Question 6 of 60

Which are three key routing principles in SD-WAN? (Choose three.)

    Correct Answer: A, B, E

    Three key routing principles in SD-WAN are: SD-WAN members are skipped if they do not have a valid route to the destination, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member, and regular policy routes have precedence over SD-WAN rules.

Question 7 of 60

Refer to the exhibit.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.

Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

    Correct Answer: A, D

    For the Toronto and London spokes to establish an ADVPN shortcut, two configuration settings are required. First, on the hubs, net-device must be enabled on all IPsec VPNs. This ensures that the devices can properly transmit and receive traffic over the VPN connections. Second, on the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes. This setting allows the hubs to send the discovery messages required for establishing dynamic VPN shortcuts between spokes.

Question 8 of 60

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

    Correct Answer: D

    To perform real-time troubleshooting for ADVPN negotiation, the appropriate CLI command is 'diagnose debug application ike'. This command provides detailed debugging information about the Internet Key Exchange (IKE) process, which is integral to the negotiation and establishment of ADVPN (Auto Discovery VPN) tunnels.

Question 9 of 60

What are two common use cases for remote internet access (RIA)? (Choose two.)

    Correct Answer: A, B

    Two common use cases for remote internet access (RIA) are providing internet access through the hub and centralizing security inspection on the hub. These use cases focus on consolidating internet connectivity and security measures in a central location, which can simplify management and enhance security policies.

Question 10 of 60

Refer to the exhibits.

Exhibit A.

Exhibit B.

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.

After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.

Which two reasons explain why some log messages show that the traffic matched the implicit SD-WAN rule? (Choose two.)

    Correct Answer: B, D

    One reason could be that the session 3-tuple, which includes the source IP, destination IP, and port number, did not match any existing entries in the Internet Service Database (ISDB) application cache. This means the traffic is not correctly identified by the application steering rule and defaults to the implicit SD-WAN rule. Another reason is that the FortiGate did not refresh the routing information on the session after the application was detected. By default, sessions subject to Source Network Address Translation (SNAT) are not re-evaluated after an application is identified. Because of this, the traffic continues to match the implicit rule rather than being re-mapped to the intended rule ID 1.