Practice Free NSE7_SDW-7.2 Exam Online Questions
Refer to the exhibits.
Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.
The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.
Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)
- A . On the receiver FortiGate, packet-de-duplication is enabled.
- B . The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.
- C . The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.
- D . On the sender FortiGate, duplication-max-num is set to 3.
What is a benefit of using application steering in SD-WAN?
- A . The traffic always skips the regular policy routes.
- B . You steer traffic based on the detected application.
- C . You do not need to enable SSL inspection.
- D . You do not need to configure firewall policies that accept the SD-WAN traffic.
Which FortiGate feature is used to dynamically choose the best WAN path for traffic?
- A . Routing Information Protocol
- B . Session Initiation Protocol
- C . SD-WAN
- D . Virtual LAN
Exhibit.
The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device.
Which two statements are correct about the health check status on this FortiGate device? (Choose two.)
- A . The health-check VPN_PING orders the members according to the lowest jitter.
- B . The interface T_INET_1 missed one SLA target.
- C . There is no SLA criteria configured for the health-check Level3_DNS.
- D . The interface T_INET_0 missed three SLA targets.
AC
Explanation:
According to the FortiGate / FortiOS 6.4.2 Administration Guide, the health check status command displays the status of the health check probes for each SD-WAN member interface.
The output includes the following information:
state: the current state of the interface, either alive or dead
packet-loss: the percentage of packets lost during the health check
latency: the average round-trip time in milliseconds
jitter: the variation in latency
mos: the mean opinion score, a measure of voice quality
bandwidth: the available bandwidth in kilobits per second for each direction (up, down, bi)
sla map: a bitmap that indicates which SLA criteria are met or failed
Based on the exhibit, the following statements are correct:
The health-check VPN_PING orders the members according to the lowest jitter. This means that the interface with the lowest jitter value is listed first, followed by the next lowest, and so on. In the exhibit, the order is T_MPLS, T_INET_1, and T_INET_0.
There is no SLA criteria configured for the health-check Level3_DNS. This means that the health check does not use any SLA parameters to determine the state of the interface. In the exhibit, the sla map value is 0x0 for both port1 and port2, indicating that no SLA criteria are applied.
Which two statements about the SD-WAN members are true? (Choose two.)
- A . You can manually define the SD-WAN members sequence number.
- B . Interfaces of type virtual wire pair can be used as SD-WAN members.
- C . Interfaces of type VLAN can be used as SD-WAN members.
- D . An SD-WAN member can belong to two or more SD-WAN zones.
AC
Explanation:
SD-WAN members can be manually ordered by changing their sequence number (A), which allows administrators to prioritize the interfaces according to the routing requirements. Also, VLAN interfaces can be used as SD-WAN members (C), providing flexibility in network design and the use of existing VLAN infrastructure within the SD-WAN setup.
Exhibit.
The exhibit shows VPN event logs on FortiGate.
In the output shown in the exhibit, which statement is true?
- A . There are no IPsec tunnel statistics log messages for ADVPN shortcuts.
- B . There is one shortcut tunnel built from master tunnel T_MPLS_0.
- C . The VPN tunnel T_MPLS_0 is a shortcut tunnel.
- D . The master tunnel T_INET_0 cannot accept the ADVPN shortcut.
B
Explanation:
VPN event logs record the status of VPN tunnels, such as the establishment, termination, or failure of a tunnel.
The output includes the following information:
logid: the log ID number
type: the log type, either traffic or event
subtype: the log subtype, either vpn or ipsec
level: the log level, either error, warning, or notice
vd: the virtual domain name
logdesc: the log description
msg: the log message
action: the log action, such as tunnel-up, tunnel-down, or tunnel-stats
remip: the remote IP address
locip: the local IP address
remport: the remote port number
locport: the local port number
outintf: the outgoing interface name
cookies: the IKE SA cookies
user: the user name
group: the user group name
useralt: the alternative user name
xauthuser: the XAuth user name
authgroup: the XAuth user group name
assignip: the assigned IP address
vpntunnel: the VPN tunnel name
tunnelip: the tunnel loopback IP address
tunnelid: the tunnel ID number
tunneltype: the tunnel type, either ipsec or ssl
duration: the tunnel duration in seconds
sentbyte: the number of bytes sent
rcvdbyte: the number of bytes received
nextstat: the next statistics interval in seconds
advpnsc: the ADVPN shortcut flag, either 0 or 1
Based on the exhibit, the following statement is true:
There is one shortcut tunnel built from master tunnel T_MPLS_0. This means that the VPN tunnel T_MPLS_0 is a master tunnel that can send ADVPN shortcut offers to other spokes, and the VPN tunnel T_MPLS_0_0 is a shortcut tunnel that is built from the master tunnel T_MPLS_0. In the exhibit, the log action for T_MPLS_0 is tunnel-up, and the log action for T_MPLS_0_0 is shortcut-up. The advpnsc flag for T_MPLS_0 is 0, indicating that it is not a shortcut tunnel, while the advpnsc flag for T_MPLS_0_0 is 1, indicating that it is a shortcut tunnel.
Which two statements describe how IPsec phase 1 main mode is different from aggressive mode when performing IKE negotiation? (Choose two.)
- A . A peer ID is included in the first packet from the initiator, along with suggested security policies.
- B . XAuth is enabled as an additional level of authentication, which requires a username and password.
- C . Three packets are exchanged between an initiator and a responder instead of six packets.
- D . The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.
Refer to the exhibit.
Exhibit A shows the firewall policy and exhibit B shows the traffic shaping policy.
The traffic shaping policy is being applied to all outbound traffic; however, inbound traffic is not being evaluated by the shaping policy.
Based on the exhibits, what configuration change must be made in which policy so that traffic shaping can be applied to inbound traffic?
- A . Create a new firewall policy, and then select the SD-WAN zone as Incoming Interface.
- B . In the traffic shaping policy, select Assign Shaping Class ID as Action.
- C . In the firewall policy, select Proxy-based as Inspection Mode.
- D . In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.
Refer to the exhibit.
Based on the output, which two conclusions are true? (Choose two.)
- A . There is more than one SD-WAN rule configured.
- B . The SD-WAN rules take precedence over regular policy routes.
- C . The all_rules rule represents the implicit SD-WAN rule.
- D . Entry 1(id=1) is a regular policy route.
In the default SD-WAN minimum configuration, which two statements are correct when traffic matches the default implicit SD-WAN rule? (Choose two.)
- A . Traffic has matched none of the FortiGate policy routes.
- B . Matched traffic failed RPF and was caught by the rule.
- C . The FIB lookup resolved interface was the SD-WAN interface.
- D . An absolute SD-WAN rule was defined and matched traffic.