Two hub-and-spoke groups are connected through redundant site-to-site IPsec VPNs between Hub1 and Hub2.
Which two configuration settings are required for the spoke A1 to establish an ADVPN shortcut with the spoke B2? (Choose two.)
AOn hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.
BOn hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to hubs.
COn hubs, auto-discovery-receiver must be enabled on the IPsec VPNs to spokes.
DOn hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to spokes.
Refer to the exhibit.
The exhibit shows output of the command diagnose sys sdwan service4 collected on a FortiGate device
The administrator wants to know through which interface FortiGate will steer traffic from local users on subnet 10 0.1.0/255.255.255.192 and with a destination of the social media application Facebook.
Based on the exhibits, which two statements are correct? (Choose two.)
AFortiGate steers traffic for social media applications according to the service rule 2 and steers traffic through port2.
BWhen FortiGate cannot recognize the application of the flow, it load balances the traffic through the tunnels HQ_T1, HQ_T2, HQ_T3.
CThere is no service defined for the Facebook application, so FortiGate appliesservice rule 3 and directs the traffic to headquarters.
DWhen FortiGate cannot recognize the application of the flow, it steers the traffic through the preferred member of rule 3, HQ_T1.
Refer to the exhibit.
The administrator used the SD-WAN overlay template to prepare an IPsec tunnels configuration for a hub-and-spoke SD-WAN topology. The exhibit shows the FortiManager installation preview for one FortiGate device.
Based on the exhibit, which statement best describes the configuration applied to the FortiGate device?
AIt is a spoke device that establishes dynamic IPsec tunnels to the hub. The local subnet range is 10.10 128.0/23.
BIt is a hub device. It can send ADVPN shortcut offers.
CIt is a hub device. It will automatically discover the spoke devices and add them to the SD-WAN topology.
DIt is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.
Which two statements correctly describe what happens when traffic matches the implicit SD-WAN rule? (Choose two.)
AThe session information output displays no SD-WAN service id.
BTraffic is load balanced using the algorithm set for the v4-ecmp-mode setting.
CFortiGate flags the session with may_dirty and vwl_default.
DTraffic does not match any of the entries in the policy route table.
EThe traffic is distributed, regardless of weight, through all available static routes.
Refer to the exhibit.
The administrator analyzed the traffic between a branch FortiGate and the server located in the data center, and noticed the behavior shown in the diagram. When the LAN clients located behind FGT1 establish a session to a server behind DC-1, the administrator observes that, on DC-1, the reply traffic is routed over T2, even though T1 is the preferred member in the matching SD-WAN rule.
What can the administrator do to instruct DC-1 to route the reply traffic through the member with the best performance?
AEnable auxiliary-session under config system settings.
BEnable snat-route-change under config system global.
CEnable reply-session under config system sdwan.
DFortiGate route lookup for reply traffic only considers routes over the original ingress interface.
Refer to the exhibit.
Which statement best describe the role of the ADVPN device in handling traffic?
AThis is a hub that has received a query from a spoke and has forwarded it to another spoke.
BThis is a hub in a dual-region topology. The remote hub tunnel ID is 10.0.2.101.
CThis is a spoke that has received a shortcut query from another spoke and has forwarded the response to its hub.
DThis is a spoke. The kernel received a shortcut request and forwards the query to another spoke.
Refer to the exhibit.
For your ZTP deployment, you review the CSV file shown in exhibit and note that it is missing important information.
Which two elements must you change before you can import it into FortiManager? (Choose two.)
AYou must associate a device blueprint with each device.
BYou must define a value for each device and each metadata variable that defines an IP address.
CYou must define a value for each device and each user-defined metadata variable.
DYou must define a name for each device.
Within the context of SD-WAN, what does SIA correspond to?
ARemote Breakout
BSoftware Internet Access
CSecure Internet Authorization
DLocal Breakout
Refer to the exhibit.
Which SD-WAN rule and interface uses FortiGate to steer the traffic from the LAN subnet 10.0.1.0/24 to the corporate server 10.2.5.254?
ASD-WAN service rule 3 and interface HUB1-VPN2.
BSD-WAN service rule 3 and interface HUB1-VPN3.
CSD-WAN service rule 4 and interface port2.
DSD-WAN service rule 4 and port1 or port.
When a customer delegates the installation and management of its SD-WAN infrastructure to an MSP, the MSSP usually keeps the hub within its infrastructure for ease of management and to share costly resources.
In which two situations will the MSSP install the hub in customer premises? (Choose two.)
AThe administrator expects a large volume of traffic between the branches.
BThe customer requires SIA with centralized breakout
CThe customer expects a large amount of VoIP traffic.
DThe majority of the branch traffic is directed to a corporate data center.
The exhibits show the configuration for SD.WAN performance, SD-WAN rule, the application IDs of Facebook and YouTube along with the firewall policy configuration and the underlay zone status.
Which two statements are true about the health and performance of SD.WAN members 3 and 4? (Choose two.)
AThe performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member
BOnly related TCP traffic is used for performance measurement
CFortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
DEncrypted traffic is not used for the performance measurement.
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.
What can you conclude about the zone and member configuration on this device?
AThe overlay-factories zone contains no member.
BThe underlay zone contains three members.
CYou can move HUB1-VPN3 from the HUB1 zone to the overlay-shops zone.
DYou can delete the virtual-wan-link zones.
Refer to the exhibit.
An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network.
The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over HUB1-VPN1.
However, the traffic is routed over HUB1-VPN3.
Based on the output shown in the exhibit, which two reasons, individually or together, could explain the observed behavior? (Choose two.)
A.HUB1.VPN3 has a higher member configuration priority than HUB1-VPN1.
BThe traffic matches a regular policy route configured with HUB1-VPN3 as the outgoing device.
CHUB1-VPN3 has a lower route priority value (higher priority) than HUB1-VPN1.
DHUB1-VPN1 does not have a valid route to the destination.
Refer to the exhibit.
Which action will FortiGate take if it detects SD-WAN members as dead?
AFortiGate bounces port5 after it detects all SD-WAN members as dead.
BFortiGate fails over to the secondary device after it detects port5 as dead.
CFortiGate sends alert messages through port5 when it detects all SD-WAN members as dead.
DFortiGate brings down port5 after it detects all SD-WAN members as dead.
Preview
