NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Question and Answers

It creates redundant tunnels between hub-and-spokes, in case failure takes place on the primary links.

It dynamically assigns cost and weight between the hub and the spokes, based on the physical distance.

It ensures that spoke-to-spoke traffic no longer needs to flow through the tunnels through the hub.

It provides direct connectivity between all sites by creating on-demand tunnels between spokes.

When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.

SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.

Member metrics are measured only if an SLA target is configured.

The objects are saved in the ADOM common object database.

It does not support meta fields.

It uses templates to configure SD-WAN on managed devices.

It supports normalized interfaces for SD-WAN member configuration.

When T_INET_0_0 and T_MPLS_0 have the same latency.

When T_MPLS_0 has a latency of 100 ms.

When T_INET_0_0 has a latency of 250 ms.

When T_N1PLS_0 has a latency of 80 ms.

It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

It improves SD-WAN performance on the managed FortiGate devices.

It sends probe signals as health checks to the beacon servers on behalf of FortiGate.

It acts as a policy compliance entity to review all managed FortiGate devices.

It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

On the hubs,auto-discovery-sendermust be enabled on the IPsec VPNs to spokes.

On the spokes,auto-discovery-receivermust be enabled on the IPsec VPN to the hub.

auto-discovery-forwardermust be enabled on all IPsec VPNs.

On the hubs,net-devicemust be enabled on all IPsec VPNs.

Set priority 10.

Set cost 15.

Set load-balance-mode source-ip-ip-based.

Set source 100.64.1.1.

Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

In the traffic shaping policy, select Assign Shaping Class ID as Action.

In the firewall policy, select Proxy-based as Inspection Mode.

In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

Three packets are exchanged between an initiator and a responder instead of six packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.

By default, local-out traffic does not use SD-WAN.

By default, FortiGate does not check if the selected member has a valid route to the destination.

You must configure each local-out feature individually, to use SD-WAN.

System template

BGP template

IPsec tunnel template

CLI template

Overlay template

Interface-based shaping mode

Reverse-policy shaping mode

Shared-policy shaping mode

Per-IP shaping mode

Setadditional-pathtosend

Enableroute-reflector-client

Setadvertisement-intervalto the number of additional paths to advertise

Setadv-additional-pathto the number of additional paths to advertise

Enablesoft-reconfiguration

FortiGate bounces port5 after it detects all SD-WAN members as dead.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

FortiGate brings down port5 after it detects all SD-WAN members as dead.

All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.

FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

Traffic has matched none of the FortiGate policy routes.

Matched traffic failed RPF and was caught by the rule.

The FIB lookup resolved interface was the SD-WAN interface.

An absolute SD-WAN rule was defined and matched traffic.

FEC supports hardware offloading.

FEC improves reliability of noisy links.

FEC transmits parity packets that can be used to reconstruct packet loss.

FEC can leverage multiple IPsec tunnels for parity packets transmission.

It ensures consistent settings between phase1 and phase2.

It guides the administrator to use Fortinet recommended settings.

It automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

FortiGate does not install IPsec static routes for remote protected networks in the routing table.

The phase 1 configuration supports the network-overlay setting.

FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

Dead peer detection is disabled.

You can apply a system template and a CLI template to the same FortiGate device.

A CLI template can be of type CLI script or Perl script.

A template group can include a system template and an SD-WAN template.

A template group can contain CLI templates of both types.

Templates are applied in order, from top to bottom.

It does not allow you to monitor the status of SD-WAN members.

It is enabled or disabled on a per-ADOM basis.

It is enabled by default.

It uses templates to configure SD-WAN on managed devices.

FortiGate updated the outgoing interface list on the rule so it prefers port2.

Port2 has the highest member priority.

Port2 has a lower latency than port1.

SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

The measured bandwidth is less than 100 KBps.

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

port1 is assigned a manual IP address.

port1 is referenced in a firewall policy.

port2 is referenced in a static route.

port1 and port2 are not administratively down.

You can use metadata variables only to define interface members and the gateway IP.

All SD-WAN template fields support metadata variables.

Any field Identified with a dollar sign ($) in a magnifying glass.

Any field identified with an "M" in a circle.