
Note! NSE7_SDW-7.0 has been withdrawn. The new exam code is NSE7_SDW-7.2

NSE7_SDW-7.0 Practice Exam Questions with Answers Fortinet NSE 7 - SD-WAN 7.0 Certification

Question # 6

Refer to the exhibit.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.

Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

A. On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.

B. On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.

C. auto-discovery-forwarder must be enabled on all IPsec VPNs.

D. On the hubs, net-device must be enabled on all IPsec VPNs.

Question # 7

Which components make up the secure SD-WAN solution?

A. Application, antivirus, URL, and SSL inspection

B. Datacenter, branch offices, and public cloud

C. FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy

D. Telephone, ISDN, and telecom network

Question # 8

Refer to the exhibit.

Based on the exhibit, which action does FortiGate take?

A. FortiGate bounces port5 after it detects all SD-WAN members as dead.

B. FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

C. FortiGate brings up port5 after it detects all SD-WAN members as alive.

D. FortiGate brings down port5 after it detects all SD-WAN members as dead.

Question # 9

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

A. get router info routing-table all

B. diagnose debug application ike

C. diagnose vpn tunnel list

D. get ipsec tunnel list

Question # 10

What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.)

A. The ISDB is dynamically updated and reduces administrative overhead.

B. The ISDB requires application control to maintain signatures and perform load balancing.

C. The ISDB applies rules to traffic from specific sources, based on application type.

D. The ISDB contains the IP addresses and port ranges of well-known internet services.

Question # 11

Refer to the exhibit.

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?

A. The type of traffic defined and allowed on firewall policy ID 1 is UDP.

B. FortiGate has terminated the session after a change on policy ID 1.

C. Changes have been made on firewall policy ID 1 on FortiGate.

D. Firewall policy ID 1 has source NAT disabled.

Question # 12

Refer to the exhibits.

Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration.

Based on the exhibits, which two statements are correct? (Choose two.)

A. FortiGate updated the outgoing interface list on the rule so it prefers port2.

B. Port2 has the highest member priority.

C. Port2 has a lower latency than port1.

D. SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

Question # 13

Which are two benefits of using CLI templates in FortiManager? (Choose two.)

A. You can reference meta fields.

B. You can configure interfaces as SD-WAN members without having to remove references first.

C. You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.

D. You can configure advanced CLI settings.

Question # 14

What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process? (Choose two.)

A. The FortiGate cloud key has not been added to the FortiGate cloud portal.

B. FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager.

C. The zero-touch provisioning process has completed internally, behind FortiGate.

D. FortiGate has obtained a configuration from the platform template in FortiGate cloud.

E. A factory reset was performed on FortiGate.

Question # 15

Refer to the exhibit.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

A. type must be set to static.

B. mode-cfg must be enabled.

C. exchange-interface-ip must be enabled.

D. add-route must be disabled.

Question # 16

Refer to the exhibits.

Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate.

Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)

A. FortiGate flags the sessions as dirty.

B. FortiGate continues routing the sessions with no SNAT, over port2.

C. FortiGate performs a route lookup for the original traffic only.

D. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Question # 17

Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate.

Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?

A. port1 is assigned a manual IP address.

B. port1 is referenced in a firewall policy.

C. port2 is referenced in a static route.

D. port1 and port2 are not administratively down.

Question # 18

What are two common use cases for remote internet access (RIA)? (Choose two.)

A. Provide direct internet access on spokes

B. Provide internet access through the hub

C. Centralize security inspection on the hub

D. Provide thorough inspection on spokes

Question # 19

Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke.

What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?

A. You must set ike-version to 1.

B. You must enable net-device.

C. You must enable auto-discovery-sender.

D. You must disable idle-timeout.

Question # 20

Refer to the exhibits.

Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)

A. FortiGate does not install IPsec static routes for remote protected networks in the routing table.

B. The phase 1 configuration supports the network-overlay setting.

C. FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

D. Dead peer detection is disabled.

Question # 21

Refer to the exhibits.

Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.

The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.

Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)

A. On the receiver FortiGate, packet-de-duplication is enabled.

B. The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.

C. The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.

D. On the sender FortiGate, duplication-max-num is set to 3.
