CCNA Advanced Networking and SD-WAN Questions

75 of 209 questions · Page 2/3 · Advanced Networking and SD-WAN · Answers revealed

76
MCQ · hard

An administrator runs 'get router info bgp summary' and sees that the BGP session to a neighbor is in the 'Idle' state. The neighbor IP is reachable via ping. The BGP configuration uses loopback interfaces with 'update-source loopback1'. What is the MOST likely reason for the Idle state?

A. There is no route on the neighbor back to the FortiGate's loopback IP
B. The loopback interface is down or has no IP address assigned
C. The BGP neighbor's remote-as is misconfigured
D. The BGP timer values (keepalive/hold) are mismatched
Answer: A

BGP uses TCP; if the neighbor cannot reach the update-source IP, the TCP handshake fails, keeping the session in Idle.

Why this answer

BGP Idle state often indicates a TCP connection issue. If the update source is a loopback, the neighbor must have a route to that loopback IP, or the update-source must match the neighbor's configured remote-as and reachability.

77
MCQ · easy

What is the function of a VRF (Virtual Routing and Forwarding) on a FortiGate?

A. To provide redundancy for routing protocols
B. To aggregate multiple physical interfaces into one logical interface
C. To create multiple independent routing tables
D. To encrypt traffic between different virtual domains
Answer: C

VRF maintains separate routing tables, providing path isolation.

Why this answer

VRF allows multiple independent routing tables to coexist on the same FortiGate, enabling traffic separation without separate physical devices.

78
MCQ · medium

An administrator connects a FortiExtender to the FortiGate's USB port. The FortiGate detects the FortiExtender and creates a virtual interface 'wwan1'. However, the link status shows 'down'. The SIM card is inserted and the cellular plan is active. What should the administrator check?

A. The APN settings are not configured under the FortiExtender interface
B. The FortiGate needs a security policy allowing traffic from wwan1
C. The FortiExtender firmware is not compatible with the FortiGate
D. The FortiExtender is not powered on
Answer: A

APN is required for cellular connectivity; without it, the link stays down.

Why this answer

FortiExtender requires provisioning from the FortiGate; the APN must be configured correctly, and the extender may need to be activated.

79
MCQ · medium

An administrator is configuring SD-WAN on a FortiGate. They want traffic from the internal network to a specific SaaS application to use the MPLS link unless the latency exceeds 50 ms, in which case traffic should failover to the broadband link. Which configuration elements are required?

A. Configure policy-based routing to direct SaaS traffic to the MPLS link and rely on default routing for failover.
B. Add a static route for the SaaS IP with the MPLS interface as the gateway and a higher distance than the default route via broadband.
C. Create an SD-WAN member for each link, configure a performance SLA with jitter threshold 50 ms, and add an SD-WAN rule matching the SaaS traffic using the 'best-quality' strategy with the MPLS member.
D. Create an SD-WAN member for each link, configure a performance SLA with latency threshold 50 ms, and add an SD-WAN rule matching the SaaS traffic with the MPLS member as preferred and enable 'set failover enable'.
Answer: D

This correctly defines members, an SLA to measure latency, and a rule that uses the MPLS link with failover to the broadband when the SLA is not met.

80
MCQ · medium

A company with a hub-and-spoke SD-WAN topology uses FortiGates at each site. The hub has two WAN links: MPLS (10 Mbps) and broadband (100 Mbps). The spokes connect only via MPLS. The company deploys a new real-time application that requires low latency and low jitter. The network administrator creates an SD-WAN rule for this application with 'best quality' strategy and both MPLS and broadband as members. The SLA for MPLS is configured with latency < 10 ms and jitter < 5 ms. The SLA for broadband is configured with latency < 50 ms and jitter < 20 ms. The actual measured latency on MPLS is 12 ms, and jitter is 4 ms. The broadband latency is 25 ms, jitter 10 ms. Which path will the application traffic take?

A. The traffic will use the broadband link because MPLS SLA fails and broadband SLA is met.
B. The traffic will be load-balanced between MPLS and broadband.
C. The traffic will use the MPLS link because it is the preferred member.
D. The traffic will be dropped because no link meets the SLA.
Answer: A

SD-WAN failover to broadband.

Why this answer

The SD-WAN rule uses the 'best quality' strategy, which selects the member with the best SLA performance. The MPLS link fails its SLA because its measured latency of 12 ms exceeds the configured threshold of 10 ms, even though jitter is within limits. The broadband link meets both its latency (25 ms < 50 ms) and jitter (10 ms < 20 ms) thresholds, so it becomes the active path for the application traffic.

Exam trap

The trap here is that candidates assume MPLS is always preferred due to its lower latency profile, but the 'best quality' strategy strictly enforces SLA thresholds, and a link that fails its SLA is excluded from selection regardless of its absolute performance.

How to eliminate wrong answers

Option B is wrong because 'best quality' strategy does not perform load-balancing; it selects a single best path based on SLA compliance and performance metrics. Option C is wrong because MPLS is not inherently preferred; the rule treats both members equally, and MPLS is disqualified due to SLA failure. Option D is wrong because the broadband link meets its SLA thresholds, so traffic is not dropped.

81
Drag & Drop · medium

Drag and drop the steps to troubleshoot a FortiGate SSL VPN connection failure into the correct order.


Why this order

Start with basic configuration, then user authentication, then policies, then debug, then routing.

82
MCQ · medium

A FortiGate administrator sees the following output:

    diagnose sys session filter dport 443
    diagnose sys session list
    session info: proto=6 proto_state=01 duration=3600 expire=3599

What does this session duration and expire time indicate?

A. The session has a timeout of 7200 seconds (2 hours)
B. The session is about to be torn down
C. The session is newly established
D. The session is using UDP protocol
Answer: A

Duration + expire = total timeout: 3600 + 3599 = 7199 ≈ 7200 seconds.

Why this answer

Duration 3600 seconds (1 hour) and expire 3599 seconds means the session has been active for 1 hour and will expire in about 1 hour, total timeout 2 hours, which matches the default TCP session timeout.

83
MCQ · hard

A FortiGate has an SD-WAN configuration with two members (wan1, wan2). The performance SLA monitors latency to 8.8.8.8. The admin notices that even when the SLA is satisfied on both members, all traffic uses wan1. The SD-WAN rule is configured with 'strategy = best quality'. What is the most likely cause?

A. A firewall policy is overriding the SD-WAN rule
B. The best quality strategy selects the member with the best SLA metric, which is wan1 by default when both meet SLA
C. The performance SLA is incorrectly configured, causing wan2 to be ignored
D. The SD-WAN rule has 'set match-vip disable' which forces all traffic to wan1
Answer: B

Best quality uses a tie-breaking order; it does not load balance equally.

Why this answer

In best quality mode, traffic uses the member with the best SLA metric. If both satisfy the SLA, the default preference is the member with the lowest cost or the first member in the list (wan1).

To load balance, the admin should use a different strategy or enable 'update-static-route' to adjust routing metrics.

84
MCQ · medium

You want to use policy-based routing (PBR) to send traffic from a specific subnet to a different next-hop than the default route. Which configuration is required?

A. Configure a route map under 'config router policy'
B. Create a firewall policy with 'set policy-based-route enable'
C. Enable 'set pbr-enforce-symmetric' on the interface
D. Configure a prefix list and apply to the static route
Answer: A

PBR uses route maps with set-next-hop in the policy route configuration.

Why this answer

Policy-based routing is configured under 'config router policy' with source/destination addresses and a set-next-hop action.

85
MCQ · medium

An administrator configures two SD-WAN members (port1, port2) with performance SLAs. The SD-WAN rule uses 'best-quality' strategy. During a failover test, the primary member port1 becomes unavailable but traffic does not switch to port2. What should the administrator check first?

A. The SD-WAN rule is not configured to use the performance SLA.
B. The 'set status' on the performance SLA is 'passive'.
C. The performance SLA's failover threshold is not met.
D. The 'update-static-route' is enabled on port1.
Answer: C

The SLA must fail (e.g., latency threshold exceeded) to trigger failover. Even if port1 is physically down and the SLA shows it as down, traffic may not switch if the failover threshold is not configured.

86
MCQ · medium

An administrator configures a route map on a FortiGate to redistribute connected routes into OSPF. The route map sets a metric of 100. After applying, the redistributed routes appear with metric 20. What is the most likely reason?

A. The route map is applied to the wrong direction
B. OSPF does not allow metric setting via route maps
C. The route map is not applied to the redistribution configuration
D. The metric type is set to type 1
Answer: C

If the route map is not referenced in the 'redistribute connected' command, it has no effect.

Why this answer

When redistributing into OSPF, the metric type can be set to type 1 or type 2. Type 2 (the default) does not add internal cost, but the metric set in the route map should still apply. If the redistributed routes carry OSPF's default metric for redistributed routes (20) instead of the route map's value, the route map is not being applied to the redistribution.

The route map is most likely not referenced by the redistribution configuration.

87
MCQ · medium

An administrator configures a route-map to match prefix-list 'PREFIX' and set metric 20. Which OSPF route redistribution uses this route-map correctly?

A.
    config router ospf
        config redistribute "connected"
            set route-map "RM"
        end
B.
    config router policy
        config route-map
            edit "RM"
                config rule
                    set match-ip-address "PREFIX"
                    set set-metric 20
            end
        end
C.
    config router ospf
        set route-map "RM"
D.
    config router prefix-list
        edit "PREFIX"
            set rule permit 10.0.0.0/8
        end
Answer: A

Route-map is applied in the redistribute configuration.

88
MCQ · medium

A FortiGate is configured with VRF. Which statement about VRF is true?

A. Interfaces can belong to multiple VRFs simultaneously.
B. VRF allows multiple routing tables to coexist on the same FortiGate.
C. Routes from different VRFs can be automatically redistributed without configuration.
D. VRF can only be used when OSPF is enabled.
Answer: B

VRF creates separate routing tables for segmentation.

89
MCQ · hard

You are troubleshooting BFD on a FortiGate SD-WAN deployment. BFD is configured on two WAN interfaces (wan1, wan2) with a minimum transmit interval of 100 ms and a multiplier of 3. The network experiences occasional jitter causing packet loss. After a brief outage, the BFD session does not recover. Which setting should be adjusted to improve BFD resilience without significantly increasing failover time?

A. Disable BFD and rely on route timers.
B. Enable BFD on the management interface.
C. Increase the BFD minimum transmit interval on both interfaces.
D. Increase the BFD multiplier to 4 or higher.
Answer: D

A higher multiplier allows more missed packets, making BFD more tolerant to transient jitter.

Why this answer

Increasing the multiplier allows more consecutive missed BFD packets before declaring the session down, making it more tolerant to jitter. Decreasing the interval would make it more sensitive. A multiplier of 3 means 3 × 100 ms = 300 ms before declaring the session down; increasing it to 4 gives 400 ms of tolerance, improving resilience.

90
MCQ · medium

An organization is deploying SD-WAN across multiple sites with two internet links (MPLS and broadband) at the main branch. They want voice traffic to use the MPLS link unless it fails, in which case failover to broadband should occur. Which SD-WAN rule configuration achieves this?

A. Configure an SD-WAN rule for voice with strategy 'maximize bandwidth' and members MPLS and broadband.
B. Configure an SD-WAN rule for voice with strategy 'lowest cost' and members MPLS and broadband.
C. Configure an SD-WAN rule for voice with strategy 'best quality', set MPLS as preferred member, and define SLA targets for MPLS.
D. Configure an SD-WAN rule for voice with strategy 'manual' and members MPLS and broadband.
Answer: C

Best quality with a preferred member and an SLA ensures MPLS is used unless its SLA fails.

Why this answer

Option C is correct because the 'best quality' strategy with a preferred member and SLA targets allows voice traffic to use the MPLS link as long as it meets the defined SLA (e.g., latency, jitter, packet loss). If the MPLS link fails or degrades below the SLA threshold, the SD-WAN rule automatically fails over to the broadband link, ensuring voice traffic continuity.

Exam trap

The trap here is that candidates often confuse 'best quality' with 'lowest cost' or 'maximize bandwidth', not realizing that 'best quality' with a preferred member provides the exact active/passive failover behavior required for voice traffic.

How to eliminate wrong answers

Option A is wrong because 'maximize bandwidth' strategy load-balances traffic across all members, not providing the required active/passive failover behavior. Option B is wrong because 'lowest cost' strategy selects the link with the lowest cost metric, which does not guarantee MPLS as the primary link or failover based on link health. Option D is wrong because 'manual' strategy requires explicit user intervention to switch links, lacking automatic failover based on link failure or SLA degradation.

91
MCQ · medium

A FortiGate is configured with a route map named RM_OSPF that sets a metric of 100 for redistributed routes. The route map is applied to redistribution into OSPF. After applying, the redistributed routes have a metric of 20. What could be the cause?

A. The route map does not have a match statement and therefore is not applied
B. The route map is applied in the wrong direction
C. The OSPF process has a default-metric of 20 that overrides the route map
D. The redistributed route is already in OSPF with a metric of 20
Answer: A

If a route map has no match statements, it matches nothing, and the default metric (20) is used.

92
Multi-Select · medium

An administrator is configuring SD-WAN on a FortiGate to route traffic between two internet connections (ISP1 and ISP2). The SD-WAN rules use performance SLA to measure latency. Which TWO statements are true about SD-WAN rule matching and failover?

Select 2 answers
A. When the SD-WAN rule action is set to 'best quality' and no member meets the SLA, the FortiGate will still forward traffic using the member with the best SLA status.
B. SD-WAN rules can use multiple members and the best member is selected based on performance SLA measurements.
C. SD-WAN automatically fails over all sessions to the backup member if the primary member exceeds the SLA threshold.
D. If multiple SD-WAN rules match, the rule with the highest bandwidth member is used.
E. When the SD-WAN rule action is set to 'lowest cost' and no member meets the SLA, the FortiGate drops the traffic.
Answers: A, B

Correct. If no member meets the SLA, the FortiGate uses the member with the best SLA status (least bad) to forward traffic.

Why this answer

Option A is correct because when an SD-WAN rule is configured with 'best quality' strategy, the FortiGate selects the member with the best SLA status even if no member fully meets the SLA threshold. This ensures traffic is still forwarded using the least-bad option rather than being dropped, maintaining connectivity under degraded conditions.

Exam trap

The trap here is that candidates often assume 'best quality' or 'lowest cost' actions will drop traffic when no member meets the SLA, but FortiGate always forwards traffic using the best available member to avoid connectivity loss.

93
MCQ · easy

Which FortiGate feature allows the creation of multiple virtual routing tables within a single VDOM?

A. VRF
B. Policy-based routing
C. VDOM
D. ECMP
Answer: A

VRF (Virtual Routing and Forwarding) allows multiple routing tables within a VDOM.

94
MCQ · medium

A FortiGate is configured with ECMP load balancing for equal-cost routes. The administrator wants to ensure that all traffic from a specific source IP uses the same next hop. Which ECMP load balancing method should be selected?

A. Destination-IP-based
B. Source-IP-based
C. Weighted random
D. Round-robin
Answer: B

Source-IP-based ECMP hashes the source IP to select a next hop, ensuring all traffic from the same source uses the same path.

95
MCQ · medium

An administrator wants to integrate a FortiExtender with a FortiGate to provide additional WAN connectivity. Which configuration is required on the FortiGate to enable the FortiExtender to operate as a secondary WAN interface?

A. Configure the FortiExtender under Network > FortiExtender and assign it to a WAN interface
B. Enable LLDP on the port connected to the FortiExtender
C. Set the FortiExtender to bridge mode
D. Create a VLAN interface for the FortiExtender
Answer: A

The FortiGate creates a virtual interface for the FortiExtender.

Why this answer

FortiExtender connects to the FortiGate via USB or Ethernet and is configured under Network > FortiExtender. A dedicated interface extension is created to use it as a WAN interface.

96
Multi-Select · hard

A FortiGate is configured with BGP and OSPF. The administrator wants to ensure that routes learned via BGP are redistributed into OSPF, but only specific prefixes. Which three components are needed? (Select THREE.)

Select 3 answers
A. A route map that references the prefix list and sets OSPF parameters
B. Redistribution of BGP into OSPF under router ospf with the route map applied
C. A VRF to separate the routing tables
D. A prefix list to match the desired BGP routes
E. A distribute list in OSPF to filter incoming routes
Answers: A, B, D

Route map ties together match (prefix list) and set actions (metric, tag).

97
MCQ · easy

What is the purpose of configuring BFD (Bidirectional Forwarding Detection) on a FortiGate?

A. To provide rapid failure detection between two forwarding engines.
B. To load balance traffic across multiple links.
C. To encrypt BGP updates between peers.
D. To authenticate OSPF neighbors.
Answer: A

BFD provides sub-second detection of link failures, complementing routing protocol convergence.

Why this answer

BFD is a lightweight protocol that detects forwarding path failures quickly, allowing routing protocols to converge faster.

98
MCQ · medium

An administrator configures SD-WAN with two members (port1 and port2). A performance SLA monitors latency to 8.8.8.8. The SD-WAN rule uses 'Best Quality' strategy based on latency. When the link on port1 becomes slow, the FortiGate continues using port1 even though port2 has lower latency. What is the most likely cause?

A. The FortiGate is not receiving ICMP replies from 8.8.8.8
B. The SD-WAN rule is configured with 'Manual' strategy
C. The performance SLA is not associated with the SD-WAN members
D. The load balancing algorithm is set to 'volume' instead of 'lowest-latency'
Answer: C

If the performance SLA is not applied to the SD-WAN member interface, the FortiGate does not know the latency status and cannot fail over.

99
MCQ · hard

A FortiGate is configured with OSPF in multiple areas and redistributes connected routes into OSPF. The administrator notices that routes from area 1 are not appearing in area 0. The area 0 routers show the routes as 'O E2' but with an invalid metric. What is the most likely cause?

A. OSPF network type is broadcast on one side and point-to-point on the other
B. Redistribution is configured without a route map
C. The interface costs are misconfigured
D. The ABR has 'area 0 stub' configured
Answer: B

Without a route map, redistributed routes may get default metric values that can be invalid.

Why this answer

Redistributed routes are external (O E2). For an ABR to propagate a Type 5 LSA into another area, route summarization or a route map is needed; otherwise, external routes are not injected into other areas by default. However, if the ABR is not performing redistribution properly, the metric may be incorrect.

The most common cause is missing a route map to set the metric.

100
MCQ · hard

A FortiGate is configured with ECMP load balancing for multiple equal-cost routes. The administrator wants to ensure that all packets belonging to the same session go out the same interface. Which ECMP load balancing method should be used?

A. Weighted
B. Source-dest-IP-based
C. Source-IP-based
D. Spillover
Answer: B

Source-dest-IP hashing ensures that all packets in a session (same src/dst) go through the same interface, maintaining session integrity.

Why this answer

For ECMP, FortiGate supports source-dest-ip hashing to keep sessions on the same path. Other methods like round-robin may break sessions.

101
MCQ · medium

A FortiGate with SD-WAN has two members: MPLS (port1) and Broadband (port2). The performance SLA is configured to monitor latency and packet loss. The administrator notices that after a brief outage on the MPLS link, traffic fails over to Broadband but does not fail back when MPLS recovers. What is the likely cause?

A. The SD-WAN rule for the traffic has 'set failback disable'.
B. The SLA threshold is set too aggressively, causing the link to be considered down long after recovery.
C. The Broadband link has a higher cost, so the FortiGate prefers to keep traffic there.
D. The SLA probe interval is longer than the outage duration, so the SLA never detected the outage.
Answer: A

The 'failback' setting controls whether traffic returns to the preferred member when it becomes healthy again. If disabled, traffic stays on the backup link.

102
MCQ · easy

A network administrator wants to configure SD-WAN on a FortiGate with two internet connections (port1 and port2). The requirement is to use the link with the lowest cost as the primary path for all traffic, unless it exceeds a threshold. Which SD-WAN load balancing algorithm should the administrator choose?

A. Spillover
B. Sessions
C. Lowest-cost
D. Volume
Answer: C

Lowest-cost selects the member with the lowest cost. If the cost exceeds a threshold, the next best member is used.

Why this answer

The lowest-cost algorithm selects the member with the lowest cost value. If the cost exceeds a configurable threshold, traffic is sent to the next best member. This matches the requirement.

103
MCQ · hard

An administrator has configured BGP on a FortiGate with two upstream ISPs. They notice that traffic to a specific prefix is not load-balanced as expected; all traffic goes through ISP1 even though both paths are available. 'get router info bgp network' shows the prefix with two next hops. What is the MOST likely cause?

A. The prefix is being learned via an IGP with a lower administrative distance
B. The BGP multi-path is disabled
C. The administrative distance of BGP is higher than OSPF
D. The eBGP multihop is not configured
Answer: B

BGP load balancing requires multi-path to be enabled. Even with multiple paths, if multi-path is off, only the best path is installed.

104
MCQ · easy

What is the purpose of using a prefix list in route redistribution?

A. To match routes based on IP prefix and prefix length
B. To define a list of allowed source IPs for management access
C. To specify the next-hop for a set of routes
D. To set BGP community values on matched prefixes
Answer: A

Prefix lists match routes by network and subnet mask.

Why this answer

Prefix lists are used to match specific IP prefixes and prefix lengths, commonly used in route maps to filter routes.

105
MCQ · easy

A network administrator is configuring SD-WAN on a FortiGate. The organization has two internet links: MPLS (primary) and broadband (backup). The administrator wants all traffic to use the MPLS link unless it fails, in which case traffic should fail over to the broadband link. Which SD-WAN configuration best achieves this requirement?

A. Set the MPLS link priority to 10 and the broadband link priority to 5, then configure an SD-WAN rule with the 'best quality' strategy.
B. Enable 'set role' on the MPLS link as 'primary' and on the broadband link as 'standby' with the 'redundant' strategy.
C. Configure both links in the SD-WAN zone with equal priority and use the 'lowest cost' strategy.
D. Create two static routes: one with higher distance for MPLS and one with lower distance for broadband.
Answer: A

Higher priority for MPLS ensures it is preferred. The 'best quality' strategy selects the member with the highest priority when available, providing failover.

Why this answer

Option A is correct because setting the MPLS link priority to 10 (higher) and broadband to 5 (lower) ensures the SD-WAN rule with 'best quality' strategy selects the MPLS link as the preferred path. The 'best quality' strategy evaluates link quality metrics and, when priorities differ, prefers the higher-priority link. If the MPLS link fails, the strategy automatically fails over to the broadband link, meeting the requirement.

Exam trap

The trap here is that candidates often confuse SD-WAN failover with traditional static route failover using administrative distance, or incorrectly assume that role-based 'primary/standby' settings exist in FortiGate SD-WAN, leading them to choose options B or D instead of understanding that SD-WAN uses priority and strategy-based path selection.

How to eliminate wrong answers

Option B is wrong because 'set role' with 'primary' and 'standby' is not a valid SD-WAN configuration; FortiGate SD-WAN uses priority values and strategies, not role-based primary/standby assignments, and the 'redundant' strategy is for load balancing, not failover. Option C is wrong because equal priority with 'lowest cost' strategy would load-balance traffic across both links based on cost, not enforce MPLS as primary and broadband as backup. Option D is wrong because static routes with different distances control routing table selection, not SD-WAN link failover; SD-WAN rules override static route behavior and require SD-WAN-specific configuration to achieve policy-based failover.

106
MCQ · easy

Which of the following is the primary purpose of BFD (Bidirectional Forwarding Detection) on a FortiGate?

A. To synchronize routing tables between peers
B. To load balance traffic across multiple paths
C. To provide fast detection of link failures
D. To encrypt routing updates between peers
Answer: C

BFD detects failures in sub-second intervals, much faster than routing protocol timers.

Why this answer

BFD provides fast failure detection between adjacent routers, enabling quicker convergence than routing protocol hellos.

107
MCQ · hard

An administrator configures BFD on a BGP session between two FortiGates. After enabling BFD, the BGP session flaps intermittently. What is the most likely cause?

A. The BFD failure detection intervals are too low, causing false positives
B. BFD is incompatible with BGP and should not be used together
C. BGP hold timer is shorter than BFD detection time
D. The BFD minimum transmit and receive intervals are set too high
Answer: A

Low intervals cause premature detection of failure.

Why this answer

BFD detects failures faster than BGP keepalives. If the network has high latency or occasional packet loss, BFD may time out and declare the peer down, causing BGP to reset. The BFD timers might be too aggressive for the network conditions.

108
MCQ · medium

An administrator sees the following output from 'get router info routing-table':

    S 0.0.0.0/0 [10/0] via 192.168.1.1, port1
    S 0.0.0.0/0 [10/0] via 192.168.2.1, port2

They have configured ECMP load balancing. However, traffic to a specific destination IP is always using port1. What is the likely reason?

A. The firewall policy only allows traffic on port1
B. ECMP uses per-packet load balancing by default and the traffic is a single flow
C. One of the static routes has a lower administrative distance
D. The destination IP hash results in the same link for all sessions due to the load balancing algorithm
Answer: D

FortiGate's ECMP uses a hash of source/dest IP and port. If only one flow exists, it will consistently use the same link.

109
Multi-Select · medium

An administrator needs to integrate a FortiSwitch with a FortiGate for LAN edge management. The FortiGate will manage the switch via the LAN interface. Which TWO steps are required? (Choose two.)

Select 2 answers
A. Enable switch controller on the FortiGate.
B. Assign an IP address to the FortiSwitch's management VLAN on the FortiGate.
C. Configure the FortiSwitch in standalone mode.
D. Disable STP on the FortiSwitch ports connected to the FortiGate.
E. Connect the FortiSwitch to a port configured as a 'switch' interface type.
Answers: A, E

The switch controller feature must be enabled to manage FortiSwitch devices.

110
MCQ · easy

Which SD-WAN load balancing algorithm distributes traffic based on the number of active sessions per SD-WAN member?

A. Sessions
B. Source-dest-IP
C. Spillover
D. Volume
Answer: A

Sessions balances by number of active sessions.

Why this answer

The sessions algorithm bases distribution on the current session count on each member.

111
MCQ · hard

An administrator is integrating a FortiExtender with a FortiGate. The FortiExtender is connected to port5 and configured with a cellular WAN connection. What must be configured on the FortiGate to allow the FortiExtender to provide WAN connectivity as an SD-WAN member?

A. Create a static route to the FortiExtender's management IP to use it as a gateway.
B. Configure port5 as a physical member and assign the FortiExtender's SIM card details.
C. Enable the 'fortiextender' option on port5 and configure the FortiExtender as an SD-WAN member using the virtual wan interface.
D. Use the FortiExtender as a standalone router and configure policy-based routing on the FortiGate.
Answer: C

The FortiExtender creates a virtual interface (e.g., wan or lte) that can be added as an SD-WAN member. Port5 must have the FortiExtender feature enabled.

112
MCQ · hard

A FortiGate is running OSPF with multiple areas. The admin wants to redistribute a static route for 192.168.100.0/24 into OSPF. After configuring 'config router ospf' with 'redistribute static' enabled, the route appears in the OSPF database but is not being advertised to other areas. What is the most likely cause?

A. The 'redistribute static' command needs a route map to filter the route correctly.
B. The static route's administrative distance is too high for OSPF.
C. The router is an ABR and the static route is being redistributed as a type 5 LSA, which is not flooded into stub areas.
D. OSPF must be configured with 'default-information originate' to allow redistribution.
Answer: C

Type 5 LSAs are blocked in stub areas. To redistribute into stub areas, the route must be advertised as a type 7 LSA.

Why this answer

By default, OSPF does not redistribute external routes into other areas unless the redistributing router is an ASBR and the route is a type 5 LSA. However, type 5 LSAs are not flooded into stub areas or NSSAs. If the router is in an NSSA or stub area, redistribution must be handled differently.

The most common reason is that the router is an ABR and the external route is not being advertised into other areas because the router is not acting as an ASBR for those areas.

113
Multi-Select · medium

A FortiGate is deployed as a LAN edge switch with multiple FortiSwitch units connected. The administrator wants to configure VLANs and manage the switches centrally. Which TWO features must be enabled on the FortiGate to achieve this? (Select TWO.)

Select 2 answers
A.LLDP-MED
B.Configure a separate management VRF
C.Create VLAN interfaces on the FortiGate and assign them to the FortiLink interface
D.FortiLink on the interface connecting to the FortiSwitch
E.STP (Spanning Tree Protocol) on the FortiGate
AnswersC, D

VLANs are defined on the FortiGate and communicated to switches via FortiLink.

Why this answer

Options C and D are correct. FortiLink is what makes central management of FortiSwitch possible: the FortiGate needs a dedicated interface (e.g., 'fortilink') with FortiLink enabled under Network > Interfaces, facing the FortiSwitch. VLANs are then defined on the FortiGate as VLAN interfaces under that FortiLink interface and pushed to the switches. LLDP-MED (A) and STP (E) run over the FortiLink but are not what enables management, and a separate management VRF (B) is not required.

114
Multi-Selectmedium

An administrator needs to configure VRF to separate traffic for two departments. Which THREE components must be configured for each VRF?

Select 3 answers
A.A VRF instance
B.Interface binding to the VRF
C.A dedicated VDOM
D.Route leaking configuration
E.A separate firewall policy for each VRF
AnswersA, B, D

Each VRF needs its own routing table instance.

Why this answer

Each VRF requires a virtual routing table (VRF instance), interfaces assigned to it, and optionally route leaking between VRFs.

115
MCQhard

An administrator runs 'get router info routing-table bgp' and sees that a route for 10.20.0.0/16 is learned via BGP from a neighbor. However, the route does not appear in the routing table. The administrator checks the BGP configuration and sees that 'network 10.20.0.0 255.255.0.0' is not configured under BGP. What is the most likely reason?

A.A route map is filtering the received route
B.The route is a default route (0.0.0.0/0) and is being suppressed
C.The BGP neighbor is not in the Established state
D.The route is not in the routing table because BGP requires the network statement to originate the route
AnswerA

A route can be present in the BGP table yet absent from the routing table when an inbound route map, prefix list or distribute list on the neighbor drops it, or when its next hop cannot be resolved. The missing 'network' statement is a distractor: 'network' originates local prefixes into BGP and has no effect on accepting routes received from a neighbor (D). The neighbor must already be Established or nothing would have been learned (C), and nothing in the scenario involves a default route (B).

116
Multi-Selecthard

A FortiGate is configured with OSPF and multiple areas. The administrator wants to prevent type 3 LSAs from entering a specific area, while still allowing inter-area routing. Which TWO configurations can achieve this?

Select 2 answers
A.Configure the area as a stub area
B.Configure the area as an NSSA
C.Use an area filter list with 'prefix-list' to deny specific prefixes
D.Set the OSPF network type to point-to-multipoint
E.Configure the area as a totally stubby area
AnswersC, E

A stub area still receives type 3 summary LSAs; it only blocks type 4 and type 5. A totally stubby area blocks type 3 as well (the ABR injects only a default route), and an area filter list lets the ABR drop selected type 3 prefixes while the rest of inter-area routing continues.

Why this answer

Type 3 LSAs are the inter-area summaries an ABR generates. To keep them out of an area you either make the area totally stubby (E), which replaces all summaries with a default route, or apply a prefix-list filter to the area on the ABR (C), which is the only option that blocks specific prefixes while leaving the others intact. A plain stub area (A) and an NSSA (B) both still accept type 3 LSAs; they differ only in how they treat external routes. The network type (D) affects adjacency formation on a link, not LSA flooding between areas.

117
MCQhard

A FortiGate is deployed with two ISPs and SD-WAN. The organization uses OSPF to exchange routes with a remote branch. The administrator notices that the FortiGate is not installing OSPF-learned routes into the routing table. The OSPF configuration is verified to be correct, and neighbors are established. Which configuration could be causing the issue?

A.The SD-WAN health-check is configured with 'update-static-route' and is overriding OSPF routes.
B.The administrative distance of OSPF is set to 200, which is higher than the default 110.
C.A distribute-list configured under OSPF is filtering the routes from being installed.
D.The OSPF interface is configured as 'passive', which prevents route exchange.
AnswerC

A distribute-list in OSPF can filter which routes are installed into the routing table, even if neighbors are up.

Why this answer

Option C is correct because a distribute-list applied under OSPF can filter routes from being installed into the routing table even when OSPF neighbors are fully established and the OSPF database contains the routes. This is a common cause of routes being learned but not installed, as the filter operates after the SPF calculation and before route insertion.

Exam trap

The trap here is that candidates assume OSPF neighbors being up and routes appearing in the OSPF database guarantee route installation, but a distribute-list can silently block installation without affecting neighbor adjacency or the LSDB.

How to eliminate wrong answers

Option A is wrong because the SD-WAN health-check with 'update-static-route' only affects static routes, not OSPF-learned routes; it cannot override OSPF routes in the routing table. Option B is wrong because the default administrative distance for OSPF is 110, and setting it to 200 would make OSPF routes less preferred but would not prevent them from being installed if no better route exists; the question states routes are not installed at all, not that they are overridden. Option D is wrong because a passive OSPF interface prevents sending or receiving OSPF hellos and thus prevents neighbor formation, but the question states neighbors are established, so passive configuration cannot be the issue.

118
MCQmedium

A FortiGate is configured with multiple VRF instances. The administrator needs to ensure that traffic from VRF 10 can reach a server in VRF 20. Which configuration is required?

A.Enable inter-VRF routing by setting 'vrf-leak enable' on the VRF instances
B.Configure a firewall policy that allows traffic between the VRFs
C.Place both interfaces in the same VRF
D.Use static routes with the appropriate VRF tags to leak routes between VRFs
AnswerD

Route leaking can be done with static routes or redistribution.

Why this answer

VRFs are isolated routing tables, so a server in VRF 20 is unreachable from VRF 10 until routes are leaked between them. The answer refers to static routes for this; current FortiOS releases also support BGP VRF route leaking with a leak target and an optional route map. A firewall policy between the two interfaces is still required once the route exists, so option B is necessary but not sufficient; option C removes the separation the design calls for; option A names a setting that does not exist.

119
MCQmedium

A FortiGate is running OSPF with multiple areas. The administrator needs to redistribute a static route into OSPF. Which command will correctly configure redistribution of static routes into OSPF process 10?

A.config router ospf config redistribute edit static set status enable next end end
B.config router policy set redistribute static end
C.config router static set redistribute ospf end
D.config router ospf set redistribute static enable end
AnswerA

FortiOS enables redistribution inside the 'config router ospf' context through the 'config redistribute' table, with 'set status enable' on the "static" entry; the exact CLI is config router ospf, then config redistribute "static", then set status enable, closed with end twice. Option A is the only choice with that structure (the real CLI names the entry as config redistribute "static" rather than edit static). 'set redistribute static enable' directly under router ospf (D) is not valid syntax, and options B and C put the setting under the wrong tables. FortiOS also runs a single OSPF instance per VDOM, so "process 10" is Cisco terminology rather than a FortiGate parameter.

120
Multi-Selecthard

A FortiGate is configured with BGP to an SD-WAN member link. The administrator wants to prefer one link over another for specific routes based on AS path length. Which THREE configurations can influence BGP path selection? (Choose three.)

Select 3 answers
A.Set the metric (MED) to a lower value on the desired link.
B.Use a route map to prepend AS numbers to the AS path for the less preferred link.
C.Configure the 'set aspath' command in a route map to change the AS path.
D.Set a higher local preference on the desired link.
E.Configure weight on the neighbor to prefer routes from that neighbor.
AnswersB, D, E

AS path prepending lengthens the path on the link you want to demote, so the shorter path over the other link wins. BGP evaluates weight first (FortiGate-local, highest wins, option E), then local preference (highest wins, option D), then AS path length (option B); all three can be set per neighbor or through a route map. MED (A) is a real selection attribute too, but it sits below these in the order and by default is only compared between paths from the same neighboring AS, which is why it is not among the intended answers.
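An added Python model of the BGP best-path order the three answers rely on (illustrative code written for this page, not FortiOS logic; the AS numbers, router IDs and member names are constructed). It goes slightly beyond the question by showing that weight beats local preference, which in turn beats AS-path length, so a prepend applied to one link can be overridden by a local-preference setting on the other:

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BgpPath:
    """One candidate path for a prefix as held in the BGP table."""
    via: str                     # receiving SD-WAN member, for readability only
    as_path: tuple = ()
    weight: int = 0              # FortiGate-local, highest wins, never advertised
    local_pref: int = 100        # highest wins, carried to iBGP peers
    origin: int = 0              # 0 = IGP, 1 = EGP, 2 = incomplete; lowest wins
    med: int = 0                 # lowest wins
    router_id: str = "0.0.0.0"   # deterministic final tie-break: lowest wins


def _sort_key(p):
    # Ordered so that min() returns the best path. Simplification: MED is
    # compared between all paths here; a real speaker compares MED only between
    # paths from the same neighbouring AS unless always-compare-med is set.
    rid = tuple(int(octet) for octet in p.router_id.split("."))
    return (-p.weight, -p.local_pref, len(p.as_path), p.origin, p.med, rid)


def best_path(paths):
    return min(paths, key=_sort_key)


def prepend(path, asn, count):
    """Inbound route-map action: prepend `asn` `count` times to demote this path."""
    return replace(path, as_path=(asn,) * count + path.as_path)


def set_local_pref(path, value):
    return replace(path, local_pref=value)


def set_weight(path, value):
    return replace(path, weight=value)


# Constructed scenario: the same prefix learned over two SD-WAN members from two
# upstream ASes (private AS numbers and documentation addresses, not real peers).
VIA_WAN1 = BgpPath(via="wan1", as_path=(65001, 65100), router_id="10.0.0.2")
VIA_WAN2 = BgpPath(via="wan2", as_path=(65002, 65100), router_id="10.0.0.1")


def demo():
    """Return the winning member under four successive policy changes."""
    tie = best_path([VIA_WAN1, VIA_WAN2]).via                      # equal: lowest router-id wins
    demoted = prepend(VIA_WAN2, 65002, 2)                          # wan2's AS path is now 4 long
    after_prepend = best_path([VIA_WAN1, demoted]).via             # shorter path via wan1 wins
    after_lp = best_path([VIA_WAN1, set_local_pref(demoted, 200)]).via   # local-pref beats AS path
    after_weight = best_path([set_weight(VIA_WAN1, 500),
                              set_local_pref(demoted, 200)]).via   # weight beats everything
    return tie, after_prepend, after_lp, after_weight


if __name__ == "__main__":
    print(demo())
```

Run it and the winner moves from wan2 (router-id tie-break) to wan1 after the prepend, back to wan2 once local preference is raised, and to wan1 again once a weight is set on that neighbor, which is exactly the precedence the exam expects you to know.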

121
MCQmedium

An administrator configures a prefix list to filter routes received from a BGP neighbor. The prefix list permits 192.168.0.0/16 le 24. Which routes are permitted?

A.Only routes with prefix length exactly 16 within 192.168.0.0/16
B.Only routes with prefix length exactly 24 within 192.168.0.0/16
C.Any route with prefix length greater than 24 within 192.168.0.0/16
D.Any route with prefix length between 16 and 24 inclusive, starting with 192.168
AnswerD

The prefix list allows 192.168.0.0/16 and any more specific route up to /24 (i.e., le 24).
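To make the ge/le semantics concrete, here is an added Python model of prefix-list evaluation (example code written for this page, not FortiOS code or output). The rule set mirrors the question's entry, the sample routes are constructed for the walk-through, and the helper names are my own. It also handles the two other forms, ge alone and a bare prefix, which is where most filtering mistakes come from:

```python
from ipaddress import ip_network

# Constructed rule set modelled on the question: permit 192.168.0.0/16 le 24.
# A rule is (action, prefix, ge, le); ge/le of None mean the keyword is absent.
PREFIX_LIST = [
    ("permit", "192.168.0.0/16", None, 24),
]

# Constructed sample of prefixes "received from the neighbor".
SAMPLE_ROUTES = [
    "192.168.0.0/16",   # exact prefix, length 16
    "192.168.1.0/24",   # more specific, length 24 (the le bound)
    "192.168.1.0/25",   # too specific, length 25
    "192.168.0.0/15",   # less specific than the rule's prefix
    "10.0.0.0/8",       # outside the prefix entirely
]


def rule_matches(rule, route):
    """True if `route` falls under `rule`: inside the rule's prefix and with a
    length in [ge, le]. With neither keyword only the exact length matches;
    ge alone means [ge, max length]; le alone means [prefix length, le]."""
    _, prefix, ge, le = rule
    base = ip_network(prefix, strict=False)
    cand = ip_network(route, strict=False)
    if cand.version != base.version or not cand.subnet_of(base):
        return False
    if ge is None and le is None:
        lo = hi = base.prefixlen
    else:
        lo = base.prefixlen if ge is None else ge
        hi = cand.max_prefixlen if le is None else le
    return lo <= cand.prefixlen <= hi


def evaluate(prefix_list, route):
    """First matching rule decides; an unmatched route hits the implicit deny."""
    for rule in prefix_list:
        if rule_matches(rule, route):
            return rule[0]
    return "deny"


def filter_routes(prefix_list, routes):
    """Apply the list the way an inbound prefix-list on a BGP neighbor would."""
    return {r: evaluate(prefix_list, r) for r in routes}


if __name__ == "__main__":
    for route, verdict in filter_routes(PREFIX_LIST, SAMPLE_ROUTES).items():
        print(f"{route:18} {verdict}")
```

With the question's rule, 192.168.0.0/16 and 192.168.1.0/24 are permitted; 192.168.1.0/25 is denied because it is longer than le 24, 192.168.0.0/15 because it is not inside the /16, and 10.0.0.0/8 by the implicit deny at the end of the list.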

122
MCQeasy

A network administrator needs to configure SD-WAN on a FortiGate to distribute traffic across two WAN links based on session count. Which load balancing algorithm should be selected in the SD-WAN rule?

A.Volume
B.Lowest-cost
C.Spillover
D.Sessions
AnswerD

Sessions algorithm balances based on the number of active sessions.

Why this answer

The 'sessions' algorithm distributes new sessions across members according to each member's configured weight, so the ratio of active sessions between the links tracks the weight ratio. It counts sessions, not bytes; byte-based distribution is the 'volume' algorithm.

123
Multi-Selectmedium

A network admin needs to configure a FortiGate to load balance traffic across two ISP links using SD-WAN. The requirement is to use both links simultaneously for different sessions based on source-destination IP hash. Which two settings are required? (Select TWO.)

Select 2 answers
A.Create an SD-WAN zone with both WAN members
B.Configure an SD-WAN rule with load balancing algorithm 'source-dest-ip-hash'
C.Add a performance SLA for each member
D.Set the rule strategy to 'best quality'
E.Enable 'spillover' under the SD-WAN rule
AnswersA, B

Members must be added to the SD-WAN zone.

124
MCQmedium

A network engineer is configuring SD-WAN on a FortiGate. They have three WAN interfaces (wan1, wan2, lte) and want traffic to the primary datacenter (10.10.10.0/24) to use wan1 unless its latency exceeds 50 ms, in which case failover to wan2. The engineer created an SD-WAN rule with a strategy of 'Manual' and selected 'wan1' as the preferred member. What additional configuration is required to achieve automatic failover based on latency?

A.Create a route map to prefer wan1 and apply it to the SD-WAN rule.
B.Set the SD-WAN rule strategy to 'Best Quality' and select latency as the metric.
C.Enable BFD on wan1 and wan2 with a minimum interval of 50 ms.
D.Configure a performance SLA for wan1 with a latency threshold of 50 ms and associate it with the SD-WAN rule.
AnswerD

The performance SLA measures latency and triggers failover when the threshold is exceeded.

Why this answer

For automatic failover based on latency, a performance SLA must be configured to measure latency on wan1. The SD-WAN rule uses the SLA to determine whether the preferred member meets the threshold; if not, traffic switches to the next available member. Option D is the one that adds the missing piece: B changes the strategy but without an SLA there is no latency measurement to act on, C adds BFD (a liveness check, not a latency threshold), and a route map (A) plays no part in SD-WAN rules.

125
MCQeasy

Which BFD mode is used to detect forwarding path failures between two FortiGates that are directly connected?

A.Synchronous mode
B.Echo mode
C.Demand mode
D.Asynchronous mode
AnswerD

Default mode with periodic hello packets.

Why this answer

BFD operates in asynchronous mode by default, where both peers send hello packets. If a certain number of packets are missed, the session is considered down. This is the standard mode for directly connected FortiGates.

126
Multi-Selectmedium

An administrator is troubleshooting an SD-WAN rule that is not matching expected traffic. The SD-WAN rule uses a custom application category and has a performance SLA attached. Which two conditions must be true for the traffic to be matched by the SD-WAN rule? (Select TWO.)

Select 2 answers
A.The performance SLA must be marked as 'up' for at least one member in the SD-WAN zone
B.The destination port must be 80 or 443
C.The traffic must be identified by the application control sensor as the configured application category
D.The source IP must be in the same subnet as the SD-WAN member's IP
E.The traffic must match the firewall policy that has SD-WAN enabled
AnswersC, E

If the rule matches on application category, the traffic must be identified accordingly by App Control.

127
Multi-Selectmedium

An administrator is configuring SD-WAN rules to direct specific traffic types. Which TWO of the following criteria can be used in an SD-WAN rule to match traffic?

Select 2 answers
A.Source interface
B.Time of day
C.Destination IP address
D.Application
E.URL category
AnswersC, D

Destination IP can be used as a match criterion.

128
Multi-Selecthard

An administrator deploys a FortiGate in a remote office with a FortiSwitch and FortiAP. The LAN edge management features are used to manage these devices. The FortiGate is configured as a controller. Which three steps are required to manage the FortiAP via the FortiGate? (Choose THREE.)

Select 3 answers
A.Configure DHCP option 138 or DNS to point FortiAP to FortiGate
B.Authorize the FortiAP by serial number on the FortiGate
C.Enable CAPWAP on the FortiGate
D.Enable LLDP on the FortiSwitch
E.Configure an SSID under the FortiAP profile
AnswersA, B, C

FortiAP discovers the controller via DHCP or DNS.

Why this answer

The FortiGate must have CAPWAP enabled to act as a wireless controller. The FortiAP must be authorized (by serial number). The FortiGate must be reachable by the FortiAP via Layer 3 connectivity (e.g., DHCP option 138).

129
MCQmedium

A network admin is configuring SD-WAN on a FortiGate with two WAN members (port1, port2). The requirement is that traffic for Office 365 (source IP 10.1.1.0/24, destination IP 132.245.0.0/16) should use port1 primarily unless it fails the performance SLA, in which case it should use port2. Which SD-WAN rule configuration should the admin use?

A.Configure the rule with 'strategy = spillover' and set spillover thresholds
B.Configure the rule with 'strategy = source-dest-ip' and include port1 and port2
C.Configure the rule with 'strategy = best quality', and enable 'set match-vip enable'. Use performance SLA to monitor port1
D.Configure the rule with 'strategy = manual' and set the preferred member to port1
AnswerC

Best Quality ranks the members by the metric measured by the performance SLA (latency by default) and sends the session to the best one; when port1 degrades, port2 takes over as the better member.

Why this answer

Option C is the only choice that ties member selection to a performance SLA, which is what the failover requirement demands. Note that 'set match-vip enable' in that option is unrelated to SLA: it only lets the rule match traffic whose destination is a VIP (destination NAT), so it is a distractor inside the right answer. Spillover (A) reacts to bandwidth, not SLA; source-dest-ip (B) is a hash load-balancing mode; manual (D) pins port1 but, as written, has no SLA to trigger failover.

130
MCQhard

You run 'diagnose sys session filter dport 179' on a FortiGate and see many sessions with proto=6 and proto_state=01. What does this indicate about the BGP sessions?

A.BGP sessions are fully established and exchanging routes.
B.BGP sessions are being actively torn down.
C.BGP sessions are in the process of being established, but not yet fully up.
D.BGP sessions are using TCP port 179 but are idle.
AnswerA

proto=6 is TCP and proto_state=01 is ESTABLISHED in Fortinet's session-state encoding; SYN_SENT is shown as proto_state=02.

Why this answer

For TCP the second digit of proto_state encodes the connection state (0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN and SYN/ACK seen, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN). Sessions on port 179 sitting at 01 therefore have a completed TCP handshake, which BGP needs before OPEN messages can be exchanged. Whether the BGP finite-state machine itself has reached Established is a separate question answered by 'get router info bgp summary'; a completed TCP session with the neighbor stuck in OpenSent or OpenConfirm points at an AS-number or capability mismatch rather than reachability. Sessions that stay at 02 would indicate the incomplete handshake described in option C.

131
MCQeasy

Which FortiGate feature is used to detect link failures within milliseconds, allowing rapid convergence for routing protocols like OSPF and BGP?

A.ECMP
B.OSPF Fast Hello
C.BFD
D.Route tagging
AnswerC

BFD offers fast failure detection.

Why this answer

Bidirectional Forwarding Detection (BFD) provides sub-second link failure detection independent of the routing protocol. It is commonly used with OSPF, BGP, and SD-WAN to speed up convergence.

132
MCQeasy

Which routing protocol is commonly used in SD-WAN deployments to exchange routes between FortiGate and the provider edge router in an MPLS network?

A.RIP
B.BGP
C.IS-IS
D.OSPF
AnswerB

BGP is the preferred protocol for exchanging routes with MPLS provider edge routers due to its scalability and policy control.

133
Multi-Selecthard

A FortiGate is configured with OSPF multi-area. The administrator wants to redistribute a static route into OSPF area 0 and ensure it is propagated to all areas. Which THREE steps are required? (Choose three.)

Select 3 answers
A.Set the OSPF network type to point-to-multipoint
B.Ensure the static route has a valid next-hop and is in the routing table
C.Configure 'redistribute static' under OSPF router configuration
D.Disable OSPF on all interfaces to prevent loops
E.Configure a route map to set the metric type to E1
AnswersB, C, E

Only routes in the routing table can be redistributed.

Why this answer

To redistribute into OSPF, you need to configure redistribution under OSPF, optionally with a route map to set metrics. The route must be in the routing table. Also, OSPF must be enabled on appropriate interfaces to form adjacencies.

134
MCQeasy

Which feature allows a FortiGate to participate in multiple routing tables simultaneously, enabling network segmentation and overlapping IP address spaces?

A.VDOM
B.Policy-based routing
C.VRF
D.Route redistribution
AnswerC

VRF creates separate routing tables within a VDOM or global.

Why this answer

Virtual Routing and Forwarding (VRF) partitions the routing table into multiple independent tables, allowing overlapping IP addresses and separate routing policies per VRF. This is the standard method for network segmentation on FortiGate.

135
MCQmedium

Which BGP attribute is used by FortiGate SD-WAN to influence outbound traffic path selection?

A.Next Hop
B.Local Preference
C.MED
D.AS Path
AnswerB

Local Preference is used to influence outbound traffic decision.

136
MCQmedium

An administrator is troubleshooting SD-WAN and runs the following CLI command: 'execute sdwan-health-check status' The output shows that one SD-WAN member has a status of 'dead'. What does this indicate?

A.The member interface is administratively down
B.The member is not meeting the performance SLA thresholds
C.The SD-WAN member is not included in any SD-WAN rule
D.The member has failed the health check probe to the target server
AnswerD

'Dead' means the health-check probes sent through that member to the configured server are not being answered, so the member is excluded from every SD-WAN rule until the probes succeed again.

Why this answer

The health check monitors reachability of the configured server through each member. A member that answers but misses an SLA target is reported as failing that SLA, not as dead, which is the difference between options B and D. The usual CLI for this is 'diagnose sys sdwan health-check', which lists each member's state together with its measured packet loss, latency and jitter.

137
Multi-Selectmedium

A network engineer is troubleshooting an OSPF multi-area setup on a FortiGate. The FortiGate is an ABR (Area Border Router) connecting area 0 and area 1. The engineer notices that routes from area 1 are not being advertised into area 0. Which TWO of the following are possible causes? (Select TWO.)

Select 2 answers
A.OSPF is not enabled on the interface in area 1, or the network type is mismatched
B.The 'redistribute connected' command is missing
C.The FortiGate does not have a direct connection to area 0
D.The FortiGate has a static route to area 1 that overrides OSPF
E.The administrative distance for OSPF is set too high
AnswersA, C

Without OSPF on the interface, no adjacency forms, and routes are not learned.

Why this answer

Options A and C are correct. An ABR only generates type 3 summaries for area 1 prefixes it has actually learned, so if OSPF is not running on the area 1 interface, or the network type does not match the neighbor's, no adjacency forms and there is nothing to summarize (A). The ABR must also have an interface in area 0 (or a virtual link to it); without an area 0 attachment the FortiGate is not a functioning ABR and will not inject area 1 routes into the backbone (C). A passive interface is a different case: it forms no adjacency, but its connected prefix is still advertised. 'redistribute connected' (B) concerns external routes, not inter-area summaries; a static route (D) or a high administrative distance (E) changes which route this FortiGate installs locally, not what it advertises into area 0.

138
MCQmedium

A FortiGate is configured with policy-based routing to force traffic from subnet 10.0.1.0/24 to go through a WAN interface. The administrator notices that traffic from 10.0.1.0/24 is still using the default route. Which debug command can confirm if the policy-based routing is being applied?

A.diagnose debug routing ip-probe 10.0.1.1 8.8.8.8
B.diagnose debug flow policy-based-route
C.diagnose debug enable && diagnose debug router policy
D.get router info policy-based-route
AnswerB

The flow trace shows whether a packet from 10.0.1.0/24 hit a policy route and which interface and gateway it was given. Set a filter for the source (diagnose debug flow filter saddr ...), enable debug output, then start the trace; a matching policy route is reported in the trace before the routing-table lookup. 'diagnose firewall proute list' shows the configured policy routes themselves (useful to confirm sequence and match criteria), and 'get router info routing-table all' shows why the default route wins when no policy route matches. A common cause of the symptom described: a policy route is applied only when the routing table can reach the destination through the outgoing interface the policy names, so that interface needs at least a default route.

139
MCQmedium

An administrator is configuring a FortiGate as a LAN edge device with FortiSwitch and FortiAP. Which feature must be enabled on the FortiGate to centrally manage the FortiSwitch and FortiAP devices?

A.CAPWAP
B.LLDP
C.SNMP
D.FortiLink
AnswerD

FortiLink is the Fortinet protocol through which a FortiGate manages FortiSwitch units, and it is the feature the LAN edge design depends on.

Why this answer

Option D is correct. FortiLink, enabled on a dedicated interface (e.g., 'fortilink'), lets the FortiGate discover, authorize and configure FortiSwitch units and push VLANs to them. FortiAPs are controlled over CAPWAP by the FortiGate's wireless controller, so CAPWAP (A) is needed for the APs but does nothing for the switches, while LLDP (B) and SNMP (C) only discover or monitor devices.

140
MCQhard

You run the following command on a FortiGate: `diagnose sys session filter dport 443` Output: `proto=6 proto_state=01 duration=3600 expire=3599` What does this output indicate?

A.The session is for UDP port 443, is in state ESTABLISHED, and has 3599 bytes remaining.
B.The session is for TCP port 443, is in state ESTABLISHED, and has been active for 3600 seconds.
C.The session is for TCP port 443, is in state TIME_WAIT, and will expire in 3600 seconds.
D.The session is for TCP port 443, is in state FIN_WAIT, and will expire in 3599 seconds.
AnswerB

proto=6 is TCP; proto_state=01 is ESTABLISHED (Fortinet encodes SYN_SENT as 02, FIN_WAIT as 04 and TIME_WAIT as 05); duration=3600 is how long the session has existed in seconds; expire=3599 is the number of seconds left before the entry is removed if no further traffic is seen, not a byte count.
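Reading proto_state correctly decides both session-table questions on this page (130 and 140), so here is an added Python decoder (example code for this page, not a FortiOS tool) that applies Fortinet's TCP and UDP state encoding to session-list lines and turns a 'dport 179' listing into a triage verdict. The sample lines are constructed and trimmed to the fields used; only the second digit of proto_state is interpreted, and the field names follow the session list output:

```python
import re
from collections import Counter

# Fortinet's encoding of the TCP connection state in the second digit of
# proto_state (the leading digit is left uninterpreted in this model).
TCP_STATE = {
    0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_SENT_SYN_ACK",
    4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
    8: "LAST_ACK", 9: "LISTEN",
}
UDP_STATE = {0: "UNREPLIED", 1: "REPLIED"}
PROTO_NAME = {1: "ICMP", 6: "TCP", 17: "UDP"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_session(line):
    """Decode one session-list line into a dict with a human-readable state."""
    kv = dict(_KV.findall(line))
    proto = int(kv["proto"])
    state_digit = int(kv["proto_state"][-1])
    if proto == 6:
        state = TCP_STATE.get(state_digit, f"UNKNOWN({kv['proto_state']})")
    elif proto == 17:
        state = UDP_STATE.get(state_digit, f"UNKNOWN({kv['proto_state']})")
    else:
        state = kv["proto_state"]
    return {
        "proto": PROTO_NAME.get(proto, str(proto)),
        "state": state,
        "duration_s": int(kv.get("duration", 0)),   # seconds the session has existed
        "expire_s": int(kv.get("expire", 0)),       # seconds left before the entry is purged
    }


def bgp_verdict(lines):
    """Count TCP states over sessions to/from port 179 and say what they mean."""
    states = Counter(parse_session(line)["state"] for line in lines)
    if states.get("ESTABLISHED", 0) and not states.get("SYN_SENT", 0):
        verdict = ("TCP sessions to the peers are up; check 'get router info bgp summary' "
                   "for the BGP FSM state")
    elif states.get("SYN_SENT", 0):
        verdict = ("TCP handshake never completes: check reachability of the update-source "
                   "address and any policy or ACL on port 179")
    else:
        verdict = "no live BGP TCP sessions"
    return dict(states), verdict


# Constructed sample lines, trimmed to the fields used here (real output has more).
SAMPLE = [
    "proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600",
    "proto=6 proto_state=02 duration=27 expire=3 timeout=30",
    "proto=17 proto_state=00 duration=5 expire=55 timeout=60",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_session(line))
    print(bgp_verdict(SAMPLE[:1]))
```

The first sample line is the output from question 140 and decodes to an established TCP session that has lived for an hour; the second is what a peer that never answers the SYN looks like, and the verdict function turns a screen full of such lines into the next troubleshooting step.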

141
Multi-Selectmedium

An administrator wants to integrate a FortiExtender into an existing SD-WAN deployment. Which TWO steps are required for proper integration?

Select 2 answers
A.Disable all other WAN interfaces
B.Authorize the FortiExtender on the FortiGate
C.Enable NAT on the FortiExtender interface
D.Configure a separate VDOM for the FortiExtender
E.Configure the FortiExtender as an SD-WAN member
AnswersB, E

Authorization is needed for management and integration.

Why this answer

The FortiExtender must be authorized and added as an SD-WAN member to participate in SD-WAN.

142
MCQmedium

An administrator needs to ensure that traffic from the internal network (10.0.0.0/8) destined to the Internet is routed through a specific next-hop (192.168.1.1) only if a more specific route for the destination does not exist. Which routing feature should be used?

A.Configure route redistribution from BGP to OSPF.
B.Enable ECMP load balancing.
C.Use policy-based routing with a deny rule for the specific prefixes that have more specific routes.
D.Create a static default route with a higher administrative distance.
AnswerC

A policy route that matches the prefixes which have more specific routes and whose action is deny (FortiOS: stop policy routing) sends that traffic back to the normal routing table; a second policy route below it steers the remaining 10.0.0.0/8 traffic to 192.168.1.1.

Why this answer

Policy routes are evaluated top-down before the routing table, so a single policy route for 10.0.0.0/8 would capture everything, including destinations that have a better route. Placing deny entries for those destinations above it excludes them, and only the rest is forced to the next hop. A default route with a higher distance (D) is indeed used only when no more specific route exists, but it applies to every source, so it cannot restrict the behavior to 10.0.0.0/8. Redistribution (A) and ECMP (B) do not express a per-source next hop at all. One FortiGate caveat: a policy route is applied only when the routing table can reach the destination through the outgoing interface it names, so that interface needs at least a default route.

143
MCQeasy

What is the function of a route map in FortiGate routing?

A.To configure load balancing between multiple WAN links.
B.To filter and modify routing information during redistribution.
C.To enable BFD on a specific interface.
D.To create a static route for a specific destination.
AnswerB

Route maps are used to match routes based on criteria and then set attributes or permit/deny the route during redistribution or policy routing.

Why this answer

Route maps provide granular control over route redistribution by matching prefix lists or other attributes and then applying actions like set metric, set next hop, or permit/deny.

144
Multi-Selecthard

An administrator is configuring BGP on a FortiGate to peer with an ISP router. The FortiGate is advertising a prefix (203.0.113.0/24) to the ISP. To ensure that traffic to the prefix is load balanced across two WAN links (port1 and port2) using SD-WAN, the administrator must configure which THREE of the following? (Select THREE.)

Select 3 answers
A.Define both port1 and port2 as SD-WAN members
B.Configure a performance SLA to monitor each link
C.Enable 'set load-balance-mode' on the SD-WAN rule to 'sessions' or another algorithm
D.Configure BGP to use the same AS number on both members
E.Create an SD-WAN rule that matches traffic and uses a load balancing algorithm like 'sessions'
AnswersA, C, E

SD-WAN members are the interfaces to be load balanced.

Why this answer

Options A, C and E are correct. SD-WAN only steers outbound sessions: both links must be SD-WAN members (A), and a rule must match the traffic and use a load-balancing algorithm such as 'sessions' (C and E describe the same requirement from the CLI and rule side). A performance SLA (B) is useful for excluding a degraded link but is not required for load balancing, and D is not a meaningful setting because the FortiGate has one local AS regardless of which link a neighbor is on.

SD-WAN does not advertise prefixes. How the ISP returns traffic for 203.0.113.0/24 is decided by the BGP advertisement on each link (and any AS-path prepending or MED attached to it), so inbound balancing is a BGP matter separate from the SD-WAN rule.

145
MCQeasy

A FortiGate is configured with two static routes to the same destination 0.0.0.0/0 with equal distance but different priorities. The priority values are 10 and 20. Which route will be used for traffic matching the default route?

A.The route with priority 20 will be used.
B.The route with lower distance will be used.
C.The route with priority 10 will be used.
D.Both routes will be used for load balancing.
AnswerC

A lower priority value wins, so 10 is preferred over 20.

Why this answer

In FortiGate, when multiple static routes have the same distance (administrative distance) to the same destination, the route with the lowest priority value is selected. Priority is a FortiGate-specific metric that breaks ties among routes with equal distance. Since priority 10 is lower than 20, the route with priority 10 will be installed in the routing table and used for traffic matching 0.0.0.0/0.

Exam trap

The trap is the word 'priority': it suggests that a higher number is better, but on FortiGate a lower priority value is preferred, exactly as with distance and metric. Priority is only the tie-breaker among routes with the same distance. A route with a higher distance is not installed at all while the better one is up, whereas a route with a worse priority is still in the routing table and takes over as soon as the preferred route disappears.

How to eliminate wrong answers

Option A is wrong because a higher priority value (20) is less preferred; FortiGate selects the route with the lowest priority, not the highest. Option B is wrong because the question states both routes have equal distance, so distance does not differentiate them; the selection is based on priority, not distance. Option D is wrong because load balancing between static routes requires equal distance and equal priority; with different priorities, only the lowest priority route is active, and the other serves as a backup.
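An added Python model of the FortiGate lookup order described above (example code for this page, not FortiOS source): longest prefix match first, then lowest distance, then lowest priority, with every route that ties on all three becoming an ECMP candidate. The routing entries, gateways and device names are constructed:

```python
from ipaddress import ip_address, ip_network

# Constructed routing entries: (prefix, gateway, device, distance, priority).
ROUTES = [
    ("0.0.0.0/0",  "203.0.113.1",  "wan1",  10, 10),
    ("0.0.0.0/0",  "198.51.100.1", "wan2",  10, 20),   # same distance, worse priority: standby
    ("0.0.0.0/0",  "192.0.2.1",    "wan3",  20,  5),   # higher distance: inactive while the others are up
    ("10.0.0.0/8", "192.168.1.1",  "port3", 10,  0),   # more specific: wins for 10/8 regardless of the rest
]


def longest_match(routes, dst):
    """Routes whose prefix covers dst, keeping only the longest prefix length."""
    d = ip_address(dst)
    covering = [r for r in routes if d in ip_network(r[0])]
    if not covering:
        return []
    best_len = max(ip_network(r[0]).prefixlen for r in covering)
    return [r for r in covering if ip_network(r[0]).prefixlen == best_len]


def active_routes(candidates):
    """Among routes to one prefix: lowest distance, then lowest priority.
    Every route tying on both stays active and is eligible for ECMP."""
    if not candidates:
        return []
    best = min((r[3], r[4]) for r in candidates)
    return [r for r in candidates if (r[3], r[4]) == best]


def next_hops(routes, dst):
    """(gateway, device) pairs a packet to dst would be forwarded over."""
    return [(r[1], r[2]) for r in active_routes(longest_match(routes, dst))]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.1.2.3"):
        print(dst, next_hops(ROUTES, dst))
    without_wan1 = [r for r in ROUTES if r[2] != "wan1"]
    print("wan1 gone:", next_hops(without_wan1, "8.8.8.8"))
```

With the question's two default routes, Internet traffic leaves via wan1 (priority 10); remove wan1 and the priority-20 route on wan2 takes over, and only once both are gone does the distance-20 route on wan3 become active. Giving wan1 and wan2 equal priority makes both active, which is the ECMP case option D describes.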

146
MCQmedium

An administrator configures an SD-WAN rule with the 'volume' load balancing algorithm. The two WAN members have bandwidth capacities: port1 = 100 Mbps, port2 = 50 Mbps. Traffic is HTTP and HTTPS from internal users to the internet. How will the traffic be distributed?

A.Traffic is sent to the member with the least number of bytes transmitted, resulting in a balanced distribution proportional to bandwidth
B.All traffic uses port1 until it reaches 100 Mbps, then uses port2
C.Traffic is distributed evenly session-by-session (round-robin)
D.Source-destination IP pairs are hashed to a specific member
AnswerA

Volume algorithm tracks bytes transmitted and sends new traffic to the least loaded member.

Why this answer

Option A is correct. The volume algorithm tracks the bytes each member has carried and sends new sessions to the member with the least volume relative to its configured volume ratio. Setting the ratios to match the link capacities (2:1 for port1:port2) makes the byte split follow the bandwidth ratio over time; the algorithm does not measure link capacity by itself.

147
Multi-Selecthard

An administrator is troubleshooting SD-WAN and wants to verify that performance SLA probes are being sent correctly. Which THREE CLI commands can provide information about the SLA probes and their results?

Select 3 answers
A.diagnose sys sdwan health-check
B.diagnose sys sdwan probe-detail
C.diagnose sys sdwan member-sla
D.diagnose sys sdwan route
E.diagnose sys sdwan config
AnswersA, B, C

The health-check output shows, per member, whether the probe target answered and the measured packet loss, latency and jitter against each SLA target; the other two commands in the answer add the per-probe and per-member SLA views. 'diagnose sys sdwan route' and 'diagnose sys sdwan config' show the resulting routes and the configuration, not probe results.

148
Multi-Selectmedium

A FortiGate is configured with an SD-WAN zone containing two WAN interfaces. The administrator wants to use the 'spillover' load balancing algorithm to ensure that the primary link carries traffic until its bandwidth reaches 80% utilization, after which new sessions are sent to the secondary link. Which THREE configuration steps are necessary?

Select 3 answers
A.Create a performance SLA to measure bandwidth utilization
B.Add both interfaces as members of the SD-WAN rule
C.Configure the 'spillover-threshold' on the primary interface to 80 percent
D.Assign a weight of 80 to the primary interface and 20 to the secondary
E.In the SD-WAN rule, set the load balancing method to 'spillover'
AnswersB, C, E

Why this answer

Spillover requires setting the algorithm to 'spillover' in the SD-WAN rule (E), defining the spillover threshold on the primary interface (C), and including the secondary interface as a member (B) so that new sessions have somewhere to go once the threshold is reached. On FortiOS the threshold ('spillover-threshold' under the interface) is an absolute rate in kbps, so '80 percent' has to be converted from the link's bandwidth.

Option D is unnecessary: weights drive the sessions and volume algorithms, not spillover. Option A is wrong because a performance SLA measures loss, latency and jitter, not bandwidth utilization; the threshold lives on the interface.

149
MCQmedium

A network administrator is configuring SD-WAN on a FortiGate with two WAN links (port1 and port2). They want traffic to destination 10.0.0.0/8 to use port1 as long as its latency is below 50ms and jitter below 10ms; otherwise, fail over to port2. Which SD-WAN configuration components are required?

A.SD-WAN members, one performance SLA, one SD-WAN member with a static route
B.SD-WAN members, two performance SLAs (one per interface), one SD-WAN rule
C.SD-WAN members, one performance SLA, two SD-WAN rules (one for each interface)
D.SD-WAN members, one performance SLA, one SD-WAN rule with the performance SLA as a strategy
AnswerD

The performance SLA defines the latency and jitter targets. One SD-WAN rule references that SLA and lists port1 ahead of port2; with the 'Lowest Cost (SLA)' strategy (CLI mode sla) or 'Best Quality', port1 is used while it meets the targets and port2 takes over when it does not.

Why this answer

To implement failover based on link quality, you need SD-WAN members (interfaces), a performance SLA to monitor the links, and an SD-WAN rule that uses the SLA to determine which member to use. The 'best quality' strategy automatically switches when thresholds are not met.

150
MCQhard

A FortiGate with two WAN interfaces configured in an SD-WAN setup uses the 'lowest-cost' load balancing algorithm. The performance SLA monitors latency and jitter. If wan1 has a cost of 10 and wan2 has a cost of 20, but wan1 is experiencing 50% packet loss, what will happen to traffic?

A.Traffic is distributed equally between both links
B.Traffic is dropped until wan1 recovers
C.Traffic continues using wan1 because cost is lower
D.Traffic is sent to wan2 because wan1 is considered dead
AnswerD

wan1 fails SLA so it's dead, traffic uses wan2.

Why this answer

The 'lowest-cost' algorithm selects the member with the lowest cost. However, if a member fails the performance SLA (e.g., high packet loss), it is considered 'dead' and will not be used, even if its cost is lower. Traffic will then be sent to the next lowest-cost member that is alive.
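The SLA-driven failover questions on this page (124, 149 and this one) all come down to the same decision: drop dead members, then apply the rule's strategy to the ones that remain. This added Python model (example code for this page, not FortiOS behavior extracted from a device) implements that decision for the manual, Lowest Cost (SLA) and Best Quality strategies; the member names, costs, SLA targets and probe results are constructed to reproduce the question's scenario:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Member:
    name: str
    cost: int = 0            # used by Lowest Cost (SLA); lower wins


@dataclass
class Probe:
    """Latest health-check result for one member."""
    replied: bool            # False: no answer to the probe at all, member is 'dead'
    latency_ms: float = 0.0
    jitter_ms: float = 0.0
    loss_pct: float = 0.0


@dataclass
class SlaTarget:
    latency_ms: Optional[float] = None
    jitter_ms: Optional[float] = None
    loss_pct: Optional[float] = None

    def met(self, p: Probe) -> bool:
        if not p.replied:
            return False
        return ((self.latency_ms is None or p.latency_ms <= self.latency_ms)
                and (self.jitter_ms is None or p.jitter_ms <= self.jitter_ms)
                and (self.loss_pct is None or p.loss_pct <= self.loss_pct))


def select_member(rule_members, probes, sla, mode):
    """Return the member an SD-WAN rule would steer a new session to, or None
    when no member is usable (the session then falls back to the routing table).

    rule_members: members in the order listed in the rule (manual preference)
    probes:       {member name: Probe}
    mode:         'manual' | 'sla' (Lowest Cost (SLA)) | 'priority' (Best Quality)
    """
    alive = [m for m in rule_members if probes[m.name].replied]   # dead members never carry traffic
    if not alive:
        return None
    if mode == "manual":
        return alive[0].name                                      # ignores SLA, only liveness
    in_sla = [m for m in alive if sla.met(probes[m.name])]
    if mode == "sla":
        pool = in_sla or alive         # all failing SLA: keep forwarding by cost rather than drop
        return min(pool, key=lambda m: (m.cost, rule_members.index(m))).name
    if mode == "priority":
        return min(alive, key=lambda m: probes[m.name].latency_ms).name   # latency as quality metric
    raise ValueError(mode)


# Constructed scenario from the question: wan1 is cheaper but lossy, wan2 healthy.
MEMBERS = [Member("wan1", cost=10), Member("wan2", cost=20)]
SLA = SlaTarget(latency_ms=50, jitter_ms=10, loss_pct=10)


def scenarios():
    healthy = {"wan1": Probe(True, 20, 2, 0),  "wan2": Probe(True, 30, 3, 0)}
    lossy   = {"wan1": Probe(True, 20, 2, 50), "wan2": Probe(True, 30, 3, 0)}   # question 150
    slow    = {"wan1": Probe(True, 70, 2, 0),  "wan2": Probe(True, 30, 3, 0)}   # question 124
    dead    = {"wan1": Probe(False),           "wan2": Probe(True, 30, 3, 0)}   # question 136
    return {
        "lowest-cost healthy":  select_member(MEMBERS, healthy, SLA, "sla"),
        "lowest-cost lossy":    select_member(MEMBERS, lossy, SLA, "sla"),
        "lowest-cost slow":     select_member(MEMBERS, slow, SLA, "sla"),
        "manual dead":          select_member(MEMBERS, dead, SLA, "manual"),
        "manual lossy":         select_member(MEMBERS, lossy, SLA, "manual"),
        "best-quality healthy": select_member(MEMBERS, healthy, SLA, "priority"),
    }


if __name__ == "__main__":
    for name, choice in scenarios().items():
        print(f"{name:22} -> {choice}")
```

The 'manual lossy' case is the point of question 124: a manual rule keeps using wan1 through 50% loss because only a dead member is removed from it; attaching an SLA (the 'sla' mode rows) is what makes a degraded-but-alive link fail over.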
