Fortinet NSE 7 Network Security Architect NSE7_SDW-6.4 Questions & Answers

• Question 1:

  Refer to the exhibit.

  

  Which two statements about the debug output are correct? (Choose two )

  A. The debug output shows per-IP shaper values and real-time readings.

  B. This traffic shaper drops traffic that exceeds the set limits.

  C. Traffic being controlled by the traffic shaper is under 1 Kbps.

  D. FortiGate provides statistics and reading based on historical traffic logs.

  Correct Answer: AB

• Question 2:

  Refer to exhibits.

  Exhibit A.

  

  Exhibit B.

  

  Exhibit A shows the traffic shaping policy and exhibit B show: the firewall policy

  FortiGate is not performing traffic shaping as expected basi on the policies shown in the exhibits.

  To correct this traffic shaping issue on FortiGate, what configuration change must be made on which policy?

  A. The shaper mode must be applied per-IP shaper on the traffic shaping policy

  B. The application control profile must be enabled on the firewall policy.

  C. The web filter profile must be enabled on the firewall policy

  D. The URL category must be specified on the traffic shaping policy

  Correct Answer: C

  SD-WAN_6.4_Study_Guide page 131

• Question 3:

  Refer to the exhibit.

  

  Based on the exhibit, which two actions does FortiGate perform on traffic passing through the SD-WAN member port2? (Choose two.)

  A. FortiGate performs routing lookups for new sessions only after a route change.

  B. FortiGate marks the routing information on existing sessions as persistent.

  C. FortiGate flushes all routing information from the session table after a route change.

  D. FortiGate always blocks all traffic after a route change.

  Correct Answer: AB

• Question 4:

  What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process? (Choose two.)

  A. The FortiGate cloud key has not been added to the FortiGate cloud portal.

  B. FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager

  C. The zero-touch provisioning process has completed internally, behind FortiGate.

  D. FortiGate has obtained a configuration from the platform template in FortiGate cloud.

  E. A factory reset performed on FortiGate.

  Correct Answer: AC

• Question 5:

  Which two statements describe how IPsec phase 1 main mode is different from aggressive mode when performing IKE negotiation? (Choose two )

  A. A peer ID is included in the first packet from the initiator, along with suggested security policies.

  B. XAuth is enabled as an additional level of authentication, which requires a username and password.

  C. A total of six packets are exchanged between an initiator and a responder instead of three packets.

  D. The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

  Correct Answer: BC

• Question 6:

  Refer to exhibits.

  

  

  Exhibit A shows the firewall policy and exhibit B shows the traffic shaping policy.

  The traffic shaping policy is being applied to all outbound traffic; however, inbound traffic is not being evaluated by the shaping policy.

  Based on the exhibits, what configuration change must be made in which policy so that traffic shaping can be applied to inbound traffic?

  A. Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

  B. In the traffic shaping policy, select Assign Shaping Class ID as Action.

  C. In the firewall policy, select Proxy-based as Inspection Mode.

  D. In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

  Correct Answer: D

• Question 7:

  Refer to the exhibit.

  

  Which conclusion about the packet debug flow output is correct?

  A. The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

  B. The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

  C. The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

  D. The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

  Correct Answer: D

• Question 8:

  Refer to the exhibit.

  

  Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)

  A. FortiGate creates separate virtual interfaces for each dial-up client.

  B. FortiGate creates a single IPsec virtual interface that is shared by all clients.

  C. FortiGate maps the remote gateway 100.64.3.1 to tunnel index interface 1.

  D. FortiGate does not install IPsec static routes for remote protected networks in the routing table.

  Correct Answer: BC

  If net-device is disabled, FortiGate creates a single IPSEC virtual interface that is shared by all IPSEC clients connecting to the same dialup VPN. In this case, the tunnel-search setting determines how FortiGate learns the network behind each remote client.

• Question 9:

  Which two statements describe how IPsec phase 1 aggressive mode is different from main mode when performing IKE negotiation? (Choose two)

  A. A peer ID is included in the first packet from the initiator, along with suggested security policies.

  B. XAuth is enabled as an additional level of authentication, which requires a username and password.

  C. A total of six packets are exchanged between an initiator and a responder instead of three packets.

  D. The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

  Correct Answer: BC

• Question 10:

  Which two benefits from using forward error correction (FEC) in IPsec VPNs are true? (Choose two.)

  A. FEC transmits the original payload in full to recover the error in transmission.

  B. FEC reduces the stress on the remote device buffer to reconstruct packet loss.

  C. FEC transmits additional packets as redundant data to the remote device.

  D. FEC improves reliability, which overcomes adverse WAN conditions such as noisy links.

  Correct Answer: CD