Fortinet NSE7_SDW-7.2 Practice Exams
Last updated on Apr 02, 2025
- Exam Code: NSE7_SDW-7.2
- Exam Name: Fortinet NSE 7 - SD-WAN 7.2
- Certification Provider: Fortinet
- Latest update: Apr 02, 2025
Refer to the exhibit.
Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?
- A . type must be set to static.
- B . mode-cfg must be enabled.
- C . exchange-interface-ip must be enabled.
- D . add-route must be disabled.
Which statement about using BGP for ADVPN is true?
- A . You must use BGP to route traffic for both overlay and underlay links.
- B . You must configure AS path prepending.
- C . You must configure BGP communities.
- D . IBGP is preferred over EBGP, because IBGP preserves next hop information.
Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?
- A . get router info routing-table all
- B . diagnose debug application ike
- C . diagnose vpn tunnel list
- D . get ipsec tunnel list
Refer to the exhibits.
Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.
The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.
Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)
- A . On the receiver FortiGate, packet-de-duplication is enabled.
- B . The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.
- C . The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.
- D . On the sender FortiGate, duplication-max-num is set to 3.
Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)
- A . Encapsulating Security Payload (ESP)
- B . Secure Shell (SSH)
- C . Internet Key Exchange (IKE)
- D . Security Association (SA)
Which are three key routing principles in SD-WAN? (Choose three.)
- A . FortiGate performs route lookups for new sessions only.
- B . Regular policy routes have precedence over SD-WAN rules.
- C . SD-WAN rules have precedence over ISDB routes.
- D . By default, SD-WAN members are skipped if they do not have a valid route to the destination.
- E . By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
Refer to the exhibits.
Exhibit A shows two IPsec templates to define Branch_IPsec_1 and Branch_IPsec_2. Each template defines a VPN tunnel.
Exhibit B shows the error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device.
Which statement best explains the cause for this issue?
- A . You can assign only one template with a tunnel of type static to each FortiGate device.
- B . You can define only one IPsec tunnel from branch devices to HUB1.
- C . You can assign only one IPsec template to each FortiGate device.
- D . You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.
Which are two benefits of using CLI templates in FortiManager? (Choose two.)
- A . You can reference meta fields.
- B . You can configure interfaces as SD-WAN members without having to remove references first.
- C . You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.
- D . You can configure advanced CLI settings.
Refer to the exhibit.
Exhibit A shows the system interface with the static routes and Exhibit B shows the firewall policies on the managed FortiGate.
Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?
- A . port1 is assigned a manual IP address.
- B . port1 is referenced in a firewall policy.
- C . port2 is referenced in a static route.
- D . port1 and port2 are not administratively down.
Refer to the exhibits.
Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.
Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration.
The administrator wants to steer corporate traffic using route tags in the SD-WAN rule ID 1.
However, the administrator observes that the corporate traffic does not match the SD-WAN rule ID 1.
Based on the exhibits, which configuration change is required to fix the issue?
- A . In the dcl-lab-rm route map configuration, set set-route-tag to 10.
- B . In SD-WAN rule ID 1, change the destination to use ISDB entries.
- C . In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.
- D . In the dcl-lab-rm route map configuration, unset match-community.