NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Set priority 10.

Set cost 15.

Set load-balance-mode source-ip-ip-based.

Set source 100.64.1.1.

Setadditional-pathtosend

Enableroute-reflector-client

Setadvertisement-intervalto the number of additional paths to advertise

Setadv-additional-pathto the number of additional paths to advertise

Enablesoft-reconfiguration

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements

Member metrics are measured only if an SLA target is configured

When configuring an SD-WAN rule you can select multiple SLA targets of the same performance SLA

SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy

FortiGate performs route lookups for new sessions only.

Regular policy routes have precedence over SD-WAN rules.

SD-WAN rules have precedence over ISDB routes.

By default, SD-WAN members are skipped if they do not have a valid route to the destination.

By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change.

FortiGate performs routing lookups for new sessions only, after a route change.

FortiGate always blocks all traffic, after a route change.

FortiGate flushes all routing information from the session table, after a route change.

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

The measured bandwidth is less than 100 KBps.

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

update-source

set-route-tag

holdtime-timer

link-down-failover

Enable auxiliary-session under config system settings.

Disable tсp-session-without-syn under config system settings.

Enable snat-route-change under config system global.

Disable allow-subnet-overlap under config system settings.

The traffic will be load balanced across all three overlays.

The traffic will be routed over T_INET_0_0.

The traffic will be routed over T_MPLS_0.

The traffic will be routed over T_INET_1_0.

http

icmp

twamp

dns

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

You can reference meta fields.

You can configure interfaces as SD-WAN members without having to remove references first.

You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

You can configure advanced CLI settings.

When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.

FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

It is a hub device. It can send ADVPN shortcut offers.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. The subnet range is 10.10.128.0/23.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.

It is a hub device and will automatically discover the spoke devices that are in the SD-WAN topology.

Theservice-sla-tie-breaksetting enables you to configure preferred member selection based on the best route to the destination.

You can delete the default zones.

The default zones are virtual-wan-link and SASE.

An SD-WAN member can belong to two or more zones.

FortiGate does not install IPsec static routes for remote protected networks in the routing table.

The phase 1 configuration supports the network-overlay setting.

FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

Dead peer detection is disabled.

You can configure full mesh, star, and dial-up VPN topologies.

You must enable VPN zones for SD-WAN deployments.

FortiManager installs VPN settings on both managed and external gateways.

You configure VPN communities to define common IPsec settings shared by all VPN gateways.

The dead member interface stays unavailable until an administrator manually brings the interface back.

Port2 needs to wait 500 milliseconds to change the status from alive to dead.

Static routes using port2 are active in the routing table.

FortiGate has not received three consecutive requests from the SLA server configured for port2.

Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

In the traffic shaping policy, select Assign Shaping Class ID as Action.

In the firewall policy, select Proxy-based as Inspection Mode.

In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

You can assign only one template with a tunnel of fype static to each FortiGate device

You can define only one IPsec tunnel from branch devices to HUB1.

You can assign only one IPsec template to each FortiGate device.

You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.

Interface-based shaping mode

Reverse-policy shaping mode

Shared-policy shaping mode

Per-IP shaping mode

System template

BGP template

IPsec tunnel template

CLI template

Overlay template

Provide direct internet access on spokes

Provide internet access through the hub

Centralize security inspection on the hub

Provide thorough inspection on spokes

Destination internet service must be enabled on the traffic shaping policy.

Application control must be enabled on the firewall policy.

Web filtering must be enabled on the firewall policy.

Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

It does not allow you to monitor the status of SD-WAN members.

It is enabled or disabled on a per-ADOM basis.

It is enabled by default.

It uses templates to configure SD-WAN on managed devices.