It is faster and easier to pass the Fortinet NSE7_SDW-7.2 exam by using high-value Fortinet NSE 7 - SD-WAN 7.2 questions and answers. Get immediate access to the updated NSE7_SDW-7.2 exam and find the same core-area NSE7_SDW-7.2 questions with professionally verified answers, then pass your exam with a high score now.

Free demo questions for Fortinet NSE7_SDW-7.2 Exam Dumps Below:

NEW QUESTION 1
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.
NSE7_SDW-7.2 dumps exhibit
Based on the exhibit, which statement is true?

  • A. You can delete the virtual-wan-link zone because it contains no member.
  • B. The corporate zone contains no member.
  • C. You can move port1 from the underlay zone to the overlay zone.
  • D. The overlay zone contains four members.

Answer: B

Explanation:
Based on the exhibit, the "corporate" zone contains no member (B). In the FortiGate GUI, zones without members do not display any interfaces listed under them, which is the case for the corporate zone in the exhibit. References: This conclusion is based on standard Fortinet GUI interpretation and the operational logic of SD-WAN zones as per Fortinet's guidelines and user interface standards.

NEW QUESTION 2
Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

  • A. get router info routing-table all
  • B. diagnose debug application ike
  • C. diagnose vpn tunnel list
  • D. get ipsec tunnel list

Answer: B

Explanation:
IKE real-time debug - useful when debugging ADVPN shortcut messages and spoke-to-spoke negotiations.
• diagnose debug console timestamp enable
• diagnose vpn ike log filter clear
• diagnose vpn ike log filter mdst-addr4 <ip.of.hub> <ip.of.spoke>
• diagnose debug application ike -1
• diagnose debug enable

NEW QUESTION 3
Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke.
NSE7_SDW-7.2 dumps exhibit
What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?

  • A. You must set ike-version to 1.
  • B. You must enable net-device.
  • C. You must enable auto-discovery-sender.
  • D. You must disable idle-timeout.

Answer: B

NEW QUESTION 4
Refer to the exhibits.
Exhibit A
NSE7_SDW-7.2 dumps exhibit
Exhibit B -
NSE7_SDW-7.2 dumps exhibit
Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing table, and the member status.
The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule.
Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule?

  • A. The traffic will be load balanced across all three overlays.
  • B. The traffic will be routed over T_INET_0_0.
  • C. The traffic will be routed over T_MPLS_0.
  • D. The traffic will be routed over T_INET_1_0.

Answer: C

NEW QUESTION 5
Exhibit.
NSE7_SDW-7.2 dumps exhibit
The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?

  • A. There are no IPsec tunnel statistics log messages for ADVPN cuts.
  • B. There is one shortcut tunnel built from master tunnel T_MPLS_0.
  • C. The VPN tunnel T_MPLS_0 is a shortcut tunnel.
  • D. The master tunnel T_INET_0 cannot accept the ADVPN shortcut.

Answer: B

Explanation:
VPN event logs record the status of VPN tunnels, such as the establishment, termination, or failure of a tunnel. The output includes the following information:
• logid: the log ID number
• type: the log type, either traffic or event
• subtype: the log subtype, either vpn or ipsec
• level: the log level, either error, warning, or notice
• vd: the virtual domain name
• logdesc: the log description
• msg: the log message
• action: the log action, such as tunnel-up, tunnel-down, or tunnel-stats
• remip: the remote IP address
• locip: the local IP address
• remport: the remote port number
• locport: the local port number
• outintf: the outgoing interface name
• cookies: the IKE SA cookies
• user: the user name
• group: the user group name
• useralt: the alternative user name
• xauthuser: the XAuth user name
• authgroup: the XAuth user group name
• assignip: the assigned IP address
• vpntunnel: the VPN tunnel name
• tunnellip: the tunnel loopback IP address
• tunnelid: the tunnel ID number
• tunneltype: the tunnel type, either ipsec or ssl
• duration: the tunnel duration in seconds
• sentbyte: the number of bytes sent
• rcvdbyte: the number of bytes received
• nextstat: the next statistics interval in seconds
• advpnsc: the ADVPN shortcut flag, either 0 or 1

Based on the exhibit, the following statement is true:
• There is one shortcut tunnel built from master tunnel T_MPLS_0. This means that the VPN tunnel T_MPLS_0 is a master tunnel that can send ADVPN shortcut offers to other spokes, and the VPN tunnel T_MPLS_0_0 is a shortcut tunnel that is built from the master tunnel T_MPLS_0. In the exhibit, the log action for T_MPLS_0 is tunnel-up, and the log action for T_MPLS_0_0 is shortcut-up. The advpnsc flag for T_MPLS_0 is 0, indicating that it is not a shortcut tunnel, while the advpnsc flag for T_MPLS_0_0 is 1, indicating that it is a shortcut tunnel.

NEW QUESTION 6
Which two interfaces are considered overlay links? (Choose two.)

  • A. LAG
  • B. IPsec
  • C. Physical
  • D. GRE

Answer: BD

NEW QUESTION 7
Refer to the exhibit.
NSE7_SDW-7.2 dumps exhibit
Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used to select an outgoing interface in an SD-WAN rule? (Choose two.)

  • A. Set priority 10.
  • B. Set cost 15.
  • C. Set load-balance-mode source-ip-ip-based.
  • D. Set source 100.64.1.1.

Answer: AB

NEW QUESTION 8
Which action does FortiGate perform on traffic that is subject to a per-IP traffic shaper of 10 Mbps?

  • A. FortiGate applies traffic shaping to the original traffic direction only.
  • B. FortiGate shares 10 Mbps of bandwidth equally among all source IP addresses.
  • C. FortiGate limits each source IP address to a maximum bandwidth of 10 Mbps.
  • D. FortiGate guarantees a minimum of 10 Mbps of bandwidth to each source IP address.

Answer: C

NEW QUESTION 9
Refer to the exhibits. Exhibit A -
NSE7_SDW-7.2 dumps exhibit
Exhibit B -
NSE7_SDW-7.2 dumps exhibit
Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.
The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.
Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?

  • A. Destination internet service must be enabled on the traffic shaping policy.
  • B. Application control must be enabled on the firewall policy.
  • C. Web filtering must be enabled on the firewall policy.
  • D. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Answer: C

NEW QUESTION 10
Refer to the exhibit.
NSE7_SDW-7.2 dumps exhibit
Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)

  • A. After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.
  • B. During passive monitoring, FortiGate can’t detect dead members.
  • C. FortiGate can offload the traffic that is subject to passive monitoring to hardware.
  • D. FortiGate passively monitors the member if TCP traffic is passing through the member.

Answer: BD

NEW QUESTION 11
Refer to the exhibit.
NSE7_SDW-7.2 dumps exhibit
Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)

  • A. FortiGate flushes all sessions.
  • B. FortiGate terminates the old sessions.
  • C. FortiGate does not change existing sessions.
  • D. FortiGate evaluates new sessions.

Answer: CD

Explanation:
Setting firewall-session-dirty to check-new tells FortiGate not to flag existing impacted sessions as dirty. The result is that FortiGate evaluates only new sessions against the new firewall policy.

NEW QUESTION 12
The administrator uses the FortiManager SD-WAN overlay template to prepare an SD-WAN deployment. With information provided through the SD-WAN overlay template wizard, FortiManager creates templates ready to install on spoke and hub devices.
Select three templates created by the SD-WAN overlay template for a spoke device. (Choose three.)

  • A. System template
  • B. BGP template
  • C. IPsec tunnel template
  • D. CLI template
  • E. Overlay template

Answer: ACE

Explanation:
In a FortiManager SD-WAN overlay template configuration for a spoke device, the system template (A) is created to provide basic device settings. The IPsec tunnel template (C) is generated to establish secure tunnels between the spoke and the hub devices. Lastly, the overlay template (E) is configured to specify the overlay network settings, which often include the SD-WAN rules and performance SLAs.

NEW QUESTION 13
Which components make up the secure SD-WAN solution?

  • A. Application, antivirus, and URL, and SSL inspection
  • B. Datacenter, branch offices, and public cloud
  • C. FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy
  • D. Telephone, ISDN, and telecom network.

Answer: C

NEW QUESTION 14
Exhibit.
NSE7_SDW-7.2 dumps exhibit
The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.)

  • A. The health-check VPN_PING orders the members according to the lowest jitter.
  • B. The interface T_INET_1 missed one SLA target.
  • C. There is no SLA criteria configured for the health-check Level3_DNS.
  • D. The interface T_INET_0 missed three SLA targets.

Answer: AC

Explanation:
According to the FortiGate / FortiOS 6.4.2 Administration Guide, the health check status command displays the status of the health check probes for each SD-WAN member interface. The output includes the following information:
• state: the current state of the interface, either alive or dead
• packet-loss: the percentage of packets lost during the health check
• latency: the average round-trip time in milliseconds
• jitter: the variation in latency
• mos: the mean opinion score, a measure of voice quality
• bandwidth: the available bandwidth in kilobits per second for each direction (up, down, bi)
• sla map: a bitmap that indicates which SLA criteria are met or failed

Based on the exhibit, the following statements are correct:
• The health-check VPN_PING orders the members according to the lowest jitter. This means that the interface with the lowest jitter value is listed first, followed by the next lowest, and so on. In the exhibit, the order is T_MPLS, T_INET_1, and T_INET_0.
• There is no SLA criteria configured for the health-check Level3_DNS. This means that the health check does not use any SLA parameters to determine the state of the interface. In the exhibit, the sla map value is 0x0 for both port1 and port2, indicating that no SLA criteria are applied.

NEW QUESTION 15
Which are three key routing principles in SD-WAN? (Choose three.)

  • A. FortiGate performs route lookups for new sessions only.
  • B. Regular policy routes have precedence over SD-WAN rules.
  • C. SD-WAN rules have precedence over ISDB routes.
  • D. By default, SD-WAN members are skipped if they do not have a valid route to the destination.
  • E. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

Answer: BDE

Explanation:
Study Guide 7.2, pages 125, 129, 151

NEW QUESTION 16
Refer to the Exhibits:
NSE7_SDW-7.2 dumps exhibit
Exhibit A shows the SD-WAN performance SLA and exhibit B shows the health of the participating SD-WAN members.
Based on the exhibits, which statement is correct?

  • A. The dead member interface stays unavailable until an administrator manually brings the interface back.
  • B. Port2 needs to wait 500 milliseconds to change the status from alive to dead.
  • C. Static routes using port2 are active in the routing table.
  • D. FortiGate has not received three consecutive requests from the SLA server configured for port2.

Answer: C

NEW QUESTION 17
What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in a hub-and-spoke topology? (Choose two.)

  • A. It ensures consistent settings between phase1 and phase2.
  • B. It guides the administrator to use Fortinet recommended settings.
  • C. It automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.
  • D. The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

Answer: AB

Explanation:
The use of an IPsec recommended template offers the advantage of ensuring consistent settings between phase1 and phase2 (A), which is essential for the stability and security of the IPsec tunnel. Additionally, it guides the administrator to use Fortinet's recommended settings (B), which are designed to optimize performance and security based on Fortinet's best practices. References: The benefits of using IPsec recommended templates are outlined in Fortinet's SD-WAN documentation, which emphasizes the importance of consistency and adherence to recommended configurations.

NEW QUESTION 18
What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.)

  • A. The ISDB is dynamically updated and reduces administrative overhead.
  • B. The ISDB requires application control to maintain signatures and perform load balancing.
  • C. The ISDB applies rules to traffic from specific sources, based on application type.
  • D. The ISDB contains the IP addresses and port ranges of well-known internet services.

Answer: AD

NEW QUESTION 19
Which two statements about the SD-WAN zone configuration are true? (Choose two.)

  • A. The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.
  • B. You can delete the default zones.
  • C. The default zones are virtual-wan-link and SASE.
  • D. An SD-WAN member can belong to two or more zones.

Answer: AC

NEW QUESTION 20
Refer to the exhibit.
NSE7_SDW-7.2 dumps exhibit
The device exchanges routes using IBGP.
Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)

  • A. Each BGP route is three hops away from the destination.
  • B. ibgp-multipath is disabled.
  • C. additional-path is enabled.
  • D. You can run the get router info routing-table database command to display the additional paths.

Answer: CD
