Fortinet NSE7_SDW-7.2 Practice Test - Questions Answers, Page 5

SD-WAN zones are a group of interfaces that share the same SD-WAN settings, such as health check, SLA, and load balancing. Some characteristics of SD-WAN zones are:

An SD-WAN zone can contain different types of interfaces, such as physical, VLAN, aggregate, and tunnel interfaces1.

An SD-WAN zone can contain up to 512 members1.

You can use an SD-WAN zone in static route definitions, as long as the destination interface is also an SD-WAN zone1.

You can configure up to 32 SD-WAN zones per VDOM1.

According to theFortiGate / FortiOS 6.4.2 Administration Guide, the health check status command displays the status of the health check probes for each SD-WAN member interface. The output includes the following information:

state: the current state of the interface, either alive or dead

packet-loss: the percentage of packets lost during the health check

latency: the average round-trip time in milliseconds

jitter: the variation in latency

mos: the mean opinion score, a measure of voice quality

bandwidth: the available bandwidth in kilobits per second for each direction (up, down, bi)

sla map: a bitmap that indicates which SLA criteria are met or failed

Based on the exhibit, the following statements are correct:

The health-check VPN_PING orders the members according to the lowest jitter.This means that the interface with the lowest jitter value is listed first, followed by the next lowest, and so on1. In the exhibit, the order is T_MPLS, T_INET_1, and T_INET_0.

There is no SLA criteria configured for the health-check Level3_DNS.This means that the health check does not use any SLA parameters to determine the state of the interface2. In the exhibit, the sla map value is 0x0 for both port1 and port2, indicating that no SLA criteria are applied.

VPN event logs record the status of VPN tunnels, such as the establishment, termination, or failure of a tunnel. The output includes the following information:

logid: the log ID number

type: the log type, either traffic or event

subtype: the log subtype, either vpn or ipsec

level: the log level, either error, warning, or notice

vd: the virtual domain name

logdesc: the log description

msg: the log message

action: the log action, such as tunnel-up, tunnel-down, or tunnel-stats

remip: the remote IP address

locip: the local IP address

remport: the remote port number

locport: the local port number

outintf: the outgoing interface name

cookies: the IKE SA cookies

user: the user name

group: the user group name

useralt: the alternative user name

xauthuser: the XAuth user name

authgroup: the XAuth user group name

assignip: the assigned IP address

vpntunnel: the VPN tunnel name

tunnellip: the tunnel loopback IP address

tunnelid: the tunnel ID number

tunneltype: the tunnel type, either ipsec or ssl

duration: the tunnel duration in seconds

sentbyte: the number of bytes sent

rcvdbyte: the number of bytes received

nextstat: the next statistics interval in seconds

advpnsc: the ADVPN shortcut flag, either 0 or 1

Based on the exhibit, the following statement is true:

There is one shortcut tunnel built from master tunnel T_MPLS_0.This means that the VPN tunnel T_MPLS_0 is a master tunnel that can send ADVPN shortcut offers to other spokes, and the VPN tunnel T_MPLS_0_0 is a shortcut tunnel that is built from the master tunnel T_MPLS_01. In the exhibit, the log action for T_MPLS_0 is tunnel-up, and the log action for T_MPLS_0_0 is shortcut-up. The advpnsc flag for T_MPLS_0 is 0, indicating that it is not a shortcut tunnel, while the advpnsc flag for T_MPLS_0_0 is 1, indicating that it is a shortcut tunnel.