Fortinet NSE7_SDW-7.2 Exam Practice Test Instant Access

Question 1

Refer to the exhibits.

Exhibit A shows two IPsec templates to define Branch_IPsec_1 and Branch_IPsec_2. Each template defines a VPN tunnel.

Exhibit B shows the error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device.

Which statement best explain the cause for this issue?

AYou can assign only one template with a tunnel of fype static to each FortiGate device

BYou can define only one IPsec tunnel from branch devices to HUB1.

CYou can assign only one IPsec template to each FortiGate device.

DYou should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.

Answer : C

The error message in Exhibit B indicates a conflicting template assignment. This occurs because FortiManager does not allow the assignment of multiple IPsec templates that define VPN tunnels with the same name or settings to the same FortiGate device. The conflict arises from trying to assign a second IPsec template to a device that already has one assigned. Reference: This is based on Fortinet's best practices and administrative guidelines which state that each FortiGate device should be assigned a unique IPsec template to avoid configuration conflicts.

Question 2

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups.

Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

ALondon generates an IKE information message that contains the Toronto public IP address.

BTraffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.

CToronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.

DThe first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Answer : B, D

Question 3

Exhibit.

The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.)

AThe health-check VPN_PING orders the members according to the lowest jitter.

BThe interface T_INET_1 missed one SLA target.

CThere is no SLA criteria configured for the health-check Level3_DNS.

DThe interface T_INET_0 missed three SLA targets.

Answer : A, C

According to theFortiGate / FortiOS 6.4.2 Administration Guide, the health check status command displays the status of the health check probes for each SD-WAN member interface. The output includes the following information:

state: the current state of the interface, either alive or dead

packet-loss: the percentage of packets lost during the health check

latency: the average round-trip time in milliseconds

jitter: the variation in latency

mos: the mean opinion score, a measure of voice quality

bandwidth: the available bandwidth in kilobits per second for each direction (up, down, bi)

sla map: a bitmap that indicates which SLA criteria are met or failed

Based on the exhibit, the following statements are correct:

The health-check VPN_PING orders the members according to the lowest jitter.This means that the interface with the lowest jitter value is listed first, followed by the next lowest, and so on1. In the exhibit, the order is T_MPLS, T_INET_1, and T_INET_0.

There is no SLA criteria configured for the health-check Level3_DNS.This means that the health check does not use any SLA parameters to determine the state of the interface2. In the exhibit, the sla map value is 0x0 for both port1 and port2, indicating that no SLA criteria are applied.

Question 4

Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)

AThe traffic shaper drops packets if the bandwidth is less than 2500 KBps.

BThe measured bandwidth is less than 100 KBps.

CThe traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

DThe traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

Answer : B, C

Question 5

Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?

Adiagnose sys sdwan service

Bdiagnose sys sdwan route-tag-list

Cdiagnose sys sdwan member

Ddiagnose sys sdwan neighbor

Answer : A

Question 6

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status.

Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)

AThe performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

BFortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

CFortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

DNon-TCP Facebook and YouTube traffic are not used for performance measurement.

Answer : A, D

Study Guide 7.2, pages 103 - 104. Another comment said 'because without using application Control on the firewall policy, SDWAN can't work' but there is a app control 'default' defined on config.

Question 7

Refer to the exhibit.

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)

AFortiGate flushes all sessions.

BFortiGate terminates the old sessions.

CFortiGate does not change existing sessions.

DFortiGate evaluates new sessions.

Answer : C, D

FortiGate not to flag existing impacted session as dirty by setting firewall-session-dirty to check new. The results is that FortiGate evaluates only new session against the new firewall policy.

Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test