NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

The session information output displays no SD-WAN-specific details.

All SD-WAN rules have the default and gateway setting enabled.

Traffic does not match any of the entries in the policy route table.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Packet duplication can leverage multiple IPsec overlays for sending additional data.

Packet duplication does not require a route to the destination.

Packet duplication supports hardware offloading.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

When all three members have the same packet loss.

When T_INET_0_0 has 4% packet loss.

When T_INET_0_0 has 12% packet loss.

When T_INET_1_0 has 4% packet loss.

Encapsulating Security Payload (ESP)

Secure Shell (SSH)

Internet Key Exchange (IKE)

Security Association (SA)

System template

BGP template

IPsec tunnel template

CLI template

Overlay template

You can delete the virtual-wan-link zone because it contains no member.

The corporate zone contains no member.

You can move port1 from the underlay zone to the overlay zone.

The overlay zone contains four members.

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

Specify a unique peer ID for each dial-up VPN interface.

Use different proposals are used between the interfaces.

Configure the IKE mode to be aggressive mode.

Use unique Diffie Hellman groups on each VPN interface.

The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

FortiGate bounces port5 after it detects all SD-WAN members as dead.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

FortiGate brings down port5 after it detects all SD-WAN members as dead.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

Three packets are exchanged between an initiator and a responder instead of six packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

You can reference meta fields.

You can configure interfaces as SD-WAN members without having to remove references first.

You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

You can configure advanced CLI settings.

It does not allow you to monitor the status of SD-WAN members.

It is enabled or disabled on a per-ADOM basis.

It is enabled by default.

It uses templates to configure SD-WAN on managed devices.

It ensures consistent settings between phase1 and phase2.

It guides the administrator to use Fortinet recommended settings.

It automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

FortiGate flushes all sessions.

FortiGate terminates the old sessions.

FortiGate does not change existing sessions.

FortiGate evaluates new sessions.

Application, antivirus, and URL, and SSL inspection

Datacenter, branch offices, and public cloud

FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy

Telephone, ISDN, and telecom network.

This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.

Two hubs, 10.0.1.101 and 10.0.2.101 , are receiving and forwarding queries between each other.

This is a hub that has received a query from a spoke and has forwarded it to another spoke.

Two spokes, 192.2.0.1 and 10.0.2.101 , forward their queries to their hubs.

FortiGate did not refresh the routing information on the session after the application was detected.

Port1 and port2 do not have a valid route to the destination.

Full SSL inspection is not enabled on the matching firewall policy.

The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Each BGP route is three hops away from the destination.

ibgp-multipath is disabled.

additional-path is enabled.

You can run the get router info routing-table database command to display the additional paths.

Set priority 10.

Set cost 15.

Set load-balance-mode source-ip-ip-based.

Set source 100.64.1.1.

FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.

By default, local-out traffic does not use SD-WAN.

By default, FortiGate does not check if the selected member has a valid route to the destination.

You must configure each local-out feature individually, to use SD-WAN.

diagnose sys sdwan neighbor

Traffic has matched none of the FortiGate policy routes.

Matched traffic failed RPF and was caught by the rule.

The FIB lookup resolved interface was the SD-WAN interface.

An absolute SD-WAN rule was defined and matched traffic.

It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

It improves SD-WAN performance on the managed FortiGate devices.

It sends probe signals as health checks to the beacon servers on behalf of FortiGate.

It acts as a policy compliance entity to review all managed FortiGate devices.

It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Non-TCP Facebook and YouTube traffic are not used for performance measurement.