NSE7_SDW-7.2 Questions and Answers

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

The measured bandwidth is less than 100 KBps.

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

Assign an sdwan_id metadata variable to each device (branch and hub).

Assign a branch_id metadata variable to each branch device.

Create policy packages for branch devices.

Configure SD-WAN rules.

Configure routing through overlay tunnels created by the SD-WAN overlay template.

It does not allow you to monitor the status of SD-WAN members.

It is enabled or disabled on a per-ADOM basis.

It is enabled by default.

It uses templates to configure SD-WAN on managed devices.

get router info routing-table all

diagnose debug application ike

diagnose vpn tunnel list

get ipsec tunnel list

Routes for ADVPN shortcuts must be manually configured.

SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.

SD-WAN does not monitor the health and performance of ADVPN shortcuts.

You must use IKEv2 on IPsec tunnels.

LAG

IPsec

Physical

GRE

There is more than one SD-WAN rule configured.

The SD-WAN rules take precedence over regular policy routes.

Theall_rulesrule represents the implicit SD-WAN rule.

Entry1(id=1)is a regular policy route.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

Three packets are exchanged between an initiator and a responder instead of six packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Application, antivirus, and URL, and SSL inspection

Datacenter, branch offices, and public cloud

FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy

Telephone, ISDN, and telecom network.

London generates an IKE information message that contains the Toronto public IP address.

Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.

Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.

The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

The number of simultaneous connections among all source IP addresses cannot exceed five connections.

The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.

The number of simultaneous connections allowed for each source IP address cannot exceed five connections.

The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

Learned routes can be used as dynamic destinations in SD-WAN rules.

You must use BGP to route traffic for both overlay and underlay links.

You must configure AS path prepending.

You must use external BGP.

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Non-TCP Facebook and YouTube traffic are not used for performance measurement.

Theservice-sla-tie-breaksetting enables you to configure preferred member selection based on the best route to the destination.

You can delete the default zones.

The default zones are virtual-wan-link and SASE.

An SD-WAN member can belong to two or more zones.

The traffic always skips the regular policy routes.

You steer traffic based on the detected application.

You do not need to enable SSL inspection.

You do not need to configure firewall policies that accept the SD-WAN traffic.

You can delete the virtual-wan-link zone because it contains no member.

The corporate zone contains no member.

You can move port1 from the underlay zone to the overlay zone.

The overlay zone contains four members.

All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

Cost

Interface member

Priority

Gateway IP

FortiGate bounces port5 after it detects all SD-WAN members as dead.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

FortiGate brings down port5 after it detects all SD-WAN members as dead.

Setadditional-pathtosend

Enableroute-reflector-client

Setadvertisement-intervalto the number of additional paths to advertise

Setadv-additional-pathto the number of additional paths to advertise

Enablesoft-reconfiguration

type must be set to static.

mode-cfg must be enabled.

exchange-interface-ip must be enabled.

add-route must be disabled.

It provides the benefits of a full-mesh topology in a hub-and-spoke network.

It provides direct connectivity between spokes by creating shortcuts.

It enables spokes to bypass the hub during shortcut negotiation.

It enables spokes to establish shortcuts to third-party gateways.

Specify a unique peer ID for each dial-up VPN interface.

Use different proposals are used between the interfaces.

Configure the IKE mode to be aggressive mode.

Use unique Diffie Hellman groups on each VPN interface.

FortiGate performs route lookups for new sessions only.

Regular policy routes have precedence over SD-WAN rules.

SD-WAN rules have precedence over ISDB routes.

By default, SD-WAN members are skipped if they do not have a valid route to the destination.

By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.