New Year Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test

Page: 1 / 10
Total 97 questions

Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Question 1

Refer to the exhibit.

Question # 1

The exhibit shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member?

Options:

A.

When all three members have the same packet loss.

B.

When T_INET_0_0 has 4% packet loss.

C.

When T_INET_0_0 has 12% packet loss.

D.

When T_INET_1_0 has 4% packet loss.

Question 2

Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)

Options:

A.

Encapsulating Security Payload (ESP)

B.

Secure Shell (SSH)

C.

Internet Key Exchange (IKE)

D.

Security Association (SA)

Question 3

Refer to the exhibit.

Question # 3

Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)

Options:

A.

After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

B.

During passive monitoring, FortiGate can’t detect dead members.

C.

FortiGate can offload the traffic that is subject to passive monitoring to hardware.

D.

FortiGate passively monitors the member if TCP traffic is passing through the member.

Question 4

Refer to the exhibit.

Question # 4

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

Options:

A.

type must be set to static.

B.

mode-cfg must be enabled.

C.

exchange-interface-ip must be enabled.

D.

add-route must be disabled.

Question 5

Which two statements about the SD-WAN zone configuration are true? (Choose two.)

Options:

A.

The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.

B.

You can delete the default zones.

C.

The default zones are virtual-wan-link and SASE.

D.

An SD-WAN member can belong to two or more zones.

Question 6

Refer to the exhibit.

Question # 6

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.

Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes prefixes and their additional paths? (Choose three.)

Options:

A.

Set additional-path to send

B.

Enable route-reflector-client

C.

Set advertisement-interval to the number of additional paths to advertise

D.

Set adv-additional-path to the number of additional paths to advertise

E.

Enable soft-reconfiguration

Question 7

The administrator uses the FortiManager SD-WAN overlay template to prepare an SD-WAN deployment. With information provided through the SD-WAN overlay template wizard, FortiManager creates templates ready to install on spoke and hub devices.

Select three templates created by the SD-WAN overlay template for a spoke device. (Choose three.)

Options:

A.

System template

B.

BGP template

C.

IPsec tunnel template

D.

CLI template

E.

Overlay template

Question 8

What are two benefits of choosing packet duplication over FEC for data loss correction on noisy links? (Choose two.)

Options:

A.

Packet duplication can leverage multiple IPsec overlays for sending additional data.

B.

Packet duplication does not require a route to the destination.

C.

Packet duplication supports hardware offloading.

D.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

Question 9

Refer to the exhibits.

Question # 9

Exhibit A shows a policy package definition Exhibit B shows the install log that the administrator received when he tried to install the policy package on FortiGate devices.

Based on the output shown in the exhibits, what can the administrator do to solve the Issue?

Options:

A.

Create dynamic mapping for the LAN interface for all devices in the installation target list.

B.

Use a metadata variable instead of a dynamic interface to define the firewall policy.

C.

Dynamic mapping should be done automatically. Review the LAN interface configuration for branch2_fgt.

D.

Policies can refer to only one LAN source interface. Keep only the D-LAN, which is the dynamic LAN interface.

Question 10

Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.)

Options:

A.

FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.

B.

By default, local-out traffic does not use SD-WAN.

C.

By default, FortiGate does not check if the selected member has a valid route to the destination.

D.

You must configure each local-out feature individually, to use SD-WAN.

Question 11

Question # 11

Question # 11

Exhibit A shows the firewall policy and exhibit B shows the traffic shaping policy.

The traffic shaping policy is being applied to all outbound traffic; however, inbound traffic is not being evaluated by the shaping policy.

Based on the exhibits, what configuration change must be made in which policy so that traffic shaping can be applied to inbound traffic?

Options:

A.

Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

B.

In the traffic shaping policy, select Assign Shaping Class ID as Action.

C.

In the firewall policy, select Proxy-based as Inspection Mode.

D.

In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

Question 12

Refer to the exhibit.

Question # 12

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?

Options:

A.

The type of traffic defined and allowed on firewall policy ID 1 is UDP.

B.

FortiGate has terminated the session after a change on policy ID 1.

C.

Changes have been made on firewall policy ID 1 on FortiGate.

D.

Firewall policy ID 1 has source NAT disabled.

Question 13

Refer to the exhibit.

Question # 13

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN.

Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)

Options:

A.

Specify a unique peer ID for each dial-up VPN interface.

B.

Use different proposals are used between the interfaces.

C.

Configure the IKE mode to be aggressive mode.

D.

Use unique Diffie Hellman groups on each VPN interface.

Question 14

Refer to the exhibits.

Exhibit A

Question # 14

Exhibit B -

Question # 14

Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing table, and the member status.

The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule.

Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule?

Options:

A.

The traffic will be load balanced across all three overlays.

B.

The traffic will be routed over T_INET_0_0.

C.

The traffic will be routed over T_MPLS_0.

D.

The traffic will be routed over T_INET_1_0.

Question 15

What is the route-tag setting in an SD-WAN rule used for?

Options:

A.

To indicate the routes for health check probes.

B.

To indicate the destination of a rule based on learned BGP prefixes.

C.

To indicate the routes that can be used for routing SD-WAN traffic.

D.

To indicate the members that can be used to route SD-WAN traffic.

Question 16

Which type statements about the SD-WAN members are true? (Choose two.)

Options:

A.

You can manually define the SD-WAN members sequence number.

B.

Interfaces of type virtual wire pair can be used as SD-WAN members.

C.

Interfaces of type VLAN can be used as SD-WAN members.

D.

An SD-WAN member can belong to two or more SD-WAN zones.

Question 17

Refer to the exhibits.

Exhibit A -

Question # 17

Exhibit B -

Question # 17

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.

The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.

Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?

Options:

A.

Destination internet service must be enabled on the traffic shaping policy.

B.

Application control must be enabled on the firewall policy.

C.

Web filtering must be enabled on the firewall policy.

D.

Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Question 18

Question # 18

Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)

Options:

A.

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

B.

The measured bandwidth is less than 100 KBps.

C.

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

D.

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

Question 19

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

Options:

A.

It provides the benefits of a full-mesh topology in a hub-and-spoke network.

B.

It provides direct connectivity between spokes by creating shortcuts.

C.

It enables spokes to bypass the hub during shortcut negotiation.

D.

It enables spokes to establish shortcuts to third-party gateways.

Question 20

Exhibit.

Question # 20

Which conclusion about the packet debug flow output is correct?

Options:

A.

The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

B.

The packet size exceeded the outgoing interface MTU.

C.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

D.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Question 21

Refer to the exhibit.

Question # 21

In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling the anti-replay setting on the hubs?

Options:

A.

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

B.

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

C.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

D.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

Question 22

Which statement about using BGP for ADVPN is true?

Options:

A.

You must use BGP to route traffic for both overlay and underlay links.

B.

You must configure AS path prepending.

C.

You must configure BGP communities.

D.

IBGP is preferred over EBGP, because IBGP preserves next hop information.

Question 23

The SD-WAN overlay template helps to prepare SD-WAN deployments. To complete the tasks performed by the SD-WAN overlay template, the administrator must perform some post-run tasks. What are three mandatory post-run tasks that must be performed? (Choose three.)

Options:

A.

Create policy packages for branch devices.

B.

Assign an sdwan_id metadata variable to each device (branch and hub}.

C.

Configure routing through overlay tunnels created by the SD-WAN overlay template.

D.

Assign a branch_id metadata variable to each branch device.

E.

Configure SD-WAN rules.

Question 24

Refer to the exhibit.

Question # 24

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)

Options:

A.

FortiGate flushes all sessions.

B.

FortiGate terminates the old sessions.

C.

FortiGate does not change existing sessions.

D.

FortiGate evaluates new sessions.

Question 25

Which two statements describe how IPsec phase 1 main mode id different from aggressive mode when performing IKE negotiation? (Choose two.)

Options:

A.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

B.

XAuth is enabled as an additional level of authentication, which requires a username and password.

C.

Three packets are exchanged between an initiator and a responder instead of six packets.

D.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Question 26

Refer to the exhibit.

Question # 26

The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.)

Options:

A.

The reply direction of the asymmetric traffic flows from port2 to port3.

B.

The auxiliary session can be offloaded to hardware.

C.

The original direction of the symmetric traffic flows from port3 to port2.

D.

The main session cannot be offloaded to hardware.

Question 27

Exhibit.

Question # 27

The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.)

Options:

A.

The health-check VPN_PING orders the members according to the lowest jitter.

B.

The interface T_INET_1 missed one SLA target.

C.

There is no SLA criteria configured for the health-check Level3_DNS.

D.

The interface T_INET_0 missed three SLA targets.

Question 28

Refer to the exhibit.

Question # 28

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

Options:

A.

All traffic from a source IP to a destination IP is sent to the same interface.

B.

All traffic from a source IP is sent to the same interface.

C.

All traffic from a source IP is sent to the most used interface.

D.

All traffic from a source IP to a destination IP is sent to the least used interface.

Question 29

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

Options:

A.

The sdwan_service_id flag in the session information is 0.

B.

All SD-WAN rules have the default setting enabled.

C.

Traffic does not match any of the entries in the policy route table.

D.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Page: 1 / 10
Total 97 questions