Fortinet NSE7_SDW-7.2 Practice Test - Questions Answers, Page 5

Refer to the exhibit.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

A. type must be set to static.
B. mode-cfg must be enabled.
C. exchange-interface-ip must be enabled.
D. add-route must be disabled.
Suggested answer: D

Which statement about SD-WAN zones is true?

A. An SD-WAN zone can contain only one type of interface.
B. An SD-WAN zone can contain between 0 and 512 members.
C. You cannot use an SD-WAN zone in static route definitions.
D. You can configure up to 32 SD-WAN zones per VDOM.
Suggested answer: D

Explanation:

An SD-WAN zone is a logical grouping of SD-WAN members (interfaces) that you reference as a single unit in SD-WAN rules, firewall policies, and static routes. Some characteristics of SD-WAN zones are:

An SD-WAN zone can contain different types of interfaces, such as physical, VLAN, aggregate, and IPsec tunnel interfaces.

An SD-WAN zone can contain up to 512 members.

You can use an SD-WAN zone as the outgoing device in static route definitions.

You can configure up to 32 SD-WAN zones per VDOM.

Which two statements about the SD-WAN zone configuration are true? (Choose two.)

A. The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.
B. You can delete the default zones.
C. The default zones are virtual-wan-link and SASE.
D. An SD-WAN member can belong to two or more zones.
Suggested answer: A, C

Exhibit.

The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.)

A. The health-check VPN_PING orders the members according to the lowest jitter.
B. The interface T_INET_1 missed one SLA target.
C. There is no SLA criteria configured for the health-check Level3_DNS.
D. The interface T_INET_0 missed three SLA targets.
Suggested answer: A, C

Explanation:

According to the FortiGate / FortiOS 6.4.2 Administration Guide, the health check status command displays the status of the health check probes for each SD-WAN member interface. The output includes the following information:

state: the current state of the interface, either alive or dead

packet-loss: the percentage of packets lost during the health check

latency: the average round-trip time in milliseconds

jitter: the variation in latency

mos: the mean opinion score, a measure of voice quality

bandwidth: the available bandwidth in kilobits per second for each direction (up, down, bi)

sla_map: a bitmap in which each set bit marks an SLA target that the member currently meets; it reads 0x0 when the member meets no target, and also when the health check has no SLA target configured at all

Based on the exhibit, the following statements are correct:

The health-check VPN_PING orders the members according to the lowest jitter. The interface with the lowest jitter value is listed first, followed by the next lowest, and so on. In the exhibit, the order is T_MPLS, T_INET_1, and T_INET_0.

There are no SLA criteria configured for the health-check Level3_DNS. The health check therefore does not use any SLA target to qualify the state of its members. In the exhibit, the sla_map value is 0x0 for both port1 and port2, which is consistent with no SLA criteria being applied.
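The following Python script is an added example for this question; it is not part of the exam material and not Fortinet code. It parses constructed sample output laid out like the per-member lines of diagnose sys sdwan health-check status, orders the members of each health check by jitter, and decodes sla_map into the SLA targets a member meets or misses. The line layout, the SLA_TARGETS thresholds, and the function names are assumptions made for the example; the sla_map interpretation (bit n-1 set means SLA target n is met) is the one described above.

```python
import re
from dataclasses import dataclass

# Constructed sample output (values made up for this example), laid out like the
# per-member lines of `diagnose sys sdwan health-check status` on FortiOS 7.x.
# The exact line layout is an assumption; adjust MEMBER_RE if your build differs.
SAMPLE_STATUS = """\
Health Check(VPN_PING):
Seq(1 T_INET_0): state(alive), packet-loss(1.000%) latency(42.123), jitter(5.412), mos(4.301), bandwidth-up(9999), bandwidth-dw(9999), bandwidth-bi(19998) sla_map=0x0
Seq(2 T_INET_1): state(alive), packet-loss(0.000%) latency(21.050), jitter(1.204), mos(4.398), bandwidth-up(9999), bandwidth-dw(9999), bandwidth-bi(19998) sla_map=0x1
Seq(3 T_MPLS): state(alive), packet-loss(0.000%) latency(10.118), jitter(0.311), mos(4.404), bandwidth-up(9999), bandwidth-dw(9999), bandwidth-bi(19998) sla_map=0x1
Health Check(Level3_DNS):
Seq(1 port1): state(alive), packet-loss(0.000%) latency(8.012), jitter(0.420), mos(4.404), bandwidth-up(9999), bandwidth-dw(9999), bandwidth-bi(19998) sla_map=0x0
Seq(2 port2): state(dead), packet-loss(100.000%) latency(0.000), jitter(0.000), mos(0.000), bandwidth-up(0), bandwidth-dw(0), bandwidth-bi(0) sla_map=0x0
"""

# Hypothetical SLA targets per health check (thresholds assumed for the example;
# on a real unit read them from `config system sdwan` > `config health-check` > `config sla`).
# Level3_DNS deliberately has no SLA, so its sla_map can only ever be 0x0.
SLA_TARGETS = {
    "VPN_PING": {1: {"latency": 30.0, "jitter": 3.0, "packet_loss": 0.5}},
    "Level3_DNS": {},
}

HC_RE = re.compile(r"^Health Check\((?P<name>[^)]+)\):")
MEMBER_RE = re.compile(
    r"^Seq\((?P<seq>\d+) (?P<member>\S+)\): state\((?P<state>\w+)\), "
    r"packet-loss\((?P<loss>[\d.]+)%\) latency\((?P<latency>[\d.]+)\), "
    r"jitter\((?P<jitter>[\d.]+)\), mos\((?P<mos>[\d.]+)\).*?sla_map=0x(?P<sla_map>[0-9a-fA-F]+)$"
)


@dataclass
class Member:
    name: str
    state: str
    packet_loss: float
    latency: float
    jitter: float
    mos: float
    sla_map: int


def parse_status(text: str) -> dict[str, list[Member]]:
    """Group member lines under the health check they are printed beneath."""
    checks: dict[str, list[Member]] = {}
    current = None
    for line in text.splitlines():
        if (m := HC_RE.match(line)):
            current = m.group("name")
            checks[current] = []
            continue
        if current is None:
            continue
        if (m := MEMBER_RE.match(line)):
            checks[current].append(Member(
                name=m["member"], state=m["state"],
                packet_loss=float(m["loss"]), latency=float(m["latency"]),
                jitter=float(m["jitter"]), mos=float(m["mos"]),
                sla_map=int(m["sla_map"], 16),
            ))
    return checks


def missed_targets(member: Member, targets: dict) -> list[int]:
    """SLA ids whose bit (id-1) is clear in sla_map. With no configured targets the
    bitmap carries no information, so nothing is reported as missed."""
    return [sla_id for sla_id in sorted(targets) if not member.sla_map & (1 << (sla_id - 1))]


def failing_metrics(member: Member, target: dict) -> set[str]:
    """Re-check the raw measurements against one SLA target, independently of sla_map,
    so a bitmap can be cross-checked against the numbers it was derived from."""
    if member.state != "alive":
        return {"state"}
    failing = set()
    if "latency" in target and member.latency > target["latency"]:
        failing.add("latency")
    if "jitter" in target and member.jitter > target["jitter"]:
        failing.add("jitter")
    if "packet_loss" in target and member.packet_loss > target["packet_loss"]:
        failing.add("packet_loss")
    return failing


def order_by_jitter(members: list[Member]) -> list[str]:
    """Member names from lowest to highest jitter: the preference order a Best Quality
    rule whose quality criterion is jitter would use."""
    return [m.name for m in sorted(members, key=lambda m: m.jitter)]


def report(text: str) -> dict[str, dict]:
    """Summarise every health check: whether it has an SLA, jitter order, and misses."""
    out = {}
    for hc, members in parse_status(text).items():
        targets = SLA_TARGETS.get(hc, {})
        out[hc] = {
            "has_sla": bool(targets),
            "jitter_order": order_by_jitter(members),
            "missed": {m.name: missed_targets(m, targets) for m in members},
        }
    return out


if __name__ == "__main__":
    for hc, summary in report(SAMPLE_STATUS).items():
        print(hc, summary)
```

Run it against a saved copy of the real command output to get the same summary; failing_metrics is there so that a member whose sla_map says "met" can be checked against the thresholds you actually configured, which is the quickest way to spot a health check whose SLA was edited but not yet re-evaluated.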

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing table, and the member status.

The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule.

Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule?

A. The traffic will be load balanced across all three overlays.
B. The traffic will be routed over T_INET_0_0.
C. The traffic will be routed over T_MPLS_0.
D. The traffic will be routed over T_INET_1_0.
Suggested answer: C

Exhibit.

The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?

A. There are no IPsec tunnel statistics log messages for ADVPN cuts.
B. There is one shortcut tunnel built from master tunnel T_MPLS_0.
C. The VPN tunnel T_MPLS_0 is a shortcut tunnel.
D. The master tunnel T_INET_0 cannot accept the ADVPN shortcut.
Suggested answer: B

Explanation:

VPN event logs record the status of VPN tunnels, such as the establishment, termination, or failure of a tunnel. The output includes the following information:

logid: the log ID number

type: the log type, either traffic or event

subtype: the log subtype, either vpn or ipsec

level: the log level, either error, warning, or notice

vd: the virtual domain name

logdesc: the log description

msg: the log message

action: the log action, such as tunnel-up, tunnel-down, or tunnel-stats

remip: the remote IP address

locip: the local IP address

remport: the remote port number

locport: the local port number

outintf: the outgoing interface name

cookies: the IKE SA cookies

user: the user name

group: the user group name

useralt: the alternative user name

xauthuser: the XAuth user name

xauthgroup: the XAuth user group name

assignip: the assigned IP address

vpntunnel: the VPN tunnel name

tunnelip: the tunnel IP address

tunnelid: the tunnel ID number

tunneltype: the tunnel type, either ipsec or ssl

duration: the tunnel duration in seconds

sentbyte: the number of bytes sent

rcvdbyte: the number of bytes received

nextstat: the next statistics interval in seconds

advpnsc: the ADVPN shortcut flag, either 0 or 1

Based on the exhibit, the following statement is true:

There is one shortcut tunnel built from master tunnel T_MPLS_0. The VPN tunnel T_MPLS_0 is a master (parent) tunnel over which the ADVPN shortcut is negotiated, and the VPN tunnel T_MPLS_0_0 is a shortcut tunnel built from it. In the exhibit, the log action for T_MPLS_0 is tunnel-up, and the log action for T_MPLS_0_0 is shortcut-up. The advpnsc flag for T_MPLS_0 is 0, indicating that it is not a shortcut tunnel, while the advpnsc flag for T_MPLS_0_0 is 1, indicating that it is a shortcut tunnel.
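The following Python script is an added example for this question; it is not part of the exam material and not Fortinet code. It parses constructed FortiOS-style key=value VPN event log lines (values are made up, fields are trimmed to the ones the script uses, and no log IDs are included), identifies shortcut tunnels by the advpnsc flag, and maps each shortcut back to the master tunnel it was built from by the <master>_<n> naming convention seen in the exhibit (T_MPLS_0_0 from T_MPLS_0). It also lists the tunnel-stats records per tunnel, which is what option A asks about. The naming convention and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample VPN event logs in FortiOS key=value syntax. Values are made up
# (RFC 5737 documentation addresses), fields are trimmed to those used below, and
# log IDs are deliberately omitted so that nothing here looks like a real record.
SAMPLE_LOGS = """\
date=2024-01-15 time=10:01:02 type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec connection status changed" action="tunnel-up" remip=198.51.100.10 locip=203.0.113.5 outintf="port1" vpntunnel="T_MPLS_0" tunnelid=1 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 advpnsc=0
date=2024-01-15 time=10:01:03 type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec connection status changed" action="tunnel-up" remip=198.51.100.20 locip=203.0.113.5 outintf="port2" vpntunnel="T_INET_0" tunnelid=2 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 advpnsc=0
date=2024-01-15 time=10:05:41 type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec connection status changed" action="tunnel-up" remip=198.51.100.77 locip=203.0.113.5 outintf="port1" vpntunnel="T_MPLS_0_0" tunnelid=3 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 advpnsc=1
date=2024-01-15 time=10:10:00 type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec tunnel statistics" action="tunnel-stats" remip=198.51.100.10 locip=203.0.113.5 outintf="port1" vpntunnel="T_MPLS_0" tunnelid=1 tunneltype="ipsec" duration=538 sentbyte=48211 rcvdbyte=50290 advpnsc=0
date=2024-01-15 time=10:10:00 type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec tunnel statistics" action="tunnel-stats" remip=198.51.100.77 locip=203.0.113.5 outintf="port1" vpntunnel="T_MPLS_0_0" tunnelid=3 tunneltype="ipsec" duration=259 sentbyte=9100 rcvdbyte=12044 advpnsc=1
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line: str) -> dict[str, str]:
    """Turn one FortiOS log line into a dict, stripping the quotes around values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def parse_logs(text: str) -> list[dict[str, str]]:
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def master_of(shortcut: str, masters: set[str]) -> Optional[str]:
    """Resolve a shortcut name of the form <master>_<n> to a known master tunnel.
    There should be at most one candidate; the longest is preferred defensively."""
    candidates = [m for m in masters if re.fullmatch(re.escape(m) + r"_\d+", shortcut)]
    return max(candidates, key=len) if candidates else None


def shortcuts_by_master(records: list[dict[str, str]]) -> dict[str, list[str]]:
    """Map every master tunnel to the distinct shortcut tunnels built from it.
    Masters are tunnels logged with advpnsc=0; shortcuts carry advpnsc=1."""
    masters = {r["vpntunnel"] for r in records if r.get("advpnsc") == "0"}
    grouped: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.get("advpnsc") == "1":
            grouped[master_of(r["vpntunnel"], masters) or "<unknown>"].add(r["vpntunnel"])
    return {master: sorted(names) for master, names in grouped.items()}


def stats_records(records: list[dict[str, str]], tunnel: str) -> list[dict[str, str]]:
    """tunnel-stats records for one tunnel; an empty list means no statistics were logged."""
    return [r for r in records if r.get("action") == "tunnel-stats" and r.get("vpntunnel") == tunnel]


def summarise(text: str) -> dict[str, dict]:
    """Per-master summary: shortcut names and whether each shortcut has statistics logs."""
    records = parse_logs(text)
    return {
        master: {
            "shortcuts": names,
            "shortcut_stats": {name: len(stats_records(records, name)) for name in names},
        }
        for master, names in shortcuts_by_master(records).items()
    }


if __name__ == "__main__":
    for master, info in summarise(SAMPLE_LOGS).items():
        print(master, info)
```

Feed it the raw lines from Log & Report or from a syslog collector; masters with an empty shortcut list are tunnels that never spawned a shortcut in the captured window, and a shortcut whose stats count stays at zero has not yet reached its first tunnel-stats interval.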

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate.

Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)

A. FortiGate flags the sessions as dirty.
B. FortiGate continues routing the sessions with no SNAT, over port2.
C. FortiGate performs a route lookup for the original traffic only.
D. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.
Suggested answer: B, D

What is the route-tag setting in an SD-WAN rule used for?

A. To indicate the routes for health check probes.
B. To indicate the destination of a rule based on learned BGP prefixes.
C. To indicate the routes that can be used for routing SD-WAN traffic.
D. To indicate the members that can be used to route SD-WAN traffic.
Suggested answer: B

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups.

Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

A. London generates an IKE information message that contains the Toronto public IP address.
B. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
C. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
D. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.
Suggested answer: B, D

Refer to the exhibit.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0.

Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)

A. The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.
B. T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.
C. T_INET_0_0 does not have a valid route to the destination.
D. T_INET_1_0 has a higher member configuration priority than T_INET_0_0.
Suggested answer: A, C
Total 97 questions