
SD-WAN 7.2-V2

Test title: SD-WAN 7.2-V2

Description: SD-WAN 7.2-V2

Creation date: 2025/03/04

Category: Other

Number of questions: 42

Contents:

What are two common use cases for remote internet access (RIA)? (Choose two.)
- Provide direct internet access on spokes.
- Provide internet access through the hub.
- Centralize security inspection on the hub.
- Provide thorough inspection on spokes.

Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)
- Encapsulating Security Payload (ESP)
- Secure Shell (SSH)
- Internet Key Exchange (IKE)
- Security Association (SA)

Which statement about the role of the ADVPN device in handling traffic is true?
- This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.
- Two hubs, 10.0.1.101 and 10.0.2.101, are receiving and forwarding queries between each other.
- This is a hub that has received a query from a spoke and has forwarded it to another spoke.
- Two spokes, 192.2.0.1 and 10.0.2.101, forward their queries to their hubs.

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?
- The type of traffic defined and allowed on firewall policy ID 1 is UDP.
- FortiGate has terminated the session after a change on policy ID 1.
- Changes have been made on firewall policy ID 1 on FortiGate.
- Firewall policy ID 1 has source NAT disabled.

What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?
- You must set ike-version to 1.
- You must enable net-device.
- You must enable auto-discovery-sender.
- You must disable idle-timeout.

Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)
- After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.
- During passive monitoring, FortiGate can’t detect dead members.
- FortiGate can offload the traffic that is subject to passive monitoring to hardware.
- FortiGate passively monitors the member if TCP traffic is passing through the member.

Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)
- The traffic shaper drops packets if the bandwidth is less than 2500 KBps.
- The measured bandwidth is less than 100 KBps.
- The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.
- The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

Which two statements about the SD-WAN members are true? (Choose two.)
- You can manually define the SD-WAN members sequence number.
- Interfaces of type virtual wire pair can be used as SD-WAN members.
- Interfaces of type VLAN can be used as SD-WAN members.
- An SD-WAN member can belong to two or more SD-WAN zones.

Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke. What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?
- You must set ike-version to 1.
- You must enable net-device.
- You must enable auto-discovery-sender.
- You must disable idle-timeout.

Exhibit A shows two IPsec templates to define Branch_IPsec_1 and Branch_IPsec_2. Each template defines a VPN tunnel. Exhibit B shows the error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device. Which statement best explains the cause for this issue?
- You can assign only one template with a tunnel of type static to each FortiGate device.
- You can define only one IPsec tunnel from branch devices to HUB1.
- You can assign only one IPsec template to each FortiGate device.
- You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.

The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.)
- The health-check VPN_PING orders the members according to the lowest jitter.
- The interface T_INET_1 missed one SLA target.
- There is no SLA criteria configured for the health-check Level3_DNS.
- The interface T_INET_0 missed three SLA targets.

Which conclusion about the packet debug flow output is correct?
- The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.
- The packet size exceeded the outgoing interface MTU.
- The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.
- The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?
- hold-down-time
- link-down-failover
- auto-discovery-shortcuts
- idle-timeout

Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members?
- diagnose sys sdwan zone
- diagnose sys sdwan service
- diagnose sys sdwan member
- diagnose sys sdwan interface

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?
- All traffic from a source IP to a destination IP is sent to the same interface.
- All traffic from a source IP is sent to the same interface.
- All traffic from a source IP is sent to the most used interface.
- All traffic from a source IP to a destination IP is sent to the least used interface.

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)
- The session information output displays no SD-WAN-specific details.
- All SD-WAN rules have the default and gateway setting enabled.
- Traffic does not match any of the entries in the policy route table.
- Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)
- When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.
- SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.
- SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.
- Member metrics are measured only if an SLA target is configured.

Which two settings can you configure to speed up routing convergence in BGP? (Choose two.)
- update-source
- set-route-tag
- holdtime-timer
- link-down-failover

Exhibit A shows a policy package definition. Exhibit B shows the install log that the administrator received when he tried to install the policy package on FortiGate devices. Based on the output shown in the exhibits, what can the administrator do to solve the issue?
- Create dynamic mapping for the LAN interface for all devices in the installation target list.
- Use a metadata variable instead of a dynamic interface to define the firewall policy.
- Dynamic mapping should be done automatically. Review the LAN interface configuration for branch2_fgt.
- Policies can refer to only one LAN source interface. Keep only the D-LAN, which is the dynamic LAN interface.

Which two statements reflect the benefits of implementing the ADVPN solution to replace conventional VPN topologies? (Choose two.)
- It creates redundant tunnels between hub-and-spokes, in case failure takes place on the primary links.
- It dynamically assigns cost and weight between the hub and the spokes, based on the physical distance.
- It ensures that spoke-to-spoke traffic no longer needs to flow through the tunnels through the hub.
- It provides direct connectivity between all sites by creating on-demand tunnels between spokes.

Based on the exhibit, which action does FortiGate take?
- FortiGate bounces port5 after it detects all SD-WAN members as dead.
- FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.
- FortiGate brings up port5 after it detects all SD-WAN members as alive.
- FortiGate brings down port5 after it detects all SD-WAN members as dead.

In the default SD-WAN minimum configuration, which two statements are correct when traffic matches the default implicit SD-WAN rule? (Choose two.)
- Traffic has matched none of the FortiGate policy routes.
- Matched traffic failed RPF and was caught by the rule.
- The FIB lookup resolved interface was the SD-WAN interface.
- An absolute SD-WAN rule was defined and matched traffic.

What are two benefits of choosing packet duplication over FEC for data loss correction on noisy links? (Choose two.)
- Packet duplication can leverage multiple IPsec overlays for sending additional data.
- Packet duplication does not require a route to the destination.
- Packet duplication supports hardware offloading.
- Packet duplication uses smaller parity packets which results in less bandwidth consumption.

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN. Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)
- Specify a unique peer ID for each dial-up VPN interface.
- Use different proposals between the interfaces.
- Configure the IKE mode to be aggressive mode.
- Use unique Diffie Hellman groups on each VPN interface.

The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?
- There are no IPsec tunnel statistics log messages for ADVPN cuts.
- There is one shortcut tunnel built from master tunnel T_MPLS_0.
- The VPN tunnel T_MPLS_0 is a shortcut tunnel.
- The master tunnel T_INET_0 cannot accept the ADVPN shortcut.

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. Based on the exhibit, which statement is true?
- You can delete the virtual-wan-link zone because it contains no member.
- The corporate zone contains no member.
- You can move port1 from the underlay zone to the overlay zone.
- The overlay zone contains four members.

The SD-WAN overlay template helps to prepare SD-WAN deployments. To complete the tasks performed by the SD-WAN overlay template, the administrator must perform some post-run tasks. What are three mandatory post-run tasks that must be performed? (Choose three.)
- Assign an sdwan_id metadata variable to each device (branch and hub).
- Assign a branch_id metadata variable to each branch device.
- Create policy packages for branch devices.
- Configure SD-WAN rules.
- Configure routing through overlay tunnels created by the SD-WAN overlay template.

Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)
- SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.
- Member metrics are measured only if an SLA target is configured.
- When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.
- SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.

What is true about SD-WAN multiregion topologies?
- Each region has its own SD-WAN topology.
- It is not compatible with ADVPN.
- Regions must correspond to geographical areas.
- Routing between the hub and spokes must be BGP.

Which two interfaces are considered overlay links? (Choose two.)
- LAG
- IPsec
- Physical
- GRE

Which components make up the secure SD-WAN solution?
- Application, antivirus, and URL, and SSL inspection.
- Datacenter, branch offices, and public cloud.
- FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy.
- Telephone, ISDN, and telecom network.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?
- type must be set to static.
- mode-cfg must be enabled.
- exchange-interface-ip must be enabled.
- add-route must be disabled.

Which are two benefits of using CLI templates in FortiManager? (Choose two.)
- You can reference meta fields.
- You can configure interfaces as SD-WAN members without having to remove references first.
- You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.
- You can configure advanced CLI settings.

Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?
- diagnose sys sdwan route-tag-list
- diagnose sys sdwan service
- diagnose sys sdwan member
- diagnose sys sdwan neighbor

What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process? (Choose two.)
- The FortiGate cloud key has not been added to the FortiGate cloud portal.
- FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager.
- The zero-touch provisioning process has completed internally, behind FortiGate.
- FortiGate has obtained a configuration from the platform template in FortiGate cloud.
- A factory reset performed on FortiGate.

Which two statements about SD-WAN central management are true? (Choose two.)
- The objects are saved in the ADOM common object database.
- It does not support meta fields.
- It uses templates to configure SD-WAN on managed devices.
- It supports normalized interfaces for SD-WAN member configuration.

Within IPsec tunnel templates available on FortiManager, which template will you use to configure static tunnels for a hub and spoke topology?
- Static_IPsec_Recommended
- Hub_IPsec_Recommended
- Branch_IPsec_Recommended
- IPsec_Fortinet_Recommended

What three characteristics apply to provisioning templates available on FortiManager? (Choose three.)
- You can apply a system template and a CLI template to the same FortiGate device.
- A CLI template can be of type CLI script or Perl script.
- A template group can include a system template and an SD-WAN template.
- A template group can contain CLI templates of both types.
- Templates are applied in order, from top to bottom.

Which statement is correct about SD-WAN and ADVPN?
- Routes for ADVPN shortcuts must be manually configured.
- SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.
- SD-WAN does not monitor the health and performance of ADVPN shortcuts.
- You must use IKEv2 on IPsec tunnels.

Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)
- Type of physical link connection.
- Internet service database (ISDB) address object.
- Source and destination IP address.
- URL categories.
- Application signatures.

What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in a hub-and-spoke topology? (Choose two.)
- VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.
- FortiManager automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.
- IPsec recommended template guides the administrator to use Fortinet recommended settings.
- IPsec recommended template ensures consistent settings between phase1 and phase2.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)
- On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.
- On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.
- auto-discovery-forwarder must be enabled on all IPsec VPNs.
- On the hubs, net-device must be enabled on all IPsec VPNs.
