CCNA Nse7 Advanced Networking Questions

59 of 209 questions · Page 3/3 · Nse7 Advanced Networking topic · Answers revealed

151
MCQ · hard

A FortiGate has two WAN interfaces (port1, port2) as SD-WAN members. The performance SLA monitor is configured for both with a latency threshold of 50 ms. The measured latency on port1 is 45 ms and on port2 is 55 ms. An SD-WAN rule uses 'lowest-cost' algorithm. Which interface will be selected for new sessions?

A. port1 because its latency is within threshold and lower than port2
B. port2 because port1's latency is close to threshold
C. The session is dropped
D. Both interfaces are used equally
Answer: A

port1 meets the SLA and has lower latency, hence lower cost.

Why this answer

Lowest-cost algorithm selects the member with the lowest cost, where cost is based on the performance SLA metric. Port1 has lower latency (45 ms < 55 ms) and is within threshold, so it has lower cost.

152
MCQ · hard

A FortiGate is running OSPF with multiple areas. The admin wants to redistribute a static route (192.168.100.0/24) into OSPF area 0. The route is configured as a static route on the FortiGate. Which configuration step is essential to ensure the static route is redistributed into OSPF?

A. Create a prefix list to allow the static route and apply it to the OSPF area
B. Set the administrative distance of the static route to 110
C. Configure a route map to match the static route and set OSPF type
D. Enable 'redistribute static' under the OSPF router configuration
Answer: D

Without enabling redistribution on the OSPF process, static routes will not be advertised.

Why this answer

Option D is correct because OSPF does not redistribute static routes by default. The 'redistribute static' command must be configured under the OSPF process; route maps can optionally filter what is redistributed, but redistribution itself must be enabled first.

153
MCQ · medium

Which command is used on a FortiGate to view the current state of BFD sessions?

A. get router info bfd
B. show bfd sessions
C. execute bfd show
D. diagnose sys bfd session list
Answer: D

This shows BFD session details.

Why this answer

Option D is correct because 'diagnose sys bfd session list' is the FortiGate CLI command used to display the current state of Bidirectional Forwarding Detection (BFD) sessions, including session state, local/remote discriminators, and timers. This command is part of the 'diagnose' utility, which provides detailed operational and diagnostic information for troubleshooting BFD in SD-WAN or routing contexts.

Exam trap

The trap here is that candidates familiar with Cisco IOS may instinctively choose 'show bfd sessions' (Option B), but FortiGate uses a different CLI syntax where 'diagnose' is the proper command for detailed operational state, not 'show' or 'execute'.

How to eliminate wrong answers

Option A is wrong because 'get router info bfd' is not a valid FortiGate command; the correct 'get' command for BFD is 'get router info bfd session' or 'get router info bfd neighbor', but the given syntax is incomplete and incorrect. Option B is wrong because 'show bfd sessions' is a Cisco IOS command, not a FortiGate command; FortiGate uses 'get' or 'diagnose' syntax, not 'show'. Option C is wrong because 'execute bfd show' is not a valid FortiGate command; 'execute' commands are used for actions like ping or traceroute, not for displaying BFD session state.

154
Multi-Select · medium

A network administrator is configuring SD-WAN rules with load balancing. They want to distribute HTTP traffic evenly across two WAN links based on the number of sessions. Which TWO settings should they use? (Choose two.)

A. Ensure the SD-WAN rule matches HTTP traffic (e.g., using protocol or port criteria).
B. Set the load balancing algorithm to 'volume'.
C. Create a performance SLA to monitor the links.
D. Enable 'set update-static-route' on the SD-WAN rule.
E. Set the load balancing algorithm to 'session'.
Answers: A, E

The rule must match HTTP traffic to apply the load balancing algorithm to that traffic.

Why this answer

To distribute HTTP sessions evenly, the load balancing algorithm should be 'session', and the SD-WAN rule must match HTTP traffic using appropriate criteria (e.g., destination port 80).

155
MCQ · hard

A FortiGate has multiple VRFs. The administrator wants to leak a route from VRF1 to VRF2. Which configuration is required?

A. Configure route leaking using route maps and the set vrf command under VRF1's routing process
B. Use the config router vrf-leak command to define leaking rules
C. Enable inter-VRF routing on the VDOM
D. Configure a static route in VRF2 pointing to the next-hop in VRF1 with a different administrative distance
Answer: A

Route leaking between VRFs is achieved by configuring route maps with set vrf and applying them under the routing process of the source VRF.

Why this answer

Option A is correct because route leaking between VRFs on a FortiGate is achieved by configuring route maps with the `set vrf` command under the source VRF's routing process. This allows specific routes from VRF1 to be imported into VRF2, enabling controlled inter-VRF communication without requiring a VDOM or static route workaround.

Exam trap

The trap here is that candidates confuse the FortiGate-specific route leaking method (route maps with `set vrf`) with generic Cisco-style VRF leaking commands or assume that a static route with a different administrative distance can bypass VRF isolation, which fails because VRFs are isolated at Layer 3 and require explicit route redistribution.

How to eliminate wrong answers

Option B is wrong because the `config router vrf-leak` command does not exist in FortiOS; route leaking is configured using route maps and the `set vrf` command under the routing process, not a dedicated vrf-leak command. Option C is wrong because enabling inter-VRF routing on a VDOM is a different concept—it allows all VRFs within a VDOM to communicate without explicit route leaking, which is not the same as selective route leaking between specific VRFs. Option D is wrong because configuring a static route in VRF2 pointing to a next-hop in VRF1 with a different administrative distance does not leak the route; it creates a static route that may fail because the next-hop is in a different VRF and not reachable without proper route leaking or inter-VRF connectivity.

156
Multi-Select · medium

A network administrator is configuring SD-WAN rules and wants to ensure that voice traffic is sent over the link with the lowest jitter. Which TWO configurations should the administrator apply? (Choose two.)

A. Set the SD-WAN rule strategy to 'lowest cost'
B. Configure the SD-WAN rule to use 'volume' load balancing
C. Set the SD-WAN rule strategy to 'best quality'
D. Enable 'set jitter-threshold' on the SD-WAN rule
E. Ensure the performance SLA measures jitter
Answers: C, E

Best quality uses the priority order of metrics, which can include jitter.

Why this answer

To use jitter as the selection metric, the performance SLA must include jitter measurement, and the SD-WAN rule strategy should be 'best quality' with jitter as the highest priority metric.

157
MCQ · medium

An administrator wants to ensure that all traffic from a specific LAN subnet (192.168.10.0/24) to the internet uses a particular WAN interface (wan1) in an SD-WAN setup, while other traffic uses wan2. What is the correct configuration to achieve this?

A. Create a policy-based routing rule with source 192.168.10.0/24 and set the outgoing interface to wan1
B. Configure an SD-WAN rule with source address matching 192.168.10.0/24 and set the preferred member to wan1
C. Set the default route for wan1 with a higher distance
D. Use a route map with a prefix list to match the subnet and set the next-hop to wan1
Answer: B

SD-WAN rules allow source-based matching and preferred member selection.

Why this answer

SD-WAN rules are used to match traffic based on criteria and direct it to specific members. The rule would match source 192.168.10.0/24 and set the destination interface to wan1.

158
MCQ · easy

Which FortiGate feature allows multiple independent routing tables on a single device, enabling traffic separation for different departments or customers?

A. ECMP
B. VRF
C. VDOM
D. Policy-based routing
Answer: B

VRF creates independent routing tables on the same FortiGate.

Why this answer

VRF (Virtual Routing and Forwarding) partitions the routing table into multiple instances, each with its own routing table and forwarding decisions.

159
Multi-Select · medium

A network administrator is configuring SD-WAN on a FortiGate and wants to ensure that VoIP traffic uses the link with the lowest latency while bulk download traffic uses the link with the highest bandwidth. Which TWO configuration steps are required?

A. Assign a static route for the VoIP subnet
B. Create an SD-WAN rule for VoIP traffic with 'best quality' strategy
C. Enable BFD on all WAN interfaces
D. Configure a route map for VoIP traffic
E. Create a performance SLA for latency
Answers: B, E

Best quality uses the member with best SLA performance (e.g., lowest latency).

Why this answer

To achieve this, the administrator must create SD-WAN rules that match traffic types and assign appropriate strategies (best quality for VoIP, lowest cost for bulk).

160
MCQ · medium

A FortiGate has two WAN interfaces configured as SD-WAN members. The administrator wants traffic to specific destination IP addresses to use a particular member. Which SD-WAN configuration object should be used to achieve this?

A. SD-WAN rule
B. Route map
C. Prefix list
D. Performance SLA
Answer: A

SD-WAN rules define which traffic goes to which member based on matching criteria.

Why this answer

SD-WAN rules allow matching traffic based on criteria such as source/destination IP, and then forward it to a specific SD-WAN member or strategy.

161
Drag & Drop · medium

Drag and drop the steps to configure a FortiGate to use an external authentication server (e.g., RADIUS) for admin login into the correct order.

Why this order

Add server, configure details, create group, assign to admin, then test.

162
Multi-Select · medium

Which THREE statements are true about FortiGate SD-WAN health-check configuration?

A. Health-check probes can be sent from any interface, including loopback.
B. Health-check can only be configured on physical interfaces, not VLANs or subinterfaces.
C. Health-check can be configured with multiple thresholds for jitter, latency, and packet loss.
D. Health-check can update the routing table by setting 'update-static-route' to enable fallback.
E. Health-check can be configured to use HTTP or DNS protocols to verify link health.
Answers: C, D, E

Performance SLA thresholds can be defined for jitter, latency, and packet loss.

Why this answer

Option C is correct because FortiGate SD-WAN health-check allows configuring multiple thresholds for jitter, latency, and packet loss. These thresholds are used to determine the quality of a link; if any threshold is exceeded, the link is considered failed. This enables granular control over link health assessment beyond simple reachability.

Exam trap

The trap here is that candidates often assume health-check can use any interface as a source (like loopback) or that it only works on physical interfaces, but FortiGate restricts probe source to the member interface and supports VLANs and aggregates.

163
MCQ · hard

You run the following commands on a FortiGate:

diagnose sys session filter dport 443
diagnose sys session list

Output:

proto=6 proto_state=01 duration=3600 expire=3599

What does the 'proto_state=01' indicate?

A. The session is fully established and in the 'established' state
B. The session is in the 'init' state, meaning the first SYN packet has been seen but the handshake is not complete
C. The session is a UDP or ICMP session with no state tracking
D. The session is being torn down (FIN or RST received)
Answer: B

proto_state=01 indicates the session is being initiated (SYN seen).

Why this answer

Option B is correct. In FortiGate session table, proto_state values: 01 means the session is in the 'init' state (SYN sent, SYN-ACK not yet received). For TCP, this indicates the connection is being established.

164
Multi-Select · medium

A network administrator is configuring SD-WAN on a FortiGate with three WAN links: MPLS (10 Mbps), Broadband (50 Mbps), and LTE (20 Mbps). They want to load balance traffic based on link bandwidth, with the option to manually steer critical traffic to the MPLS link. Which TWO steps must be taken to achieve this?

A. Set the SD-WAN rule strategy to 'Maximize Bandwidth' with the volume algorithm for general traffic.
B. Create a separate SD-WAN rule for critical traffic with strategy 'Manual' and select MPLS as the preferred member.
C. Set the load balancing algorithm to 'Spillover' on all rules.
D. Enable ECMP on the FortiGate.
E. Configure a performance SLA for each link.
Answers: A, B

This enables bandwidth-based load balancing.

Why this answer

To load balance based on bandwidth, the 'Maximize Bandwidth' strategy with the volume algorithm should be used. To allow manual steering, the SD-WAN rule for critical traffic should be set to the 'Manual' strategy with MPLS selected as the preferred member. Options A and B together satisfy both requirements.

165
Multi-Select · medium

An administrator is configuring SD-WAN with two members: MPLS and Broadband. The requirement is that voice traffic (UDP ports 16384-32768) should use MPLS primarily, and if MPLS fails SLA, then use Broadband. Which two configurations are needed? (Choose TWO.)

A. Disable the Broadband member from the SD-WAN zone
B. Configure a performance SLA for the MPLS member
C. Create an SD-WAN rule that matches voice traffic and uses the 'best quality' strategy
D. Configure policy-based routing for voice traffic
E. Set the load balancing algorithm to 'sessions'
Answers: B, C

Required to monitor link quality.

Why this answer

A performance SLA monitors the MPLS link quality, and an SD-WAN rule is configured to match voice traffic with a strategy that prefers MPLS but falls back to Broadband if SLA fails. Without the SLA, the rule cannot detect failure.

166
MCQ · hard

An administrator configures OSPF on a FortiGate with multiple areas. After configuration, the FortiGate does not become an ABR. What is the most likely reason?

A. The router-id is not configured
B. The OSPF process is not enabled
C. The network type is set to point-to-point
D. There is no interface assigned to area 0
Answer: D

An ABR must have at least one interface in area 0 and one in another area.

Why this answer

To be an ABR, the FortiGate must have interfaces in area 0 (backbone) and at least one other area. If no interface is in area 0, it cannot be an ABR.

167
MCQ · easy

Which load balancing algorithm in SD-WAN sends new sessions to the member interface with the least number of active sessions?

A. Sessions
B. Volume
C. Spillover
D. Source-dest IP
Answer: A

Sessions algorithm sends to the interface with the fewest active sessions.

168
MCQ · easy

Which SD-WAN load balancing algorithm distributes traffic based on the number of active sessions per interface?

A. Sessions
B. Volume
C. Source-destination IP
D. Spillover
Answer: A

Sessions algorithm distributes based on number of sessions per interface.

Why this answer

The 'sessions' algorithm balances by session count. Other algorithms use volume, spillover, source-dest IP hash, or lowest cost.

169
Multi-Select · medium

An administrator needs to integrate a FortiSwitch with a FortiGate for LAN edge management. The FortiSwitch will be used to provide access ports for end users. Which THREE configuration steps are required on the FortiGate?

A. Create a port profile that defines VLAN and security settings for the access ports
B. Configure a DHCP server on the FortiGate to assign IP addresses to FortiSwitch management
C. Enable STP on the FortiGate interface
D. Enable CAPWAP on the FortiGate interface connected to the FortiSwitch
E. Authorize the FortiSwitch in the FortiGate's managed switch list
Answers: A, D, E

Port profiles are used to configure the switch ports from the FortiGate.

Why this answer

The FortiGate acts as the controller for managed FortiSwitches. Key steps include enabling CAPWAP, creating a port profile, and authorizing the switch.

170
MCQ · hard

A FortiGate has ECMP configured with two equal-cost routes to a destination. The administrator wants to ensure that all packets from a given source IP use the same next-hop. Which ECMP load balancing method should be configured?

A. Source IP
B. Destination IP
C. Source-destination IP
D. Round robin
Answer: A

Source IP hash ensures all traffic from the same source uses the same path, regardless of destination.

Why this answer

Source IP hash ensures that all traffic from a specific source IP goes to the same next-hop, providing session persistence without using source-destination IP pair.

171
Multi-Select · easy

An administrator wants to integrate a FortiSwitch with a FortiGate for LAN edge management. Which TWO steps are required for initial setup? (Choose two.)

A. Configure OSPF on the FortiSwitch
B. Connect the FortiSwitch to the FortiGate's managed switch port
C. Set the FortiSwitch to 'transparent' mode
D. Authorize the FortiSwitch in the FortiGate's switch controller
E. Create a firewall policy allowing traffic between FortiSwitch and FortiGate
Answers: B, D

The switch must be physically connected to a port that is configured as a managed switch port.

Why this answer

Option B is correct because a FortiSwitch must be physically connected to a FortiGate port that has been configured as a managed switch port (via config system interface and set type switch). This dedicated port enables the FortiGate to discover and manage the FortiSwitch using the FortiLink protocol, which encapsulates control and data traffic over a single link. Without this physical connection to a managed switch port, the FortiGate cannot establish the FortiLink adjacency required for LAN edge management.

Exam trap

The trap here is that candidates often assume a firewall policy is required for all traffic between devices, but FortiLink management traffic bypasses firewall rules because it uses a dedicated control channel that is implicitly permitted by the FortiGate's internal switch controller logic.

172
MCQ · easy

Which SD-WAN load balancing algorithm distributes new sessions based on the number of active sessions on each link?

A. Source-dest IP
B. Spillover
C. Volume
D. Sessions
Answer: D

Sessions algorithm distributes based on the number of active sessions.

173
Multi-Select · medium

A FortiGate is integrated with FortiSwitch and FortiAP. The administrator wants to manage both devices from the FortiGate GUI using the LAN edge management features. Which THREE conditions must be met for this integration to work?

A. FortiAP must be in CAPWAP mode to connect to the FortiGate.
B. The FortiGate must be in NAT mode.
C. FortiSwitch must be in the same Layer 2 domain as the FortiGate management interface.
D. The FortiGate must operate in transparent mode.
E. The FortiGate must have a separate VDOM for each managed device.
Answers: A, B, C

FortiAP uses CAPWAP to tunnel traffic to the FortiGate.

Why this answer

FortiSwitch and FortiAP management via FortiGate (LAN edge) requires that the FortiGate be in NAT mode (transparent mode does not support this), that FortiAP connect over CAPWAP, and that the devices be in the same broadcast domain or reachable via the management VLAN. Option E is incorrect because the FortiGate can manage these devices without a separate VDOM per device. Option C is required for Layer 2 adjacency.

174
MCQ · hard

A FortiGate with FortiExtender is using LTE as a backup WAN link. When the primary link fails, the LTE link does not take over. What could be the cause?

A. The primary link's performance SLA is still passing.
B. The FortiExtender is not configured in pass-through mode.
C. The FortiExtender firmware is out of date.
D. The LTE interface is not added as an SD-WAN member.
Answer: D

Without adding to SD-WAN, the backup link won't be used for failover.

Why this answer

Option D is correct because for an LTE interface to be used as a backup WAN link in an SD-WAN setup, it must be explicitly added as an SD-WAN member. Without this, the FortiGate will not consider the LTE interface for traffic steering or failover, even if the primary link fails. The SD-WAN rules and performance SLA are only evaluated against interfaces that are members of the SD-WAN zone.

Exam trap

The trap here is that candidates often assume any working backup interface will automatically take over when the primary fails, but FortiGate SD-WAN requires explicit membership in the SD-WAN zone for failover to occur.

How to eliminate wrong answers

Option A is wrong because if the primary link's performance SLA is still passing, the SD-WAN logic would not trigger a failover to the backup link; the LTE link would not take over because the primary is considered healthy. Option B is wrong because pass-through mode is relevant for extending the FortiGate's interfaces via the FortiExtender, but it is not a prerequisite for LTE failover; the LTE interface can be used in normal mode as long as it is properly configured and added to SD-WAN. Option C is wrong because, while outdated firmware can cause various issues, the most direct and common reason for LTE not taking over is that the interface is not a member of the SD-WAN zone, not a firmware version problem.

175
MCQ · medium

An administrator configures SD-WAN with two members (wan1, wan2) and a performance SLA for ICMP to 1.1.1.1. The SD-WAN rule is set to 'Best Quality' with 'latency' metric. The admin notices that traffic sometimes switches to the other link even when the current link has acceptable latency. Which action can reduce unnecessary flapping?

A. Configure a hysteresis value for the SLA
B. Increase the SLA probe interval
C. Use the 'manual' strategy instead
D. Increase the 'update-cascade-interface' setting
Answer: A

Hysteresis adds a buffer: the link must be significantly better before switching, reducing flapping.

176
MCQ · easy

A FortiGate administrator needs to configure BFD (Bidirectional Forwarding Detection) on a BGP peer to quickly detect link failures. Which CLI command enables BFD on the BGP neighbor 10.1.1.1?

A. config router policy / set bfd enable / end
B. config system interface / edit port1 / set bfd enable / next / end
C. config router static / set bfd enable / end
D. config router bgp / config neighbor / edit 10.1.1.1 / set bfd enable / next / end / end
Answer: D

BFD is enabled per neighbor under the BGP configuration.

177
MCQ · hard

A FortiGate is configured with policy-based routing (PBR) to route certain traffic through a specific next hop. However, some traffic that should match the PBR rule is not being affected. What is a likely reason?

A. The PBR rule uses a route map that references an incorrect prefix list.
B. The PBR rule is applied on the wrong interface or direction.
C. The PBR rule has a higher priority than the SD-WAN rule, but the traffic is hitting the SD-WAN rule first because of firewall policy order.
D. The traffic is generated locally from the FortiGate and PBR does not affect locally generated traffic.
Answer: B

PBR must be applied to the ingress interface where traffic arrives. If applied to the wrong interface or direction, traffic will not match.

Why this answer

Policy-based routing is applied on the ingress interface. If the administrator applied it to the egress interface or forgot to apply it to the correct ingress interface, the traffic will not match.

178
MCQ · easy

A FortiGate is configured with OSPF multi-area. The administrator wants to ensure that routes from area 0 are redistributed into area 1. Which OSPF configuration is required?

A. Enable 'redistribute connected' on the ABR
B. Set the 'area type' to 'nssa' on area 1
C. Configure a route redistribution policy under OSPF
D. No additional configuration is needed; ABRs automatically advertise inter-area routes
Answer: D

OSPF ABRs by default advertise routes from one area to another.

Why this answer

OSPF automatically redistributes routes between areas. No special redistribution is needed; ABRs (Area Border Routers) advertise inter-area routes by default.

179
MCQ · medium

An administrator configures a route map to control redistribution of connected routes into OSPF. The route map uses a prefix list to match routes. After applying the redistribution, no routes are redistributed. What is the most likely oversight?

A. The route map is missing a 'set' action, so it denies all routes
B. The prefix list is configured with the wrong sequence number
C. The OSPF process ID is incorrect
D. The connected routes are not in the routing table
Answer: A

Without a set action, the route map denies by default.

Why this answer

The route map must have a 'set' action or at least 'set metric' to actually redistribute. If the route map only matches but has no set statement, the routes are not injected. Also, the route map must be applied to the redistribution statement.

180
MCQ · hard

A FortiGate has two WAN links and uses ECMP load balancing for default routes. The administrator wants to ensure that all packets belonging to the same TCP session go out the same interface. Which setting should be enabled?

A. Persistent NAT
B. ECMP source-destination-ip hash
C. ECMP with source-ip hash
D. ECMP with 'session-based' algorithm
Answer: D

Session-based ECMP uses a hash of the 5-tuple (src IP, dst IP, protocol, src port, dst port) to ensure all packets of a session use the same interface.

181
MCQ · hard

You have configured VRF on a FortiGate with two VRFs: VRF 1 for guest traffic and VRF 2 for corporate traffic. You want to allow limited communication from guests to a corporate DNS server. What is the correct configuration step?

A. Create a firewall policy from VRF 1 to VRF 2 allowing DNS traffic
B. Enable 'set allow-vrf' on the DNS server's interface
C. Configure route leaking between VRF 1 and VRF 2 for the DNS server's IP
D. Place the DNS server in a management VDOM and use inter-VDOM links
Answer: C

Route leaking allows one VRF to know routes of another, enabling inter-VRF communication.

Why this answer

VRF leaking requires route leaking between VRFs; a firewall policy alone does not cross VRFs unless routes are leaked.

182
MCQ · medium

A FortiGate is configured with SD-WAN using BGP. The administrator wants to influence outbound traffic to prefer one SD-WAN member over another based on BGP attributes. Which BGP attribute, when modified on the FortiGate, can achieve this for outbound traffic?

A. Local-preference
B. Weight
C. AS-Path prepending
D. MED
Answer: A

Local-preference is used to influence outbound traffic within the local AS. Higher local-preference makes a route more preferred for outbound traffic.

Why this answer

AS-Path prepending adds AS numbers to the path, making it longer and less preferred on the remote side. It influences inbound traffic by making the local route less attractive to downstream routers; for outbound traffic from the FortiGate, local-preference (option A) is the correct attribute to influence path selection within the local AS.

183
MCQ · easy

An administrator wants to load balance traffic across two ISP links using SD-WAN. The requirement is that sessions from the same source IP address must always use the same ISP link. Which SD-WAN load balancing algorithm should be used?

A. Source-destination IP
B. Sessions
C. Volume
D. Spillover
Answer: A

This algorithm hashes source and destination IP to consistently select the same member for flows between the same two hosts.

Why this answer

The source-destination IP algorithm uses a hash of source and destination IP addresses to consistently map traffic to the same member. This ensures that all sessions with the same source and destination IP pair go to the same link, meeting the requirement.

184
MCQ · medium

A network administrator configures SD-WAN on a FortiGate with two WAN members (port1, port2). They set up a performance SLA to measure latency to 8.8.8.8. The SLA shows both members are 'alive'. However, traffic matching an SD-WAN rule with 'best quality' strategy is not using the lowest-latency link. What is the MOST likely cause?

A. Both WAN members have the same cost in the SD-WAN configuration
B. The SD-WAN rule is configured with the 'manual' strategy
C. The SD-WAN rule has 'set-match' enabled for source IP
D. The performance SLA does not have 'latency' as the first metric in the priority order
Answer: D

Best quality uses the configured metric order; if latency is not first, another metric determines the selection.

Why this answer

The 'best quality' strategy selects based on the highest priority metric. By default, latency is not the highest priority; jitter and packet loss are considered first. The admin must configure the SLA to prioritize latency or adjust the SD-WAN rule strategy.

185
Multi-Select · easy

An administrator is configuring BGP with SD-WAN on a FortiGate. Which TWO statements are true about BGP and SD-WAN integration? (Choose two.)

A. BGP must be disabled on interfaces used for SD-WAN
B. BGP learned routes cannot be used as SD-WAN members
C. SD-WAN performance SLA can override BGP best path selection
D. SD-WAN rules can use BGP attributes such as AS path to influence path selection
E. BGP route redistribution is not supported with SD-WAN
Answers: C, D

SD-WAN can choose a different path based on SLA metrics.

Why this answer

BGP learned routes can be used as SD-WAN members and can influence path selection based on attributes like AS path. SD-WAN rules can use BGP attributes for load balancing.

186
Multi-Select · medium

A network administrator is troubleshooting an SD-WAN setup where traffic from a specific application is not being load-balanced as expected. The SD-WAN rule uses the 'volume' load balancing algorithm. Which TWO factors could cause traffic to not be distributed equally? (Choose two.)

A. The SD-WAN rule is configured with 'mode = load-balance' but the algorithm is set to 'source-dest-ip'
B. One of the SD-WAN members is a PPPoE interface
C. The performance SLA has a high packet loss threshold causing the member to be dead
D. The traffic is asymmetric, causing sessions to be created on different members than expected
E. The traffic is encrypted and cannot be inspected
Answers: B, D

PPPoE interfaces are not supported for load balancing in SD-WAN.

Why this answer

Volume algorithm uses a weighted distribution. If one member is a PPPoE interface, it cannot be used for load balancing due to NAT issues. Also, if traffic is asymmetric, the session may not be balanced properly.

187
MCQ · medium

An administrator configured an SD-WAN rule to steer traffic to a specific member interface using the 'lowest-cost' strategy. After applying, the traffic is not being load-balanced as expected. Which configuration element is MOST likely missing?

A. The 'best-quality' strategy was inadvertently selected instead.
B. A performance SLA has not been assigned to the SD-WAN member interfaces.
C. The SD-WAN member interfaces are not in the same zone.
D. The 'update-static-route' option is disabled on the SD-WAN member.
Answer: B

The lowest-cost strategy relies on performance SLA metrics to determine cost. Without an SLA, the cost is not calculated.

188
MCQ · hard

A FortiGate has two equal-cost paths to a destination network. ECMP is enabled. The administrator notices that all traffic uses the first path. What is the most likely cause?

A. ECMP is configured with 'spillover' mode
B. The second path is administratively down
C. ECMP is configured to use the 'source-dest-ip' hash and all sessions are from the same source to the same destination
D. The route metric is not equal
Answer: C

That hash would send all sessions to the same path.

Why this answer

ECMP distributes session flows, but if all traffic is using one path, it may be due to a session-based hash that yields the same path for every session: when the ECMP load balancing method is 'source-dest-ip' and all traffic is from one source to one destination, every session hashes to the same next-hop. Other possible causes are an ECMP load balancing mode of 'usage' or a policy-based route overriding the ECMP decision.

189
MCQmedium

A FortiGate with SD-WAN enabled uses two members: MPLS (10 ms latency) and Internet (40 ms latency). The SD-WAN rule uses 'Best Quality' strategy with latency as the metric. Traffic to a critical application (10.1.1.0/24) is currently using the MPLS link. The MPLS link's latency increases to 60 ms due to a routing issue. How will FortiGate handle new sessions to 10.1.1.0/24?

A.New sessions will use the Internet link; existing sessions continue on MPLS.
B.FortiGate will wait for the MPLS link to recover before sending new traffic.
C.All sessions immediately switch to the Internet link.
D.Existing sessions continue on MPLS; new sessions will use MPLS until the next SLA probe.
AnswerA

Best Quality uses SLA metrics to steer new sessions to the best member, but does not affect existing sessions.

Why this answer

With 'Best Quality' strategy, FortiGate continuously monitors performance SLAs. When the MPLS link's latency exceeds the threshold or becomes worse than the Internet link, new sessions will be steered to the best available member (Internet) based on the metric. Existing sessions remain on the original link until they expire.

190
MCQhard

A FortiGate is running OSPF in a multi-area network. The administrator notices that routes from area 1 are not being redistributed into area 0. The configuration includes 'redistribute connected' under OSPF. What is the most likely cause?

A.The OSPF network type is not broadcast
B.Area 1 is a stub area
C.The ABR is not configured with 'area 0'
D.The 'redistribute connected' command is missing under the OSPF process
AnswerD

If the routes are connected interfaces in area 1, they need to be redistributed into OSPF to be advertised to other areas.

Why this answer

OSPF redistributes connected routes or routes from other routing protocols only when redistribution is configured. Routes from other OSPF areas are not redistributed at all; they are learned via inter-area LSAs. If redistribution is not configured for connected or static routes, those routes are never generated as external LSAs.

Option D is the plausible cause: 'redistribute connected' is missing under the OSPF process.

191
Multi-Selectmedium

An administrator wants to use policy-based routing to forward traffic from subnet 192.168.1.0/24 to a specific next-hop via port2. Which TWO configuration elements are needed?

Select 2 answers
A.An SD-WAN rule overriding the routing decision.
B.A route-map that matches the source subnet and sets the next-hop.
D.A prefix-list matching 192.168.1.0/24.
E.A firewall policy matching the traffic with action 'accept'.
AnswersB, D

PBR uses route-maps to match and set next-hop.

192
Multi-Selectmedium

A network administrator is configuring SD-WAN on a FortiGate to control outbound internet traffic. The requirement is to load balance traffic across two WAN interfaces (port1 and port2) based on the number of new sessions, but only when both links are healthy. The administrator has added both interfaces to the SD-WAN zone and configured performance SLAs. Which TWO additional configuration steps are necessary to implement this requirement?

Select 2 answers
A.Enable 'ECMP load balancing' in the routing settings
B.Configure the SD-WAN rule to use a performance SLA for health checking
C.Set the load balancing algorithm to 'sessions' in the SD-WAN rule for the traffic
D.Configure a policy-based routing rule to direct traffic to the SD-WAN zone
E.Set the 'sla-check' under config system sdwan to 'enable'
AnswersB, C

Why this answer

SD-WAN load balancing is configured in the SD-WAN rules. Setting the load balancing algorithm to 'sessions' achieves session-based distribution. The rule must also be configured to use the performance SLA to check link health, typically by setting the 'health check' field under SD-WAN rule strategy.

Option C is correct because the algorithm must be set to 'sessions'. Option B is correct because the rule must reference a performance SLA to consider link health.

193
MCQmedium

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A.The session has been active for 1 hour and will expire in about 1 hour
B.The session is about to expire and will be removed soon
C.The session is using UDP protocol
D.The session is in a half-open state
AnswerA

Duration=3600 (1 hour), expire=3599 (almost 1 hour).

Why this answer

The output shows a TCP session (proto=6) in state 01 (established), duration of 3600 seconds (1 hour), and expire time of 3599 seconds (almost 1 hour remaining). This indicates a long-running HTTPS session that is still active.

194
MCQhard

A FortiGate is running OSPF in a multi-area topology. The administrator needs to redistribute connected routes from area 0 into area 1 but does not want to leak any other routes. Which configuration is correct?

A.Use policy-based routing to forward traffic to the connected networks.
B.Add the connected networks as networks in area 1 using 'network x.x.x.x 255.255.255.0 area 1'.
C.Configure route redistribution under OSPF with 'redistribute connected' and apply a route map that permits only the desired connected networks.
D.Use 'set redistribute connected' under the OSPF interface configuration for the connected interface in area 0.
AnswerC

Using redistribution with a route map allows selective advertisement of only the specified connected routes.

195
MCQmedium

A FortiGate is using BFD for BGP fast failure detection. The administrator wants to ensure that if the BFD session goes down, the BGP neighbor is removed and routes are withdrawn immediately. Which configuration is necessary?

A.Enable BFD on the BGP neighbor and ensure BFD timers are set lower than BGP hold time
B.Configure BGP graceful restart
C.Set BGP hold time to 0
D.Use 'set bfd-desired-min-tx 100' on the interface
AnswerA

BFD must be enabled for the BGP neighbor; when BFD detects a failure, it notifies BGP to tear down the session.

196
Multi-Selecthard

Which TWO statements are true regarding BGP path selection in a FortiGate SD-WAN environment?

Select 2 answers
A.BGP best path selection is independent of SD-WAN rules unless explicitly overridden.
B.SD-WAN cannot be applied to routes learned via BGP.
C.SD-WAN can modify BGP MED values to influence path selection.
D.SD-WAN rules always follow the BGP best path selection.
E.SD-WAN can use BGP community values as match criteria in SD-WAN rules.
AnswersA, E

BGP selects the best path; SD-WAN rules are applied afterwards.

Why this answer

BGP best path selection operates independently of SD-WAN rules because BGP selects the best route based on its own path attributes (e.g., weight, local preference, AS path length, MED) as defined in RFC 4271. SD-WAN rules can only override this selection if explicitly configured to do so, typically by using route maps or policy-based routing to influence the decision. Without such an override, the BGP best path is installed in the routing table and SD-WAN rules then apply to traffic forwarding, not to the BGP path selection process itself.

Exam trap

The trap here is that candidates often assume SD-WAN automatically overrides BGP path selection or that BGP attributes like MED can be dynamically adjusted by SD-WAN, when in fact SD-WAN operates on the forwarding plane and can only influence path selection through explicit policy overrides or by matching existing BGP attributes like communities.

197
MCQmedium

Which command is used on a FortiGate to view the current routing table including VRF instances?

A.show ip route
B.get router info routing-table all
C.diagnose ip route list
D.execute router list
AnswerB

This shows the routing tables of all VRFs.

Why this answer

Option B is correct because 'get router info routing-table all' is the FortiGate CLI command that displays the complete routing table, including all VRF instances. This command retrieves the kernel routing table entries for every VRF, showing routes from all routing protocols (static, OSPF, BGP, etc.) and is the standard way to view the full routing context on FortiGate.

Exam trap

The trap here is that candidates familiar with Cisco IOS often default to 'show ip route' (Option A), not realizing that FortiGate uses a completely different CLI syntax where 'get router info' is the equivalent operational command for viewing routing tables.

How to eliminate wrong answers

Option A is wrong because 'show ip route' is a Cisco IOS command, not a FortiGate command; FortiGate uses a different CLI syntax and does not support 'show' for routing table display. Option C is wrong because 'diagnose ip route list' is a FortiGate diagnostic command used for debugging or troubleshooting the routing table, but it is not the standard operational command to view the current routing table including VRF instances; it may show additional internal details but is not the intended production command. Option D is wrong because 'execute router list' is not a valid FortiGate command; FortiGate uses 'execute' for actions like ping or traceroute, not for listing routing tables.

198
MCQeasy

A FortiGate is connected to a FortiSwitch via a trunk port. The administrator wants to manage the FortiSwitch using FortiLink. Which of the following is a prerequisite for FortiLink to function?

A.The FortiSwitch must be running a firmware version that supports CAPWAP
B.The FortiSwitch must be configured with a DHCP server to assign IP addresses
C.The FortiSwitch must have a management IP in the same subnet as the FortiGate's management IP
D.A dedicated FortiLink interface (physical or VLAN) must be configured on the FortiGate
AnswerD

Why this answer

FortiLink requires a dedicated interface or VLAN for management. The FortiGate must have a FortiLink interface configured, typically a physical interface or a VLAN interface carrying the management traffic. Option D is correct because a dedicated FortiLink interface must be created.

Option B is unnecessary; DHCP is not required. Option C is optional; the FortiSwitch does not need a management IP in the same subnet as the FortiGate.

199
MCQmedium

A FortiGate is configured with SD-WAN and has two WAN members: Member1 (ISP1) with priority 10, and Member2 (ISP2) with priority 5. The SD-WAN rule for traffic from the internal network uses the 'best quality' strategy. During normal operation, traffic flows through Member1. After a link failure on Member1, traffic correctly fails over to Member2. However, when Member1 is restored, traffic does not fail back. What is the most likely cause?

A.The static route for Member1 has a higher administrative distance than Member2.
B.The health-check for Member1 is configured with 'set probe-mode passive' and 'set update-static-route disable'.
C.The SD-WAN rule is configured with 'set fallback' disabled.
D.The priority of Member2 is higher than Member1.
AnswerB

Passive monitoring does not trigger fallback; update-static-route must be enabled for the route to be reinstated when the link recovers.

Why this answer

Option B is correct because when 'set probe-mode passive' is configured, the health-check server only monitors the link without actively generating probe traffic, and 'set update-static-route disable' prevents the static route associated with Member1 from being re-enabled after the link is restored. This means the route remains inactive, so SD-WAN cannot fail back to Member1 even though the physical link is up.

Exam trap

The trap here is that candidates assume failback is automatic with SD-WAN, but FortiGate requires explicit configuration of route updates or probe modes to re-enable a restored link; the 'best quality' strategy alone does not handle failback without proper health-check settings.

How to eliminate wrong answers

Option A is wrong because a higher administrative distance would make the route less preferred, but the question states traffic flows through Member1 normally, so its route must have a lower or equal AD; the issue is about failback, not initial selection. Option C is wrong because 'set fallback' is not a valid SD-WAN rule parameter; the correct parameter for controlling failback behavior is 'set update-static-route' or 'set probe-mode', not a 'fallback' toggle. Option D is wrong because priority 10 is higher than 5, making Member1 preferred; if Member2 had higher priority, traffic would not have flowed through Member1 initially.

200
MCQmedium

An administrator is troubleshooting BGP with SD-WAN. They have configured BGP on the FortiGate and the SD-WAN rule uses 'best quality' strategy. However, failover does not happen when a WAN link goes down. The BGP session is still up. What is the most likely reason?

A.The performance SLA is not configured to track the BGP next hop.
B.The SD-WAN rule is configured with 'set update-static-route disable'.
C.The BGP session is using eBGP multihop.
D.The load balancing algorithm is set to 'volume'.
AnswerA

For SD-WAN to detect a link failure, the performance SLA must monitor the actual path to the BGP next hop or the Internet. The BGP session may remain up via an alternate path while the link itself is degraded.

Why this answer

SD-WAN failover relies on performance SLA probes to measure link quality. If the BGP session is still up but the link is slow or lossy, the SLA will detect the degradation and trigger failover. Without SLA monitoring, link down events might not be detected if BGP session stays up via a backup path.

201
MCQeasy

A FortiGate is configured with SD-WAN using load balancing algorithm 'source-dest-ip'. What is the primary characteristic of this algorithm?

A.Traffic is sent to the member with the highest bandwidth.
B.Traffic is sent to the member with the lowest cost metric.
C.Traffic is distributed evenly across all SD-WAN members regardless of source or destination.
D.All traffic from the same source IP to the same destination IP uses the same SD-WAN member.
AnswerD

Source-dest-ip hashing ensures that traffic belonging to the same source-destination pair is consistently sent over the same link, preserving session affinity.

Why this answer

The source-dest-ip algorithm uses a hash of source and destination IP addresses to select the outgoing interface, ensuring that all packets of a given session go through the same link.

202
MCQmedium

An administrator needs to apply different routing policies for traffic based on source IP address, overriding the normal routing table. Which feature should be configured?

A.Prefix list
B.SD-WAN rule
C.Route map
D.Policy-based routing
AnswerD

PBR makes forwarding decisions from match criteria such as source IP rather than from the routing table alone.

Why this answer

Policy-based routing (PBR) allows routing decisions based on criteria like source IP, protocol, etc., overriding the routing table.

203
Matchingmedium

Match each FortiGate interface type to its usage.


Hardware network port

Virtual LAN subinterface

Virtual interface for management or routing

Combines multiple physical links for redundancy

Link aggregation (LAG) for increased bandwidth

Why these pairings

These interface types are configurable on FortiGate.

204
Multi-Selecthard

Which TWO statements correctly describe the behavior of SD-WAN rules when using the 'maximize-bandwidth' strategy?

Select 2 answers
A.The strategy ensures that all traffic uses the member with the highest bandwidth.
B.The administrator can assign different weights to members to influence the proportion of traffic each handles.
C.If a member fails its health-check, it is removed from the set of eligible members for the rule.
D.Traffic from a single session can be split across multiple members for better performance.
E.Traffic is distributed based on session count to keep each link equally utilized.
AnswersB, C

Weights can be set per member to control the load-balancing ratio.

Why this answer

Option B is correct because the 'maximize-bandwidth' strategy in SD-WAN rules uses weighted load balancing, where the administrator assigns weights to each member link. The proportion of traffic each member handles is directly proportional to its assigned weight, allowing fine-grained control over bandwidth utilization across multiple WAN links.

Exam trap

The trap here is that candidates often confuse 'maximize-bandwidth' with simple 'load balancing' or assume it splits individual sessions, when in fact it uses weighted distribution while maintaining per-session stickiness and relying on health checks for member eligibility.

205
MCQeasy

A FortiGate is configured with ECMP routing to balance traffic across two default routes via two ISPs. The administrator wants to ensure that traffic from the same source-destination pair always uses the same ISP. Which ECMP load balancing method should be configured?

A.source-dest-ip
B.source-ip
C.per-packet
D.session
AnswerA

Why this answer

ECMP in FortiGate supports several load balancing methods, including source-destination IP hash. To keep traffic from the same source-destination pair consistent, use source-dest-ip hashing. Option A is correct.

Option B hashes on the source address only. Option C is per-packet (not typical). Option D is session-based.

206
MCQmedium

Which feature allows a FortiGate to use multiple VRFs to separate routing tables for different customers or departments on the same physical device?

A.SD-WAN
B.VDOM
C.VRF
D.Policy-based routing
AnswerC

VRF creates separate routing tables.

Why this answer

VRF (Virtual Routing and Forwarding) enables multiple independent routing table instances on a single FortiGate, allowing traffic separation without additional hardware.

207
MCQmedium

A network administrator is troubleshooting a BGP session between a FortiGate and an ISP router. The administrator runs 'get router info bgp summary' and sees that the BGP state is 'Active'. What does this state indicate?

A.The BGP speaker is trying to establish a TCP connection with the peer
B.The BGP session is administratively down due to a configuration error
C.The BGP speaker is waiting for a routing update from the peer
D.The BGP session is fully established and exchanging routes
AnswerA

Why this answer

In BGP, the 'Active' state means that the router is trying to initiate a TCP connection to the peer but has not yet established it. This usually indicates a connectivity issue between the peers, such as a firewall blocking port 179 or incorrect IP addressing. Option A is correct.

Option D describes the 'Established' state. Option C describes the 'Connect' state. Option B is not a BGP state.

208
MCQhard

A FortiGate is configured with two WAN members in an SD-WAN zone. The performance SLA monitors latency to a probe server. The rule uses 'best quality' strategy. After some time, one member fails the SLA. Which action does the FortiGate take for existing sessions that were using that member?

A.All sessions are dropped and the member is removed from the zone
B.Existing sessions are re-evaluated and may be moved based on policy
C.Existing sessions are immediately moved to another member
D.Existing sessions continue on the failed member until they timeout
AnswerD

Only new sessions are affected.

Why this answer

When a member fails the SLA, only new sessions are redirected to other members that meet the SLA. Existing sessions continue on the failed member until they expire or are terminated. The 'best quality' strategy does not preemptively move existing sessions.

209
MCQmedium

A FortiGate administrator is integrating a FortiSwitch managed by the FortiGate. They want to configure a VLAN interface on the FortiSwitch for user traffic. Which configuration is required on the FortiGate?

A.Enable DHCP relay on the FortiSwitch VLAN
B.Configure a VLAN on the FortiSwitch under the switch controller and assign it to a port
C.Use the config system interface to create a VLAN on the FortiGate and tag it on the trunk
D.Create a VLAN subinterface on the FortiGate's port that connects to the FortiSwitch
AnswerB

Under config switch-controller, you create a VLAN and assign it to switch ports.
