A. FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change.
B. FortiGate always blocks all traffic, after a route change.
C. FortiGate performs routing lookups for new sessions only, after a route change.
D. FortiGate flushes all routing information from the session table, after a route change.
What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in a hub-and-spoke topology? (Choose two.)
A. It ensures consistent settings between phase1 and phase2.
B. It guides the administrator to use Fortinet recommended settings.
C. The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.
D. It automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.
In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)
A. It provides the benefits of a full-mesh topology in a hub-and-spoke network.
B. It enables spokes to establish shortcuts to third-party gateways.
C. It provides direct connectivity between spokes by creating shortcuts.
D. It enables spokes to bypass the hub during shortcut negotiation.
Refer to the exhibit.
The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.
Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes' prefixes and their additional paths? (Choose three.)
A. Enable soft-reconfiguration
B. Enable route-reflector-client
C. Set additional-path to send
D. Set adv-additional-path to the number of additional paths to advertise
E. Set advertisement-interval to the number of additional paths to advertise
Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?
A. get router info routing-table all
B. get ipsec tunnel list
C. diagnose vpn tunnel list
D. diagnose debug application ike
Refer to the exhibit.
The exhibit shows output of the command diagnose sys sdwan service collected on a FortiGate device.
The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HQ servers 10.0.0.1.
Based on the exhibits, which two statements are correct? (Choose two.)
A. There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.
B. FortiGate steers traffic to HQ servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.
C. When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.
D. FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.
Refer to the exhibit.
Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.
Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)
A. On the hubs, net-device must be enabled on all IPsec VPNs.
B. auto-discovery-forwarder must be enabled on all IPsec VPNs.
C. On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.
D. On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.
What are two common use cases for remote internet access (RIA)? (Choose two.)
A. Provide internet access through the hub.
B. Centralize security inspection on the hub.
C. Provide thorough inspection on spokes.
D. Provide direct internet access on spokes.
Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members?
A. diagnose sys sdwan member
B. diagnose sys sdwan interface
C. diagnose sys sdwan zone
D. diagnose sys sdwan service
Which statement is correct about SD-WAN and ADVPN?
A. SD-WAN can steer traffic to ADVPN shortcuts only for rules defined with strategy manual or best quality.
B. SD-WAN does not monitor the health and performance of ADVPN shortcuts.
C. SD-WAN cannot steer traffic to ADVPN shortcuts established over IPsec overlays if the zone contains physical interfaces.
D. SD-WAN can steer traffic to ADVPN shortcuts established over IPsec overlays configured as SD-WAN members.
Refer to the exhibits.
Exhibit A.
Exhibit B.
An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.
After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.
Which two reasons explain why some log messages show that the traffic matched the implicit SD-WAN rule? (Choose two.)
A. Port1 and port2 do not have a valid route to the destination.
B. The session 3-tuple did not match any of the existing entries in the ISDB application cache.
C. Full SSL inspection is not enabled on the matching firewall policy.
D. FortiGate did not refresh the routing information on the session after the application was detected.
What is a benefit of using application steering in SD-WAN?
A. The traffic always skips the regular policy routes.
B. You do not need to configure firewall policies that accept the SD-WAN traffic.
C. You steer traffic based on the detected application.
D. You do not need to enable SSL inspection.
Refer to the exhibit.
The exhibit shows the SD-WAN rule status and configuration.
Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?
A. When T_INET_0_0 has a latency of 250 ms.
B. When T_MPLS_0 has a latency of 80 ms.
C. When T_INET_0_0 and T_MPLS_0 have the same latency.
D. When T_MPLS_0 has a latency of 100 ms.
Which two statements about the SD-WAN members are true? (Choose two.)
A. Interfaces of type virtual wire pair can be used as SD-WAN members.
B. You can manually define the SD-WAN members sequence number.
C. An SD-WAN member can belong to two or more SD-WAN zones.
D. Interfaces of type VLAN can be used as SD-WAN members.
Refer to the exhibit.
Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)
A. After FortiGate switches to active mode, the SLA performance rule never falls back to passive monitoring.
B. FortiGate passively monitors the member if TCP traffic is passing through the member.
C. FortiGate can offload the traffic that is subject to passive monitoring to hardware.
D. During passive monitoring, the SLA performance rule cannot detect dead members.
Refer to the exhibit.
Based on the output, which two conclusions are true? (Choose two.)
A. Entry 1 (id=1) is a regular policy route.
B. There is more than one SD-WAN rule configured.
C. The SD-WAN rules take precedence over regular policy routes.
D. The all_rules rule represents the implicit SD-WAN rule.
Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.)
A. By default, FortiGate does not check if the selected member has a valid route to the destination.
B. You must configure each local-out feature individually, to use SD-WAN.
C. By default, local-out traffic does not use SD-WAN.
D. FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.
Refer to the exhibit.
Which statement about the role of the ADVPN device in handling traffic is true?
A. This is a spoke that has received an offer from a remote hub.
B. Two spokes, 192.2.0.1 and 10.0.2.101, establish a shortcut.
C. This is a hub that has received an offer from a spoke and has forwarded it to another spoke.
D. An IKE session is established between 10.0.1.101 and 10.0.2.101 in the process of forming a shortcut tunnel.
In which SD-WAN template field can you use a metadata variable?
A. You can use metadata variables only to define interface members and the gateway IP.
B. Any field identified with a dollar sign ($) in a magnifying glass.
C. Any field identified with an "M" in a circle.
D. All SD-WAN template fields support metadata variables.
Refer to the exhibits.
Exhibit A -
Exhibit B -
Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on a FortiGate device acting as the sender. Exhibit B shows the sniffer output on a FortiGate device acting as the receiver.
The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1.
Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)
A. The ICMP echo request packets sent over T_INET_0 and T_MPLS were dropped along the way.
B. On the receiver FortiGate, packet-de-duplication is enabled.
C. On the sender FortiGate, duplication-max-num is set to 3.
D. The sender FortiGate has anti-replay enabled to block duplicate ICMP replies.
Refer to the exhibit.
The device exchanges routes using IBGP.
Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)
A. Each BGP route is three hops away from the destination.
B. ibgp-multipath is disabled.
C. You can run the get router info routing-table database command to display the additional paths.
D. additional-path is enabled.
Refer to the exhibits.
Exhibit A -
Exhibit B -
Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status.
If port2 is detected dead by FortiGate, what is the expected behavior?
A. Host 8.3.8.8 is reachable through port1 and port2.
B. Port2 becomes alive after three successful probes are detected.
C. The administrator manually restores the static routes for port2, if port2 becomes alive.
D. FortiGate disables all static routes for port2.
Refer to the exhibit, which shows output of the command diagnose sys sdwan health-check status collected on a FortiGate device.
Which two statements are correct about the health check status on this FortiGate device? (Choose two.)
A. The interface T_INET_0 missed three SLA targets.
B. The interface T_INET_1 missed one SLA target.
C. There are no SLA criteria configured for the health-check Level3_DNS.
D. The health-check VPN_PING orders the members according to the measured jitter.
Within IPsec tunnel templates available on FortiManager, which template will you use to configure static tunnels for a hub-and-spoke topology?