SD-WAN 4/4

Two hub-and-spoke groups are connected through redundant site-to-site IPsec VPNs between Hub 1 and Hub 2 Which two configuration settings are required for the spoke A1 to establish an ADVPN shortcut with the spoke B2? (Choose two.). On hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to hubs. On hubs, auto-discovery-receiver must be enabled on the IPsec VPNs to spokes. On hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to spokes. On hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.

Refer to the exhibit. Which SD-WAN rule and interface uses FortiGate to steer the traffic from the LAN subnet 10.0.1.0/24 to the corporate server 10.2.5.254?. SD-WAN service rule 3 and interface HUB1-VPN2. SD-WAN service rule 3 and interface HUB1-VPN3. SD-WAN service rule 4 and port1 or port2. SD-WAN service rule 4 and interface port2.

Refer to the exhibit. You want to configure SD-WAN on a network as shown in the exhibit. The network contains many FortiGate devices. Some are used as NGFW, and some are installed with extensions such as FortiSwitch. FortiAP. or Forti Ex tender. What should you consider when planning your deployment?. You can build an SD-WAN topology that includes all devices. The hubs can be FortiGate devices with Forti Extender. You can build an SD-WAN topology that includes all devices. The hubs must be devices without extensions. You must use FortiManager to manage your SD-WAN topology. You must build multiple SD-WAN topologies. Each topology must contain only one type of extension.

Refer to the exhibit that shows event logs on FortiGate. Based on the output shown in the exhibit, what can you say about the tunnels on this device?. The master tunnel HU82-VPN3 cannot accept ADVPN shortcuts. The device steers voice traffic through the VPN tunnel HUB1-VPN3. The VPN tunnel HUB1-VPN1_0 is a shortcut tunnel. There is one shortcut tunnel built from master tunnel VPN4.

You are planning a large SD-WAN deployment with approximately 1000 spokes and want to allow ADVPN between the spokes. Some remote sites use FortiSASE to connect to the company's SD-WAN hub. Which overlay routing configuration should you use?. BGP on loopback with dynamic BGP for ADVPN shortcut routing. BGP on loopback with IPsec phase2 selectors for ADVPN shortcut routing. BGP per overlay with dynamic BGP for ADVPN shortcut routing. BGP per overlay with BGP next-hop convergence for ADVPN shortcut routing.

You connect to a device behind a branch FortiGate device and initiate a ping test. The device is part of the LAN subnet and its IP address is 10.0.1.101. Based on the exhibits, which interface uses branch 1_fgt to steer the test traffic?. port4. HUB1-VPN1. port1. port2.

You manage an SD-WAN topology. You will soon deploy 50 new branches. Which three tasks can you do in advance to simplify this deployment? (Choose three.). Update the DHCP server configuration. Create model devices. Create a ZTP template. Define metadata variables value for each device. Create policy blueprint.

Refer to the exhibit. An administrator configures SD-WAN rules for a DIA setup using the FortiGate GUI. The page to configure the source and destination part of the rule looks as shown in the exhibit. The GUI page shows no option to configure an application as the destination of the SD-WAN rule Why?. You cannot use applications as the destination when FortiGate is used for a DIA setup. FortiGate allows the configuration of applications as the destination of SD-WAN rules only on the CLI. You must enable the feature on the CLI. You must enable the feature first using the GUI menu System > Feature Visibility.

You are planning a new SD-WAN deployment with the following criteria: - Two regions - Most of the traffic is expected to remain within its region - No requirement for inter-region ADVPN To remain within the recommended best practices, which routing protocol should you select for the overlays?. OSPF for the routing within each region and EBGP between the regions. IBGP with BGP on loopback within each region and EBGP between the regions. IBGP with BGP per overlays within each region and IBGP with BGP on loopback between the regions. IBGP within each region and between the regions.

Exhibit. The administrator configured the IPsec tunnel VPN1 on a FortiGate device with the parameters shown in exhibit. Based on the configuration, which three conclusions can you draw about the characteristics and requirements of the VPN tunnel? (Choose three.). The remote end can be a third-party IPsec device. The tunnel interface IP address on the spoke side is provided by the hub. The administrator must manually assign the tunnel interface IP address on the hub side. This configuration allows user-defined overlay IP addresses. The remote end must support IKEv2.

You have a FortiGate configuration with three user-defined SD-WAN zones and two members in each of these zones. One SD-WAN member is no longer in use in health-check and SD-WAN rules. You want to delete it. What happens if you delete the SD-WAN member from the FortiGate GUI?. FodiGate accepts the deletion and removes routes as required. FortiGate displays an error message. You must use the CLI to delete an SD-WAN member. FortiGate displays an error message. SD-WAN zones must contain at least two members. FortiGate accepts the deletion and places the member in the default SD-WAN zone.

When you use the command diagnose sys session list, how do you identify the sessions that correspond to traffic steered according to SD-WAN rules?. You identify sessions steered according to SD-WAN rules with the flag vwl. You cannot identify SD-WAN sessions. You must use the sdwar. session filter. You identify sessions steered according to SD-WAN rules with the data vwl_mbr_seq. You identify sessions steered according to SD-WAN rules with the data Sdwan_service_id.

SD-WAN interacts with many other FortiGate features. Some of them are required to allow SD-WAN to steer the traffic. Which three configuration elements that you must configure before FortiGate can steer traffic according to SD-WAN rules? (Choose three.). Firewall policies. Interfaces. Security profiles. Traffic shaping. Routing.

Which three characteristics apply to provisioning templates available on FortiManager? (Choose three.). A template group can include a system template and an SD-WAN template. Each template group can contain up to three IPsec tunnel templates. CLI templates are applied in order, from top to bottom. A CLI template group can contain CLI templates of both types. A CLI template can be of type CLI script or Perl script.

An administrator checks the status of an SD-WAN topology using the FortiManager SD-WAN monitor menus. All members are configured with one or two SLAs. Which two conclusions can you draw from the output shown? (Choose two.). One member of branch2_fgt is missing the SLAs. branch2_fgt establishes six tunnels to the hubs and they are all up. This SD-WAN topology contains only two branch devices. The template view should be used to see the hub devices.

You are tasked with configuring ADVPN 2.0 on an SD-WAN topology already configured for ADVPN. What should you do to implement ADVPN 2.0 in this scenario?. Update the IPsec tunnel configurations on the hub. Update the SD-WAN configuration on the branches. Update the IPsec tunnel configuration on the branches. Delete the existing ADVPN configuration and configure ADVPN 2.0.

Which statement describes FortiGate behavior when you reference a zone in a static route?. FoftiGate installs ECMP static routes for the first two members of the zone. FortiGate ignores the static routes defined through members referenced in the zone. FortiGate routes the traffic through the best performing member of the zone. FortiGate installs a static route for each member in the zone.

Refer to the exhibit. An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over HUB1-VPN1. However, the traffic is routed over HUB1-VPN3. Based on the output shown in the exhibit, which two reasons, individually or together, could explain the observed behavior? (Choose two.). HUB1-VPN3 has a higher member configuration priority than HUB1-VPN1. The traffic matches a regular policy route configured with HUB1-VPN3 as the outgoing device. HUB1-VPN1 does not have a valid route to the destination. HUB1-VPN3 has a lower route priority value (higher priority) than HUB1-VPN1.

Refer to the exhibit. The administrator analyzed the traffic between a branch FortiGate and the server located in the data center, and noticed the behavior shown in the diagram. When the LAN clients located behind FGT1 establish a session to a server behind DC-1, the administrator observes that, on DC-1, the reply traffic is routed overT2. even though T1 is the preferred member in the matching SD-WAN rule. What can the administrator do to instruct DC-1 to route the reply traffic through the member with the best performance?. Enable auxiliary-session under config system settings. Enable snat-route-change under config system global. Enable reply-session under config system sdwan. FortiGate route lookup for reply traffic only considers routes over the original ingress interface.

When a customer delegate the installation and management of its SD-WAN infrastructure to an MSSP, the MSSP usually keeps the hub within its infrastructure for ease of management and to share costly resources. In which two situations will the MSSP install the hub in customer premises? (Choose two.). The customer requires SIA with centralized breakout. The administrator expects a large volume of traffic between the branches. The customer expects a large amount of VoIP traffic. The majority of the branch traffic is directed to a corporate data center.

The SD-WAN overlay template helps to prepare SD-WAN deployments. To complete the tasks performed by the SD-WAN overlay template, the administrator must perform some post-run tasks. What are two mandatory post-run tasks that must be performed? (Choose two.). Configure routing through the overlay tunnels created by the SD-WAN overlay template. Create policy packages and assign them to the branch devices. Assign a hub id metadata variable to each hub device. Configure SD-WAN rules. Assign an sdwan_id metadata variable to each device (branch and hub).

You use FortiManager to configure SD-WAN on three branch devices. When you install the device settings. FortiManager prompts you with the error "Copy Failed" for the device branch1_fat When you click the log button. FortiManager displays the message shown in the exhibit. Based on the exhibits, which statement best describes the issue and how you can resolve it?. Remove the installation target for the SD-WAN member port4. You cannot combine metadata variable and installation targets. Gateways for all members in a zone must be defined the same way. Specify the gateway of the SDWAN member port! without metadata variables. Check the metadata variable definitions, and review the per-device mapping configuration. Check the connection between branch1_fgt and FortiManager.

Within the context of SD-WAN, what does SIA correspond to?. Remote Breakout. Local Breakout. Software Internet Access. Secure Internet Authorization.

Refer to the exhibit. The exhibit shows output of the command diagnose sys adwan aervice4 collected on a FortiGate device. The administrator wants to know through which interface FortiGate will steer traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the social media application Facebook. Based on the exhibits, which two statements are correct? (Choose two.). When FortiGate cannot recognize the application of the flow, it steers the traffic through the preferred member of rule 3, HQ_T1. There is no service defined for the Facebook application, so FortiGate appliesservice rule 3 and directs the traffic to headquarters. FortiGate steers traffic for social media applications according to the service rule 2 and steers traffic through port2. When FortiGate cannot recognize the application of the flow, it load balances the traffic through the tunnels HQ_T1. HQ_T2. HQ_T3.

Exhibit. For your ZTP deployment, you review the CSV file shown in exhibit and note that it is missing important information. Which two elements must you change before you can import it into FortiManager? (Choose two.). You must associate a device blueprint with each device. You must define a name for each device. You must define a value for each device and each metadata variable that defines an IP address. You must define a value for each device and each user-defined metadata variable.

An administrator is configuring SD-WAN to load balance their network traffic. Which two things should they consider when setting up SD-WAN? (Choose two.). You can select the outbandwidth hash mode with all strategies that allow load balancing. Only the manual and best-quality strategies allow SD-WAN load balancing. When applicable. FortiGate load balances the traffic through all members that meet the SLA target. SD-WAN load balancing is possible only using the best quality and lowest cost (SLA) strategies.

Which two statements correctly describe what happens when traffic matches the implicit SD-WAN rule? (Choose two.). The session information output displays no SD-WAN service id. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting. The traffic is distributed, regardless of weight, through all available static routes. Traffic does not match any of the entries in the policy route table. FortiGate flags the session with may_dirty and vwl_def ault.

Refer to the exhibit. Which statement best describe the role of the ADVPN device in handling traffic?. This is a hub that has received a query from a spoke and has forwarded it to another spoke. This is a hub in a dual-region topology. The remote hub tunnel ID is 10.0.2.101. This is a spoke that has received a shortcut query from another spoke and has forwarded the response to its hub.. This is a spoke. The kernel received a shortcut request and forwards the query to another spoke.

Refer to the exhibits. You use FortiManager to manage the branch devices and configure the SD-WAN template. You have configured direct internet access (DIA) for the IT department users. Now. you must configure secure internet access (SIA) for all local LAN users and have set the firewall policies as shown in the second exhibit. Then, when you use the install wizard to install the configuration and the policy package on the branch devices, FortiManager reports an error as shown in the third exhibit. Which statement describes why FortiManager could not install the configuration on the branches?. You must direct SIA traffic to a VPN tunnel. You cannot install firewall policies that reference an SD-WAN zone. You cannot install firewall policies that reference an SD-WAN member. You cannot install SIA and DIA rules on the same device.

What are three key routing principles of SD-WAN? (Choose three.). Directly connected routes have precedence over SD-WAN rules. Policy routes have precedence over SD-WAN rules. SD-WAN rules are skipped if the best route to the destination is a static route. SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member. SD-WAN members are skipped if they do not have a valid route to the destination.