Weekend Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Activedumpsnet Logo
  1. Home
  2. Fortinet
  3. NSE 7 Network Security Architect
  4. NSE7_SDW-7.2
  5. NSE7_SDW-7.2 - Fortinet NSE 7 - SD-WAN 7.2

Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test

Page: 1 / 10
Total 99 questions
Get NSE7_SDW-7.2 Full Access Download NSE7_SDW-7.2 PDF

Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Question 1

Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?

Options:

A.

hold-down-time

B.

link-down-failover

C.

auto-discovery-shortcuts

D.

idle-timeout

Question 2

Which two performance SLA protocols enable you to verify that the server response contains a specific value? (Choose two.)

Options:

A.

http

B.

icmp

C.

twamp

D.

dns

Question 3

Which two settings can you configure to speed up routing convergence in BGP? (Choose two.)

Options:

A.

update-source

B.

set-route-tag

C.

holdtime-timer

D.

link-down-failover

Question 4

Refer to the exhibits.

Question # 4

Question # 4

Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.

Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration.

The administrator wants to steer corporate traffic using routes tags in the SD-WAN rule ID 1.

However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1.

Based on the exhibits, which configuration change is required to fix issue?

Options:

A.

In the dc1-lan-rm route map configuration, set set-route-tag to 10.

B.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

C.

In the dc1-lan-rm route map configuration, unset match-community.

D.

In the BGP neighbor configuration, apply the route map dc1-lan-rm in the outbound direction.

Question 5

What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process? (Choose two.)

Options:

A.

The FortiGate cloud key has not been added to the FortiGate cloud portal.

B.

FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager

C.

The zero-touch provisioning process has completed internally, behind FortiGate.

D.

FortiGate has obtained a configuration from the platform template in FortiGate cloud.

E.

A factory reset performed on FortiGate.

Question 6

Refer to the exhibits.

Exhibit A -

Question # 6

Exhibit B -

Question # 6

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.

When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.

Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

Options:

A.

Enable auxiliary-session under config system settings.

B.

Disable tсp-session-without-syn under config system settings.

C.

Enable snat-route-change under config system global.

D.

Disable allow-subnet-overlap under config system settings.

Question 7

Refer to the exhibit.

Question # 7

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN.

Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)

Options:

A.

Specify a unique peer ID for each dial-up VPN interface.

B.

Use different proposals are used between the interfaces.

C.

Configure the IKE mode to be aggressive mode.

D.

Use unique Diffie Hellman groups on each VPN interface.

Question 8

Question # 8

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups.

Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

Options:

A.

London generates an IKE information message that contains the Toronto public IP address.

B.

Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.

C.

Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.

D.

The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Question 9

Refer to the exhibit.

Question # 9

Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)

Options:

A.

Cost

B.

Interface member

C.

Priority

D.

Gateway IP

Question 10

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

Options:

A.

The session information output displays no SD-WAN-specific details.

B.

All SD-WAN rules have the default and gateway setting enabled.

C.

Traffic does not match any of the entries in the policy route table.

D.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Question 11

Which statement about using BGP routes in SD-WAN is true?

Options:

A.

Learned routes can be used as dynamic destinations in SD-WAN rules.

B.

You must use BGP to route traffic for both overlay and underlay links.

C.

You must configure AS path prepending.

D.

You must use external BGP.

Question 12

Which statement about SD-WAN zones is true?

Options:

A.

An SD-WAN zone can contain only one type of interface.

B.

An SD-WAN zone can contain between 0 and 512 members.

C.

You cannot use an SD-WAN zone in static route definitions.

D.

You can configure up to 32 SD-WAN zones per VDOM.

Question 13

In the default SD-WAN minimum configuration, which two statements are correct when traffic matches the default implicit SD-WAN rule? (Choose two )

Options:

A.

Traffic has matched none of the FortiGate policy routes.

B.

Matched traffic failed RPF and was caught by the rule.

C.

The FIB lookup resolved interface was the SD-WAN interface.

D.

An absolute SD-WAN rule was defined and matched traffic.

Question 14

Refer to the exhibit.

Question # 14

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0.

Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)

Options:

A.

The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.

B.

T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.

C.

T_INET_0_0 does not have a valid route to the destination.

D.

T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

Question 15

Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?

    diagnose sys sdwan service

    diagnose sys sdwan route-tag-list

    diagnose sys sdwan member

Options:

A.

diagnose sys sdwan neighbor

Question 16

What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.)

Options:

A.

The ISDB is dynamically updated and reduces administrative overhead.

B.

The ISDB requires application control to maintain signatures and perform load balancing.

C.

The ISDB applies rules to traffic from specific sources, based on application type.

D.

The ISDB contains the IP addresses and port ranges of well-known internet services.

Question 17

Refer to the exhibit.

Question # 17

The device exchanges routes using IBGP.

Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)

Options:

A.

Each BGP route is three hops away from the destination.

B.

ibgp-multipath is disabled.

C.

additional-path is enabled.

D.

You can run the get router info routing-table database command to display the additional paths.

Question 18

Which statement about using BGP for ADVPN is true?

Options:

A.

You must use BGP to route traffic for both overlay and underlay links.

B.

You must configure AS path prepending.

C.

You must configure BGP communities.

D.

IBGP is preferred over EBGP, because IBGP preserves next hop information.

Question 19

Refer to the exhibits.

Exhibit A

Question # 19

Exhibit B

Question # 19

Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate.

Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)

Options:

A.

FortiGate flags the sessions as dirty.

B.

FortiGate continues routing the sessions with no SNAT, over port2.

C.

FortiGate performs a route lookup for the original traffic only.

D.

FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Question 20

The administrator uses the FortiManager SD-WAN overlay template to prepare an SD-WAN deployment. With information provided through the SD-WAN overlay template wizard, FortiManager creates templates ready to install on spoke and hub devices.

Select three templates created by the SD-WAN overlay template for a spoke device. (Choose three.)

Options:

A.

System template

B.

BGP template

C.

IPsec tunnel template

D.

CLI template

E.

Overlay template

Question 21

Question # 21

Exhibit B –

Question # 21

Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate.

Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?

Options:

A.

port1 is assigned a manual IP address.

B.

port1 is referenced in a firewall policy.

C.

port2 is referenced in a static route.

D.

port1 and port2 are not administratively down.

Question 22

Refer to the exhibit.

Question # 22

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

Options:

A.

type must be set to static.

B.

mode-cfg must be enabled.

C.

exchange-interface-ip must be enabled.

D.

add-route must be disabled.

Question 23

What are two benefits of using forward error correction (FEC) in IPsec VPNs? (Choose two.)

Options:

A.

FEC supports hardware offloading.

B.

FEC improves reliability of noisy links.

C.

FEC transmits parity packets that can be used to reconstruct packet loss.

D.

FEC can leverage multiple IPsec tunnels for parity packets transmission.

Question 24

What are two benefits of choosing packet duplication over FEC for data loss correction on noisy links? (Choose two.)

Options:

A.

Packet duplication can leverage multiple IPsec overlays for sending additional data.

B.

Packet duplication does not require a route to the destination.

C.

Packet duplication supports hardware offloading.

D.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

Question 25

Which action fortigate performs on the traffic that is subject to a per-IP traffic shaper of 10 Mbps?

Options:

A.

FortiGate applies traffic shaping to the original traffic direction only.

B.

FortiGate shares 10 Mbps of bandwidth equally among all source IP addresses.

RIAS

C.

Fortigate limits each source ip address to a maximum bandwidth of 10 Mbps.

D.

FortiGate guarantees a minimum of 10 Mbps of bandwidth to each source IP address.

Question 26

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

Options:

A.

It provides the benefits of a full-mesh topology in a hub-and-spoke network.

B.

It provides direct connectivity between spokes by creating shortcuts.

C.

It enables spokes to bypass the hub during shortcut negotiation.

D.

It enables spokes to establish shortcuts to third-party gateways.

Question 27

Refer to the exhibits.

Exhibit A

Question # 27

Exhibit B

Question # 27

Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration.

Based on the exhibits, which two statements are correct? (Choose two.)

Options:

A.

FortiGate updated the outgoing interface list on the rule so it prefers port2.

B.

Port2 has the highest member priority.

C.

Port2 has a lower latency than port1.

D.

SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

Question 28

Exhibit.

Question # 28

The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?

Options:

A.

There are no IPsec tunnel statistics log messages for ADVPN cuts.

B.

There is one shortcut tunnel built from master tunnel T_MPLS_0.

C.

The VPN tunnel T_MPLS_0 is a shortcut tunnel.

D.

The master tunnel T_INET_0 cannot accept the ADVPN shortcut. 

Question 29

Refer to the exhibits.

Question # 29

Question # 29

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.

After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.

Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

Options:

A.

FortiGate did not refresh the routing information on the session after the application was detected.

B.

Port1 and port2 do not have a valid route to the destination.

C.

Full SSL inspection is not enabled on the matching firewall policy.

D.

The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Load More NSE7_SDW-7.2 Questions 
Page: 1 / 10
Total 99 questions
Get NSE7_SDW-7.2 Full Access Download NSE7_SDW-7.2 PDF