Title of test:
SDW

Description:
NSE7 7.0

Author:
AVATAR

Creation Date:
30/11/2023

Category:
Computers

Number of questions: 53
Content:
Which diagnostic command can you use to show the member utilization statistics measured by performance SLAs for the last 10 minutes? diagnose sys sdwan intf-sla-log; diagnose sys sdwan health-check; diagnose sys sdwan log; diagnose sys sdwan sla-log.
Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.) Encapsulating Security Payload (ESP); Secure Shell (SSH); Internet Key Exchange (IKE); Security Association (SA).
Which two settings can you configure to speed up routing convergence in BGP? (Choose two.) update-source; set-route-tag; holdtime-timer; link-down-failover.
Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups. Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.) London generates an IKE information message that contains the Toronto public IP address. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.
Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing table, and the member status. The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule. Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule? The traffic will be load balanced across all three overlays. The traffic will be routed over T_INET_0_0. The traffic will be routed over T_MPLS_0. The traffic will be routed over T_INET_1_0.
Which two performance SLA protocols enable you to verify that the server response contains a specific value? (Choose two.) http; icmp; twamp; dns.
Refer to the exhibit. Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.) The traffic shaper drops packets if the bandwidth is less than 2500 KBps. The measured bandwidth is less than 100 KBps. The traffic shaper drops packets if the bandwidth exceeds 6250 KBps. The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.
Refer to the exhibit. Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec? type must be set to static. mode-cfg must be enabled. exchange-interface-ip must be enabled. add-route must be disabled.
Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation? get router info routing-table all; diagnose debug application ike; diagnose vpn tunnel list; get ipsec tunnel list.
Refer to the exhibits. Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate. Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2? port1 is assigned a manual IP address. port1 is referenced in a firewall policy. port2 is referenced in a static route. port1 and port2 are not administratively down.
Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.) The sdwan_service_id flag in the session information is 0. All SD-WAN rules have the default setting enabled. Traffic does not match any of the entries in the policy route table. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.
Refer to the exhibit. An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0. Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.) The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device. T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0. T_INET_0_0 does not have a valid route to the destination. T_INET_1_0 has a higher member configuration priority than T_INET_0_0.
Refer to the exhibit. Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.) FortiGate flushes all sessions. FortiGate terminates the old sessions. FortiGate does not change existing sessions. FortiGate evaluates new sessions.
Which two statements about SD-WAN central management are true? (Choose two.) The objects are saved in the ADOM common object database. It does not support meta fields. It uses templates to configure SD-WAN on managed devices. It supports normalized interfaces for SD-WAN member configuration.
Refer to the exhibit. Which conclusion about the packet debug flow output is correct? The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped. The packet size exceeded the outgoing interface MTU. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.
Which are two benefits of using CLI templates in FortiManager? (Choose two.) You can reference meta fields. You can configure interfaces as SD-WAN members without having to remove references first. You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template. You can configure advanced CLI settings.
Refer to the exhibits. Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status. If port2 is detected dead by FortiGate, what is the expected behavior? Port2 becomes alive after three successful probes are detected. FortiGate removes all static routes for port2. The administrator manually restores the static routes for port2, if port2 becomes alive. Host 8.8.8.8 is reachable through port1 and port2.
Refer to the exhibit. The device exchanges routes using IBGP. Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.) Each BGP route is three hops away from the destination. ibgp-multipath is disabled. additional-path is enabled. You can run the get router info routing-table database command to display the additional paths.
In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.) It provides the benefits of a full-mesh topology in a hub-and-spoke network. It provides direct connectivity between spokes by creating shortcuts. It enables spokes to bypass the hub during shortcut negotiation. It enables spokes to establish shortcuts to third-party gateways.
Refer to the exhibit. Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules? All traffic from a source IP to a destination IP is sent to the same interface. All traffic from a source IP is sent to the same interface. All traffic from a source IP is sent to the most used interface. All traffic from a source IP to a destination IP is sent to the least used interface.
Refer to the exhibits. Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.) FortiGate does not install IPsec static routes for remote protected networks in the routing table. The phase 1 configuration supports the network-overlay setting. FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0. Dead peer detection is disabled.
Refer to the exhibits. Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate. Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.) FortiGate flags the sessions as dirty. FortiGate continues routing the sessions with no SNAT, over port2. FortiGate performs a route lookup for the original traffic only. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.
Refer to the exhibits. Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status. Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.) The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member. FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic. FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member. Non-TCP Facebook and YouTube traffic are not used for performance measurement.
Refer to the exhibits. Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration. Based on the exhibits, which two statements are correct? (Choose two.) FortiGate updated the outgoing interface list on the rule so it prefers port2. Port2 has the highest member priority. Port2 has a lower latency than port1. SD-WAN rule ID 1 is set to lowest cost (SLA) mode.
Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth? Interface-based shaping mode; Reverse-policy shaping mode; Shared-policy shaping mode; Per-IP shaping mode.
Which two interfaces are considered overlay links? (Choose two.) LAG; IPsec; Physical; GRE.
Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt. When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule. Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0? Enable auxiliary-session under config system settings. Disable tcp-session-without-syn under config system settings. Enable snat-route-change under config system global. Disable allow-subnet-overlap under config system settings.
What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.) The ISDB is dynamically updated and reduces administrative overhead. The ISDB requires application control to maintain signatures and perform load balancing. The ISDB applies rules to traffic from specific sources, based on application type. The ISDB contains the IP addresses and port ranges of well-known internet services.
Which are three key routing principles in SD-WAN? (Choose three.) FortiGate performs route lookups for new sessions only. Regular policy routes have precedence over SD-WAN rules. SD-WAN rules have precedence over ISDB routes. By default, SD-WAN members are skipped if they do not have a valid route to the destination. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
Refer to the exhibit. The exhibit shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member? When T_INET_0_0 and T_MPLS_0 have the same latency. When T_MPLS_0 has a latency of 100 ms. When T_INET_0_0 has a latency of 250 ms. When T_MPLS_0 has a latency of 80 ms.
Refer to the exhibits. Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy. The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic. Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic? Destination internet service must be enabled on the traffic shaping policy. Application control must be enabled on the firewall policy. Web filtering must be enabled on the firewall policy. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.
What is the route-tag setting in an SD-WAN rule used for? To indicate the routes for health check probes. To indicate the destination of a rule based on learned BGP prefixes. To indicate the routes that can be used for routing SD-WAN traffic. To indicate the members that can be used to route SD-WAN traffic.
Which statement is correct about SD-WAN and ADVPN? You must use OSPF. SD-WAN can steer traffic to ADVPN shortcuts established over IPsec overlays configured as SD-WAN members. Routes for ADVPN shortcuts must be manually configured. SD-WAN does not monitor the health and performance of ADVPN shortcuts.
Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups. Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.) London generates an IKE information message that contains the Toronto public IP address. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.
Which three matching traffic criteria are available in SD-WAN rules? (Choose three.) Type of physical link connection; Internet service database (ISDB) address object; Source and destination IP address; URL categories; Application signatures.
Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members? diagnose sys sdwan zone; diagnose sys sdwan service; diagnose sys sdwan member; diagnose sys sdwan interface.
Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke. What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN? You must disable idle-timeout. You must set ike-version to 1. You must enable auto-discovery-sender. You must enable net-device.
Refer to the exhibit. Based on the output, which two conclusions are true? (Choose two.) There is more than one SD-WAN rule configured. The SD-WAN rules take precedence over regular policy routes. The all_rules rule represents the implicit SD-WAN rule. Entry 1(id=1) is a regular policy route.
Which two tasks are part of using central VPN management? (Choose two.) You can configure full mesh, star, and dial-up VPN topologies. You must enable VPN zones for SD-WAN deployments. FortiManager installs VPN settings on both managed and external gateways. You configure VPN communities to define common IPsec settings shared by all VPN gateways.
Refer to the exhibit. Which statement about the role of the ADVPN device in handling traffic is true? This is a spoke that has received an offer from a remote hub. Two spokes, 192.2.0.1 and 10.0.2.101, establish a shortcut. This is a hub that has received an offer from a spoke and has forwarded it to another spoke. An IKE session is established between 10.0.1.101 and 10.0.2.101 in the process of forming a shortcut tunnel.
Refer to the exhibit. Which statement about the role of the ADVPN device in handling traffic is true? This is a spoke that has received a query from a remote hub and has forwarded the response to its hub. Two hubs, 10.0.1.101 and 10.0.2.101, are receiving and forwarding queries between each other. This is a hub that has received a query from a spoke and has forwarded it to another spoke. Two spokes, 192.2.0.1 and 10.0.2.101, forward their queries to their hubs.
Which two statements about the SD-WAN zone configuration are true? (Choose two.) The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination. You can delete the default zones. The default zones are virtual-wan-link and SASE. An SD-WAN member can belong to two or more zones.
Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts? hold-down-time; link-down-failover; auto-discovery-shortcuts; idle-timeout.
Refer to the exhibit. Based on the exhibit, which two actions does FortiGate perform on traffic passing through port2? (Choose two.) FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change. FortiGate performs routing lookups for new sessions only, after a route change. FortiGate always blocks all traffic, after a route change. FortiGate flushes all routing information from the session table, after a route change.
What are two common use cases for remote internet access (RIA)? (Choose two.) Provide direct internet access on spokes; Provide internet access through the hub; Centralize security inspection on the hub; Provide thorough inspection on spokes.
What are two benefits of using forward error correction (FEC) in IPsec VPNs? (Choose two.) FEC supports hardware offloading. FEC improves reliability of noisy links. FEC transmits parity packets that can be used to reconstruct packet loss. FEC can leverage multiple IPsec tunnels for parity packets transmission.
Refer to the exhibit. Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.) After FortiGate switches to active mode, FortiGate never fails back to passive monitoring. During passive monitoring, FortiGate can’t detect dead members. FortiGate can offload the traffic that is subject to passive monitoring to hardware. FortiGate passively monitors the member if TCP traffic is passing through the member.
Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.) FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic. By default, local-out traffic does not use SD-WAN. By default, FortiGate does not check if the selected member has a valid route to the destination. You must configure each local-out feature individually, to use SD-WAN.
Refer to the exhibit. Which statement explains the output shown in the exhibit? FortiGate performed standard FIB routing on the session. FortiGate will not re-evaluate the session following a firewall policy change. FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic. FortiGate must re-evaluate the session due to routing change.
What does the exchange-interface-ip setting enable FortiGate devices to exchange? The gateway address of their IPsec interfaces; The tunnel ID of their IPsec interfaces; The IP address of their IPsec interfaces; The name of their IPsec interfaces.
Refer to the exhibits. An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A. After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1. Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.) FortiGate did not refresh the routing information on the session after the application was detected. Port1 and port2 do not have a valid route to the destination. Full SSL inspection is not enabled on the matching firewall policy. The session 3-tuple did not match any of the existing entries in the ISDB application cache.
Refer to the exhibit. The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.) The main session cannot be offloaded to hardware. The original direction of the symmetric traffic flows from port3 to port2. The reply direction of the asymmetric traffic flows from port2 to port3. The auxiliary session can be offloaded to hardware.
Refer to the exhibit. The exhibit shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member? When all three members have the same packet loss. When T_INET_0_0 has 4% packet loss. When T_INET_0_0 has 12% packet loss. When T_INET_1_0 has 4% packet loss.