NEW QUESTION 1
Which two tasks are part of using central VPN management? (Choose two.)

• A. You can configure full mesh, star, and dial-up VPN topologies.
• B. You must enable VPN zones for SD-WAN deployments.
• C. FortiManager installs VPN settings on both managed and external gateways.
• D. You configure VPN communities to define common IPsec settings shared by all VPN gateways.

Answer: AD

NEW QUESTION 2
Refer to the exhibit.

Which statement about the role of the ADVPN device in handling traffic is true?

• A. This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.
• B. Two hubs, 10.0.1.101 and 10.0.2.101, are receiving and forwarding queries between each other.
• C. This is a hub that has received a query from a spoke and has forwarded it to another spoke.
• D. Two spokes, 192.2.0.1 and 10.0.2.101, forward their queries to their hubs.

Answer: C

NEW QUESTION 3
Refer to the exhibit.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.
Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

• A. On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.
• B. On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.
• C. auto-discovery-forwarder must be enabled on all IPsec VPNs.
• D. On the hubs, net-device must be enabled on all IPsec VPNs.

Answer: AB

NEW QUESTION 4
Which components make up the secure SD-WAN solution?

• A. Application, antivirus, and URL, and SSL inspection
• B. Datacenter, branch offices, and public cloud
• C. FortiGate, FortiManager, FortiAnalyzer, and FortiDeploy
• D. Telephone, ISDN, and telecom network.

Answer: C

NEW QUESTION 5
Refer to the exhibit.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0.
Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)

• A. The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.
• B. T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.
• C. T_INET_0_0 does not have a valid route to the destination.
• D. T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

Answer: AC

NEW QUESTION 6
Which statement about SD-WAN zones is true?

• A. An SD-WAN zone can contain only one type of interface.
• B. An SD-WAN zone can contain between 0 and 512 members.
• C. You cannot use an SD-WAN zone in static route definitions.
• D. You can configure up to 32 SD-WAN zones per VDOM.

Answer: D

Explanation:
SD-WAN zones are a group of interfaces that share the same SD-WAN settings, such as health check, SLA, and load balancing. Some characteristics of SD-WAN zones are:
✑ An SD-WAN zone can contain different types of interfaces, such as physical, VLAN, aggregate, and tunnel interfaces1.
✑ An SD-WAN zone can contain up to 512 members1.
✑ You can use an SD-WAN zone in static route definitions, as long as the destination interface is also an SD-WAN zone1.
✑ You can configure up to 32 SD-WAN zones per VDOM1.

NEW QUESTION 7
Refer to the exhibit.

The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not see the prefixes from other spokes and the additional paths.
Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes prefixes and their additional paths? (Choose three.)

• A. Set additional-path to send
• B. Enable route-reflector-client
• C. Set advertisement-interval to the number of additional paths to advertise
• D. Set adv-additional-path to the number of additional paths to advertise
• E. Enable soft-reconfiguration

Answer: ABD

NEW QUESTION 8
Refer to the exhibit.

Which conclusion about the packet debug flow output is correct?

• A. The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.
• B. The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.
• C. The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.
• D. The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

Answer: D

NEW QUESTION 9
Refer to the exhibit.

Based on the exhibit, which action does FortiGate take?

• A. FortiGate bounces port5 after it detects all SD-WAN members as dead.
• B. FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.
• C. FortiGate brings up port5 after it detects all SD-WAN members as alive.
• D. FortiGate brings down port5 after it detects all SD-WAN members as dead.

Answer: A

NEW QUESTION 10
Refer to the exhibit.

Based on the exhibit, which statement about FortiGate re-evaluating traffic is true?

• A. The type of traffic defined and allowed on firewall policy ID 1 is UDP.
• B. FortiGate has terminated the session after a change on policy ID 1.
• C. Changes have been made on firewall policy ID 1 on FortiGate.
• D. Firewall policy ID 1 has source NAT disabled.

Answer: C

NEW QUESTION 11
Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth?

• A. Interface-based shaping mode
• B. Reverse-policy shaping mode
• C. Shared-policy shaping mode
• D. Per-IP shaping mode

Answer: A

Explanation:
Interface-based shaping goes further, enabling traffic controls based on percentage of the interface bandwidth.

NEW QUESTION 12
Refer to the exhibit.

Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)

• A. FortiGate flushes all sessions.
• B. FortiGate terminates the old sessions.
• C. FortiGate does not change existing sessions.
• D. FortiGate evaluates new sessions.

Answer: CD

Explanation:
FortiGate not to flag existing impacted session as dirty by setting firewall-session-dirty to check new. The results is that FortiGate evaluates only new session against the new firewall policy.

NEW QUESTION 13
Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)

• A. Type of physical link connection
• B. Internet service database (ISDB) address object
• C. Source and destination IP address
• D. URL categories
• E. Application signatures

Answer: BCE

NEW QUESTION 14
Refer to the exhibit.

In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling the anti- replay setting on the hubs?

• A. It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.
• B. It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.
• C. It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.
• D. It instructs the hub to skip content inspection on TCP traffic, to improve performance.

Answer: B

NEW QUESTION 15
Refer to the exhibit.

Based on the output, which two conclusions are true? (Choose two.)

• A. There is more than one SD-WAN rule configured.
• B. The SD-WAN rules take precedence over regular policy routes.
• C. The all_rules rule represents the implicit SD-WAN rule.
• D. Entry 1(id=1) is a regular policy route.

Answer: AD

NEW QUESTION 16
Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)

• A. Encapsulating Security Payload (ESP)
• B. Secure Shell (SSH)
• C. Internet Key Exchange (IKE)
• D. Security Association (SA)

Answer: AC

NEW QUESTION 17
......