Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test

The traffic always skips the regular policy routes.

You steer traffic based on the detected application.

You do not need to enable SSL inspection.

You do not need to configure firewall policies that accept the SD-WAN traffic.

Set additional-path to send

Enable route-reflector-client

Set advertisement-interval to the number of additional paths to advertise

Set adv-additional-path to the number of additional paths to advertise

Enable soft-reconfiguration

On the receiver FortiGate, packet-de-duplication is enabled.

The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.

The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.

On the sender FortiGate, duplication-max-num is set to 3.

Routes for ADVPN shortcuts must be manually configured.

SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.

SD-WAN does not monitor the health and performance of ADVPN shortcuts.

You must use IKEv2 on IPsec tunnels.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

Three packets are exchanged between an initiator and a responder instead of six packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

You can configure full mesh, star, and dial-up VPN topologies.

You must enable VPN zones for SD-WAN deployments.

FortiManager installs VPN settings on both managed and external gateways.

You configure VPN communities to define common IPsec settings shared by all VPN gateways.

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

There are no IPsec tunnel statistics log messages for ADVPN cuts.

There is one shortcut tunnel built from master tunnel T_MPLS_0.

The VPN tunnel T_MPLS_0 is a shortcut tunnel.

The master tunnel T_INET_0 cannot accept the ADVPN shortcut. 

type must be set to static.

mode-cfg must be enabled.

exchange-interface-ip must be enabled.

add-route must be disabled.

diagnose sys sdwan neighbor

All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

In the dcl-lab-rm route map configuration, set set-route-tag to 10.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.

In the dcl-lab-rm route map configuration, unset match-community.

The objects are saved in the ADOM common object database.

It does not support meta fields.

It uses templates to configure SD-WAN on managed devices.

It supports normalized interfaces for SD-WAN member configuration.

It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

It improves SD-WAN performance on the managed FortiGate devices.

It sends probe signals as health checks to the beacon servers on behalf of FortiGate.

It acts as a policy compliance entity to review all managed FortiGate devices.

It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

get router info routing-table all

diagnose debug application ike

diagnose vpn tunnel list

get ipsec tunnel list

When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.

SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.

Member metrics are measured only if an SLA target is configured.

FortiGate did not refresh the routing information on the session after the application was detected.

Port1 and port2 do not have a valid route to the destination.

Full SSL inspection is not enabled on the matching firewall policy.

The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Enable auxiliary-session under config system settings.

Disable tсp-session-without-syn under config system settings.

Enable snat-route-change under config system global.

Disable allow-subnet-overlap under config system settings.

The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

http

icmp

twamp

dns

You can assign only one template with a tunnel of fype static to each FortiGate device

You can define only one IPsec tunnel from branch devices to HUB1.

You can assign only one IPsec template to each FortiGate device.

You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.

Encapsulating Security Payload (ESP)

Secure Shell (SSH)

Internet Key Exchange (IKE)

Security Association (SA)

hold-down-time

link-down-failover

auto-discovery-shortcuts

idle-timeout

The number of simultaneous connections among all source IP addresses cannot exceed five connections.

The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.

The number of simultaneous connections allowed for each source IP address cannot exceed five connections.

The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements

Member metrics are measured only if an SLA target is configured

When configuring an SD-WAN rule you can select multiple SLA targets of the same performance SLA

SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy

You can reference meta fields.

You can configure interfaces as SD-WAN members without having to remove references first.

You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

You can configure advanced CLI settings.

The reply direction of the asymmetric traffic flows from port2 to port3.

The auxiliary session can be offloaded to hardware.

The original direction of the symmetric traffic flows from port3 to port2.

The main session cannot be offloaded to hardware.

Cost

Interface member

Priority

Gateway IP

You can use metadata variables only to define interface members and the gateway IP.

All SD-WAN template fields support metadata variables.

Any field Identified with a dollar sign ($) in a magnifying glass.

Any field identified with an "M" in a circle.