NSE7 - SDW-7.0 Exam - Free Actual Q&As
https://www.examtopics.com/exams/fortinet/nse7-sdw-7-0/custom-view/ 1/72
29/10/23, 0:01 NSE7_SDW-7.0 Exam – Free Actual Q&As, Page 1 | ExamTopics
Topic 1 - Exam A
Question #1 Topic 1
Which diagnostic command can you use to show the member utilization statistics measured by performance SLAs for the last 10 minutes?
Correct Answer: D
Selected Answer: A
Selected Answer: A
Selected Answer: A
A. diagnose sys sdwan intf-sla-log. The answer is on page 321 of the SD-WAN Study Guide.
D. diagnose sys sdwan sla-log is only for viewing the member metrics.
upvoted 2 times
Selected Answer: D
You can view the stored member metrics by running the diagnose sys sdwan sla-log command. Note that you must include the name of the
performance SLA followed by the member configuration index number. To display the SLA logs per interface, you run the
diagnose sys sdwan intf-sla-log command.
upvoted 1 times
Selected Answer: A
Selected Answer: D
You can view the stored member metrics by running the diagnose sys sdwan sla-log command. Note that you must indicate the name of the
performance SLA followed by the member configuration index number. To display the stored member utilization, you run the diagnose sys sdwan
intf-sla-log command.
upvoted 3 times
Question #2 Topic 1
Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)
Correct Answer: AC
Selected Answer: AC
Selected Answer: AC
Selected Answer: AC
Selected Answer: AC
IKE
ESP
Question #3 Topic 1
Which two settings can you configure to speed up routing convergence in BGP? (Choose two.)
A. update-source
B. set-route-tag
C. holdtime-timer
D. link-down-failover
Correct Answer: CD
Selected Answer: CD
Selected Answer: CD
Hold Timer
Link Down fail over
Question #4 Topic 1
Exhibit A -
Exhibit B -
Exhibit A shows the configuration for an SD-WAN rule and exhibit B shows the respective rule status, the routing table, and the member status.
The administrator wants to understand the expected behavior for traffic matching the SD-WAN rule.
Based on the exhibits, what can the administrator expect for traffic matching the SD-WAN rule?
Correct Answer: C
Selected Answer: C
Because the gateway is enabled, FortiGate will not check if the member has a valid route to the destination, therefore MPLS will win because it has
the most SLAs that are met.
upvoted 9 times
Even with T_INET_1_0 being successful in one SLA target (0x1), FortiGate checks how many SLA targets a member meets. The more SLA targets it
meets, the higher its preference. If there are two or more members that meet the same number of SLA targets, then FortiGate uses the member
cost as the tiebreaker, and then the member priority as the last tiebreaker.
With "set gateway enable", T_MPLS_0 should skip the FIB and use gateway 172.16.1.5. It doesn't matter if that gateway may not reach 10.0.0.0/8
set default enable is missing, so SD-WAN rules are skipped if the best route to the destination isn’t an SD-WAN member. They all are.
upvoted 1 times
MPLS has the most SLAs 0x3 but no route. INET_1 has one more SLA than the other. D
upvoted 2 times
Please, check page 145 of SD-WAN7.0. I spent 30 minutes of analyzing that example and thinking and my conclusion is that it must be D.
upvoted 2 times
I thoroughly tested this in my home lab and strictly added the 'set gateway enable' command. Then tried to ping 8.8.4.4 from a LINUX server, with
no internet routes in the FIB. The ping failed. Then I added the 'set default enable' and my ping worked. Since this configuration on the list does
NOT have 'set default enable' I will continue to say the only valid answer is D. INET_1 has a valid route in this example.
upvoted 4 times
MPLS doesn't have a valid route for the destination AND set gateway enable without also set default enable will not allow packets to flow to this member
without a valid route.
INET_1 has a route and meets one SLA target (0x1);
INET_0 has a route but doesn't meet SLA targets (0x0).
upvoted 3 times
Selected Answer: D
MPLS doesn't have a valid route for the destination AND set gateway enable without also set default enable will not allow packets to flow to this member
without a valid route.
INET_1 has a route and meets one SLA target (0x1).
INET_0 has a route but doesn't meet SLA targets (0x0).
upvoted 1 times
Selected Answer: C
To see the valid route, you should look in the database routing table.
MPLS iface is a member of the sdwan rule so it has a valid route even if it is not the best (thus it is not present in the routing table)
upvoted 2 times
MPLS doesn't have a valid route for the destination AND set gateway enable without also set default enable will not allow packets to flow to this member
without a valid route.
INET_1 has a route and meets one SLA target (0x1).
INET_0 has a route but doesn't meet SLA targets (0x0)
upvoted 4 times
Selected Answer: C
I found something maybe more explicative about the "set gateway enable":
https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-deployment-for-mssps/511005/sd-wan-routing-logic
in that document, the "set gateway enable" command is explained as a way to disable the general rule "SD-WAN Member is selected only if it has a
valid route to the destination (not necessarily the best route).". So in this case the correct answer would be C even if there isn't a valid route.
upvoted 1 times
Selected Answer: D
Question #5 Topic 1
Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on
Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)
A. London generates an IKE information message that contains the Toronto public IP address.
B. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
D. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.
Correct Answer: BD
B, D are correct
upvoted 1 times
Question #6 Topic 1
Which two performance SLA protocols enable you to verify that the server response contains a specific value? (Choose two.)
A. http
B. icmp
C. twamp
D. dns
Correct Answer: AD
Selected Answer: AD
A,D correct
Question #7 Topic 1
Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)
A. The traffic shaper drops packets if the bandwidth is less than 2500 KBps.
C. The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.
D. The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.
Correct Answer: BC
Selected Answer: BC
Question #8 Topic 1
Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?
Correct Answer: D
Selected Answer: D
D is correct
Page 209 in Study_Guide 7.0
Page 236 in Study_Guide 7.2
Selected Answer: D
D is correct
upvoted 1 times
Selected Answer: D
D. For using "non-IKE" routes (for example BGP, static and so on) you must disable add-route, which automatically injects kernel routes based on
p2 selectors from the remote site.
From the SD-WAN_7.2_Study_Guide, page 236
upvoted 1 times
upvoted 1 times
Question #9 Topic 1
Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?
Correct Answer: B
Selected Answer: B
B is correct
Page 248 in Study guide 7.0
Page 278 in Study guide 7.2
upvoted 2 times
Selected Answer: B
di de app ike -1
upvoted 1 times
B. to debug the *negotiation* of an ipsec tunnel you should use dia deb app ike -1
with the appropriate filters
nse7.2 study guide 278
upvoted 1 times
Exhibit A -
Exhibit B -
Exhibit A shows the system interface with the static routes and exhibit B shows the firewall policies on the managed FortiGate.
Based on the FortiGate configuration shown in the exhibits, what issue might you encounter when creating an SD-WAN zone for port1 and port2?
Correct Answer: B
Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)
C. Traffic does not match any of the entries in the policy route table.
D. Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.
Correct Answer: AD
Selected Answer: AC
If you are familiar with ECMP, you probably know the v4-ecmp-mode setting available under config system settings. The v4-ecmp-mode setting
defines the algorithm that FortiGate uses to load balance sessions that match ECMP routes in the VDOM.
However, when you enable SD-WAN on FortiGate, FortiOS hides the v4-ecmp-mode setting and replaces it with the load-balance-mode setting
under config system sdwan. That is, after you enable SD-WAN, you now control the VDOM ECMP algorithm with the load-balance-mode setting.
upvoted 1 times
Selected Answer: AC
Selected Answer: AC
sdwan_service_id is 0 = match SD-WAN implicit rule, study guide 7.0 page 120, 7.2 page 149
SD-WAN rules internally are interpreted as a policy route, so when the traffic doesn't match any policy route, it will flow by the implicit
policy.
upvoted 2 times
AC, sdwan_service_id is 0 = match SD-WAN implicit rule, study guide page 120
upvoted 2 times
ans A, C
upvoted 1 times
Selected Answer: AC
D should not be true because when using SD-WAN it doesn't use the v4-ecmp-mode but uses the load-balance-mode
upvoted 3 times
Selected Answer: AC
answer is A and C
upvoted 1 times
Selected Answer: AC
upvoted 1 times
Selected Answer: AD
A and D is correct
upvoted 1 times
An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The
administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0.
Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)
A. The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.
B. T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.
Correct Answer: AB
Selected Answer: AC
Do not confuse the member configuration priority with the Priority setting available on the SD-WAN member configuration. The latter is used for
the priority of static routes for members when you configure static routes for zones. The former refers to the member priority based on the
Interface Preference list configuration. Members that are configured first in the list have higher priority over those configured last. The Priority
setting is used as a tiebreaker for ECMP routes when matching the implicit SD-WAN rule.
upvoted 1 times
Selected Answer: AB
A: Policy routes have a higher precedence than an SD-WAN rule: Page 192 SDWAN 7.2
B: The priority of T_INET_0_1 is lower than T_INET_0_0 and the mode is Manual.
upvoted 3 times
Selected Answer: BC
It’s clear that T_INET_0_0 and T_INET_0_1 have different priorities, there is no route using T_INET_0_0 interface.
upvoted 4 times
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Assigning-Priority-to-SD-WAN-Members-for-Default/ta-p/230911
upvoted 2 times
Selected Answer: AC
A, C are correct
upvoted 1 times
Selected Answer: CD
A and C is correct
upvoted 2 times
Selected Answer: AC
A and C , priority ( on interface preferences) not considered on Manual strategy in sdwan rule
upvoted 3 times
Based on the exhibit, which two actions does FortiGate perform on sessions after a firewall policy change? (Choose two.)
Correct Answer: CD
Selected Answer: CD
C, D are correct.
Study Guide 7.0 page 135.
Study Guide 7.2 page 161.
upvoted 3 times
Selected Answer: CD
Selected Answer: CD
Answer is C and D
upvoted 1 times
Which two statements about SD-WAN central management are true? (Choose two.)
Correct Answer: CD
Selected Answer: AC
Selected Answer: AC
A and C correct
upvoted 1 times
Selected Answer: AC
Selected Answer: AC
Normalized interfaces are not supported for SD-WAN templates. You can create multiple SD-WAN zones and add interface members to the
SD-WAN zones. You must bind the interface members by name to physical interfaces or VPN interfaces.
https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-new-features/794804/new-sd-wan-template-fmg
upvoted 1 times
A. The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper,
C. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper,
D. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy,
Correct Answer: C
Selected Answer: C
In a Per-IP shaper configuration, if an IP address exceeds the configured concurrent session limit, the message "Denied by quota check" appears.
Which are two benefits of using CLI templates in FortiManager? (Choose two.)
B. You can configure interfaces as SD-WAN members without having to remove references first.
C. You can configure FortiManager to sync local configuration changes made on the managed device, to the CLI template.
Correct Answer: AD
Selected Answer: AD
Selected Answer: AD
Official study guide, page 42; "CLI templates are useful for pushing advanced CLI settings that reference meta fields."
upvoted 1 times
Exhibit A -
Exhibit B -
Exhibit A shows the SD-WAN performance SLA and exhibit B shows the SD-WAN member status, the routing table, and the performance SLA
status.
C. The administrator manually restores the static routes for port2, if port2 becomes alive.
Correct Answer: B
Selected Answer: B
B is correct
Study Guide 7.0, page 96.
Study Guide 7.2, page 113.
upvoted 1 times
Selected Answer: B
B is correct
upvoted 1 times
Selected Answer: B
Any static route for port 2 will be gone due to the configuration listed.
upvoted 1 times
Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)
B. ibgp-multipath is disabled.
C. additional-path is enabled.
D. You can run the get router info routing-table database command to display the additional paths.
Correct Answer: AB
Selected Answer: CD
C, D is correct
upvoted 1 times
Selected Answer: CD
Selected Answer: CD
C and D is correct
upvoted 3 times
In a hub-and-spoke topology, what are two advantages of enabling ADVPN on the IPsec overlays? (Choose two.)
Correct Answer: AB
Selected Answer: AB
Selected Answer: AB
Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?
D. All traffic from a source IP to a destination IP is sent to the least used interface.
Correct Answer: B
Selected Answer: A
A is correct
Study Guide 7.0, page 149.
Study Guide 7.2, page 176.
upvoted 2 times
Selected Answer: A
A is correct
upvoted 1 times
Selected Answer: A
Selected Answer: A
A. like ecmp - src-dst is 2 tuple hash that match all session between pair of hosts and assign
them to the same interface
upvoted 1 times
Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)
A. FortiGate does not install IPsec static routes for remote protected networks in the routing table.
C. FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
Correct Answer: AC
Selected Answer: AB
D is false
C is false because there is no auto-discovery-receiver or sender so ADVPN is not configured
Has to be A and B
upvoted 5 times
Selected Answer: AB
The question asks if the config SUPPORTS (not if it's already enabled) "network-overlay" setting. It's true because the phase1-interface is configured
as IKE v2 (IKE v1 doesn't, you can test in any FortiGate just editing a fake phase1-interface). C and D are false (read other comments), so it's A & B.
upvoted 2 times
Selected Answer: AC
Exhibit A -
Exhibit B -
Exhibit A shows the source NAT (SNAT) global setting and exhibit B shows the routing table on FortiGate.
Based on the exhibits, which two actions does FortiGate perform on existing sessions established over port2, if the administrator increases the
D. FortiGate updates the gateway information of the sessions with SNAT so that they use port1 instead of port2.
Correct Answer: AD
Selected Answer: AD
Selected Answer: AD
A, D is correct
upvoted 1 times
Exhibit A -
Exhibit B -
Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube.
Exhibit B shows the firewall policy configuration and the underlay zone status.
Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)
A. The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
B. FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
C. FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
D. Non-TCP Facebook and YouTube traffic are not used for performance measurement.
Correct Answer: AD
Selected Answer: AD
Another comment said "because without using application Control on the firewall policy, SDWAN can't work" but there is a app control "default"
defined on config.
upvoted 4 times
Selected Answer: AD
Selected Answer: AD
If B is correct it should include latency; since it didn't mention the latency, it indicates that latency is able to be measured, so the argument
contradicts itself.
upvoted 1 times
Selected Answer: AB
B because without using "application control" on the firewall policy, SDWAN can't work with YouTube and Facebook configured
upvoted 2 times
Exhibit A -
Exhibit B -
Exhibit A shows an SD-WAN event log and exhibit B shows the member status and the SD-WAN rule configuration.
Based on the exhibits, which two statements are correct? (Choose two.)
A. FortiGate updated the outgoing interface list on the rule so it prefers port2.
Correct Answer: AC
Selected Answer: AC
Selected Answer: AC
Which best describes the SD-WAN traffic shaping mode that bases itself on a percentage of available bandwidth?
Correct Answer: A
Selected Answer: A
A. LAG
B. IPsec
C. Physical
D. GRE
Correct Answer: BD
Selected Answer: BD
Selected Answer: BD
Exhibit A -
Exhibit B -
Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system
When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0,
even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.
Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over
T_INET_1_0?
Correct Answer: B
Selected Answer: A
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/14295/controlling-return-path-with-auxiliary-session
upvoted 1 times
Selected Answer: A
A is correct
Study Guide 7.0, pages 130 - 131
Study Guide 7.2, pages 156 - 157
upvoted 1 times
Selected Answer: A
What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.)
B. The ISDB requires application control to maintain signatures and perform load balancing.
C. The ISDB applies rules to traffic from specific sources, based on application type.
D. The ISDB contains the IP addresses and port ranges of well-known internet services.
Correct Answer: AD
Selected Answer: AD
Selected Answer: AD
Selected Answer: AD
Refer to the exhibit, which shows the IPsec phase 1 configuration of a spoke.
What must you configure on the IPsec phase 1 configuration for ADVPN to work with SD-WAN?
Correct Answer: C
Selected Answer: B
B is correct
Study guide 7.0 below
Study guide 7.2, pages 242 and 270
upvoted 2 times
Selected Answer: B
"B" is the right one, official study guide, pages 215 and 239
upvoted 1 times
Selected Answer: B
B is correct.
upvoted 1 times
Selected Answer: B
Selected Answer: B
"C" is incorrect.
Auto-discovery-sender must be enabled on the hub (page 237, Study Guide).
Selected Answer: B
B. SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.
C. SD-WAN does not monitor the health and performance of ADVPN shortcuts.
Correct Answer: B
Selected Answer: B
Selected Answer: B
C. To indicate the routes that can be used for routing SD-WAN traffic.
Correct Answer: B
Selected Answer: B
Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?
Correct Answer: D
Selected Answer: B
Not sure why people are posting "D" as the answer. It is not an interface showing on the exhibits. Because of this, "B" "When T_MPLS_0 has a
latency of 100 ms." should be the correct answer. Did someone make a major typo?
upvoted 1 times
Selected Answer: B
T_N1PLS_0? where?
upvoted 2 times
Selected Answer: D
D is correct
Study Guide 7.0, page 174
Study Guide 7.2, page 200
upvoted 1 times
Selected Answer: D
D
link-cost-threshold = 10
so actual latency of INT_0_0 = 101.349 * 0.9 = 91.2141
so Int_MPLS must be less than 91.2141 to take over, so D is correct
upvoted 1 times
D is correct
upvoted 1 times
Official study guide, page 174. link-cost-threshold is set to 10 (percent) so the other link must have a latency of less than 90% of the preferred link
upvoted 1 times
Selected Answer: D
Exhibit A -
Exhibit B -
Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.
The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not
Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?
D. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.
Correct Answer: B
B is correct
upvoted 1 times
Selected Answer: B
D. By default, SD-WAN members are skipped if they do not have a valid route to the destination.
E. By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
BDE correct
upvoted 1 times
so it's B, D, E
upvoted 1 times
Based on the output, which two conclusions are true? (Choose two.)
Correct Answer: AD
Selected Answer: AD
Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)
A. When configuring an SD-WAN rule, you can select multiple SLA targets of the same performance SLA.
B. SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements.
C. SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy.
Correct Answer: BC
Selected Answer: BC
page 216
upvoted 1 times
Selected Answer: BD
I think B, D
upvoted 1 times
What does enabling the exchange-interface-ip setting enable FortiGate devices to exchange?
Correct Answer: C
Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members?
Correct Answer: C
Selected Answer: A
Answer is A
upvoted 2 times
diagnose sys sdwan zone displays the configured zones and their members. Note that the output
indicates the kernel interface index number of a member, which should match the index displayed by
diagnose netlink interface list.
upvoted 3 times
Selected Answer: A
Selected Answer: A
A, tested on lab
upvoted 2 times
Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the
sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.
The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate
forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.
Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)
B. The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.
C. The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.
Correct Answer: AD
upvoted 1 times
Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)
A. Cost
B. Interface member
C. Priority
D. Gateway IP
Correct Answer: BD
A. IBGP is preferred over EBGP, because IBGP preserves next hop information.
B. You must use BGP to route traffic for both overlay and underlay links.
Correct Answer: A
An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in
exhibit A.
After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The
administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.
Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)
A. FortiGate did not refresh the routing information on the session after the application was detected.
D. The session 3-tuple did not match any of the existing entries in the ISDB application cache.
Correct Answer: AC
Selected Answer: AD
Which are two expected behaviors of the traffic that matches the traffic shaper? (Choose two.)
A. The number of simultaneous connections among all source IP addresses cannot exceed five connections.
B. The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.
C. The number of simultaneous connections allowed for each source IP address cannot exceed five connections.
D. The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.
Correct Answer: CD
Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.)
A. FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.
C. By default, FortiGate does not check if the selected member has a valid route to the destination.
Correct Answer: BD
Selected Answer: BD
Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)
D. URL categories
E. Application signatures
A. The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.
B. The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.
C. The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.
D. The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.
Correct Answer: D
The exhibit shows the BGP configuration on the hub in a hub-and-spoke topology. The administrator wants BGP to advertise prefixes from spokes
to other spokes over the IPsec overlays, including additional paths. However, when looking at the spoke routing table, the administrator does not
see the prefixes from other spokes and the additional paths.
Based on the exhibit, which three settings must the administrator configure inside each BGP neighbor group so spokes can learn other spokes
B. Enable route-reflector-client
E. Enable soft-reconfiguration
Study Guide 7.2 - Page 240. However, advertisement-interval is used to speed up the convergence (study guide - 7.2)
upvoted 1 times
ABD is correct
upvoted 2 times
ABD is correct
upvoted 3 times
B. FortiGate will not re-evaluate the session following a firewall policy change.
C. FortiGate used 192.2.0.1 as the gateway for the original direction of the traffic.
Correct Answer: D
The exhibit shows the details of a session and the index numbers of some relevant interfaces on a FortiGate appliance that supports hardware
offloading. Based on the information shown in the exhibits, which two statements about the session are true? (Choose two.)
A. The reply direction of the asymmetric traffic flows from port2 to port3.
C. The original direction of the symmetric traffic flows from port3 to port2.
Correct Answer: AB
AB Correct
dev=7-> 6/6->7
study guide 7.2 Page 156
upvoted 1 times
In a dual-hub hub-and-spoke SD-WAN deployment, which is a benefit of disabling the anti-replay setting on the hubs?
A. It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.
B. It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and
C. It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.
D. It instructs the hub to skip content inspection on TCP traffic, to improve performance.
Correct Answer: B
Selected Answer: B
Selected Answer: B
Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?
A. hold-down-time
B. link-down-failover
C. auto-discovery-shortcuts
D. idle-timeout
Correct Answer: A
Selected Answer: A
wait until the hold down time passes and then take action. Accurate monitoring
upvoted 1 times
Which statement about the role of the ADVPN device in handling traffic is true?
A. This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.
B. Two hubs, 10.0.1.101 and 10.0.2.101, are receiving and forwarding queries between each other.
C. This is a hub that has received a query from a spoke and has forwarded it to another spoke.
D. Two spokes, 192.2.0.1 and 10.0.2.101, forward their queries to their hubs.
Correct Answer: C
Based on the exhibit, which two actions does FortiGate perform on traffic passing through port2? (Choose two.)
A. FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change.
B. FortiGate performs routing lookups for new sessions only, after a route change.
D. FortiGate flushes all routing information from the session table, after a route change.
Correct Answer: AB
Selected Answer: AB
D. You do not need to configure firewall policies that accept the SD-WAN traffic.
Correct Answer: B
Which two statements about the SD-WAN zone configuration are true? (Choose two.)
A. The service-sla-tie-break setting enables you to configure preferred member selection based on the best route to the destination.
Correct Answer: AC
Selected Answer: AC
What are two common use cases for remote internet access (RIA)? (Choose two.)
Correct Answer: BC
Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.
Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)
B. On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.
Correct Answer: AB
Based on the exhibit, which change in the measured packet loss will make T_INET_1_0 the new preferred member?
Correct Answer: A
B. FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.
D. FortiGate brings down port5 after it detects all SD-WAN members as dead.
Correct Answer: B
Selected Answer: D
The answer is D
upvoted 1 times
Selected Answer: D
This feature extends fail-detect to aggregate and redundant interfaces. When an aggregate or a redundant interface goes down, the corresponding
fail-alert-interface will be changed to down. When the aggregate or redundant interface comes up, the corresponding fail-alert-interface will be
changed to up.
https://docs.fortinet.com/document/fortigate/6.2.0/new-features/517328/extend-interface-failure-detection-to-aggregate-interfaces
upvoted 1 times
Selected Answer: D
D is correct
upvoted 1 times
Selected Answer: D
Answer is D
upvoted 1 times
This slide shows the effect of Cascade Interfaces based on the configuration shown in the previous slide. If
there is at least one alive member—port1 in the example—the alert interface (port5) is up. However, if all
members are dead, port5 is brought down.
upvoted 1 times
What are two benefits of using forward error correction (FEC) in IPsec VPNs? (Choose two.)
C. FEC transmits parity packets that can be used to reconstruct packet loss.
D. FEC can leverage multiple IPsec tunnels for parity packets transmission.
Correct Answer: BC
Selected Answer: BC
Which two tasks are part of using central VPN management? (Choose two.)
A. You can configure full mesh, star, and dial-up VPN topologies.
D. You configure VPN communities to define common IPsec settings shared by all VPN gateways.
Correct Answer: AD
Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)
A. After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.
C. FortiGate can offload the traffic that is subject to passive monitoring to hardware.
D. FortiGate passively monitors the member if TCP traffic is passing through the member.
Correct Answer: BD