[2024] NSE7_SDW-7.2 Actual Exam Dumps, NSE7_SDW-7.2 Practice Test [Q45-Q69] | TestBraindump


NEW QUESTION # 45
Refer to the exhibits.
Exhibit A -

Exhibit B -

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.
The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.
Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?

  • A. Application control must be enabled on the firewall policy.
  • B. Destination internet service must be enabled on the traffic shaping policy.
  • C. Web filtering must be enabled on the firewall policy.
  • D. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Answer: A


NEW QUESTION # 46
Refer to the exhibit.

Based on the output, which two conclusions are true? (Choose two.)

  • A. Entry 1 (id=1) is a regular policy route.
  • B. The SD-WAN rules take precedence over regular policy routes.
  • C. There is more than one SD-WAN rule configured.
  • D. The all_rules rule represents the implicit SD-WAN rule.

Answer: A,C


NEW QUESTION # 47
Refer to the exhibit.

Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)

  • A. Priority
  • B. Interface member
  • C. Cost
  • D. Gateway IP

Answer: B,D


NEW QUESTION # 48
Refer to the exhibits.
Exhibit A -

Exhibit B -

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status.
If port2 is detected dead by FortiGate, what is the expected behavior?

  • A. Port2 becomes alive after three successful probes are detected.
  • B. Host 8.8.8.8 is reachable through port1 and port2.
  • C. The administrator manually restores the static routes for port2, if port2 becomes alive.
  • D. FortiGate removes all static routes for port2.

Answer: D

Explanation:
This is because Update static route is enabled, which removes the static route entries referencing the interface when the interface is detected dead.


NEW QUESTION # 49
What three characteristics apply to provisioning templates available on FortiManager? (Choose three.)

  • A. You can apply a system template and a CLI template to the same FortiGate device.
  • B. A template group can contain CLI templates of both types.
  • C. A CLI template can be of type CLI script or Perl script.
  • D. Templates are applied in order, from top to bottom.
  • E. A template group can include a system template and an SD-WAN template.

Answer: B,C,D

Explanation:
According to the FortiManager Administration Guide, provisioning templates are used to configure FortiGate devices in a consistent and efficient way. There are different types of templates, such as system, IPsec, SD-WAN, certificate, and CLI templates. Some characteristics of provisioning templates are:
You can apply a system template and a CLI template to the same FortiGate device, as long as they do not have conflicting settings.
A CLI template can be of type CLI script or Perl script. A CLI script template contains FortiOS CLI commands, while a Perl script template contains Perl code that can generate FortiOS CLI commands.
A template group can include a system template and an SD-WAN template, as well as other types of templates. A template group is a collection of templates that can be applied to multiple devices at once.
A template group can contain CLI templates of both types, as long as they do not have conflicting settings.
Templates are applied in order, from top to bottom. The order of the templates in a template group determines the order in which they are applied to the devices.


NEW QUESTION # 50
Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)

  • A. SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy
  • B. When configuring an SD-WAN rule you can select multiple SLA targets of the same performance SLA
  • C. Member metrics are measured only if an SLA target is configured
  • D. SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements

Answer: A,D


NEW QUESTION # 51
Refer to the exhibit.

Based on the output, which two conclusions are true? (Choose two.)

  • A. The SD-WAN rules take precedence over regular policy routes.
  • B. The all_rules rule represents the implicit SD-WAN rule.
  • C. Entry 1(id=1) is a regular policy route.
  • D. There is more than one SD-WAN rule configured.

Answer: C,D


NEW QUESTION # 52
Refer to the exhibits.


An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.
After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.
Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

  • A. The session 3-tuple did not match any of the existing entries in the ISDB application cache.
  • B. Full SSL inspection is not enabled on the matching firewall policy.
  • C. Port1 and port2 do not have a valid route to the destination.
  • D. FortiGate did not refresh the routing information on the session after the application was detected.

Answer: A,D

Explanation:
Study guide 7.2 Page 191


NEW QUESTION # 53
Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration.
Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?

  • A. When T_MPLS_0 has a latency of 80 ms.
  • B. When T_INET_0_0 has a latency of 250 ms.
  • C. When T_MPLS_0 has a latency of 100 ms.
  • D. When T_INET_0_0 and T_MPLS_0 have the same latency.

Answer: A


NEW QUESTION # 54
Refer to the exhibits.
Exhibit A

Exhibit B

Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule
configuration.
Based on the exhibits, which two statements are correct? (Choose two.)

  • A. SD-WAN rule ID 1 is set to lowest cost (SLA) mode.
  • B. FortiGate updated the outgoing interface list on the rule so it prefers port2.
  • C. Port2 has the highest member priority.
  • D. Port2 has a lower latency than port1.

Answer: B,D


NEW QUESTION # 55
Refer to the exhibit.

Which statement explains the output shown in the exhibit?

  • A. FortiGate will not re-evaluate the session following a firewall policy change.
  • B. FortiGate must re-evaluate the session due to routing change.
  • C. FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.
  • D. FortiGate performed standard FIB routing on the session.

Answer: B

Explanation:
The snat-route-change option is enabled by default. This option enables FortiGate to re-evaluate the routing table and select a new egress interface if the next hop IP address changes. This option only applies to sessions in the dirty state. Sessions in the log state are not affected by routing changes.


NEW QUESTION # 56
Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?

  • A. link-down-failover
  • B. idle-timeout
  • C. auto-discovery-shortcuts
  • D. hold-down-time

Answer: D


NEW QUESTION # 57
Refer to the exhibit.

The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?

  • A. The master tunnel T_INET_0 cannot accept the ADVPN shortcut.
  • B. There are no IPsec tunnel statistics log messages for ADVPN shortcuts.
  • C. There is one shortcut tunnel built from master tunnel T_MPLS_0.
  • D. The VPN tunnel T_MPLS_0 is a shortcut tunnel.

Answer: C

Explanation:
VPN event logs record the status of VPN tunnels, such as the establishment, termination, or failure of a tunnel.
The output includes the following information:
logid: the log ID number
type: the log type, either traffic or event
subtype: the log subtype, either vpn or ipsec
level: the log level, either error, warning, or notice
vd: the virtual domain name
logdesc: the log description
msg: the log message
action: the log action, such as tunnel-up, tunnel-down, or tunnel-stats
remip: the remote IP address
locip: the local IP address
remport: the remote port number
locport: the local port number
outintf: the outgoing interface name
cookies: the IKE SA cookies
user: the user name
group: the user group name
useralt: the alternative user name
xauthuser: the XAuth user name
authgroup: the XAuth user group name
assignip: the assigned IP address
vpntunnel: the VPN tunnel name
tunnellip: the tunnel loopback IP address
tunnelid: the tunnel ID number
tunneltype: the tunnel type, either ipsec or ssl
duration: the tunnel duration in seconds
sentbyte: the number of bytes sent
rcvdbyte: the number of bytes received
nextstat: the next statistics interval in seconds
advpnsc: the ADVPN shortcut flag, either 0 or 1
Based on the exhibit, the following statement is true:
There is one shortcut tunnel built from master tunnel T_MPLS_0. This means that the VPN tunnel T_MPLS_0 is a master tunnel that can send ADVPN shortcut offers to other spokes, and the VPN tunnel T_MPLS_0_0 is a shortcut tunnel that is built from the master tunnel T_MPLS_0. In the exhibit, the log action for T_MPLS_0 is tunnel-up, and the log action for T_MPLS_0_0 is shortcut-up. The advpnsc flag for T_MPLS_0 is 0, indicating that it is not a shortcut tunnel, while the advpnsc flag for T_MPLS_0_0 is 1, indicating that it is a shortcut tunnel.


NEW QUESTION # 58
Refer to the exhibit.

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.
Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes' prefixes and their additional paths? (Choose three.)

  • A. Set adv-additional-path to the number of additional paths to advertise
  • B. Set advertisement-interval to the number of additional paths to advertise
  • C. Set additional-path to send
  • D. Enable route-reflector-client
  • E. Enable soft-reconfiguration

Answer: A,C,D


NEW QUESTION # 59
Refer to the exhibits.

Exhibit A shows two IPsec templates to define Branch_IPsec_1 and Branch_IPsec_2. Each template defines a VPN tunnel.
Exhibit B shows the error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device.
Which statement best explains the cause of this issue?

  • A. You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.
  • B. You can define only one IPsec tunnel from branch devices to HUB1.
  • C. You can assign only one IPsec template to each FortiGate device.
  • D. You can assign only one template with a tunnel of type static to each FortiGate device

Answer: A

Explanation:
The error message indicates that there is a conflict between the IPsec templates Branch_IPsec_1 and Branch_IPsec_2 for the device branch1_fgt. This means that the device already has an IPsec tunnel with the name HUB1-VPN2 configured, and the second template is trying to assign the same name to another tunnel.
This is not allowed, as each IPsec tunnel must have a unique name. Therefore, the administrator should review the branch1_fgt configuration and either delete or rename the existing tunnel with the name HUB1-VPN2 before assigning the second template.
References: IPsec tunnel templates; IPsec VPN template 6.4.3; Understand and Use Debug Commands to Troubleshoot IPsec; L2L VPN Troubleshooting: "IPSec policy invalidated proposal with error ..."


NEW QUESTION # 60
Refer to the exhibits.

Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.
The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.
Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)

  • A. On the sender FortiGate, duplication-max-num is set to 3.
  • B. The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.
  • C. On the receiver FortiGate, packet-de-duplication is enabled.
  • D. The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.

Answer: A,C


NEW QUESTION # 61
Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

  • A. The sdwan_service_id flag in the session information is 0.
  • B. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.
  • C. All SD-WAN rules have the default setting enabled.
  • D. Traffic does not match any of the entries in the policy route table.

Answer: A,D

Explanation:
sdwan_service_id is 0 = the session matched the implicit SD-WAN rule (study guide 7.0 page 120, 7.2 page 149). SD-WAN rules are internally interpreted as policy routes, so when traffic does not match any policy route, it is forwarded by the implicit rule.


NEW QUESTION # 62
Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)

  • A. Secure Shell (SSH)
  • B. Internet Key Exchange (IKE)
  • C. Security Association (SA)
  • D. Encapsulating Security Payload (ESP)

Answer: B,D


NEW QUESTION # 63
Refer to the exhibit.

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?

  • A. FortiGate has terminated the session after a change on policy ID 1.
  • B. Firewall policy ID 1 has source NAT disabled.
  • C. The type of traffic defined and allowed on firewall policy ID 1 is UDP.
  • D. Changes have been made on firewall policy ID 1 on FortiGate.

Answer: D


NEW QUESTION # 64
What three characteristics apply to provisioning templates available on FortiManager? (Choose three.)

  • A. You can apply a system template and a CLI template to the same FortiGate device.
  • B. A template group can contain CLI templates of both types.
  • C. A CLI template can be of type CLI script or Perl script.
  • D. Templates are applied in order, from top to bottom.
  • E. A template group can include a system template and an SD-WAN template.

Answer: B,C,D

Explanation:
According to the FortiManager Administration Guide, provisioning templates are used to configure FortiGate devices in a consistent and efficient way. There are different types of templates, such as system, IPsec, SD-WAN, certificate, and CLI templates. Some characteristics of provisioning templates are:
You can apply a system template and a CLI template to the same FortiGate device, as long as they do not have conflicting settings.
A CLI template can be of type CLI script or Perl script. A CLI script template contains FortiOS CLI commands, while a Perl script template contains Perl code that can generate FortiOS CLI commands.
A template group can include a system template and an SD-WAN template, as well as other types of templates. A template group is a collection of templates that can be applied to multiple devices at once.
A template group can contain CLI templates of both types, as long as they do not have conflicting settings.
Templates are applied in order, from top to bottom. The order of the templates in a template group determines the order in which they are applied to the devices.


NEW QUESTION # 65
Refer to the exhibits.

Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.
The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.
Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)

  • A. On the sender FortiGate, duplication-max-num is set to 3.
  • B. The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.
  • C. On the receiver FortiGate, packet-de-duplication is enabled.
  • D. The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.

Answer: A,C


NEW QUESTION # 66
Refer to the exhibit.

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change?
(Choose two.)

  • A. FortiGate terminates the old sessions.
  • B. FortiGate flushes all sessions.
  • C. FortiGate does not change existing sessions.
  • D. FortiGate evaluates new sessions.

Answer: C,D

Explanation:
FortiGate can be configured not to flag existing impacted sessions as dirty by setting firewall-session-dirty to check-new. The result is that FortiGate evaluates only new sessions against the new firewall policy, and existing sessions are left unchanged.


NEW QUESTION # 67
Which two interfaces are considered overlay links? (Choose two.)

  • A. IPsec
  • B. GRE
  • C. LAG
  • D. Physical

Answer: A,B


NEW QUESTION # 68
Which are three key routing principles in SD-WAN? (Choose three.)

  • A. Regular policy routes have precedence over SD-WAN rules.
  • B. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
  • C. SD-WAN rules have precedence over ISDB routes.
  • D. FortiGate performs route lookups for new sessions only.
  • E. By default, SD-WAN members are skipped if they do not have a valid route to the destination.

Answer: A,B,E

Explanation:
Study Guide 7.2, pages 125, 129, 151

