NSE7_SDW-7.2 Free Practice Test

Refer to the exhibits. Exhibit A -

Exhibit B -

Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA status.
If port2 is detected dead by FortiGate, what is the expected behavior?

1. A. Port2 becomes alive after three successful probes are detected.
2. B. FortiGate removes all static routes for port2.
3. C. The administrator manually restores the static routes for port2, if port2 becomes alive.
4. D. Host 8.8.8.8 is reachable through port1 and port2.

Correct Answer: B
This is due to Update static route is enable which removes the static route entry referencing the interface if the interface is dead

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups.

Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

1. A. London generates an IKE information message that contains the Toronto public IP address.
2. B. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
3. C. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
4. D. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Correct Answer: BD

Refer to the exhibit.

FortiGate has multiple dial-up VPN interfaces incoming on port1 that match only FIRST_VPN.
Which two configuration changes must be made to both IPsec VPN interfaces to allow incoming connections to match all possible IPsec dial-up interfaces? (Choose two.)

1. A. Specify a unique peer ID for each dial-up VPN interface.
2. B. Use different proposals are used between the interfaces.
3. C. Configure the IKE mode to be aggressive mode.
4. D. Use unique Diffie Hellman groups on each VPN interface.

Correct Answer: AC

Refer to the exhibit.

In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling the anti- replay setting on the hubs?

1. A. It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.
2. B. It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.
3. C. It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.
4. D. It instructs the hub to skip content inspection on TCP traffic, to improve performance.

Correct Answer: B

Which two statements describe how IPsec phase 1 main mode is different from aggressive mode when performing IKE negotiation? (Choose two )

1. A. A peer ID is included in the first packet from the initiator, along with suggested security policies.
2. B. XAuth is enabled as an additional level of authentication, which requires a username and password.
3. C. A total of six packets are exchanged between an initiator and a responder instead of three packets.
4. D. The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Correct Answer: BC