Title of test: Fortinet NSE7 - SDWAN 7.0
Description: Collection from several Dump
Author: FORTI
Creation Date: 28/09/2023
Category: Competitive Exam
Number of questions: 88
Content:
Which diagnostic command can you use to show the member utilization statistics measured by performance SLAs for the last 10 minutes?
diagnose sys sdwan intf-sla-log
diagnose sys sdwan health-check
diagnose sys sdwan log
diagnose sys sdwan sla-log

Which diagnostic command can you use to show interface-specific SLA logs for the last 10 minutes?
diagnose sys virtual-wan-link health-check
diagnose sys virtual-wan-link log
diagnose sys virtual-wan-link sla-log
diagnose sys virtual-wan-link intf-sla-log

Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)
Encapsulating Security Payload (ESP)
Secure Shell (SSH)
Internet Key Exchange (IKE)
Security Association (SA)

Which two settings can you configure to speed up routing convergence in BGP? (Choose two.)
update-source
set-route-tag
link-down-failover
holdtime-timer

Refer to the exhibits. Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing table, and the member status. The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule. Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule?
The traffic will be load balanced across all three overlays.
The traffic will be routed over T_INET_0_0.
The traffic will be routed over T_MPLS_0.
The traffic will be routed over T_INET_1_0.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups. Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)
London generates an IKE information message that contains the Toronto public IP address.
Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Which two performance SLA protocols enable you to verify that the server response contains a specific value? (Choose two.)
http
icmp
twamp
dns

Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)
The traffic shaper drops packets if the bandwidth is less than 2500 KBps.
The measured bandwidth is less than 100 KBps.
The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.
The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?
type must be set to static.
mode-cfg must be enabled.
exchange-interface-ip must be enabled.
add-route must be disabled.

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?
get router info routing-table all
diagnose debug application ike
diagnose vpn tunnel list
get ipsec tunnel list

Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate. Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?
port1 is assigned a manual IP address.
port1 is referenced in a firewall policy.
port2 is referenced in a static route.
port1 and port2 are not administratively down.

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)
The sdwan_service_id flag in the session information is 0.
All SD-WAN rules have the default setting enabled.
Traffic does not match any of the entries in the policy route table.
Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0. Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)
The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.
T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.
T_INET_0_0 does not have a valid route to the destination.
T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)
FortiGate flushes all sessions.
FortiGate terminates the old sessions.
FortiGate does not change existing sessions.
FortiGate evaluates new sessions.

Which two statements about SD-WAN central management are true? (Choose two.)
The objects are saved in the ADOM common object database.
It does not support meta fields.
It uses templates to configure SD-WAN on managed devices.
It supports normalized interfaces for SD-WAN member configuration.

The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.
The packet size exceeded the outgoing interface MTU.
The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.
The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Which are two benefits of using CLI templates in FortiManager? (Choose two.)
You can reference meta fields.
You can configure interfaces as SD-WAN members without having to remove references first.
You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.
You can configure advanced CLI settings.

Multiple IPsec VPNs are formed between two hub-and-spokes groups, and site-to-site between Hub 1 and Hub 2. The administrator configured ADVPN on the dual regions topology. Which two statements are correct if a user in Toronto sends traffic to London? (Choose two.)
Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
The first packets from Toronto to London are routed through Hub 1 then to Hub 2.
London generates an IKE information message that contains the Toronto public IP address.
Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy. FortiGate is not performing traffic shaping as expected, based on the policies shown in the exhibits. To correct this traffic shaping issue on FortiGate, what configuration change must be made on which policy?
The URL category must be specified on the traffic shaping policy.
The shaper mode must be applied per-IP shaper on the traffic shaping policy.
The web filter profile must be enabled on the firewall policy.
The application control profile must be enabled on the firewall policy.

Which statement defines how a per-IP traffic shaper of 10 Mbps is applied to the entire network?
The 10 Mbps bandwidth is shared equally among the IP addresses.
Each IP is guaranteed a minimum 10 Mbps of bandwidth.
FortiGate allocates each IP address a maximum 10 Mbps of bandwidth.
A single user uses the allocated bandwidth divided by total number of users.

Which three parameters are available to configure SD-WAN rules? (Choose three.)
Application signatures
URL categories
Internet service database (ISDB) address object
Source and destination IP address
Type of physical link connection

Which diagnostic command can you use to show the SD-WAN rules interface information and state?
diagnose sys virtual-wan-link route-tag-list
diagnose sys virtual-wan-link service
diagnose sys virtual-wan-link member
diagnose sys virtual-wan-link neighbor

Exhibit A shows the performance SLA and exhibit B shows the SD-WAN diagnostics output. Based on the exhibits, which statement is correct?
Port1 became dead because no traffic was offloaded through the egress of port1.
SD-WAN member interfaces are affected by the SLA state of the inactive interface.
Both SD-WAN member interfaces have used separate SLA targets.
The SLA state of port1 is dead after five unanswered requests by the SLA servers.

Which statement is correct about the SD-WAN and ADVPN?
Spokes support dynamic VPN as a static interface.
Dynamic VPN is not supported as an SD-WAN interface.
ADVPN interface can be a member of SD-WAN interface.
Hub FortiGate is limited to use ADVPN as SD-WAN member interface.

Which two reasons make forward error correction (FEC) ideal to enable in a phase one VPN interface? (Choose two.)
FEC is useful to increase speed at which traffic is routed through IPsec tunnels.
FEC transmits the original payload in full to recover the error in transmission.
FEC transmits additional packets as redundant data to the remote device.
FEC improves reliability, which overcomes adverse WAN conditions such as noisy links.
FEC reduces the stress on the remote device jitter buffer to reconstruct packet loss.

Exhibit A shows the source NAT global setting and exhibit B shows the routing table on FortiGate. Based on the exhibits, which two statements about increasing the port2 interface priority to 20 are true? (Choose two.)
All the existing sessions that do not use SNAT will be flushed and routed through port1.
All the existing sessions will continue to use port2, and new sessions will use port1.
All the existing sessions using SNAT will be flushed and routed through port1.
All the existing sessions will be blocked from using port1 and port2.

Which components make up the secure SD-WAN solution?
FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy
Application, antivirus, and URL, and SSL inspection
Datacenter, branch offices, and public cloud
Telephone, ISDN, and telecom network

Which two statements about the status of the VPN tunnel are true? (Choose two.)
There are separate virtual interfaces for each dial-up client.
VPN static routes are prevented from populating the FortiGate routing table.
FortiGate created a single IPsec virtual interface that is shared by all clients.
100.64.3.1 is one of the remote IP addresses that comes through index interface 1.

Exhibit A shows the SD-WAN rules and exhibit B shows the traffic logs. The SD-WAN traffic logs reflect how FortiGate processed traffic. Which two statements about how the configured SD-WAN rules are processing traffic are true? (Choose two.)
The implicit rule overrides all other rules because parameters widely cover sources and destinations.
SD-WAN rules are evaluated in the same way as firewall policies: from top to bottom.
The All_Access_Rules rule load balances Vimeo application traffic among SD-WAN member interfaces.
The initial session of an application goes through a learning phase in order to apply the correct rule.

What are the two minimum configuration requirements for an outgoing interface to be selected once the SD-WAN logical interface is enabled? (Choose two.)
Specify outgoing interface routing cost.
Configure SD-WAN rules interface preference.
Select SD-WAN balancing strategy.
Specify incoming interfaces in SD-WAN rules.

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?
The type of traffic defined and allowed on firewall policy ID 1 is UDP.
Changes have been made on firewall policy ID 1 on FortiGate.
Firewall policy ID 1 has source NAT disabled.
FortiGate has terminated the session after a change on policy ID 1.

What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process? (Choose two.)
The FortiGate cloud key has not been added to the FortiGate cloud portal.
FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager.
FortiGate has obtained a configuration from the platform template in FortiGate cloud.
A factory reset performed on FortiGate.
The zero-touch provisioning process has completed internally, behind FortiGate.

Which two statements reflect the benefits of implementing the ADVPN solution to replace conventional VPN topologies? (Choose two.)
It creates redundant tunnels between hub-and-spokes, in case failure takes place on the primary links.
It dynamically assigns cost and weight between the hub and the spokes, based on the physical distance.
It ensures that spoke-to-spoke traffic no longer needs to flow through the tunnels through the hub.
It provides direct connectivity between all sites by creating on-demand tunnels between spokes.

Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used to select an outgoing interface in an SD-WAN rule? (Choose two.)
set cost 15
set source 100.64.1.1
set priority 10
set load-balance-mode source-ip-based

Which two statements about the debug output are correct? (Choose two.)
The debug output shows per-IP shaper values and real-time readings.
This traffic shaper drops traffic that exceeds the set limits.
Traffic being controlled by the traffic shaper is under 1 Kbps.
FortiGate provides statistics and reading based on historical traffic logs.

In the default SD-WAN minimum configuration, which two statements are correct when traffic matches the default implicit SD-WAN rule? (Choose two.)
Traffic has matched none of the FortiGate policy routes.
Matched traffic failed RPF and was caught by the rule.
The FIB lookup resolved interface was the SD-WAN interface.
An absolute SD-WAN rule was defined and matched traffic.

Which statement about the trace evaluation by FortiGate is true?
Packets exceeding the configured maximum concurrent connection limit are denied by the per-IP shaper.
The packet exceeded the configured bandwidth and was dropped based on the priority configuration.
The packet exceeded the configured maximum bandwidth and was dropped by the shared shaper.
Packets exceeding the configured concurrent connection limit are dropped based on the priority configuration.

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN. Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)
Specify a unique peer ID for each dial-up VPN interface.
Use different proposals between the interfaces.
Configure the IKE mode to be aggressive mode.
Use unique Diffie Hellman groups on each VPN interface.

Exhibit A shows the firewall policy and exhibit B shows the traffic shaping policy. The traffic shaping policy is being applied to all outbound traffic; however, inbound traffic is not being evaluated by the shaping policy. Based on the exhibits, what configuration change must be made in which policy so that traffic shaping can be applied to inbound traffic?
The guaranteed-10mbps option must be selected as the per-IP shaper option.
The guaranteed-10mbps option must be selected as the reverse shaper option.
A new firewall policy must be created and SD-WAN must be selected as the incoming interface.
The reverse shaper option must be enabled and a traffic shaper must be selected.

What must you configure to enable ADVPN?
ADVPN should only be enabled on unmanaged FortiGate devices.
Each VPN device has a unique pre-shared key configured separately on phase one.
The protected subnets should be set to address object to all (0.0.0.0/0).
On the hub VPN, only the device needs additional phase one settings.

Which two statements describe how IPsec phase 1 main mode is different from aggressive mode when performing IKE negotiation? (Choose two.)
A peer ID is included in the first packet from the initiator, along with suggested security policies.
XAuth is enabled as an additional level of authentication, which requires a username and password.
A total of six packets are exchanged between an initiator and a responder instead of three packets.
The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

What are two benefits of using FortiManager to organize and manage the network for a group of FortiGate devices? (Choose two.)
It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.
It improves SD-WAN performance on the managed FortiGate devices.
It sends probe signals as health checks to the beacon servers on behalf of FortiGate.
It acts as a policy compliance entity to review all managed FortiGate devices.
It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

What would best describe the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth?
Per-IP shaping mode
Shared policy shaping mode
Interface-based shaping mode
Reverse policy shaping mode

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the health of the participating SD-WAN members. Based on the exhibits, which statement is correct?
The dead member interface stays unavailable until an administrator manually brings the interface back.
Port2 needs to wait 500 milliseconds to change the status from alive to dead.
The SLA state of port2 has exceeded three consecutive unanswered requests from the SLA server.
Check interval is the time to wait before a packet sent by a member interface is considered lost.

What is the lnkmtd process responsible for?
Flushing route tags addresses
Monitoring links for any bandwidth saturation
Logging interface quality information
Processing performance SLA probes

Which statement reflects how BGP tags work with SD-WAN rules?
VPN topologies are formed using only BGP dynamic routing with SD-WAN.
Route tags are used for a BGP community and the SD-WAN rules are assigned the same tag.
BGP tags require that the adding of static routes be enabled on all ADVPN interfaces.
BGP tags match the SD-WAN rule based on the order that these rules were installed.

Which statement about using BGP routes in SD-WAN is true?
Adding static routes must be enabled on all ADVPN interfaces.
VPN topologies must be formed using only BGP dynamic routing with SD-WAN.
Learned routes can be used as dynamic destinations in SD-WAN rules.
Dynamic routing protocols can be used only with non-encrypted traffic.

An administrator is troubleshooting VoIP quality issues that occur when calling external phone numbers. The SD-WAN interface on the edge FortiGate is configured with the default settings, and is using two upstream links. One link has random jitter and latency issues, and is based on a wireless connection. Which two actions must the administrator apply simultaneously on the edge FortiGate to improve VoIP quality using SD-WAN rules? (Choose two.)
Select the corresponding SD-WAN balancing strategy in the SD-WAN rule.
Choose the suitable interface based on the interface cost and weight.
Use the performance SLA targets to detect latency and jitter instantly.
Place the troublesome link at the top of the interface preference list.
Configure an SD-WAN rule to load balance all traffic without VoIP.

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN interface and the static routes configuration. Port1 and port2 are member interfaces of the SD-WAN, and port2 becomes a dead member after reaching the failure thresholds. Which statement about the dead member is correct?
Port2 might become alive when a single response is received from an SLA server.
Dead members require manual administrator access to bring them back alive.
Subnets 100.64.1.0/24 and 172.20.0.0/16 are reachable only through port1.
SD-WAN interface becomes disabled and port1 becomes the WAN interface.

What are two roles that SD-WAN orchestrator plays when it works with FortiManager? (Choose two.)
It configures and monitors SD-WAN networks on FortiGate devices that are managed by FortiManager.
It acts as a standalone device to assist FortiManager to manage SD-WAN interfaces on the managed FortiGate devices.
It acts as a hub FortiGate with an SD-WAN interface enabled and managed along with other FortiGate devices by FortiManager.
It acts as an application that is released and signed by Fortinet to run as a part of management extensions on FortiManager.

Which statement about the command route-tag in the SD-WAN rule is true?
It ensures route tags match the SD-WAN rule based on the rule order.
It tags each route and references the tag in the routing table.
It enables the SD-WAN rule to load balance and assign traffic with a route tag.
It uses route tags for a BGP community and assigns the SD-WAN rules with same tag.

Which templates are created by the SD-WAN Overlay Template for a hub device?
SD-WAN, Static Route, IPsec
BGP, IPsec, CLI
IPsec, Static Route, BGP
IPsec, SD-WAN, BGP

By default, what member information does FortiGate consider when selecting the best member in a lowest cost (SLA) SD-WAN rule?
Status of configured SLA targets, cost, and priority
Status of configured SLA targets, cost, and corrected metric
Status of configured SLA targets, interface index number, and priority
Interface index number, cost, and priority

If the outgoing interface for an established SNATED session changes, which two requirements must the configuration meet so that FortiGate continues forwarding packets from that session to the new outgoing interface? (Choose two.)
You must set firewall-session-dirty to check-new on the new matching firewall policy.
You must enable the snat-route-change setting.
You must configure FortiGate so the SNAT IP address doesn’t change.
You must have a firewall policy that accepts the new traffic flow for the session.

Which statement about SLA targets under a performance SLA is true?
You must configure an SLA target when you configure a performance SLA.
You can configure only one SLA target per performance SLA.
SLA targets are required only for the Lowest Cost (SLA) and Maximize Bandwidth (SLA) rules strategies.
SLA targets prevent flapping.

Which session flag indicates the ID of the matching SD-WAN member?
sdwan_service_id
policy_id
serial
sdwan_mbr_seq

In which rule strategy are cost and interface preference not considered selection factors?
Maximize Bandwidth (SLA)
Manual
Lowest Cost (SLA)
Best Quality

An administrator configured a best-quality SD-WAN rule with WAN1 and WAN2 as members. WAN1 has the highest configuration priority, and link-cost-threshold is set to 10. FortiGate reports a latency of 100 ms and 120 ms for WAN1 and WAN2, respectively. Which change in the measured latency will make WAN2 the new preferred member?
When WAN2 has a latency of 100 ms
When WAN2 has a latency lower than ~91 ms
When WAN1 has a latency lower than 100 ms
When WAN1 has a latency of 120 ms

Which two statements about SD-WAN zones are true? (Choose two.)
You must configure the SD-WAN zone with a minimum of two members.
After you add an interface to SD-WAN as a member, you must use zones to reference the member in firewall policies.
You can configure only one SD-WAN zone per VDOM.
You are allowed to create static routes that reference an SD-WAN zone.

In a spoke IPsec phase 1 configuration, which setting must be enabled in order for the spoke to participate in ADVPN?
auto-discovery-receiver
auto-discovery-shortcuts
auto-discovery-forwarder
auto-discovery-sender

What does forward error correction do?
It generates parity packets with redundant data.
It buffers packets and transmits them at the appropriate speed.
It reorders packets at the destination.
It sends the same packets across multiple links.

Which statement about SD-WAN management on FortiManager is true?
You can configure SD-WAN using central management mode only.
You can import an existing SD-WAN configuration into SD-WAN templates.
You must manually refresh the SD-WAN monitor page to get the latest status information.
You can’t reference metadata variables in CLI templates and SD-WAN templates.

Which SD-WAN rule strategy enables you to select a customized profile as quality criteria?
Lowest cost (SLA)
Maximize bandwidth (SLA)
Manual
Best quality

Which SD-WAN rule strategy load balances traffic among selected SD-WAN members using the round-robin method?
Lowest Cost (SLA)
Best Quality
Maximize Bandwidth (SLA)
Manual

Which two interfaces can be added to SD-WAN as members? (Choose two.)
VLAN
Virtual wire pair
Zone
IPsec interface

Which statement best defines Source_Destination IP load balancing?
Sessions from the same source IP address use the same interface.
Sessions from the same source and destination IP pair use the same interface.
Sessions are distributed based on weights assigned on the source and destination interfaces.
Sessions from the same destination IP address use the same interface.

Which two statements about SD-WAN rules are true? (Choose two.)
SD-WAN rules can be used only to define load balancing methods.
SD-WAN rules take precedence over static routes.
Regular policy routes take precedence over SD-WAN rules.
SD-WAN rules are treated as static routes.

When is an SD-WAN member considered to be in the dead state?
When the SD-WAN member meets the SLA target requirement
When the SD-WAN member reaches the failure threshold
When both servers used for health checks are reachable by an interface member
When the SD-WAN member has an active route in a routing table

In an SD-WAN rule, which setting can be used to add BGP learned routes as dynamic destinations?
dscp-forward-tag
route-tag
tos-mask
src-negate

Which two statements about the Update Static Route setting under the Performance SLA section are true? (Choose two.)
If Update Static Route is enabled, FortiGate removes all SD-WAN routes from the routing table.
If Update Static Route is enabled, FortiGate marks static routes using the same gateway as an alive member, as active.
If Update Static Route is disabled, FortiGate stops sending probes to monitor members.
If Update Static Route is enabled, FortiGate marks static routes using the same gateway as a dead member, as inactive.

Which three protocols can be used for the status check in a performance SLA? (Choose three.)
SSH
HTTP
DNS
traceroute
TWAMP

Which SD-WAN rule strategy allows you to send traffic to a specific member without using any performance SLA?
Lowest Cost (SLA)
Best Quality
Manual
Maximize Bandwidth (SLA)

What is the lnkmtd process responsible for?
Monitoring links for any bandwidth saturation
Processing performance SLA probes
Flushing route tags addresses
Logging interface quality information

Which statement is correct about the SD-WAN and ADVPN?
ADVPN interface can be a member of SD-WAN interface.
Dynamic VPN is not supported as an SD-WAN interface.
Spokes support dynamic VPN as a static interface.
Hub FortiGate is limited to use ADVPN as SD-WAN member interface.

Learned routes can be used as dynamic destinations in SD-WAN rules
Adding static routes must be enabled on all ADVPN interfaces.
VPN topologies must be formed using only BGP dynamic routing with SD-WAN.
Learned routes can be used as dynamic destinations in SD-WAN rules.
Dynamic routing protocols can be used only with non-encrypted traffic.

Which diagnostic command can you use to show the SD-WAN rules interface information and state?
diagnose sys virtual-wan-link neighbor
diagnose sys virtual-wan-link route-tag-list
diagnose sys virtual-wan-link member
diagnose sys virtual-wan-link service

What are two roles that SD-WAN orchestrator plays when it works with FortiManager? (Choose two.)
It configures and monitors SD-WAN networks on FortiGate devices that are managed by FortiManager.
It acts as a standalone device to assist FortiManager to manage SD-WAN interfaces on the managed FortiGate devices.
It acts as a hub FortiGate with an SD-WAN interface enabled and managed along with other FortiGate devices by FortiManager.
It acts as an application that is released and signed by Fortinet to run as a part of management extensions on FortiManager.

In the default SD-WAN minimum configuration, which two statements are correct when traffic matches the default implicit SD-WAN rule? (Choose two.)
Traffic has matched none of the FortiGate policy routes.
Matched traffic failed RPF and was caught by the rule.
The FIB lookup resolved interface was the SD-WAN interface.
An absolute SD-WAN rule was defined and matched traffic.

What are the two minimum configuration requirements for an outgoing interface to be selected once the SD-WAN logical interface is enabled?
Specify outgoing interface routing cost.
Configure SD-WAN rules interface preference.
Select SD-WAN balancing strategy.
Specify incoming interfaces in SD-WAN rules.

The device exchanges routes using IBGP. Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)
Each BGP route is three hops away from the destination.
ibgp-multipath is disabled.
The additional path is enabled.
You can run the get router info routing-table database command to display the additional paths.

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)
It provides the benefits of a full-mesh topology in a hub-and-spoke network.
It provides direct connectivity between spokes by creating shortcuts.
It enables spokes to bypass the hub during shortcut negotiation.
It enables spokes to establish shortcuts to third-party gateways.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?
All traffic from a source IP to a destination IP is sent to the same interface.
All traffic from a source IP is sent to the same interface.
All traffic from a source IP is sent to the most used interface.
All traffic from a source IP to a destination IP is sent to the least used interface.

Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)
FortiGate does not install IPsec static routes for remote protected networks in the routing table.
The phase 1 configuration supports the network-overlay setting.
FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
Dead peer detection is disabled.

Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate. Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)
FortiGate flags the sessions as dirty.
FortiGate continues routing the sessions with no SNAT, over port2.
FortiGate performs a route lookup for the original traffic only.
FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status. Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)
The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member. (Most Voted)
FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
Non-TCP Facebook and YouTube traffic are not used for performance measurement.

Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration. Based on the exhibits, which two statements are correct? (Choose two.)
FortiGate updated the outgoing interface list on the rule so it prefers port2.
Port2 has the highest member priority.
Port2 has a lower latency than port1.
SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt. When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule. Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?
Enable auxiliary-session under config system settings.
Disable tcp-session-without-syn under config system settings.
Enable snat-route-change under config system global.
Disable allow-subnet-overlap under config system settings.