ExamGecko
Search Search Login
Home Home / Fortinet / NSE7_SDW-7.2

Fortinet NSE7_SDW-7.2 Practice Test - Questions Answers, Page 3

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Refer to the exhibit. Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used to select an outgoing interface in an SD-WAN rule? (Choose two.)
Refer to the exhibit. Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)
In which SD-WAN template field can you use a metadata variable?
Exhibit B -- Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate. Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?
Refer to the exhibit. Which statement explains the output shown in the exhibit?
What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in a hub-and-spoke topology? (Choose two.)
Refer to the exhibit. The exhibit shows output of the command diagnose 3vg sdwan service collected on a FortiGate device. The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HO servers 10.0.0.1. Based on the exhibits, which two statements are correct? (Choose two.)
Refer to the exhibit. FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN. Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)
Exhibit. The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?
Exhibit. The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.)

Question 21

Report
Export
Collapse

Refer to the exhibits.

Exhibit A shows two IPsec templates to define Branch_IPsec_1 and Branch_IPsec_2. Each template defines a VPN tunnel.

Exhibit B shows the error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device.

Which statement best explain the cause for this issue?

A.
You can assign only one template with a tunnel of fype static to each FortiGate device
A.
You can assign only one template with a tunnel of fype static to each FortiGate device
Answers
B.
You can define only one IPsec tunnel from branch devices to HUB1.
B.
You can define only one IPsec tunnel from branch devices to HUB1.
Answers
C.
You can assign only one IPsec template to each FortiGate device.
C.
You can assign only one IPsec template to each FortiGate device.
Answers
D.
You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.
D.
You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.
Answers
Suggested answer: C

Explanation:

The error message in Exhibit B indicates a conflicting template assignment. This occurs because FortiManager does not allow the assignment of multiple IPsec templates that define VPN tunnels with the same name or settings to the same FortiGate device. The conflict arises from trying to assign a second IPsec template to a device that already has one assigned.

Reference: This is based on Fortinet's best practices and administrative guidelines which state that each FortiGate device should be assigned a unique IPsec template to avoid configuration conflicts.

Question 22

Report
Export
Collapse

Which statement about using BGP for ADVPN is true?

A.
You must use BGP to route traffic for both overlay and underlay links.
A.
You must use BGP to route traffic for both overlay and underlay links.
Answers
B.
You must configure AS path prepending.
B.
You must configure AS path prepending.
Answers
C.
You must configure BGP communities.
C.
You must configure BGP communities.
Answers
D.
IBGP is preferred over EBGP, because IBGP preserves next hop information.
D.
IBGP is preferred over EBGP, because IBGP preserves next hop information.
Answers
Suggested answer: D

Explanation:

ADVPN is a technology that allows dynamic creation of IPsec tunnels between branch sites without requiring pre-configured policies or keys. BGP is a routing protocol that can be used to exchange routes between ADVPN peers. IBGP is a type of BGP that runs between routers in the same autonomous system (AS), while EBGP is a type of BGP that runs between routers in different ASes. IBGP is preferred over EBGP for ADVPN, because IBGP preserves the next hop information of the routes, which is needed to establish the IPsec tunnels. EBGP changes the next hop information to the EBGP peer address, which may not be reachable by the ADVPN peers. Therefore, using IBGP for ADVPN avoids the need to configure additional static routes or redistribute routes between BGP and another routing protocol.Reference=ADVPN with BGP as the routing protocol,ADVPN,SD-WAN self-healing with BGP,Technical Tip: ADVPN with BGP as the routing protocol

The statement that IBGP is preferred over EBGP for ADVPN because IBGP preserves next hop information (D) is true. In a typical ADVPN deployment, it's beneficial to maintain next hop information across the network to ensure proper routing and optimal path selection.

Reference: This understanding comes from my knowledge of Fortinet's SD-WAN and ADVPN configurations, where BGP's behavior in terms of next hop preservation is a key consideration.

Question 23

Report
Export
Collapse

Which are three key routing principles in SD-WAN? (Choose three.)

A.
FortiGate performs route lookups for new sessions only.
A.
FortiGate performs route lookups for new sessions only.
Answers
B.
Regular policy routes have precedence over SD-WAN rules.
B.
Regular policy routes have precedence over SD-WAN rules.
Answers
C.
SD-WAN rules have precedence over ISDB routes.
C.
SD-WAN rules have precedence over ISDB routes.
Answers
D.
By default, SD-WAN members are skipped if they do not have a valid route to the destination.
D.
By default, SD-WAN members are skipped if they do not have a valid route to the destination.
Answers
E.
By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
E.
By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
Answers
Suggested answer: B, D, E

Explanation:

Study Guide 7.2, pages 125, 129, 151

Question 24

Report
Export
Collapse

Refer to the exhibit.

Which statement explains the output shown in the exhibit?

A.
FortiGate performed standard FIB routing on the session.
A.
FortiGate performed standard FIB routing on the session.
Answers
B.
FortiGate will not re-evaluate the session following a firewall policy change.
B.
FortiGate will not re-evaluate the session following a firewall policy change.
Answers
C.
FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.
C.
FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.
Answers
D.
FortiGate must re-evaluate the session due to routing change.
D.
FortiGate must re-evaluate the session due to routing change.
Answers
Suggested answer: D

Explanation:

The snat-route-change option is enabled by default. This option enables FortiGate to re-evaluate the routing table and select a new egress interface if the next hop IP address changes. This option only applies to sessions in the dirty state. Sessions in the log state are not affected by routing changes.

Question 25

Report
Export
Collapse

What are two common use cases for remote internet access (RIA)? (Choose two.)

A.
Provide direct internet access on spokes
A.
Provide direct internet access on spokes
Answers
B.
Provide internet access through the hub
B.
Provide internet access through the hub
Answers
C.
Centralize security inspection on the hub
C.
Centralize security inspection on the hub
Answers
D.
Provide thorough inspection on spokes
D.
Provide thorough inspection on spokes
Answers
Suggested answer: B, C

Explanation:

B . Provide internet access through the hub: This involves routing branch or remote office internet traffic through a central hub, ensuring consistent security policies and possibly better management of network resources.

C . Centralize security inspection on the hub: With this approach, all internet-bound traffic from various spokes is inspected at the hub, leveraging centralized security mechanisms for thorough inspection and policy enforcement.

Question 26

Report
Export
Collapse

Refer to the exhibits.

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.

After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.

Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

A.
FortiGate did not refresh the routing information on the session after the application was detected.
A.
FortiGate did not refresh the routing information on the session after the application was detected.
Answers
B.
Port1 and port2 do not have a valid route to the destination.
B.
Port1 and port2 do not have a valid route to the destination.
Answers
C.
Full SSL inspection is not enabled on the matching firewall policy.
C.
Full SSL inspection is not enabled on the matching firewall policy.
Answers
D.
The session 3-tuple did not match any of the existing entries in the ISDB application cache.
D.
The session 3-tuple did not match any of the existing entries in the ISDB application cache.
Answers
Suggested answer: B, C

Explanation:

Study guide 7.2 Page 191

Question 27

Report
Export
Collapse

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

A.
All traffic from a source IP to a destination IP is sent to the same interface.
A.
All traffic from a source IP to a destination IP is sent to the same interface.
Answers
B.
All traffic from a source IP is sent to the same interface.
B.
All traffic from a source IP is sent to the same interface.
Answers
C.
All traffic from a source IP is sent to the most used interface.
C.
All traffic from a source IP is sent to the most used interface.
Answers
D.
All traffic from a source IP to a destination IP is sent to the least used interface.
D.
All traffic from a source IP to a destination IP is sent to the least used interface.
Answers
Suggested answer: A

Explanation:

Study Guide 7.2, page 176.

Question 28

Report
Export
Collapse

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status.

Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)

A.
The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
A.
The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
Answers
B.
FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
B.
FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
Answers
C.
FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
C.
FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
Answers
D.
Non-TCP Facebook and YouTube traffic are not used for performance measurement.
D.
Non-TCP Facebook and YouTube traffic are not used for performance measurement.
Answers
Suggested answer: A, D

Explanation:

Study Guide 7.2, pages 103 - 104. Another comment said 'because without using application Control on the firewall policy, SDWAN can't work' but there is a app control 'default' defined on config.

Question 29

Report
Export
Collapse

Refer to the exhibit.

Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)

A.
FortiGate does not install IPsec static routes for remote protected networks in the routing table. Most Voted
A.
FortiGate does not install IPsec static routes for remote protected networks in the routing table. Most Voted
Answers
B.
The phase 1 configuration supports the network-overlay setting. Most Voted
B.
The phase 1 configuration supports the network-overlay setting. Most Voted
Answers
C.
FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
C.
FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
Answers
D.
Dead peer detection is disabled.
D.
Dead peer detection is disabled.
Answers
Suggested answer: A, C

Question 30

Report
Export
Collapse

Refer to the exhibits.

Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.

Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration.

The administrator wants to steer corporate traffic using routes tags in the SD-WAN rule ID 1.

However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1.

Based on the exhibits, which configuration change is required to fix issue?

A.
In the dcl-lab-rm route map configuration, set set-route-tag to 10.
A.
In the dcl-lab-rm route map configuration, set set-route-tag to 10.
Answers
B.
In SD-WAN rule ID 1, change the destination to use ISDB entries.
B.
In SD-WAN rule ID 1, change the destination to use ISDB entries.
Answers
C.
In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.
C.
In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.
Answers
D.
In the dcl-lab-rm route map configuration, unset match-community.
D.
In the dcl-lab-rm route map configuration, unset match-community.
Answers
Suggested answer: C
Total 97 questions
Go to page: of 10
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms