SDWAN 2/3
Test title: SDWAN 2/3. Description: SDWAN 2/3




Refer to the exhibit. Which are two expected behaviors of the traffic that matches the traffic shaper? (Choose two.)

- The number of simultaneous connections among all source IP addresses cannot exceed five connections.
- The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.
- The number of simultaneous connections allowed for each source IP address cannot exceed five connections.
- The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

Refer to the exhibit. Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups. Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

- London generates an IKE information message that contains the Toronto public IP address.
- Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
- Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
- The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Refer to the exhibit. Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration. Based on the exhibits, which two statements are correct? (Choose two.)

- FortiGate updated the outgoing interface list on the rule so it prefers port2.
- Port2 has the highest member priority.
- Port2 has a lower latency than port1.
- SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

Refer to the exhibit. The device exchanges routes using IBGP. Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)

- Each BGP route is three hops away from the destination.
- bgp-multipath is disabled.
- additional-path is enabled.
- You can run the get router info routing-table database command to display the additional paths.

Refer to the exhibits. Exhibit A shows a policy package definition. Exhibit B shows the install log that the administrator received when he tried to install the policy package on FortiGate devices. Based on the output shown in the exhibits, what can the administrator do to solve the issue?

- Create dynamic mapping for the LAN interface for all devices in the installation target list.
- Use a metadata variable instead of a dynamic interface to define the firewall policy.
- Dynamic mapping should be done automatically. Review the LAN interface configuration for branch2_fgt.
- Policies can refer to only one LAN source interface. Keep only the D-LAN, which is the dynamic LAN interface.

Refer to the exhibit. The exhibit shows output of the command diagnose sys sdwan service collected on a FortiGate device. The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HO servers 10.0.0.1. Based on the exhibits, which two statements are correct? (Choose two.)

- When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.
- FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.
- There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.
- FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

Refer to the exhibit. Based on the exhibit, which two actions does FortiGate perform on traffic passing through port2? (Choose two.)

- FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change.
- FortiGate performs routing lookups for new sessions only, after a route change.
- FortiGate always blocks all traffic, after a route change.
- FortiGate flushes all routing information from the session table, after a route change.

Refer to the exhibit. Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate. Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)

- FortiGate flags the sessions as dirty.
- FortiGate continues routing the sessions with no SNAT, over port2.
- FortiGate performs a route lookup for the original traffic only.
- FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

In which SD-WAN template field can you use a metadata variable?

- You can use metadata variables only to define interface members and the gateway IP.
- All SD-WAN template fields support metadata variables.
- Any field identified with a dollar sign ($) in a magnifying glass.
- Any field identified with an "M" in a circle.

Which are two benefits of using CLI templates in FortiManager? (Choose two.)

- You can reference meta fields.
- You can configure interfaces as SD-WAN members without having to remove references first.
- You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.
- You can configure advanced CLI settings.

Refer to the exhibit. Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)

- Cost.
- Interface member.
- Priority.
- Gateway IP.

Refer to the exhibit. Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)

- FortiGate does not install IPsec static routes for remote protected networks in the routing table.
- The phase 1 configuration supports the network-overlay setting.
- FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
- Dead peer detection is disabled.

Refer to the exhibit. The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths. Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes' prefixes and their additional paths? (Choose three.)

- Set additional-path to send.
- Enable route-reflector-client.
- Set advertisement-interval to the number of additional paths to advertise.
- Set adv-additional-path to the number of additional paths to advertise.
- Enable soft-reconfiguration.

Refer to the exhibit. Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)

- After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.
- During passive monitoring, FortiGate can't detect dead members.
- FortiGate can offload the traffic that is subject to passive monitoring to hardware.
- FortiGate passively monitors the member if TCP traffic is passing through the member.

Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members?

- diagnose sys sdwan zone.
- diagnose sys sdwan service.
- diagnose sys sdwan member.
- diagnose sys sdwan interface.

Refer to the exhibit. Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

- On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.
- On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.
- auto-discovery-forwarder must be enabled on all IPsec VPNs.
- On the hubs, net-device must be enabled on all IPsec VPNs.

What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process? (Choose two.)

- The FortiGate cloud key has not been added to the FortiGate cloud portal.
- FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager.
- The zero-touch provisioning process has completed internally, behind FortiGate.
- FortiGate has obtained a configuration from the platform template in FortiGate cloud.
- A factory reset performed on FortiGate.

Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)

- When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.
- SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.
- SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.
- Member metrics are measured only if an SLA target is configured.

What is a benefit of using application steering in SD-WAN?

- The traffic always skips the regular policy routes.
- You steer traffic based on the detected application.
- You do not need to enable SSL inspection.
- You do not need to configure firewall policies that accept the SD-WAN traffic.

Refer to the exhibit. An administrator used the SD-WAN overlay template to prepare an IPsec configuration for a hub-and-spoke SD-WAN topology. The exhibit shows the installation preview for one FortiGate device. In the exhibit, which statement best describes the configuration applied to the FortiGate device?

- It is a hub device. It can send ADVPN shortcut offers.
- It is a spoke device that establishes dynamic IPsec tunnels to the hub. The subnet range is 10.10.128.0/23.
- It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.
- It is a hub device and will automatically discover the spoke devices that are in the SD-WAN topology.

Which two tasks are part of using central VPN management? (Choose two.)

- You can configure full mesh, star, and dial-up VPN topologies.
- You must enable VPN zones for SD-WAN deployments.
- FortiManager installs VPN settings on both managed and external gateways.
- You configure VPN communities to define common IPsec settings shared by all VPN gateways.

Which two statements describe how IPsec phase 1 main mode is different from aggressive mode when performing IKE negotiation? (Choose two.)

- A peer ID is included in the first packet from the initiator, along with suggested security policies.
- XAuth is enabled as an additional level of authentication, which requires a username and password.
- A total of six packets are exchanged between an initiator and a responder instead of three packets.
- The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)

- Encapsulating Security Payload (ESP).
- Secure Shell (SSH).
- Internet Key Exchange (IKE).
- Security Association (SA).

Refer to the exhibits. Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt. When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule. Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

- Enable auxiliary-session under config system settings.
- Disable tp-session-without-syn under config system settings.
- Enable snat-route-change under config system global.
- Disable allow-subnet-overlap under config system settings.

Refer to the exhibits. The exhibit shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?

- When T_INET_0_0 and T_MPLS_0 have the same latency.
- When T_MPLS_0 has a latency of 100 ms.
- When T_INET_0_0 has a latency of 250 ms.
- When T_MPLS_0 has a latency of 80 ms.

Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.)

- FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.
- By default, local-out traffic does not use SD-WAN.
- By default, FortiGate does not check if the selected member has a valid route to the destination.
- You must configure each local-out feature individually, to use SD-WAN.

What are two benefits of choosing packet duplication over FEC for data loss correction on noisy links? (Choose two.)

- Packet duplication can leverage multiple IPsec overlays for sending additional data.
- Packet duplication does not require a route to the destination.
- Packet duplication supports hardware offloading.
- Packet duplication uses smaller parity packets which results in less bandwidth consumption.

Which statement about SD-WAN zones is true?

- An SD-WAN zone can contain only one type of interface.
- An SD-WAN zone can contain between 0 and 512 members.
- You cannot use an SD-WAN zone in static route definitions.
- You can configure up to 32 SD-WAN zones per VDOM.

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

- It provides the benefits of a full-mesh topology in a hub-and-spoke network.
- It provides direct connectivity between spokes by creating shortcuts.
- It enables spokes to bypass the hub during shortcut negotiation.
- It enables spokes to establish shortcuts to third-party gateways.

Which statement about using BGP routes in SD-WAN is true?

- Learned routes can be used as dynamic destinations in SD-WAN rules.
- You must use BGP to route traffic for both overlay and underlay links.
- You must configure AS path prepending.
- You must use external BGP.

Refer to the exhibit. Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

- type must be set to static.
- mode-cfg must be enabled.
- exchange-interface-ip must be enabled.
- add-route must be disabled.

Refer to the exhibit. Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used to select an outgoing interface in an SD-WAN rule? (Choose two.)

- Set priority 10.
- Set cost 15.
- Set load-balance-mode source-ip-ip-based.
- Set source 100.64.1.1.

Refer to the exhibit. Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status. Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)

- The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
- FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
- FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
- Non-TCP Facebook and YouTube traffic are not used for performance measurement.

What are two reasons for using FortiManager to organize and manage the network for a group of FortiGate devices? (Choose two.)

- It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.
- It improves SD-WAN performance on the managed FortiGate devices.
- It sends probe signals as health checks to the beacon servers on behalf of FortiGate.
- It acts as a policy compliance entity to review all managed FortiGate devices.
- It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

Which statement about using BGP for ADVPN is true?

- You must use BGP to route traffic for both overlay and underlay links.
- You must configure AS path prepending.
- You must configure BGP communities.
- IBGP is preferred over EBGP, because IBGP preserves next hop information.

Refer to the exhibit. Based on the exhibit, which action does FortiGate take?

- FortiGate bounces port5 after it detects all SD-WAN members as dead.
- FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.
- FortiGate brings up port5 after it detects all SD-WAN members as alive.
- FortiGate brings down port5 after it detects all SD-WAN members as dead.

Refer to the exhibit. Based on the output, which two conclusions are true? (Choose two.)

- There is more than one SD-WAN rule configured.
- The SD-WAN rules take precedence over regular policy routes.
- The all_rules rule represents the implicit SD-WAN rule.
- Entry 1(id=1) is a regular policy route.

Exhibit. The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.)

- The health-check VPN_PING orders the members according to the lowest jitter.
- The interface T_INET_1 missed one SLA target.
- There is no SLA criteria configured for the health-check Level3_DNS.
- The interface T_INET_0 missed three SLA targets.