Top Tips Of Down To Date NSE7_SDW-7.2 Free Download

NEW QUESTION 1
Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members?

• A. diagnose sys sdwan zone
• B. diagnose sys sdwan service
• C. diagnose sys sdwan member
• D. diagnose sys sdwan interface

Answer: C

NEW QUESTION 2
What are two benefits of choosing packet duplication over FEC for data loss correction on noisy links? (Choose two.)

• A. Packet duplication can leverage multiple IPsec overlays for sending additional data.
• B. Packet duplication does not require a route to the destination.
• C. Packet duplication supports hardware offloading.
• D. Packet duplication uses smaller parity packets which results in less bandwidth consumption.

Answer: AC

NEW QUESTION 3
Refer to the exhibits.

Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.
The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.
Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)

• A. On the receiver FortiGate, packet-de-duplication is enabled.
• B. The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.
• C. The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.
• D. On the sender FortiGate, duplication-max-num is set to 3.

Answer: AD

NEW QUESTION 4
What is the route-tag setting in an SD-WAN rule used for?

• A. To indicate the routes for health check probes.
• B. To indicate the destination of a rule based on learned BGP prefixes.
• C. To indicate the routes that can be used for routing SD-WAN traffic.
• D. To indicate the members that can be used to route SD-WAN traffic.

Answer: B

NEW QUESTION 5
Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups.\

Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

• A. London generates an IKE information message that contains the Toronto public IP address.
• B. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
• C. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
• D. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Answer: BD

NEW QUESTION 6
Refer to the exhibit.

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.
Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes prefixes and their additional paths? (Choose three.)

• A. Set additional-path to send
• B. Enable route-reflector-client
• C. Set advertisement-interval to the number of additional paths to advertise
• D. Set adv-additional-path to the number of additional paths to advertise
• E. Enable soft-reconfiguration

Answer: ABD

NEW QUESTION 7
Which statement is correct about SD-WAN and ADVPN?

• A. Routes for ADVPN shortcuts must be manually configured.
• B. SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.
• C. SD-WAN does not monitor the health and performance of ADVPN shortcuts.
• D. You must use IKEv2 on IPsec tunnels.

Answer: B

NEW QUESTION 8
Refer to the exhibit.

Based on the exhibit, which action does FortiGate take?

• A. FortiGate bounces port5 after it detects all SD-WAN members as dead.
• B. FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.
• C. FortiGate brings up port5 after it detects all SD-WAN members as alive.
• D. FortiGate brings down port5 after it detects all SD-WAN members as dead.

Answer: A

NEW QUESTION 9
Which two statements about the SD-WAN zone configuration are true? (Choose two.)

• A. The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.
• B. You can delete the default zones.
• C. The default zones are virtual-wan-link and SASE.
• D. An SD-WAN member can belong to two or more zones.

Answer: AC

NEW QUESTION 10
Exhibit A –

Exhibit B –

Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate.
Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?

• A. port1 is assigned a manual IP address.
• B. port1 is referenced in a firewall policy.
• C. port2 is referenced in a static route.
• D. port1 and port2 are not administratively down.

Answer: B

NEW QUESTION 11
Refer to the exhibit.

Which conclusion about the packet debug flow output is correct?

• A. The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.
• B. The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.
• C. The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.
• D. The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

Answer: D

NEW QUESTION 12
Exhibit A shows the firewall policy and exhibit B shows the traffic shaping policy.


The traffic shaping policy is being applied to all outbound traffic; however, inbound traffic is not being evaluated by the shaping policy.
Based on the exhibits, what configuration change must be made in which policy so that traffic shaping can be applied to inbound traffic?

• A. Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.
• B. In the traffic shaping policy, select Assign Shaping Class ID as Action.
• C. In the firewall policy, select Proxy-based as Inspection Mode.
• D. In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

Answer: D

NEW QUESTION 13
Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD- WAN rules?

• A. All traffic from a source IP to a destination IP is sent to the same interface.
• B. All traffic from a source IP is sent to the same interface.
• C. All traffic from a source IP is sent to the most used interface.
• D. All traffic from a source IP to a destination IP is sent to the least used interface.

Answer: A

Explanation:
Study Guide 7.2, page 176.

NEW QUESTION 14
Refer to the exhibit.

Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)

• A. Cost
• B. Interface member
• C. Priority
• D. Gateway IP

Answer: BD

NEW QUESTION 15
Refer to the exhibit.

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN.
Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)

• A. Specify a unique peer ID for each dial-up VPN interface.
• B. Use different proposals are used between the interfaces.
• C. Configure the IKE mode to be aggressive mode.
• D. Use unique Diffie Hellman groups on each VPN interface.

Answer: AC

NEW QUESTION 16
Exhibit.

The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?

• A. There are no IPsec tunnel statistics log messages for ADVPN cuts.
• B. There is one shortcut tunnel built from master tunnel T_MPLS_0.
• C. The VPN tunnel T_MPLS_0 is a shortcut tunnel.
• D. The master tunnel T_INET_0 cannot accept the ADVPN shortcut.

Answer: B

Explanation:
VPN event logs record the status of VPN tunnels, such as the establishment, termination, or failure of a tunnel. The output includes the following information:
✑ logid: the log ID number
✑ type: the log type, either traffic or event
✑ subtype: the log subtype, either vpn or ipsec
✑ level: the log level, either error, warning, or notice
✑ vd: the virtual domain name
✑ logdesc: the log description
✑ msg: the log message
✑ action: the log action, such as tunnel-up, tunnel-down, or tunnel-stats
✑ remip: the remote IP address
✑ locip: the local IP address
✑ remport: the remote port number
✑ locport: the local port number
✑ outintf: the outgoing interface name
✑ cookies: the IKE SA cookies
✑ user: the user name
✑ group: the user group name
✑ useralt: the alternative user name
✑ xauthuser: the XAuth user name
✑ authgroup: the XAuth user group name
✑ assignip: the assigned IP address
✑ vpntunnel: the VPN tunnel name
✑ tunnellip: the tunnel loopback IP address
✑ tunnelid: the tunnel ID number
✑ tunneltype: the tunnel type, either ipsec or ssl
✑ duration: the tunnel duration in seconds
✑ sentbyte: the number of bytes sent
✑ rcvdbyte: the number of bytes received
✑ nextstat: the next statistics interval in seconds
✑ advpnsc: the ADVPN shortcut flag, either 0 or 1 Based on the exhibit, the following statement is true:
✑ There is one shortcut tunnel built from master tunnel T_MPLS_0. This means that the VPN tunnel T_MPLS_0 is a master tunnel that can send ADVPN shortcut offers to other spokes, and the VPN tunnel T_MPLS_0_0 is a shortcut tunnel that is built from the master tunnel T_MPLS_01. In the exhibit, the log action for T_MPLS_0 is tunnel-up, and the log action for T_MPLS_0_0 is shortcut-up. The advpnsc flag for T_MPLS_0 is 0, indicating that it is not a shortcut tunnel, while the advpnsc flag for T_MPLS_0_0 is 1, indicating that it is a shortcut tunnel.

NEW QUESTION 17
Refer to the exhibits.
Exhibit A

Exhibit B

Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status.
Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)

• A. The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
• B. FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
• C. FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
• D. Non-TCP Facebook and YouTube traffic are not used for performance measurement.

Answer: AD

Explanation:
Study Guide 7.2, pages 103 - 104. Another comment said "because without using application Control on the firewall policy, SDWAN can't work" but there is a app control "default" defined on config.

NEW QUESTION 18
Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?

• A. hold-down-time
• B. link-down-failover
• C. auto-discovery-shortcuts
• D. idle-timeout

Answer: A

NEW QUESTION 19
Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?

• A. diagnose sys sdwan service
• B. diagnose sys sdwan route-tag-list
• C. diagnose sys sdwan member
• D. diagnose sys sdwan neighbor

Answer: A

NEW QUESTION 20
Which type statements about the SD-WAN members are true? (Choose two.)

• A. You can manually define the SD-WAN members sequence number.
• B. Interfaces of type virtual wire pair can be used as SD-WAN members.
• C. Interfaces of type VLAN can be used as SD-WAN members.
• D. An SD-WAN member can belong to two or more SD-WAN zones.

Answer: AC

Explanation:
SD-WAN members can be manually ordered by changing their sequence number (A), which allows administrators to prioritize the interfaces according to the routing requirements. Also, VLAN interfaces can be used as SD-WAN members (C), providing flexibility in network design and the use of existing VLAN infrastructure within the SD-WAN setup.

NEW QUESTION 21
......