NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Enable auxiliary-session under config system settings.

Disable tсp-session-without-syn under config system settings.

Enable snat-route-change under config system global.

Disable allow-subnet-overlap under config system settings.

There are no IPsec tunnel statistics log messages for ADVPN cuts.

There is one shortcut tunnel built from master tunnel T_MPLS_0.

The VPN tunnel T_MPLS_0 is a shortcut tunnel.

The master tunnel T_INET_0 cannot accept the ADVPN shortcut. 

Packet duplication can leverage multiple IPsec overlays for sending additional data.

Packet duplication does not require a route to the destination.

Packet duplication supports hardware offloading.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

Set additional-path to send

Enable route-reflector-client

Set advertisement-interval to the number of additional paths to advertise

Set adv-additional-path to the number of additional paths to advertise

Enable soft-reconfiguration

VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

FortiManager automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

IPsec recommended template guides the administrator to use Fortinet recommended settings.

IPsec recommended template ensures consistent settings between phase1 and phase2

Routes for ADVPN shortcuts must be manually configured.

SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.

SD-WAN does not monitor the health and performance of ADVPN shortcuts.

You must use IKEv2 on IPsec tunnels.

The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.

You can delete the default zones.

The default zones are virtual-wan-link and SASE.

An SD-WAN member can belong to two or more zones.

Set priority 10.

Set cost 15.

Set load-balance-mode source-ip-ip-based.

Set source 100.64.1.1.

After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

During passive monitoring, FortiGate can’t detect dead members.

FortiGate can offload the traffic that is subject to passive monitoring to hardware.

FortiGate passively monitors the member if TCP traffic is passing through the member.

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.

Two hubs, 10.0.1.101 and 10.0.2.101, are receiving and forwarding queries between each other.

This is a hub that has received a query from a spoke and has forwarded it to another spoke.

Two spokes, 192.2.0.1 and 10.0.2.101, forward their queries to their hubs.

To indicate the routes for health check probes.

To indicate the destination of a rule based on learned BGP prefixes.

To indicate the routes that can be used for routing SD-WAN traffic.

To indicate the members that can be used to route SD-WAN traffic.

It ensures consistent settings between phase1 and phase2.

It guides the administrator to use Fortinet recommended settings.

It automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

The reply direction of the asymmetric traffic flows from port2 to port3.

The auxiliary session can be offloaded to hardware.

The original direction of the symmetric traffic flows from port3 to port2.

The main session cannot be offloaded to hardware.

The FortiGate cloud key has not been added to the FortiGate cloud portal.

FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager

The zero-touch provisioning process has completed internally, behind FortiGate.

FortiGate has obtained a configuration from the platform template in FortiGate cloud.

A factory reset performed on FortiGate.

You can reference meta fields.

You can configure interfaces as SD-WAN members without having to remove references first.

You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

You can configure advanced CLI settings.

On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.

On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.

auto-discovery-forwarder must be enabled on all IPsec VPNs.

On the hubs, net-device must be enabled on all IPsec VPNs.

The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

The packet size exceeded the outgoing interface MTU.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

An SD-WAN zone can contain only one type of interface.

An SD-WAN zone can contain between 0 and 512 members.

You cannot use an SD-WAN zone in static route definitions.

You can configure up to 32 SD-WAN zones per VDOM.

The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

On the receiver FortiGate, packet-de-duplication is enabled.

The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.

The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.

On the sender FortiGate, duplication-max-num is set to 3.

FortiGate does not install IPsec static routes for remote protected networks in the routing table. Most Voted

The phase 1 configuration supports the network-overlay setting. Most Voted

FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

Dead peer detection is disabled.

FortiGate performs route lookups for new sessions only.

Regular policy routes have precedence over SD-WAN rules.

SD-WAN rules have precedence over ISDB routes.

By default, SD-WAN members are skipped if they do not have a valid route to the destination.

By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

Each region has its own SD-WAN topology

It is not compatible with ADVPN.

Regions must correspond to geographical areas.

Routing between the hub and spokes must be BGP.

Destination internet service must be enabled on the traffic shaping policy.

Application control must be enabled on the firewall policy.

Web filtering must be enabled on the firewall policy.

Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

The objects are saved in the ADOM common object database.

It does not support meta fields.

It uses templates to configure SD-WAN on managed devices.

It supports normalized interfaces for SD-WAN member configuration.