SDwan_7.4

Which two statements correctly describe what happens when traffic matches the implicit SD-WAN rule? (Choose two.). The session information output displays no SD-WAN service id. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting. FortiGate flags the session with may_dirty and vwl_default. Traffic does not match any of the entries in the policy route table. The traffic is distributed, regardless of weight, through all available static routes.

Two hub-and-spoke groups are connected through redundant site-to-site IPsec VPNs between Hub1 and Hub2. Which two configuration settings are required for the spoke A1 to establish an ADVPN shortcut with the spoke B2? (Choose two.). On hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes. On hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to hubs. On hubs, auto-discovery-receiver must be enabled on the IPsec VPNs to spokes. On hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to spokes.

The exhibit shows output of the command diagnose sys sdwan service4 collected on a FortiGate device The administrator wants to know through which interface FortiGate will steer traffic from local users on subnet 10 0.1.0/255.255.255.192 and with a destination of the social media application Facebook. Based on the exhibits, which two statements are correct? (Choose two.). FortiGate steers traffic for social media applications according to the service rule 2 and steers traffic through port2. When FortiGate cannot recognize the application of the flow, it load balances the traffic through the tunnels HQ_T1, HQ_T2, HQ_T3. There is no service defined for the Facebook application, so FortiGate appliesservice rule 3 and directs the traffic to headquarters. When FortiGate cannot recognize the application of the flow, it steers the traffic through the preferred member of rule 3, HQ_T1.

The administrator used the SD-WAN overlay template to prepare an IPsec tunnels configuration for a hub-and-spoke SD-WAN topology. The exhibit shows the FortiManager installation preview for one FortiGate device. Based on the exhibit, which statement best describes the configuration applied to the FortiGate device?. It is a spoke device that establishes dynamic IPsec tunnels to the hub. The local subnet range is 10.10 128.0/23. It is a hub device. It can send ADVPN shortcut offers. It is a hub device. It will automatically discover the spoke devices and add them to the SD-WAN topology. It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.

Which SD-WAN rule and interface uses FortiGate to steer the traffic from the LAN subnet 10.0.1.0/24 to the corporate server 10.2.5.254?. SD-WAN service rule 3 and interface HUB1-VPN2. SD-WAN service rule 3 and interface HUB1-VPN3. SD-WAN service rule 4 and port1 or port2. SD-WAN service rule 4 and interface port2.

Refer to the exhibit. You want to configure SD-WAN on a network as shown in the exhibit. The network contains many FortiGate devices. Some are used as NGFW, and some are installed with extensions such as FortiSwitch. FortiAP. or FortiExtender. What should you consider when planning your deployment?. You can build an SD-WAN topology that includes all devices. The hubs can be FortiGate devices with Forti Extender. You can build an SD-WAN topology that includes all devices. The hubs must be devices without extensions. You must use FortiManager to manage your SD-WAN topology. You must build multiple SD-WAN topologies. Each topology must contain only one type of extension.

Refer to the exhibit that shows event logs on FortiGate. Based on the output shown in the exhibit, what can you say about the tunnels on this device?. The master tunnel HU82-VPN3 cannot accept ADVPN shortcuts. The device steers voice traffic through the VPN tunnel HUB1-VPN3. The VPN tunnel HUB1-VPN1_0 is a shortcut tunnel. There is one shortcut tunnel built from master tunnel VPN4.

Which action will FortiGate take if it detects SD-WAN members as dead?. FoftiGate bounces port5 after it detects all SD-WAN members as dead. FortiGate fails over to the secondary device after it detects port5 as dead. FortiGate sends alert messages through poft5 when it detects all SD-WAN members as dead. FortiGate brings down port5 after it detects all SD-WAN members as dead.

You are planning a large SD-WAN deployment with approximately 1000 spokes and want to allow ADVPN between the spokes. Some remote sites use FortiSASE to connect to the company's SD-WAN hub. Which overlay routing configuration should you use?. BGP on loopback with dynamic BGP for ADVPN shortcut routing. BGP on loopback with IPsec phase2 selectors for ADVPN shortcut routing. BGP per overlay with dynamic BGP for ADVPN shortcut routing. BGP per overlay with BGP next-hop convergence for ADVPN shortcut routing.

You connect to a device behind a branch FortiGate device and initiate a ping test. The device is partof the LAN subnet and its IP address is 10.0.1.101.Based on the exhibits, which interface uses branch 1_fgt to steer the test traffic?. port4. HUB1-VPN1. port1. port2.

You manage an SD-WAN topology. You will soon deploy 50 new branches. Which three tasks can you do in advance to simplify this deployment? (Choose three.). Update the DHCP server configuration. Create model devices. Create a ZTP template. Define metadata variables value for each device. Create policy blueprint.

An administrator configures SD-WAN rules for a DIA setup using the FortiGate GUI. The page to configure the source and destination part of the rule looks as shown in the exhibit. The GUI page shows no option to configure an application as the destination of the SD-WAN rule Why?. You cannot use applications as the destination when FortiGate is used for a DIA setup. FortiGate allows the configuration of applications as the destination of SD-WAN rules only on the CLI. You must enable the feature on the CLI. You must enable the feature first using the GUI menu System > Feature Visibility.

You are planning a new SD-WAN deployment with the following criteria: - Two regions - Most of the traffic is expected to remain within its region - No requirement for inter-region ADVPN To remain within the recommended best practices, which routing protocol should you select for the overlays?. OSPF for the routing within each region and EBGP between the regions. IBGP with BGP on loopback within each region and EBGP between the regions. IBGP with BGP per overlays within each region and IBGP with BGP on loopback between the regions. IBGP within each region and between the regions.

The administrator configured the IPsec tunnel VPN1 on a FortiGate device with the parameters shown in exhibit. Based on the configuration, which three conclusions can you draw about the characteristics and requirements of the VPN tunnel? (Choose three.). The tunnel interface IP address on the spoke side is provided by the hub. The remote end can be a third-party IPsec device. The administrator must manually assign the tunnel interface IP address on the hub side. The remote end must support IKEv2. This configuration allows user-defined overlay IP addresses.

You have a FortiGate configuration with three user-defined SD-WAN zones and two members in each of these zones. One SD-WAN member is no longer in use in health-check and SD-WAN rules. You want to delete it. What happens if you delete the SD-WAN member from the FortiGate GUI?. FortiGate accepts the deletion and removes routes as required. FortiGate displays an error message. You must use the CLI to delete an SD-WAN member. FortiGate displays an error message. SD-WAN zones must contain at least two members. FortiGate accepts the deletion and places the member in the default SD-WAN zone.

The exhibits show the source NAT (SNAT) global setting. port2 interface settings, and the routing table on FortiGate. The administrator increases the member priority on port2 to 20. Upon configuration changes and the receipt of new packets, which two actions does FortiGate perform on existing sessions established over port2? (Choose two.). FortiGate continues routing all existing sessions over port2. FortiGate routes only new sessions over port2. FortiGate flags the SNAT session as dirty only if the administrator has assigned an IP pool to the firewall policies with NAT. FortiGate flags the sessions as dirty. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

The exhibits show the configuration for SD-WAN performance. SD-WAN rule, the application IDs of Facebook and YouTube along with the firewall policy configuration and the underlay zone status. Which two statements are true about the health and performance of SD-WAN members 3 and 4? (Choose two.). Only related TCP traffic is used for performance measurement. The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member. Encrypted traffic is not used for the performance measurement. FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

When you use the command diagnose sys session list, how do you identify the sessions that correspond to traffic steered according to SD-WAN rules?. You identify sessions steered according to SD-WAN rules with the flag vwl. You cannot identify SD-WAN sessions. You must use the sdwar. session filter. You identify sessions steered according to SD-WAN rules with the data vwl_mbr_seq. You identify sessions steered according to SD-WAN rules with the data 3dwan_service_id.

SD-WAN interacts with many other FortiGate features. Some of them are required to allow SD-WAN to steer the traffic. Which three configuration elements that you must configure before FortiGate can steer traffic according to SD-WAN rules? (Choose three.). Firewall policies. Interfaces. Security profiles. Traffic shaping. Routing.

Which three characteristics apply to provisioning templates available on FortiManager? (Choose three.). A template group can include a system template and an SD-WAN template. Each template group can contain up to three IPsec tunnel templates. CLI templates are applied in order, from top to bottom. A CLI template group can contain CLI templates of both types. A CLI template can be of type CLI script or Perl script.

An administrator checks the status of an SD-WAN topology using the FortiManager SD-WAN monitor menus. All members are configured with one or two SLAs. Which two conclusions can you draw from the output shown? (Choose two.). The template view should be used to see the hub devices. One member of branch2_fgt is missing the SLAs. branch2_fgt establishes six tunnels to the hubs and they are all up. This SD-WAN topology contains only two branch devices.

You are tasked with configuring ADVPN 2.0 on an SD-WAN topology already configured for ADVPN. What should you do to implement ADVPN 2.0 in this scenario?. Update the IPsec tunnel configurations on the hub. Update the SD-WAN configuration on the branches. Update the IPsec tunnel configuration on the branches. Delete the existing ADVPN configuration and configure ADVPN 2.0.

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in the first exhibit. After generating GoToMeeting test traffic, the administrator examined the corresponding traffic log on FortiAnalyzer, which is shown in the second exhibit. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1. Which two reasons explain why some log messages show that the traffic matched the implicit SDWAN rule? (Choose two.). Full SSL inspection is not enabled on the matching firewall policy. The session 3-tuple did not match any of the existing entries in the ISDB application cache. FortiGate could not refresh the routing information on the session after the application was detected. No configured SD-WAN rule matches the traffic related to the collaboration application GoToMeeting.

Which statement describes FortiGate behavior when you reference a zone in a static route?. FoftiGate installs ECMP static routes for the first two members of the zone. FortiGate ignores the static routes defined through members referenced in the zone. FortiGate routes the traffic through the best performing member of the zone. FortiGate installs a static route for each member in the zone.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over HUB1-VPN1. However, the traffic is routed over HUB1-VPN3. Based on the output shown in the exhibit, which two reasons, individually or together, could explain the observed behavior? (Choose two.). HUB1-VPN3 has a higher member configuration priority than HUB1-VPN1. The traffic matches a regular policy route configured with HUB1-VPN3 as the outgoing device. HUB1-VPN1 does not have a valid route to the destination. HUB1-VPN3 has a lower route priority value (higher priority) than HUB1-VPN1.

The administrator analyzed the traffic between a branch FortiGate and the server located in the data center, and noticed the behavior shown in the diagram. When the LAN clients located behind FGT1 establish a session to a server behind DC-1, the administrator observes that, on DC-1, the reply traffic is routed overT2. even though T1 is the preferred member in the matching SD-WAN rule. What can the administrator do to instruct DC-1 to route the reply traffic through the member with the best performance?. Enable snat-route-change under config system global. Enable reply-session under config system sdwan. Enable auxiliary-session under config system settings. FortiGate route lookup for reply traffic only considers routes over the original ingress interface.

When a customer delegate the installation and management of its SD-WAN infrastructure to an MSSP, the MSSP usually keeps the hub within its infrastructure for ease of management and to share costly resources. In which two situations will the MSSP install the hub in customer premises? (Choose two.). The customer requires SIA with centralized breakout. The administrator expects a large volume of traffic between the branches. The customer expects a large amount of VoIP traffic. The majority of the branch traffic is directed to a corporate data center.

The SD-WAN overlay template helps to prepare SD-WAN deployments. To complete the tasks performed by the SD-WAN overlay template, the administrator must perform some post-run tasks. What are two mandatory post-run tasks that must be performed? (Choose two.). Configure routing through the overlay tunnels created by the SD-WAN overlay template. Create policy packages and assign them to the branch devices. Assign a hub id metadata variable to each hub device. Configure SD-WAN rules. Assign an sdwan_id metadata variable to each device (branch and hub).

You use FortiManager to configure SD-WAN on three branch devices. When you install the device settings. FortiManager prompts you with the error "Copy Failed" for the device branch1_fat When you click the log button. FortiManager displays the message shown in the exhibit. Based on the exhibits, which statement best describes the issue and how you can resolve it?. Remove the installation target for the SD-WAN member port4. You cannot combine metadata variable and installation targets. Gateways for all members in a zone must be defined the same way. Specify the gateway of the SDWAN member port! without metadata variables. Check the metadata variable definitions, and review the per-device mapping configuration. Check the connection between branch1_fgt and FortiManager.

Within the context of SD-WAN, what does SIA correspond to?. Remote Breakout. Local Breakout. Software Internet Access. Secure Internet Authorization.

The administrator used the SD-WAN overlay template to prepare an IPsec tunnels configuration for a hub-and-spoke SD-WAN topology. The exhibit shows the FortiManager installation preview for one FortiGate device. Based on the exhibit, which statement best describes the configuration applied to the FortiGate device?. It is a spoke device that establishes dynamic IPsec tunnels to the hub. The local subnet range is 10.10.128.0/23. It is a hub device. It can send ADVPN shortcut offers. It is a hub device. It will automatically discover the spoke devices and add them to the SD-WAN topology. It is a spoke device that establishes dynamic IPsec tunnels to the hub It can send ADVPN shortcut requests.

The exhibits show two IPsec templates to define Branch IPsec 1 and Branch_IPsec_2. Each template defines a VPN tunnel. The error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device is also shown. Which statement best describes the cause of the issue?. You can assign only one template with a tunnel type of static to each FortiGate device. You can assign only one IPsec template to each FortiGate device. You should review the branch1_fgt configuration for configured tunnels in the rootVDOM. You should use the same outgoing interface of both templates.

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI. What can you conclude about the zone and member configuration on this device?. The underlay zone contains three members. You can delete the virtual-wan-link zones. The overlay-factories zone contains no member. You can move HUB1-VPN3 from the HUB1 zone to the overlay-shops zone.

The exhibit shows output of the command diagnose sys adwan aervice4 collected on a FortiGate device. The administrator wants to know through which interface FortiGate will steer traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the social media application Facebook. Based on the exhibits, which two statements are correct? (Choose two.). When FortiGate cannot recognize the application of the flow, it steers the traffic through the preferred member of rule 3, HQ_T1. There is no service defined for the Facebook application, so FortiGate appliesservice rule 3 and directs the traffic to headquarters. FortiGate steers traffic for social media applications according to the service rule 2 and steers traffic through port2. When FortiGate cannot recognize the application of the flow, it load balances the traffic through the tunnels HQ_T1. HQ_T2. HQ_T3.

For your ZTP deployment, you review the CSV file shown in exhibit and note that it is missing important information. Which two elements must you change before you can import it into FortiManager? (Choose two.). You must associate a device blueprint with each device. You must define a name for each device. You must define a value for each device and each metadata variable that defines an IP address. You must define a value for each device and each user-defined metadata variable.

An administrator is configuring SD-WAN to load balance their network traffic. Which two things should they consider when setting up SD-WAN? (Choose two.). You can select the outbandwidth hash mode with all strategies that allow load balancing. Only the manual and best-quality strategies allow SD-WAN load balancing. When applicable. FortiGate load balances the traffic through all members that meet the SLA target. SD-WAN load balancing is possible only using the best quality and lowest cost (SLA) strategies.

Which two statements correctly describe what happens when traffic matches the implicit SD-WAN rule? (Choose two.). The session information output displays no SD-WAN service id. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting. The traffic is distributed, regardless of weight, through all available static routes. Traffic does not match any of the entries in the policy route table. FortiGate flags the session with may_dirty and vwl_default.

Which statement best describe the role of the ADVPN device in handling traffic?. This is a hub that has received a query from a spoke and has forwarded it to another spoke. This is a hub in a dual-region topology. The remote hub tunnel ID is 10.0.2.101. This is a spoke that has received a shortcut query from another spoke and has forwarded the response to its hub. This is a spoke. The kernel received a shortcut request and forwards the query to another spoke.

You use FortiManager to manage the branch devices and configure the SD-WAN template. You have configured direct internet access (DIA) for the IT department users. Now. you must configure secure internet access (SIA) for all local LAN users and have set the firewall policies as shown in the second exhibit. Then, when you use the install wizard to install the configuration and the policy package on the branch devices, FortiManager reports an error as shown in the third exhibit. Which statement describes why FortiManager could not install the configuration on the branches?. You must direct SIA traffic to a VPN tunnel. You cannot install firewall policies that reference an SD-WAN zone. You cannot install firewall policies that reference an SD-WAN member. You cannot install SIA and DIA rules on the same device.

The exhibit shows the health-check configuration on a FortiGate device used as a spoke. You notice that the hub FortiGate doesn’t prioritize the traffic as expected. Which two configuration elements should you check on the hub? (Choose two.). The performance SLA has the parameter priority-out-sla configured. This performance SLA uses the same members. The performance SLA uses the same criteria. The performance SLA is configured with set embedded-measure accept.

Which statement best describe the role of the ADVPN device in handling traffic?. This is a hub that has received a query from a spoke and has forwarded it to another spoke. This is a hub in a dual-region topology. The remote hub tunnel ID is 10.0.2.101. This is a spoke that has received a shortcut query from another spoke and has forwarded the response to its hub. This is a spoke. The kernel received a shortcut request and forwards the query to another spoke.

The administrator uses the FortiManager SD-WAN overlay template to prepare an SD-WAN deployment. Using information provided through the SD-WAN overlay template wizard, FortiManager creates templates ready to install on the spoke and hub devices. What are the three templates created by the SD-WAN overlay template for a spoke device? (Choose three.). Static route template. Rules template. CLI template. BGP template. IPsec tunnel template.

What are three key routing principles of SD-WAN? (Choose three.). Directly connected routes have precedence over SD-WAN rules. Policy routes have precedence over SD-WAN rules. SD-WAN rules are skipped if the best route to the destination is a static route. SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member. SD-WAN members are skipped if they do not have a valid route to the destination.

Refer to the exhibit, which shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured packet loss will make HUB1-VPN3 the new preferred member?. When HUB1-VPN1 has 4% packet loss. When HUB1-VPN1 has 12% packet loss. When HUB1-VPN3 has 4% packet loss. When all three members have the same packet loss.

What conclusions can you draw about the traffic received by FortiGate originating from the source LAN device 10.0.1.133 and destined for the company’s SMTP mail server at 10.66.0.125?. FortiGate steers the traffic from the LAN device 10.0.1.133 to the company SMTP mail server 10.66 0.125 through port3. ForliGate steers the traffic from the LAN device 10.0.1.133 to the company SMTP mail server 10.66.0.125 through port2. FortiGate steers the traffic from the LAN device 10.0.1.133 to the company SMTP mail server 10.66.0.125 through the SD-WAN member ID 4. FortiGate steers the traffic from the LAN device 10.0.1.133 to the SMTP mail server 10.66.0.125 through the SD-WAN member ID 1 or 2.

Refer to the exhibit. How does FortiGate handle the traffic with the source IP 10.0.1.130 and the destination IP 128.66.0.125? (Choose one answer). FortiGate routes the traffic flow according to the FIB. FortiGate load balances the traffic flow through port1 and port2. FortiGate drops the traffic flow. FortiGate steers the traffic flow through port2.

Refer to the exhibits, which show the configuration of an SD-WAN rule and the corresponding rule status and routing table. The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule. Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule? (Choose one answer). The traffic will be routed over HUB1-VPN3. The traffic will be routed over HUB1-VPN2. The traffic will be routed over HUB1-VPN1. The traffic will be load balanced across all three overlays.

Refer to the exhibits. The administrator configured a device blueprint and CLI scripts as shown in the exhibits, to prepare for onboarding FortiGate devices in the company’s stores. Later, a technician prepares a FortiGate 51G with a basic configuration and connects it to the network. The basic configuration contains the port1 configuration and the minimal configuration required to allow the device to connect to FortiManager. After the device first connects to FortiManager, FortiManager updates the device configuration. Based on the exhibits, which actions does FortiManager perform? (Choose one answer). FortiManager updates the device configuration according to the selected templates. It applies the corp_st template first. FortiManager does not update the port1 configuration because FortiManager does not change the configuration of interfaces with fgfm access. FortiManager updates access rights only for port1. FortiManager cannot update the IP address because it was already set manually. FortiManager updates the configuration of port1, port2, and port5. The three ports might get new IP addresses.

Refer to the exhibits. The exhibits show the SD-WAN zone configuration of an SD-WAN template prepared on FortiManager and the policy package configuration. When the administrator tries to install the configuration changes, FortiManager fails to commit. What should the administrator do to fix the issue? (Choose one answer). Configure branch1_fgt as the installation target for policy 3. Configure HUB1 as the destination of policy 3. Configure a normalized interface for the IPsec tunnel HUB1-VPN1. Configure both HUB1-VPN1 and HUB1-VPN2 as the destination of policy 3.

As an MSSP administrator, you are asked to configure ADVPN on an existing SD-WAN topology. FortiManager manages the customer devices in a dedicated ADOM. The previous administrator used the SD-WAN overlay topology. Which two statements apply to this scenario? (Choose two answers). You can activate auto-discovery VPN in the SD-WAN overlay template only if it is a single hub topology. When auto-discovery VPN is enabled, FortiManager updates the IPsec and BGP templates in the hub. After you enable auto-discovery VPN in the overlay template, you must select between ADVPN 2.0 and ADVPN 1.0. You can activate auto-discovery VPN in the SD-WAN overlay template for any type of topology, including a primary-primary dual-hub topology.

As an IT manager for a healthcare company, you want to delegate the installation and management of your SD-WAN deployment to a managed security service provider (MSSP). Each site must maintain direct internet access and ensure that it is secure. You expect significant traffic flow between the sites and want to delegate as much of the network administration and management as possible to the MSSP. Which two MSSP deployment blueprints best address the customer's requirements? (Choose two answers). Use a shared hub at the MSSP premises with a dedicated VDOM for the new customer, and install the spokes at the customer premises. Use a shared hub at the MSSP premises and a dedicated hub at the customer premises and install the spokes at the customer premises. Install a dedicated hub at the MSSP premises for the new customer, and install the spokes at the customer premises. Install the hub and spokes at the customer premises and enable the MSSP to manage the SD-WAN deployment using FortiManager with a dedicated ADOM.

Refer to the exhibit. Which statement best describes the role of the ADVPN device in handling traffic? (Choose one answer). This is a spoke that has received a direct shortcut query from a remote spoke. This is a hub, and two spokes, 192.2.0.1 and 10.0.3.101, establish a shortcut. This is a hub that has received a shortcut query from a spoke and has forwarded it to another spoke. This is a spoke that has received a shortcut query from a remote hub.

Refer to the exhibit that shows a diagnose output on FortiGate. Based on the output shown in the exhibit, what can you say about the device role and how it handles health checks? (Choose one answer). The device is a spoke. It receives health-check measures for the tunnels of another spoke. The device is a hub. It receives embedded health-check measures for each tunnel from the spoke. The device is a spoke. It provides embedded health-check measures for each tunnel to the hub. The device is a hub. It receives health-check measures for the tunnels of a spoke.

Which three factors about SLA targets and SD-WAN rules should you consider when configuring SD-WAN rules? (Choose three answers). Member metrics are measured only if a rule uses the SLA target. SLA targets are used only by SD-WAN rules that are configured with a Lowest Cost (SLA) strategy. SD-WAN rules can use SLA targets to check whether the preferred members meet the SLA requirements. When configuring an SD-WAN rule, you can select multiple SLA targets if they are from the same performance SLA. When configuring an SD-WAN rule, you can select multiple SLA targets from different performance SLAs.

Refer to the exhibits. The interface details, static route configuration, and firewall policies on the managed FortiGate device are shown. You want to configure a new SD-WAN zone, named Underlay, that contains the interfaces port1 and port2. What must be your first action? (Choose one answer). Define port1 as an SD-WAN member. Delete the static routes. Delete the SD-WAN Zone Test. Delete the firewall policies.

You have configured the performance SLA with the probe mode as Prefer Passive. What are two observable impacts of this configuration? (Choose two answers). FortiGate passively monitors the member if TCP traffic is passing through the member. After FortiGate switches to active mode, the SLA performance rule falls back to passive monitoring after 3 minutes. FortiGate passively monitors the member if ICMP traffic is passing through the member. During passive monitoring, the SLA performance rule cannot detect dead members. FortiGate can offload the traffic that is subject to passive monitoring to hardware.

You want FortiGate to use SD-WAN rules to steer local-out traffic. Which two constraints should you consider? (Choose two answers). By default, FortiGate uses SD-WAN rules only for local-out traffic that corresponds to ping and traceroute. By default, local-out traffic does not use SD-WAN. You can steer local-out traffic only with SD-WAN rules that use the manual strategy. You must configure each local-out feature individually to use SD-WAN.