Winter Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dumps65

DumpsWrap Logo

Fortinet NSE7_SDW-7.2 Dumps

Page: 1 / 10
Total 97 questions
Get NSE7_SDW-7.2 Full Access Download NSE7_SDW-7.2 PDF

Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Question 1

Refer to the exhibits.

Exhibit A -

as

Exhibit B -

as

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.

When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.

Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

Options:

A.

Enable auxiliary-session under config system settings.

B.

Disable tсp-session-without-syn under config system settings.

C.

Enable snat-route-change under config system global.

D.

Disable allow-subnet-overlap under config system settings.

Question 2

Which two statements about SD-WAN central management are true? (Choose two.)

Options:

A.

The objects are saved in the ADOM common object database.

B.

It does not support meta fields.

C.

It uses templates to configure SD-WAN on managed devices.

D.

It supports normalized interfaces for SD-WAN member configuration.

Question 3

Refer to the exhibits.

Exhibit A

as

Exhibit B

as

Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration.

Based on the exhibits, which two statements are correct? (Choose two.)

Options:

A.

FortiGate updated the outgoing interface list on the rule so it prefers port2.

B.

Port2 has the highest member priority.

C.

Port2 has a lower latency than port1.

D.

SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

Question 4

Which two statements reflect the benefits of implementing the ADVPN solution to replace conventional VPN topologies? (Choose two.)

Options:

A.

It creates redundant tunnels between hub-and-spokes, in case failure takes place on the primary links.

B.

It dynamically assigns cost and weight between the hub and the spokes, based on the physical distance.

C.

It ensures that spoke-to-spoke traffic no longer needs to flow through the tunnels through the hub.

D.

It provides direct connectivity between all sites by creating on-demand tunnels between spokes.

Question 5

What does enabling the exchange-interface-ip setting enable FortiGate devices to exchange?

Options:

A.

The gateway address of their IPsec interfaces

B.

The tunnel ID of their IPsec interfaces

C.

The IP address of their IPsec interfaces

D.

The name of their IPsec interfaces

Question 6

Refer to the exhibit.

as

Which conclusion about the packet debug flow output is correct?

Options:

A.

The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

B.

The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

C.

The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

D.

The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

Question 7

In which SD-WAN template field can you use a metadata variable?

Options:

A.

You can use metadata variables only to define interface members and the gateway IP.

B.

All SD-WAN template fields support metadata variables.

C.

Any field Identified with a dollar sign ($) in a magnifying glass.

D.

Any field identified with an "M" in a circle.

Question 8

Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?

    diagnose sys sdwan service

    diagnose sys sdwan route-tag-list

    diagnose sys sdwan member

Options:

A.

diagnose sys sdwan neighbor

Question 9

Refer to the exhibit.

as

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.

Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

Options:

A.

On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.

B.

On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.

C.

auto-discovery-forwarder must be enabled on all IPsec VPNs.

D.

On the hubs, net-device must be enabled on all IPsec VPNs.

Question 10

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

Options:

A.

The sdwan_service_id flag in the session information is 0.

B.

All SD-WAN rules have the default setting enabled.

C.

Traffic does not match any of the entries in the policy route table.

D.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Question 11

Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?

Options:

A.

hold-down-time

B.

link-down-failover

C.

auto-discovery-shortcuts

D.

idle-timeout

Question 12

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

Options:

A.

It provides the benefits of a full-mesh topology in a hub-and-spoke network.

B.

It provides direct connectivity between spokes by creating shortcuts.

C.

It enables spokes to bypass the hub during shortcut negotiation.

D.

It enables spokes to establish shortcuts to third-party gateways.

Question 13

Refer to the exhibit.

as

Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)

Options:

A.

After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

B.

During passive monitoring, FortiGate can’t detect dead members.

C.

FortiGate can offload the traffic that is subject to passive monitoring to hardware.

D.

FortiGate passively monitors the member if TCP traffic is passing through the member.

Question 14

Refer to the exhibit.

as

The device exchanges routes using IBGP.

Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)

Options:

A.

Each BGP route is three hops away from the destination.

B.

ibgp-multipath is disabled.

C.

additional-path is enabled.

D.

You can run the get router info routing-table database command to display the additional paths.

Question 15

Which diagnostic command can you use to show the member utilization statistics measured by performance SLAs for the last 10 minutes?

Options:

A.

diagnose sys sdwan sla-log

B.

diagnose ays sdwan health-check

C.

diagnose sys sdwan intf-sla-log

D.

diagnose sys sdwan log

Question 16

Refer to the exhibits.

Exhibit A -

as

Exhibit B -

as

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status.

If port2 is detected dead by FortiGate, what is the expected behavior?

Options:

A.

Port2 becomes alive after three successful probes are detected.

B.

FortiGate removes all static routes for port2.

C.

The administrator manually restores the static routes for port2, if port2 becomes alive.

D.

Host 8.8.8.8 is reachable through port1 and port2.

Question 17

Which two performance SLA protocols enable you to verify that the server response contains a specific value? (Choose two.)

Options:

A.

http

B.

icmp

C.

twamp

D.

dns

Question 18

Which two statements about the SD-WAN zone configuration are true? (Choose two.)

Options:

A.

The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.

B.

You can delete the default zones.

C.

The default zones are virtual-wan-link and SASE.

D.

An SD-WAN member can belong to two or more zones.

Question 19

Which components make up the secure SD-WAN solution?

Options:

A.

Application, antivirus, and URL, and SSL inspection

B.

Datacenter, branch offices, and public cloud

C.

FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy

D.

Telephone, ISDN, and telecom network.

Question 20

Refer to the exhibit.

as

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

Options:

A.

type must be set to static.

B.

mode-cfg must be enabled.

C.

exchange-interface-ip must be enabled.

D.

add-route must be disabled.

Question 21

Refer to the exhibit.

as

The exhibit shows output of the command diagnose 3vg sdwan service collected on a FortiGate device.

The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HO servers 10.0.0.1.

Based on the exhibits, which two statements are correct? (Choose two.)

Options:

A.

When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

B.

FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

C.

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.

D.

FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

Question 22

Refer to the exhibit.

as

The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.)

Options:

A.

The reply direction of the asymmetric traffic flows from port2 to port3.

B.

The auxiliary session can be offloaded to hardware.

C.

The original direction of the symmetric traffic flows from port3 to port2.

D.

The main session cannot be offloaded to hardware.

Question 23

Refer to the exhibit.

as

Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)

Options:

A.

Cost

B.

Interface member

C.

Priority

D.

Gateway IP

Question 24

Refer to the exhibits.

Exhibit A -

as

Exhibit B -

as

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.

The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.

Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?

Options:

A.

Destination internet service must be enabled on the traffic shaping policy.

B.

Application control must be enabled on the firewall policy.

C.

Web filtering must be enabled on the firewall policy.

D.

Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Question 25

Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)

Options:

A.

Type of physical link connection

B.

Internet service database (ISDB) address object

C.

Source and destination IP address

D.

URL categories

E.

Application signatures

Question 26

What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in a hub-and-spoke topology? (Choose two.)

Options:

A.

VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

B.

FortiManager automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

C.

IPsec recommended template guides the administrator to use Fortinet recommended settings.

D.

IPsec recommended template ensures consistent settings between phase1 and phase2

Question 27

What is a benefit of using application steering in SD-WAN?

Options:

A.

The traffic always skips the regular policy routes.

B.

You steer traffic based on the detected application.

C.

You do not need to enable SSL inspection.

D.

You do not need to configure firewall policies that accept the SD-WAN traffic.

Question 28

Refer to the exhibits.

as

as

Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.

Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration.

The administrator wants to steer corporate traffic using routes tags in the SD-WAN rule ID 1.

However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1.

Based on the exhibits, which configuration change is required to fix issue?

Options:

A.

In the dcl-lab-rm route map configuration, set set-route-tag to 10.

B.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

C.

In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.

D.

In the dcl-lab-rm route map configuration, unset match-community.

Question 29

What are two reasons for using FortiManager to organize and manage the network for a group of FortiGate devices?  (Choose two.)

Options:

A.

It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

B.

It improves SD-WAN performance on the managed FortiGate devices.

C.

It sends probe signals as health checks to the beacon servers on behalf of FortiGate.

D.

It acts as a policy compliance entity to review all managed FortiGate devices.

E.

It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

Load More NSE7_SDW-7.2 Questions
Page: 1 / 10
Total 97 questions
Get NSE7_SDW-7.2 Full Access Download NSE7_SDW-7.2 PDF