ExamGecko
Login
Home / Fortinet / NSE7_SDW-7.2 / List of questions
Ask Question

Fortinet NSE7_SDW-7.2 Practice Test - Questions Answers, Page 3

Add to Whishlist

List of questions

Question 21

Report Export Collapse

Refer to the exhibits.

Fortinet NSE7_SDW-7.2 image Question 21 27221 09182024190937000000

Exhibit A shows two IPsec templates to define Branch_IPsec_1 and Branch_IPsec_2. Each template defines a VPN tunnel.

Exhibit B shows the error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device.

Which statement best explain the cause for this issue?

You can assign only one template with a tunnel of fype static to each FortiGate device
You can assign only one template with a tunnel of fype static to each FortiGate device
You can define only one IPsec tunnel from branch devices to HUB1.
You can define only one IPsec tunnel from branch devices to HUB1.
You can assign only one IPsec template to each FortiGate device.
You can assign only one IPsec template to each FortiGate device.
You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.
You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.
Suggested answer: C
Explanation:

The error message in Exhibit B indicates a conflicting template assignment. This occurs because FortiManager does not allow the assignment of multiple IPsec templates that define VPN tunnels with the same name or settings to the same FortiGate device. The conflict arises from trying to assign a second IPsec template to a device that already has one assigned.

Reference: This is based on Fortinet's best practices and administrative guidelines which state that each FortiGate device should be assigned a unique IPsec template to avoid configuration conflicts.

asked 18/09/2024
Aaron Case
49 questions

Question 22

Report Export Collapse

Which statement about using BGP for ADVPN is true?

You must use BGP to route traffic for both overlay and underlay links.
You must use BGP to route traffic for both overlay and underlay links.
You must configure AS path prepending.
You must configure AS path prepending.
You must configure BGP communities.
You must configure BGP communities.
IBGP is preferred over EBGP, because IBGP preserves next hop information.
IBGP is preferred over EBGP, because IBGP preserves next hop information.
Suggested answer: D
Explanation:

ADVPN is a technology that allows dynamic creation of IPsec tunnels between branch sites without requiring pre-configured policies or keys. BGP is a routing protocol that can be used to exchange routes between ADVPN peers. IBGP is a type of BGP that runs between routers in the same autonomous system (AS), while EBGP is a type of BGP that runs between routers in different ASes. IBGP is preferred over EBGP for ADVPN, because IBGP preserves the next hop information of the routes, which is needed to establish the IPsec tunnels. EBGP changes the next hop information to the EBGP peer address, which may not be reachable by the ADVPN peers. Therefore, using IBGP for ADVPN avoids the need to configure additional static routes or redistribute routes between BGP and another routing protocol.Reference=ADVPN with BGP as the routing protocol,ADVPN,SD-WAN self-healing with BGP,Technical Tip: ADVPN with BGP as the routing protocol

The statement that IBGP is preferred over EBGP for ADVPN because IBGP preserves next hop information (D) is true. In a typical ADVPN deployment, it's beneficial to maintain next hop information across the network to ensure proper routing and optimal path selection.

Reference: This understanding comes from my knowledge of Fortinet's SD-WAN and ADVPN configurations, where BGP's behavior in terms of next hop preservation is a key consideration.

asked 18/09/2024
Mellisa Stroman
44 questions

Question 23

Report Export Collapse

Which are three key routing principles in SD-WAN? (Choose three.)

FortiGate performs route lookups for new sessions only.
FortiGate performs route lookups for new sessions only.
Regular policy routes have precedence over SD-WAN rules.
Regular policy routes have precedence over SD-WAN rules.
SD-WAN rules have precedence over ISDB routes.
SD-WAN rules have precedence over ISDB routes.
By default, SD-WAN members are skipped if they do not have a valid route to the destination.
By default, SD-WAN members are skipped if they do not have a valid route to the destination.
By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
Suggested answer: B, D, E
Explanation:

Study Guide 7.2, pages 125, 129, 151

asked 18/09/2024
Joshin Ogele
40 questions

Question 24

Report Export Collapse

Refer to the exhibit.

Fortinet NSE7_SDW-7.2 image Question 24 27224 09182024190937000000

Which statement explains the output shown in the exhibit?

FortiGate performed standard FIB routing on the session.
FortiGate performed standard FIB routing on the session.
FortiGate will not re-evaluate the session following a firewall policy change.
FortiGate will not re-evaluate the session following a firewall policy change.
FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.
FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.
FortiGate must re-evaluate the session due to routing change.
FortiGate must re-evaluate the session due to routing change.
Suggested answer: D
Explanation:

The snat-route-change option is enabled by default. This option enables FortiGate to re-evaluate the routing table and select a new egress interface if the next hop IP address changes. This option only applies to sessions in the dirty state. Sessions in the log state are not affected by routing changes.

asked 18/09/2024
Graham Munengami
37 questions

Question 25

Report Export Collapse

What are two common use cases for remote internet access (RIA)? (Choose two.)

Provide direct internet access on spokes
Provide direct internet access on spokes
Provide internet access through the hub
Provide internet access through the hub
Centralize security inspection on the hub
Centralize security inspection on the hub
Provide thorough inspection on spokes
Provide thorough inspection on spokes
Suggested answer: B, C
Explanation:

B . Provide internet access through the hub: This involves routing branch or remote office internet traffic through a central hub, ensuring consistent security policies and possibly better management of network resources.

C . Centralize security inspection on the hub: With this approach, all internet-bound traffic from various spokes is inspected at the hub, leveraging centralized security mechanisms for thorough inspection and policy enforcement.

asked 18/09/2024
junjie wang
44 questions

Question 26

Report Export Collapse

Refer to the exhibits.

Fortinet NSE7_SDW-7.2 image Question 26 27226 09182024190937000000

Fortinet NSE7_SDW-7.2 image Question 26 27226 09182024190937000000

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.

After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.

Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

FortiGate did not refresh the routing information on the session after the application was detected.
FortiGate did not refresh the routing information on the session after the application was detected.
Port1 and port2 do not have a valid route to the destination.
Port1 and port2 do not have a valid route to the destination.
Full SSL inspection is not enabled on the matching firewall policy.
Full SSL inspection is not enabled on the matching firewall policy.
The session 3-tuple did not match any of the existing entries in the ISDB application cache.
The session 3-tuple did not match any of the existing entries in the ISDB application cache.
Suggested answer: B, C
Explanation:

Study guide 7.2 Page 191

asked 18/09/2024
Avinash Kumar
35 questions

Question 27

Report Export Collapse

Refer to the exhibit.

Fortinet NSE7_SDW-7.2 image Question 27 27227 09182024190937000000

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

All traffic from a source IP to a destination IP is sent to the same interface.
All traffic from a source IP to a destination IP is sent to the same interface.
All traffic from a source IP is sent to the same interface.
All traffic from a source IP is sent to the same interface.
All traffic from a source IP is sent to the most used interface.
All traffic from a source IP is sent to the most used interface.
All traffic from a source IP to a destination IP is sent to the least used interface.
All traffic from a source IP to a destination IP is sent to the least used interface.
Suggested answer: A
Explanation:

Study Guide 7.2, page 176.

asked 18/09/2024
Marco Di Munno
38 questions

Question 28

Report Export Collapse

Refer to the exhibits.

Exhibit A

Fortinet NSE7_SDW-7.2 image Question 28 27228 09182024190937000000

Exhibit B

Fortinet NSE7_SDW-7.2 image Question 28 27228 09182024190937000000

Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status.

Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
Non-TCP Facebook and YouTube traffic are not used for performance measurement.
Non-TCP Facebook and YouTube traffic are not used for performance measurement.
Suggested answer: A, D
Explanation:

Study Guide 7.2, pages 103 - 104. Another comment said 'because without using application Control on the firewall policy, SDWAN can't work' but there is a app control 'default' defined on config.

asked 18/09/2024
Muhammad Waheed
45 questions

Question 29

Report Export Collapse

Refer to the exhibit.

Fortinet NSE7_SDW-7.2 image Question 29 27229 09182024190937000000

Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)

FortiGate does not install IPsec static routes for remote protected networks in the routing table. Most Voted
FortiGate does not install IPsec static routes for remote protected networks in the routing table. Most Voted
The phase 1 configuration supports the network-overlay setting. Most Voted
The phase 1 configuration supports the network-overlay setting. Most Voted
FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
Dead peer detection is disabled.
Dead peer detection is disabled.
Suggested answer: A, C
asked 18/09/2024
Jarod Simmons
46 questions

Question 30

Report Export Collapse

Refer to the exhibits.

Fortinet NSE7_SDW-7.2 image Question 30 27230 09182024190937000000

Fortinet NSE7_SDW-7.2 image Question 30 27230 09182024190937000000

Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.

Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration.

The administrator wants to steer corporate traffic using routes tags in the SD-WAN rule ID 1.

However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1.

Based on the exhibits, which configuration change is required to fix issue?

In the dcl-lab-rm route map configuration, set set-route-tag to 10.
In the dcl-lab-rm route map configuration, set set-route-tag to 10.
In SD-WAN rule ID 1, change the destination to use ISDB entries.
In SD-WAN rule ID 1, change the destination to use ISDB entries.
In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.
In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.
In the dcl-lab-rm route map configuration, unset match-community.
In the dcl-lab-rm route map configuration, unset match-community.
Suggested answer: C
asked 18/09/2024
Nicholas Stoner
47 questions
Total 99 questions
Go to page: of 10
Open VPLUS File
Convert VPLUS to PDF

Related questions

Refer to the exhibit. Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used to select an outgoing interface in an SD-WAN rule? (Choose two.)
In which SD-WAN template field can you use a metadata variable?
Refer to the exhibit. The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.)
What are two reasons for using FortiManager to organize and manage the network for a group of FortiGate devices? (Choose two.)
Which two statements describe how IPsec phase 1 main mode id different from aggressive mode when performing IKE negotiation? (Choose two.)
Refer to the exhibit. Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)
Refer to the exhibit. Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)
What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.)
Refer to the exhibit. In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling the anti-replay setting on the hubs?
Refer to the exhibit. Which statement explains the output shown in the exhibit?