A.  

A peer ID is included in the first packet from the initiator, along with suggested security policies.

B.  

XAuth is enabled as an additional level of authentication, which requires a username and password.

C.  

Three packets are exchanged between an initiator and a responder instead of six packets.

D.  

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

A.  

Setadditional-pathtosend

B.  

Enableroute-reflector-client

C.  

Setadvertisement-intervalto the number of additional paths to advertise

D.  

Setadv-additional-pathto the number of additional paths to advertise

E.  

Enablesoft-reconfiguration

A.  

The ISDB is dynamically updated and reduces administrative overhead.

B.  

The ISDB requires application control to maintain signatures and perform load balancing.

C.  

The ISDB applies rules to traffic from specific sources, based on application type.

D.  

The ISDB contains the IP addresses and port ranges of well-known internet services.

A.  

Create a new firewall policy, and the select the SD-WAN zone as Incoming Interface.

B.  

In the traffic shaping policy, select Assign Shaping Class ID as Action.

C.  

In the firewall policy, select Proxy-based as Inspection Mode.

D.  

In the traffic shaping policy, enable Reverse shaper, and then select the traffic shaper to use.

A.  

The traffic shaper drops packets if the bandwidth is less than 2500 KBps.

B.  

The measured bandwidth is less than 100 KBps.

C.  

The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.

D.  

The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.

A.  

FEC supports hardware offloading.

B.  

FEC improves reliability of noisy links.

C.  

FEC transmits parity packets that can be used to reconstruct packet loss.

D.  

FEC can leverage multiple IPsec tunnels for parity packets transmission.

A.  

In the dc1-lan-rm route map configuration, set set-route-tag to 10.

B.  

In SD-WAN rule ID 1, change the destination to use ISDB entries.

C.  

In the dc1-lan-rm route map configuration, unset match-community.

D.  

In the BGP neighbor configuration, apply the route map dc1-lan-rm in the outbound direction.

A.  

You can delete the virtual-wan-link zone because it contains no member.

B.  

The corporate zone contains no member.

C.  

You can move port1 from the underlay zone to the overlay zone.

D.  

The overlay zone contains four members.

A.  

port1 is assigned a manual IP address.

B.  

port1 is referenced in a firewall policy.

C.  

port2 is referenced in a static route.

D.  

port1 and port2 are not administratively down.

A.  

FortiGate flushes all sessions.

B.  

FortiGate terminates the old sessions.

C.  

FortiGate does not change existing sessions.

D.  

FortiGate evaluates new sessions.

A.  

Routes for ADVPN shortcuts must be manually configured.

B.  

SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.

C.  

SD-WAN does not monitor the health and performance of ADVPN shortcuts.

D.  

You must use IKEv2 on IPsec tunnels.

A.  

Interface-based shaping mode

B.  

Reverse-policy shaping mode

C.  

Shared-policy shaping mode

D.  

Per-IP shaping mode

A.  

The type of traffic defined and allowed on firewall policy ID 1 is UDP.

B.  

FortiGate has terminated the session after a change on policy ID 1.

C.  

Changes have been made on firewall policy ID 1 on FortiGate.

D.  

Firewall policy ID 1 has source NAT disabled.

A.  

hold-down-time

B.  

link-down-failover

C.  

auto-discovery-shortcuts

D.  

idle-timeout

A.  

FortiGate does not install IPsec static routes for remote protected networks in the routing table.

B.  

The phase 1 configuration supports the network-overlay setting.

C.  

FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.

D.  

Dead peer detection is disabled.

A.  

Destination internet service must be enabled on the traffic shaping policy.

B.  

Application control must be enabled on the firewall policy.

C.  

Web filtering must be enabled on the firewall policy.

D.  

Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

A.  

The gateway address of their IPsec interfaces

B.  

The tunnel ID of their IPsec interfaces

C.  

The IP address of their IPsec interfaces

D.  

The name of their IPsec interfaces

A.  

The dead member interface stays unavailable until an administrator manually brings the interface back.

B.  

Port2 needs to wait 500 milliseconds to change the status from alive to dead.

C.  

Static routes using port2 are active in the routing table.

D.  

FortiGate has not received three consecutive requests from the SLA server configured for port2.

A.  

When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

B.  

FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

C.  

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.

D.  

FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

A.  

System template

B.  

BGP template

C.  

IPsec tunnel template

D.  

CLI template

E.  

Overlay template

A.  

Specify a unique peer ID for each dial-up VPN interface.

B.  

Use different proposals are used between the interfaces.

C.  

Configure the IKE mode to be aggressive mode.

D.  

Use unique Diffie Hellman groups on each VPN interface.

A.  

FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change.

B.  

FortiGate performs routing lookups for new sessions only, after a route change.

C.  

FortiGate always blocks all traffic, after a route change.

D.  

FortiGate flushes all routing information from the session table, after a route change.

A.  

The number of simultaneous connections among all source IP addresses cannot exceed five connections.

B.  

The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.

C.  

The number of simultaneous connections allowed for each source IP address cannot exceed five connections.

D.  

The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

A.  

Create dynamic mapping for the LAN interface for all devices in the installation target list.

B.  

Use a metadata variable instead of a dynamic interface to define the firewall policy.

C.  

Dynamic mapping should be done automatically. Review the LAN interface configuration for branch2_fgt.

D.  

Policies can refer to only one LAN source interface. Keep only the D-LAN, which is the dynamic LAN interface.

A.  

diagnose sys sdwan zone

B.  

diagnose sys sdwan service

C.  

diagnose sys sdwan member

D.  

diagnose sys sdwan interface

A.  

You can assign only one template with a tunnel of fype static to each FortiGate device

B.  

You can define only one IPsec tunnel from branch devices to HUB1.

C.  

You can assign only one IPsec template to each FortiGate device.

D.  

You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.

A.  

FortiGate updated the outgoing interface list on the rule so it prefers port2.

B.  

Port2 has the highest member priority.

C.  

Port2 has a lower latency than port1.

D.  

SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

A.  

Enable auxiliary-session under config system settings.

B.  

Disable tсp-session-without-syn under config system settings.

C.  

Enable snat-route-change under config system global.

D.  

Disable allow-subnet-overlap under config system settings.

A.  

type must be set to static.

B.  

mode-cfg must be enabled.

C.  

exchange-interface-ip must be enabled.

D.  

add-route must be disabled.