FCSSNS WDS 1

Based on the output shown in the exhibit, which statement is true?. There is one shortcut tunnel built from master tunnel T_MPLS_0. The master tunnel T_INET_0 cannot accept the ADVPN shortcut. There are no IPsec tunnel statistics log messages for ADVPN shortcuts. The VPN tunnel T_MPLS_0 is a shortcut tunnel.

Refer to the exhibit. Based on the exhibit which action does FortiGate take?. FortiGate brings down port5 after it detects all SD-WAN members as dead. FortiGate brings up port5 after it detects all SD-WAN members as alive. FortiGate bounces port5 after it detects all SD-WAN members as dead. FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

Which two statements about SLA targets and SD-WAN rules are true? (Choose two.). SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements. Member metrics are measured only if an SLA target is configured. When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA. SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.). The session information output displays no SD-WAN-specific details. All SD-WAN rules have the default and gateway setting enabled. Traffic does not match any of the entries in the policy route table. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Refer to the exhibit. In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling the anti-replay setting on the hubs?. It instructs the hub to skip content inspection on TCP traffic, to improve performance. It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance. It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs. It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke. What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?. You must disable idle-timeout. You must set ike-version to 1. You must enable auto-discovery-sender. You must enable net-device.

Within IPsec tunnel templates available on FortiManager, which template will you use to configure static tunnels for a hub and spoke topology?. Hub_IPsec_Recommended. Static_IPsec_Recommended. IPsec Fortinet Recommended. Branch IPsec Recommended.

Refer to the exhibit. An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0. However, the traffic is routed over T_INET_1. Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.). T_INET_1 has a lower route priority value (higher priority) than T_INET_0. The traffic matches a regular policy route configured with T_INET_1 as the outgoing device. T_INET_1 has a higher member configuration priority than T_INET_0. T_INET_0 does not have a valid route to the destination.

Which two settings can you configure to speed up routing convergence in BGP? (Choose two.). link-down-failover. update-source. holdtime-timer. set-route-rag.

Refer to the exhibits. An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A. After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1. Which two reasons explain why some log messages show that the traffic matched the implicit SD-WAN rule? (Choose two.). Port1 and port2 do not have a valid route to the destination. The session 3-tuple did not match any of the existing entries in the ISDB application cache. Full SSL inspection is not enabled on the matching firewall policy. FortiGate did not refresh the routing information on the session after the application was detected.

What are two common use cases for remote internet access (RIA)? (Choose two.). Provide internet access through the hub. Centralize security inspection on the hub. Provide thorough inspection on spokes. Provide direct internet access on spokes.

What are two benefits of choosing packet duplication over FEC for data loss correction on noisy links? (Choose two.). Packet duplication does not require a route to the destination. Packet duplication can leverage multiple IPsec overlays for sending additional data. Packet duplication supports hardware offloading. Packet duplication uses smaller parity packets which results in less bandwidth consumption.

Refer to the exhibit. Which statement explains the output shown in the exhibit?. FortiGate performed standard FIB routing on the session. FortiGate will not re-evaluate the session following a firewall policy change. FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic. FortiGate must re-evaluate the session due to routing change.

The exhibit shows output of the command diagnose sys sdwan service collected on a FortiGate device. The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HQ servers 10.0.0.1. Based on the exhibits, which two statements are correct? (Choose two.). There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1. FortiGate steers traffic to HQ servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected. When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3. FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

Refer to the exhibit, which shows output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.). The interface T_INET_0 missed three SLA targets. The interface T_INET_1 missed one SLA target. There is no SLA criteria configured for the health-check Level3_DNS. The health-check VPN_PING orders the members according to the measured jitter.

Refer to the exhibit. Which statement about the role of the ADVPN device in handling traffic is true?. This is a spoke that has received an offer from a remote hub. Two spokes, 192.2.0.1 and 10.0.2.101, establish a shortcut. This is a hub that has received an offer from a spoke and has forwarded it to another spoke. An IKE session is established between 10.0.1.101 and 10.0.2.101 in the process of forming a shortcut tunnel.

Refer to the exhibit. The exhibit shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?. When T_INET_0_0 has a latency of 250 ms. When T_MPLS_0 has a latency of 80 ms. When T_INET_0_0 and T_MPLS_0 have the same latency. When T_MPLS_0 has a latency of 100 ms.

What are two benefits of using forward error correction (FEC) in IPsec VPNs? (Choose two.). FEC can leverage multiple IPsec tunnels for parity packets transmission. FEC transmits parity packets that can be used to reconstruct packet loss. FEC improves reliability of noisy links. FEC supports hardware offloading.

Which statement is correct about SD-WAN and ADVPN?. SD-WAN can steer traffic to ADVPN shortcuts only for rules defined with strategy manual or best quality. SD-WAN does not monitor the health and performance of ADVPN shortcuts. SD-WAN cannot steer traffic to ADVPN shortcuts established over IPSec overlays if the zone contains physical interfaces. SD-WAN can steer traffic to ADVPN shortcuts established over IPsec overlays configured as SD-WAN members.

Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members?. diagnose sys sdwan member. diagnose sys sdwan interface. diagnose sys sdwan zone. diagnose sys sdwan service.

What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in an hub-and-spoke topology? (Choose two.). It ensures consistent settings between phase1 and phase2. It guides the administrator to use Fortinet recommended settings. The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template. It automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.