Weekend Special Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: clap70

NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Questions 4

Which two settings can you configure to speed up routing convergence in BGP? (Choose two.)

Options:

A.

update-source

B.

set-route-tag

C.

holdtime-timer

D.

link-down-failover

Buy Now
Questions 5

Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth?

Options:

A.

Interface-based shaping mode

B.

Reverse-policy shaping mode

C.

Shared-policy shaping mode

D.

Per-IP shaping mode

Buy Now
Questions 6

Exhibit.

Which conclusion about the packet debug flow output is correct?

Options:

A.

The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

B.

The packet size exceeded the outgoing interface MTU.

C.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

D.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Buy Now
Questions 7

Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member?

Options:

A.

When all three members have the same packet loss.

B.

When T_INET_0_0 has 4% packet loss.

C.

When T_INET_0_0 has 12% packet loss.

D.

When T_INET_1_0 has 4% packet loss.

Buy Now
Questions 8

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status.

Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)

Options:

A.

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

B.

FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

C.

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

D.

Non-TCP Facebook and YouTube traffic are not used for performance measurement.

Buy Now
Questions 9

Refer to the exhibit.

Based on the exhibit, which action does FortiGate take?

Options:

A.

FortiGate bounces port5 after it detects all SD-WAN members as dead.

B.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

C.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

D.

FortiGate brings down port5 after it detects all SD-WAN members as dead.

Buy Now
Questions 10

What does enabling theexchange-interface-ipsetting enable FortiGate devices to exchange?

Options:

A.

The gateway address of their IPsec interfaces

B.

The tunnel ID of their IPsec interfaces

C.

The IP address of their IPsec interfaces

D.

The name of their IPsec interfaces

Buy Now
Questions 11

What is the route-tag setting in an SD-WAN rule used for?

Options:

A.

To indicate the routes for health check probes.

B.

To indicate the destination of a rule based on learned BGP prefixes.

C.

To indicate the routes that can be used for routing SD-WAN traffic.

D.

To indicate the members that can be used to route SD-WAN traffic.

Buy Now
Questions 12

Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?

    diagnose sys sdwan service

    diagnose sys sdwan route-tag-list

    diagnose sys sdwan member

Options:

A.

diagnose sys sdwan neighbor

Buy Now
Questions 13

Refer to the exhibit.

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.

Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes prefixes and their additional paths? (Choose three.)

Options:

A.

Setadditional-pathtosend

B.

Enableroute-reflector-client

C.

Setadvertisement-intervalto the number of additional paths to advertise

D.

Setadv-additional-pathto the number of additional paths to advertise

E.

Enablesoft-reconfiguration

Buy Now
Questions 14

Refer to the exhibit.

Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)

Options:

A.

FortiGate does not install IPsec static routes for remote protected networks in the routing table.

B.

The phase 1 configuration supports the network-overlay setting.

C.

FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

D.

Dead peer detection is disabled.

Buy Now
Questions 15

Exhibit A shows the firewall policy and exhibit B shows the traffic shaping policy.

The traffic shaping policy is being applied to all outbound traffic; however, inbound traffic is not being evaluated by the shaping policy.

Based on the exhibits, what configuration change must be made in which policy so that traffic shaping can be applied to inbound traffic?

Options:

A.

Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

B.

In the traffic shaping policy, select Assign Shaping Class ID as Action.

C.

In the firewall policy, select Proxy-based as Inspection Mode.

D.

In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

Buy Now
Questions 16

Which two statements describe how IPsec phase 1 main mode id different from aggressive mode when performing IKE negotiation? (Choose two.)

Options:

A.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

B.

XAuth is enabled as an additional level of authentication, which requires a username and password.

C.

Three packets are exchanged between an initiator and a responder instead of six packets.

D.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Buy Now
Questions 17

Which action fortigate performs on the traffic that is subject to a per-IP traffic shaper of 10 Mbps?

Options:

A.

FortiGate applies traffic shaping to the original traffic direction only.

B.

FortiGate shares 10 Mbps of bandwidth equally among all source IP addresses.

RIAS

C.

Fortigate limits each source ip address to a maximum bandwidth of 10 Mbps.

D.

FortiGate guarantees a minimum of 10 Mbps of bandwidth to each source IP address.

Buy Now
Questions 18

Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)

Options:

A.

Encapsulating Security Payload (ESP)

B.

Secure Shell (SSH)

C.

Internet Key Exchange (IKE)

D.

Security Association (SA)

Buy Now
Questions 19

The SD-WAN overlay template helps to prepare SD-WAN deployments. To complete the tasks performed by the SD-WAN overlay template, the administrator must perform some post-run tasks. What are three mandatory post-run tasks that must be performed? (Choose three.)

Options:

A.

Assign an sdwan_id metadata variable to each device (branch and hub).

B.

Assign a branch_id metadata variable to each branch device.

C.

Create policy packages for branch devices.

D.

Configure SD-WAN rules.

E.

Configure routing through overlay tunnels created by the SD-WAN overlay template.

Buy Now
Questions 20

Refer to the exhibit.

The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.)

Options:

A.

The reply direction of the asymmetric traffic flows from port2 to port3.

B.

The auxiliary session can be offloaded to hardware.

C.

The original direction of the symmetric traffic flows from port3 to port2.

D.

The main session cannot be offloaded to hardware.

Buy Now
Questions 21

Which are two benefits of using CLI templates in FortiManager? (Choose two.)

Options:

A.

You can reference meta fields.

B.

You can configure interfaces as SD-WAN members without having to remove references first.

C.

You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

D.

You can configure advanced CLI settings.

Buy Now
Questions 22

Which components make up the secure SD-WAN solution?

Options:

A.

Application, antivirus, and URL, and SSL inspection

B.

Datacenter, branch offices, and public cloud

C.

FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy

D.

Telephone, ISDN, and telecom network.

Buy Now
Questions 23

Refer to the exhibit.

In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling theanti-replaysetting on the hubs?

Options:

A.

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

B.

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

C.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

D.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

Buy Now
Questions 24

Which two statements describe how IPsec phase 1 main mode is different from aggressive mode when performing IKE negotiation? (Choose two )

Options:

A.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

B.

XAuth is enabled as an additional level of authentication, which requires a username and password.

C.

A total of six packets are exchanged between an initiator and a responder instead of three packets.

D.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Buy Now
Questions 25

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.

When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.

Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

Options:

A.

Enable auxiliary-session under config system settings.

B.

Disable tсp-session-without-syn under config system settings.

C.

Enable snat-route-change under config system global.

D.

Disable allow-subnet-overlap under config system settings.

Buy Now
Questions 26

Which two tasks are part of using central VPN management? (Choose two.)

Options:

A.

You can configure full mesh, star, and dial-up VPN topologies.

B.

You must enable VPN zones for SD-WAN deployments.

C.

FortiManager installs VPN settings on both managed and external gateways.

D.

You configure VPN communities to define common IPsec settings shared by all VPN gateways.

Buy Now
Questions 27

Refer to the exhibit.

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?

Options:

A.

The type of traffic defined and allowed on firewall policy ID 1 is UDP.

B.

FortiGate has terminated the session after a change on policy ID 1.

C.

Changes have been made on firewall policy ID 1 on FortiGate.

D.

Firewall policy ID 1 has source NAT disabled.

Buy Now
Questions 28

Refer to the exhibit.

The exhibit shows output of the command diagnose 3vg sdwan service collected on a FortiGate device.

The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HO servers 10.0.0.1.

Based on the exhibits, which two statements are correct? (Choose two.)

Options:

A.

When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

B.

FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

C.

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.

D.

FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

Buy Now
Questions 29

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

Options:

A.

get router info routing-table all

B.

diagnose debug application ike

C.

diagnose vpn tunnel list

D.

get ipsec tunnel list

Buy Now
Exam Code: NSE7_SDW-7.2
Exam Name: Fortinet NSE 7 - SD-WAN 7.2
Last Update: Feb 22, 2025
Questions: 99
NSE7_SDW-7.2 pdf

NSE7_SDW-7.2 PDF

$25.5  $84.99
 Add to Cart
NSE7_SDW-7.2 Engine

NSE7_SDW-7.2 Testing Engine

$30  $99.99
 Add to Cart
NSE7_SDW-7.2 PDF + Engine

NSE7_SDW-7.2 PDF + Testing Engine

$40.5  $134.99
 Add to Cart