Guaranteed Success in NSE 7 Network Security Architect NSE7_SDW-7.2 Exam Dumps [Q58-Q81]

Fortinet NSE7_SDW-7.2 Daily Practice Exam New 2024 Updated 99 Questions

NEW QUESTION # 58

Exhibit B -

Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate.
Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?

  • A. port1 is referenced in a firewall policy.
  • B. port1 and port2 are not administratively down.
  • C. port1 is assigned a manual IP address.
  • D. port2 is referenced in a static route.

Answer: A


NEW QUESTION # 59
Which diagnostic command can you use to show the member utilization statistics measured by performance
SLAs for the last 10 minutes?

  • A. diagnose sys sdwan intf-sla-log
  • B. diagnose sys sdwan sla-log
  • C. diagnose sys sdwan log
  • D. diagnose sys sdwan health-check

Answer: B


NEW QUESTION # 60
Refer to the exhibits.

Exhibit A shows a policy package definition. Exhibit B shows the install log that the administrator received when he tried to install the policy package on FortiGate devices.
Based on the output shown in the exhibits, what can the administrator do to solve the issue?

  • A. Create dynamic mapping for the LAN interface for all devices in the installation target list.
  • B. Policies can refer to only one LAN source interface. Keep only the D-LAN, which is the dynamic LAN interface.
  • C. Dynamic mapping should be done automatically. Review the LAN interface configuration for branch2_fgt.
  • D. Use a metadata variable instead of a dynamic interface to define the firewall policy.

Answer: A


NEW QUESTION # 61
Refer to the exhibits.


Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.
Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map
configuration.
The administrator wants to steer corporate traffic using route tags in the SD-WAN rule ID 1.
However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1.
Based on the exhibits, which configuration change is required to fix the issue?

  • A. In SD-WAN rule ID 1, change the destination to use ISDB entries.
  • B. In the dcl-lab-rm route map configuration, unset match-community.
  • C. In the dcl-lab-rm route map configuration, set set-route-tag to 10.
  • D. In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.

Answer: D


NEW QUESTION # 62
Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration.
Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?

  • A. When T_INET_0_0 and T_MPLS_0 have the same latency.
  • B. When T_INET_0_0 has a latency of 250 ms.
  • C. When T_MPLS_0 has a latency of 80 ms.
  • D. When T_MPLS_0 has a latency of 100 ms.

Answer: C


NEW QUESTION # 63
Exhibit.

The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?

  • A. There are no IPsec tunnel statistics log messages for ADVPN cuts.
  • B. The master tunnel T_INET_0 cannot accept the ADVPN shortcut.
  • C. The VPN tunnel T_MPLS_0 is a shortcut tunnel.
  • D. There is one shortcut tunnel built from master tunnel T_MPLS_0.

Answer: D

Explanation:
VPN event logs record the status of VPN tunnels, such as the establishment, termination, or failure of a tunnel. The output includes the following information:
* logid: the log ID number
* type: the log type, either traffic or event
* subtype: the log subtype, either vpn or ipsec
* level: the log level, either error, warning, or notice
* vd: the virtual domain name
* logdesc: the log description
* msg: the log message
* action: the log action, such as tunnel-up, tunnel-down, or tunnel-stats
* remip: the remote IP address
* locip: the local IP address
* remport: the remote port number
* locport: the local port number
* outintf: the outgoing interface name
* cookies: the IKE SA cookies
* user: the user name
* group: the user group name
* useralt: the alternative user name
* xauthuser: the XAuth user name
* authgroup: the XAuth user group name
* assignip: the assigned IP address
* vpntunnel: the VPN tunnel name
* tunnellip: the tunnel loopback IP address
* tunnelid: the tunnel ID number
* tunneltype: the tunnel type, either ipsec or ssl
* duration: the tunnel duration in seconds
* sentbyte: the number of bytes sent
* rcvdbyte: the number of bytes received
* nextstat: the next statistics interval in seconds
* advpnsc: the ADVPN shortcut flag, either 0 or 1
Based on the exhibit, the following statement is true:
* There is one shortcut tunnel built from master tunnel T_MPLS_0. This means that the VPN tunnel T_MPLS_0 is a master tunnel that can send ADVPN shortcut offers to other spokes, and the VPN tunnel T_MPLS_0_0 is a shortcut tunnel that is built from the master tunnel T_MPLS_0. In the exhibit, the log action for T_MPLS_0 is tunnel-up, and the log action for T_MPLS_0_0 is shortcut-up.
The advpnsc flag for T_MPLS_0 is 0, indicating that it is not a shortcut tunnel, while the advpnsc flag for T_MPLS_0_0 is 1, indicating that it is a shortcut tunnel.


NEW QUESTION # 64
Refer to the exhibits.
Exhibit A -

Exhibit B -

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B
shows the system global and system settings configuration on dc1_fgt.
When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the
reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching
SD-WAN rule.
Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so
dc1_fgt routes the reply traffic over T_INET_1_0?

  • A. Enable snat-route-change under config system global.
  • B. Enable auxiliary-session under config system settings.
  • C. Disable tp-session-without-syn under config system settings.
  • D. Disable allow-subnet-overlap under config system settings.

Answer: C


NEW QUESTION # 65
Refer to the exhibit.

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?

  • A. FortiGate has terminated the session after a change on policy ID 1.
  • B. Firewall policy ID 1 has source NAT disabled.
  • C. The type of traffic defined and allowed on firewall policy ID 1 is UDP.
  • D. Changes have been made on firewall policy ID 1 on FortiGate.

Answer: D


NEW QUESTION # 66
Exhibit.

Which conclusion about the packet debug flow output is correct?

  • A. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.
  • B. The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.
  • C. The packet size exceeded the outgoing interface MTU.
  • D. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Answer: A

Explanation:
In a Per-IP shaper configuration, if an IP address exceeds the configured concurrent session limit, the message
"Denied by quota check" appears. SD-WAN 7.0 Study Guide page 287


NEW QUESTION # 67
Refer to the exhibit.

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths.
However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.
Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes' prefixes and their additional paths? (Choose three.)

  • A. Set advertisement-interval to the number of additional paths to advertise
  • B. Enable soft-reconfiguration
  • C. Enable route-reflector-client
  • D. Set additional-path to send
  • E. Set adv-additional-path to the number of additional paths to advertise

Answer: C,D,E


NEW QUESTION # 68
Refer to the exhibit.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to
exchange routes over IPsec?

  • A. type must be set to static.
  • B. mode-cfg must be enabled.
  • C. exchange-interface-ip must be enabled.
  • D. add-route must be disabled.

Answer: D


NEW QUESTION # 69
What are two reasons for using FortiManager to organize and manage the network for a group of FortiGate
devices? (Choose two.)

  • A. It sends probe signals as health checks to the beacon servers on behalf of FortiGate.
  • B. It acts as a policy compliance entity to review all managed FortiGate devices.
  • C. It improves SD-WAN performance on the managed FortiGate devices.
  • D. It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.
  • E. It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

Answer: D,E


NEW QUESTION # 70
Refer to the exhibit.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups.
Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

  • A. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.
  • B. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
  • C. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
  • D. London generates an IKE information message that contains the Toronto public IP address.

Answer: A,B


NEW QUESTION # 71
Refer to the exhibit.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

  • A. type must be set to static.
  • B. mode-cfg must be enabled.
  • C. exchange-interface-ip must be enabled.
  • D. add-route must be disabled.

Answer: D


NEW QUESTION # 72

Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)

  • A. The measured bandwidth is less than 100 KBps.
  • B. The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.
  • C. The traffic shaper drops packets if the bandwidth is less than 2500 KBps.
  • D. The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

Answer: A,B


NEW QUESTION # 73
Which are three key routing principles in SD-WAN? (Choose three.)

  • A. Regular policy routes have precedence over SD-WAN rules.
  • B. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
  • C. FortiGate performs route lookups for new sessions only.
  • D. SD-WAN rules have precedence over ISDB routes.
  • E. By default, SD-WAN members are skipped if they do not have a valid route to the destination.

Answer: A,B,E

Explanation:
Study Guide 7.2, pages 125, 129, 151


NEW QUESTION # 74
Refer to the exhibits.
Exhibit A

Exhibit B

Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate.
Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the static route priority on port2 to 20? (Choose two.)

  • A. FortiGate flags the sessions as dirty.
  • B. FortiGate continues routing the sessions with no SNAT, over port2.
  • C. FortiGate performs a route lookup for the original traffic only.
  • D. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.

Answer: B,D


NEW QUESTION # 75
Refer to the exhibit.

The exhibit shows the output of the command diagnose sys sdwan service collected on a FortiGate device.
The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HQ servers 10.0.0.1.
Based on the exhibits, which two statements are correct? (Choose two.)

  • A. When FortiGate cannot recognize the application of the flow, it steers the traffic destined to server 10.0.0.1 according to service rule 3.
  • B. There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.
  • C. FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.
  • D. FortiGate steers traffic to HQ servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

Answer: A,D


NEW QUESTION # 76
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.

Based on the exhibit, which statement is true?

  • A. You can move port1 from the underlay zone to the overlay zone.
  • B. You can delete the virtual-wan-link zone because it contains no member.
  • C. The corporate zone contains no member.
  • D. The overlay zone contains four members.

Answer: C

Explanation:
Based on the exhibit, the "corporate" zone contains no member (C). In the FortiGate GUI, zones without members do not display any interfaces listed under them, which is the case for the corporate zone in the exhibit. Reference: This conclusion is based on standard Fortinet GUI interpretation and the operational logic of SD-WAN zones as per Fortinet's guidelines and user interface standards.


NEW QUESTION # 77
Refer to the exhibits.


An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.
After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B.
The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.
Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

  • A. Full SSL inspection is not enabled on the matching firewall policy.
  • B. The session 3-tuple did not match any of the existing entries in the ISDB application cache.
  • C. FortiGate did not refresh the routing information on the session after the application was detected.
  • D. Port1 and port2 do not have a valid route to the destination.

Answer: A,D


NEW QUESTION # 78
Refer to the exhibits.


An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator
collected the information shown in exhibit A.
After generating GoToMeeting test traffic, the administrator examined the respective traffic log on
FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit
SD-WAN rule, but they expected the traffic to match rule ID 1.
Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

  • A. Full SSL inspection is not enabled on the matching firewall policy.
  • B. FortiGate did not refresh the routing information on the session after the application was detected.
  • C. Port1 and port2 do not have a valid route to the destination.
  • D. The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Answer: B,D

Explanation:
Study guide 7.2 Page 191


NEW QUESTION # 79
Which two performance SLA protocols enable you to verify that the server response contains a specific value?
(Choose two.)

  • A. dns
  • B. twamp
  • C. http
  • D. icmp

Answer: A,C


NEW QUESTION # 80
Refer to the exhibit.

Based on the exhibit, which action does FortiGate take?

  • A. FortiGate brings up port5 after it detects all SD-WAN members as alive.
  • B. FortiGate brings down port5 after it detects all SD-WAN members as dead.
  • C. FortiGate bounces port5 after it detects all SD-WAN members as dead.
  • D. FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

Answer: C


NEW QUESTION # 81
......


Fortinet NSE7_SDW-7.2 Exam Syllabus Topics:

  • Topic 1 - Rules and Routing: Understanding SD-WAN Rules and Routing is crucial for directing traffic effectively. This topic of the NSE7_SDW-7.2 exam evaluates the capabilities of Fortinet network and security professionals to configure SD-WAN rules and routing.
  • Topic 2 - SD-WAN Troubleshooting: Troubleshooting SD-WAN issues, including rules, routing, and ADVPN, is vital for maintaining network reliability. This section of the Fortinet NSE 7 - SD-WAN 7.2 exam tests the ability to diagnose and resolve SD-WAN problems using diagnostic commands and monitoring tools, ensuring robust and uninterrupted network operations.
  • Topic 3 - SD-WAN Configuration: This topic assesses skills of Fortinet network and security professionals in setting up basic SD-WAN environments, including configuring Direct Internet Access (DIA), SD-WAN Members, and Performance Service Level Agreements (SLAs). Proficiency here ensures the ability to design efficient and resilient SD-WAN configurations.
  • Topic 4 - Centralized Management: This area focuses on deploying and managing SD-WAN through FortiManager, including using IPsec templates and SD-WAN Overlay Templates. Mastery here demonstrates the abilities of Fortinet network and security professionals to streamline SD-WAN configuration, enhance security, and maintain consistent policies across multiple sites.
  • Topic 5 - SD-WAN Overlay Design and Best Practices: It focuses on the deployment of hub-and-spoke IPsec topologies and configuring ADVPN. Proficiency in this topic ensures that Fortinet network and security professionals can implement effective and reliable SD-WAN overlays tailored to organizational needs.
