
PassLeader - Fortinet.NSE7 SDW-7.0.Dumps.35.Q&As


Vendor: Fortinet

Exam Code: NSE7_SDW-7.0

Exam Name: Fortinet NSE 7 - SD-WAN 7.0

Version: 23.061
Question: 1

Which diagnostic command can you use to show the member utilization statistics measured by
performance SLAs for the last 10 minutes?

A. diagnose sys sdwan intf-sla-log


B. diagnose sys sdwan health-check
C. diagnose sys sdwan log
D. diagnose sys sdwan sla-log

Answer: D
Explanation:

Question: 2

Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)

A. Encapsulating Security Payload (ESP)


B. Secure Shell (SSH)
C. Internet Key Exchange (IKE)
D. Security Association (SA)

Answer: A, C
Explanation:

Question: 3

Which two settings can you configure to speed up routing convergence in BGP? (Choose two.)

A. update-source
B. set-route-tag
C. holdtime-timer
D. link-down-failover

Answer: C, D

Get Latest & Actual NSE7_SDW-7.0 Exam Questions and Answers from PassLeader.
https://www.passleader.com/
Explanation:

Question: 4

Refer to the exhibits.

Exhibit A

Exhibit B -

Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing
table, and the member status.
The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule. Based on the
exhibits, what can the administrator expect for traffic matching the SD-WAN rule?

A. The traffic will be load balanced across all three overlays.


B. The traffic will be routed over T_INET_0_0.
C. The traffic will be routed over T_MPLS_0.
D. The traffic will be routed over T_INET_1_0.

Answer: C
Explanation:

Question: 5

Refer to the exhibit.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub
2. The administrator configured ADVPN on both hub-and-spoke groups.
Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

A. London generates an IKE information message that contains the Toronto public IP address.
B. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
C. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
D. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Answer: B, D
Explanation:

Question: 6

Which two performance SLA protocols enable you to verify that the server response contains a specific value?
(Choose two.)

A. http
B. icmp
C. twamp
D. dns

Answer: A, D
Explanation:

Question: 7

Refer to the exhibit.

Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)

A. The traffic shaper drops packets if the bandwidth is less than 2500 KBps.
B. The measured bandwidth is less than 100 KBps.
C. The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.
D. The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

Answer: B, C
Explanation:

Question: 8

Refer to the exhibit.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange
routes over IPsec?

A. type must be set to static.


B. mode-cfg must be enabled.
C. exchange-interface-ip must be enabled.
D. add-route must be disabled.

Answer: D
Explanation:

To use non-IKE routes (for example, BGP or static routes), you must disable add-route, which automatically
injects kernel routes based on the phase 2 selectors from the remote site (SD-WAN_7.2_Study_Guide, page 236).

Question: 9

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

A. get router info routing-table all


B. diagnose debug application ike
C. diagnose vpn tunnel list
D. get ipsec tunnel list

Answer: B
Explanation:

Question: 10

Refer to the exhibit.

Exhibit B –

Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the
managed FortiGate.
Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an
SD-WAN zone for port1 and port2?

A. port1 is assigned a manual IP address.


B. port1 is referenced in a firewall policy.
C. port2 is referenced in a static route.
D. port1 and port2 are not administratively down.

Answer: B
Explanation:

Question: 11

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

A. The sdwan_service_id flag in the session information is 0.


B. All SD-WAN rules have the default setting enabled.
C. Traffic does not match any of the entries in the policy route table.
D. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Answer: A, C
Explanation:

Question: 12

Refer to the exhibit.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to
the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over
T_INET_0_0. However, the traffic is routed over T_INET_1_0.
Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)

A. The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.
B. T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.
C. T_INET_0_0 does not have a valid route to the destination.
D. T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

Answer: A, C
Explanation:

Question: 13

Refer to the exhibit.

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change?
(Choose two.)

A. FortiGate flushes all sessions.


B. FortiGate terminates the old sessions.
C. FortiGate does not change existing sessions.
D. FortiGate evaluates new sessions.

Answer: C, D
Explanation:

Setting firewall-session-dirty to check-new tells FortiGate not to flag existing impacted sessions as dirty. The
result is that FortiGate evaluates only new sessions against the new firewall policy.

Question: 14

Which two statements about SD-WAN central management are true? (Choose two.)

A. The objects are saved in the ADOM common object database.


B. It does not support meta fields.
C. It uses templates to configure SD-WAN on managed devices.
D. It supports normalized interfaces for SD-WAN member configuration.

Answer: AC
Explanation:

Normalized interfaces are not supported for SD-WAN templates. You can create multiple SD-WAN zones and
add interface members to the SD-WAN zones. You must bind the interface members by name to physical
interfaces or VPN interfaces.
https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-new-features/794804/new-sd-wan-template-fmg

Question: 15

Exhibit.

Which conclusion about the packet debug flow output is correct?

A. The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions
configured in the traffic shaper, and the packet was dropped.
B. The packet size exceeded the outgoing interface MTU.
C. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions
configured in the traffic shaper, and the packet was dropped.
D. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions
configured in the firewall policy, and the packet was dropped.

Answer: C
Explanation:

Question: 16

Which are two benefits of using CLI templates in FortiManager? (Choose two.)

A. You can reference meta fields.


B. You can configure interfaces as SD-WAN members without having to remove references first.
C. You can configure FortiManager to sync local configuration changes made on the managed device, to the
CLI template.
D. You can configure advanced CLI settings.

Answer: A, D
Explanation:

Question: 17

What is the route-tag setting in an SD-WAN rule used for?

A. To indicate the routes for health check probes.


B. To indicate the destination of a rule based on learned BGP prefixes.
C. To indicate the routes that can be used for routing SD-WAN traffic.
D. To indicate the members that can be used to route SD-WAN traffic.

Answer: B
Explanation:

Question: 18

Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration.
Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?

A. When T_INET_0_0 and T_MPLS_0 have the same latency.


B. When T_MPLS_0 has a latency of 100 ms.
C. When T_INET_0_0 has a latency of 250 ms.
D. When T_MPLS_0 has a latency of 80 ms.

Answer: D
Explanation:

Question: 19

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.
The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator
determines that FortiGate does not apply traffic shaping on YouTube traffic.
Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs
traffic shaping on YouTube traffic?

A. Destination internet service must be enabled on the traffic shaping policy.


B. Application control must be enabled on the firewall policy.
C. Web filtering must be enabled on the firewall policy.
D. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Answer: B
Explanation:

Question: 20

Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke.

What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?

A. You must set ike-version to 1.


B. You must enable net-device.
C. You must enable auto-discovery-sender.
D. You must disable idle-timeout.

Answer: B
Explanation:

Question: 21

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows
the system global and system settings configuration on dc1_fgt.
When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply
traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN
rule.
Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt
routes the reply traffic over T_INET_1_0?

A. Enable auxiliary-session under config system settings.


B. Disable tcp-session-without-syn under config system settings.
C. Enable snat-route-change under config system global.
D. Disable allow-subnet-overlap under config system settings.

Answer: A
Explanation:

Controlling return path with auxiliary session: When multiple incoming or outgoing interfaces are used in
ECMP or for load balancing, changes to routing, incoming, or return traffic interfaces impact how an existing
session handles the traffic. Auxiliary sessions can be used to handle these changes to traffic patterns.
https://docs.fortinet.com/document/fortigate/7.0.11/administration-guide/14295/controlling-return-path-with-auxiliary-session

Question: 22

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing
table, and the performance SLA status.
If port2 is detected dead by FortiGate, what is the expected behavior?

A. Port2 becomes alive after three successful probes are detected.


B. FortiGate removes all static routes for port2.
C. The administrator manually restores the static routes for port2, if port2 becomes alive.
D. Host 8.8.8.8 is reachable through port1 and port2.

Answer: B
Explanation:

This is because Update static route is enabled, which removes the static route entries referencing the interface
if the interface is dead.

Question: 23

Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available
bandwidth?

A. Interface-based shaping mode


B. Reverse-policy shaping mode
C. Shared-policy shaping mode
D. Per-IP shaping mode

Answer: A
Explanation:

Interface-based shaping goes further, enabling traffic controls based on percentage of the interface bandwidth.

Question: 24

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

A. All traffic from a source IP to a destination IP is sent to the same interface.


B. All traffic from a source IP is sent to the same interface.
C. All traffic from a source IP is sent to the most used interface.
D. All traffic from a source IP to a destination IP is sent to the least used interface.

Answer: A
Explanation:

Question: 25

Which are three key routing principles in SD-WAN? (Choose three.)

A. FortiGate performs route lookups for new sessions only.


B. Regular policy routes have precedence over SD-WAN rules.
C. SD-WAN rules have precedence over ISDB routes.
D. By default, SD-WAN members are skipped if they do not have a valid route to the destination.
E. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

Answer: BDE
Explanation:

Question: 26

Refer to the exhibit.

The device exchanges routes using IBGP.


Which two statements are correct about the IBGP configuration and routing information on the device? (Choose
two.)

A. Each BGP route is three hops away from the destination.


B. ibgp-multipath is disabled.
C. additional-path is enabled.
D. You can run the get router info routing-table database command to display the additional paths.

Answer: CD
Explanation:

Question: 27

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

A. It provides the benefits of a full-mesh topology in a hub-and-spoke network.


B. It provides direct connectivity between spokes by creating shortcuts.
C. It enables spokes to bypass the hub during shortcut negotiation.
D. It enables spokes to establish shortcuts to third-party gateways.

Answer: AB

Explanation:

Question: 28

Which components make up the secure SD-WAN solution?

A. Application, antivirus, and URL, and SSL inspection


B. Datacenter, branch offices, and public cloud
C. FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy
D. Telephone, ISDN, and telecom network.

Answer: C
Explanation:

Question: 29

Refer to the exhibit.

Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used
to select an outgoing interface in an SD-WAN rule? (Choose two.)

A. Set priority 10.


B. Set cost 15.
C. Set load-balance-mode source-ip-ip-based.
D. Set source 100.64.1.1.

Answer: A,B

Explanation:

Question: 30

What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process?
(Choose two.)

A. The FortiGate cloud key has not been added to the FortiGate cloud portal.
B. FortiDeploy has connected with FortiGate and provided the initial configuration to contact
FortiManager
C. The zero-touch provisioning process has completed internally, behind FortiGate.
D. FortiGate has obtained a configuration from the platform template in FortiGate cloud.
E. A factory reset performed on FortiGate.

Answer: AC
Explanation:

Question: 31

Which two statements describe how IPsec phase 1 main mode is different from aggressive mode when
performing IKE negotiation? (Choose two.)

A. A peer ID is included in the first packet from the initiator, along with suggested security policies.
B. XAuth is enabled as an additional level of authentication, which requires a username and
password.
C. A total of six packets are exchanged between an initiator and a responder instead of three packets.
D. The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Answer: BC
Explanation:

Question: 32

Refer to the exhibit.

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?

A. The type of traffic defined and allowed on firewall policy ID 1 is UDP.


B. FortiGate has terminated the session after a change on policy ID 1.
C. Changes have been made on firewall policy ID 1 on FortiGate.
D. Firewall policy ID 1 has source NAT disabled.

Answer: C
Explanation:

Question: 33

What are two reasons for using FortiManager to organize and manage the network for a group of FortiGate
devices? (Choose two.)

A. It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.


B. It improves SD-WAN performance on the managed FortiGate devices.
C. It sends probe signals as health checks to the beacon servers on behalf of FortiGate.
D. It acts as a policy compliance entity to review all managed FortiGate devices.
E. It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

Answer: AE
Explanation:

Question: 34

In the default SD-WAN minimum configuration, which two statements are correct when traffic matches the default
implicit SD-WAN rule? (Choose two.)

A. Traffic has matched none of the FortiGate policy routes.


B. Matched traffic failed RPF and was caught by the rule.
C. The FIB lookup resolved interface was the SD-WAN interface.
D. An absolute SD-WAN rule was defined and matched traffic.

Answer: AC
Explanation:

Question: 35

Refer to the exhibit.

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN.

Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to
match all possible IPsec dial-up interfaces? (Choose two.)

A. Specify a unique peer ID for each dial-up VPN interface.


B. Use different proposals between the interfaces.
C. Configure the IKE mode to be aggressive mode.
D. Use unique Diffie Hellman groups on each VPN interface.

Answer: AC
Explanation:
