NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Provide direct internet access on spokes

Provide internet access through the hub

Centralize security inspection on the hub

Provide thorough inspection on spokes

Each BGP route is three hops away from the destination.

ibgp-multipath is disabled.

additional-path is enabled.

You can run the get router info routing-table database command to display the additional paths.

You can manually define the SD-WAN members sequence number.

Interfaces of type virtual wire pair can be used as SD-WAN members.

Interfaces of type VLAN can be used as SD-WAN members.

An SD-WAN member can belong to two or more SD-WAN zones.

You can apply a system template and a CLI template to the same FortiGate device.

A CLI template can be of type CLI script or Perl script.

A template group can include a system template and an SD-WAN template.

A template group can contain CLI templates of both types.

Templates are applied in order, from top to bottom.

Cost

Interface member

Priority

Gateway IP

The session information output displays no SD-WAN-specific details.

All SD-WAN rules have the default and gateway setting enabled.

Traffic does not match any of the entries in the policy route table.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Assign an sdwan_id metadata variable to each device (branch and hub).

Assign a branch_id metadata variable to each branch device.

Create policy packages for branch devices.

Configure SD-WAN rules.

Configure routing through overlay tunnels created by the SD-WAN overlay template.

System template

BGP template

IPsec tunnel template

CLI template

Overlay template

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

The measured bandwidth is less than 100 KBps.

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

port1 is assigned a manual IP address.

port1 is referenced in a firewall policy.

port2 is referenced in a static route.

port1 and port2 are not administratively down.

The type of traffic defined and allowed on firewall policy ID 1 is UDP.

FortiGate has terminated the session after a change on policy ID 1.

Changes have been made on firewall policy ID 1 on FortiGate.

Firewall policy ID 1 has source NAT disabled.

LAG

IPsec

Physical

GRE

It ensures consistent settings between phase1 and phase2.

It guides the administrator to use Fortinet recommended settings.

It automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

Static_IPsec_Recommended

Hub_IPsec_Recommended

Branch_IPsec_Recommended

IPsec_Fortinet_Recommended

Routes for ADVPN shortcuts must be manually configured.

SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.

SD-WAN does not monitor the health and performance of ADVPN shortcuts.

You must use IKEv2 on IPsec tunnels.

Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

In the traffic shaping policy, select Assign Shaping Class ID as Action.

In the firewall policy, select Proxy-based as Inspection Mode.

In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

diagnose sys sdwan zone

diagnose sys sdwan service

diagnose sys sdwan member

diagnose sys sdwan interface

Port2 becomes alive after three successful probes are detected.

FortiGate removes all static routes for port2.

The administrator manually restores the static routes for port2, if port2 becomes alive.

Host 8.8.8.8 is reachable through port1 and port2.

In the dc1-lan-rm route map configuration, set set-route-tag to 10.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

In the dc1-lan-rm route map configuration, unset match-community.

In the BGP neighbor configuration, apply the route map dc1-lan-rm in the outbound direction.

FortiGate performed standard FIB routing on the session.

FortiGate will not re-evaluate the session following a firewall policy change.

FortiGate used192.2.0.1as the gateway for the original direction of the traffic.

FortiGate must re-evaluate the session due to routing change.

On the hubs,auto-discovery-sendermust be enabled on the IPsec VPNs to spokes.

On the spokes,auto-discovery-receivermust be enabled on the IPsec VPN to the hub.

auto-discovery-forwardermust be enabled on all IPsec VPNs.

On the hubs,net-devicemust be enabled on all IPsec VPNs.

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Non-TCP Facebook and YouTube traffic are not used for performance measurement.

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

The ISDB is dynamically updated and reduces administrative overhead.

The ISDB requires application control to maintain signatures and perform load balancing.

The ISDB applies rules to traffic from specific sources, based on application type.

The ISDB contains the IP addresses and port ranges of well-known internet services.

You must set ike-version to 1.

You must enable net-device.

You must enable auto-discovery-sender.

You must disable idle-timeout.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

A total of six packets are exchanged between an initiator and a responder instead of three packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.