Practice Free FCSS_SDW_AR-7.4 Exam Online Questions
What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process? (Choose two.)
- A . The FortiGate cloud key has not been added to the FortiGate cloud portal.
- B . FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager.
- C . The zero-touch provisioning process has completed internally, behind FortiGate.
- D . FortiGate has obtained a configuration from the platform template in FortiGate cloud.
- E . A factory reset performed on FortiGate.
Which two tasks are part of using central VPN management? (Choose two.)
- A . You can configure full mesh, star, and dial-up VPN topologies.
- B . You must enable VPN zones for SD-WAN deployments.
- C . FortiManager installs VPN settings on both managed and external gateways.
- D . You configure VPN communities to define common IPsec settings shared by all VPN gateways.
Refer to the exhibit.
Based on the exhibit, which action does FortiGate take?
- A . FortiGate bounces port5 after it detects all SD-WAN members as dead.
- B . FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.
- C . FortiGate brings up port5 after it detects all SD-WAN members as alive.
- D . FortiGate brings down port5 after it detects all SD-WAN members as dead.
Which two statements are true about using SD-WAN to steer local-out traffic? (Choose two.)
- A . FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.
- B . By default, local-out traffic does not use SD-WAN.
- C . By default, FortiGate does not check if the selected member has a valid route to the destination.
- D . You must configure each local-out feature individually, to use SD-WAN.
Refer to the exhibit.
The administrator analyzed the traffic between a branch FortiGate and the server located in the data center, and noticed the behavior shown in the diagram.
When the LAN clients located behind FGT1 establish a session to a server behind DC-1, the administrator observes that, on DC-1, the reply traffic is routed over T2, even though T1 is the preferred member in the matching SD-WAN rule.
What can the administrator do to instruct DC-1 to route the reply traffic through the member with the best performance?
- A . Enable snat-route-change under config system global.
- B . Enable reply-session under config system sdwan.
- C . Enable auxiliary-session under config system settings.
- D . FortiGate route lookup for reply traffic only considers routes over the original ingress interface.
Which two statements about the SD-WAN members are true? (Choose two.)
- A . You can manually define the SD-WAN member sequence number.
- B . Interfaces of type virtual wire pair can be used as SD-WAN members.
- C . Interfaces of type VLAN can be used as SD-WAN members.
- D . An SD-WAN member can belong to two or more SD-WAN zones.
Answer: AC
Explanation:
SD-WAN members can be manually ordered by changing their sequence number (A), which allows administrators to prioritize the interfaces according to the routing requirements. Also, VLAN interfaces can be used as SD-WAN members (C), providing flexibility in network design and the use of existing VLAN infrastructure within the SD-WAN setup.
Refer to the exhibit.
An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network.
The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over HUB1-VPN1.
However, the traffic is routed over HUB1-VPN3.
Based on the output shown in the exhibit, which two reasons, individually or together, could explain the observed behavior? (Choose two.)
- A . HUB1-VPN3 has a higher member configuration priority than HUB1-VPN1.
- B . The traffic matches a regular policy route configured with HUB1-VPN3 as the outgoing device.
- C . HUB1-VPN1 does not have a valid route to the destination.
- D . HUB1-VPN3 has a lower route priority value (higher priority) than HUB1-VPN1.
What are two benefits of using the Internet service database (ISDB) in an SD-WAN rule? (Choose two.)
- A . The ISDB is dynamically updated and reduces administrative overhead.
- B . The ISDB requires application control to maintain signatures and perform load balancing.
- C . The ISDB applies rules to traffic from specific sources, based on application type.
- D . The ISDB contains the IP addresses and port ranges of well-known internet services.
Refer to the exhibits.
You use FortiManager to manage the branch devices and configure the SD-WAN template. You have configured direct internet access (DIA) for the IT department users. Now, you must configure secure internet access (SIA) for all local LAN users and have set the firewall policies as shown in the second exhibit.
Then, when you use the install wizard to install the configuration and the policy package on the branch devices, FortiManager reports an error as shown in the third exhibit.
Which statement describes why FortiManager could not install the configuration on the branches?
- A . You must direct SIA traffic to a VPN tunnel.
- B . You cannot install firewall policies that reference an SD-WAN zone.
- C . You cannot install firewall policies that reference an SD-WAN member.
- D . You cannot install SIA and DIA rules on the same device.
What is true about SD-WAN multiregion topologies?
- A . Each region has its own SD-WAN topology.
- B . It is not compatible with ADVPN.
- C . Regions must correspond to geographical areas.
- D . Routing between the hub and spokes must be BGP.