SDWAN 3/3

What are two common use cases for remote internet access (RIA)? (Choose two.). Provide direct internet access on spokes. Provide internet access through the hub. Centralize security inspection on the hub. Provide thorough inspection on spokes.

Refer to the exhibit. Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD- WAN rules?. All traffic from a source IP to a destination IP is sent to the same interface. All traffic from a source IP is sent to the same interface. All traffic from a source IP is sent to the most used interface. All traffic from a source IP to a destination IP is sent to the least used interface.

Refer to the exhibit. Which statement about the role of the ADVPN device in handling traffic is true?. An IKE session is established between 10.0.1.101 and 10.0.2.101 in the process of forming a shortcut tunnel. This is a hub that has received an offer from a spoke and has forwarded it to another spoke. Two spokes. 192.2. 1 and 10.0.2.101. establish a shortcut. This is a spoke that has received an offer from a remote hub.

What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.). The ISDB is dynamically updated and reduces administrative overhead. The ISDB requires application control to maintain signatures and perform load balancing. The ISDB applies rules to traffic from specific sources, based on application type. The ISDB contains the IP addresses and port ranges of well-known internet services.

What three characteristics apply to provisioning templates available on FortiManager? (Choose three.). You can apply a system template and a CLI template to the same FortiGate device. A CLI template can be of type CLI script or Perl script. A template group can include a system template and an SD-WAN template. A template group can contain CLI templates of both types. Templates are applied in order, from top to bottom.

Refer to the exhibits. Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing table, and the member status. The administrator wants to understand the expected behavior for traffic matching the SD- WAN rule. Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule?. The traffic will be load balanced across all three overlays. The traffic will be routed over T_INET_0_0. The traffic will be routed over T_MPLS_0. The traffic will be routed over T_INET_1_0.

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. Based on the exhibit, which statement is true?. You can delete the virtual-wan-link zone because it contains no member. The corporate zone contains no member. You can move port1 from the underlay zone to the overlay zone. The overlay zone contains four members.

Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?. hold-down-time. link-down-failover. auto-discovery-shortcuts. idle-timeout.

Refer to the exhibit. In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling theanti- replaysetting on the hubs?. It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance. It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs. It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance. It instructs the hub to skip content inspection on TCP traffic, to improve performance.

The SD-WAN overlay template helps to prepare SD-WAN deployments. To complete the tasks performed by the SD-WAN overlay template, the administrator must perform some post-run tasks. What are three mandatory post-run tasks that must be performed? (Choose three.). Assign an sdwan_id metadata variable to each device (branch and hub). Assign a branch_id metadata variable to each branch device. Create policy packages for branch devices. Configure SD-WAN rules. Configure routing through overlay tunnels created by the SD-WAN overlay template.

Refer to the exhibit. Which statement explains the output shown in the exhibit?. FortiGate performed standard FIB routing on the session. FortiGate will not re-evaluate the session following a firewall policy change. FortiGate used192.2.0.1as the gateway for the original direction of the traffic. FortiGate must re-evaluate the session due to routing change.

Refer to the exhibits. An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A. After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1. Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.). FortiGate did not refresh the routing information on the session after the application was detected. Port1 and port2 do not have a valid route to the destination. Full SSL inspection is not enabled on the matching firewall policy. The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Which components make up the secure SD-WAN solution?. Application, antivirus, and URL, and SSL inspection. Datacenter, branch offices, and public cloud. FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy. Telephone, ISDN, and telecom network.

Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke. What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD- WAN?. You must set ike-version to 1. You must enable net-device. You must enable auto-discovery-sender. You must disable idle-timeout.

Refer to the exhibit Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy. The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?. Destination internet service must be enabled on the traffic shaping policy. Application control must be enabled on the firewall policy. Web filtering must be enabled on the firewall policy. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Refer to the exhibit. An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0. Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.). The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device. T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0. T_INET_0_0 does not have a valid route to the destination. T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

Refer to the exhibit The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?. There are no IPsec tunnel statistics log messages for ADVPN cuts. There is one shortcut tunnel built from master tunnel T_MPLS_0. The VPN tunnel T_MPLS_0 is a shortcut tunnel. The master tunnel T_INET_0 cannot accept the ADVPN shortcut.

Which two statements about SD-WAN central management are true? (Choose two.). It does not allow you to monitor the status of SD-WAN members. It is enabled or disabled on a per-ADOM basis. It is enabled by default. It uses templates to configure SD-WAN on managed devices.

Which diagnostic command can you use to show the SD-WAN rules interface information and state?. diagnose sys virtual-wan-link route-tag-list. diagnose sys virtual-wan-link service. diagnose sys virtual-wan-link member. diagnose sys virtual-wan-link neighbor.

Refer to the exhibit. The exhibit shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member?. When all three members have the same packet loss. When T_INET_0_0 has 4% packet loss. When T_INET_0_0 has 12% packet loss. When T_INET_1_0 has 4% packet loss.

Which two statements describe how IPsec phase 1 main mode id different from aggressive mode when performing IKE negotiation? (Choose two.). A peer ID is included in the first packet from the initiator, along with suggested security policies. Auth is enabled as an additional level of authentication, which requires a username and password. Three packets are exchanged between an initiator and a responder instead of six packets. The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Which statement is correct about SD-WAN and ADVPN?. Routes for ADVPN shortcuts must be manually configured. SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SDWAN members. SD-WAN does not monitor the health and performance of ADVPN shortcuts. You must use IKEv2 on IPsec tunnels.

Refer to the exhibit. Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?. The type of traffic defined and allowed on firewall policy ID 1 is UDP. FortiGate has terminated the session after a change on policy ID 1. Changes have been made on firewall policy ID 1 on FortiGate. Firewall policy ID 1 has source NAT disabled.

Refer to the exhibit. FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN. Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.). Specify a unique peer ID for each dial-up VPN interface. Use different proposals are used between the interfaces. Configure the IKE mode to be aggressive mode. Use unique Diffie Hellman groups on each VPN interface.

Refer to the exhibits. Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10. Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration. The administrator wants to steer corporate traffic using routes tags in the SD-WAN rule ID 1. However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1. Based on the exhibits, which configuration change is required to fix issue?. In the dc1-lan-rm route map configuration, set set-route-tag to 10. In SD-WAN rule ID 1, change the destination to use ISDB entries. In the dc1-lan-rm route map configuration, unset match-community. In the BGP neighbor configuration, apply the route map dc1-lan-rm in the outbound direction.

What does enabling theexchange-interface-ipsetting enable FortiGate devices to exchange?. The gateway address of their IPsec interfaces. The tunnel ID of their IPsec interfaces. The IP address of their IPsec interfaces. The name of their IPsec interfaces.