Fortinet NSE7_SDW-7.2 Exam Practice Test Instant Access

Question 1

What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in an hub-and-spoke topology? (Choose two.)

AIt ensures consistent settings between phase1 and phase2.

BIt guides the administrator to use Fortinet recommended settings.

CIt automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

DThe VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

Answer : A, B

The use of an IPsec recommended template offers the advantage of ensuring consistent settings between phase1 and phase2 (A), which is essential for the stability and security of the IPsec tunnel. Additionally, it guides the administrator to use Fortinet's recommended settings (B), which are designed to optimize performance and security based on Fortinet's best practices. Reference: The benefits of using IPsec recommended templates are outlined in Fortinet's SD-WAN documentation, which emphasizes the importance of consistency and adherence to recommended configurations.

Question 2

Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth?

AInterface-based shaping mode

BReverse-policy shaping mode

CShared-policy shaping mode

DPer-IP shaping mode

Answer : A

Interface-based shaping goes further, enabling traffic controls based on percentage of the interface bandwidth.

Question 3

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status.

If port2 is detected dead by FortiGate, what is the expected behavior?

APort2 becomes alive after three successful probes are detected.

BFortiGate removes all static routes for port2.

CThe administrator manually restores the static routes for port2, if port2 becomes alive.

DHost 8.8.8.8 is reachable through port1 and port2.

Answer : B

This is due to Update static route is enable which removes the static route entry referencing the interface if the interface is dead

Question 4

Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke.

What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?

AYou must set ike-version to 1.

BYou must enable net-device.

CYou must enable auto-discovery-sender.

DYou must disable idle-timeout.

Answer : B

Question 5

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.

The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.

Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?

ADestination internet service must be enabled on the traffic shaping policy.

BApplication control must be enabled on the firewall policy.

CWeb filtering must be enabled on the firewall policy.

DIndividual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Answer : B

Question 6

Exhibit.

Which conclusion about the packet debug flow output is correct?

AThe total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

BThe packet size exceeded the outgoing interface MTU.

CThe number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

DThe number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Answer : C

In a Per-IP shaper configuration, if an IP address exceeds the configured concurrent session limit, the message 'Denied by quota check' appears. SD-WAN 7.0 Study Guide page 287

Question 7

Which two statements about SD-WAN central management are true? (Choose two.)

AThe objects are saved in the ADOM common object database.

BIt does not support meta fields.

CIt uses templates to configure SD-WAN on managed devices.

DIt supports normalized interfaces for SD-WAN member configuration.

Answer : A, C

Normalized interfaces are not supported for SD-WAN templates. You can create multiple SD-WAN zones and add interface members to the SD-WAN zones. You must bind the interface members by name to physical interfaces or VPN interfaces.https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-new-features/794804/new-sd-wan-template-fmg

Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test