Fortinet NSE7_SDW-7.2 Exam Questions Instant Access

Question 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.

When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.

Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

AEnable auxiliary-session under config system settings.

BDisable tp-session-without-syn under config system settings.

CEnable snat-route-change under config system global.

DDisable allow-subnet-overlap under config system settings.

Answer : A

Question 2

Exhibit.

Which conclusion about the packet debug flow output is correct?

AThe total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

BThe packet size exceeded the outgoing interface MTU.

CThe number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

DThe number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Answer : C

In a Per-IP shaper configuration, if an IP address exceeds the configured concurrent session limit, the message 'Denied by quota check' appears. SD-WAN 7.0 Study Guide page 287

Question 3

Refer to the exhibits.

Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.

Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration.

The administrator wants to steer corporate traffic using routes tags in the SD-WAN rule ID 1.

However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1.

Based on the exhibits, which configuration change is required to fix issue?

AIn the dc1-lan-rm route map configuration, set set-route-tag to 10.

BIn SD-WAN rule ID 1, change the destination to use ISDB entries.

CIn the dc1-lan-rm route map configuration, unset match-community.

DIn the BGP neighbor configuration, apply the route map dc1-lan-rm in the outbound direction.

Answer : A

Question 4

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.

The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.

Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?

ADestination internet service must be enabled on the traffic shaping policy.

BApplication control must be enabled on the firewall policy.

CWeb filtering must be enabled on the firewall policy.

DIndividual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Answer : C

Question 5

Which are two benefits of using CLI templates in FortiManager? (Choose two.)

AYou can reference meta fields.

BYou can configure interfaces as SD-WAN members without having to remove references first.

CYou can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

DYou can configure advanced CLI settings.

Answer : A, D

Question 6

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate.

Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)

AFortiGate flags the sessions as dirty.

BFortiGate continues routing the sessions with no SNAT, over port2.

CFortiGate performs a route lookup for the original traffic only.

DFortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Answer : A, D

Question 7

Which two statements describe how IPsec phase 1 main mode id different from aggressive mode when performing IKE negotiation? (Choose two.)

AA peer ID is included in the first packet from the initiator, along with suggested security policies.

BXAuth is enabled as an additional level of authentication, which requires a username and password.

CThree packets are exchanged between an initiator and a responder instead of six packets.

DThe use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Answer : A, C

Fortinet NSE 7 - SD-WAN 7.2 NSE7_SDW-7.2 Exam Questions