NSE7_SDW-7.2 Exam Questions

Total 91 Questions

Last Updated Exam : 16-Dec-2024

Which two statements describe how IPsec phase 1 main mode is different from aggressive mode when performing IKE negotiation? (Choose two.)

A. A peer ID is included in the first packet from the initiator, along with suggested security policies.
B. XAuth is enabled as an additional level of authentication, which requires a username and password.
C. A total of six packets are exchanged between an initiator and a responder instead of three packets.
D. The use of Diffie-Hellman keys is limited by the responder and needs initiator acceptance.

Answer:
B. XAuth is enabled as an additional level of authentication, which requires a username and password.
C. A total of six packets are exchanged between an initiator and a responder instead of three packets.

Which two statements about the SD-WAN zone configuration are true? (Choose two.)

A. The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.
B. You can delete the default zones.
C. The default zones are virtual-wan-link and SASE.
D. An SD-WAN member can belong to two or more zones.

Answer:
A. The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.
C. The default zones are virtual-wan-link and SASE.

Which are two benefits of using CLI templates in FortiManager? (Choose two.)

A. You can reference meta fields.
B. You can configure interfaces as SD-WAN members without having to remove references first.
C. You can configure FortiManager to sync local configuration changes made on the managed device to the CLI template.
D. You can configure advanced CLI settings.

Answer:
A. You can reference meta fields.
D. You can configure advanced CLI settings.

Refer to the exhibits.

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A. After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1. Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

A. FortiGate did not refresh the routing information on the session after the application was detected.
B. Port1 and port2 do not have a valid route to the destination.
C. Full SSL inspection is not enabled on the matching firewall policy.
D. The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Answer:
B. Port1 and port2 do not have a valid route to the destination.
C. Full SSL inspection is not enabled on the matching firewall policy.

Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.)

A. FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.
B. By default, local-out traffic does not use SD-WAN.
C. By default, FortiGate does not check if the selected member has a valid route to the destination.
D. You must configure each local-out feature individually to use SD-WAN.

Answer:
B. By default, local-out traffic does not use SD-WAN.
D. You must configure each local-out feature individually to use SD-WAN.

Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member?

A. When all three members have the same packet loss.
B. When T_INET_0_0 has 4% packet loss.
C. When T_INET_0_0 has 12% packet loss.
D. When T_INET_1_0 has 4% packet loss.

Answer:
D. When T_INET_1_0 has 4% packet loss.

Refer to the exhibit.

The exhibit shows the output of the command diagnose sys sdwan health-check status collected on a FortiGate device. Which two statements are correct about the health check status on this FortiGate device? (Choose two.)

A. The health-check VPN_PING orders the members according to the lowest jitter.
B. The interface T_INET_1 missed one SLA target.
C. There are no SLA criteria configured for the health-check Level3_DNS.
D. The interface T_INET_0 missed three SLA targets.

Answer:
A. The health-check VPN_PING orders the members according to the lowest jitter.
C. There are no SLA criteria configured for the health-check Level3_DNS.

Explanation:

According to the FortiGate / FortiOS 6.4.2 Administration Guide, the health check status command displays the status of the health check probes for each SD-WAN member interface.

The output includes the following information:

State: the current state of the interface, either alive or dead
Packet-loss: the percentage of packets lost during the health check
Latency: the average round-trip time in milliseconds
Jitter: the variation in latency
Mos: the mean opinion score, a measure of voice quality
Bandwidth: the available bandwidth in kilobits per second for each direction (up, down, bi)
Sla map: a bitmap that indicates which SLA criteria are met or failed

Based on the exhibit, the following statements are correct:

The health-check VPN_PING orders the members according to the lowest jitter. This means that the interface with the lowest jitter value is listed first, followed by the next lowest, and so on. In the exhibit, the order is T_MPLS, T_INET_1, and T_INET_0.

There are no SLA criteria configured for the health-check Level3_DNS. This means that the health check does not use any SLA parameters to determine the state of the interface. In the exhibit, the sla map value is 0x0 for both port1 and port2, indicating that no SLA criteria are applied.

Which two statements about SD-WAN central management are true? (Choose two.)

A. It does not allow you to monitor the status of SD-WAN members.
B. It is enabled or disabled on a per-ADOM basis.
C. It is enabled by default.
D. It uses templates to configure SD-WAN on managed devices.

Answer:
B. It is enabled or disabled on a per-ADOM basis.
D. It uses templates to configure SD-WAN on managed devices.

What does enabling the exchange-interface-ip setting enable FortiGate devices to exchange?

A. The gateway address of their IPsec interfaces
B. The tunnel ID of their IPsec interfaces
C. The IP address of their IPsec interfaces
D. The name of their IPsec interfaces

Answer:
C. The IP address of their IPsec interfaces

Refer to the exhibit.

Which statement explains the output shown in the exhibit?

A. FortiGate performed standard FIB routing on the session.
B. FortiGate will not re-evaluate the session following a firewall policy change.
C. FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.
D. FortiGate must re-evaluate the session due to routing change.

Answer:
D. FortiGate must re-evaluate the session due to routing change.

Explanation:

The snat-route-change option is enabled by default. This option enables FortiGate to re-evaluate the routing table and select a new egress interface if the next hop IP address changes. This option only applies to sessions in the dirty state. Sessions in the log state are not affected by routing changes.
