CCNA Advanced Networking and SD-WAN Questions

75 of 209 questions · Page 1/3 · Advanced Networking and SD-WAN · Answers revealed

1
MCQmedium

An administrator has configured OSPF on a FortiGate with multiple areas. They want to ensure that routes from area 0 are redistributed into area 1, but they notice that routes from area 1 are not appearing in area 0. What is the most likely configuration issue?

A.There is a firewall policy blocking OSPF packets
B.The ABR has 'area 1 stub' configured, preventing LSA type 5 redistribution
C.The redistribution is done with a route map that is not permitting the routes
D.The ABR is not configured with 'area 0' and 'area 1' on the same router
AnswerB

A stub area does not accept Type 5 (AS-external) LSAs and cannot contain an ASBR, so routes that are redistributed into OSPF inside area 1 never reach area 0. Intra-area routes of area 1 are unaffected: the ABR still summarizes them into area 0 as Type 3 LSAs. Redistribution from area 0 toward area 1 is not what breaks here; the stub type on area 1 is.

2
MCQeasy

What is the purpose of BFD (Bidirectional Forwarding Detection) in a FortiGate routing configuration?

A.To encrypt routing protocol traffic
B.To detect forwarding path failures quickly
C.To authenticate routing peers
D.To provide load balancing across multiple paths
AnswerB

BFD rapidly detects failures for faster convergence.

Why this answer

BFD provides fast failure detection for routing protocols like OSPF and BGP, enabling sub-second convergence by detecting link failures faster than protocol hello timers.

3
MCQmedium

An administrator configures a performance SLA to monitor a remote server. The SLA status shows 'dead' for one WAN member. The administrator checks the interface and sees that it is up and passing other traffic. What is the most likely cause?

A.The FortiGate's routing table does not have a route to the probe target
B.The interface is not added as an SD-WAN member
C.The SLA probe is using TCP port 80 but the server is only responding to ICMP
D.The SLA probe interval is set too high
AnswerC

If the probe type does not match the server's response, the SLA fails even if the link is up.

Why this answer

Performance SLA probes may fail due to firewall rules blocking ICMP or the probe port, or the server not responding to the probe type.

4
MCQeasy

An administrator wants to use a FortiGate to manage FortiSwitch units via the LAN. Which interface configuration is required on the FortiGate to allow this management?

A.The interface must have 'set role lan' configured
B.The interface must be configured as a 'trunk' mode to connect to the FortiSwitch
C.The interface must be a member of a VDOM
D.The interface must have 'set type switch' enabled
AnswerB

The FortiGate interface facing a managed FortiSwitch is the FortiLink interface. FortiLink is an 802.1Q trunk: it carries the switch-management channel plus every VLAN the FortiGate pushes to the switch, which is why the quiz describes it as trunk mode rather than switch mode. In the FortiOS CLI this is not a mode keyword; it is enabled per interface with set fortilink enable.
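Added example (not from the quiz): the FortiOS CLI that actually makes an interface the FortiSwitch management link. The interface name, the aggregate member ports and the addressing are assumptions for illustration.

```text
# Assumed names and addressing, for illustration only.
config system interface
    edit "fortilink"
        set type aggregate
        set member "port10" "port11"
        set fortilink enable            # this, not a "trunk" keyword, makes it the FortiLink
        set ip 10.255.1.1 255.255.255.0
    next
end

# Confirm the switch was discovered and is managed over the FortiLink
execute switch-controller get-conn-status
```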

5
MCQmedium

During an SD-WAN health check, an administrator observes that a performance SLA for wan1 shows 'Status: dead' even though the interface is up and can ping the SLA server. The SLA configuration uses a TCP echo probe to 8.8.8.8 port 443. What is the most likely cause?

A.The SLA server is blocking ICMP echo requests.
B.The performance SLA is configured with the wrong threshold.
C.The firewall policy allowing the probe traffic is missing.
D.The probe protocol is TCP echo, but the server at 8.8.8.8 does not support TCP echo on port 443.
AnswerD

TCP echo uses port 7 by default; using a different port will not elicit a proper echo response unless the server is configured for it.

Why this answer

A TCP echo probe expects a TCP connection to the specified port, but the server must be configured to respond to TCP echo requests (RFC 862), which typically uses port 7. Using port 443 (HTTPS) would not result in a TCP echo response; the server would not send back the same data. The probe would fail, causing the SLA to show as dead.
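Added example (not part of the quiz) showing the weak probe from this question next to a corrected one, in FortiOS SD-WAN syntax. The member IDs, gateways, health-check names and SLA thresholds are assumptions.

```text
# Assumed member IDs, gateways and names.
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1
        next
    end
    config health-check
        # Weak setting: tcp-echo (RFC 862, port 7) aimed at an HTTPS port.
        # A public resolver accepts the connection on 443 but never echoes,
        # so the probe fails and the member shows dead while the link forwards fine.
        edit "bad-probe"
            set server "8.8.8.8"
            set protocol tcp-echo
            set port 443
            set members 1 2
        next
        # Corrected: probe something the target really answers. 8.8.8.8 serves DNS,
        # so a DNS probe measures what the link can actually do.
        edit "dns-probe"
            set server "8.8.8.8"
            set protocol dns
            set interval 500            # ms between probes
            set failtime 5              # consecutive failures before "dead"
            set recoverytime 5          # consecutive successes before "alive"
            set members 1 2
            config sla
                edit 1
                    set link-cost-factor latency jitter packet-loss
                    set latency-threshold 100
                    set jitter-threshold 20
                    set packetloss-threshold 5
                next
            end
        next
    end
end

# Per-member status, measured latency/jitter/loss and the SLA pass/fail result
diagnose sys sdwan health-check status
```

The diagnose output is the check to run before touching thresholds: a member that is dead on every probe while carrying user traffic almost always means the probe type or port does not match what the target answers.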

6
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A.The session is in a half-open state (proto_state=01) and will expire in 3600 seconds.
B.The session has been idle for 3600 seconds and will be removed in 3599 seconds.
C.The session is using TCP and has been up for 3600 seconds, with 3599 seconds remaining before expiry.
D.The session is UDP and has 3600 seconds to live.
AnswerC

proto=6 is TCP. proto_state=01 is the ESTABLISHED state for a TCP session. duration is the seconds since the session was created, and expire is the seconds left on the idle timer before the session is removed; traffic resets that timer. Note that diagnose sys session filter only sets the filter; the matching entries are printed by diagnose sys session list.

7
Multi-Selecthard

A FortiGate is configured with OSPF multi-area. The administrator needs to ensure that routes from area 2 are advertised into area 0. Which TWO configurations are necessary?

Select 2 answers
A.Configure a virtual-link between area 2 and area 0
B.Set the OSPF network type to point-to-point
C.Configure an Area Border Router (ABR) between area 2 and area 0
D.Disable OSPF on area 0
E.Enable route redistribution from OSPF into OSPF
AnswersC, E

ABR is required to connect areas.

Why this answer

The ABR is the essential element: a router with interfaces in both area 2 and area 0 generates Type 3 summary LSAs for area 2's intra-area routes automatically, with no redistribution involved. Redistribution (E) is what the answer key expects as the second item; in practice it is only needed when the routes in area 2 originate outside OSPF (static, connected, BGP) and have to be injected by an ASBR as Type 5 LSAs. A virtual link (A) is required only when area 2 has no router directly attached to area 0. Changing the network type (B) or disabling area 0 (D) does nothing for inter-area advertisement.

8
Multi-Selecthard

An administrator is troubleshooting an SD-WAN deployment where traffic from the branch to the datacenter is being sent over the backup LTE link even though the primary MPLS link has low latency and jitter. The SD-WAN rule uses 'Best Quality' strategy with latency and jitter metrics. The performance SLA for MPLS shows 'alive'. Which TWO configurations could cause this behavior?

Select 2 answers
A.BFD is enabled on MPLS but not on LTE.
B.The SD-WAN rule has 'set member' configured to only include LTE.
C.The performance SLA is not associated with the SD-WAN rule.
D.The route to the datacenter is learned via OSPF with a lower cost over LTE.
E.The latency threshold is set too low for MPLS.
AnswersB, C

If MPLS is not listed as a member in the rule, it won't be used.

Why this answer

If the SD-WAN rule's member list does not include MPLS (B), the rule will never choose that link, whatever the SLA reports. If the performance SLA is not referenced by the rule (C), the Best Quality strategy has no latency and jitter measurements for MPLS to compare, so it cannot prefer it. Options B and C are therefore the most likely causes. BFD (A), the OSPF cost (D) and the latency threshold (E) do not change which member a rule selects once the health check already reports MPLS as alive.

9
MCQmedium

An administrator wants to use FortiExtender to provide LTE WAN connectivity. After connecting the FortiExtender to the FortiGate, the LTE interface is not showing up. What is the first troubleshooting step?

A.Run 'execute lte test' command
B.Configure an SD-WAN rule for LTE traffic
C.Verify the FortiExtender is connected to the correct port and powered on
D.Check the signal strength of the LTE connection
AnswerC

Physical connectivity is the first check.

Why this answer

Verify that the FortiExtender is properly connected and powered. Check the USB or Ethernet connection to the FortiGate. Also verify that the FortiExtender is recognized in the dashboard.

Often a reboot of the FortiExtender or FortiGate can resolve detection issues.

10
MCQmedium

A FortiGate is configured with two VRF instances (VRF1 and VRF2). The admin needs to allow traffic from VRF1 to reach a server in VRF2. The server is directly connected to the FortiGate on an interface in VRF2. What configuration is required?

A.Add both VRFs to the same VDOM
B.Use VRF route leaking with route maps to export necessary routes between VRFs
C.Configure a static route in VRF1 pointing to the server's IP via the VRF2 interface
D.Configure a firewall policy with source VRF1 and destination VRF2
AnswerB

Route leaking allows redistribution of routes between VRFs, enabling inter-VRF communication.

Why this answer

Option B is correct. Without route leaking, VRFs are isolated: VRF1's routing table has no entry for the server's subnet even though that subnet is directly connected in VRF2. Leaking exports the required prefixes between the VRFs, with a route map controlling which prefixes cross.

A firewall policy (D) is still needed to permit the traffic once the route exists, but a policy cannot create the route, and a plain static route (C) cannot point across VRFs on its own.

11
MCQmedium

A network admin configures OSPF on a FortiGate with multiple areas. To ensure that routes from one area are advertised into another area, which OSPF feature must be properly configured?

A.OSPF route redistribution
B.OSPF passive interface
C.OSPF virtual-link
D.OSPF network type
AnswerA

Route redistribution is the quiz's expected answer: it controls which routes enter the OSPF process from other sources (static, connected, BGP).

Why this answer

Between areas of one OSPF process, the ABR advertises intra-area routes into the other areas automatically as Type 3 summary LSAs, so what must be right is the ABR's area configuration (plus a virtual link if an area has no direct connection to area 0). Redistribution is the feature that brings routes from outside OSPF into the process; without it, static or BGP routes stay out of OSPF entirely.

12
MCQeasy

Which SD-WAN load balancing algorithm is best for ensuring that all traffic from a specific source-destination pair uses the same WAN link?

A.Spillover
B.Source-dest IP
C.Volume
D.Lowest-cost
AnswerB

Source-dest IP hashes both IPs, ensuring same pair goes to same link.

13
MCQeasy

A FortiGate is configured with multiple virtual routers (VRFs). The administrator wants to allow communication between two VRFs using a firewall policy. Which type of interface is required for the policy?

A.VDOM link
B.VLAN subinterface
C.Loopback interface
D.Virtual-wire pair
AnswerA

VDOM links are used to connect VDOMs or VRFs; firewall policies can be applied to allow traffic between VRFs.

14
MCQhard

You have configured a route map named 'RM-BGP' to filter routes redistributed from OSPF into BGP. The route map uses 'set community 65000:100' and 'set metric 50'. After applying the route map under 'config router bgp' with 'redistribute ospf route-map RM-BGP', you see that routes are being redistributed but without the community and metric. What is wrong?

A.The route map does not have any 'match' criteria, so it never applies
B.The route map is missing a 'set community' statement with 'additive' option
C.The BGP neighbor requires 'soft-reconfiguration inbound' to see the changes
D.The 'set metric' command is not supported for BGP redistribution
AnswerA

The answer key attributes the missing attributes to an absent match clause, a common configuration error.

Why this answer

Be aware that in standard route-map semantics, FortiOS included, a permit rule with no match conditions matches every route and applies its set clauses. So also check the rule's action (a deny rule drops the route entirely) and, for the community specifically, whether the neighbor is configured to send communities: BGP does not propagate community attributes to a peer unless send-community is enabled on that neighbor. The metric set by the route map becomes the MED, which is only visible on the routes the peer receives.
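Added example (not from the quiz) of the full path an OSPF route takes into BGP with a community and metric attached, in FortiOS syntax. AS numbers, the peer address, the prefix and all object names are assumptions.

```text
# Assumed AS numbers, peer, prefix and names.
config router prefix-list
    edit "PL-OSPF-TO-BGP"
        config rule
            edit 1
                set prefix 10.10.0.0 255.255.0.0
                set le 24
            next
        end
    next
end
config router route-map
    edit "RM-BGP"
        config rule
            edit 1
                set action permit
                set match-ip-address "PL-OSPF-TO-BGP"   # without a match the rule matches everything
                set set-community "65000:100"
                set set-metric 50                         # becomes the MED
            next
        end
    next
end
config router bgp
    set as 65000
    config neighbor
        edit "198.51.100.2"
            set remote-as 65001
            set send-community standard      # without this the peer never sees 65000:100
        next
    end
    config redistribute "ospf"
        set status enable
        set route-map "RM-BGP"
    end
end

# Local BGP table, then what is actually advertised to the peer
get router info bgp network
get router info bgp neighbors 198.51.100.2 advertised-routes
```

The second get command is the one that settles the question: if the community and MED appear there, the route map is working and any discrepancy is on the receiving side.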

15
MCQmedium

A FortiGate has OSPF configured in multiple areas. The administrator wants to redistribute routes from area 0 into area 1 with a metric of 10. Which command is correct?

A.config router ospf config redistribute "ospf" set status enable set metric 10 end
B.config router ospf config redistribute "connected" set metric 10 end
C.config router ospf config area edit 1 set type nssa end
D.config router ospf set redistribute "ospf" metric 10
AnswerA

The answer key treats this as OSPF-into-OSPF redistribution with metric 10. In FortiOS the redistribute table under config router ospf accepts connected, static, rip, bgp and isis as sources; routes already inside the same OSPF process are carried between areas by the ABR's Type 3 LSAs, and their inter-area cost is shaped by interface cost or an area range, not by a redistribute entry.

16
MCQmedium

A multi-area OSPF network includes a FortiGate as an ABR. The administrator needs to redistribute a static route into OSPF. Which command is required on the FortiGate to achieve this?

A.config router ospf config redistribute edit 'static' set status enable end
B.config router prefix-list edit 'static' set action permit end
C.config router policy set src 0.0.0.0/0 set dst 0.0.0.0/0 end
D.config router static set redistribute ospf enable end
AnswerA

Correct method to enable redistribution of static into OSPF.

Why this answer

Redistribution of static routes into OSPF is done under the OSPF process configuration using 'redistribute static' with optional metric and metric-type. The command 'config router ospf' then 'redistribute static' enables redistribution.
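Added example (not the quiz's own configuration) tying together the OSPF questions above: a FortiGate acting as ABR between area 0 and a stub area 1, redistributing filtered static routes. Addresses, area IDs, the router ID and the object names are assumptions.

```text
# Assumed addressing, area IDs and names.
config router prefix-list
    edit "PL-STATIC"
        config rule
            edit 1
                set prefix 172.16.0.0 255.255.0.0
                set le 24
            next
        end
    next
end
config router route-map
    edit "RM_STATIC"
        config rule
            edit 1
                set action permit
                set match-ip-address "PL-STATIC"
            next
        end
    next
end
config router ospf
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
        next
        edit 0.0.0.1
            set type stub       # no Type 5 LSAs enter area 1; an ASBR cannot live inside it
        next
    end
    config network
        edit 1
            set prefix 10.0.0.0 255.255.255.0
            set area 0.0.0.0
        next
        edit 2
            set prefix 10.1.0.0 255.255.255.0
            set area 0.0.0.1
        next
    end
    # Sources accepted here: connected, static, rip, bgp, isis.
    # Inter-area routes need no entry; the ABR emits Type 3 LSAs for them automatically.
    config redistribute "static"
        set status enable
        set metric 10
        set metric-type 2
        set routemap "RM_STATIC"
    end
end

# Verify: adjacencies, LSDB contents (Type 3 for area 1 prefixes everywhere,
# Type 5 for the statics in area 0 only), and what reached the routing table
get router info ospf neighbor
get router info ospf database brief
get router info routing-table ospf
```

If the statics are missing from the database, check the route map first: a route map name that does not exist, or a rule set that denies every prefix, is accepted by the CLI but redistributes nothing.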

17
Multi-Selecthard

A FortiGate in a multi-area OSPF network is not learning routes from area 1. Which THREE items could be causing this?

Select 3 answers
A.The ABR is not configured with 'set type' for area 1.
B.The 'set redistribute' option is missing on the ABR.
C.There is a firewall policy blocking OSPF traffic between areas.
D.Area 1 is configured as a stub area and does not accept external routes.
E.The interface in area 1 is administratively down.
AnswersC, D, E

OSPF uses multicast (224.0.0.5 and 224.0.0.6) over IP protocol 89, so a device in the path that filters it breaks adjacencies; a FortiGate in the transit path needs a policy that allows it. An area 1 interface that is administratively down forms no adjacency at all, and a stub area 1 cannot receive external routes. The area type (A) and a redistribute entry (B) are not required for learning intra-area routes.

18
MCQmedium

An administrator wants to integrate a FortiExtender with a FortiGate to provide cellular WAN connectivity. Which configuration step is required on the FortiGate to use the FortiExtender as an SD-WAN member?

A.Enable BGP on the FortiExtender interface
B.Create a firewall policy allowing traffic from the FortiExtender
C.Add the FortiExtender's interface to the SD-WAN zone
D.Configure a static route pointing to the FortiExtender
AnswerC

The interface representing the FortiExtender must be added as an SD-WAN member.

Why this answer

The FortiExtender must be registered and configured as an SD-WAN member, typically by enabling it as an interface and adding it to the SD-WAN zone.

19
MCQeasy

Which load balancing algorithm in SD-WAN distributes new sessions based on the source and destination IP addresses, ensuring that all sessions from a given source-destination pair go to the same member?

A.Lowest cost
B.Volume
C.Source-dest IP
D.Sessions
AnswerC

Hashes source and destination IP.

Why this answer

The source-destination IP algorithm uses a hash of source and destination IP to consistently select the same member for the same pair, which is useful for stateful applications or to avoid asymmetric routing.

20
MCQeasy

What is the purpose of BFD on a FortiGate?

A.To load balance traffic across multiple paths.
B.To provide fast detection of link failures.
C.To authenticate OSPF neighbors.
D.To encrypt traffic between two FortiGates.
AnswerB

BFD detects failures faster than routing protocol hello timers.

21
MCQeasy

An administrator wants to load balance traffic across two WAN links by session count. Which SD-WAN load balancing algorithm should they use?

A.Sessions
B.Spillover
C.Lowest-cost
D.Volume
AnswerA

The sessions algorithm distributes sessions based on the number of active sessions per interface.

22
MCQmedium

An administrator wants to ensure that traffic from a specific source IP uses a particular SD-WAN member regardless of performance SLA results. Which SD-WAN configuration element should be used?

A.SD-WAN rule with manual strategy
B.Route map
C.Policy-based routing on the firewall policy
D.Performance SLA
AnswerA

SD-WAN rules can use manual strategy to force traffic to a specific member.

Why this answer

SD-WAN rules allow matching traffic based on source/destination, and can set the 'strategy' to 'manual' or explicitly select a member, overriding SLA-based choices.

23
MCQeasy

Which feature allows a FortiGate to maintain separate routing tables for different customers or departments on the same device?

A.Route maps
B.VDOM
C.VRF (Virtual Routing and Forwarding)
D.Policy-based routing
AnswerC

VRF allows multiple independent routing table instances on the same FortiGate.

24
MCQmedium

A FortiGate has multiple VRFs configured. An administrator wants to allow traffic from VRF 1 to reach a server in VRF 2. What configuration is required?

A.Use a single VDOM and enable inter-VDOM links.
B.Place both interfaces in the same VRF.
C.Create a static route from one VRF to another.
D.Configure a VRF leak policy using route maps or policy routes.
AnswerD

VRF leaking can be achieved by using route maps with the 'set vrf' command or by using policy routes to forward traffic between VRFs.

Why this answer

VRF leaking is the process of sharing routes between VRFs. This is done by configuring route maps that match specific routes and setting the target VRF, or by using policy routes that override the VRF lookup.

25
MCQmedium

An administrator runs 'diagnose sys session filter dport 443' and sees: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A.The session is a multicast session with a duration of 3600 seconds.
B.The session is a TCP session in established state that has been up for 3600 seconds and will expire in 3599 seconds.
C.The session is in SYN_SENT state and has timed out after 3600 seconds.
D.The session is a UDP session that has been active for 3600 seconds.
AnswerB

proto=6 means TCP, proto_state=01 typically indicates established state. Duration is the time since session creation, expire is the remaining time before the session is removed if idle.

Why this answer

The output shows a TCP session in established state (proto_state=01) that has been alive for 3600 seconds and the idle timeout will expire in 3599 seconds if no packets are sent.

26
MCQmedium

A FortiGate has multiple equal-cost routes to the same destination via two different interfaces. ECMP load balancing is enabled. What determines how traffic is distributed among the routes?

A.The interface speed
B.A hash of source and destination IP addresses
C.Round-robin per packet
D.The route metric
AnswerB

Answer B is the closest option: FortiGate ECMP picks the route per session with a hash, not per packet.

Why this answer

Note that the FortiOS default v4-ecmp-mode is source-ip-based, a hash of the source IP only; source-dest-ip-based, weight-based and usage-based (spillover) are the alternatives, set under config system settings. Once SD-WAN is enabled, the equivalent setting is load-balance-mode under config system sdwan.

27
MCQmedium

A network administrator configures an SD-WAN zone with two members (port1 and port2) and sets the load balancing algorithm to 'spillover'. The spillover threshold is set to 100 Mbps on port1. If traffic reaches 120 Mbps on port1, what happens to new sessions?

A.All traffic is dropped because the threshold exceeded
B.New sessions are sent to port2 until port1 drops below the threshold
C.Port1 continues to receive all new sessions but packets are queued
D.New sessions are distributed equally between port1 and port2
AnswerB

Correct spillover behavior.

Why this answer

Spillover algorithm sends traffic to the preferred member (lowest cost or first in order) until its bandwidth exceeds the threshold. When the threshold is exceeded, new sessions are sent to the next available member. Port2 will handle new sessions until port1 drops below the threshold.
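Added example covering both the ECMP question and the spillover question above (not configuration from the quiz). Interface names, member IDs and the thresholds are assumptions.

```text
# Assumed interface names and thresholds.

# Plain ECMP without SD-WAN. The default is source-ip-based: every session from
# one source IP sticks to one route, so a single busy client never balances.
config system settings
    set v4-ecmp-mode source-dest-ip-based   # hash both IPs, as the answer describes
end

# The same choice once SD-WAN is enabled, plus spillover as in the spillover question.
config system sdwan
    set status enable
    set load-balance-mode usage-based       # spillover: fill member 1, then move to member 2
    config members
        edit 1
            set interface "port1"
            set spillover-threshold 100000           # kbit/s: 100 Mbps egress
            set ingress-spillover-threshold 100000
        next
        edit 2
            set interface "port2"
        next
    end
end

# Which members exist and where new sessions are being placed
diagnose sys sdwan member
```

Spillover decides on the measured rate of the first member at the moment a new session arrives; it does not estimate what a session will use, so a member stays preferred until its counters actually cross the threshold.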

28
Multi-Selecthard

A FortiGate is configured with multiple VRFs. An administrator notices that routes from VRF A are not being advertised to VRF B via BGP, even though the BGP configuration is correct. Which TWO actions could resolve this issue?

Select 2 answers
A.Enable 'route-flap damping' on the BGP session between VRFs
B.Configure a route leak from VRF A to VRF B under config router vrf
C.Disable 'bgp enforce-first-as' to allow cross-VRF advertisements
D.Configure 'set import-route' under the BGP VRF configuration
E.Use 'set next-hop-self' on the BGP neighbor in each VRF
AnswersB, E

Why this answer

BGP does not advertise routes between VRFs on its own; the route has to be leaked. The answer key pairs leaking (B) with next-hop-self (E): leaking makes the prefix appear in VRF B's table, and next-hop-self keeps the advertised next hop on an address the receiving side can actually reach. Note that in FortiOS the leak is configured under config router bgp (config vrf with a leak-target in 7.x), not under a separate config router vrf.

Route-flap damping (A) and enforce-first-as (C) have nothing to do with VRF isolation, and option D does not correspond to a FortiOS leak setting.
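Added example (FortiOS 7.x syntax, not from the quiz) leaking a server subnet from VRF 2 into VRF 1, which also answers the two VRF questions earlier on this page. VRF IDs, ports, prefixes, the AS number and the object names are assumptions; the example assumes the connected subnet is placed into BGP by redistribution so the leak can pick it up.

```text
# Assumed VRF IDs, ports, prefixes and names.
config system interface
    edit "port3"
        set vrf 1            # client side
        set ip 10.1.0.1 255.255.255.0
    next
    edit "port4"
        set vrf 2            # server side
        set ip 10.2.0.1 255.255.255.0
    next
end
config router prefix-list
    edit "PL-SERVER-NET"
        config rule
            edit 1
                set prefix 10.2.0.0 255.255.255.0
            next
        end
    next
end
config router route-map
    edit "RM-LEAK-2-TO-1"
        config rule
            edit 1
                set action permit
                set match-ip-address "PL-SERVER-NET"   # leak only the server subnet, nothing else
            next
        end
    next
end
config router bgp
    set as 65000
    config redistribute "connected"
        set status enable       # make the connected subnet visible to BGP for leaking
    end
    config vrf
        edit "2"
            config leak-target
                edit "1"                          # export VRF 2's matching routes into VRF 1
                    set route-map "RM-LEAK-2-TO-1"
                    set interface "port4"
                next
            end
        next
    end
end
# Return path: leak the client subnet from VRF 1 into VRF 2 the same way, and add a
# firewall policy port3 -> port4 for the traffic itself; the leak only creates the route.
get router info routing-table all
```

Keeping the route map tight is the security point: a leak with no match clause exports the whole source VRF and quietly undoes the segmentation the VRFs were created for.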

29
MCQmedium

An administrator wants to segment traffic between two departments (Engineering and Finance) using the same FortiGate. Each department must have its own routing table with overlapping IP addresses. Which feature should be enabled to achieve this without creating separate VDOMs?

A.VRF
B.Policy-based routing
C.Virtual IP (VIP)
D.Multiple VDOMs
AnswerA

VRF provides separate routing tables within a VDOM, allowing overlapping IP addresses.

Why this answer

VRF (Virtual Routing and Forwarding) allows multiple routing table instances within a single VDOM or global. It is ideal for network segmentation with overlapping IP spaces without the overhead of full VDOMs.

30
MCQmedium

An administrator wants to use BFD to detect failures in an OSPF neighbor relationship faster than OSPF hello timers. They configure 'config router ospf' and 'set bfd enable'. However, BFD sessions are not coming up. What is a possible reason?

A.The interface has 'set bfd enable' missing under config system interface
B.OSPF is configured with 'network point-to-multipoint'
C.The neighbor does not have BFD enabled on its OSPF configuration
D.The FortiGate's BFD transmit interval is set too high
AnswerA, C

Both global OSPF BFD and interface-level BFD must be enabled. Missing interface-level can prevent BFD session establishment.

Why this answer

BFD requires that the interface has BFD enabled at the interface level and that the OSPF neighbor also supports BFD.
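Added example (not from the quiz) of both halves of the BFD configuration this question is about. The interface name and the timer values are assumptions.

```text
# Assumed interface name and timers.
config system interface
    edit "port1"
        set bfd enable                 # interface level: without it no BFD session forms
        set bfd-desired-min-tx 250     # ms
        set bfd-required-min-rx 250
        set bfd-detect-mult 3          # 3 x 250 ms: failure declared in about 750 ms
    next
end
config router ospf
    set bfd enable                     # OSPF registers its neighbors with BFD
end

# The peer must be configured the same way. Verify the session (state should be Up):
get router info bfd neighbor
```

If the neighbor list is empty after both sides are configured, the usual cause is that the OSPF adjacency itself is not up; BFD only tracks neighbors the routing protocol has already handed it.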

31
MCQeasy

An administrator wants to ensure that voice traffic (UDP 16384-32768) always uses the MPLS link, while internet-bound traffic uses broadband. Which SD-WAN feature should be configured to achieve this?

A.Performance SLA
B.SD-WAN member configuration
C.Load balancing algorithm
D.SD-WAN rule
AnswerD

SD-WAN rules control traffic steering based on criteria.

Why this answer

SD-WAN rules allow matching specific traffic patterns and forcing them to use particular members or strategies. The rule can match the voice traffic UDP port range and set the strategy to 'manual' or 'best quality' with preferred member as MPLS.

32
MCQeasy

A FortiGate administrator wants to use BFD to quickly detect link failures in an SD-WAN deployment. Which statement about BFD configuration on FortiGate is correct?

A.BFD is enabled by default on all FortiGate interfaces
B.BFD can be configured under the interface or routing protocol to detect forwarding path failures
C.BFD sessions are established automatically when OSPF neighbors form
D.BFD uses performance SLA probes to determine link health
AnswerB

Why this answer

BFD (Bidirectional Forwarding Detection) is configured under the interface or routing protocol to provide fast failure detection. It is not enabled by default. Option A is incorrect because BFD must be configured.

Option C is incorrect because BFD uses its own dedicated sessions and must be enabled explicitly; forming an OSPF adjacency does not start one. Option D is incorrect because BFD does not use performance SLA probes; SLAs are separate health checks.

33
MCQmedium

A FortiGate is configured with SD-WAN and uses performance SLA to monitor link quality. The administrator sets the SLA threshold to jitter < 30ms. If a link has average jitter of 35ms, what is the status of that link in the SD-WAN health check?

A.Dead
B.Unavailable
C.Degraded
D.Alive
AnswerC

Degraded is the quiz's term for a member that still answers probes but misses one or more SLA targets.

Why this answer

With measured jitter of 35 ms against a 30 ms target, the health check stays alive (the probes are answered) but the SLA is marked as failed for that member; in diagnose sys sdwan health-check output this shows in the member's sla_map. An SD-WAN rule using an SLA strategy then prefers members that still pass, while a manual rule keeps using the member regardless.

34
MCQeasy

A company has two internet connections: a primary fiber link (port1, 100 Mbps) and a backup DSL link (port2, 20 Mbps). They are using SD-WAN to load balance traffic based on volume, with a rule that sends 70% of traffic to port1 and 30% to port2. Recently, users report that video conferencing applications are experiencing high latency and jitter. The network team finds that the SD-WAN performance SLA for the fiber link shows 80% packet loss and high latency. The SD-WAN rule action is set to 'best quality' with a latency threshold of 150 ms. The current latency on port1 is 200 ms, and on port2 is 40 ms. What should the administrator do to ensure that video conferencing traffic uses the DSL link while the fiber link is degraded?

A.Increase the SLA latency threshold to 250 ms so that the fiber link is considered acceptable.
B.Change the SD-WAN rule action to 'lowest cost' to favor the DSL link.
C.Adjust the volume ratio to send 100% of traffic to port2 until the fiber link recovers.
D.No changes are needed; the SD-WAN rule with 'best quality' will automatically use port2 for new sessions because port1 does not meet the SLA.
AnswerD

Correct. With 'best quality' action, if a member fails SLA, new sessions will be directed to the best performing member.

Why this answer

Option D is correct because the rule uses Best Quality, which ranks members by the measured quality metric from the referenced performance SLA (latency by default, optionally jitter or packet loss) and steers new sessions to the best-ranked member. Port1 at 200 ms latency with 80% packet loss ranks far below port2 at 40 ms, so new video conferencing sessions go to port2 without manual intervention.

Exam trap

The trap here is that candidates often assume manual configuration (like changing thresholds or ratios) is required to fix a degraded link, when in fact the 'best quality' action with performance SLA already provides automatic failover to the best-performing link.

How to eliminate wrong answers

Option A is wrong because increasing the SLA latency threshold to 250 ms would make the degraded fiber link appear acceptable, causing traffic to continue using the high-latency, high-packet-loss link and defeating the purpose of SLA monitoring. Option B is wrong because changing the rule action to 'lowest cost' would select the link based on cost metrics (e.g., bandwidth cost), not performance, and the DSL link might not be the lowest cost; even if it were, this action does not consider SLA compliance for latency and jitter. Option C is wrong because manually adjusting the volume ratio to 100% on port2 is a static workaround that bypasses the dynamic SLA-based steering, which is less efficient and not necessary when the 'best quality' action already handles failover automatically.

35
MCQeasy

A FortiGate is configured with two ISPs in an SD-WAN. The administrator wants to use the link with the highest bandwidth for bulk downloads, but if that link fails, all traffic should automatically use the backup link. Which load balancing algorithm should be used?

A.Sessions
B.Volume
C.Spillover
D.Source-destination IP
AnswerC

Spillover uses a configured bandwidth threshold; traffic is sent to the primary link until it reaches the threshold, then spills over to the backup. If the primary fails, all traffic goes to backup.

36
Multi-Selecthard

A FortiGate is in a multi-area OSPF environment. The administrator needs to redistribute connected routes from area 1 into OSPF. Which THREE steps are required? (Choose three.)

Select 3 answers
A.Configure the connected interfaces as OSPF passive interfaces.
B.Configure 'redistribute connected' under the OSPF configuration.
C.Create a route map to filter which connected routes are redistributed.
D.Set the 'redistribute connected' metric and metric-type.
E.Enable 'default-information originate' to advertise a default route.
AnswersB, C, D

Redistribution of connected routes must be enabled in the OSPF process.

Why this answer

To redistribute connected routes into OSPF, you need to enable redistribution, optionally filter with a route map, and set the metric and metric-type to ensure proper route advertisement.

37
MCQmedium

A FortiGate has two equal-cost paths to a destination network through two different ISPs. The administrator wants to load balance traffic across both links using ECMP, but notices that all traffic uses only one link. What should the administrator check first?

A.Check that both routes have the same administrative distance and priority
B.Configure 'set v4-ecmp-mode' to 'source-ip-based'
C.Verify that 'set load-balance-eligible' is enabled on both WAN interfaces
D.Disable 'anti-replay' on the security policy
AnswerA

ECMP requires equal cost; if distances differ, the lower distance route is preferred.

Why this answer

ECMP requires that routes have the same distance and priority. Additionally, FortiGate uses source-destination IP hash by default; if sessions are sticky, one link may carry all traffic.

38
Multi-Selecthard

A FortiGate is configured with OSPF in a multi-area design. An administrator needs to redistribute static routes from another router into OSPF on the FortiGate, but only for prefixes that match a route map. The administrator has configured 'config router ospf' with 'redistribute static route-map RM_STATIC'. However, the static routes are not appearing in the OSPF database. Which THREE troubleshooting steps should the administrator take?

Select 3 answers
A.Verify that OSPF is enabled on at least one interface (config router ospf -> network)
B.Verify that the route map 'RM_STATIC' exists and has appropriate match and set statements
C.Check if a prefix-list is applied that filters the redistributed routes
D.Run 'get router info ospf route' to see the redistributed routes in the routing table
E.Confirm that 'redistribute' is configured under the OSPF process, not just under the router
AnswersB, D, E

If the route map doesn't exist or lacks match conditions, redistribution fails.

Why this answer

The three checks that bear directly on the symptom are: confirm that the route map RM_STATIC exists and that its rules permit the intended prefixes (B); confirm that the redistribute entry is configured under the OSPF process with status enabled (E); and confirm what is actually being redistributed by inspecting the OSPF routes and database (D). A route map that does not exist, or whose only rules deny the prefixes, stops redistribution even though the CLI accepts the command.

Option A is a precondition for OSPF running at all rather than a redistribution check, and option C is a secondary filter to examine only after the route map itself has been verified.

39
MCQhard

A FortiGate is configured with an SD-WAN rule using 'spillover' algorithm. The primary member has a spillover threshold of 100 Mbps. Traffic of 80 Mbps is currently flowing through the primary member. A new session requiring 30 Mbps arrives. What will happen?

A.The new session is sent to the primary member because the current load is below the threshold.
B.The new session is sent to the secondary member because the primary threshold would be exceeded.
C.The new session is dropped because no member can handle it.
D.The primary member's threshold is dynamically increased.
AnswerA

Spillover compares the member's current measured bandwidth with the threshold; the FortiGate has no way of knowing how much bandwidth a new session will use.

Why this answer

Spillover (usage-based) steering works on measured utilization: new sessions go to the first member until its traffic exceeds the configured threshold, then to the next member until the first drops back below it. At 80 Mbps the primary is under its 100 Mbps threshold, so the new session is placed on it. Sessions are not pre-sized, so "would exceed" is not something the algorithm can evaluate; only after the measured rate actually crosses 100 Mbps do subsequent new sessions spill to the secondary member.

40
Multi-Selectmedium

An administrator wants to deploy FortiSwitch and FortiAP using LAN edge management from a FortiGate. Which TWO conditions must be met? (Choose two.)

Select 2 answers
A.The FortiSwitch and FortiAP must be factory reset before connecting.
B.The FortiGate must be configured with the FortiLink interface for FortiSwitch and a CAPWAP interface for FortiAP.
C.The FortiSwitch and FortiAP must be in the same broadcast domain as the FortiGate management interface.
D.The FortiGate must have a valid FortiCare contract for unified management.
E.The FortiGate must have the 'set allowaccess' command enabled for HTTPS or SSH on the managing interface.
AnswersB, C

FortiSwitch uses FortiLink (a dedicated interface or VLAN), and FortiAP uses a CAPWAP interface for management.

Why this answer

LAN edge management requires L2 connectivity between the FortiGate and devices, and proper interface configuration: FortiLink for switches and CAPWAP for APs.

41
MCQeasy

A FortiGate administrator wants to enable load balancing for equal-cost paths to the same destination. The FortiGate has two equal-cost routes via two different next-hop routers. Which feature should the admin enable to load balance traffic across both paths?

A.BFD (Bidirectional Forwarding Detection)
B.ECMP (Equal Cost Multi-Path)
C.Policy-based routing
D.SD-WAN load balancing
AnswerB

ECMP distributes traffic across multiple routes with the same metric and administrative distance.

Why this answer

Option B is correct. ECMP (Equal Cost Multi-Path) is the feature that allows a router to load balance traffic across multiple equal-cost paths. FortiGate supports ECMP by default for routing protocols like OSPF and BGP.

42
MCQeasy

An administrator wants to integrate a FortiExtender with a FortiGate to provide WAN connectivity. Which interface type is used on the FortiGate to connect to the FortiExtender?

A.wan
B.lan
C.dmz
D.loopback
AnswerA

The FortiExtender connects to a WAN interface, and FortiGate creates a wwan interface.

Why this answer

FortiExtender connects via a WAN interface, typically configured as a 'wan' or 'vlan' interface. The FortiGate automatically detects the FortiExtender and creates a 'wwan' interface for the cellular link.

43
MCQmedium

A FortiGate with SD-WAN configured has a Performance SLA monitoring Google DNS (8.8.8.8). The SLA is configured with latency threshold 100 ms and jitter threshold 20 ms. The link is currently meeting both thresholds. The administrator wants to ensure that if the SLA fails, traffic moves to another link. Which SD-WAN rule strategy should be used?

A.Best quality
B.Manual selection
C.Maximize bandwidth (SLA)
D.Failover (SLA)
AnswerD

Failover strategy uses the first member that meets SLA; if that fails, it moves to the next member in the list.

44
MCQmedium

An administrator wants to integrate a FortiExtender with a FortiGate for LTE backup. The FortiGate is using SD-WAN. What is the correct way to add the FortiExtender as an SD-WAN member?

A.Connect the FortiExtender to a physical port on the FortiGate and configure that port as an SD-WAN member.
B.Configure the FortiExtender as a standalone firewall and use IPsec between them.
C.Configure the FortiExtender as a separate VDOM and route between VDOMs.
D.Use a virtual-wire pair to connect the FortiExtender.
AnswerA

The FortiExtender appears as a physical interface (e.g., wwan) on the FortiGate when connected. That interface can be added as an SD-WAN member.

Why this answer

FortiExtender connects to a physical port (e.g., USB or Ethernet) and appears as a WAN interface. This interface can be added to the SD-WAN interface table as a member.

45
MCQmedium

An administrator configures a performance SLA for SD-WAN health checks. The SLA uses a ping probe to 8.8.8.8 every 2 seconds with a latency threshold of 150 ms and jitter threshold of 20 ms. After some time, the SD-WAN rule still shows the member as 'dead'. Which command should the administrator use to verify the probe results?

A.show system sdwan health-check
B.diagnose sys sdwan health-check
C.diagnose sys session list
D.execute ping-options source 8.8.8.8
AnswerB

This command displays real-time health check statistics.

Why this answer

The 'diagnose sys sdwan health-check' command shows detailed probe statistics per member, including latency, jitter, and packet loss, helping to identify why the SLA is failing.

46
MCQhard

An administrator configures policy-based routing (PBR) on a FortiGate to route traffic from a specific subnet through an MPLS link. The PBR is configured under config router policy. However, traffic from that subnet is still using the default route. What is the most likely issue?

A.The PBR policy does not have a set tos or set dscp value
B.The PBR policy has a higher priority number than the default route
C.The firewall policy is not allowing traffic to use the PBR
D.The MPLS link is down
AnswerC

PBR requires that the firewall policy has 'set pbr-enable enable' or the policy must be matched before PBR is applied. Without it, PBR may not be applied to the traffic.

47
MCQeasy

What is the purpose of a route map when used with route redistribution on a FortiGate?

A.To create a prefix list for BGP
B.To define the administrative distance of redistributed routes
C.To enable the redistribution process
D.To filter or modify route attributes during redistribution
AnswerD

Route maps allow granular control over which routes are redistributed and how.

Why this answer

Route maps are used with route redistribution to filter which routes are redistributed and to modify route attributes (such as metric, tag, or next-hop) as they are injected from one routing protocol into another. Option D is correct because route maps provide granular control over the redistribution process, allowing administrators to match specific routes using prefix lists or ACLs and then set attributes like metric or tag before the routes are redistributed.

Exam trap

The trap here is that candidates often confuse the route map's role as a filter or modifier with the enabling of redistribution itself, thinking the route map is required to start redistribution, when in fact redistribution is enabled by the 'redistribute' command and the route map is an optional parameter.

How to eliminate wrong answers

Option A is wrong because a prefix list is a separate tool used to match IP prefixes, not a route map; route maps can reference prefix lists, but the route map itself is not a prefix list. Option B is wrong because administrative distance is a property of the routing protocol or static route, not something set by a route map during redistribution; route maps can set metric, tag, or next-hop, but not administrative distance. Option C is wrong because the redistribution process is enabled by the 'redistribute' command under the routing protocol configuration, not by a route map; the route map is an optional filter applied to that redistribution.

48
MCQmedium

A network administrator is configuring SD-WAN on a FortiGate. They have multiple WAN links and want to ensure that traffic for a critical application uses the link with the lowest latency. Which SD-WAN configuration component should be used to achieve this?

A.Performance SLA with latency threshold and SD-WAN rule using best-quality strategy
B.SD-WAN rule with spillover load balancing
C.SD-WAN members with static priority
D.Load balancing algorithm set to lowest-cost (SLA)
AnswerA

Performance SLA measures latency, and a best-quality rule selects the link with lowest latency within the threshold.

49
MCQeasy

A FortiGate is configured with ECMP load balancing. What is the default behavior when multiple routes have equal cost?

A.The route with the lowest metric is always preferred
B.The administrator must enable per-packet load balancing
C.Traffic is load balanced across the routes using a hash algorithm
D.All traffic is sent over the first route until it fails
AnswerC

ECMP uses source-destination hashing to distribute sessions.

Why this answer

ECMP (Equal-Cost Multi-Path) by default uses a hash-based method to distribute traffic across the equal-cost paths.

50
Multi-Selectmedium

An administrator is configuring SD-WAN rules to steer traffic based on application performance. The requirement is to use VoIP traffic over the WAN link that has the lowest latency, but if latency exceeds 100ms, fail over to a backup link. The administrator has already created performance SLAs for both links. Which THREE configuration steps are required?

Select 3 answers
A.Set the 'failover-threshold' on each SD-WAN member to 100
B.Configure the SLA metric to 'latency' in the performance SLA
C.Create an SD-WAN rule for VoIP traffic and set the load balancing method to 'best quality'
D.Add both WAN interfaces to the rule as members and set weight based on latency
E.In the SD-WAN rule, set the 'sla-constraint' to 'sla' and define the latency threshold of 100ms
AnswersB, C, E

Why this answer

To achieve the requirement: first, create an SD-WAN rule for VoIP traffic and set its strategy to 'best quality' (option C). Then, select 'latency' as the SLA metric in the performance SLA (option B). Finally, configure the failover threshold by setting the SLA constraint in the rule with a latency threshold of 100 ms (option E).

Option A is not needed because the rule matches the application, not the interface. Option D is incorrect because the threshold is set in the SLA, not on the interface.

51
Multi-Selectmedium

A network admin is troubleshooting an SD-WAN rule that should steer VoIP traffic to a low-latency link. The rule matches traffic from the VoIP subnet to any destination and uses the 'best-quality' strategy with SLA monitoring. However, traffic is still using the other link. Which TWO checks should the admin perform? (Choose two.)

Select 2 answers
A.Ensure that the FortiGate has a default route via each SD-WAN member.
B.Check that the SD-WAN rule has a higher priority than other rules that might match the traffic.
C.Disable the other SD-WAN members temporarily to force traffic to the desired link.
D.Confirm that the VoIP subnet is included in the SD-WAN zone.
E.Verify that the performance SLA is correctly configured and the VoIP traffic matches the SLA's server.
AnswersB, E

SD-WAN rules are evaluated in order; a rule with higher priority (lower number) takes precedence.

52
Multi-Selectmedium

A FortiGate is acting as an ABR between OSPF area 0 and area 1. The administrator needs to redistribute a static route into OSPF so that it appears as an inter-area route (Type 3 LSA). Which three steps are required? (Choose THREE.)

Select 3 answers
A.Disable route summarization on the ABR
B.Configure a route map to set the metric type to Type 1
C.Verify the OSPF process has network statements covering all interfaces
D.Configure 'redistribute static' under OSPF on the ABR
E.Ensure the static route is present in the routing table
AnswersC, D, E

Necessary for OSPF adjacency and LSA propagation.

Why this answer

Redistribution is configured under OSPF process. The static route must exist. To propagate as Type 3, the redistribution must occur on the ABR and the route should be injected into area 0 so it can be converted to Type 3.

Optionally, a route map can filter.

53
MCQhard

A network engineer is troubleshooting an SD-WAN setup where traffic from a specific subnet is not being load-balanced as expected. The SD-WAN rule uses 'source IP' hashing. The engineer notices that the traffic originates from multiple hosts in the same /24 subnet. What is the most likely cause of poor load distribution?

A.The SD-WAN rule is not matching the traffic.
B.The SD-WAN members have different bandwidths.
C.Traffic is using a single destination IP and port.
D.The source IP hashing algorithm causes multiple hosts in the same subnet to map to the same member.
AnswerD

Source IP hashing can lead to poor distribution for similar IPs.

Why this answer

Source IP hashing in SD-WAN uses a hash of the source IP address to select a member for each flow. When multiple hosts reside in the same /24 subnet, their source IPs share the same first 24 bits, which can cause the hash algorithm to map them to the same SD-WAN member if the hash function is not sufficiently granular or if the number of members is small. This results in poor load distribution despite multiple sources.

Exam trap

The trap here is that candidates assume multiple hosts in the same subnet automatically distribute traffic evenly, forgetting that source IP hashing can produce identical hash values for IPs sharing the same network prefix, leading to poor load balancing.

How to eliminate wrong answers

Option A is wrong because if the SD-WAN rule were not matching the traffic, no load balancing would occur at all, not just poor distribution. Option B is wrong because different bandwidths among members affect capacity but do not cause the hash algorithm to map multiple hosts in the same subnet to the same member; bandwidth differences are handled by weighted load balancing, not source IP hashing. Option C is wrong because using a single destination IP and port would affect per-flow load balancing (e.g., session-based hashing), but source IP hashing is independent of destination; the issue here is specifically about source IPs in the same subnet mapping identically.

54
Matchingmedium

Match each IPsec VPN term to its definition.

Concepts

Internet Key Exchange version 1

Internet Key Exchange version 2

Encapsulating Security Payload

Authentication Header

Perfect Forward Secrecy

Why these pairings

These are fundamental IPsec VPN concepts.

55
MCQmedium

An administrator notices that when a BGP session goes down, failover to the backup path takes about 30 seconds. The admin wants to reduce the failover time to less than 1 second. Which technology should the administrator implement?

A.Configure BGP fast external failover
B.Increase the BGP keepalive timer to 1 second
C.Use policy-based routing with SLA monitoring
D.Enable BFD on the BGP neighbor and the associated interface
AnswerD

BFD provides fast failure detection (milliseconds) for routing protocols.

Why this answer

Option D is correct. BFD (Bidirectional Forwarding Detection) provides sub-second failure detection. It can be configured to monitor the BGP session and trigger faster convergence.

56
MCQmedium

An administrator configures an SD-WAN rule to steer traffic from a specific subnet to an SD-WAN member with the lowest cost. Which load balancing algorithm should be selected in the SD-WAN rule to achieve this behavior?

A.Lowest-cost
B.Volume
C.Sessions
D.Source-dest-IP
AnswerA

Lowest-cost uses the member with the best performance SLA metric.

Why this answer

Lowest-cost algorithm selects the member with the lowest cost (from performance SLA) for each session. Other algorithms do not consider cost.

57
MCQhard

A FortiGate administrator runs 'diagnose sys session list' and sees a session for which the destination interface is 'sdwan'. The session is marked with 'state=01000048'. What does this state indicate about the session?

A.The session is being held until the SD-WAN load balancing decision is made
B.The session is bypassing SD-WAN load balancing and using policy-based routing
C.The session has completed load balancing and is being forwarded out the sdwan interface
D.The session has been dropped because the selected SD-WAN member is down
AnswerA

Why this answer

In FortiGate session states, the hex value '01000048' corresponds to flags including 'dest_valid' and 'likely_proto'. The flag '01000000' typically indicates the session is using ECMP. In the context of an SD-WAN interface, this state suggests that the session is undergoing load balancing and is waiting for the route to be resolved.

More specifically, a session state like this often means the session is in an 'ECMP pending' state. Among the options, the closest is that the session is waiting for the SD-WAN load balancing decision. Option A is the correct interpretation.

58
MCQhard

An enterprise uses FortiGate as an SD-WAN edge device with three WAN links: Link A (MPLS), Link B (broadband), and Link C (LTE). The SD-WAN rule for VoIP traffic uses the 'best quality' strategy with link-quality-measurement enabled. The VoIP traffic is routed via Link A. During peak hours, users report poor voice quality. The administrator checks the SD-WAN performance SLA logs and sees that Link A's jitter and latency are within acceptable thresholds, but packet loss is slightly elevated. Which action would most likely improve VoIP quality without manual intervention?

A.Increase the priority of Link A to ensure it remains the preferred link.
B.Configure a performance SLA for VoIP traffic with jitter < 10ms, latency < 100ms, and packet-loss < 0.5% and apply it to the SD-WAN rule.
C.Disable link-quality-measurement to reduce overhead on Link A.
D.Add a new SD-WAN rule with 'lowest cost' strategy for VoIP traffic.
AnswerB

Applying a performance SLA with strict thresholds will cause the SD-WAN rule to select a link that meets the criteria, switching away from Link A if it fails the SLA.

Why this answer

Option B is correct because configuring a performance SLA with specific thresholds for jitter, latency, and packet loss allows FortiGate to dynamically failover VoIP traffic to another WAN link when Link A's packet loss exceeds the defined threshold (e.g., 0.5%). Since the 'best quality' strategy uses link-quality-measurement to select the link with the best SLA compliance, applying a performance SLA with a packet-loss threshold ensures that even if jitter and latency are acceptable, elevated packet loss triggers a switch to a healthier link, improving voice quality without manual intervention.

Exam trap

The trap here is that candidates assume 'best quality' automatically handles all quality metrics, but without a performance SLA with explicit thresholds, FortiGate only uses link-quality-measurement for ordering and does not failover based on packet loss alone.

How to eliminate wrong answers

Option A is wrong because increasing the priority of Link A would force it to remain the preferred link, preventing failover to a better-performing link when packet loss is elevated, which would not resolve the poor voice quality. Option C is wrong because disabling link-quality-measurement would stop FortiGate from monitoring link quality altogether, removing the ability to detect packet loss and make dynamic routing decisions, likely worsening VoIP quality. Option D is wrong because using the 'lowest cost' strategy for VoIP traffic would select links based on cost rather than quality, which could route traffic over a cheaper but lower-quality link, failing to address the packet loss issue on Link A.

59
MCQeasy

Which routing technique allows a FortiGate to forward packets based on source IP address, destination IP address, or other criteria, in addition to the destination IP alone?

A.Policy-Based Routing (PBR)
B.RIP
C.OSPF route redistribution
D.ECMP
AnswerA

PBR uses policies to route traffic based on various attributes.

Why this answer

Option A is correct. Policy-Based Routing (PBR) allows forwarding decisions based on source IP, destination IP, protocol, port, etc., overriding the destination-based routing table.

60
Multi-Selectmedium

A FortiGate is configured with OSPF and BGP. The administrator wants to redistribute OSPF routes into BGP. Which TWO steps are required?

Select 2 answers
A.Configure a route map to filter the routes being redistributed
B.Set the BGP table version to 2
C.Use the 'redistribute ospf' command under the BGP configuration
D.Ensure the OSPF routes are present in the routing table
E.Disable OSPF on the interface
AnswersC, D

This enables redistribution of OSPF routes into BGP.

61
MCQmedium

An administrator sees the following output from 'diagnose sys session list' for a particular session: proto=6 proto_state=01 duration=3600 expire=3599. What does this indicate about the session?

A.The session is an ICMP session
B.The session is a TCP session that is still open and will expire in 3599 seconds
C.The session is a TCP session in TIME_WAIT state
D.The session is for UDP traffic and has been up for 3600 seconds
AnswerB

proto=6 is TCP, duration=3600 seconds, expire=3599 seconds remaining.

62
MCQhard

A FortiGate is configured with two SD-WAN members (wan1, wan2) and a performance SLA for each. The SD-WAN rule uses 'Maximize Bandwidth' strategy with volume-based load balancing. The administrator notices that traffic is only using wan1, even though both links have capacity. The SLA status for wan2 shows 'alive'. What could be the problem?

A.The link cost for wan2 is too high.
B.The SD-WAN rule has a 'set member' statement that lists only wan1.
C.The performance SLA for wan2 is not associated with the SD-WAN rule.
D.The bandwidth weight for wan2 is set to 0.
AnswerB

If the rule explicitly includes only wan1, traffic will not use wan2 even if the SLA is alive.

Why this answer

The 'Maximize Bandwidth' strategy distributes traffic based on volume, but if the algorithm is set to 'Volume' and the bandwidth ratio settings (set bandwidth-weight) are imbalanced, one link might be preferred. However, the most common cause is that the SD-WAN rule's 'dst' or 'src' match criteria are restricting traffic to only wan1, or the rule's 'set member' includes only wan1. Another possibility: the rule might have 'set priority' or 'set input-device' that forces traffic to wan1.

63
Multi-Selectmedium

An administrator needs to configure a FortiGate to use two WAN links for internet traffic with failover and load balancing. Which TWO steps are required?

Select 2 answers
A.Configure a performance SLA for each SD-WAN member.
B.Set the SD-WAN zone to 'spillover' mode.
C.Enable NAT on the SD-WAN zone.
D.Define SD-WAN rules to match internet-bound traffic.
E.Add both WAN interfaces as SD-WAN members.
AnswersD, E

Rules determine how traffic is load-balanced.

64
MCQhard

An administrator configures a route map named RMAP_EXPORT that sets a community for routes redistributed into BGP. The route map is applied to the 'redistribute connected' statement under BGP. However, the connected routes are not being advertised to BGP peers. What is the most likely cause?

A.The BGP neighbor is not configured with 'route-map in'
B.Connected routes are not in the routing table
C.The route map does not have a 'match ip address' statement
D.The route map is missing a 'set community' action
AnswerC

Without a match, the route map may not permit any routes.

Why this answer

Route maps used for redistribution require a 'match' statement to select routes. If the route map has only a 'set' action without a 'match', it may not match any routes, resulting in no redistribution. A common mistake is omitting the 'match' clause.

65
Multi-Selecthard

A FortiGate is experiencing asymmetric routing due to route leaking between VRFs. The administrator wants to ensure that traffic using a specific VRF returns via the same path. Which THREE actions should be taken? (Choose three.)

Select 3 answers
A.Enable 'set pbr-enforce-symmetric' on the VRF interfaces
B.Configure policy-based routing with set-next-hop to force return traffic through the same interface
C.Use a route map to set the next-hop on routes leaked into the VRF
D.Disable route leaking between VRFs
E.Increase the administrative distance of the leaked routes
AnswersA, B, C

This feature forces symmetric routing for policy-based routes.

Why this answer

To handle asymmetric routing, the administrator can enable 'set pbr-enforce-symmetric', configure policy-based routing to enforce symmetric paths, or use route maps to influence route selection.

66
MCQeasy

What is the purpose of a prefix list in FortiGate routing?

A.To match routes based on their network prefix and subnet mask.
B.To configure NAT rules.
C.To define SD-WAN members.
D.To assign IP addresses to interfaces.
AnswerA

Prefix lists are used to match specific routes for filtering or redistribution based on prefix length.

Why this answer

A prefix list in FortiGate is used to match routes based on their network prefix and subnet mask (prefix length). It is commonly applied in route maps or BGP configurations to filter or manipulate routing information, such as in redistribution or neighbor policy statements. Unlike access lists, prefix lists match the exact prefix and length, providing more granular control over route advertisement and acceptance.

Exam trap

The trap here is that candidates often confuse prefix lists with access lists or route maps, assuming they can be used for general packet filtering or interface configuration, but prefix lists are strictly for route prefix matching in routing policy contexts.

How to eliminate wrong answers

Option B is wrong because NAT rules are configured using firewall policies or central NAT tables, not prefix lists. Option C is wrong because SD-WAN members are defined in the SD-WAN configuration under the 'config system sdwan' context, where interfaces and their roles are specified, not via prefix lists. Option D is wrong because IP addresses are assigned to interfaces using the 'config system interface' command with the 'set ip' directive, not through prefix lists.

67
MCQhard

A FortiGate is connected to a FortiExtender via USB. The administrator wants to use LTE as a backup WAN link in an SD-WAN setup. After configuring the FortiExtender, the LTE interface is not showing up as an SD-WAN member. What is the most likely reason?

A.The FortiExtender is not in managed mode
B.The FortiGate does not have a valid FortiExtender license
C.The LTE SIM card is not activated
D.The LTE interface must be configured as a WAN link in the FortiExtender first
AnswerB

A valid license is required for FortiExtender integration; without it, the interface may not be recognized as an SD-WAN member.

68
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A.The session is a UDP session with a short timeout.
B.The session is a UDP session that has been active for 1 hour.
C.The session is a TCP session in established state that has been active for 1 hour and will expire in about 1 hour.
D.The session is a TCP session that has timed out and is being removed.
AnswerC

The output matches a TCP established session with durations.

Why this answer

proto=6 indicates TCP. proto_state=01 means the session is in 'established' state (TCP state established). duration=3600 seconds means the session has been active for 1 hour. expire=3599 means it will expire in 3599 seconds (almost 1 hour more). This indicates a healthy long-lived TCP session that is still active.

69
MCQhard

An administrator wants to load-balance traffic across two WAN links using ECMP. The routes have equal distances and metrics. However, traffic is only using one of the links. What could be the cause?

A.The routes are learned via different routing protocols with different administrative distances.
B.ECMP is not enabled globally under config system settings.
C.The firewall policy is configured to use a specific egress interface.
D.The traffic is session-based and ECMP uses per-packet load balancing.
AnswerA

ECMP requires equal distances; if one route has a lower distance, it will be preferred.

70
MCQmedium

An administrator configures BFD on a FortiGate to improve convergence time for OSPF. What is the primary purpose of BFD in this context?

A.To reduce the number of OSPF neighbors
B.To encrypt OSPF packets
C.To detect link failures faster than OSPF hello timers
D.To load balance OSPF traffic across multiple links
AnswerC

BFD provides rapid failure detection, often sub-second, improving convergence.

Why this answer

BFD provides fast failure detection (sub-second) for routing protocols like OSPF, triggering quicker route convergence.

71
Multi-Selecthard

A FortiGate running FortiOS 7.2 has multiple WAN interfaces. The administrator is configuring SD-WAN load balancing with the 'volume' algorithm. The requirement is that each interface carries a percentage of total traffic based on its bandwidth capacity. The administrator sets the 'weight' of each interface accordingly. However, traffic distribution is not as expected. Which TWO factors could cause this discrepancy?

Select 2 answers
A.The interface bandwidth settings (speed) do not reflect actual link capacity
B.The weight values are not in the range 1-100
C.The traffic is dominated by a few large-volume sessions, causing imbalance
D.The load balancing algorithm is set to 'per-packet' instead of 'volume'
E.The performance SLA is set to 'disable' on some interfaces, causing them to be excluded
AnswersA, C

Why this answer

The volume algorithm uses weight and interface bandwidth to distribute traffic. If the interface bandwidth is misconfigured (option A), the distribution will be wrong. Also, per-packet load balancing is not used; the algorithm works on sessions.

However, if the traffic consists of a few large sessions, the volume distribution may not be even. Option C is correct because the algorithm works at the session level, not per packet, so volume imbalance can occur if sessions vary greatly in size. Option B is irrelevant.

Option D is incorrect because the algorithm does not use per-packet balancing. Option E is a possible issue with health checks if traffic is diverted.

72
MCQmedium

An administrator wants to use BFD with OSPF to detect link failures faster. What must be configured on the FortiGate?

A.Enable BFD only on the OSPF interfaces using 'set bfd enable' under the interface configuration.
B.BFD is automatically enabled when OSPF is configured; no additional steps are needed.
C.Enable BFD globally and under the OSPF process with 'set bfd enable'.
D.Create a BFD template and apply it to the OSPF process.
AnswerC

BFD must be enabled globally under config system interface and also enabled for OSPF under config router ospf with 'set bfd enable'.

73
MCQhard

A FortiGate is running OSPF with multiple areas. The administrator notices that routes from area 1 are not being redistributed into area 0. The ABR has the following configuration: 'config router ospf config area edit 0.0.0.0 set type nssa end config area edit 0.0.0.1 set type standard end end'. What is the issue?

A.The ABR must have 'set type standard' for area 0.
B.Area 0 is configured as NSSA, which does not accept type 3 LSAs from other areas.
C.The ABR is missing a 'redistribute connected' command.
D.Area 1 is not configured as NSSA, so routes cannot be redistributed.
AnswerB

NSSA areas do not allow type 3 summary LSAs. Routes from other areas are not injected into an NSSA area unless special options are used.

Why this answer

In OSPF, area 0 must be a standard area (or at least not NSSA) for inter-area routes to be advertised. NSSA areas block type 3 LSAs by default.

74
Multi-Selectmedium

A FortiGate is configured with multiple VRFs to segregate traffic from different departments. The administrator needs to allow the Finance VRF to access a shared printer in the default VRF. Which TWO steps are required to enable inter-VRF communication?

Select 2 answers
A.Configure OSPF to redistribute routes between VRFs
B.Place both the Finance and default VRF interfaces into the same zone
C.Configure a leak route from the Finance VRF to the default VRF for the printer's subnet
D.Create a firewall policy between the VRF interfaces that permits the required traffic
E.Assign the printer's IP address to an interface in the Finance VRF
AnswersC, D

Why this answer

To route between VRFs, you need a route leak. This can be done using leak routes under config router vrf, or by using policy-based routing between VRFs. Firewall policies between VRFs are also required to permit the traffic.

Option D is correct: firewall policies must be configured between the two VRFs. Option C is correct: a route leak (or inter-VRF policy route) must be configured to enable routing between VRFs. Option A is not required if you leak routes.

Option B is not the primary method; a leak route is more appropriate. Option E is not necessary if you use route leaking.

75
MCQmedium

A FortiGate is configured with two SD-WAN members (port1 and port2). The administrator sets an SD-WAN rule with 'set load-balance-mode source-dst-ip' for all internal traffic. The source IP is 10.0.0.1 and destination IP is 172.16.0.1. Which factor determines the outgoing interface for this traffic?

A.The destination IP only
B.The combination of source IP and destination IP hashed to select an interface
C.The source IP only
D.The interface with the lowest current utilization
AnswerB

source-dst-ip mode uses a hash of both source and destination IPs to consistently select the same interface for the same flow.
