29/10/23, 0:01 NSE7_SDW-7.0 Exam – Free Actual Q&As, Page 1 | ExamTopics

https://www.examtopics.com/exams/fortinet/nse7-sdw-7-0/custom-view/ 1/72

Topic 1 - Exam A

Question #1 Topic 1

Which diagnostic command can you use to show the member utilization statistics measured by performance SLAs for the last 10 minutes?

A. diagnose sys sdwan intf-sla-log

B. diagnose sys sdwan health-check

C. diagnose sys sdwan log

D. diagnose sys sdwan sla-log

Correct Answer: D

Community vote distribution
A (73%) D (27%)

baker_gt Highly Voted 5 months ago
Selected Answer: A
A. diagnose sys sdwan intf-sla-log
Page 95 of study guide
upvoted 7 times

xhshkurti Most Recent 1 week, 1 day ago
Selected Answer: A
diag sys sdwan sla-log is used to display member metrics
diag sys sdwan intf-sla-log is used to display member utilization
upvoted 1 times

kalopilo 2 weeks, 2 days ago
Answer is A: A. diagnose sys sdwan intf-sla-log.
The answer is on page 321 SD-WAN 7.2 Study Guide.
upvoted 2 times

alejandrofern43 2 weeks, 5 days ago
Selected Answer: A
A. diagnose sys sdwan intf-sla-log. The answer is on page 321 of the SD-WAN Study Guide.
D. diagnose sys sdwan sla-log is only for viewing the member metrics
upvoted 2 times

alejandrofern43 2 weeks, 5 days ago
A. diagnose sys sdwan intf-sla-log. The answer is on page 321 of the SD-WAN Study Guide.
D. diagnose sys sdwan sla-log is only for viewing the member metrics
upvoted 1 times

Bob_1515 2 weeks, 5 days ago
A. page 29 of 7.2 study guide - Member Utilization: dia sys sdwan intf-sla-log <INT>
upvoted 1 times

Tobias1 3 weeks, 3 days ago
Just read the question carefully and look at the output of both commands. A is obviously correct as there is no "utilization statistics" in D
upvoted 1 times

tami82 3 weeks, 4 days ago
Are these questions still valid? I want to book an appointment for my exam. Can anyone confirm?
Thanks in advance
upvoted 1 times

jack987 1 month ago
Selected Answer: D
The correct answer is D.
SD-WAN 7.2 Study Guide page 321
You can view the stored member metrics by running the diagnose sys sdwan sla-log command. Note that you must include the name of the performance SLA followed by the member configuration index number. To display the SLA logs per interface, you run the diagnose sys sdwan intf-sla-log command.
upvoted 1 times

karak008 1 month ago
Selected Answer: A
A. diagnose sys sdwan intf-sla-log
Page 95 of study guide 7.0 > utilization statistic
D is only for performance statistics
upvoted 2 times

A81 2 months, 1 week ago
None of these questions are on the 7.0 test.
I failed today.
upvoted 3 times

Jkay_Hippy 1 month, 1 week ago
Yes, it's true, I just failed today. I've got three questions from this database, the rest of them were new/different.
upvoted 2 times

TheUsD 3 weeks, 6 days ago
You failed today because you didn't study and used an ExamDump as your study guide.
upvoted 4 times

Jack2002 2 months, 1 week ago
Selected Answer: D
You can see it by entering this command in CLI mode:
"diagnose sys sdwan ?"
The return of this command shows us the definition of each of them.
upvoted 3 times

Dogbert 2 months, 3 weeks ago
None of these questions are on the 7.0 test
upvoted 1 times

yuop 2 months, 2 weeks ago
What does the test look like?
upvoted 1 times

rollotap 3 months, 3 weeks ago
This is a tricky one, just read again the question and then the guide:
You can view the stored member metrics by running the diagnose sys sdwan sla-log command. Note that you must indicate the name of the performance SLA followed by the member configuration index number. To display the stored member utilization, you run the diagnose sys sdwan intf-sla-log command.
upvoted 3 times

rollotap 3 months, 3 weeks ago
Capital D ... page 95 in study 7.0 "name of the performance SLA"
upvoted 2 times

JackCl 3 months, 3 weeks ago
These 35 questions aren't valid anymore. Most of the questions are not from these 35.
upvoted 3 times

yuop 2 months, 3 weeks ago
How was the exam? How was it set up? Your response will be highly appreciated.
upvoted 2 times

ivanlean55 3 months, 3 weeks ago
Which kind of questions are involved now?
upvoted 2 times

themageofsec 3 months, 3 weeks ago
A. diagnose sys sdwan intf-sla-log
Page 95 of study guide 7.0
Page 321 of study guide 7.2
upvoted 1 times

rollotap 3 months, 3 weeks ago
nope ... question asks "measured by performance SLAs". sla-log command accepts the performance SLA as an input parameter.
upvoted 2 times

Question #2 Topic 1

Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)

A. Encapsulating Security Payload (ESP)

B. Secure Shell (SSH)

C. Internet Key Exchange (IKE)

D. Security Association (SA)

Correct Answer: AC

Community vote distribution
AC (100%)

kalopilo 2 weeks, 2 days ago
Selected Answer: AC
Page 232 of study guide 7.2
upvoted 1 times

alejandrofern43 2 weeks, 5 days ago
Selected Answer: AC
Page 232 of study guide 7.2
upvoted 1 times

Dogbert 2 months, 3 weeks ago
None of these questions are on the 7.0 test
upvoted 1 times

themageofsec 3 months, 3 weeks ago
IKE, ESP
Page 204 of study guide 7.0
Page 232 of study guide 7.2
upvoted 2 times

Welisson2 4 months, 2 weeks ago
Selected Answer: AC
IKE and ESP
upvoted 1 times

JABarracus 4 months, 3 weeks ago
IKE, ESP - Answers AC
upvoted 1 times

baker_gt 5 months ago
Selected Answer: AC
IKE
ESP
Page 204 of study guide
upvoted 1 times

Question #3 Topic 1

Which two settings can you configure to speed up routing convergence in BGP? (Choose two.)

A. update-source

B. set-route-tag

C. holdtime-timer

D. link-down-failover

Correct Answer: CD

Community vote distribution
CD (100%)

Dogbert 2 months, 3 weeks ago
None of these questions are on the 7.0 test
upvoted 1 times

themageofsec 3 months, 3 weeks ago
Selected Answer: CD
Hold Timer, Link Down fail over
Page 220 of study guide 7.0
Page 250 of study guide 7.2
upvoted 2 times

JABarracus 4 months, 3 weeks ago
Page 220 - Study Guide
ANS - CD
upvoted 1 times

baker_gt 5 months ago
Selected Answer: CD
Hold Timer
Link Down fail over
Page 220 of study guide
upvoted 1 times

Question #4 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing table, and the member status.

The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule.

Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule?

A. The traffic will be load balanced across all three overlays.

B. The traffic will be routed over T_INET_0_0.

C. The traffic will be routed over T_MPLS_0.

D. The traffic will be routed over T_INET_1_0.

Correct Answer: C

Community vote distribution
D (58%) C (42%)

Yekoy Highly Voted 4 months, 2 weeks ago
Selected Answer: C
Because the gateway is enabled, Fortigate will not check if the member has a valid route to the destination, therefore MPLS will win because it has the most SLAs that are met.
upvoted 9 times

draven76 4 months, 1 week ago
Sorry, I have set up a specific lab to test it. The command "set gateway enable" is not enough to "blindly" send packets to the sd-wan member.
You need to also "set default enable" to make it work in that way.
upvoted 7 times

dalmiroy2k Most Recent 2 weeks, 1 day ago
Sadly, I think the correct answer is T_MPLS_0
Even with T_INET_1_0 being successful in one SLA target (0x1), FortiGate checks how many SLA targets a member meets. The more SLA targets it meets, the higher its preference. If there are two or more members that meet the same number of SLA targets, then FortiGate uses the member cost as the tiebreaker, and then the member priority as the last tiebreaker.
With "set gateway enable", T_MPLS_0 should skip the FIB and use gateway 172.16.1.5. It doesn't matter if that gateway may not reach 10.0.0.0/8
set default enable is missing, so SD-WAN rules are skipped if the best route to the destination isn't an SD-WAN member. They all are.
upvoted 1 times

kalopilo 2 weeks, 2 days ago
Selected Answer: D
Please refer to page 227 SD study guide 7.2.
If the SLA value is 0x0 - Meaning no SLA has been met.
MPLS has the most SLAs 0x3 but no route. INET_1 has 0x1 SLA met and has a route to destination.
upvoted 1 times

jarz 2 months, 3 weeks ago
Is this question missing some info? I can't see the destination for the life of me.
upvoted 1 times

Dogbert 2 months, 3 weeks ago
Selected Answer: D
MPLS has the most SLAs 0x3 but no route. INET_1 has one more SLA than the other. D
upvoted 2 times

furymistrz 3 months, 1 week ago
If you want to send packets blindly through member gateway, then you must enable default and enable gateway.
Please, check page 145 of SD-WAN7.0. I spent 30 minutes analyzing that example and thinking and my conclusion is that it must be D.
upvoted 2 times

cstevens97 3 months, 2 weeks ago
Selected Answer: D
I thoroughly tested this in my home lab and strictly added the 'set gateway enable' command. Then tried to ping 8.8.4.4 from a LINUX server, with no internet routes in the FIB. The ping failed. Then I added the 'set default enable' and my ping worked. Since this configuration on the list does NOT have 'set default enable' I will continue to say the only valid answer is D. INET_1 has a valid route in this example.
upvoted 4 times

jack987 1 month ago
I agree.
upvoted 1 times

themageofsec 3 months, 3 weeks ago
Selected Answer: D
MPLS doesn't have a valid route for destination AND set gateway enable without also set default enable will not allow packets to flow to this member without a valid route.
INET_1 has route and meets one sla target (0x1);
INET_0 has route but doesn't meet sla targets (0x0).
upvoted 3 times

themageofsec 3 months, 3 weeks ago
Selected Answer: D
MPLS doesn't have a valid route for destination AND set gateway enable without also set default enable will not allow packets to flow to this member without a valid route.
INET_1 has route and meets one sla target (0x1).
INET_0 has route but doesn't meet sla targets (0x0).
upvoted 1 times

ducduc95 4 months, 1 week ago
Selected Answer: C
To see the valid route, you should look in the database routing table.
MPLS iface is a member of the sdwan rule so it has a valid route even if it is not the best (thus it is not present in the routing table)
upvoted 2 times

draven76 4 months, 1 week ago
Selected Answer: D
MPLS doesn't have a valid route for destination AND set gateway enable without also set default enable will not allow packets to flow to this member without a valid route.
INET_1 has route and meets one sla target (0x1).
INET_0 has route but doesn't meet sla targets (0x0)
upvoted 4 times

draven76 4 months, 1 week ago
Selected Answer: C
I found something maybe more explicative about the "set gateway enable":
https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-deployment-for-mssps/511005/sd-wan-routing-logic
in that document, the "set gateway enable" command is explained as a way to disable the general rule "SD-WAN Member is selected only if it has a valid route to the destination (not necessarily the best route).". So in this case the correct answer would be C even if there isn't a valid route.
upvoted 1 times

G33 4 months, 2 weeks ago
D - Fortigate would NOT send traffic to a route it cannot use, next best is INET_1
upvoted 1 times

JABarracus 4 months, 3 weeks ago
D is correct.
MPLS doesn't have a valid route for destination.
INET_1 has route and meets one sla target (0x1).
INET_0 has route but doesn't meet sla targets (0x0)
upvoted 1 times

DeckedFern 4 months, 3 weeks ago
Selected Answer: D
Answer is "D". MPLS does not have a route to destination
upvoted 1 times

Kero016 4 months, 3 weeks ago
D. is correct.
T_MPLS_0 does not have valid route.
"By default, SDWAN rules are skipped if none of the configured members in the rule have a valid route to the destination."
upvoted 1 times

HajMar 4 months, 3 weeks ago
C is correct, SDWAN rule takes precedence over routing table
upvoted 2 times

Question #5 Topic 1

Refer to the exhibit.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups.

Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

A. London generates an IKE information message that contains the Toronto public IP address.

B. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.

C. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.

D. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Correct Answer: BD

Community vote distribution
BD (100%)

themageofsec 3 months, 3 weeks ago
Selected Answer: BD
B and D are correct
Page 237 on study guide 7.0
Page 269 on study guide 7.2
upvoted 2 times

ducduc95 4 months, 1 week ago
Selected Answer: BD
B, D are correct
upvoted 1 times

JABarracus 4 months, 3 weeks ago
B, D are correct
upvoted 1 times

Question #6 Topic 1

Which two performance SLA protocols enable you to verify that the server response contains a specific value? (Choose two.)

A. http

B. icmp

C. twamp

D. dns

Correct Answer: AD

Community vote distribution
AD (100%)

themageofsec 3 months, 3 weeks ago
Selected Answer: AD
A,D correct
Pages 85,86 in Study guide 7.0
Pages 100,101 in Study guide 7.2
upvoted 3 times

JABarracus 4 months, 3 weeks ago
A,D correct
Study guide, pages 85,86
upvoted 2 times

hugojt 4 months, 3 weeks ago
Hummm ok
upvoted 1 times

Question #7 Topic 1

Refer to the exhibit.

Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)

A. The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

B. The measured bandwidth is less than 100 KBps.

C. The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

D. The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

Correct Answer: BC

Community vote distribution
BC (100%)

stickit 3 months, 1 week ago
These 35 questions aren't valid anymore. Most of the questions are not from these 35. Don't waste your money
upvoted 2 times

yuop 2 months, 3 weeks ago
Where do most questions come from? 6.4? And how was the setup? Your response will be highly appreciated.
upvoted 2 times

ducduc95 4 months, 1 week ago
Selected Answer: BC
B,C are correct
upvoted 1 times

JABarracus 4 months, 3 weeks ago
B,C correct
Study guide page 266
upvoted 2 times

Question #8 Topic 1

Refer to the exhibit.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

A. type must be set to static.

B. mode-cfg must be enabled.

C. exchange-interface-ip must be enabled.

D. add-route must be disabled.

Correct Answer: D

Community vote distribution
D (100%)

themageofsec 3 months, 3 weeks ago
Selected Answer: D
D is correct
Page 209 in Study_Guide 7.0
Page 236 in Study_Guide 7.2
add-route disable if dynamic routing is used
upvoted 2 times

ducduc95 4 months, 1 week ago
Selected Answer: D
D is correct, SD-WAN_7.0 Study_Guide page 209
upvoted 1 times

JABarracus 4 months, 3 weeks ago
D is correct, SD-WAN_7.0 Study_Guide page 209
add-route disable if dynamic routing is used
upvoted 1 times

driguilim 5 months ago
Selected Answer: D
D is correct
upvoted 1 times

Kero016 5 months ago
D. add-route disable if dynamic routing is used
upvoted 1 times

mordechayd 5 months ago
Selected Answer: D
D. For using "non ike" routes (for example BGP/static and so on) you must disable the add-route that automatically injects kernel routes based on p2 selectors from the remote site
from the SD-WAN_7.2_Study_Guide page 236
upvoted 1 times

Michael348 5 months ago
B, interface needs an IP address and mode-cfg adds an IP from the Hub.
upvoted 1 times

Question #9 Topic 1

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

A. get router info routing-table all

B. diagnose debug application ike

C. diagnose vpn tunnel list

D. get ipsec tunnel list

Correct Answer: B

Community vote distribution
B (100%)

stickit 3 months, 1 week ago
These 35 questions aren't valid anymore. Most of the questions are not from these 35. Don't waste your money
upvoted 1 times

yuop 2 months, 3 weeks ago
Where are most of the questions coming from? 6.4?
upvoted 2 times

themageofsec 3 months, 3 weeks ago
Selected Answer: B
B is correct
Page 248 in Study guide 7.0
Page 278 in Study guide 7.2
upvoted 2 times

bahafuad61 4 months ago
Selected Answer: B
B is the correct answer
upvoted 1 times

JABarracus 4 months, 2 weeks ago
Selected Answer: B
di de app ike -1
upvoted 1 times

cstevens97 4 months, 4 weeks ago
Selected Answer: B
B is the correct answer
upvoted 1 times

mordechayd 5 months ago
Selected Answer: B
B. To debug the *negotiation* of an ipsec tunnel you should use dia deb app ike -1
with the appropriate filters
nse7.2 study guide 278
upvoted 1 times

Michael348 5 months ago
Answer - B
IKE real-time debug - useful when debugging ADVPN shortcut messages and spoke-to-spoke negotiations.
• diagnose debug console timestamp enable
• diagnose vpn ike log filter clear
• diagnose vpn ike log filter mdst-addr4 <ip.of.hub> <ip.of.spoke>
• diagnose debug application ike -1
• diagnose debug enable
upvoted 1 times

Question #10 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate.

Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?

A. port1 is assigned a manual IP address.

B. port1 is referenced in a firewall policy.

C. port2 is referenced in a static route.

D. port1 and port2 are not administratively down.

Correct Answer: B

stickit 3 months, 1 week ago
These 35 questions aren't valid anymore. Most of the questions are not from these 35. Don't waste your money
upvoted 1 times

moesa 2 months ago
You and another user have commented the same thing, so what advice can you give us to get the valid one then?
upvoted 1 times

yuop 2 months, 3 weeks ago
Where can you advise someone to get the valid one?
upvoted 2 times

Question #11 Topic 1

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

A. The sdwan_service_id flag in the session information is 0.

B. All SD-WAN rules have the default setting enabled.

C. Traffic does not match any of the entries in the policy route table.

D. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Correct Answer: AD

Community vote distribution
AC (93%) 7%

dalmiroy2k 2 weeks, 1 day ago
Selected Answer: AC
If you are familiar with ECMP, you probably know the v4-ecmp-mode setting available under config system settings. The v4-ecmp-mode setting defines the algorithm that FortiGate uses to load balance sessions that match ECMP routes in the VDOM.
However, when you enable SD-WAN on FortiGate, FortiOS hides the v4-ecmp-mode setting and replaces it with the load-balance-mode setting under config system sdwan. That is, after you enable SD-WAN, you now control the VDOM ECMP algorithm with the load-balance-mode setting.
upvoted 1 times

Bob_1515 2 weeks, 5 days ago
Both v4-ecmp-mode & load-balance-mode control the VDOM ECMP algorithm, but Load-balance-mode replaces v4-ecmp-mode when SD-WAN is enabled. page 179 7.2 study guide. sdwan_mbr_seq and sdwan_service_id indicate the SD-WAN member & SD-WAN rule ID. If the session matched the SD-WAN implicit rule, therefore handled using the standard FIB routing, these SD-WAN fields do not appear. 7.2 study guide page 149
upvoted 1 times

ja7597 3 weeks, 3 days ago
Selected Answer: AC
D cannot be correct, as the correct command parameter is:
load-balance-mode not v4-ecmp-mode
upvoted 2 times

themageofsec 3 months, 3 weeks ago
Selected Answer: AC
A,C are correct
sdwan_service_id is 0 = match SD-WAN implicit rule, study guide 7.0 page 120, 7.2 page 149
SD-WAN rules internally are interpreted as a Policy route, so when the traffic doesn't match with any policy route, it will be flowing by implicit policy.
upvoted 2 times

Tcmh 4 months ago
Selected Answer: AC
AC, sdwan_service_id is 0 = match SD-WAN implicit rule, study guide page 120
upvoted 2 times

JABarracus 4 months, 2 weeks ago
Selected Answer: AC
ans A, C
upvoted 1 times

LULU23 4 months, 3 weeks ago
Selected Answer: AC
D should be not true because when using sd-wan it doesn't use the v4-ecmp-mode but uses the load-balance-mode
upvoted 3 times

DeckedFern 4 months, 3 weeks ago
Selected Answer: AC
answer is A and C
upvoted 1 times

matrixneo 5 months ago
Selected Answer: AC
The answer is A and C.
upvoted 1 times

driguilim 5 months ago
Selected Answer: AD
A and D is correct
upvoted 1 times

cstevens97 5 months ago
The answer is A and C.
upvoted 1 times

Michael348 5 months ago
A and C. B and D can't be correct.
upvoted 2 times

Question #12 Topic 1

Refer to the exhibit.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0.

Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)

A. The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.

B. T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.

C. T_INET_0_0 does not have a valid route to the destination.

D. T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

Correct Answer: AB

Community vote distribution
AC (41%) BC (24%) CD (18%) Other

dalmiroy2k 2 weeks, 1 day ago
Selected Answer: AC
Do not confuse the member configuration priority with the Priority setting available on the SD-WAN member configuration. The latter is used for the priority of static routes for members when you configure static routes for zones. The former refers to the member priority based on the Interface Preference list configuration. Members that are configured first in the list have higher priority over those configured last. The Priority setting is used as a tiebreaker for ECMP routes when matching the implicit SD-WAN rule.
upvoted 1 times

Nappel 1 month, 4 weeks ago
Selected Answer: AB
A: Policy routes have a higher precedence than an SD-WAN Rule: Page 192 SDWAN 7.2
B: The priority of T_INET_0_1 is lower than T_INET_0_0 and the mode is Manual.
upvoted 3 times

alejof46 2 months, 2 weeks ago
Why has priority 0, the priority is 1 to 65535.
But the most correct maybe is B and C.
upvoted 1 times

divided7 2 weeks, 3 days ago
Incorrect. "Priority of the interface (0 - 65535). Used for SD-WAN rules or priority rules."
upvoted 1 times

stickit 3 months, 1 week ago
These 35 questions aren't valid anymore. Most of the questions are not from these 35. Don't waste your money
upvoted 2 times

jarz 3 months, 1 week ago
Selected Answer: BC
I think it's B and C.
It's clear that T_INET_0_0 and T_INET_0_1 have different priorities, there is no route using T_INET_0_0 interface.
upvoted 4 times

jarz 2 months ago
SD-WAN interface priority, a lower value = better
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Assigning-Priority-to-SD-WAN-Members-for-Default/ta-p/230911
upvoted 2 times

dalmiroy2k 2 weeks, 1 day ago
Do not confuse the member configuration priority with the Priority setting available on the SD-WAN member configuration. The latter is used for the priority of static routes for members when you configure static routes for zones. The former refers to the member priority based on the Interface Preference list configuration. Members that are configured first in the list have higher priority over those configured last. The Priority setting is used as a tiebreaker for ECMP routes when matching the implicit SD-WAN rule.
The priority setting in manual rule configuration displayed is 0, while minimum priority setting for SD-WAN member configuration (interface) is 1
upvoted 1 times

themageofsec 3 months, 3 weeks ago
Selected Answer: AC
A, C are correct
upvoted 1 times

ducduc95 4 months, 1 week ago
Selected Answer: CD
Answers are C & D
upvoted 3 times

LULU23 4 months, 3 weeks ago
A and C is correct
upvoted 1 times

driguilim 5 months ago
Selected Answer: AC
A and C is correct
upvoted 2 times

cstevens97 5 months ago
The answer is A and C
upvoted 1 times

mordechayd 5 months ago
Selected Answer: AC
A and C, priority (on interface preferences) not considered on Manual strategy in sdwan rule
upvoted 3 times

Michael348 5 months ago
A and C. Regular policy routes have priority, so this would take priority. There's no valid route for member 1 in the rule, so C as well.
upvoted 1 times

Question #13 Topic 1

Refer to the exhibit.

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)

A. FortiGate flushes all sessions.

B. FortiGate terminates the old sessions.

C. FortiGate does not change existing sessions.

D. FortiGate evaluates new sessions.

Correct Answer: CD

Community vote distribution
CD (100%)

themageofsec 3 months, 3 weeks ago
Selected Answer: CD
C, D are correct.
Study Guide 7.0 page 135.
Study Guide 7.2 page 161.
upvoted 3 times

Tcmh 4 months ago
Selected Answer: CD
key word, new session
upvoted 1 times

JABarracus 4 months, 2 weeks ago
Selected Answer: CD
Study Guide page 135.
Fortigate evaluates only new sessions against the new firewall policy configuration and not to flag existing sessions
upvoted 1 times

cstevens97 5 months ago
Selected Answer: CD
Answer is C and D
upvoted 1 times

Michael348 5 months ago
Answer C, D
FortiGate not to flag existing impacted session as dirty by setting firewall-session-dirty to check new.
The result is that FortiGate evaluates only new sessions against the new firewall policy.
upvoted 1 times

Question #14 Topic 1

Which two statements about SD-WAN central management are true? (Choose two.)

A. The objects are saved in the ADOM common object database.

B. It does not support meta fields.

C. It uses templates to configure SD-WAN on managed devices.

D. It supports normalized interfaces for SD-WAN member configuration.

Correct Answer: CD

Community vote distribution
AC (100%)

themageofsec 3 months, 3 weeks ago
Selected Answer: AC
A,C are correct.
Study Guide 7.0, page 36.
Study Guide 7.2, page 43.
upvoted 2 times

LULU23 4 months, 3 weeks ago
Selected Answer: AC
A and C correct
upvoted 1 times

DeckedFern 4 months, 3 weeks ago
Selected Answer: AC
Study guide 7.0 Page 36
upvoted 1 times

cstevens97 5 months ago
Selected Answer: AC
Normalized interfaces are not supported for SD-WAN templates. You can create multiple SD-WAN zones and add interface members to the SD-WAN zones. You must bind the interface members by name to physical interfaces or VPN interfaces.
https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-new-features/794804/new-sd-wan-template-fmg
upvoted 1 times

Michael348 5 months ago
A and C. SD-WAN objects are stored in ADOM common object database and "central management" indicates templates will be used.
upvoted 2 times

Question #15 Topic 1

Refer to the exhibit.

Which conclusion about the packet debug flow output is correct?

A. The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

B. The packet size exceeded the outgoing interface MTU.

C. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

D. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Correct Answer: C

Community vote distribution
C (100%)

JABarracus 4 months, 2 weeks ago
Selected Answer: C
In a Per-IP shaper configuration, if an IP address exceeds the configured concurrent session limit, the message "Denied by quota check" appears.
SD-WAN 7.0 Study Guide page 287
upvoted 1 times

Question #16 Topic 1

Which are two benefits of using CLI templates in FortiManager? (Choose two.)

A. You can reference meta fields.

B. You can configure interfaces as SD-WAN members without having to remove references first.

C. You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

D. You can configure advanced CLI settings.

Correct Answer: AD

Community vote distribution


AD (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: AD

A,D are correct.


Study Guide 7.0, page 42.
Study Guide 7.2, page 52.
upvoted 1 times

  draven76 4 months, 1 week ago

Selected Answer: AD

Official study guide, page 42; "CLI templates are useful for pushing advanced CLI settings that reference meta fields."
upvoted 1 times

  Michael348 5 months ago


Answer A and D.
Useful for:
- Configuring advanced settings
- Referencing meta fields
upvoted 2 times

Question #17 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status.

If port2 is detected dead by FortiGate, what is the expected behavior?

A. Port2 becomes alive after three successful probes are detected.

B. FortiGate removes all static routes for port2.

C. The administrator manually restores the static routes for port2, if port2 becomes alive.

D. Host 8.8.8.8 is reachable through port1 and port2.

Correct Answer: B

Community vote distribution


B (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: B

B is correct
Study Guide 7.0, page 96.
Study Guide 7.2, page 113.
upvoted 1 times

  Welisson2 4 months ago

Selected Answer: B

B is correct
upvoted 1 times

  cstevens97 5 months ago

Selected Answer: B

Any static route for port 2 will be gone due to the configuration listed.
upvoted 1 times

  mhizha 4 months, 1 week ago


Which configuration exactly would cause that? "update static route" or the "cascade interface"
upvoted 1 times

  Tcmh 4 months ago


update static route
cascade interface is another function
upvoted 1 times

  Michael348 5 months ago


B. FortiGate removes all static routes for port2.
- This is because Update static route is enabled, which removes the static route entry referencing the interface if the interface is dead
upvoted 2 times

Question #18 Topic 1

Refer to the exhibit.

The device exchanges routes using IBGP.

Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)

A. Each BGP route is three hops away from the destination.

B. ibgp-multipath is disabled.

C. additional-path is enabled.

D. You can run the get router info routing-table database command to display the additional paths.

Correct Answer: AB

Community vote distribution


CD (100%)

  Michael348 Highly Voted  5 months ago


Answer C and D.
C - the [3] means that additional-path is enabled, which makes the duplicate routes consolidated in the routing table
D - get router info routing table database - shows duplicate routes without the [3]
upvoted 5 times

  themageofsec Most Recent  3 months, 3 weeks ago

Selected Answer: CD

C,D are correct.


Study Guide 7.0, pages 222 - 224.
Study Guide 7.2, pages 252 - 254 .
upvoted 3 times

  Welisson2 4 months ago


Selected Answer: CD

C, D is correct
upvoted 1 times

  DeckedFern 4 months, 3 weeks ago


Selected Answer: CD

C and D are correct


upvoted 2 times

  cstevens97 5 months ago

Selected Answer: CD

C and D are correct


upvoted 2 times

  driguilim 5 months ago

Selected Answer: CD

C and D is correct
upvoted 3 times

  Michael348 5 months ago


C and D because A and B are incorrect.
upvoted 3 times

Question #19 Topic 1

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

A. It provides the benefits of a full-mesh topology in a hub-and-spoke network.

B. It provides direct connectivity between spokes by creating shortcuts.

C. It enables spokes to bypass the hub during shortcut negotiation.

D. It enables spokes to establish shortcuts to third-party gateways.

Correct Answer: AB

Community vote distribution


AB (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: AB

A,B are correct


upvoted 1 times

  Tcmh 4 months ago


A, B correct
ADVPN first packet will pass through hub, so C is wrong
ADVPN is Fortinet protocol, no other vendor, so D is wrong
upvoted 2 times

  cstevens97 5 months ago

Selected Answer: AB

A and B are correct.


upvoted 1 times

Question #20 Topic 1

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

A. All traffic from a source IP to a destination IP is sent to the same interface.

B. All traffic from a source IP is sent to the same interface.

C. All traffic from a source IP is sent to the most used interface.

D. All traffic from a source IP to a destination IP is sent to the least used interface.

Correct Answer: B

Community vote distribution


A (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: A

A is correct
Study Guide 7.0, page 149.
Study Guide 7.2, page 176.
upvoted 2 times

  Welisson2 4 months ago

Selected Answer: A

A is correct
upvoted 1 times

  G33 4 months, 2 weeks ago


A
By default, when no SD-WAN rule is matched, it uses a source-IP load balancing algorithm, BUT from the exhibit it has been changed to Source-Destination IP, so A is the correct answer
set load-balance-mode source-dest-ip-based
upvoted 1 times

  shmoneyyy100 4 months, 3 weeks ago


Selected Answer: A

A. because the selected algorithm is source-dest-ip-based


upvoted 1 times

  shmoneyyy100 4 months, 3 weeks ago


Isn't B the answer because the question says "does not match any of the SD-WAN rules?" Source IP - The default algorithm.
upvoted 1 times

  driguilim 5 months ago

Selected Answer: A

Page 149 from study guide


upvoted 1 times

  mordechayd 5 months ago

Selected Answer: A

A. like ecmp - src-dst is 2 tuple hash that match all session between pair of hosts and assign
them to the same interface
upvoted 1 times

  Michael348 5 months ago


Answer A
FortiGate sends sessions with the same source and destination IP pair to the same member (Interface)
upvoted 1 times

  Michael348 5 months ago


A. Page 195 on Study Guide.
upvoted 1 times

Question #21 Topic 1

Refer to the exhibits.

Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)

A. FortiGate does not install IPsec static routes for remote protected networks in the routing table.

B. The phase 1 configuration supports the network-overlay setting.

C. FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

D. Dead peer detection is disabled.

Correct Answer: AC

Community vote distribution


AB (69%) AC (23%) 8%

  karak008 Highly Voted  4 months, 2 weeks ago

Selected Answer: AB

D is false
C is false because there is no auto-discovery-receiver or sender so ADVPN is not configured
Has to be A and B
upvoted 5 times

  furymistrz 2 months, 3 weeks ago


Agree. And answer A is correct cause add-route is disabled, and B is correct as configuration "SUPPORTS" the network-overlay settings as it's
IKEv2.
upvoted 2 times

  ilbartonicola Most Recent  2 months, 1 week ago

Selected Answer: AB

A is correct cause add-route is disabled


B is correct as configuration "SUPPORTS" the network-overlay settings as it's IKEv2, dont ask that is enable only if it supports
C is false because there is no auto-discovery-receiver or sender so ADVPN is not configured
D is false because DPD on-demand is configured
upvoted 2 times

  Dogbert 2 months, 3 weeks ago


Selected Answer: AC

D is configured and B is not enabled so AC


upvoted 1 times

  themageofsec 3 months, 3 weeks ago


Selected Answer: BC

DPD is enable such as "on demand".


And instead in the config contains "add-route disable", in the diagnose output we can see the dst selector different of "0.0.0.0-255.255.255.255"
and in the line above, the parameter "add-route".
upvoted 1 times

  draven76 4 months, 1 week ago


Selected Answer: AB

The question asks if the config SUPPORTS (not if it's already enabled) "network-overlay" setting. It's true because the phase1-interface is configured
as IKE v2 (IKE v1 doesn't, you can test in any Fortigate just editing a fake phase1-interface). C and D are false (read other comments), so it's A & B.
upvoted 2 times

  JABarracus 4 months, 2 weeks ago

Selected Answer: AC

B is false because "set network-overlay enable" is not configured in the phase1


D is false because DPD on-demand is configured
upvoted 2 times

Question #22 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate.

Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)

A. FortiGate flags the sessions as dirty.

B. FortiGate continues routing the sessions with no SNAT, over port2.

C. FortiGate performs a route lookup for the original traffic only.

D. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Correct Answer: AD

Community vote distribution


AD (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: AD

A,D are correct


upvoted 1 times

  Welisson2 4 months ago

Selected Answer: AD

A, D is correct
upvoted 1 times

Question #23 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube.

Exhibit B shows the firewall policy configuration and the underlay zone status.

Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)

A. The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

B. FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

C. FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

D. Non-TCP Facebook and YouTube traffic are not used for performance measurement.

Correct Answer: AD

Community vote distribution


AD (75%) AB (25%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: AD

A,D are correct


Study Guide 7.0, pages 88 - 89.
Study Guide 7.2, pages 103 - 104.

Another comment said "because without using application Control on the firewall policy, SDWAN can't work" but there is a app control "default"
defined on config.
upvoted 4 times

  Yekoy 4 months ago

Selected Answer: AD

D is correct - SD-WAN_7.0_Study_Guide p.88


upvoted 1 times

  Yekoy 4 months ago

Selected Answer: AD

If B is correct it should include latency. Since it didn't mention latency, it indicates that latency can be measured, so the argument contradicts itself.
upvoted 1 times

  ducduc95 4 months, 1 week ago

Selected Answer: AB

B because without using "application Control" on the firewall policy, SDWAN can't work with YouTube and Facebook configured
upvoted 2 times

Question #24 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration.

Based on the exhibits, which two statements are correct? (Choose two.)

A. FortiGate updated the outgoing interface list on the rule so it prefers port2.

B. Port2 has the highest member priority.

C. Port2 has a lower latency than port1.

D. SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

Correct Answer: AC

Community vote distribution


AC (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: AC

A,C are correct


upvoted 1 times

  Tcmh 4 months ago


B is obviously incorrect
D is not correct, in cli it is using set mode priority = best quality
so AC are correct
upvoted 1 times

  JABarracus 4 months, 2 weeks ago

Selected Answer: AC

AC correct. Fortigate updates the priority member due to latency


upvoted 2 times

Question #25 Topic 1

Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth?

A. Interface-based shaping mode

B. Reverse-policy shaping mode

C. Shared-policy shaping mode

D. Per-IP shaping mode

Correct Answer: A

Community vote distribution


A (100%)

  Tcmh 4 months ago

Selected Answer: A

study guide page 264, interface based


upvoted 1 times

  Michael348 5 months ago


Answer A.
Interface-based shaping
Interface-based shaping goes further, enabling traffic controls based on percentage of the interface bandwidth.
upvoted 1 times

Question #26 Topic 1

Which two interfaces are considered overlay links? (Choose two.)

A. LAG

B. IPsec

C. Physical

D. GRE

Correct Answer: BD

Community vote distribution


BD (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: BD

B,D are correct


upvoted 1 times

  Tcmh 4 months ago

Selected Answer: BD

IPsec and GRE build based on underlay


upvoted 1 times

  Welisson2 4 months, 2 weeks ago


B and D correct
upvoted 1 times

  JABarracus 4 months, 2 weeks ago


Selected Answer: BD

IPSEC and GRE are overlay


LAG and Physical are underlay
upvoted 1 times

Question #27 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.

When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.

Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

A. Enable auxiliary-session under config system settings.

B. Disable tcp-session-without-syn under config system settings.

C. Enable snat-route-change under config system global.

D. Disable allow-subnet-overlap under config system settings.

Correct Answer: B

Community vote distribution


A (100%)

  HKITer 2 weeks, 6 days ago

Selected Answer: A

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/14295/controlling-return-path-with-auxiliary-session
upvoted 1 times

  ccaiccie 2 months, 3 weeks ago


What study guide are you guys referring to?
upvoted 2 times

  themageofsec 3 months, 3 weeks ago

Selected Answer: A

A is correct
Study Guide 7.0, pages 130 - 131
Study Guide 7.2, pages 156 - 157
upvoted 1 times

  DeckedFern 4 months, 3 weeks ago

Selected Answer: A

Correct answer is A. Study guide 7.0 page 130


upvoted 1 times

  cstevens97 5 months ago


Selected Answer: A

Controlling return path with auxiliary session


When multiple incoming or outgoing interfaces are used in ECMP or for load balancing, changes to routing, incoming, or return traffic interfaces
impacts how an existing sessions handles the traffic. Auxiliary sessions can be used to handle these changes to traffic
patterns.
https://docs.fortinet.com/document/fortigate/7.0.11/administration-guide/14295/controlling-return-path-with-auxiliary-session
upvoted 1 times

  [Removed] 5 months ago


Answer A. To be the alternative "B" would have to disable the anti-replay
upvoted 1 times

  driguilim 5 months ago


Sorry, I mean "B" is correct. Page 139.
upvoted 1 times

  driguilim 5 months ago


A is correct. Page 139 from study guide.
upvoted 1 times

  Michael348 5 months ago


Answer A.
as it will allow the replied traffic from dc1_fgt to be on T_INET_1_0 if that is the preferred member on dc1_fgt. traffic can continue to offload the
asymmetric traffic because it matches the auxiliary session (reflect session)
upvoted 1 times

Question #28 Topic 1

What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.)

A. The ISDB is dynamically updated and reduces administrative overhead.

B. The ISDB requires application control to maintain signatures and perform load balancing.

C. The ISDB applies rules to traffic from specific sources, based on application type.

D. The ISDB contains the IP addresses and port ranges of well-known internet services.

Correct Answer: AD

Community vote distribution


AD (100%)

  Ouma 4 weeks ago

Selected Answer: AD

A,D are correct


upvoted 1 times

  themageofsec 3 months, 3 weeks ago

Selected Answer: AD

A,D are correct


Study Guide 7.0, page 156
Study Guide 7.2, page 184
upvoted 2 times

  Tcmh 4 months ago

Selected Answer: AD

study guide page 156


upvoted 1 times

Question #29 Topic 1

Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke.

What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?

A. You must set ike-version to 1.

B. You must enable net-device.

C. You must enable auto-discovery-sender.

D. You must disable idle-timeout.

Correct Answer: C

Community vote distribution


B (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: B

B are correct
Study guide 7.0 below
Study guide 7.2, pages 242 and 270
upvoted 2 times

  draven76 4 months, 1 week ago

Selected Answer: B

"B" is the right one, official study guide, pages 215 and 239
upvoted 1 times

  DeckedFern 4 months, 3 weeks ago

Selected Answer: B

B is correct.
upvoted 1 times

  cstevens97 5 months ago


Selected Answer: B

This is a SPOKE so it must be a receiver, not a sender, so answer 'C' is out.


set net-device enable - Creates a dialup tunnel
upvoted 1 times

  driguilim 5 months ago

Selected Answer: B

I mean, for spoke you must enable "auto-discovery-receiver". So B is correct.


upvoted 1 times

  driguilim 5 months ago

Selected Answer: B

"C" is incorrect.
Auto-discovery-sender must be enabled on HUB (Pag. 237 - Study Guide).

"B" is correct. Page 239 Study Guide.


For SPOKE you need to configure "net-device Enable" and "auto-discovery-sender Enable".
upvoted 2 times

  mordechayd 5 months ago

Selected Answer: B

The correct answer is B , according to study guide page 241 (7.2)


upvoted 2 times

Question #30 Topic 1

Which statement is correct about SD-WAN and ADVPN?

A. Routes for ADVPN shortcuts must be manually configured.

B. SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.

C. SD-WAN does not monitor the health and performance of ADVPN shortcuts.

D. You must use IKEv2 on IPsec tunnels.

Correct Answer: B

Community vote distribution


B (100%)

  Tcmh 4 months ago

Selected Answer: B

7.0 study guide page 235


upvoted 1 times

  draven76 4 months, 1 week ago

Selected Answer: B

Official study guide, page 6, last paragraph.


upvoted 1 times

Question #31 Topic 1

What is the route-tag setting in an SD-WAN rule used for?

A. To indicate the routes for health check probes.

B. To indicate the destination of a rule based on learned BGP prefixes.

C. To indicate the routes that can be used for routing SD-WAN traffic.

D. To indicate the members that can be used to route SD-WAN traffic.

Correct Answer: B

Community vote distribution


B (100%)

  dosoriomartins 1 month, 2 weeks ago


B. Page 163 Study guide 7.0
upvoted 1 times

  cstevens97 5 months ago

Selected Answer: B

Communities are learned from BGP routing.


upvoted 1 times

Question #32 Topic 1

Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?

A. When T_INET_0_0 and T_MPLS_0 have the same latency.

B. When T_MPLS_0 has a latency of 100 ms.

C. When T_INET_0_0 has a latency of 250 ms.

D. When T_N1PLS_0 has a latency of 80 ms.

Correct Answer: D

Community vote distribution


D (63%) B (38%)

  TheUsD 2 days, 7 hours ago

Selected Answer: B

Not sure why people are posting "D" as the answer. It is not an interface showing on the exhibits. Because of this, "B" "When T_MPLS_0 has a
latency of 100 ms." should be the correct answer. Did someone make a major typo?
upvoted 1 times

  TheUsD 2 days, 7 hours ago


Not sure why people are posting "D" as the answer. It is not an interface showing on the exhibits. Because of this, "B" "When T_MPLS_0 has a
latency of 100 ms." should be the correct answer. Did someone make a major typo?
upvoted 1 times

  shinichi18 2 weeks, 2 days ago

Selected Answer: B

T_N1PLS_0? where?
upvoted 2 times

  themageofsec 3 months, 3 weeks ago

Selected Answer: D

D is correct
Study Guide 7.0, page 174
Study Guide 7.2, page 200
upvoted 1 times

  Tcmh 4 months ago

Selected Answer: D

D
Link-cost-threshold = 10
so actual latency of INT_0_0 = 101.349 * 0.9 = 91.2141
so Int_MPLS less than 91.2141 to take over, so D is correct
upvoted 1 times

  Welisson2 4 months ago


Selected Answer: D

D is correct
upvoted 1 times

  draven76 4 months, 1 week ago


Selected Answer: D

Official study guide, page 174. link-cost-threshold is set to 10 (percent) so the other link must have a latency of less than 90% of the preferred link
upvoted 1 times

  draven76 4 months, 1 week ago


Official study guide, page 174. link-cost-threshold is set to 10 (percent) so the other link must have a latency of less than 90% of the preferred link
upvoted 1 times

  cstevens97 5 months ago

Selected Answer: D

D is the correct answer.


upvoted 1 times

Question #33 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.

The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.

Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?

A. Destination internet service must be enabled on the traffic shaping policy.

B. Application control must be enabled on the firewall policy.

C. Web filtering must be enabled on the firewall policy.

D. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Correct Answer: B

Community vote distribution


B (100%)

  themageofsec 3 months, 3 weeks ago


Selected Answer: B

B is correct
upvoted 1 times

  Tcmh 4 months ago


Selected Answer: B

Application control missing


answer is B
upvoted 1 times

  cstevens97 5 months ago

Selected Answer: B

Application control must be enabled


upvoted 1 times

  driguilim 5 months ago


B is correct. Page 269 from study guide.
upvoted 1 times

Question #34 Topic 1

Which are three key routing principles in SD-WAN? (Choose three.)

A. FortiGate performs route lookups for new sessions only.

B. Regular policy routes have precedence over SD-WAN rules.

C. SD-WAN rules have precedence over ISDB routes.

D. By default, SD-WAN members are skipped if they do not have a valid route to the destination.

E. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

Correct Answer: ABD

Community vote distribution


BDE (100%)

  themageofsec 3 months, 3 weeks ago

Selected Answer: BDE

B,D,E are correct


Study Guide 7.0, such as below.
Study Guide 7.2, pages 125, 129, 151
upvoted 2 times

  Welisson2 4 months ago


B, D, E is correct
upvoted 1 times

  draven76 4 months, 1 week ago

Selected Answer: BDE

Sorry, page 104


upvoted 1 times

  draven76 4 months, 1 week ago

Selected Answer: BDE

Page 103 of the study guide.


upvoted 1 times

  cstevens97 5 months ago


Selected Answer: BDE

B - Correct - Regular policy routes have precedence over SD-WAN rules.


D - Correct - A valid route must be in the route table (tested in my lab)
E - Correct - if a better route exist in the route table the SD-WAN rule will be skipped (tested in my lab)
A - Incorrect - route lookup are after route changes
C - Incorrect - ISDB routes become policy routes, which take precedence over SD-WAN rules
upvoted 1 times

  matrixneo 5 months ago

Selected Answer: BDE

study guide page 125

BDE correct
upvoted 1 times

  Michael348 5 months ago


Answer B, C, D
Page 104 Study Guide
A - should not be correct.
FortiGate Performs route look up for both original and reply traffic.
Dirty session re-evaluated that also take route-lookup.

B - Correct - Regular policy routes have precedence over SD-WAN rules.


C and D - Correct
By default, SD-WAN rules are skipped if:
- Best route to destination isn't an SD-WAN member
- None of the members have a valid route to destination
upvoted 2 times

  draven76 4 months, 1 week ago

so it's B, D, E
upvoted 1 times

  driguilim 5 months ago


I agree with you! There is no explanation in the Study Guide for letter "A" to be correct, so the correct is "B, C, D".
upvoted 1 times

  Tcmh 4 months ago


C is incorrect, 7.0 study guide p.108
ISDB route with precedence to SDWAN rule
upvoted 1 times

Question #35 Topic 1

Refer to the exhibit.

Based on the output, which two conclusions are true? (Choose two.)

A. There is more than one SD-WAN rule configured.

B. The SD-WAN rules take precedence over regular policy routes.

C. The all_rules rule represents the implicit SD-WAN rule.

D. Entry 1(id=1) is a regular policy route.

Correct Answer: AD

Community vote distribution


AD (100%)

  Tcmh 3 months, 1 week ago

Selected Answer: AD

B is wrong, Policy route over SDWAN


C is wrong, implicit rule with ID=0
upvoted 1 times

  themageofsec 3 months, 3 weeks ago


Selected Answer: AD

A,D are correct


upvoted 1 times

  Welisson2 4 months ago


A , D is correct
upvoted 1 times

Question #36 Topic 1

Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)

A. When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.

B. SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.

C. SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.

D. Member metrics are measured only if an SLA target is configured.

Correct Answer: BC

Community vote distribution


BC (50%) BD (50%)

  karumiathi 4 days, 9 hours ago

Selected Answer: BC

page 216
upvoted 1 times

  ninjanaja 1 week, 6 days ago

Selected Answer: BD

I think B, D
upvoted 1 times

  ninjanaja 1 week, 4 days ago


B and D
upvoted 1 times

  Veeta 2 weeks ago


B,D
C incorrect because SLA targets are optional, however, SLA targets are used by Lowest Cost and Maximize Bandwidth rule strategies
upvoted 1 times

  kalopilo 2 weeks, 2 days ago


Answer should be B, D.
upvoted 1 times

Question #37 Topic 1

What does enabling the exchange-interface-ip setting enable FortiGate devices to exchange?

A. The gateway address of their IPsec interfaces

B. The tunnel ID of their IPsec interfaces

C. The IP address of their IPsec interfaces

D. The name of their IPsec interfaces

Correct Answer: C

  HKITer 2 weeks, 6 days ago


C
The exchange-interface-ip option is enabled to allow the exchange of IPsec interface IP addresses. This allows a point to multipoint connection to
the hub FortiGate.
upvoted 2 times

Question #38 Topic 1

Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members?

A. diagnose sys sdwan zone

B. diagnose sys sdwan service

C. diagnose sys sdwan member

D. diagnose sys sdwan interface

Correct Answer: C

Community vote distribution


A (100%)

  Bob_1515 2 weeks, 4 days ago


A - page 89 study guide 7.2
upvoted 1 times

  mrinmoy1971 4 weeks ago

Selected Answer: A

Answer is# A
upvoted 2 times

  mrinmoy1971 4 weeks ago


Answer is# A

SD-WAN 7.0 Study Guide | Page 73

diagnose sys sdwan zone displays the configured zones and their members. Note that the output
indicates the kernel interface index number of a member, which should match the index displayed by
diagnose netlink interface list.
upvoted 3 times

  Morcego74 4 weeks, 1 day ago

Selected Answer: A

A is the correct answer


upvoted 1 times

  SuporteKsecurity 4 weeks, 1 day ago

Selected Answer: A

A, tested on lab
upvoted 2 times

Question #39 Topic 1

Refer to the exhibits.

Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.

The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.

Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)

A. On the receiver FortiGate, packet-de-duplication is enabled.

B. The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.

C. The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.

D. On the sender FortiGate, duplication-max-num is set to 3.

Correct Answer: AD

Community vote distribution


AD (100%)

  kalopilo 2 weeks, 2 days ago


Selected Answer: AD

Refer to Study Guide 7.2 Page 259 -260

upvoted 1 times

Question #40 Topic 1

Refer to the exhibit.

Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)

A. Cost

B. Interface member

C. Priority

D. Gateway IP

Correct Answer: BD

  BetoHernandezz 1 week, 4 days ago


7.0 Study Guide - Page 37
upvoted 1 times

Question #41 Topic 1

Which statement about using BGP for ADVPN is true?

A. IBGP is preferred over EBGP, because IBGP preserves next hop information.

B. You must use BGP to route traffic for both overlay and underlay links.

C. You must configure BGP communities.

D. You must configure AS path prepending.

Correct Answer: A

Question #42 Topic 1

Refer to the exhibits.

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.

After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.

Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

A. FortiGate did not refresh the routing information on the session after the application was detected.

B. Port1 and port2 do not have a valid route to the destination.

C. Full SSL inspection is not enabled on the matching firewall policy.

D. The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Correct Answer: AC

  xxismailh0 2 weeks, 2 days ago

Selected Answer: AD

Study guide 7.2 Page 191


upvoted 1 times

  shinichi18 2 weeks, 2 days ago


Shouldn't it be D? Which ones would be correct?
upvoted 1 times

Question #43 Topic 1

Refer to the exhibit.

Which are two expected behaviors of the traffic that matches the traffic shaper? (Choose two.)

A. The number of simultaneous connections among all source IP addresses cannot exceed five connections.

B. The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.

C. The number of simultaneous connections allowed for each source IP address cannot exceed five connections.

D. The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

Correct Answer: CD

Question #44 Topic 1

Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.)

A. FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.

B. By default, local-out traffic does not use SD-WAN.

C. By default, FortiGate does not check if the selected member has a valid route to the destination.

D. You must configure each local-out feature individually, to use SD-WAN.

Correct Answer: BD

  kalopilo 2 weeks, 2 days ago

Selected Answer: BD

Study guides refer 7.2 Page; 175


upvoted 2 times

Question #45 Topic 1

Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)

A. Type of physical link connection

B. Internet service database (ISDB) address object

C. Source and destination IP address

D. URL categories

E. Application signatures

Correct Answer: BCE

Question #46 Topic 1

Refer to the exhibit.

Which conclusion about the packet debug flow output is correct?

A. The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

B. The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

C. The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

D. The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

Correct Answer: D

Question #47 Topic 1

Refer to the exhibit.

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.

Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes prefixes and their additional paths? (Choose three.)

A. Set additional-path to send

B. Enable route-reflector-client

C. Set advertisement-interval to the number of additional paths to advertise

D. Set adv-additional-path to the number of additional paths to advertise

E. Enable soft-reconfiguration

Correct Answer: ABC

  borghetti79 3 days, 12 hours ago

Selected Answer: ABD

Study Guide 7.0 - Page 223.


upvoted 1 times

  xxismailh0 2 weeks, 2 days ago

Selected Answer: ABD

Study Guide 7.2 - Page 240. However, advertisement-interval is used to speed up the convergence (study guide - 7.2)
upvoted 1 times

  Bob_1515 2 weeks, 5 days ago


ABD - adv-additional-path used to advertise additional paths while advertisement-interval used for speeding up conversion.
upvoted 1 times

  HKITer 2 weeks, 6 days ago


Selected Answer: ABD

ABD is correct
upvoted 2 times

  dacula 1 month ago


Selected Answer: ABD

ABD is correct
upvoted 3 times

  dacula 1 month ago


ABD is correct
upvoted 3 times

Question #48 Topic 1

Refer to the exhibit.

Which statement explains the output shown in the exhibit?

A. FortiGate performed standard FIB routing on the session.

B. FortiGate will not re-evaluate the session following a firewall policy change.

C. FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.

D. FortiGate must re-evaluate the session due to routing change.

Correct Answer: D

Question #49 Topic 1

Refer to the exhibit.

The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.)

A. The reply direction of the asymmetric traffic flows from port2 to port3.

B. The auxiliary session can be offloaded to hardware.

C. The original direction of the symmetric traffic flows from port3 to port2.

D. The main session cannot be offloaded to hardware.

Correct Answer: AB

  xxismailh0 2 weeks, 2 days ago


Selected Answer: AB

AB Correct
dev=7-> 6/6->7
study guide 7.2 Page 156
upvoted 1 times

Question #50 Topic 1

Refer to the exhibit.

In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling the anti-replay setting on the hubs?

A. It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

B. It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

C. It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

D. It instructs the hub to skip content inspection on TCP traffic, to improve performance.

Correct Answer: B

  xxismailh0 2 weeks, 2 days ago

Selected Answer: B

Page: 164 on 7.2 Guide.


upvoted 1 times

  kalopilo 2 weeks, 2 days ago

Selected Answer: B

Page: 164 on 7.2 Guide.


upvoted 1 times

Question #51 Topic 1

Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?

A. hold-down-time

B. link-down-failover

C. auto-discovery-shortcuts

D. idle-timeout

Correct Answer: A

  xxismailh0 2 weeks, 2 days ago

Selected Answer: A

wait until the hold down time passes and then take action. Accurate monitoring
upvoted 1 times

  kalopilo 2 weeks, 2 days ago


Selected Answer: A

Page 285 Guide 7.2


upvoted 1 times

Question #52 Topic 1

Refer to the exhibit.

Which statement about the role of the ADVPN device in handling traffic is true?

A. This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.

B. Two hubs, 10.0.1.101 and 10.0.2.101, are receiving and forwarding queries between each other.

C. This is a hub that has received a query from a spoke and has forwarded it to another spoke.

D. Two spokes, 192.2.0.1 and 10.0.2.101, forward their queries to their hubs.

Correct Answer: C

  BetoHernandezz 1 week, 2 days ago


Study Guide 7.0 - Page 249
upvoted 1 times

Question #53 Topic 1

Refer to the exhibit.

Based on the exhibit, which two actions does FortiGate perform on traffic passing through port2? (Choose two.)

A. FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change.

B. FortiGate performs routing lookups for new sessions only, after a route change.

C. FortiGate always blocks all traffic, after a route change.

D. FortiGate flushes all routing information from the session table, after a route change.

Correct Answer: AB

  kalopilo 2 weeks, 2 days ago

Selected Answer: AB

Page : 359 on 7.2 Guide


upvoted 1 times

Question #54 Topic 1

What is a benefit of using application steering in SD-WAN?

A. The traffic always skips the regular policy routes.

B. You steer traffic based on the detected application.

C. You do not need to enable SSL inspection.

D. You do not need to configure firewall policies that accept the SD-WAN traffic.

Correct Answer: B

Question #55 Topic 1

Which two statements about the SD-WAN zone configuration are true? (Choose two.)

A. The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.

B. You can delete the default zones.

C. The default zones are virtual-wan-link and SASE.

D. An SD-WAN member can belong to two or more zones.

Correct Answer: AC

  Learner60 2 weeks, 1 day ago

Selected Answer: AC

"The default SD-WAN zones are virtual-wan-link and SASE."


https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/942095/sd-wan-zones

This may vary with firmware version.


upvoted 1 times

  xxismailh0 2 weeks, 2 days ago


Selected Answer: AD

SASE is not a default Zone


upvoted 1 times

  ninjanaja 1 week, 5 days ago


SASE is Default Zone
https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/942095/sd-wan-zones
upvoted 1 times

Question #56 Topic 1

What are two common use cases for remote internet access (RIA)? (Choose two.)

A. Provide direct internet access on spokes

B. Provide internet access through the hub

C. Centralize security inspection on the hub

D. Provide thorough inspection on spokes

Correct Answer: BC

  BetoHernandezz 1 week, 2 days ago


Study Guide 7.0 - Page 12
upvoted 1 times

Question #57 Topic 1

Refer to the exhibit.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.

Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

A. On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.

B. On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.

C. auto-discovery-forwarder must be enabled on all IPsec VPNs.

D. On the hubs, net-device must be enabled on all IPsec VPNs.

Correct Answer: AB

  kalopilo 2 weeks, 2 days ago


Selected Answer: AB

Page 269: 7.2 Guide


upvoted 1 times

Question #58 Topic 1

Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member?

A. When all three members have the same packet loss.

B. When T_INET_0_0 has 4% packet loss.

C. When T_INET_0_0 has 12% packet loss.

D. When T_INET_1_0 has 4% packet loss.

Correct Answer: A

Question #59 Topic 1

Refer to the exhibit.

Based on the exhibit, which action does FortiGate take?

A. FortiGate bounces port5 after it detects all SD-WAN members as dead.

B. FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

C. FortiGate brings up port5 after it detects all SD-WAN members as alive.

D. FortiGate brings down port5 after it detects all SD-WAN members as dead.

Correct Answer: B

  07blaaack 2 weeks, 4 days ago

Selected Answer: D

The answer is D
upvoted 1 times

  Bob_1515 2 weeks, 5 days ago


D - Member state change Actions - Cascade INT - Alert INT is down if all members are dead page 115-116 (7.2 study guide)
upvoted 1 times

  HKITer 2 weeks, 6 days ago

Selected Answer: D

This feature extends fail-detect to aggregate and redundant interfaces. When an aggregate or a redundant interface goes down, the corresponding
fail-alert-interface will be changed to down. When the aggregate or redundant interface comes up, the corresponding fail-alert-interface will be
changed to up.

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/517328/extend-interface-failure-detection-to-aggregate-interfaces
upvoted 1 times

  clauz 3 weeks, 1 day ago

Selected Answer: D

D is correct
upvoted 1 times

  mrinmoy1971 4 weeks ago

Selected Answer: D

Answer is#D
upvoted 1 times

  mrinmoy1971 4 weeks ago


D
Study guide 7.0 page 99

This slide shows the effect of Cascade Interfaces based on the configuration shown in the previous slide. If
there is at least one alive member—port1 in the example—the alert interface (port5) is up. However, if all
members are dead, port5 is brought down.
upvoted 1 times

Question #60 Topic 1

What are two benefits of using forward error correction (FEC) in IPsec VPNs? (Choose two.)

A. FEC supports hardware offloading.

B. FEC improves reliability of noisy links.

C. FEC transmits parity packets that can be used to reconstruct packet loss.

D. FEC can leverage multiple IPsec tunnels for parity packets transmission.

Correct Answer: BC

  kalopilo 2 weeks, 2 days ago

Selected Answer: BC

Page 256: Guide 7.2


upvoted 2 times

Question #61 Topic 1

Which two tasks are part of using central VPN management? (Choose two.)

A. You can configure full mesh, star, and dial-up VPN topologies.

B. You must enable VPN zones for SD-WAN deployments.

C. FortiManager installs VPN settings on both managed and external gateways.

D. You configure VPN communities to define common IPsec settings shared by all VPN gateways.

Correct Answer: AD

Question #62 Topic 1

Refer to the exhibit.

Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)

A. After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

B. During passive monitoring, FortiGate can’t detect dead members.

C. FortiGate can offload the traffic that is subject to passive monitoring to hardware.

D. FortiGate passively monitors the member if TCP traffic is passing through the member.

Correct Answer: BD
