Get Prepared for the Fortinet Exam with NSE 7 SD-WAN 7.2 Study Materials

Aspiring to ace the Fortinet NSE 7 SD-WAN 7.2 certification exam? SPOTO offers a comprehensive range of exam questions and answers, test questions, and exam preparation materials to help you succeed. Our meticulously crafted study resources cover every aspect of the exam syllabus, ensuring you're well-equipped to tackle the challenging questions. With our mock exams and exam resources, you can simulate the real exam environment, identify your strengths and weaknesses, and gain the confidence to pass successfully on your first attempt. Don't leave your success to chance – leverage SPOTO's proven exam preparation solutions and embark on your journey to becoming a certified SD-WAN expert today.

Question #1
Refer to the exhibit. In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling the anti-replay setting on the hubs?
A. It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance
B. It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs
C. It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance
D. It instructs the hub to skip content inspection on TCP traffic, to improve performance
Correct Answer: B
Question #2
Which two reasons make forward error correction (FEC) ideal to enable in a phase one VPN interface? (Choose two.)
A. FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy
B. Application, antivirus, and URL, and SSL inspection
C. Datacenter, branch offices, and public cloud
D. Telephone, ISDN, and telecom network
Correct Answer: CD
Question #3
Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?
A. get router info routing-table all
B. diagnose debug application ike
C. diagnose vpn tunnel list
D. get ipsec tunnel list
Correct Answer: B
Question #4
Refer to exhibits. Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy. FortiGate is not performing traffic shaping as expected, based on the policies shown in the exhibits. To correct this traffic shaping issue on FortiGate, what configuration change must be made on which policy?
A. The 10 Mbps bandwidth is shared equally among the IP addresses
B. Each IP is guaranteed a minimum 10 Mbps of bandwidth
C. FortiGate allocates each IP address a maximum 10 Mbps of bandwidth
D. A single user uses the allocated bandwidth divided by total number of users
Correct Answer: C
Question #5
Refer to the exhibit. The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.)
A. The reply direction of the asymmetric traffic flows from port2 to port3
B. The auxiliary session can be offloaded to hardware
C. The original direction of the symmetric traffic flows from port3 to port2
D. The main session cannot be offloaded to hardware
Correct Answer: AB
Question #6
Refer to the exhibit. Based on output shown in the exhibit, which two settings can be used by SD-WAN rules? (Choose two.)
A. set source 100
B. set priority 10
C. set load-balance-mode source-ip-based
D. set cost 15
Correct Answer: BC
Question #7
What is a benefit of using application steering in SD-WAN?
A. The traffic always skips the regular policy routes
B. You steer traffic based on the detected application
C. You do not need to enable SSL inspection
D. You do not need to configure firewall policies that accept the SD-WAN traffic
Correct Answer: B
Question #8
Which diagnostic command can you use to show the member utilization statistics measured by performance SLAs for the last 10 minutes?
A. diagnose sys sdwan intf-sla-log
B. diagnose sys sdwan health-check
C. diagnose sys sdwan log
D. diagnose sys sdwan sla-log
Correct Answer: D
Question #9
Refer to the exhibit. Which statement about the role of the ADVPN device in handling traffic is true?
A. This is a spoke that has received a query from a remote hub and has forwarded the response to its hub
B. Two hubs, 10
C. This is a hub that has received a query from a spoke and has forwarded it to another spoke
D. Two spokes, 192
Correct Answer: C
Question #10
Refer to the exhibits. Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy. The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic. Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?
A. Destination internet service must be enabled on the traffic shaping policy
B. Application control must be enabled on the firewall policy
C. Web filtering must be enabled on the firewall policy
D. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy
Correct Answer: B
Question #11
Which two statements about the SD-WAN zone configuration are true? (Choose two.)
A. The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination
B. You can delete the default zones
C. The default zones are virtual-wan-link and SASE
D. An SD-WAN member can belong to two or more zones
Correct Answer: AC
Question #12
Refer to the exhibit. Multiple IPsec VPNs are formed between two hub-and-spokes groups, and site-to-site between Hub 1 and Hub 2. The administrator configured ADVPN on the dual regions topology. Which two statements are correct if a user in Toronto sends traffic to London? (Choose two.)
A. The URL category must be specified on the traffic shaping policy
B. The shaper mode must be applied per-IP shaper on the traffic shaping policy
C. The web filter profile must be enabled on the firewall policy
D. The application control profile must be enabled on the firewall policy
Correct Answer: AD
Question #13
Refer to the exhibit. Based on the exhibit, which action does FortiGate take?
A. FortiGate bounces port5 after it detects all SD-WAN members as dead
B. FortiGate fails over to the secondary device after it detects all SD-WAN members as dead
C. FortiGate brings up port5 after it detects all SD-WAN members as alive
D. FortiGate brings down port5 after it detects all SD-WAN members as dead
Correct Answer: B
Question #14
Refer to the exhibits. Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups. Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)
A. type must be set to static
B. mode-cfg must be enabled
C. exchange-interface-ip must be enabled
D. add-route must be disabled
Correct Answer: BD
Question #15
Refer to the exhibit. The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths. Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes pr
A. Set additional-path to send
B. Enable route-reflector-client
C. Set advertisement-interval to the number of additional paths to advertise
D. Set adv-additional-path to the number of additional paths to advertise
E. Enable soft-reconfiguration
Correct Answer: ABC
Question #16
Refer to the exhibit. Which conclusion about the packet debug flow output is correct?
A. The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped
B. The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped
C. The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped
D. The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped
Correct Answer: D
Question #17
Refer to exhibits. Exhibit A shows the performance SLA and exhibit B shows the SD-WAN diagnostics output. Based on the exhibits, which statement is correct?
A. port1 became dead because no traffic was offloaded through the egress of port1
B. SD-WAN member interfaces are affected by the SLA state of the inactive interface
C. Both SD-WAN member interfaces have used separate SLA targets
D. The SLA state of port1 is dead after five unanswered requests by the SLA servers
Correct Answer: D
Question #18
Which two tasks are part of using central VPN management? (Choose two.)
A. You can configure full mesh, star, and dial-up VPN topologies
B. You must enable VPN zones for SD-WAN deployments
C. FortiManager installs VPN settings on both managed and external gateways
D. You configure VPN communities to define common IPsec settings shared by all VPN gateways
Correct Answer: AD
Question #19
Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?
A. hold-down-time
B. link-down-failover
C. auto-discovery-shortcuts
D. idle-timeout
Correct Answer: A
Question #20
What are two benefits of using forward error correction (FEC) in IPsec VPNs? (Choose two.)
A. FEC supports hardware offloading
B. FEC improves reliability of noisy links
C. FEC transmits parity packets that can be used to reconstruct packet loss
D. FEC can leverage multiple IPsec tunnels for parity packets transmission
Correct Answer: BC
Question #21
Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)
A. The traffic will be load balanced across all three overlays
B. The traffic will be routed over T_INET_0_0
C. The traffic will be routed over T_MPLS_0
D. The traffic will be routed over T_INET_1_0
Correct Answer: AC
Question #22
Refer to the exhibit. Which statement explains the output shown in the exhibit?
A. FortiGate performed standard FIB routing on the session
B. FortiGate will not re-evaluate the session following a firewall policy change
C. FortiGate used 192
D. FortiGate must re-evaluate the session due to routing change
Correct Answer: D
Question #23
Refer to the exhibit. Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups. If an ADVPN on-demand tunnel is established between Toronto and London, which two configuration settings are required for ADVPN to work? (Choose two.)
A. On the hubs, auto-discovery-sender is enabled on the IPsec VPNs to spokes
B. auto-discovery-forwarder is enabled on all IPsec VPNs
C. On the hubs, tunnel-search is set to selectors
D. On the spokes, auto-discovery-receiver is enabled on the IPsec VPN to the hub
Correct Answer: BD
Question #24
Refer to the exhibit. The exhibit shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?
A. When T_INET_0_0 and T_MPLS_0 have the same latency
B. When T_MPLS_0 has a latency of 100 ms
C. When T_INET_0_0 has a latency of 250 ms
D. When T_MPLS_0 has a latency of 80 ms
Correct Answer: D
Question #25
Which statement is correct about SD-WAN and ADVPN?
A. You must use OSPF
B. SD-WAN can steer traffic to ADVPN shortcuts established over IPsec overlays configured as SD-WAN members
C. Routes for ADVPN shortcuts must be manually configured
D. SD-WAN does not monitor the health and performance of ADVPN shortcuts
Correct Answer: B
Question #26
Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth?
A. Interface-based shaping mode
B. Reverse-policy shaping mode
C. Shared-policy shaping mode
D. Per-IP shaping mode
Correct Answer: A
Question #27
Refer to the exhibits. An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A. After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B
A. FortiGate did not refresh the routing information on the session after the application was detected
B. port1 and port2 do not have a valid route to the destination
C. Full SSL inspection is not enabled on the matching firewall policy
D. The session 3-tuple did not match any of the existing entries in the ISDB application cache
Correct Answer: AC
Question #28
Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?
A. get ipsec tunnel list
B. get router info routing-table
C. diagnose debug application ike
D. diagnose sys virtual-wan-link service
Correct Answer: B
Question #29
Which diagnostic command can you use to show interface-specific SLA logs for the last 10 minutes?
A. diagnose sys sdwan log
B. diagnose sys sdwan health-check
C. diagnose sys sdwan intf-sla-log
D. diagnose sys sdwan sla-log
Correct Answer: C
Question #30
Refer to the exhibit. The exhibit shows the SD-WAN rule status and configuration. Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member?
A. When all three members have the same packet loss
B. When T_INET_0_0 has 4% packet loss
C. When T_INET_0_0 has 12% packet loss
D. When T_INET_1_0 has 4% packet loss
Correct Answer: A
Question #31
Refer to the exhibit. Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)
A. FortiGate creates separate virtual interfaces for each dial-up client
B. FortiGate creates a single IPsec virtual interface that is shared by all clients
C. FortiGate maps the remote gateway 100
D. FortiGate does not install IPsec static routes for remote protected networks in the routing table
Correct Answer: AC
Question #32
Which two interfaces are considered overlay links? (Choose two.)
A. IPsec
B. Physical
C. LAG
D. GRE
Correct Answer: AD
Question #33
Which two tasks about using central VPN management are true? (Choose two.)
A. You can configure full mesh, star, and dial-up VPN topologies
B. FortiManager installs VPN settings on both managed and external gateways
C. You configure VPN communities to define common IPsec settings shared by all VPN gateways
D. You must enable VPN zones for SD-WAN deployments
Correct Answer: BC
Question #34
Which two benefits from using forward error correction (FEC) in IPsec VPNs are true? (Choose two.)
A. FEC transmits the original payload in full to recover the error in transmission
B. FEC reduces the stress on the remote device buffer to reconstruct packet loss
C. FEC transmits additional packets as redundant data to the remote device
D. FEC improves reliability, which overcomes adverse WAN conditions such as noisy links
Correct Answer: AC
Question #35
Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.)
A. FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic
B. By default, local-out traffic does not use SD-WAN
C. By default, FortiGate does not check if the selected member has a valid route to the destination
D. You must configure each local-out feature individually, to use SD-WAN
Correct Answer: BD
Question #36
Refer to the exhibit. Based on the exhibit, which two actions does FortiGate perform on traffic passing through port2? (Choose two.)
A. FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change
B. FortiGate performs routing lookups for new sessions only, after a route change
C. FortiGate always blocks all traffic, after a route change
D. FortiGate flushes all routing information from the session table, after a route change
Correct Answer: AB
Question #37
Refer to the exhibits. Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate. Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?
A. port1 is assigned a manual IP address
B. port1 is referenced in a firewall policy
C. port2 is referenced in a static route
D. port1 and port2 are not administratively down
Correct Answer: B
Question #38
Refer to the exhibits. Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status. If port2 is detected dead by FortiGate, what is the expected behavior?
A. port2 becomes alive after three successful probes are detected
B. FortiGate removes all static routes for port2
C. The administrator manually restores the static routes for port2, if port2 becomes alive
D. ost 8
Correct Answer: B
Question #39
Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)
A. Member metrics are measured only if an SLA target is configured
B. SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy
C. When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA
D. SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements
Correct Answer: CD
Question #40
Which diagnostic command can you use to show the SD-WAN rules interface information and state?
A. diagnose sys virtual-wan-link route-tag-list
B. diagnose sys virtual-wan-link service
C. diagnose sys virtual-wan-link member
D. diagnose sys virtual-wan-link neighbor
Correct Answer: C
Question #41
Which are three key routing principles in SD-WAN? (Choose three.)
A. Application, antivirus, and URL, and SSL inspection
B. Datacenter, branch offices, and public cloud
C. FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy
D. Telephone, ISDN, and telecom network
Correct Answer: BDE
Question #42
Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)
A. Type of physical link connection
B. Internet service database (ISDB) address object
C. Source and destination IP address
D. URL categories
E. Application signatures
Correct Answer: BCE
Question #43
Refer to the exhibits. Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate. Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?
A. port2 is referenced in a static route
B. port1 is assigned a manual IP address
C. port1 and port2 are not administratively down
D. port1 is referenced in a firewall policy
Correct Answer: D
Question #44
Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke. What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?
A. You must set ike-version to 1
B. You must enable net-device
C. You must enable auto-discovery-sender
D. You must disable idle-timeout
Correct Answer: B
Question #45
What are two common use cases for remote internet access (RIA)? (Choose two.)
A. Provide direct internet access on spokes
B. Provide internet access through the hub
C. Centralize security inspection on the hub
D. Provide thorough inspection on spokes
Correct Answer: BC
Question #46
Refer to the exhibit. Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?
A. All traffic from a source IP to a destination IP is sent to the same interface
B. All traffic from a source IP is sent to the same interface
C. All traffic from a source IP is sent to the most used interface
D. All traffic from a source IP to a destination IP is sent to the least used interface
Correct Answer: A
Question #47
Refer to the exhibit. Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)
A. The total number of daily sessions for 10
B. The packet size exceeded the outgoing interface MTU
C. The number of concurrent sessions for 10
D. The number of concurrent sessions for 10
Correct Answer: CD
Question #48
Refer to the exhibits. Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt. When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule. Based on the information shown in the exhibits, what configuration ch
A. Enable auxiliary-session under config system settings
B. Disable tcp-session-without-syn under config system settings
C. Enable snat-route-change under config system global
D. Disable allow-subnet-overlap under config system settings
Correct Answer: A
Question #49
Which statement is correct about the SD-WAN and ADVPN?
A. Spoke support dynamic VPN as a static interface
B. Dynamic VPN is not supported as an SD-WAN interface
C. ADVPN interface can be a member of SD-WAN interface
D. Hub FortiGate is limited to use ADVPN as SD-WAN member interface
Correct Answer: C
Question #50
Refer to the exhibits. Exhibit A shows the SD-WAN rules and exhibit B shows the traffic logs. The SD-WAN traffic logs reflect how FortiGate distributes traffic. Based on the exhibits, what are two expected behaviors when FortiGate processes SD-WAN traffic? (Choose two.)
A. The first Vimeo session may not match the Vimeo SD-WAN rule because the session is used for the application learning phase
B. The implicit rule overrides all other rules because parameters widely cover sources and destinations
C. The Vimeo SD-WAN rule steers Vimeo application traffic among all SD-WAN member interfaces
D. SD-WAN rules are evaluated in the same way as firewall policies: from top to bottom
Correct Answer: AD
Question #51
Which two statements about SD-WAN central management are true? (Choose two.)
A. It does not allow you to monitor the status of SD-WAN members
B. It is enabled or disabled on a per-ADOM basis
C. It is enabled by default
D. It uses templates to configure SD-WAN on managed devices
Correct Answer: BD
Question #52
Refer to the exhibits. Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member and the static routes configuration. If port2 is detected dead by FortiGate, which expected behavior is correct?
A. Port2 becomes alive after one successful probe is detected
B. The SD-WAN interface becomes disabled and port1 becomes the WAN interface
C. Dead members require manual administrator access to bring them back alive
D. Subnets 10
Correct Answer: D
Question #53
Refer to the exhibit. Which are two expected behaviors of the traffic that matches the traffic shaper? (Choose two.)
A. The number of simultaneous connections among all source IP addresses cannot exceed five connections
B. The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec
C. The number of simultaneous connections allowed for each source IP address cannot exceed five connections
D. The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec
Correct Answer: CD
Question #54
Refer to the exhibit. Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used to select an outgoing interface in an SD-WAN rule? (Choose two.)
A. The type of traffic defined and allowed on firewall policy ID 1 is UDP
B. FortiGate has terminated the session after a change on policy ID 1
C. Changes have been made on firewall policy ID 1 on FortiGate
D. Firewall policy ID 1 has source NAT disabled
Correct Answer: AB
Question #55
Which diagnostic command can you use to show interface-specific SLA logs for the last 10 minutes?
A. diagnose sys virtual-wan-link health-check
B. diagnose sys virtual-wan-link log
C. diagnose sys virtual-wan-link sla-log
D. diagnose sys virtual-wan-link intf-sla-log
Correct Answer: C
Question #56
Refer to the exhibit. Which are two expected behaviors of the traffic that matches the traffic shaper? (Choose two.)
A. The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec
B. The number of simultaneous connections among all source IP addresses can exceed 5 connections
C. The number of simultaneous connections allowed for each source IP address can exceed 5 connections
D. The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec
Correct Answer: AC
Question #57
What is the route-tag setting in an SD-WAN rule used for?
A. To indicate the routes for health check probes
B. To indicate the destination of a rule based on learned BGP prefixes
C. To indicate the routes that can be used for routing SD-WAN traffic
D. To indicate the members that can be used to route SD-WAN traffic
Correct Answer: B
Question #58
Refer to the exhibit. Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)
A. On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes
B. On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub
C. auto-discovery-forwarder must be enabled on all IPsec VPNs
D. On the hubs, net-device must be enabled on all IPsec VPNs
Correct Answer: AB
