NSE7_SDW-7.2 Questions and Answers

The sdwan_service_id flag in the session information is 0.

All SD-WAN rules have the default setting enabled.

Traffic does not match any of the entries in the policy route table.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Each BGP route is three hops away from the destination.

ibgp-multipath is disabled.

additional-path is enabled.

You can run the get router info routing-table database command to display the additional paths.

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

The measured bandwidth is less than 100 KBps.

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

diagnose sys sdwan zone

diagnose sys sdwan service

diagnose sys sdwan member

diagnose sys sdwan interface

diagnose sys sdwan neighbor

FortiGate bounces port5 after it detects all SD-WAN members as dead.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

FortiGate brings down port5 after it detects all SD-WAN members as dead.

It provides the benefits of a full-mesh topology in a hub-and-spoke network.

It provides direct connectivity between spokes by creating shortcuts.

It enables spokes to bypass the hub during shortcut negotiation.

It enables spokes to establish shortcuts to third-party gateways.

To indicate the routes for health check probes.

To indicate the destination of a rule based on learned BGP prefixes.

To indicate the routes that can be used for routing SD-WAN traffic.

To indicate the members that can be used to route SD-WAN traffic.

Specify a unique peer ID for each dial-up VPN interface.

Use different proposals are used between the interfaces.

Configure the IKE mode to be aggressive mode.

Use unique Diffie Hellman groups on each VPN interface.

LAG

IPsec

Physical

GRE

Encapsulating Security Payload (ESP)

Secure Shell (SSH)

Internet Key Exchange (IKE)

Security Association (SA)

type must be set to static.

mode-cfg must be enabled.

exchange-interface-ip must be enabled.

add-route must be disabled.

It does not allow you to monitor the status of SD-WAN members.

It is enabled or disabled on a per-ADOM basis.

It is enabled by default.

It uses templates to configure SD-WAN on managed devices.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

A total of six packets are exchanged between an initiator and a responder instead of three packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.

FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.

SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.

Member metrics are measured only if an SLA target is configured.

Set priority 10.

Set cost 15.

Set load-balance-mode source-ip-ip-based.

Set source 100.64.1.1.

An SD-WAN zone can contain only one type of interface.

An SD-WAN zone can contain between 0 and 512 members.

You cannot use an SD-WAN zone in static route definitions.

You can configure up to 32 SD-WAN zones per VDOM.

Traffic has matched none of the FortiGate policy routes.

Matched traffic failed RPF and was caught by the rule.

The FIB lookup resolved interface was the SD-WAN interface.

An absolute SD-WAN rule was defined and matched traffic.

On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.

On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.

auto-discovery-forwarder must be enabled on all IPsec VPNs.

On the hubs, net-device must be enabled on all IPsec VPNs.

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Non-TCP Facebook and YouTube traffic are not used for performance measurement.

FortiGate updated the outgoing interface list on the rule so it prefers port2.

Port2 has the highest member priority.

Port2 has a lower latency than port1.

SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.

You can delete the default zones.

The default zones are virtual-wan-link and SASE.

An SD-WAN member can belong to two or more zones.