Visit here for our full Fortinet FCSS_SDW_AR-7.4 exam dumps and practice test questions.
Question 121
What is the primary advantage of implementing IPsec overlays in SD-WAN deployments?
A) Increase available bandwidth automatically
B) Provide secure encrypted connectivity over untrusted networks
C) Eliminate the need for routing protocols
D) Reduce hardware costs by 50 percent
Answer: B
Explanation:
IPsec overlays have become a foundational component of modern SD-WAN architectures, particularly as organizations shift from private MPLS networks to internet-based connectivity. The primary advantage of implementing IPsec overlays in SD-WAN deployments is providing secure encrypted connectivity over untrusted networks like the public internet. IPsec creates encrypted tunnels between FortiGate devices, ensuring that sensitive corporate data remains confidential and protected from interception even when traversing public infrastructure. This security enables organizations to safely use low-cost internet connections instead of expensive private circuits while maintaining enterprise-grade security. IPsec overlays provide authentication, ensuring that only authorized devices can participate in the corporate network, encryption protecting data confidentiality, and integrity verification preventing tampering. In SD-WAN contexts, IPsec tunnels become SD-WAN members that can be included in zones and referenced in rules just like physical interfaces. The combination of SD-WAN intelligence with IPsec security creates Secure SD-WAN, delivering both performance optimization and comprehensive security. FortiGate supports various IPsec configurations including route-based and policy-based VPNs, with route-based tunnels being preferred for SD-WAN due to their flexibility. IPsec overlays also enable consistent security policies across all WAN connections regardless of transport type. Option A is incorrect because IPsec overlays don’t increase physical bandwidth; they actually add overhead due to encryption headers, slightly reducing available payload capacity. However, this tradeoff is acceptable for the security benefits gained. Option C is incorrect because routing protocols are still necessary in IPsec overlay networks to exchange reachability information between sites. Protocols like BGP or OSPF typically run over IPsec tunnels. 
Option D is incorrect because while SD-WAN can reduce costs through internet usage, IPsec implementation doesn’t specifically reduce hardware costs by any particular percentage.
Question 122
Which BGP attribute does FortiGate SD-WAN modify to influence inbound traffic path selection?
A) Local preference
B) AS-PATH prepending
C) MED
D) Community strings
Answer: B
Explanation:
When organizations connect to multiple internet service providers or use dual-homed internet connections, controlling inbound traffic becomes important for ensuring traffic enters through preferred paths and for implementing effective load balancing. BGP provides various mechanisms for influencing routing decisions, and understanding which attributes affect inbound versus outbound traffic is essential for SD-WAN architects. AS-PATH prepending is the BGP attribute FortiGate SD-WAN commonly modifies to influence inbound traffic path selection from upstream providers. AS-PATH prepending works by artificially lengthening the AS-PATH attribute by repeating the local autonomous system number multiple times when advertising routes to BGP peers. Since BGP path selection prefers shorter AS-PATH lengths, prepending makes a path appear less attractive, causing remote networks to prefer alternative paths when available. In SD-WAN scenarios, AS-PATH prepending can be used to implement active-passive or active-active traffic distribution across multiple internet connections. For example, to prefer ISP-A for inbound traffic while keeping ISP-B as backup, the organization would prepend additional AS numbers when advertising to ISP-B, making that path less preferred by remote networks. AS-PATH prepending is effective because it influences BGP decisions globally across the internet, though the effectiveness depends on remote networks having alternative paths available. FortiGate can dynamically adjust AS-PATH prepending based on link conditions, implementing intelligent inbound traffic steering coordinated with SD-WAN outbound path selection. Option A is incorrect because local preference is used to influence outbound traffic path selection within an autonomous system, not inbound traffic from external networks. Local preference isn’t advertised to external BGP peers. 
Option C is incorrect because MED (Multi-Exit Discriminator) has limited scope, only influencing path selection by the directly connected neighboring AS, and many providers ignore MED values. Option D is incorrect because community strings are tags used for policy application and grouping but don’t directly influence path selection algorithms in BGP.
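Added example, not FortiGate code: a simplified BGP decision process showing how prepending on the advertisement to ISP-B makes a remote network prefer ISP-A, and why a remote operator's own local preference can still override it. The AS numbers, prefix and peerings are constructed.

```python
"""AS-PATH prepending in a simplified BGP best-path decision (added example, not FortiGate code).

Constructed topology: enterprise AS 65001 is dual-homed to ISP-A (AS 64501) and ISP-B (AS 64502);
a remote AS peers with both ISPs and must pick one path to the enterprise prefix.
"""
from dataclasses import dataclass
from typing import List

ENTERPRISE_AS, ISP_A, ISP_B = 65001, 64501, 64502
PREFIX = "192.0.2.0/24"          # constructed documentation prefix


@dataclass
class Route:
    prefix: str
    via: str                     # which ISP the remote AS would forward through
    as_path: List[int]           # nearest AS first
    local_pref: int = 100        # assigned by the receiving AS; never carried over eBGP
    med: int = 0


def advertise(prefix: str, local_as: int, via: str, prepend: int = 0) -> Route:
    """Route as sent by the enterprise edge; 'prepend' extra copies of its own ASN lengthen the path."""
    return Route(prefix, via, [local_as] * (1 + prepend))


def received_via(route: Route, provider_as: int) -> Route:
    """Route as the remote AS sees it after the provider prepends its own ASN on re-advertisement."""
    return Route(route.prefix, route.via, [provider_as] + route.as_path, route.local_pref, route.med)


def best_path(candidates: List[Route]) -> Route:
    """First steps of the BGP decision process: highest LOCAL_PREF, shortest AS_PATH, then lowest MED.
    MED is only compared between paths learned from the same neighbouring AS."""
    def rank(r: Route):
        return (-r.local_pref, len(r.as_path))
    ranked = sorted(candidates, key=rank)
    tied = [r for r in ranked if rank(r) == rank(ranked[0])]
    if len(tied) > 1 and len({r.as_path[0] for r in tied}) == 1:
        tied.sort(key=lambda r: r.med)
    return tied[0]


def inbound_choice(prepend_to_isp_b: int = 0, remote_local_pref_b: int = 100) -> str:
    """Which ISP the remote AS uses to reach the enterprise prefix."""
    via_a = received_via(advertise(PREFIX, ENTERPRISE_AS, "ISP-A"), ISP_A)
    via_b = received_via(advertise(PREFIX, ENTERPRISE_AS, "ISP-B", prepend=prepend_to_isp_b), ISP_B)
    via_b.local_pref = remote_local_pref_b   # the remote AS's own policy, outside the enterprise's control
    return best_path([via_b, via_a]).via
```

With two prepends toward ISP-B the remote network picks ISP-A; if that network sets a higher local preference on its ISP-B session, prepending is overridden, which is the limit the explanation notes.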
Question 123
What is the maximum number of SD-WAN zones that can be configured on a FortiGate device?
A) 32
B) 64
C) 128
D) 256
Answer: D
Explanation:
SD-WAN zones provide logical organization of SD-WAN members, enabling simplified policy management and flexible network design. Understanding zone limitations is important for architecting large-scale SD-WAN deployments that may require segmenting WAN connections based on various criteria including performance characteristics, security levels, cost, or geographic location. FortiGate supports up to 256 SD-WAN zones, matching the maximum number of SD-WAN members and providing extensive flexibility for complex deployments. This high limit enables sophisticated designs where zones represent different connection types such as MPLS overlay zone, internet underlay zone, LTE backup zone, cloud connectivity zone, and regional zones for different geographic areas. Large enterprises with diverse WAN connectivity can leverage multiple zones to implement granular traffic steering policies that align with business requirements. For example, critical real-time applications might be restricted to high-performance MPLS zones, general business traffic might use internet zones with appropriate security, and bulk data transfers might use high-bandwidth but higher-latency zones. The ability to configure 256 zones ensures that zone limitations don’t constrain network design, though practical deployments typically use far fewer zones for operational simplicity. Each zone can contain multiple members, and members can belong to multiple zones if needed for policy flexibility. Effective zone design balances granularity for precise traffic control against operational complexity and maintainability. Option A is incorrect because 32 zones would be insufficient for large enterprise deployments requiring extensive segmentation of WAN connectivity across many sites and connection types. Option B is incorrect because 64 zones, while more substantial, still doesn’t represent FortiGate’s actual capability and could limit design flexibility in very large deployments. 
Option C is incorrect because 128 zones is not the maximum supported; FortiGate actually supports up to 256 zones for maximum design flexibility.
Question 124
Which feature enables FortiGate to identify and classify applications for SD-WAN steering?
A) Deep packet inspection
B) Port-based classification only
C) DNS filtering
D) IP address matching
Answer: A
Explanation:
Application-aware routing is a defining characteristic of SD-WAN that differentiates it from traditional WAN routing approaches. Accurate application identification is essential for steering different application types across appropriate WAN paths based on their specific requirements. FortiGate uses deep packet inspection (DPI) to identify and classify applications for SD-WAN steering decisions. Deep packet inspection examines packet payloads beyond just headers, analyzing application-layer data to identify specific applications regardless of the ports they use. This capability is critical because modern applications often use dynamic ports, encrypted connections, or tunnel through standard ports like 80 and 443, making simple port-based identification inadequate. FortiGate’s DPI engine, powered by FortiGuard application control signatures, can identify thousands of applications including web services, collaboration tools, cloud applications, streaming media, and custom business applications. The identification happens in real-time as traffic flows through the firewall, enabling immediate classification and appropriate SD-WAN rule matching. DPI can identify applications even within encrypted HTTPS sessions using techniques like SNI examination and certificate analysis without breaking encryption. Once applications are identified, SD-WAN rules can reference application categories or specific applications to implement intelligent steering. For example, rules can direct Microsoft 365 traffic to low-latency paths, Salesforce to specific internet breakouts, and backup traffic to high-bandwidth connections. The combination of accurate application identification through DPI and flexible SD-WAN rules enables true intent-based networking aligned with business priorities. 
Option B is incorrect because port-based classification alone is insufficient for modern application identification, as many applications use non-standard or dynamic ports, and multiple applications may share common ports. Option C is incorrect because DNS filtering identifies domains and websites but doesn’t provide comprehensive application classification for all traffic types. Option D is incorrect because IP address matching can identify destination networks but doesn’t classify the actual application being used.
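As an added example (not FortiGate code), the following Python builds a constructed TLS ClientHello, pulls the SNI out of it without any decryption, and maps the hostname to an application the way a DPI classifier would; the hostname-suffix table is an illustrative assumption standing in for a signature database.

```python
"""Pull the SNI out of a TLS ClientHello without decryption (added example, not FortiGate code)."""
import struct
from typing import Optional

# Constructed hostname-suffix to application table; a DPI engine uses a signature database instead.
APP_SUFFIXES = {"office365.com": "Microsoft 365", "office.com": "Microsoft 365", "salesforce.com": "Salesforce"}


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS record carrying a ClientHello whose only extension is server_name (test input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    body = (b"\x03\x03"                       # client_version TLS 1.2
            + b"\x11" * 32                    # random (constructed, not random)
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16:
            return None                                               # not a handshake record
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None                                               # not a ClientHello
        pos = 4 + 2 + 32                                              # header, version, random
        pos += 1 + hs[pos]                                            # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]            # cipher_suites
        pos += 1 + hs[pos]                                            # compression_methods
        if pos >= len(hs):
            return None                                               # no extensions at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                data = hs[pos:pos + ext_len]
                list_end = 2 + struct.unpack("!H", data[:2])[0]
                i = 2
                while i + 3 <= list_end:
                    name_len = struct.unpack("!H", data[i + 1:i + 3])[0]
                    if data[i] == 0:                                  # host_name entry
                        return data[i + 3:i + 3 + name_len].decode("ascii")
                    i += 3 + name_len
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def classify(record: bytes) -> str:
    """Map the SNI to an application name; anything unmatched or without SNI is 'Unknown'."""
    sni = extract_sni(record)
    if sni is None:
        return "Unknown"
    for suffix, app in APP_SUFFIXES.items():
        if sni == suffix or sni.endswith("." + suffix):
            return app
    return "Unknown"
```

Note that SNI is client-asserted and absent with Encrypted ClientHello, which is why a real engine combines it with certificate and behavioural signatures rather than trusting the name alone.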
Question 125
What is the recommended strategy for steering VoIP traffic in SD-WAN?
A) Volume-based
B) Lowest cost
C) Best quality (lowest latency)
D) Spillover
Answer: C
Explanation:
Different applications have different network requirements, and selecting appropriate SD-WAN strategies for each application type is crucial for ensuring optimal user experience. VoIP and other real-time communications applications are particularly sensitive to network conditions and require careful path selection. The recommended strategy for steering VoIP traffic in SD-WAN is best quality, also known as lowest latency strategy. This strategy evaluates all available SD-WAN members and selects the path currently offering the best performance characteristics including lowest latency, minimal jitter, and lowest packet loss. VoIP quality degrades rapidly when latency exceeds 150 milliseconds, jitter exceeds 30 milliseconds, or packet loss exceeds 1 percent, making performance-based path selection essential. The best quality strategy continuously monitors Performance SLA metrics through health checks and automatically selects the optimal path for each new call session. If network conditions change during a call and the current path degrades below SLA thresholds, SD-WAN can steer new calls to better paths, though moving existing calls is generally avoided to prevent disruption. Best quality strategy prioritizes performance over cost or load distribution, accepting that VoIP traffic might concentrate on the highest-quality link rather than being distributed for load balancing. This approach ensures consistent voice quality and user satisfaction. Organizations should configure Performance SLA health checks with thresholds matching voice quality requirements and apply best quality strategy specifically to VoIP applications identified through DPI or port classification. Option A is incorrect because volume-based strategy distributes traffic to balance bandwidth utilization rather than selecting the lowest latency path, which could result in VoIP calls using suboptimal paths. 
Option B is incorrect because lowest cost strategy prioritizes economical connections over performance, potentially routing VoIP over high-latency or congested paths that degrade call quality. Option D is incorrect because spillover strategy uses a primary path until capacity is exhausted, then overflows to secondary paths, which doesn’t provide the consistent low-latency routing VoIP requires.
Question 126
Which command is used to configure SD-WAN on FortiGate CLI?
A) config system virtual-wan-link
B) config system sdwan
C) config router sdwan
D) config wan-optimization sdwan
Answer: B
Explanation:
Understanding the correct CLI syntax for configuring SD-WAN is essential for FortiGate administrators implementing and troubleshooting SD-WAN deployments. The proper command to configure SD-WAN on FortiGate CLI is “config system sdwan”. This command enters the SD-WAN configuration context where administrators can configure SD-WAN status (enable/disable), define SD-WAN zones, add members to zones, configure health checks and Performance SLA settings, and define SD-WAN rules for traffic steering. The configuration hierarchy under this command includes multiple sub-contexts: “config members” for adding interfaces or tunnels as SD-WAN members with associated settings like priority and weight, “config health-check” for defining probes that monitor path performance, “config zone” for creating logical groupings of members, and “config service” for creating SD-WAN rules that match traffic and apply steering strategies. Modern FortiOS versions use this standardized “config system sdwan” syntax, replacing the older “config system virtual-wan-link” from earlier versions. The CLI configuration must be coordinated with firewall policies that reference SD-WAN zones as source or destination interfaces. Complete SD-WAN configuration typically involves first defining zones, adding members to zones with appropriate gateway and interface assignments, configuring health checks with SLA thresholds matching application requirements, and creating SD-WAN rules that identify traffic and apply appropriate strategies. The CLI provides more granular control and visibility compared to GUI configuration for advanced deployments. Option A is incorrect because “config system virtual-wan-link” was the legacy command used in older FortiOS versions before the feature was rebranded as SD-WAN; current versions use “config system sdwan”. Option C is incorrect because “config router sdwan” is not valid FortiOS syntax; SD-WAN configuration is under the system context, not router context. 
Option D is incorrect because “config wan-optimization sdwan” is not valid syntax; WAN optimization and SD-WAN are separate features with different configuration commands.
Question 127
What is the purpose of Performance SLA targets in health checks?
A) Define encryption strength requirements
B) Specify monitoring destinations and thresholds
C) Configure bandwidth allocation limits
D) Set firewall policy priorities
Answer: B
Explanation:
Performance SLA health checks are the foundation of SD-WAN’s ability to make intelligent routing decisions based on actual network conditions. Understanding how to configure these health checks properly is essential for effective SD-WAN implementations. Performance SLA targets specify the monitoring destinations and thresholds that define acceptable performance for different traffic types. Each health check configuration includes one or more targets, which are IP addresses or FQDNs that FortiGate sends probes to for measuring latency, jitter, and packet loss. Targets should be carefully selected based on what they represent: gateway addresses for measuring ISP connectivity, specific application servers for monitoring path quality to critical services, or well-known internet destinations for general internet performance. The health check also defines thresholds including maximum acceptable latency, maximum jitter, maximum packet loss percentage, and probe intervals. When measurements exceed configured thresholds, the associated SD-WAN member is marked as failing SLA, and SD-WAN rules requiring SLA compliance won’t use that member. Multiple health checks can be configured with different targets and thresholds to match various application requirements, for example, strict thresholds for voice applications and relaxed thresholds for bulk data transfers. Health checks support various probe types including ping, HTTP GET, TCP connect, and DNS queries, with ping being most common for its simplicity and low overhead. Proper target selection ensures health checks accurately represent the performance applications will experience. Option A is incorrect because encryption strength is configured in VPN settings, not in Performance SLA health checks which focus on monitoring network performance characteristics. 
Option C is incorrect because bandwidth allocation is configured through traffic shaping policies, not health check targets which measure performance rather than limit throughput. Option D is incorrect because firewall policy priorities are set in the firewall policy configuration, not in SD-WAN health checks which serve a different purpose.
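Added example, not Fortinet's code: a small parser for the config/edit/set/next/end nesting described in Questions 126 and 127, run over a constructed `config system sdwan` fragment, plus the cross-reference checks a reviewer would run before applying it (zone exists, member priority in range, every health check has a probe target, rule members actually probed by the rule's health check). Keywords beyond the four sub-contexts named on the page (`set server`, `set latency-threshold`, `set priority-members` and so on) are assumed FortiOS syntax; verify them against your version's CLI reference.

```python
"""Parse a FortiOS 'config system sdwan' fragment and cross-check it (added example, not Fortinet code).
The fragment is constructed; keywords beyond config members/health-check/zone/service are assumed FortiOS syntax."""
import shlex

SDWAN_CLI = """\
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
            set priority 1
        next
        edit 2
            set interface "port2"
            set zone "virtual-wan-link"
            set priority 10
        next
    end
    config health-check
        edit "voice-sla"
            set server "203.0.113.10" "198.51.100.10"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 1
                next
            end
        next
    end
    config service
        edit 1
            set mode priority
            set health-check "voice-sla"
            set priority-members 1 2
        next
    end
end
"""


def parse_fortios(text: str) -> dict:
    """Turn config/edit/set/next/end nesting into dicts, e.g. {'system sdwan': {'status': 'enable', ...}}."""
    tokens = [shlex.split(line) for line in text.splitlines() if line.strip()]
    pos = 0

    def block(terminator):
        nonlocal pos
        node = {}
        while pos < len(tokens):
            verb, *args = tokens[pos]
            pos += 1
            if verb == terminator:
                return node
            if verb == "set":            # one value -> str, several -> list
                node[args[0]] = args[1] if len(args) == 2 else args[1:]
            elif verb == "config":       # table named by the rest of the line
                node[" ".join(args)] = block("end")
            elif verb == "edit":         # one table entry keyed by its id or name
                node[args[0]] = block("next")
            else:
                raise ValueError(f"unexpected keyword {verb!r}")
        if terminator is not None:
            raise ValueError(f"missing {terminator!r}")
        return node

    return block(None)


def as_list(value):
    return value if isinstance(value, list) else [value]


def lint_sdwan(text: str) -> list:
    """Cross-reference checks worth running before applying the fragment."""
    sdwan, findings = parse_fortios(text)["system sdwan"], []
    zones, members, checks = sdwan.get("zone", {}), sdwan.get("members", {}), sdwan.get("health-check", {})
    for mid, m in members.items():
        if m.get("zone", "virtual-wan-link") not in zones:
            findings.append(f"member {mid}: zone {m.get('zone')!r} is not defined")
        if not 1 <= int(m.get("priority", 1)) <= 65535:          # 0 is not a valid priority
            findings.append(f"member {mid}: priority {m['priority']} outside 1-65535")
    for name, hc in checks.items():
        if not hc.get("server"):
            findings.append(f"health-check {name}: no probe target (server) configured")
    for sid, svc in sdwan.get("service", {}).items():
        hc_name = svc.get("health-check")
        if hc_name is None:
            continue
        if hc_name not in checks:
            findings.append(f"service {sid}: health-check {hc_name!r} is not defined")
            continue
        probed = set(as_list(checks[hc_name].get("members", [])))
        findings += [f"service {sid}: member {mid} is not probed by {hc_name}, so its SLA state is unknown"
                     for mid in as_list(svc.get("priority-members", [])) if mid not in probed]
    return findings
```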
Question 128
Which SD-WAN member priority value indicates the highest preference?
A) 0
B) 1
C) 10
D) 255
Answer: B
Explanation:
SD-WAN member priority values influence path selection when multiple members satisfy Performance SLA requirements and can carry traffic. Understanding how priority values affect routing decisions is important for implementing preferred path configurations and controlling failover behavior. In FortiGate SD-WAN, lower priority numbers indicate higher preference, with priority 1 being the highest preference. Priority values range from 1 to 65535, and when multiple members are available and meet SLA requirements, FortiGate considers priority as a tie-breaker in path selection depending on the configured strategy. For strategies like priority-based or spillover, priority directly determines the selection order, with traffic preferring lower-numbered (higher-priority) members first. For load balancing strategies, priority can still influence distribution by weighting traffic toward higher-priority members. Priority configuration enables administrators to express preferences for certain connections, for example, setting an MPLS connection to priority 1 and internet connections to priority 10, ensuring MPLS is preferred when both meet requirements. Priority also influences failover behavior, determining which backup path becomes active when the primary path fails. Different members in the same zone can have different priorities, and members can have different priorities in different zones if they belong to multiple zones. Effective use of priority simplifies traffic engineering by explicitly stating preferences rather than relying solely on performance metrics. Priority should align with business requirements considering factors like connection cost, capacity, latency characteristics, and security. Option A is incorrect because priority 0 is not a valid priority value in FortiGate SD-WAN; valid priorities start at 1. Option C is incorrect because priority 10 indicates lower preference than priority 1, with higher numbers representing lower priority. 
Option D is incorrect because priority 255, while valid, represents a very low preference compared to priority 1 which is the highest.
Question 129
What happens when you enable passive health check mode for an SD-WAN member?
A) Health checks stop sending probes completely
B) Link status is monitored without active probing
C) Only SNMP monitoring is used
D) Bandwidth testing runs automatically
Answer: B
Explanation:
Health check configuration offers different modes that balance monitoring accuracy against network overhead, and understanding these modes helps optimize SD-WAN deployments. Passive health check mode provides an alternative to active probing that can be useful in specific scenarios. When passive health check mode is enabled for an SD-WAN member, FortiGate monitors the link status without sending active probes, instead relying on interface status and actual traffic flow to determine link health. This mode is useful when active probing is undesirable due to security policies, when probe traffic might be rate-limited or blocked by intermediate devices, or when minimizing monitoring overhead is important. In passive mode, the SD-WAN member is considered healthy as long as the physical or logical interface remains up and responsive. However, passive mode provides less granular performance visibility since latency, jitter, and packet loss metrics aren’t actively measured. Passive mode works best for connections where interface status reliably indicates usability, such as direct Ethernet connections, but may be less effective for connections where link layer appears up but network layer connectivity is impaired. Organizations might use passive mode for backup connections that should remain available but don’t require continuous performance monitoring, or in environments where active probing conflicts with security policies. When using passive mode, SD-WAN strategies relying on detailed performance metrics may not function optimally, so simpler strategies like priority-based selection are more appropriate. Option A is incorrect because while passive mode doesn’t send active probes, it doesn’t stop all health checking; it monitors interface status and uses passive indicators. Option C is incorrect because passive mode doesn’t specifically use SNMP; it monitors interface status through the operating system, not external management protocols. 
Option D is incorrect because bandwidth testing is a separate feature from health check modes and doesn’t run automatically in passive mode.
Question 130
Which routing protocol is recommended for dynamic routing over SD-WAN overlays?
A) RIP
B) EIGRP
C) BGP
D) IS-IS
Answer: C
Explanation:
Selecting appropriate routing protocols for SD-WAN overlays impacts scalability, convergence time, and operational complexity. While SD-WAN handles path selection for underlay connections, routing protocols are still needed to exchange reachability information across the overlay network. BGP is the recommended routing protocol for dynamic routing over SD-WAN overlays in enterprise deployments. BGP offers several advantages that align well with SD-WAN requirements including excellent scalability supporting thousands of routes and hundreds of peers, policy-based routing capabilities through extensive attribute manipulation, support for hierarchical designs through route reflection, and vendor-neutral standardization ensuring interoperability. In SD-WAN architectures, BGP typically runs over IPsec tunnels connecting hub and spoke sites, with hubs acting as route reflectors to avoid full mesh BGP peering requirements. BGP’s path attributes enable sophisticated traffic engineering, and its loop prevention mechanisms work reliably in complex topologies. BGP also integrates well with cloud connectivity, as cloud providers commonly use BGP for dynamic routing with customer networks. For SD-WAN specifically, BGP can advertise routes with appropriate attributes that SD-WAN rules can evaluate for steering decisions. BGP’s relatively slow convergence compared to IGPs is less critical in SD-WAN because SD-WAN’s own failover mechanisms operate independently and much faster based on Performance SLA monitoring. However, BGP does provide the necessary routing protocol foundation for site-to-site reachability. Option A is incorrect because RIP is an obsolete distance-vector protocol with poor scalability (15-hop limit), slow convergence, and inefficient operation that makes it unsuitable for modern enterprise SD-WAN. 
Option B is incorrect because EIGRP, while offering good convergence and features, is Cisco-proprietary and not available on FortiGate devices, limiting its applicability in SD-WAN. Option D is incorrect because IS-IS, while used in some service provider networks, is overly complex for typical enterprise SD-WAN and less commonly implemented than BGP.
Question 131
What is the default hold-down time for SD-WAN health checks?
A) 0 seconds
B) 5 seconds
C) 30 seconds
D) 60 seconds
Answer: A
Explanation:
Health check behavior includes various timing parameters that affect how quickly FortiGate detects and responds to link failures or recovery. Understanding these timers helps optimize the balance between fast failover and stability. The default hold-down time for SD-WAN health checks is 0 seconds, meaning there is no hold-down period by default. Hold-down time defines how long FortiGate waits after a member begins failing health checks before marking it as down and removing it from SD-WAN path selection. A hold-down time of 0 means the member is immediately considered down once it fails the configured number of consecutive health checks. This aggressive approach enables fast failover, quickly steering traffic away from failing paths to maintain application performance. However, in environments with unstable links that experience brief intermittent failures, zero hold-down time might cause excessive route flapping where members rapidly transition between up and down states, potentially creating instability. Administrators can configure non-zero hold-down times to add hysteresis, requiring sustained failure before declaring a member down. For example, setting a 30-second hold-down time means the member must fail health checks continuously for 30 seconds before being marked down. Similarly, there’s a hold-up time controlling how long a member must pass health checks before being marked up after recovery. These timers should be tuned based on link characteristics and application tolerance for temporary degradation versus stability. Option B is incorrect because 5 seconds is not the default hold-down time, though it could be configured manually if brief stability periods are desired before declaring members down. Option C is incorrect because 30 seconds would be a relatively long hold-down time that would delay failover significantly, and it’s not the default value. 
Option D is incorrect because 60 seconds would create very slow failover responses that could impact application performance during failures, and it’s not the default setting.
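The following Python, an added example rather than FortiGate code, models the health-check behaviour described in Questions 125, 127, 128 and 131 together: the VoIP SLA thresholds, priority as a tie-breaker, and a hold-down period that must elapse while probes keep failing before a member is marked down. The probe timeline is constructed and the timer semantics follow this page's wording; confirm them against your FortiOS version.

```python
"""SD-WAN member health state and path selection (added example, not FortiGate code).

Models this page's description of health checks: VoIP SLA thresholds (150 ms / 30 ms / 1 %),
priority as a tie-breaker, and a hold-down period that must elapse while probes keep
failing before a member is marked down. Constructed probe timeline; confirm the exact
timer semantics against your FortiOS version before relying on the numbers.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SLA:
    latency_ms: float = 150.0
    jitter_ms: float = 30.0
    loss_pct: float = 1.0


@dataclass
class Member:
    name: str
    priority: int                 # 1 = highest preference; larger numbers are less preferred
    latency: float = 0.0
    jitter: float = 0.0
    loss: float = 0.0
    alive: bool = True            # reachability state that SD-WAN rules act on
    failed_for: int = 0           # consecutive unanswered probes
    passed_for: int = 0           # consecutive answered probes

    def meets_sla(self, sla: SLA) -> bool:
        return (self.latency <= sla.latency_ms and self.jitter <= sla.jitter_ms
                and self.loss <= sla.loss_pct)


@dataclass
class HealthCheck:
    sla: SLA
    interval_s: float = 1.0
    failtime: int = 5             # unanswered probes before a member may be marked down
    recoverytime: int = 5         # answered probes before it may be marked up again
    hold_down_s: float = 0.0      # sustained failure required before marking down (0 = none, the default)
    hold_up_s: float = 0.0        # sustained recovery required before marking up

    def probe(self, m: Member, latency: Optional[float], jitter: float = 0.0, loss: float = 0.0) -> bool:
        """Apply one probe result (latency None = no reply). Returns True if m.alive changed."""
        before = m.alive
        if latency is None:
            m.loss = 100.0                                    # latency/jitter keep their last measured values
            m.failed_for, m.passed_for = m.failed_for + 1, 0
            if (m.alive and m.failed_for >= self.failtime
                    and m.failed_for * self.interval_s >= self.hold_down_s):
                m.alive = False
        else:
            m.latency, m.jitter, m.loss = latency, jitter, loss
            m.passed_for, m.failed_for = m.passed_for + 1, 0
            if (not m.alive and m.passed_for >= self.recoverytime
                    and m.passed_for * self.interval_s >= self.hold_up_s):
                m.alive = True
        return m.alive != before


def best_quality(members: List[Member]) -> Optional[Member]:
    """Best quality (lowest latency): live member with the lowest last-measured latency; priority breaks ties."""
    return min((m for m in members if m.alive), key=lambda m: (m.latency, m.priority), default=None)


def priority_mode(members: List[Member], sla: SLA) -> Optional[Member]:
    """Priority strategy: most-preferred live member inside SLA, else the most-preferred live member."""
    live = [m for m in members if m.alive]
    in_sla = [m for m in live if m.meets_sla(sla)]
    return min(in_sla or live, key=lambda m: m.priority, default=None)


def run_scenario(hold_down_s: float) -> dict:
    """Constructed timeline over 40 one-second probe rounds: MPLS (priority 1, 20 ms) stops
    answering from t=10; INET (priority 10, 40 ms) stays healthy throughout."""
    sla, hc = SLA(), HealthCheck(SLA(), hold_down_s=hold_down_s)
    mpls, inet = Member("mpls", 1), Member("inet", 10)
    members, mpls_down_at, choice_before = [mpls, inet], None, None
    for t in range(40):
        hc.probe(inet, 40.0, 5.0, 0.0)
        if t < 10:
            hc.probe(mpls, 20.0, 2.0, 0.0)
        elif hc.probe(mpls, None) and not mpls.alive:
            mpls_down_at = t
        if t == 9:
            choice_before = best_quality(members).name
    # Until the hold-down expires the dead MPLS member is still "alive" with a stale 20 ms latency,
    # so best-quality keeps choosing it: that is the slow-failover cost of a long hold-down.
    return {"choice_before": choice_before, "mpls_down_at": mpls_down_at,
            "best_quality": best_quality(members).name, "priority": priority_mode(members, sla).name}
```

With the default hold-down of 0 the MPLS member is down after five unanswered probes (t=14); with 30 s it takes until t=39, and with 60 s it is never marked down inside the window, so only the SLA-aware priority strategy moves voice traffic off it.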
Question 132
Which feature allows FortiGate to create direct tunnels between spokes without hub intervention?
A) Hub-and-spoke VPN
B) ADVPN (Auto Discovery VPN)
C) Full mesh VPN
D) Site-to-site VPN
Answer: B
Explanation:
VPN topology design significantly impacts traffic patterns, latency, and hub resource utilization in SD-WAN deployments. Traditional hub-and-spoke topologies force all spoke-to-spoke traffic through hub sites, creating potential bottlenecks and suboptimal routing. ADVPN (Auto Discovery VPN) is Fortinet’s solution that allows FortiGate to create direct IPsec tunnels between spoke sites dynamically without hub intervention, enabling optimal routing for spoke-to-spoke communication. ADVPN maintains the simplicity of hub-and-spoke configuration while delivering the performance benefits of direct spoke-to-spoke connectivity. The technology works by having spokes maintain permanent tunnels to hubs as in traditional hub-and-spoke, but when a spoke needs to communicate with another spoke, ADVPN automatically discovers the remote spoke’s addressing information through the hub and establishes a direct tunnel. This shortcut tunnel carries spoke-to-spoke traffic directly, bypassing the hub and reducing latency. The dynamic tunnels remain active as long as traffic flows and are automatically torn down after an idle timeout to conserve resources. ADVPN eliminates the need for manual full-mesh tunnel configuration, which becomes unmanageable in large deployments due to exponential growth in required tunnels. From an operational perspective, administrators configure only hub-spoke relationships, and ADVPN handles spoke-spoke relationships automatically. This approach is particularly valuable for deployments with many branch offices that occasionally need to communicate directly, such as for backup traffic, file sharing, or collaboration. ADVPN integrates with SD-WAN, allowing performance monitoring and intelligent path selection across both permanent and dynamic tunnels. Option A is incorrect because traditional hub-and-spoke VPN requires all spoke-to-spoke traffic to transit through the hub, lacking the direct spoke-to-spoke capability. 
Option C is incorrect because full mesh VPN requires manual configuration of tunnels between every site pair, creating significant management overhead in large deployments. Option D is incorrect because site-to-site VPN is a generic term for connecting two sites and doesn’t specifically describe the dynamic tunnel establishment capability.
Question 133
What is the maximum number of health check servers that can be configured per Performance SLA?
A) 1
B) 2
C) 4
D) No specific limit
Answer: D
Explanation:
Performance SLA health checks can monitor multiple destination servers to provide comprehensive visibility into network path performance and reachability. Understanding configuration capabilities helps design robust monitoring strategies. FortiGate SD-WAN Performance SLA health checks have no specific hardcoded limit on the number of servers that can be configured per health check, providing flexibility for comprehensive monitoring. Administrators can configure multiple servers as targets within a single health check, and FortiGate will probe all configured servers according to the health check parameters. Multiple servers serve several purposes: providing redundancy so that a single server failure doesn’t incorrectly indicate path failure, monitoring different geographic locations or services to assess path performance for various destinations, and validating reachability to multiple critical resources that applications depend on. When multiple servers are configured, the health check can be set to consider the member up if any server responds successfully or require all servers to respond, depending on the logic configured. Using multiple servers provides more accurate assessment of overall path health compared to relying on a single monitoring target. For example, monitoring both the ISP gateway and a public DNS server helps distinguish between ISP issues and broader internet problems. However, practical considerations include probe overhead increasing with more servers, potential for false positives if server-specific issues are confused with path problems, and complexity in interpreting results when different servers show different performance. Best practice typically involves 2-3 servers per health check for important paths, balancing redundancy against complexity. Option A is incorrect because limiting health checks to a single server would create single points of failure in monitoring and doesn’t reflect FortiGate’s actual capabilities. 
Option B is incorrect because while two servers might be common practice for redundancy, it’s not a maximum limit. Option C is incorrect because four servers is also not a maximum limit, though it represents reasonable practice for comprehensive monitoring.
Question 134
Which SD-WAN strategy provides the highest aggregate throughput for bulk data transfers?
A) Best quality
B) Lowest cost
C) Volume-based
D) Priority
Answer: C
Explanation:
Different SD-WAN strategies optimize for different objectives, and selecting the appropriate strategy for each application type ensures optimal resource utilization and performance. Bulk data transfers such as backups, database replication, and large file transfers have unique requirements focused on maximizing throughput rather than minimizing latency. The volume-based strategy provides the highest aggregate throughput for bulk data transfers by actively distributing traffic across multiple SD-WAN members to utilize their combined bandwidth capacity. Volume-based strategy monitors the amount of data transmitted over each member and distributes new sessions to balance utilization, directing traffic to members with available capacity. This approach maximizes aggregate throughput by preventing any single link from becoming saturated while others remain underutilized. Unlike strategies that might concentrate traffic on a single “best” path, volume-based intentionally spreads traffic across all available members meeting SLA requirements. This strategy is particularly effective for applications that initiate multiple parallel sessions or transfers, as each session can be distributed to different members. For example, backup software often opens multiple concurrent connections, and volume-based strategy can assign each connection to different WAN links, achieving throughput equal to the sum of all member bandwidths. The strategy works best when applications are not latency-sensitive and can tolerate the varying performance characteristics of different paths. For optimal results, volume-based strategy should be applied to traffic types where aggregate bandwidth is the priority rather than consistent low latency. Option A is incorrect because best quality strategy focuses on selecting the single best-performing path rather than distributing across multiple paths for aggregate throughput. 
Option B is incorrect because lowest cost strategy prioritizes economical paths over performance optimization and doesn’t specifically maximize throughput. Option D is incorrect because priority strategy uses a strict preference ordering, directing traffic to the highest-priority member rather than distributing across multiple members for maximum aggregate bandwidth.
Question 135
What protocol and port does FortiGate use for ADVPN shortcut negotiation?
A) UDP 500 and 4500
B) TCP 443
C) UDP 1194
D) TCP 8080
Answer: A
Explanation:
Understanding the protocols and ports used by VPN technologies is essential for firewall configuration, troubleshooting connectivity issues, and ensuring proper network design. ADVPN builds upon standard IPsec VPN infrastructure, using the same fundamental protocols for tunnel establishment and maintenance. FortiGate uses UDP ports 500 and 4500 for ADVPN shortcut negotiation, which are the standard IPsec VPN ports. UDP port 500 is used for IKE (Internet Key Exchange) protocol negotiation, handling the initial security association establishment, authentication, and key exchange. UDP port 4500 is used for NAT-Traversal (NAT-T), which encapsulates IPsec ESP packets in UDP to traverse NAT devices that would otherwise block or corrupt IPsec traffic. When ADVPN needs to establish a shortcut tunnel between two spokes, the initiating spoke uses information learned from the hub to contact the target spoke directly. The shortcut negotiation uses the same IKE process as regular IPsec tunnels, with authentication based on pre-shared keys or certificates configured for the VPN. From a network design perspective, firewalls and routers between sites must permit UDP 500 and 4500 bidirectionally for ADVPN shortcuts to establish successfully. Network Address Translation can complicate ADVPN operation, which is why NAT-T support is critical. The use of standard IPsec ports means ADVPN benefits from widespread protocol support and compatibility with existing network infrastructure. Option B is incorrect because TCP 443 is used for HTTPS and SSL VPN, not for IPsec-based ADVPN tunnels which use UDP-based protocols. Option C is incorrect because UDP 1194 is the default port for OpenVPN, a different VPN technology not used by FortiGate ADVPN. Option D is incorrect because TCP 8080 is commonly used for HTTP proxies and web services, not for ADVPN or IPsec tunnel negotiation.
Question 136
Which SD-WAN member weight value provides the most traffic when using weighted load balancing?
A) 0
B) 1
C) 50
D) 255
Answer: D
Explanation:
Weight values provide granular control over traffic distribution when using weighted load balancing strategies in SD-WAN. Understanding how weights influence traffic distribution helps implement proportional load sharing aligned with member capacities and business requirements. In FortiGate SD-WAN, higher weight values result in proportionally more traffic being directed to that member when using weighted load balancing. Weight values range from 1 to 255, with 255 being the maximum and receiving the most traffic. Weights determine the relative proportion of traffic each member receives, calculated as the member’s weight divided by the sum of all weights. For example, if three members have weights of 100, 50, and 50 respectively (sum = 200), they would receive approximately 50 percent, 25 percent, and 25 percent of traffic. Weights should typically be set proportional to member bandwidth capacities to prevent oversubscription. A 100 Mbps connection might be assigned weight 100 while a 50 Mbps connection gets weight 50, resulting in traffic distribution matching available capacity. Weight-based distribution operates per-session rather than per-packet, maintaining session integrity while distributing different sessions proportionally across members. This approach works well for mixed-capacity links, ensuring optimal utilization without overloading slower connections. Weights can be adjusted dynamically based on changing business requirements or link performance. When combined with SLA monitoring, only members meeting SLA receive traffic according to their weights, with automatic redistribution when members fail. Option A is incorrect because weight 0 would indicate the member should receive no traffic, which typically isn’t useful in load balancing scenarios. Option B is incorrect because weight 1 is the minimum useful weight and would receive the least traffic in proportional distribution. 
Option C is incorrect because while weight 50 is valid and moderate, weight 255 provides the maximum proportional share of traffic in weighted load balancing.
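The proportional, per-session distribution described above, as an added example (this is illustrative code, not FortiOS): each member's share is weight / sum of weights, only members meeting SLA are eligible, weight 0 carries no traffic, and a session stays on the member it was assigned to. Member names, weights and SLA states are constructed sample values.

```python
"""Added example: per-session weighted SD-WAN member selection (not FortiOS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str           # hypothetical interface name, e.g. "wan1"
    weight: int         # 1..255 as described in the explanation; 0 = no traffic
    sla_ok: bool = True  # whether the member currently meets its SLA
    sessions: int = 0   # sessions assigned so far (per-session, not per-packet)


def _eligible(members: List[Member]) -> List[Member]:
    """Only members that meet SLA and have a non-zero weight receive traffic."""
    return [m for m in members if m.sla_ok and m.weight > 0]


def expected_shares(members: List[Member]) -> Dict[str, float]:
    """Share each eligible member should receive: weight / sum of eligible weights."""
    eligible = _eligible(members)
    total = sum(m.weight for m in eligible)
    return {m.name: m.weight / total for m in eligible} if total else {}


def pick_member(members: List[Member]) -> Optional[Member]:
    """Assign one new session to the eligible member that lags its weight share most.

    Deficit = sessions the member is owed after this assignment minus sessions it has;
    choosing the largest deficit keeps the running distribution proportional to weight.
    """
    eligible = _eligible(members)
    if not eligible:
        return None  # no member meets SLA: nothing can carry the session
    total_w = sum(m.weight for m in eligible)
    total_s = sum(m.sessions for m in eligible)

    def deficit(m: Member) -> float:
        return (total_s + 1) * m.weight / total_w - m.sessions

    chosen = max(eligible, key=deficit)  # first member wins ties
    chosen.sessions += 1
    return chosen


def distribute(members: List[Member], n_sessions: int) -> Dict[str, int]:
    """Assign n_sessions one at a time and return the resulting per-member counts."""
    for _ in range(n_sessions):
        pick_member(members)
    return {m.name: m.sessions for m in members}
```

With weights 100/50/50 (sum 200) the counts settle at exactly 50/25/25 percent, and marking one member as failing SLA redistributes its share across the remaining members.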
Question 137
What is the purpose of SD-WAN neighbor configuration in ADVPN deployments?
A) Manually define all spoke-to-spoke tunnels
B) Specify hub devices for shortcut negotiation
C) Configure BGP peering relationships
D) Set bandwidth limits per neighbor
Answer: B
Explanation:
ADVPN configuration requires specific settings to enable dynamic tunnel establishment while maintaining the operational simplicity of hub-and-spoke management. Understanding neighbor configuration is essential for successful ADVPN deployments. In ADVPN deployments, neighbor configuration specifies hub devices that spoke sites use for shortcut negotiation and discovery of remote spoke information. When a spoke needs to establish a direct tunnel to another spoke, it queries the configured hub neighbors to obtain the remote spoke’s addressing information including public IP address and network identifiers. The hub maintains this information about all connected spokes and provides it upon request, acting as a directory service for ADVPN. Neighbor configuration includes the hub’s IP address or FQDN and the VPN interface name used for communication. Multiple hubs can be configured as neighbors for redundancy, ensuring spoke-to-spoke connectivity remains possible even if one hub becomes unavailable. The neighbor relationship is unidirectional from an operational perspective; spokes configure hubs as neighbors, but hubs don’t configure spokes as neighbors since hubs don’t initiate shortcut requests. This configuration enables the automatic discovery mechanism that makes ADVPN scalable, eliminating the need for manual spoke-to-spoke tunnel configuration while providing direct connectivity when needed. The hub neighbor information is used during the IKE negotiation process when establishing shortcuts. Option A is incorrect because ADVPN’s purpose is to avoid manually defining spoke-to-spoke tunnels; neighbor configuration enables automatic discovery, not manual tunnel definition. Option C is incorrect because BGP peering is configured separately through routing protocol configuration and is independent from ADVPN neighbor settings used for tunnel discovery.
Option D is incorrect because bandwidth limits are configured through traffic shaping policies or interface settings, not through ADVPN neighbor configuration which handles tunnel discovery.
Question 138
Which diagnostic command shows active ADVPN shortcuts between spokes?
A) diagnose vpn tunnel list
B) get router info bgp summary
C) diagnose sys sdwan service
D) show vpn status
Answer: A
Explanation:
Monitoring and troubleshooting ADVPN requires visibility into which dynamic shortcuts are currently established and their operational status. Understanding the appropriate diagnostic commands helps administrators verify proper ADVPN operation and investigate connectivity issues. The command “diagnose vpn tunnel list” shows active IPsec tunnels including both permanent hub-spoke tunnels and dynamic ADVPN shortcuts between spokes. This command provides comprehensive information about each tunnel including tunnel name, source and destination IP addresses, encryption and authentication algorithms, traffic statistics showing bytes transmitted and received, uptime indicating when the tunnel was established, and current tunnel status. For ADVPN deployments, this command reveals which spoke-to-spoke shortcuts are currently active, allowing administrators to verify that shortcuts establish when expected and identify which spoke pairs have direct connectivity. The output differentiates between permanent tunnels configured statically and dynamic tunnels created by ADVPN through naming conventions or tunnel parameters. When troubleshooting ADVPN issues like shortcuts failing to establish, this command helps determine whether the problem is authentication failure, routing issues, or configuration errors. The tunnel list also shows selector information indicating what traffic is protected by each tunnel. Administrators can use this command to monitor ADVPN efficiency by tracking how many shortcuts are active versus relying on hub transit. Option B is incorrect because “get router info bgp summary” displays BGP neighbor relationships and routing information, not VPN tunnel status or ADVPN shortcuts. Option C is incorrect because “diagnose sys sdwan service” shows SD-WAN rule information and hit counts but doesn’t specifically display VPN tunnel status or ADVPN shortcuts. 
Option D is incorrect because “show vpn status” is not valid FortiOS command syntax; the correct command uses the diagnose format.
Question 139
What is the recommended approach for integrating cloud applications with SD-WAN?
A) Route all traffic through the data center
B) Use local internet breakout with security
C) Block cloud traffic completely
D) Use only MPLS for cloud access
Answer: B
Explanation:
Cloud application access has become a dominant component of enterprise traffic patterns, and optimizing this connectivity is a key SD-WAN use case. Traditional architectures that backhaul internet traffic through data centers create latency, consume WAN bandwidth, and provide poor user experience for cloud services. The recommended approach for integrating cloud applications with SD-WAN is using local internet breakout with integrated security, also known as secure local internet breakout or direct internet access. This approach allows branch office traffic destined for cloud applications like Office 365, Salesforce, or AWS to exit directly to the internet from the branch rather than transiting through headquarters or a data center. Local breakout reduces latency by minimizing the number of network hops, reduces WAN bandwidth consumption by keeping internet traffic off private circuits, and improves application performance by connecting directly to cloud provider edge locations. However, local breakout requires robust security at the branch to protect against internet threats. FortiGate Secure SD-WAN integrates security functions including firewall, IPS, antivirus, web filtering, and application control directly at the branch, enabling safe local breakout. SD-WAN rules can identify cloud application traffic through DPI or the Internet Service Database and steer it to local internet connections while applying appropriate security policies. This approach aligns with cloud providers’ architectural recommendations, particularly Microsoft’s guidance for Office 365 connectivity. Organizations maintain centralized policy control through FortiManager while enabling distributed internet access. Option A is incorrect because routing all traffic through the data center creates the performance and bandwidth problems SD-WAN aims to solve, and is counter to cloud provider recommendations.
Option C is incorrect because blocking cloud traffic completely isn’t feasible in modern business environments where cloud applications are essential productivity tools. Option D is incorrect because using only MPLS for cloud access is expensive, doesn’t optimize routing to cloud edge locations, and underutilizes lower-cost internet connectivity.
Question 140
Which feature allows bandwidth measurement between SD-WAN members without affecting production traffic?
A) Active bandwidth measurement
B) Passive traffic monitoring
C) SNMP polling
D) NetFlow analysis
Answer: A
Explanation:
Understanding available bandwidth on WAN connections is important for capacity planning, traffic engineering, and SD-WAN rule configuration. However, measuring bandwidth can be challenging without disrupting production traffic or consuming significant resources. Active bandwidth measurement is a FortiGate feature that allows measurement of available bandwidth between SD-WAN members without affecting production traffic through controlled testing during configured time windows. Active bandwidth measurement works by periodically sending test traffic at increasing rates to determine the maximum throughput a path can sustain. The feature can be configured to run during maintenance windows or off-peak hours to minimize any potential impact on production traffic. Measurements provide data about actual available bandwidth rather than just the configured circuit speed, accounting for factors like ISP oversubscription or shared bandwidth scenarios. This information helps administrators understand true path capacity for making informed decisions about traffic steering policies and identifying underperforming connections that may need provider attention. Bandwidth measurement results can be viewed through CLI commands or GUI dashboards and can be logged for historical analysis. The feature includes safeguards to prevent test traffic from overwhelming connections or significantly impacting production applications. While active measurement does generate test traffic, it’s controlled and scheduled to minimize production impact, unlike passive approaches that only observe existing traffic. Option B is incorrect because passive traffic monitoring observes production traffic but cannot accurately measure available bandwidth since it only sees utilized capacity, not potential capacity. Option C is incorrect because SNMP polling collects device statistics like interface counters but doesn’t actively measure available bandwidth or path capacity through testing. 
Option D is incorrect because NetFlow analysis provides visibility into traffic flows and utilization patterns but doesn’t perform active bandwidth measurement to determine maximum available capacity.