NSE7_SDW-7.2 Sample Questions Answers

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

It is a hub device. It can send ADVPN shortcut offers.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. The subnet range is 10.10.128.0/23.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.

It is a hub device and will automatically discover the spoke devices that are in the SD-WAN topology.

Assign an sdwan_id metadata variable to each device (branch and hub).

Assign a branch_id metadata variable to each branch device.

Create policy packages for branch devices.

Configure SD-WAN rules.

Configure routing through overlay tunnels created by the SD-WAN overlay template.

All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

Packet duplication can leverage multiple IPsec overlays for sending additional data.

Packet duplication does not require a route to the destination.

Packet duplication supports hardware offloading.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

It improves SD-WAN performance on the managed FortiGate devices.

It sends probe signals as health checks to the beacon servers on behalf of FortiGate.

It acts as a policy compliance entity to review all managed FortiGate devices.

It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

hold-down-time

link-down-failover

auto-discovery-shortcuts

idle-timeout

On the hubs,auto-discovery-sendermust be enabled on the IPsec VPNs to spokes.

On the spokes,auto-discovery-receivermust be enabled on the IPsec VPN to the hub.

auto-discovery-forwardermust be enabled on all IPsec VPNs.

On the hubs,net-devicemust be enabled on all IPsec VPNs.

Enable auxiliary-session under config system settings.

Disable tсp-session-without-syn under config system settings.

Enable snat-route-change under config system global.

Disable allow-subnet-overlap under config system settings.

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

FortiGate does not install IPsec static routes for remote protected networks in the routing table.

The phase 1 configuration supports the network-overlay setting.

FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

Dead peer detection is disabled.

It provides the benefits of a full-mesh topology in a hub-and-spoke network.

It provides direct connectivity between spokes by creating shortcuts.

It enables spokes to bypass the hub during shortcut negotiation.

It enables spokes to establish shortcuts to third-party gateways.

It ensures consistent settings between phase1 and phase2.

It guides the administrator to use Fortinet recommended settings.

It automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

The objects are saved in the ADOM common object database.

It does not support meta fields.

It uses templates to configure SD-WAN on managed devices.

It supports normalized interfaces for SD-WAN member configuration.

You can apply a system template and a CLI template to the same FortiGate device.

A CLI template can be of type CLI script or Perl script.

A template group can include a system template and an SD-WAN template.

A template group can contain CLI templates of both types.

Templates are applied in order, from top to bottom.

Create dynamic mapping for the LAN interface for all devices in the installation target list.

Use a metadata variable instead of a dynamic interface to define the firewall policy.

Dynamic mapping should be done automatically. Review the LAN interface configuration for branch2_fgt.

Policies can refer to only one LAN source interface. Keep only the D-LAN, which is the dynamic LAN interface.

FortiGate flushes all sessions.

FortiGate terminates the old sessions.

FortiGate does not change existing sessions.

FortiGate evaluates new sessions.

The FortiGate cloud key has not been added to the FortiGate cloud portal.

FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager

The zero-touch provisioning process has completed internally, behind FortiGate.

FortiGate has obtained a configuration from the platform template in FortiGate cloud.

A factory reset performed on FortiGate.

An SD-WAN zone can contain only one type of interface.

An SD-WAN zone can contain between 0 and 512 members.

You cannot use an SD-WAN zone in static route definitions.

You can configure up to 32 SD-WAN zones per VDOM.

diagnose sys sdwan zone

diagnose sys sdwan service

diagnose sys sdwan member

diagnose sys sdwan interface

This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.

Two hubs,10.0.1.101and10.0.2.101, are receiving and forwarding queries between each other.

This is a hub that has received a query from a spoke and has forwarded it to another spoke.

Two spokes,192.2.0.1and10.0.2.101, forward their queries to their hubs.

Each region has its own SD-WAN topology

It is not compatible with ADVPN.

Regions must correspond to geographical areas.

Routing between the hub and spokes must be BGP.

The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.

By default, local-out traffic does not use SD-WAN.

By default, FortiGate does not check if the selected member has a valid route to the destination.

You must configure each local-out feature individually, to use SD-WAN.

In the dc1-lan-rm route map configuration, set set-route-tag to 10.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

In the dc1-lan-rm route map configuration, unset match-community.

In the BGP neighbor configuration, apply the route map dc1-lan-rm in the outbound direction.

Encapsulating Security Payload (ESP)

Secure Shell (SSH)

Internet Key Exchange (IKE)

Security Association (SA)