NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

The traffic always skips the regular policy routes.

You steer traffic based on the detected application.

You do not need to enable SSL inspection.

You do not need to configure firewall policies that accept the SD-WAN traffic.

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Non-TCP Facebook and YouTube traffic are not used for performance measurement.

An SD-WAN zone can contain only one type of interface.

An SD-WAN zone can contain between 0 and 512 members.

You cannot use an SD-WAN zone in static route definitions.

You can configure up to 32 SD-WAN zones per VDOM.

FortiGate flags the sessions as dirty.

FortiGate continues routing the sessions with no SNAT, over port2.

FortiGate performs a route lookup for the original traffic only.

FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

The health-check VPN_PING orders the members according to the lowest jitter.

The interface T_INET_1 missed one SLA target.

There is no SLA criteria configured for the health-check Level3_DNS.

The interface T_INET_0 missed three SLA targets.

The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.

You can delete the default zones.

The default zones are virtual-wan-link and SASE.

An SD-WAN member can belong to two or more zones.

FortiGate updated the outgoing interface list on the rule so it prefers port2.

Port2 has the highest member priority.

Port2 has a lower latency than port1.

SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

Packet duplication can leverage multiple IPsec overlays for sending additional data.

Packet duplication does not require a route to the destination.

Packet duplication supports hardware offloading.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

In the dcl-lab-rm route map configuration, set set-route-tag to 10.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.

In the dcl-lab-rm route map configuration, unset match-community.

On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.

On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.

auto-discovery-forwarder must be enabled on all IPsec VPNs.

On the hubs, net-device must be enabled on all IPsec VPNs.

The ISDB is dynamically updated and reduces administrative overhead.

The ISDB requires application control to maintain signatures and perform load balancing.

The ISDB applies rules to traffic from specific sources, based on application type.

The ISDB contains the IP addresses and port ranges of well-known internet services.

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

During passive monitoring, FortiGate can’t detect dead members.

FortiGate can offload the traffic that is subject to passive monitoring to hardware.

FortiGate passively monitors the member if TCP traffic is passing through the member.

VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

FortiManager automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

IPsec recommended template guides the administrator to use Fortinet recommended settings.

IPsec recommended template ensures consistent settings between phase1 and phase2

There are no IPsec tunnel statistics log messages for ADVPN cuts.

There is one shortcut tunnel built from master tunnel T_MPLS_0.

The VPN tunnel T_MPLS_0 is a shortcut tunnel.

The master tunnel T_INET_0 cannot accept the ADVPN shortcut. 

FortiGate does not install IPsec static routes for remote protected networks in the routing table. Most Voted

The phase 1 configuration supports the network-overlay setting. Most Voted

FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

Dead peer detection is disabled.

update-source

set-route-tag

holdtime-timer

link-down-failover

Interface-based shaping mode

Reverse-policy shaping mode

Shared-policy shaping mode

Per-IP shaping mode

You can assign only one template with a tunnel of fype static to each FortiGate device

You can define only one IPsec tunnel from branch devices to HUB1.

You can assign only one IPsec template to each FortiGate device.

You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.

FortiGate bounces port5 after it detects all SD-WAN members as dead.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

FortiGate brings down port5 after it detects all SD-WAN members as dead.