Summer Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

What are two benefits of choosing packet duplication over FEC for data loss correction on noisy links? (Choose two.)

A.

Packet duplication can leverage multiple IPsec overlays for sending additional data.

B.

Packet duplication does not require a route to the destination.

C.

Packet duplication supports hardware offloading.

D.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

Full Access
Question # 5

Which two statements about SD-WAN central management are true? (Choose two.)

A.

It does not allow you to monitor the status of SD-WAN members.

B.

It is enabled or disabled on a per-ADOM basis.

C.

It is enabled by default.

D.

It uses templates to configure SD-WAN on managed devices.

Full Access
Question # 6

Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Based on the exhibit, which statement is true?

A.

You can delete the virtual-wan-link zone because it contains no member.

B.

The corporate zone contains no member.

C.

You can move port1 from the underlay zone to the overlay zone.

D.

The overlay zone contains four members.

Full Access
Question # 7

What are two common use cases for remote internet access (RIA)? (Choose two.)

A.

Provide direct internet access on spokes

B.

Provide internet access through the hub

C.

Centralize security inspection on the hub

D.

Provide thorough inspection on spokes

Full Access
Question # 8

Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)

A.

Type of physical link connection

B.

Internet service database (ISDB) address object

C.

Source and destination IP address

D.

URL categories

E.

Application signatures

Full Access
Question # 9

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.

When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.

Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

A.

Enable auxiliary-session under config system settings.

B.

Disable tсp-session-without-syn under config system settings.

C.

Enable snat-route-change under config system global.

D.

Disable allow-subnet-overlap under config system settings.

Full Access
Question # 10

Refer to the exhibit.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0.

Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)

A.

The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.

B.

T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.

C.

T_INET_0_0 does not have a valid route to the destination.

D.

T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

Full Access
Question # 11

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

A.

The sdwan_service_id flag in the session information is 0.

B.

All SD-WAN rules have the default setting enabled.

C.

Traffic does not match any of the entries in the policy route table.

D.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Full Access
Question # 12

Refer to the exhibit.

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.

Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes prefixes and their additional paths? (Choose three.)

A.

Set additional-path to send

B.

Enable route-reflector-client

C.

Set advertisement-interval to the number of additional paths to advertise

D.

Set adv-additional-path to the number of additional paths to advertise

E.

Enable soft-reconfiguration

Full Access
Question # 13

Refer to the exhibits.

Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.

Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration.

The administrator wants to steer corporate traffic using routes tags in the SD-WAN rule ID 1.

However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1.

Based on the exhibits, which configuration change is required to fix issue?

A.

In the dcl-lab-rm route map configuration, set set-route-tag to 10.

B.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

C.

In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.

D.

In the dcl-lab-rm route map configuration, unset match-community.

Full Access
Question # 14

What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in a hub-and-spoke topology? (Choose two.)

A.

VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

B.

FortiManager automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

C.

IPsec recommended template guides the administrator to use Fortinet recommended settings.

D.

IPsec recommended template ensures consistent settings between phase1 and phase2

Full Access
Question # 15

In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)

A.

It provides the benefits of a full-mesh topology in a hub-and-spoke network.

B.

It provides direct connectivity between spokes by creating shortcuts.

C.

It enables spokes to bypass the hub during shortcut negotiation.

D.

It enables spokes to establish shortcuts to third-party gateways.

Full Access
Question # 16

Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?

  • diagnose sys sdwan service

  • diagnose sys sdwan route-tag-list

  • diagnose sys sdwan member

A.

diagnose sys sdwan neighbor

Full Access
Question # 17

Which action fortigate performs on the traffic that is subject to a per-IP traffic shaper of 10 Mbps?

A.

FortiGate applies traffic shaping to the original traffic direction only.

B.

FortiGate shares 10 Mbps of bandwidth equally among all source IP addresses.

RIAS

C.

Fortigate limits each source ip address to a maximum bandwidth of 10 Mbps.

D.

FortiGate guarantees a minimum of 10 Mbps of bandwidth to each source IP address.

Full Access
Question # 18

Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member?

A.

When all three members have the same packet loss.

B.

When T_INET_0_0 has 4% packet loss.

C.

When T_INET_0_0 has 12% packet loss.

D.

When T_INET_1_0 has 4% packet loss.

Full Access
Question # 19

Which type statements about the SD-WAN members are true? (Choose two.)

A.

You can manually define the SD-WAN members sequence number.

B.

Interfaces of type virtual wire pair can be used as SD-WAN members.

C.

Interfaces of type VLAN can be used as SD-WAN members.

D.

An SD-WAN member can belong to two or more SD-WAN zones.

Full Access
Question # 20

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status.

If port2 is detected dead by FortiGate, what is the expected behavior?

A.

Port2 becomes alive after three successful probes are detected.

B.

FortiGate removes all static routes for port2.

C.

The administrator manually restores the static routes for port2, if port2 becomes alive.

D.

Host 8.8.8.8 is reachable through port1 and port2.

Full Access
Question # 21

Which two settings can you configure to speed up routing convergence in BGP? (Choose two.)

A.

update-source

B.

set-route-tag

C.

holdtime-timer

D.

link-down-failover

Full Access
Question # 22

Refer to the exhibit.

Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)

A.

After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

B.

During passive monitoring, FortiGate can’t detect dead members.

C.

FortiGate can offload the traffic that is subject to passive monitoring to hardware.

D.

FortiGate passively monitors the member if TCP traffic is passing through the member.

Full Access
Question # 23

Refer to the exhibit.

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)

A.

FortiGate flushes all sessions.

B.

FortiGate terminates the old sessions.

C.

FortiGate does not change existing sessions.

D.

FortiGate evaluates new sessions.

Full Access
Question # 24

Refer to the exhibit.

Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)

A.

Cost

B.

Interface member

C.

Priority

D.

Gateway IP

Full Access
Question # 25

Refer to the exhibit.

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN.

Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)

A.

Specify a unique peer ID for each dial-up VPN interface.

B.

Use different proposals are used between the interfaces.

C.

Configure the IKE mode to be aggressive mode.

D.

Use unique Diffie Hellman groups on each VPN interface.

Full Access
Question # 26

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

A.

All traffic from a source IP to a destination IP is sent to the same interface.

B.

All traffic from a source IP is sent to the same interface.

C.

All traffic from a source IP is sent to the most used interface.

D.

All traffic from a source IP to a destination IP is sent to the least used interface.

Full Access
Question # 27

What is a benefit of using application steering in SD-WAN?

A.

The traffic always skips the regular policy routes.

B.

You steer traffic based on the detected application.

C.

You do not need to enable SSL inspection.

D.

You do not need to configure firewall policies that accept the SD-WAN traffic.

Full Access