Question 21
Refer to the exhibits.
Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)
A. FortiGate does not install IPsec static routes for remote protected networks in the routing table.
B. The phase 1 configuration supports the network-overlay setting.
C. FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
D. Dead peer detection is disabled.
Question 22
Refer to the exhibits.
Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate.
Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)
A. FortiGate flags the sessions as dirty.
B. FortiGate continues routing the sessions with no SNAT, over port2.
C. FortiGate performs a route lookup for the original traffic only.
D. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.
Question 23
Refer to the exhibits.
Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status.
Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)
A. The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
B. FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
C. FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
D. Non-TCP Facebook and YouTube traffic are not used for performance measurement.
Question 24
Refer to the exhibits.
Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration.
Based on the exhibits, which two statements are correct? (Choose two.)
A. FortiGate updated the outgoing interface list on the rule so it prefers port2.
B. Port2 has the highest member priority.
C. Port2 has a lower latency than port1.
D. SD-WAN rule ID 1 is set to lowest cost (SLA) mode.
Question 25
Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth?
A. Interface-based shaping mode
B. Reverse-policy shaping mode
C. Shared-policy shaping mode
D. Per-IP shaping mode
Question 26
Which two interfaces are considered overlay links? (Choose two.)
A. LAG
B. IPsec
C. Physical
D. GRE
Question 27
Refer to the exhibits.
Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.
When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.
Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?
A. Enable auxiliary-session under config system settings.
B. Disable tсp-session-without-syn under config system settings.
C. Enable snat-route-change under config system global.
D. Disable allow-subnet-overlap under config system settings.
Question 28
What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.)
A. The ISDB is dynamically updated and reduces administrative overhead.
B. The ISDB requires application control to maintain signatures and perform load balancing.
C. The ISDB applies rules to traffic from specific sources, based on application type.
D. The ISDB contains the IP addresses and port ranges of well-known internet services.
Question 29
Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke.
What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?
A. You must set ike-version to 1.
B. You must enable net-device.
C. You must enable auto-discovery-sender.
D. You must disable idle-timeout.
Question 30
Which statement is correct about SD-WAN and ADVPN?
A. Routes for ADVPN shortcuts must be manually configured.
B. SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.
C. SD-WAN does not monitor the health and performance of ADVPN shortcuts.
D. You must use IKEv2 on IPsec tunnels.
