NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Question and Answers

Specify a unique peer ID for each dial-up VPN interface.

Use different proposals are used between the interfaces.

Configure the IKE mode to be aggressive mode.

Use unique Diffie Hellman groups on each VPN interface.

It creates redundant tunnels between hub-and-spokes, in case failure takes place on the primary links.

It dynamically assigns cost and weight between the hub and the spokes, based on the physical distance.

It ensures that spoke-to-spoke traffic no longer needs to flow through the tunnels through the hub.

It provides direct connectivity between all sites by creating on-demand tunnels between spokes.

FortiGate did not refresh the routing information on the session after the application was detected.

Port1 and port2 do not have a valid route to the destination.

Full SSL inspection is not enabled on the matching firewall policy.

The session 3-tuple did not match any of the existing entries in the ISDB application cache.

In the dcl-lab-rm route map configuration, set set-route-tag to 10.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.

In the dcl-lab-rm route map configuration, unset match-community.

An SD-WAN zone can contain only one type of interface.

An SD-WAN zone can contain between 0 and 512 members.

You cannot use an SD-WAN zone in static route definitions.

You can configure up to 32 SD-WAN zones per VDOM.

You can configure full mesh, star, and dial-up VPN topologies.

You must enable VPN zones for SD-WAN deployments.

FortiManager installs VPN settings on both managed and external gateways.

You configure VPN communities to define common IPsec settings shared by all VPN gateways.

It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

It improves SD-WAN performance on the managed FortiGate devices.

It sends probe signals as health checks to the beacon servers on behalf of FortiGate.

It acts as a policy compliance entity to review all managed FortiGate devices.

It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

Encapsulating Security Payload (ESP)

Secure Shell (SSH)

Internet Key Exchange (IKE)

Security Association (SA)

It does not allow you to monitor the status of SD-WAN members.

It is enabled or disabled on a per-ADOM basis.

It is enabled by default.

It uses templates to configure SD-WAN on managed devices.

Application, antivirus, and URL, and SSL inspection

Datacenter, branch offices, and public cloud

FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy

Telephone, ISDN, and telecom network.

The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

The packet size exceeded the outgoing interface MTU.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Each region has its own SD-WAN topology

It is not compatible with ADVPN.

Regions must correspond to geographical areas.

Routing between the hub and spokes must be BGP.

Each BGP route is three hops away from the destination.

ibgp-multipath is disabled.

additional-path is enabled.

You can run the get router info routing-table database command to display the additional paths.

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Non-TCP Facebook and YouTube traffic are not used for performance measurement.

You can manually define the SD-WAN members sequence number.

Interfaces of type virtual wire pair can be used as SD-WAN members.

Interfaces of type VLAN can be used as SD-WAN members.

An SD-WAN member can belong to two or more SD-WAN zones.

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

The measured bandwidth is less than 100 KBps.

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

London generates an IKE information message that contains the Toronto public IP address.

Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.

Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.

The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

The number of simultaneous connections among all source IP addresses cannot exceed five connections.

The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.

The number of simultaneous connections allowed for each source IP address cannot exceed five connections.

The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

Port2 becomes alive after three successful probes are detected.

FortiGate removes all static routes for port2.

The administrator manually restores the static routes for port2, if port2 becomes alive.

Host 8.8.8.8 is reachable through port1 and port2.

Learned routes can be used as dynamic destinations in SD-WAN rules.

You must use BGP to route traffic for both overlay and underlay links.

You must configure AS path prepending.

You must use external BGP.

Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

In the traffic shaping policy, select Assign Shaping Class ID as Action.

In the firewall policy, select Proxy-based as Inspection Mode.

In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

Set additional-path to send

Enable route-reflector-client

Set advertisement-interval to the number of additional paths to advertise

Set adv-additional-path to the number of additional paths to advertise

Enable soft-reconfiguration

Create dynamic mapping for the LAN interface for all devices in the installation target list.

Use a metadata variable instead of a dynamic interface to define the firewall policy.

Dynamic mapping should be done automatically. Review the LAN interface configuration for branch2_fgt.

Policies can refer to only one LAN source interface. Keep only the D-LAN, which is the dynamic LAN interface.

FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.

By default, local-out traffic does not use SD-WAN.

By default, FortiGate does not check if the selected member has a valid route to the destination.

You must configure each local-out feature individually, to use SD-WAN.

Enable auxiliary-session under config system settings.

Disable tсp-session-without-syn under config system settings.

Enable snat-route-change under config system global.

Disable allow-subnet-overlap under config system settings.

diagnose sys sdwan zone

diagnose sys sdwan service

diagnose sys sdwan member

diagnose sys sdwan interface