Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

get router info routing-table all

What are two common use cases for remote internet access (RIA)? (Choose two.)

Provide internet access through the hub

Centralize security inspection on the hub

Provide thorough inspection on spokes.

Provide direct internet access on spokes.

An administrator is testing application steering in SD-WAN. Before generating test tra®c, the administrator collected the information shown in exhibit A. After generating GoToMeeting test tra®c, the administrator examined the respective tra®c log on FortiAnalyzer, which is shown in exhibit B. Theadministrator noticed that the tra®c matched the implicit SD-WAN rule, but they expected the tra®c to match rule ID 1. Which two reasons explain why some log messages show that the tra®c matched the implicit SD-WAN rule? (Choose two.)

The session 3-tuple did not match any of the existing entries in the ISDB application cache

FortiGate did not refresh the routing information on the session after the application was detected.

Port1 and port2 do not have a valid route to the destination.

Full SSL inspection is not enabled on the matching ¬rewall policy.

Which statement is correct about SD-WAN and ADVPN?

SD-WAN can steer tra®c to ADVPN shortcuts established over IPsec overlays con¬gured as SD-WAN members.

SD-WAN can steer tra®c to ADVPN shortcuts only for rules de¬ned with strategy manual or best quality

SD-WAN does not monitor the health and performance of ADVPN shortcuts

SD-WAN cannot steer tra®c to ADVPN shortcuts established over IPSec overlays if the zone contains physical interfaces.

The exhibit shows the SD-WAN rule status and con¬guration. Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?

When T_MPLS_0 has a latency of 80 ms

When T_INET_0_0 has a latency of 250 ms

When T_INET_0_0 and T_MPLS_0 have the same latency

When T_MPLS_0 has a latency of 100 ms.

What is a bene¬t of using application steering in SD-WAN?

You steer traffic based on the detected application.

The tra®c always skips the regular policy routes

You do not need to con¬gure ¬rewall policies that accept the SD-WAN tra®c

You do not need to enable SSL inspection.

Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)

FortiGate passively monitors the member if TCP tra®c is passing through the member.

During passive monitoring, the SLA performance rule cannot detect dead members.

After FortiGate switches to active mode, the SLA performance rule never fallsback to passive monitoring

FortiGate can o¯oad the tra®c that is subject to passive monitoring to hardware.

Which two statements about the SD-WAN members are true? (Choose two.)

You can manually de¬ne the SD-WAN members sequence number.

Interfaces of type VLAN can be used as SD-WAN members.

Interfaces of type virtual wire pair can be used as SD-WAN members

An SD-WAN member can belong to two or more SD-WAN zones.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates tra®c to the 10.0.0.0/8 network. The administrator expects the tra®c to match SD-WAN rule ID 1 and be routed over T_INET_0. However, the tra®c is routed over T_INET_1. Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)

The tra®c matches a regular policy route con¬gured with T_INET_1 as the outgoing device.

T_INET_0 does not have a valid route to the destination

T_INET_1 has a lower route priority value (higher priority) than T_INET_0.

T_INET_1 has a higher member con¬guration priority than T_INET_0

Based on the output, which two conclusions are true? (Choose two.)

Entry 1 (id=1) is a regular policy route.

There is more than one SD-WAN rule con¬gured.

The SD-WAN rules take precedence over regular policy routes.

The all_rules rule represents the implicit SD-WAN rule.

What are two bene¬ts of using forward error correction (FEC) in IPsec VPNs? (Choose two.)

FEC transmits parity packets that can be used to reconstruct packet loss.

FEC improves reliability of noisy links.

FEC can leverage multiple IPsec tunnels for parity packets transmission.

FEC supports hardware offloading

Based on the exhibit, which statement is true?

You can move port1 from the underlay zone to the overlay zone.

You can delete the virtual-wan-link zone because it contains no member.

The corporate zone contains no member.

The overlay zone contains four members.

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)

FortiGate evaluates new sessions

FortiGate does not change existing sessions.

FortiGate terminates the old sessions

The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.)

The reply direction of the asymmetric traffic flows from port2 to port3

The auxiliary session can be offloaded to hardware

The main session cannot be offloaded to hardware

The original direction of the symmetric traffic flows from port3 to port2

The SD-WAN overlay template helps to prepare SD-WAN deployments. To complete the tasks performed by the SD-WAN overlay template, the administrator must perform some post-run tasks. What are three mandatory post-run tasks that must be performed? (Choose three.)

Assign a branch_id metadata variable to each branch device.

Create policy packages for branch devices.

Assign an sdwan_id metadata variable to each device (branch and hub)

Con¬gure routing through overlay tunnels created by the SD-WAN overlay template.

In a dual-hub hub-and-spoke SD-WAN deployment, which is a bene¬t of disabling the anti-replay setting on the hubs?

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

The session information output displays no SD-WAN-speci¬c details

Tra®c does not match any of the entries in the policy route table

All SD-WAN rules have the default and gateway setting enabled

Tra®c is load balanced using the algorithm set for the v4-ecmp-mode setting.

Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on a FortiGate device acting as the sender. Exhibit B shows the sniffer output on a FortiGate device acting as the receiver. The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1. Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)

On the receiver FortiGate, packet-de-duplication is enabled

On the sender FortiGate, duplication-max-num is set to 3

The ICMP echo request packets sent over T_INET_0 and T_MPLS were dropped along the way

The sender FortiGate has anti-replay enabled to block duplicate ICMP replies.

Which statement about the role of the ADVPN device in handling traffic is true?

This is a spoke that has received an offer from a remote hub.

Two spokes, 192.2.0.1 and 10.0.2.101, establish a shortcut.

This is a hub that has received an offer from a spoke and has forwarded it to another spoke

An IKE session is established between 10.0.1.101 and 10.0.2.101 in the process of forming a shortcut tunnel

Which two statements are true about using SD-WAN to steer local-out tra®c? (Choose two.)

You must con¬gure each local-out feature individually, to use SD-WAN

By default, local-out tra®c does not use SD-WAN

By default, FortiGate does not check if the selected member has a valid route to the destination

FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out tra®c.

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status. If port2 is detected dead by FortiGate, what is the expected behavior?

FortiGate disables all static routes for port2.

Host 8.3.8.8 is reachable through port1 and port2

Port2 becomes alive after three successful probes are detected.

The administrator manually restores the static routes for port2, if port2 becomes alive.

In which SD-WAN template field can you use a metadata variable?

Any field identified with a dollar sign (S) in a magnifying glass

You can use metadata variables only to define interface members and the gateway IP.

Any field identified with an "M" in a circle

The device exchanges routes using IBGP. Which two statements are correct about the IBGP con¬guration and routing information on the device? (Choose two.)

You can run the get router info routing-table database command to display the additional paths.

Each BGP route is three hops away from the destination.

Which two statements are correct about the health check status on this FortiGate device? (Choose two.)

There is no SLA criteria con¬gured for the health-check Level3_DNS

The health-check VPN_PING orders the members according to the measured jitter

The interface T_INET_0 missed three SLA targets

The interface T_INET_1 missed one SLA target.

Exhibit A shows a policy package de¬nition. Exhibit B shows the install log that the administrator received when he tried to install the policy package on FortiGate devices. Based on the output shown in the exhibits, what can the administrator do to solve the issue?

Create dynamic mapping for the LAN interface for all devices in the installation target list

Policies can refer to only one LAN source interface. Keep only the D-LAN, which is the dynamic LAN interface.

Dynamic mapping should be done automatically. Review the LAN interface configuration for branch2_fgt

Use a metadata variable instead of a dynamic interface to define the firewall policy

What is true about SD-WAN multiregion topologies?

Each region has its own SD-WAN topology

It is not compatible with ADVPN.

Routing between the hub and spokes must be BGP

Regions must correspond to geographical areas

What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?

You must enable auto-discovery-sender.

Which statement about using BGP for ADVPN is true?

IBGP is preferred over EBGP, because IBGP preserves next hop information.

You must con¬gure AS path prepending.

You must con¬gure BGP communities.

You must use BGP to route tra®c for both overlay and underlay links.

Based on the output shown in the exhibit, which statement is true?

The VPN tunnel T_MPLS_0 is a shortcut tunnel

There is one shortcut tunnel built from master tunnel T_MPLS_0.

The master tunnel T_INET_0 cannot accept the ADVPN shortcut

There are no IPsec tunnel statistics log messages for ADVPN shortcuts.

Based on the exhibit which action does FortiGate take?

FortiGate brings down port5 after it detects all SD-WAN members as dead.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

FortiGate bounces port5 after it detects all SD-WAN members as dead.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface

All traffic from a source IP is sent to the same interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

Exhibit A shows two IPsec templates to de¬ne BranchIPsec_1 and Branch_IPsec_2. Each template de¬nes a VPN tunnel. Exhibit B shows the error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device. Which statement best explain the cause for this issue?

You can assign only one IPsec template to each FortiGate device.

You should review the branch1_fgt con¬guration for the already con¬gured tunnel with the name HUB1-VPN2.

You can de¬ne only one IPsec tunnel from branch devices to HUB1

You can assign only one template with a tunnel of type static to each FortiGate device.

Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.

SLA targets are used only by SD-WAN rules that are con¬gured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.

Member metrics are measured only if an SLA target is con¬gured.

When con¬guring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.

Which two statements about the SD-WAN zone con¬guration are true? (Choose two.)

You can use the service-sla-tie-break setting to con¬gure preferred member selection based on the best route to the destination.

The default zone is virtual-wan-link.

You can delete the default zones.

An SD-WAN member can belong to two or more zones.

Which statement explains the output shown in the exhibit?

FortiGate must re-evaluate the session due to routing change

FortiGate performed standard FIB routing on the session.

FortiGate will not re-evaluate the session following a firewall policy change.

FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings con¬guration on dc1_fgt. When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply tra®c is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule. Based on the information shown in the exhibits, what con¬guration change must be made on dc1_fgt so dc1_fgt routes the reply tra®c over T_INET_1_0?

Enable auxiliary-session under con¬g system settings.

Disable tcp-session-without-syn under con¬g system settings

Disable allow-subnet-overlap under con¬g system settings

Enable snat-route-change under con¬g system global.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

exchange-interface-ip must be enabled.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator con¬gured ADVPN on both hub-and-spoke groups. Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.

London generates an IKE information message that contains the Toronto public IP address.

. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.

Which diagnostic command can you use to show the member utilization statistics measured by performance SLAs for the last 10 minutes?

diagnose sys sdwan intf-sla-log

diagnose sys sdwan health-check

SD_WAN

Quiz

•

Other

•

Professional Development

•

Practice Problem

•

Hard

Jancker jancker

FREE Resource

70 questions

Show all answers

MULTIPLE SELECT QUESTION

30 sec • 1 pt

The exhibit shows the BGP con¬guration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise pre¬xes from spokes
to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not
see the pre¬xes from other spokes and the additional paths.
Based on the exhibit, which three settings must the administrator con¬gure inside each BGP neighbor group so spokes can learn other spokes
pre¬xes and their additional paths? (Choose three.)

Enable soft-recon¬guration

Enable route-reector-client

Set additional-path to send

Set adv-additional-path to the number of additional paths to advertise

Set advertisement-interval to the number of additional paths to advertise

MULTIPLE SELECT QUESTION

30 sec • 1 pt

What are two advantages of using an IPsec recommended template to con¬gure an IPsec tunnel in an hub-and-spoke topology? (Choose two.)

It ensures consistent settings between phase1 and phase2.

It guides the administrator to use Fortinet recommended settings.

The VPN monitor tool provides additional statistics for tunnels de¬ned with an IPsec recommended template.

It automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Refer to the exhibit

FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change.

FortiGate always blocks all tra®c, after a route change.

FortiGate performs routing lookups for new sessions only, after a route change.

FortiGate ushes all routing information from the session table, after a route change.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

It provides the bene¬ts of a full-mesh topology in a hub-and-spoke network

It enables spokes to establish shortcuts to third-party gateways

It provides direct connectivity between spokes by creating shortcuts.

It enables spokes to bypass the hub during shortcut negotiation.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

The exhibit shows output of the command diagnose sys sdwan service collected on a FortiGate device.
The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and
with a destination of the business application Salesforce located on HQ servers 10.0.0.1.
Based on the exhibits, which two statements are correct? (Choose two.)

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface
T_HQ1

FortiGate steers traffic to HQ servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

When FortiGate cannot recognize the application of the ow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

FortiGate steers tra®c for business application according to service rule 2 and steers traffic through port2.

MULTIPLE SELECT QUESTION

45 sec • 1 pt

Which are three key routing principles in SD-WAN? (Choose three.)

By default. SD-WAN members are skipped if they do not have a valid route to the destination

By default. SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.

FortiGate performs route lookups for new sessions only

SD-WAN rules have precedence over ISDB routes

Regular policy routes have precedence over SD-WAN rules

MULTIPLE SELECT QUESTION

45 sec • 1 pt

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.
Which two con¬guration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

On the hubs, net-device must be enabled on all IPsec VPNs

auto-discovery-forwarder must be enabled on all IPsec VPNs.

On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub

On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

73 questions

T LEVEL Health and Safety Legislation Quiz

Quiz

•

Professional Development

73 questions

Volume 3

Quiz

•

Professional Development

70 questions

OES Challenge

Quiz

•

Professional Development

70 questions

WKF Kumite Test 1

Quiz

•

Professional Development

70 questions

HVAC FC 06

Quiz

•

Professional Development

73 questions

ACCENTURE MOCK TEST-1 SJIT ECE

Quiz

•

Professional Development

70 questions

Kosakata Modul Bab 3

Quiz

•

Professional Development

72 questions

Milady CIMA Ch. 05 Infection Control

Quiz

•

Professional Development

Popular Resources on Wayground

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

54 questions

Analyzing Line Graphs & Tables

Quiz

•

4th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

15 questions

Equivalent Fractions

Quiz

•

4th Grade

Discover more resources for Other

20 questions

Black History Month Trivia Game #1

Quiz

•

Professional Development

100 questions

Screening Test Customer Service

Quiz

•

Professional Development

20 questions

90s Cartoons

Quiz

•

Professional Development

10 questions

Reading a ruler in Inches

Quiz

•

4th Grade - Professio...

16 questions

Parallel, Perpendicular, and Intersecting Lines

Quiz

•

KG - Professional Dev...

12 questions

Valentines Day Trivia

Quiz

•

Professional Development

SD_WAN

70 questions

What are two advantages of using an IPsec recommended template to con¬gure an IPsec tunnel in an hub-and-spoke topology? (Choose two.)

Refer to the exhibit

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

Which are three key routing principles in SD-WAN? (Choose three.)

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.Which two con¬guration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

What are two common use cases for remote internet access (RIA)? (Choose two.)

Access all questions and much more by creating a free account

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Other

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.
Which two con¬guration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)