NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

In the traffic shaping policy, select Assign Shaping Class ID as Action.

In the firewall policy, select Proxy-based as Inspection Mode.

In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

Packet duplication can leverage multiple IPsec overlays for sending additional data.

Packet duplication does not require a route to the destination.

Packet duplication supports hardware offloading.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

The FortiGate cloud key has not been added to the FortiGate cloud portal.

FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager

The zero-touch provisioning process has completed internally, behind FortiGate.

FortiGate has obtained a configuration from the platform template in FortiGate cloud.

A factory reset performed on FortiGate.

Traffic has matched none of the FortiGate policy routes.

Matched traffic failed RPF and was caught by the rule.

The FIB lookup resolved interface was the SD-WAN interface.

An absolute SD-WAN rule was defined and matched traffic.

The traffic will be load balanced across all three overlays.

The traffic will be routed over T_INET_0_0.

The traffic will be routed over T_MPLS_0.

The traffic will be routed over T_INET_1_0.

You can reference meta fields.

You can configure interfaces as SD-WAN members without having to remove references first.

You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

You can configure advanced CLI settings.

hold-down-time

link-down-failover

auto-discovery-shortcuts

idle-timeout

You can configure full mesh, star, and dial-up VPN topologies.

You must enable VPN zones for SD-WAN deployments.

FortiManager installs VPN settings on both managed and external gateways.

You configure VPN communities to define common IPsec settings shared by all VPN gateways.

You must set ike-version to 1.

You must enable net-device.

You must enable auto-discovery-sender.

You must disable idle-timeout.

You can manually define the SD-WAN members sequence number.

Interfaces of type virtual wire pair can be used as SD-WAN members.

Interfaces of type VLAN can be used as SD-WAN members.

An SD-WAN member can belong to two or more SD-WAN zones.

The objects are saved in the ADOM common object database.

It does not support meta fields.

It uses templates to configure SD-WAN on managed devices.

It supports normalized interfaces for SD-WAN member configuration.

Routes for ADVPN shortcuts must be manually configured.

SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.

SD-WAN does not monitor the health and performance of ADVPN shortcuts.

You must use IKEv2 on IPsec tunnels.

FortiGate flushes all sessions.

FortiGate terminates the old sessions.

FortiGate does not change existing sessions.

FortiGate evaluates new sessions.

The type of traffic defined and allowed on firewall policy ID 1 is UDP.

FortiGate has terminated the session after a change on policy ID 1.

Changes have been made on firewall policy ID 1 on FortiGate.

Firewall policy ID 1 has source NAT disabled.

FortiGate performs route lookups for new sessions only.

Regular policy routes have precedence over SD-WAN rules.

SD-WAN rules have precedence over ISDB routes.

By default, SD-WAN members are skipped if they do not have a valid route to the destination.

By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

FortiGate applies traffic shaping to the original traffic direction only.

FortiGate shares 10 Mbps of bandwidth equally among all source IP addresses.

RIAS

Fortigate limits each source ip address to a maximum bandwidth of 10 Mbps.

FortiGate guarantees a minimum of 10 Mbps of bandwidth to each source IP address.

http

icmp

twamp

dns

update-source

set-route-tag

holdtime-timer

link-down-failover

The reply direction of the asymmetric traffic flows from port2 to port3.

The auxiliary session can be offloaded to hardware.

The original direction of the symmetric traffic flows from port3 to port2.

The main session cannot be offloaded to hardware.

FEC supports hardware offloading.

FEC improves reliability of noisy links.

FEC transmits parity packets that can be used to reconstruct packet loss.

FEC can leverage multiple IPsec tunnels for parity packets transmission.

You must use BGP to route traffic for both overlay and underlay links.

You must configure AS path prepending.

You must configure BGP communities.

IBGP is preferred over EBGP, because IBGP preserves next hop information.

Encapsulating Security Payload (ESP)

Secure Shell (SSH)

Internet Key Exchange (IKE)

Security Association (SA)

System template

BGP template

IPsec tunnel template

CLI template

Overlay template

Interface-based shaping mode

Reverse-policy shaping mode

Shared-policy shaping mode

Per-IP shaping mode

LAG

IPsec

Physical

GRE

It is a hub device. It can send ADVPN shortcut offers.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. The subnet range is 10.10.128.0/23.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.

It is a hub device and will automatically discover the spoke devices that are in the SD-WAN topology.