Your FortiGate is in production. To optimize WAN link use and improve redundancy, you enable and configure SD-WAN.
What must you do as part of this configuration update process?
A. Replace references to interfaces used as SD-WAN members in the routing configuration.
B. Disable the interface that you want to use as an SD-WAN member.
C. Replace references to interfaces used as SD-WAN members in the firewall policies.
D. Purchase and install the SD-WAN license, and reboot the FortiGate device.
As an IT manager, you want to delegate the installation and management of your SD-WAN deployment to a managed security service provider (MSSP).
Each site must maintain direct internet access and be secure. You expect significant traffic flow between the sites and want to delegate as much of the network administration and management as possible to the MSSP.
Which two MSSP deployment blueprints address your requirements? (Choose two.)
A. Install the hub and spokes on the customer premises, and enable the MSSP to manage the SD-WAN deployment using FortiManager with a dedicated ADOM.
B. Use a shared hub on the MSSP premises and a dedicated hub on the customer premises, and install the spokes on the customer premises.
C. Install a dedicated hub on the MSSP premises for the customer, and install the spokes on the customer premises.
D. Use a shared hub on the MSSP premises with a dedicated VDOM for the customer, and install the spokes on the customer premises.
Refer to the exhibit that shows a diagnose output on a FortiGate device.
Based on the output shown in the exhibit, what can you conclude about the device role and how it handles health checks?
A. The device is a spoke and it receives health-check measures for the tunnels of another spoke.
B. The device is a hub and it receives health-check measures for the tunnels of a spoke.
C. The device is a spoke and it provides embedded health-check measures for each tunnel to the hub.
D. The device is a hub and it receives embedded health-check measures for each tunnel from the spoke.
You have a FortiGate configuration with three user-defined SD-WAN zones and two members in each of these zones. One SD-WAN member is no longer in use in health-check and SD-WAN rules. You want to delete it.
What happens if you delete the SD-WAN member from the FortiGate GUI?
A. FortiGate accepts the deletion and places the member in the default SD-WAN zone.
B. FortiGate displays an error message. SD-WAN zones must contain at least two members.
C. FortiGate accepts the deletion and removes static routes as required.
D. FortiGate accepts the SD-WAN member deletion with no further action.
Refer to the exhibit.
Which action will FortiGate take if it detects SD-WAN members as dead?
A. FortiGate bounces port5 after it detects all SD-WAN members as dead.
B. FortiGate brings down port5 after it detects all SD-WAN members as dead.
C. FortiGate sends alert messages through port5 when it detects all SD-WAN members as dead.
D. FortiGate fails over to the secondary device after it detects port5 as dead.
What are three characteristics of the provisioning templates available on FortiManager? (Choose three.)
A. A template group can include a system template and an SD-WAN template.
B. A CLI template can be of type CLI script or Perl script.
C. CLI templates are applied in order, from top to bottom.
D. A CLI template group can contain CLI templates of different types.
E. Each template group can contain up to three IPsec tunnel templates.
Refer to the exhibit.
FortiGate router policy and diagnose output
How does FortiGate handle the traffic with the source IP 10.0.1.130 and the destination IP 128.66.0.125?
A. FortiGate steers the traffic flow through port2.
B. FortiGate routes the traffic flow according to the FIB.
C. FortiGate load balances the traffic flow through port1 and port2.
D. FortiGate drops the traffic flow.
Refer to the exhibit.
The administrator configured the IPsec tunnel VPN1 on a FortiGate device with the parameters shown in the exhibit.
Based on the configuration, which three conclusions can you draw about the characteristics and requirements of the VPN tunnel? (Choose three.)
A. The remote end can be a third-party IPsec device.
B. The remote end must support IKEv2.
C. The tunnel interface IP address on the spoke side is provided by the hub.
D. This configuration allows user-defined overlay IP addresses.
E. The administrator must manually assign the tunnel interface IP address on the hub side.
Refer to the exhibit.
SD-WAN Network Topology
You want to configure SD-WAN on a network, as shown in the exhibit.
The network contains many FortiGate devices. Some are used as next-generation firewalls (NGFW), and some are installed with extensions such as FortiSwitch, FortiAP, or FortiExtender.
Which factors should you consider when planning your deployment?
A. You should build multiple SD-WAN topologies. Each topology should contain only one type of extension.
B. You can build an SD-WAN topology that includes all devices. The hubs must be devices without extensions.
C. You should exclude the FortiGate devices with FortiLink connection from the SD-WAN topology.
D. You can build an SD-WAN topology that includes all devices. The hubs can be FortiGate devices with FortiExtender.
Refer to the exhibit.
FortiManager SD-WAN monitor
To check the status of an SD-WAN topology using the FortiManager SD-WAN monitor menus, you place your mouse next to branch1_fgt and receive the output shown in the exhibit.
Which conclusion can you draw from the output shown in the exhibit?
A. Three tunnels of branch2_fgt are out of SLA.
B. The template Corp-SOT defines a single-hub topology.
C. branch3_fgt is configured with three SD-WAN overlay tunnels and one is dead.
D. The three spokes have tunnels that are out of SLA.
Refer to the exhibit.
Diagnose output
The exhibit shows output of the command diagnose sys sdwan service4 collected on a FortiGate device.
The administrator wants to know through which interface FortiGate will steer traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the social media application Facebook.
Based on the exhibits, which two statements are correct? (Choose two.)
A. When FortiGate cannot recognize the application of the flow, it load balances the traffic through the tunnels HQ_T1, HQ_T2, HQ_T3.
B. FortiGate steers traffic for social media applications according to the service rule 2 and steers traffic through port2.
C. When FortiGate cannot recognize the application of the flow, it steers the traffic through the preferred member of rule 3, HQ_T1.
D. There is no service defined for the Facebook application, so FortiGate applies service rule 3 and directs the traffic to headquarters.
Refer to the exhibit.
The health-check configuration on a FortiGate device used as a spoke is shown.
You notice that the hub FortiGate does not prioritize the traffic as expected.
Which two configuration elements should you check on the hub? (Choose two.)
A. This performance SLA uses the same members.
B. The performance SLA is configured with set embedded-measure accept.
C. The performance SLA uses the same criteria.
D. The performance SLA has the parameter priority-out-sla configured.
Refer to the exhibit.
Two hub-and-spoke groups are connected through redundant site-to-site IPsec VPNs between Hub 1 and Hub 2.
Which two configuration settings are required for spoke A1 to establish an auto-discovery VPN (ADVPN) shortcut with spoke B2? (Choose two.)
A. On the hubs, auto-discovery-receiver must be enabled on the IPsec VPNs to spokes.
B. On the hubs, auto-discovery-forwarder must be enabled on the IPsec VPNs to hubs.
C. On the spokes, auto-discovery-receiver must be enabled on the IPsec VPNs to the hub.
D. On the spokes, auto-discovery-sender must be enabled on the IPsec VPNs to hubs.
Refer to the exhibit.
Diagnose output
An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over HUB1-VPN1. However, the traffic is routed over HUB1-VPN.
Based on the output shown in the exhibit, which two reasons, individually or together, could explain the observed behavior? (Choose two.)
A. HUB1-VPN1 does not have a valid route to the destination.
B. HUB1-VPN3 has a higher member configuration priority than HUB1-VPN1.
C. The traffic matches a regular policy route configured with HUB1-VPN3 as the outgoing device.
D. HUB1-VPN3 has a lower route priority value (higher priority) than HUB1-VPN1.
Refer to the exhibit, which shows the SD-WAN rule status and configuration.
SD-WAN rules status and configuration
Based on the exhibit, which change in the measured packet loss will make HUB1-VPN3 the new preferred member?
A. When all three members have the same packet loss
B. When HUB1-VPN3 has 4% packet loss
C. When HUB1-VPN1 has 12% packet loss
D. When HUB1-VPN1 has 4% packet loss
Refer to the exhibits.
Interface details
Static route details
Firewall policies on managed FortiGate
The interface details, static route configuration, and firewall policies on the managed FortiGate device are shown.
You want to configure a new SD-WAN zone, named Underlay, that contains the interfaces port1 and port2.
What should be your first action?
A. Delete the static routes.
B. Delete the SD-WAN Zone Test.
C. Delete the firewall policies.
D. Define port1 as an SD-WAN member.
You manage an SD-WAN topology and you will soon deploy 50 new branches.
Which two tasks can you do in advance to simplify this deployment? (Choose two.)
A. Create a policy blueprint.
B. Define metadata variable values for each device.
C. Create model devices.
D. Create a zero-touch provisioning (ZTP) template.
Refer to the exhibit.
The event log on a FortiGate device is shown.
Based on the output shown in the exhibit, what can you conclude about the tunnels on this device?
A. The voice traffic is steered through the VPN tunnel HUB1-VPN3.
D. There is one shortcut tunnel built from the master tunnel VPN4.
You want FortiGate to use SD-WAN rules to steer ping local-out traffic.
Which two constraints should you consider? (Choose two.)
A. By default, local-out traffic does not use SD-WAN.
B. You must configure each local-out feature individually to use SD-WAN.
C. By default, FortiGate uses SD-WAN rules only for local-out traffic that corresponds to ping and traceroute.
D. You can steer local-out traffic only with SD-WAN rules that use the manual strategy.
Refer to the exhibit.
You configure the SD-WAN rule ID 4 with two members (port1 and port2) and the strategy lowest cost (SLA).
Which two statements about the session shown in the exhibit are true? (Choose two.)
A. FortiGate steered this flow according to the application detected and the outgoing interface is port3.
B. FortiGate will reevaluate this session if the outgoing interface goes down.
C. FortiGate steered this flow according to the SD-WAN rule 4.
D. FortiGate will reevaluate this session if you update the routing table.
You are configuring ADVPN 2.0 on an SD-WAN topology already configured for ADVPN.
What should you do to implement ADVPN 2.0 in this scenario?
A. Update the IPsec tunnel configuration on the branches.
B. Delete the existing ADVPN configuration and configure ADVPN 2.0.
C. Update the IPsec tunnel configurations on the hub.
D. Update the SD-WAN configuration on the branches.
Refer to the exhibit.
SD-WAN rule
You configure SD-WAN on a standalone FortiGate device.
You want to create an SD-WAN rule that steers traffic related to Facebook and LinkedIn through the less costly internet link.
What must you do to set Facebook and LinkedIn applications as destinations from the GUI?
A. In the Internet service field, select Facebook and LinkedIn.
B. Enable the visibility of the applications field as destinations of the SD-WAN rule.
C. You cannot configure applications as destinations of an SD-WAN rule on a standalone FortiGate device.
D. Install a license to allow applications as destinations of SD-WAN rules.
Which three factors about SLA targets and SD-WAN rules should you consider when configuring SD-WAN rules? (Choose three.)
A. SLA targets are used only by SD-WAN rules that are configured with a Lowest Cost (SLA) strategy.
B. SD-WAN rules can use SLA targets to check whether the preferred members meet the SLA requirements.
C. Member metrics are measured only if a rule uses the SLA target.
D. When configuring an SD-WAN rule, you can select multiple SLA targets if they are from the same performance SLA.
E. When configuring an SD-WAN rule, you can select multiple SLA targets from different performance SLAs.
You plan a large SD-WAN deployment for a global company. You want to divide the network architecture into five geographical regions and install two hubs in each region for increased redundancy.
You expect a significant amount of traffic within each region and limited traffic flow between spokes in different regions. You plan to connect the small branch sites to only the closest hub in their regions and the large branch sites to the two hubs in the regions.
Which statement about your plan is true?
A. It is possible. You should use FortiManager and the overlay orchestrator multihub topology to simplify the deployment.
B. It is possible. You should use EBGP as the routing protocol between the regions.
C. It is not possible. In a region, all spokes must have either single-hub or dual-hub connectivity.
D. It is not possible. FortiOS 7.6 supports multihub topologies with up to four hubs.
Refer to the exhibits.
SD-WAN overlay template advanced settings
Underlay and network advertisement configuration
The SD-WAN overlay template, advanced settings, and the underlay and network advertisement settings are shown.
These are the configurations for the secondary hub of a dual-hub SD-WAN topology created with the FortiManager SD-WAN overlay orchestrator.
Which two conclusions can you draw from the information shown in the exhibits? (Choose two.)
A. FortiManager will define port5 as a BGP neighbor.
B. FortiManager will create an overlay tunnel on the port2 interface.
C. FortiManager will define port2 as a BGP neighbor.
D. FortiManager will create an overlay tunnel on the port1 interface.