Packet duplication can leverage multiple IPsec overlays for sending additional data.

Packet duplication does not require a route to the destination.

Packet duplication supports hardware offloading.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

It does not allow you to monitor the status of SD-WAN members.

It is enabled or disabled on a per-ADOM basis.

It is enabled by default.

It uses templates to configure SD-WAN on managed devices.

You can delete the virtual-wan-link zone because it contains no member.

The corporate zone contains no member.

You can move port1 from the underlay zone to the overlay zone.

The overlay zone contains four members.

Provide direct internet access on spokes

Provide internet access through the hub

Centralize security inspection on the hub

Provide thorough inspection on spokes

Type of physical link connection

Internet service database (ISDB) address object

Source and destination IP address

URL categories

Application signatures

Enable auxiliary-session under config system settings.

Disable tсp-session-without-syn under config system settings.

Enable snat-route-change under config system global.

Disable allow-subnet-overlap under config system settings.

The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.

T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.

T_INET_0_0 does not have a valid route to the destination.

T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

The sdwan_service_id flag in the session information is 0.

All SD-WAN rules have the default setting enabled.

Traffic does not match any of the entries in the policy route table.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Set additional-path to send

Enable route-reflector-client

Set advertisement-interval to the number of additional paths to advertise

Set adv-additional-path to the number of additional paths to advertise

Enable soft-reconfiguration

In the dcl-lab-rm route map configuration, set set-route-tag to 10.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.

In the dcl-lab-rm route map configuration, unset match-community.

VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

FortiManager automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

IPsec recommended template guides the administrator to use Fortinet recommended settings.

IPsec recommended template ensures consistent settings between phase1 and phase2

It provides the benefits of a full-mesh topology in a hub-and-spoke network.

It provides direct connectivity between spokes by creating shortcuts.

It enables spokes to bypass the hub during shortcut negotiation.

It enables spokes to establish shortcuts to third-party gateways.

diagnose sys sdwan neighbor

FortiGate applies traffic shaping to the original traffic direction only.

FortiGate shares 10 Mbps of bandwidth equally among all source IP addresses.

RIAS

Fortigate limits each source ip address to a maximum bandwidth of 10 Mbps.

FortiGate guarantees a minimum of 10 Mbps of bandwidth to each source IP address.

When all three members have the same packet loss.

When T_INET_0_0 has 4% packet loss.

When T_INET_0_0 has 12% packet loss.

When T_INET_1_0 has 4% packet loss.

You can manually define the SD-WAN members sequence number.

Interfaces of type virtual wire pair can be used as SD-WAN members.

Interfaces of type VLAN can be used as SD-WAN members.

An SD-WAN member can belong to two or more SD-WAN zones.

Port2 becomes alive after three successful probes are detected.

FortiGate removes all static routes for port2.

The administrator manually restores the static routes for port2, if port2 becomes alive.

Host 8.8.8.8 is reachable through port1 and port2.

update-source

set-route-tag

holdtime-timer

link-down-failover

After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

During passive monitoring, FortiGate can’t detect dead members.

FortiGate can offload the traffic that is subject to passive monitoring to hardware.

FortiGate passively monitors the member if TCP traffic is passing through the member.

FortiGate flushes all sessions.

FortiGate terminates the old sessions.

FortiGate does not change existing sessions.

FortiGate evaluates new sessions.

Cost

Interface member

Priority

Gateway IP

Specify a unique peer ID for each dial-up VPN interface.

Use different proposals are used between the interfaces.

Configure the IKE mode to be aggressive mode.

Use unique Diffie Hellman groups on each VPN interface.

All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

The traffic always skips the regular policy routes.

You steer traffic based on the detected application.

You do not need to enable SSL inspection.

You do not need to configure firewall policies that accept the SD-WAN traffic.