NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Application, antivirus, and URL, and SSL inspection

Datacenter, branch offices, and public cloud

FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy

Telephone, ISDN, and telecom network.

type must be set to static.

mode-cfg must be enabled.

exchange-interface-ip must be enabled.

add-route must be disabled.

FEC supports hardware offloading.

FEC improves reliability of noisy links.

FEC transmits parity packets that can be used to reconstruct packet loss.

FEC can leverage multiple IPsec tunnels for parity packets transmission.

It is a hub device. It can send ADVPN shortcut offers.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. The subnet range is 10.10.128.0/23.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.

It is a hub device and will automatically discover the spoke devices that are in the SD-WAN topology.

When all three members have the same packet loss.

When T_INET_0_0 has 4% packet loss.

When T_INET_0_0 has 12% packet loss.

When T_INET_1_0 has 4% packet loss.

You can reference meta fields.

You can configure interfaces as SD-WAN members without having to remove references first.

You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

You can configure advanced CLI settings.

The sdwan_service_id flag in the session information is 0.

All SD-WAN rules have the default setting enabled.

Traffic does not match any of the entries in the policy route table.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

It improves SD-WAN performance on the managed FortiGate devices.

It sends probe signals as health checks to the beacon servers on behalf of FortiGate.

It acts as a policy compliance entity to review all managed FortiGate devices.

It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

An SD-WAN zone can contain only one type of interface.

An SD-WAN zone can contain between 0 and 512 members.

You cannot use an SD-WAN zone in static route definitions.

You can configure up to 32 SD-WAN zones per VDOM.

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

The measured bandwidth is less than 100 KBps.

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

FortiGate did not refresh the routing information on the session after the application was detected.

Port1 and port2 do not have a valid route to the destination.

Full SSL inspection is not enabled on the matching firewall policy.

The session 3-tuple did not match any of the existing entries in the ISDB application cache.

The FortiGate cloud key has not been added to the FortiGate cloud portal.

FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager

The zero-touch provisioning process has completed internally, behind FortiGate.

FortiGate has obtained a configuration from the platform template in FortiGate cloud.

A factory reset performed on FortiGate.

VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

FortiManager automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

IPsec recommended template guides the administrator to use Fortinet recommended settings.

IPsec recommended template ensures consistent settings between phase1 and phase2

Traffic has matched none of the FortiGate policy routes.

Matched traffic failed RPF and was caught by the rule.

The FIB lookup resolved interface was the SD-WAN interface.

An absolute SD-WAN rule was defined and matched traffic.

This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.

Two hubs, 10.0.1.101 and 10.0.2.101, are receiving and forwarding queries between each other.

This is a hub that has received a query from a spoke and has forwarded it to another spoke.

Two spokes, 192.2.0.1 and 10.0.2.101, forward their queries to their hubs.

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements

Member metrics are measured only if an SLA target is configured

When configuring an SD-WAN rule you can select multiple SLA targets of the same performance SLA

SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy

FortiGate flushes all sessions.

FortiGate terminates the old sessions.

FortiGate does not change existing sessions.

FortiGate evaluates new sessions.

diagnose sys sdwan neighbor

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

Create policy packages for branch devices.

Assign an sdwan_id metadata variable to each device (branch and hub}.

Configure routing through overlay tunnels created by the SD-WAN overlay template.

Assign a branch_id metadata variable to each branch device.

Configure SD-WAN rules.

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

Set additional-path to send

Enable route-reflector-client

Set advertisement-interval to the number of additional paths to advertise

Set adv-additional-path to the number of additional paths to advertise

Enable soft-reconfiguration

diagnose sys sdwan zone

diagnose sys sdwan service

diagnose sys sdwan member

diagnose sys sdwan interface

The ISDB is dynamically updated and reduces administrative overhead.

The ISDB requires application control to maintain signatures and perform load balancing.

The ISDB applies rules to traffic from specific sources, based on application type.

The ISDB contains the IP addresses and port ranges of well-known internet services.

You can apply a system template and a CLI template to the same FortiGate device.

A CLI template can be of type CLI script or Perl script.

A template group can include a system template and an SD-WAN template.

A template group can contain CLI templates of both types.

Templates are applied in order, from top to bottom.

LAG

IPsec

Physical

GRE