NSE 7 SDWAN


For each managed gateway in VPN manager what do you configure (4)

- Protected subnets
- Gateway role (hub, spoke, and so on)
- Interface where the tunnel terminates
- Advanced settings (peer ID, IKE mode config)

What is FortiManager

- Single pane of glass management
- Minimizes initial setup costs and ongoing operating expense of large deployments
- Helps maintain regulatory compliance
- Reduces WAN usage with a local FortiGuard cache server
- Provides centralized device management
- Automates device provisioning and maintains policies
- Provides logging and reporting
Other:
- Mass provisioning
- Scheduled rollout of configuration changes
- Maintaining, tracking, and auditing changes
- Provisioning firewall policies
- Central configuration repository
- Deploy and manage complex star and mesh VPNs
- FDS
- Script and automate device provisioning, policy changes, etc.

Key features of FortiManager (9)

- Centralized management
- Administrative domains
- Configuration revision control and tracking
- Local FortiGuard service
- Firmware management
- Scripting
- Manager panes
- Logging and reporting
- Pay-as-you-go licensing through the Fortinet VM on-demand program

When configuring SDWAN members, what do you set the gateway to when using a DHCP/PPPoE interface

0.0.0.0

What are the quick mode selectors set to for ADVPN configuration

0.0.0.0/0

UDP session state values

00 when traffic is one-way
01 when traffic is two-way

Client side states (TCP proto state numbers)

0 = none
1 = established
2 = SYN
3 = SYN/ACK
4 = FIN wait
5 = time wait
6 = close
7 = close wait
8 = last ACK
9 = listen

How many SDWAN interfaces per VDOM

1

If a performance SLA has multiple SLA targets how many can be used as a "required SLA target" for the lowest cost (SLA) outgoing interface strategy

1 from the same performance SLA, but multiple SLA targets can be selected

Steps to configure SDWAN in FortiManager (6)

1) Enable SDWAN in central management settings for the ADOM
2) Create health check servers
3) Create interface members
4) Configure the SDWAN template (interface members, SLA with health check server, rules)
5) Assign devices to the template
6) Configure the SDWAN firewall policy with the SDWAN interface

What are the five load balancing modes for IPSec tunnel aggregation

1) Round robin: traffic is balanced per packet
2) L3: traffic is balanced based on layer 3 header information
3) L4: traffic is balanced based on layer 4 header information
4) Redundant: all traffic is sent through the tunnel that came up first; other tunnels are used for backup
5) Weighted round robin: traffic is load balanced in a round robin manner based on the link weights configured for each tunnel

Describe the flow that FortiGate follows to select an outgoing interface based on the Lowest Cost (SLA) strategy (3)

1) SLA targets: FortiGate checks the SLA target requirements to select or eliminate outgoing interfaces
2) Cost: FortiGate checks the cost as the second criterion (cost is specified on the interface when you add it to SDWAN)
3) Interface preference: FortiGate checks the interface preference as the third criterion (the order in which it is listed)

Steps to configure SDWAN with zero touch deployment

1) Add the FortiGate cloud key to FortiCloud
2) Set up and assign a configuration template to redirect the FortiGate to FortiManager
3) Plug in the FortiGate to obtain a DHCP address
4) FortiGate obtains the central management config from FortiCloud
5) Authorize the FortiGate in the FortiManager root ADOM
6) Create an SDWAN template and push it to the FortiGate

Steps for zero touch provisioning with SDWAN (FortiDeploy)

1) Add the FortiGate cloud key to FortiCloud
2) Set up the configuration template with the central management configuration to redirect the FortiGate to FortiManager
3) Connect the FortiGate to a DHCP server and turn on the FortiGate
4) FortiGate receives an IP from the DHCP server and establishes a management tunnel with FortiCloud
5) FortiGate completes zero touch provisioning by obtaining the central management config from FortiGate Cloud
6) FortiGate appears as an unauthorized device in the FortiManager root ADOM
7) Authorize the FortiGate and assign an SDWAN template
8) Install the SDWAN configuration on the FortiGate

5 steps of zero touch provisioning with FortiDeploy

1) Add the FortiGate cloud key to the FortiGate Cloud panel
2) Set up a configuration template
3) Connect the FortiGate egress port to obtain a DHCP IP address
4) FortiGate receives an IP from the DHCP server and establishes a management tunnel with FortiGate Cloud
5) FortiGate completes zero touch provisioning by obtaining the configuration from the platform template in FortiGate Cloud

Application aware SDWAN

Application aware: visibility into 3000+ apps and app-level transactions for better SLA

Five advanced SDWAN features the FortiGate offers

1) Application aware: visibility into 3000+ apps and app-level transactions for better SLA
2) Multi-path intelligence: dynamic WAN link selection using SLA strategies and automated failover capabilities
3) Multi-broadband supported: transport independent, with support for Ethernet and 3G/4G, and aggregates multiple interfaces into a single interface
4) Simplified monitoring: high-level monitoring of SDWAN devices on a map and detailed application monitoring
5) Certified security: the most verified security, such as NSS Labs, and high-performance security processor technology

Describe ADVPN message exchange (10)

1) A client behind spoke 1 generates traffic for devices located on spoke 2's network
2) Spoke 1 receives the packet, encrypts it, and sends it to the hub
3) The hub receives the packet from spoke 1 and forwards it to spoke 2
4) Spoke 2 receives the packet, decrypts it, and forwards it to the destination device
5) The hub knows that a more direct tunnel option might be available from spoke 1 to spoke 2 and sends a shortcut offer message to spoke 1
6) Spoke 1 acknowledges the shortcut offer by sending a shortcut query to the hub
7) The hub forwards the shortcut query message to spoke 2
8) Spoke 2 acknowledges the shortcut query and sends a shortcut reply to the hub
9) The hub forwards the shortcut reply to spoke 1
10) Spoke 1 and spoke 2 initiate the tunnel IKE negotiation

4 steps to configuring and using BGP tags in SDWAN rules

1) Configure the community list
2) Configure the route map: match the community and set the route tag
3) Configure BGP and apply the route map to the BGP neighbor
4) Configure the SDWAN rule and apply the route tag

What are the steps to configure VPNs with VPN manager on fortimanager (5)

1) Create a VPN community
2) Add gateways (members) to the community
3) Install the VPN community and gateway configuration
4) Add firewall policies
5) Install firewall policies

8 steps to get SDWAN orchestrator set up and configured

1) Enable SDWAN orchestrator
2) Plan the SDWAN network
3) Create shared resources
4) Create profiles for hub and edge devices
5) Add FortiGate devices to FortiManager
6) Add devices to SDWAN orchestrator and install SDWAN configurations
7) Install firewall policies to the FortiGate devices
8) Monitor the SDWAN network

Steps to use zero touch provisioning on a FortiGate without internet access (5)

1) Register the FortiGate on FortiManager
2) Connect the FortiGate to a DHCP server configured with option 240 or 241 carrying the FortiManager IP or FQDN
3) Start the FortiGate
4) FortiGate is assigned an IP by the DHCP server and is provided with the FortiManager information
5) FortiGate configures itself with the FortiManager IP for central management

Routing table lookup process

1) Regular policy routes: if the packet matches a policy route, traffic is forwarded; if it matches a policy route whose action is "stop policy routing", FortiGate checks the route cache
2) SDWAN rules
3) Route cache
4) FIB

Describe the XAuth exchange

1) The server (responder) sends a CFG_REQUEST packet
2) The client (initiator) sends a CFG_REPLY packet containing the user credentials
3) If authentication is OK, the server sends a CFG_SET
4) The client replies with a CFG_ACK

What 7 settings need to be changed from their default values when configuring ADVPN from FortiManager VPN Manager

1) Set protected networks to all
2) Enable ADVPN in the IPsec phase 1 with a script
3) Ensure that the add-route option is disabled on the hub
4) Enable net-device on the spokes with a script
5) Configure IP addresses on the IPsec virtual interfaces
6) Configure dynamic routing and use a script to enable route reflector if using iBGP
7) The phase 1 name will be automatically created by FortiManager as phase1name_0

How many bytes in a MB

1,000,000

Range for the weight for volume and session based load balancing on a member

1-255

How long does FortiOS store the SLA metrics for each interface of every health check (link quality measurements)

10 minutes

What is the default threshold at which FortiGate fails over to the second link (based on interface preference) for the SDWAN best quality strategy

10%

What percentage, by default, does SDWAN use to fail over to the next link when best quality is the SDWAN rule strategy, and how can you change this default

10%
config system virtual-wan-link
  config health-check
    edit <name>
      config sla
        edit <id>
          set link-cost-threshold <value>

Sum of guaranteed-bandwidth-percentage of all shaping groups in one shaping profile must be no bigger than _____

100%

kb vs KB

Kilobit vs kilobyte
1000 bits vs 8000 bits
125 bytes vs 1024 bytes
1 kbit = 0.125 KB

What proto state are the kernel routes for the members participating in the performance SLA set to

17

What is the default class ID for traffic shaping groups

2

How many digits is the protocol state in the session table, and what do the two digits mean

2. The first digit identifies whether the session is in proxy or flow mode (server-side state); the second digit identifies the client-side state

Multi-path intelligence SDWAN

Multi-path intelligence: dynamic WAN link selection using SLA strategies and automated failover capabilities

What class IDs are within acceptable range for traffic classification by groups

2-31

How many route lookups does FortiGate usually perform

2. One on the first packet from the originator and one on the first packet from the responder

Which DHCP options are used for zero touch provisioning on a FortiGate without access to the internet

240: FortiManager IP
241: FortiManager FQDN

Multi-broadband supported SDWAN

Multi-broadband supported: transport independent, with support for Ethernet and 3G/4G, and aggregates multiple interfaces into a single interface

How many traffic shaping groups can you configure

30 (class IDs 2-31)

For the link quality measurements, the latency and jitter displayed on the graph and the percentages are based on the last _____ probes from the server that the performance SLA is using. The packet loss percentage is calculated from the last ________ probes from the server that the performance SLA is using.

30 probes
100 probes

How many SAs does a hub have to maintain if there are 16 remote sites

32

300 kbps in kilobytes per second (KBps)

37 KBps

Simplified monitoring SDWAN

Simplified monitoring: high-level monitoring of SDWAN devices on a map and detailed application monitoring

Certified security SDWAN

Certified security: the most verified security, such as NSS Labs, and high-performance security processor technology

In which FortiOS version was ADVPN introduced

5.4

How many entries can the dynamic ISDB database hold

512

Explain how this per-IP setting would apply to a traffic shaping policy:
Max bandwidth: 5000 kbps
Max concurrent connections: 5

5 Mbps per IP on the network. If there are ten users, it totals 50 Mbps of outgoing traffic. Each user will be allocated 5 Mbps of max bandwidth and five concurrent sessions at a time

Which FortiOS versions support OCVPN

6.2.0 and later

Since which FortiOS version has SDWAN supported ADVPN

6.2.1

What is the default interval at which FortiGate tries to fetch OCVPN-related data from the OCVPN cloud, and what is the configurable range

60 minutes
Configurable between 30-120 minutes

What is traffic shaping

A bandwidth management technique that prioritizes specific traffic over other traffic whose potential loss would be less damaging. It attempts to normalize traffic peaks and bursts to prioritize certain flows over others, adjusting how your FortiGate allocates resources to different traffic types to improve the performance and stability of latency-sensitive or bandwidth-intensive network applications

What is the ISDB

A database of well known internet service definitions made of public IP addresses and destination ports

What must be defined for unclassified traffic on a traffic shaping profile

A default class ID, so that all traffic that doesn't match a group is matched to the default class ID

What is an ISDB entry made of

- A direction, which can be destination, source, or both
- A reference to an IP range internal list
- A reference to an IP number

What happens after you have enabled SDWAN and configured the member interfaces and the load balancing method?

A logical interface called SDWAN is added to the interface list

What is the link health monitor

A mechanism that detects when a router along the path is stopped or degraded

Describe IKE mode configuration (What is it, when does it occur, describe exchange)

A method for automatically configuring the IP settings of IPsec clients. It occurs after phase 1 is up and XAuth is completed, but before phase 2. The following exchange occurs:
1) The client sends a CFG_REQUEST message listing the required IP settings
2) The server replies with a CFG_REPLY containing the assigned values for each attribute requested

What is a shared shaper

A shared shaper applied to a policy means all traffic matching the policy will share the bandwidth that is allocated. Using a shared shaper you can reserve guaranteed bandwidth as well as maximum bandwidth. Packets will be dropped if the maximum is exceeded

What is IPsec

A suite of protocols for authenticating and encrypting traffic between two peers. The two most used protocols in the suite are: IKE, which does the handshake, tunnel maintenance, and disconnection; and ESP, which ensures data integrity and encryption

What is SDWAN (3)

- A virtual interface consisting of a group of member interfaces that can be connected to different link types
- Allows effective WAN usage with various load balancing algorithms
- Supports link quality measurement

SDWAN ASIC specs

- A53 quad-core @ 1.4 GHz
- DDR4-32B @ 2400
- 28,000 DMIPS
- 18x network ports
- 36 Gbps throughput
- 18 Gbps IPsec throughput
- CAPWAP support

What is an ADOM

ADOMs enable the admin account to create groupings of devices for administrators to monitor and manage. They divide the administration of devices by grouping them based on management criteria, and control and restrict admin access

Four main FortiManager wizards

- Add device
- Install wizard
- Import policy
- Reinstall policy

What is adding a model device in FortiManager and SDWAN orchestrator

Adding an offline FortiGate by its serial number

How does SDWAN simplify configuration

Admin can configure a single set of routes and firewall policies and apply them to all member interfaces

What is the time wait client state (5)

After a FIN/ACK is sent, the FortiGate keeps the session in the session table for a few more seconds to allow for any out-of-order packets

When is the session flagged as may_dirty

After traffic is evaluated against the firewall policies and allowed, the session is flagged (usually on the first packet of a new session)

Where do you configure protected subnets in FortiManager VPN Manager

All VPN communities

What will be the output of the command: get router info kernel | grep "proto=17"

All the FIB route entries that are used to reach the servers defined on the performance SLA page over each participant interface

Source IP based load balancing

All traffic from a source ip is sent to the same interface

What are SDWAN rules for

Allow you to specify which traffic you want to route through which interface based on different strategies

What is FortiDeploy

Allows admins to add FortiGate and FortiAP devices in bulk to their FortiGate Cloud or FortiAP Cloud accounts. It then allows admins to select a configuration template and operating system to deploy with the newly added devices.

Application control shaping

Allows bandwidth control on specific applications, application categories, and URL categories. Application control must be enabled on the IPv4 policy for application control shaping to work, and web filter must be enabled on the IPv4 policy for URL category shaping to work

What is an SDWAN template in FortiManager, and what are its 4 components

Allows you to add your SDWAN components to a single template. You can add interface members, performance SLA, SDWAN rules, and neighbor

Customized profile option for the quality criteria field in the best quality strategy SDWAN rule and what is the equation

Allows you to estimate the quality of a link based on a combination of the same three performance measures (plus bandwidth), determined by an equation:
Link quality = (a * latency) + (b * jitter) + (c * packet loss) + (d / bandwidth)

What is zero touch provisioning (FortiDeploy)

Allows you to provision and configure FortiGate and FortiAP devices automatically from FortiCloud or FortiManager. Admins can use the FortiDeploy feature to configure all devices simultaneously and manage them all with a single click

FortiMeter

Allows you to turn FortiOS VMs and FortiWeb VMs on and off as needed, paying only for the volume of traffic that you use. These VMs are also sometimes called pay-as-you-go VMs. You must have a FortiMeter license, and the FortiMeter license must be linked with FortiManager using FortiCare

If all phase 1 settings are configured the same for two IPsec tunnels, how does the FortiGate choose between the two

Alphabetical order

What is forward error correction

An IPsec phase 1 setting that adds additional packets with redundant data. The recipient can use this redundant information to reconstruct any lost packet or any packet that arrives with errors. The feature increases bandwidth usage but improves reliability on lossy or noisy links.

What is SDWAN orchestrator (3)

An application that is released and signed by Fortinet to run on FortiManager. It is part of the management extensions on FortiManager. It is used for configuring and monitoring SDWAN networks on FortiGate devices that are managed by FortiManager. It simplifies centralized deployment and enables automation

What is automatically generated when you enable SDWAN

An implicit rule designed to balance the traffic among all the available SDWAN member links based on source IP

When the hub forwards a spoke's shortcut query (IKE message) to the desired spoke, what does spoke 2 send to the hub to be forwarded to spoke 1

An IKE message (shortcut reply) containing its public IP

What needs to be enabled in order for application and URL category shaping to work

Application control and web filter profiles on the IPv4 policy

What two databases can SDWAN use to steer traffic along a specific link

- Application control database
- ISDB

What must be applied to a firewall policy if you specify an application in an SDWAN rule

Application control profile allowing the SDWAN traffic

IP DSCP app method

Application identification method. SDWAN rules are matched based on differentiated services code point (DSCP) values. Traffic must be marked with IP DSCP before reaching the FortiGate

Application control app method

Application identification method. FortiGate identifies applications based on signatures. The well-known app list is updated from FortiGuard automatically. The method requires a learning phase, during which the first session is used to identify the application and may not match the expected SDWAN rule. After the initial learning phase, dynamic cache entries are stored in the ISDB to avoid the learning phase again

ISDB app method

Application identification method. The Internet Service Database is a DB of well-known internet service definitions made of public IP addresses and destination ports. It is updated from FortiGuard and identifies the application immediately. It does not include all internet services

Custom application control app method

Application identification method. Users can define a custom application control signature.

Custom ISDB app method

Application identification method. Uses a user-defined ISDB. Admins can create custom services and can group them into service groups. The method is flexible and identification is also fast, but it requires manual maintenance.

FQDN app method

Application identification method. Uses fully qualified domain name firewall addresses as destinations. FortiGate uses DNS to resolve the FQDN to IP addresses. It's simple and fast, but not as accurate for cloud services or for most well-known internet services

How does SDWAN install routes for its member interfaces into the routing table

As individual routes

What are the requirements to be an alive member

As long as its configured failure threshold (link status check) has not been reached, the SDWAN member will be in the alive state even though it is failing to meet the SLA target requirements

How are VPN settings stored on FortiManager for VPN Manager

As objects in the objects database

After configuring all SDWAN settings, what two important steps do you need to do for SDWAN to be applied

- Assign the template to a device
- Create a firewall policy

How many member interfaces need to be specified for SDWAN interface

At least 2

If a FortiGate device has multiple dial-up VPNs using pre-shared keys and sharing the same local gateway, proposal, and DH group, what do you need to do for the FortiGate to identify the correct VPN configuration for each incoming proposal

At least one tunnel must use aggressive mode, or both use aggressive mode with different peer IDs

FortiGate SDWAN configuration requirements (4)

- At least two member interfaces
- Interfaces should not be referenced by another configuration element
- Supports aggregate, VLAN, and IPsec interfaces
- Only one SDWAN interface per VDOM

What does the IKE SA consist of

At the IKE level, a single IKE SA is established to handle secure communications both ways between the two peers. The following is an example of the type of information that would be included in an IKE SA:
- Authentication method used: MD5
- Encryption and hash algorithm: 3DES
- DH group used: 2
- Lifetime of the IKE SA in seconds or kilobytes: 86,400
- Shared secret key values for the encryption algorithms

What does the IPsec SA consist of

At the IPsec level, SAs are unidirectional, one for each direction. A separate IPsec SA is established for each direction of a communication session. Each IPsec SA consists of security parameter values, such as a destination address, a unique security parameter index (SPI), the IPsec transforms used, the security keys, and additional attributes, such as the IPsec lifetime. The SPI value becomes a unique record identifier (key field) linked to the SA parameters in the Security Parameter Databases in the RAM of the peer devices. Each IPsec SA consists of values such as:
- Peer (destination) address: 10.1.1.23
- Security parameter index (SPI): 7C123A9C
- IPsec transforms used: AH, HMAC-SHA-1
- Security keys: 12345CD8765EF432A
- Additional attributes (such as IPsec lifetime)

How do you configure session route persistence, and what is the default

At the interface level:
config system interface
  edit <interface>
    set preserve-session-route (enable | disable)
disable (default): FortiGate flushes all routing information from the session table after a route change and performs new routing lookups for new packets
enable: FortiGate marks existing session routing information as persistent and only applies the modified routes to new sessions

What extra option is there to enable as an outgoing interface strategy for the SDWAN rules in the CLI

Auto: FortiGate will select an SDWAN member based on the quality of the link

What commands need to be enabled on what devices for ADVPN (3)

- auto-discovery-forwarder enabled on the interface that connects two hubs together
- auto-discovery-sender enabled on the hub interface connected to the spokes
- auto-discovery-receiver enabled on the spoke interface connecting to the hub

What routing protocols does ADVPN support (3)

- BGP
- OSPF
- RIPv2/RIPng

SDWAN rule strategy: best quality

Based on the performance of the link. It will prefer the interface that is added to the list first and won't switch to the next member until the quality of the preferred link is 10% or more worse than the quality of the next link in the list. 10% is the default, but it can be changed with the set link-cost-threshold command

Why should you configure SDWAN early

Because you cannot use a member interface if the interface is referenced by a firewall policy or static route

Which SDWAN strategy rules require you to specify an SLA

- Best quality
- Lowest cost
- Maximize bandwidth

What SDWAN rule strategy does not use an SLA TARGET

Best quality (link cost threshold based on latency, jitter, packet loss, or custom)

What SDWAN rule strategy requires estimated upstream and downstream bandwidth to be configured on the interface (hint 3)

Best quality with criteria: bandwidth
- Upstream bandwidth
- Downstream bandwidth

Phase 1 of IPsec negotiation uses a single ______ ___ and phase 2 uses two ______, one for each _____

Bidirectional SA
SAs, one for each traffic direction

What must you do on an application control profile if you are using Google signatures in an SDWAN rule

Block QUIC traffic

Give an example of when priority would come into play for a traffic shaping profile on an interface

Both class 2 and class 3 will be assigned their guaranteed bandwidth first: 20 each out of 100. Then the remaining 60 will be allocated to class 2 because of its higher priority.

How is an ISDB entry identified

By a number starting from 65536

How are the ISDB and application control databases maintained

By FortiGuard

How can traffic be classified

By the traffic shaping policy, into different groups (class IDs) based on matching criteria. Set the "then" action to "assign shaping class ID" instead of "apply shaper"

What is QoS?

Quality of service: the capability to adjust some quality aspects of your overall network traffic

Failover parameters for SLA (3)

- Check interval
- Failures before inactive
- Successes before restore

What are the acceptable value ranges for the link status configuration:
- Check interval
- Failures before inactive
- Restore link after

- Check interval: 500-3600
- Failures before inactive: 1-3600
- Restore link after: 1-3600

What do the following fields under link status mean:
- Check interval
- Failures before inactive
- Restore link after
- Update static route

- Check interval: the probe is sent every _____ milliseconds
- Failures before inactive and restore link after: settings that help prevent the system from continuously transferring traffic back and forth between links (known as flapping)
- Failures before inactive: switches to dead after x consecutive unanswered requests from both servers
- Restore link after: switches back to alive after x consecutive responses from one of the two servers
- Update static route: automatically disables static routes for inactive interfaces and restores the routes on interface recovery

config system settings
  set firewall-session-dirty (check-all | check-new | check-policy-option)
What does each option mean

- check-all: default; all policy information is removed from sessions affected by a policy change. When new packets are received they are re-evaluated
- check-new: existing sessions are unaffected; new sessions are evaluated against the modified policies
- check-policy-option: sessions are handled based on the firewall policy configuration

What does the best quality SDWAN rule use the performance SLA for

It chooses the link based on latency, jitter, packet loss, or a custom profile, and uses the SLA for these values

Three steps to configuring interface based shaping

1) Classify traffic into different groups using a traffic shaping policy
2) Configure the traffic shaping profile: assign a percentage-based value for guaranteed and maximum bandwidth, along with a priority, to each group
3) Assign the shaping profile to an interface with outbound bandwidth configured

Command to get details on an ISDB ID (shows ID, name, direction, ip-range-number, ip-number)

config firewall internet-service
  edit <ID>
    get

Command to enable or disable ISDB entries in the CLI

config firewall internet-service-extension
  edit <ID>
    config disable-entry
      ...
Use diagnose internet-service id-summary to get the ID

Command to apply traffic shaper to firewall policy

config firewall policy
  edit <ID>
    set traffic-shaper <shaper name>
    set traffic-shaper-reverse <shaper name>
    set per-ip-shaper <shaper name>

True or false? You can apply a traffic shaper to a firewall policy

True:
config firewall policy
  edit <ID>
    set traffic-shaper <shaper name>
    set traffic-shaper-reverse <shaper name>
    set per-ip-shaper <shaper name>

When check-policy-option is configured for global session handling, what is the command to modify the behavior per policy

config firewall policy
  edit <ID>
    set firewall-session-dirty (check-all | check-new)
  next
end

Command to configure a per-IP shaper

config firewall shaper per-ip-shaper

Command to configure a shared shaper

config firewall shaper traffic-shaper

CLI command to configure traffic shaping group

config firewall shaping-policy
  edit <ID>
    set name <name>
    set service <service>
    set srcaddr <address>
    set dstaddr <address>
    set dstintf <interface>
    set class-id <class ID>

Command to configure traffic shaping profile in CLI

config firewall shaping-profile
  edit <name>
    set default-class-id <class ID>
    config shaping-entries
      edit 1
        set class-id <class ID>
        set priority <priority>
        set guaranteed-bandwidth-percentage <percent>
        set maximum-bandwidth-percentage <percent>
      next
      edit 2
        set class-id <class ID>
        ...
      next
    end
  next
end

Command to configure BGP with route map to apply route tag

config router bgp
  config neighbor
    edit <neighbor IP>
      set route-map-in "<name of the route map that has the community list and tag>"

What needs to be enabled in the iBGP configuration on the hub so that routes learned from one spoke are forwarded to the other spokes

config router bgp
  config neighbor-group
    edit <group name>
      set route-reflector-client enable

Command to configure community list

config router community-list
  edit "1:2"
    config rule
      edit 1
        set action permit
        set match "1:2"
      next
    end
  next
end

Command to configure policy routes

config router policy

Command to configure route map with community list and route tag

config router route-map
  edit "<name>"
    config rule
      edit 1
        set match-community "1:2"
        set set-route-tag <tag number>
      next
    end
  next
end

Command to configure a static route with SDWAN interface

config router static
  edit <ID>
    set dst 0.0.0.0 0.0.0.0
    set virtual-wan-link enable
  next
end

Command to force sessions to stay on the same SDWAN member after a route change

config system interface
  edit <SDWAN member>
    set preserve-session-route enable

Command to apply a traffic shaping profile and outbound bandwidth on an interface

config system interface
  edit <wan1 | wan2>
    set outbandwidth <kbps>
    set egress-shaping-profile <profile name>

Command to configure the time to wait before a packet is considered lost

config system virtual-wan-link
  config health-check
    edit <name>
      set probe-timeout <500-5000>   (milliseconds)

Command to configure an SLA target

config system virtual-wan-link
  config health-check
    edit <name>
      config sla
        edit <ID>
          set link-cost-factor [latency | jitter | packet-loss]
          set latency-threshold <1-10000000>
          set jitter-threshold <0-10000000>
          set packetloss-threshold <0-100>

Command to configure an SDWAN rule

config system virtual-wan-link
  config service
    edit <ID>
      set name <name>
      set addr-mode <ipv4 | ipv6>
      set input-device <interface>
      set mode <priority | auto | manual | sla | load-balanced>
      set src "all"
      set input-device-negate disable
      set src-negate disable
      set health-check <name>
      ...

Command to set members for the performance SLA

config system virtual-wan-link
  config health-check
    edit <name>
      set members <0,1,2>

When SNAT is applied to a session, what command determines the action FortiGate takes when there is a route change? What is the default?

config system global
  set snat-route-change [disable | enable]
Default is disable

Command to configure a health check for SDWAN

config system virtual-wan-link   (or config system sdwan)
  config health-check
    edit <name>
      set protocol (ping | tcp-echo | udp-echo | http | dns | twamp)
      set server x.x.x.x x.x.x.x
      set members <member IDs>
      config sla
        edit <ID>
        next
      end
    next
  end

Global session handling setting command and what is default

Config system settings Set firewall-session-dirty (check-all | check-new | check-policy-option) Check-all is default

Command to configure link status parameters in CLI

Config system virtual-wan-link Config health-check Set interval <500-3600> Set failtime <1-3600> Set recoverytime <1-3600>

Command to configure SDWAN rule with route tag

Config system virtual-wan-link Config service Edit 1 Set route-tag # applied to route map

Commands to configure sdwan

Config system virtual-wan-link Set status enable Set load-balance-mode <> Config members Edit <> Set interface <> Set gateway <> Set source <> (ip for SLA probe) Set cost <> Set priority <> Set status enable Next End

Command to set load balance mode on CLI

Config system virtual-wan-link Set load-balance-mode <load balance mode> Source-ip-based Weight-based Usage-based Source-dest-ip-based Measured-volume-based

Command to configure IPSec aggregate tunnel

Config vpn ipsec phase1-interface Edit <> Set aggregate-member enable Set aggregate-weight <> Next End

In interface mode for IPSec vpn, by default static routes are automatically added to each IPSec dial up client, what should you do if you are using a dynamic routing protocol over ipsec and do not want fortigate to automatically add static routes

Config vpn IPSec phase1-interface Edit <phase1 name> Set add-route disable

What is auto-discovery-sender enable

Configured on hub for ADVPN indicates that when IPSec traffic transits the hub, the hub should send a shortcut offer to the initiator of the traffic

What is a traffic shaping policy

Controls how and what traffic will be shaped. You will apply the shaper once the type of traffic is specified.

By default vpn zone is enabled when creating vpn communities on vpn manager, what is a vpn zone

Creates an interface Zone and adds the IPSec virtual interfaces to them

In a volume based load balancing algorithm weighted distribution is based on ____ ____ of ____ across each member.

Cumulative number of bytes

Where is a member marked dead when it fails the link status check

Dead on the health-check and in all rules associated with the performance SLA (will be removed from route if that option is enabled)

What does fortigate do when net-device is enabled in the phase 1 IPSec configuration and what is default

Default is disabled. When enabled, fortigate creates separate virtual interfaces for each dial up client and uses the destination subnets in the quick mode selectors. Tunnel name = phase1name_index

What is the per-policy option Explain enabled and disabled and which is default

Default is disabled. When disabled fortigate applies the specified shaping rules to all policies using the shaper as a whole. When enabled fortigate applies shaping rules to each policy individually

What do shaping profiles do

Define the percentage of the interface bandwidth that is allocated to each group (in max and guaranteed bandwidth) defines how different shaping groups or classes of traffic are prioritized

If add-route is enabled on IPSec interface mode configuration, what is the destination of the static route

Destination subnet that is received In the phase2 quick mode selectors

What does the session table contain

Details information about every IP connection that crosses or terminates at the fortigate

Where to configure the health check servers to be used for SDWAN in fortimanager

Device manager > sdwan > health check servers

Where to create interface members for SDWAN in fortimanager

Device manager > sdwan > interface members

Where can you monitor SDWAN status in fortimanager

Device manager > sdwan > monitor

How to filter the real-time debug of IKE

Diag debug console timestamp en Diag vpn ike log filter clear Diag vpn ike log filter ? (mdst-addr4) Diag debug app ike -1 Diag debug enable

Sniffer command to match any packet with the SYN flag on to port 443

Diag sniffer packet any 'tcp[13]&2==2 and port 443' 4

Command to show every session in detail

Diag sys session list

Command to bring IPSec tunnel up

Diag vpn tunnel up <tunnel name>

Command to collect debug information for probes, and what are the values for ICMP, UDP, HTTP and TCP probes

Diagnose debug enable Diagnose debug application link-monitor <> 1 server up down events 2 configuration changes 4 engine events 8 ICMP probes 16 UDP probes 32 TCP probes 64 HTTP probes 128 TWAMP probes 256 GRE probes 512 link detection 1024 DNS messages 2048 application messages 4096 policy route messages

Command to see ISDB list in the kernel of firewall

Diagnose firewall internet-service-app-ctrl list

Command to see policy routes

Diagnose firewall proute list

Command to view information for a per-IP shaper (shows max bandwidth, max concurrent sessions, packets dropped, bytes dropped)

Diagnose firewall shaper per-ip-shaper list name <name>

Diagnose command to view information about a shared traffic shaper (shows name, max and guaranteed bandwidth, current bandwidth, priority queue value, overhead, packets dropped, bytes dropped)

Diagnose firewall shaper traffic-shaper list name <name of shaper>

Command to get the ISDB entry summary (shows ID and name)

Diagnose internet-service ID-summary

Command to get all IPs and ports for a given ISDB entry (shows ISDB ID and name, version, timestamp, number of IP ranges, more info)

Diagnose internet-service id <>

Command if you want to get information about which ISDB entry includes a specific IP and specific port (shows ISDB ID, country, region, city)

Diagnose internet-service info <vdom name> <proto> <port> <ip>

Command to show ISDB entries that include a specific IP address (Shows ISDB ID, name, and matches number )

Diagnose internet-service match <vdom name> <ip> <netmask>

Command to check route cache

Diagnose ip rtcache list

Command to check allocated max, guaranteed and current bandwidth per class including the default class ID on an interface

Diagnose net link interface list <port> Look for egress traffic control

Command to collect different information regarding SDWAN members health checks and rules (name a few options)

Diagnose sys virtual-wan-link Member Service Health-check Neighbor Log SLA-log Internet-service-app-ctrl-list Internet-service-app-ctrl-flush

Command to collect basic information regarding SDWAN members (name some options)

Diagnose sys virtual-wan-link ? Member Service Route-tag-list Route-tag-flush Health-check Neighbor Log SLA-log Intf-SLA-log Internet-service-app-ctrl-list Internet-service-app-ctrl-flush Reset

Command to see the performance SLA health check values in the CLI

Diagnose sys virtual-wan-link health-check

Command to show details on health check

Diagnose sys virtual-wan-link health-check

Debug command for performance SLA shows port, shows state, packet loss, latency, and jitter

Diagnose sys virtual-wan-link health-check <performance SLA name>

Command to see the dynamic ISDB cache/database

Diagnose sys virtual-wan-link internet-service-app-ctrl-list

Debug command to check Interface specific SLA logs for the last 10 minutes

Diagnose sys virtual-wan-link intf-SLA-log <interface name>

Command to show detailed info about SDWAN members (shows member, interfaces, gateway, priority, weight)

Diagnose sys virtual-wan-link member

Command to reset sdwan

Diagnose sys virtual-wan-link reset

Command to see SDWAN rules, with members, member state, source, destination, and interface services

Diagnose sys virtual-wan-link service

Command to show details on SDWAN rules

Diagnose sys virtual-wan-link service <rule>

Command to show details of health check quality information in last ten minutes

Diagnose sys virtual-wan-link sla-log

Debug command to debug the link monitor probe process for SLA and what are levels

Diagnose test application lnkmtd <level> 1 show memory info 2 show VDOM monitor info 3 show fail detection info

Command to display extra routing information such as IPSec Tunnel name Bound interface Important: ipv4 route tree (Shows quick mode selectors and tunnel index)

Diagnose vpn tunnel list name <name of tunnel>

What should you do if you are running a dynamic routing protocol over ipsec

Disable add-route

By default what is the distance and priority assigned to a static route added automatically by IPSec when add-route is enabled and how can you change it

Distance 15 Priority 0 Config vpn ipsec phase1-interface Edit <phase1 name> Set distance <> Set priority <>

Describe the initial burst approach traffic shaping uses

During transitions from no traffic to having traffic, for the first second of the transition, the rate can be up to two times the configured rate. After the first second of the transition, the rate reduces to the configured rate and should stay there

What type of interfaces does SDWAN orchestrator create for generated tunnel interfaces

Dynamic interfaces with per-device mappings so they can be used on firewall policy packages

How is the ISDB updated

Dynamically updated from fortiguard servers.

Advantages and disadvantages of a hub and spoke topology

Advantages: easy to manage the VPN configuration and firewall policies; minimal system requirements for branch office devices Disadvantages: communication between branch offices through headquarters is slower than it would be using a direct connection; single point of failure

What is the first step in creating an SDWAN using fortimanager

Enable SDWAN central management for the ADOM in system settings System settings > all ADOMs > ADOM name > central management > SDWAN

What is this option for when configuring an SDWAN rule: Set input-device-negate disable | enable

Enable to include all interfaces but exclude the interfaces configured with the command "set input-device <interface>"

What is this option for when configuring an SDWAN rule: Set src-negate disable | enable

Enable to include all source addresses but exclude addresses configured with the command "set src <src>"

What is this option for when configuring an SDWAN rule: Set default disable | enable

Enable to use SDWAN as the default service. With disable, FIB lookups are done to validate the route to the destination

Interface based shaping

Enable traffic controls based on percentage of the interface bandwidth

Per ip traffic shaping

Enables you to apply traffic shaping to all source IP addresses in the security policy

Policy shaping

Enables you to define the maximum bandwidth and the guaranteed bandwidth set for a security policy

Per IP shaping

Enables you to define traffic control on a more granular level

What is ESP

Encapsulating security payload Part of the IPsec suite of protocols ensures data integrity and encryption

What is the guaranteed bandwidth option for shared shaper

Ensure there is a consistent reserved bandwidth available for traffic passing through the policy. Traffic should be significantly less than the bandwidth capacity of the interface. If not it will cause unwanted latency for other traffic passing through that shaper policy.

If a session is flagged as May_dirty and there is a policy change the session is flagged as dirty as well. Where do offloaded session packets go in this case?

Even if they are offloaded the next packet in a dirty session will go to the CPU

Why would you need to set the source ip for SDWAN probe traffic and what if it's set to 0.0.0.0

Example: if you are sending it over a VPN tunnel and only a specific subnet is allowed. If set to 0.0.0.0 then fortigate will use the primary IP address of the SDWAN member interface as the source IP

After a static route is removed (such as an SDWAN member becoming dead) what happens?

Existing sessions are revalidated

True or false: when a device is added to fortimanager it can automatically be used in SDWAN orchestrator

False. Devices must be added to SDWAN orchestrator separately

True or false. SDWAN can't be integrated with OCVPN

False. It can

True or false: NAT is not supported for ADVPN

False. It is supported by the on demand tunnels

True or false. Only one SLA target can be selected as the required SLA target for the lowest cost (SLA) outgoing interface strategy for SDWAN rules

False. Multiple can be selected. All the selected SDWAN member interfaces must satisfy ALL of the selected SLA targets to be considered as a selection for the outgoing interface

True or false. SLA targets are required

False. They are optional

True or false. You should use SDWAN manager on fortimanager first and then SDWAN orchestrator

False. You should not use SDWAN manager if using orchestrator

True or false. You have to add fortigate to fortimanager before adding it to SDWAN orchestrator

False. It is recommended to add it to fortimanager first but you can add it to SDWAN orchestrator first

True or false. Only one SLA target can be created per performance SLA

False. Multiple can be created, although there are limited scenarios where you would want to do that

True or false. The default route using SDWAN requires two gateways to be defined instead of one

False. You define associated gateways when you configure the member interfaces under SDWAN virtual interface

SDVPN dynamic spoke-to-spoke shortcuts

Feature that allows SDWAN to combine a dynamic shortcut tunnel between spokes and the static tunnel to the hub. When the static tunnel to the hub is referred to in the SDWAN rules, the rules will add a dynamic shortcut tunnel automatically when a shortcut tunnel is established

What two things can you configure with the SDWAN virtual interface instead of separate interfaces

Firewall policy and static routes

A route with a lower priority would be chosen _____

First

Why may a session not match a configured SDWAN rule in a new deployment

The first session is required as a learning phase to identify the application and may not match the expected SDWAN rule

How is VPN manager enabled on fortimanager

For each ADOM in the system settings > ADOM > ADOM name > central management

What is the "set link-cost-factor" command used for: Config sys virtual-wan-link Config service Set link-cost-factor [latency | jitter | packet-loss]

For the SDWAN rules when you select best quality for the strategy on selecting outgoing interfaces

Requirements for a fortigate to participate in OCVPN

FortiOS 6.2.0 and later Fortigate must have internet access Must be registered to forticare using the same forticare account

What four components overall make up the fortinet secure SDWAN solution

Fortigate Fortimanager Fortianalyzer Fortideploy

What happens if net-device is disabled in the IPsec phase1 config

Fortigate creates a single IPSec virtual interface that is shared by all IPSec clients connecting to the same dial up vpn. In this case the tunnel-search setting determines how fortigate learns networks behind each remote client.

Instead of the admin actively directing and pushing out devices in response to network topology changes how does OCVPN propagate these changes

Fortigate devices use device polling to propagate changes across nodes in the VPN

For the guaranteed bandwidth feature what does fortigate do if the flow does not achieve the configured rate

Fortigate increases the packet priority queue in effort to increase rate

What are the requirements to use zero touch provisioning feature (2)(fortideploy)

Fortigate must have internet access and a DHCP server must assign an IP address to the fortigate interface

What is the FIB

Forwarding Information Base is used for management and is generated by the routing process. Used for packet forwarding information. In HA the FIB exists on both members but the routing table only exists on the primary

How are SDWAN rules evaluated

From top down

What topologies does OCVPN offer

Full mesh Hub and spoke (with or without ADVPN )

Advantages and disadvantages of full mesh

Full mesh connects every location to every other location. Advantages: the topology causes less latency and requires less HQ bandwidth than hub and spoke Disadvantages: every spoke fortigate must be powerful, and administration and troubleshooting are more complicated

What protocol options are available in the GUI and CLI for link health monitor probing

GUI: Ping HTTP DNS CLI: ping http tcp-echo udp-echo twamp dns

What is it called when fortigate initially selects the wrong phase 1 and switches to a different one

Gateway revalidation

What is the implicit rule for SDWAN rules

Generated when SDWAN is enabled. Used when other conditions are not met and is designed to balance the traffic among all the available SDWAN member links

Command to verify which IPSec tunnels are up

Get ipsec tunnel list

Command to get prefixes received and next hops for each destination for BGP

Get router info BGP network

Command to see FIB

Get router info kernel

When you look at the session table you will see dev=#->#/#->#, indicating the ingress and egress interface indexes for the traffic. How do you determine which ports they are mapped to

Get router info kernel, which shows dev=#(port#) for each interface index

Command to see routing table

Get router info routing-table all

Commands to verify there are BGP prefixes being received over the tunnels

Get router info routing-table all get router info BGP network Get router info BGP neighbors <tunnel ip > received-routes Get router info BGP summary

Command to show brief summary of each session including protocol source ip, destination ip, and port

Get sys session list

Command to see total number of IPV4 sessions for the current vdom

Get sys session status

Fortimanager management layers and sub layers (3)

Global ADOM layer - Global objects, all header and footer policies ADOM layer - Common object database, devices, device groups and policy packages Device manager layer- Name and type of managed devices, addresses, revision history, real time status, model, firmware

What level is session handling for firewall policies configured at

Globally or at VDOM level if VDOMs are enabled

What utility can be used to sort through the session list (get sys session list) for a specific IP

Grep

Name some preconfigured traffic shapers

Guaranteed 100 KBPS High priority Low priority Medium priority Shared 1M pipe

What is the purpose of configuring two server beacons for link health monitor

Guards against the server being at fault and not the link

What will an on demand tunnel look like (both through a VPN created on fmg vpn manager and one directly on fortigate )

H2S_0 H2S_0_0 Phase1vpnname_0

Diagnose debug application link-monitor 64

HTTP probe debug for link monitor

What options are there for the traffic priority drop down when creating a traffic shaper

High medium low

For the RETRIEVE_CONFIG option of SDWAN orchestrators first online action what type of settings are retrieved (4ish)

Host name WAN port LAN/DMZ port Static route

What does the thickness of the line on the map represent on SDWAN orchestrator

How much traffic is flowing over the link

Diagnose debug application link-monitor 8

ICMP probe debug for link monitor

What methods does a fortigate support for automatically configuring the IP settings of IPSec clients (3)

IKE mode configuration DHCP over IPSec L2TP over IPSec

When does gateway revalidation apply (3)

IKEv1 with certificate authentication IKEv2 with preshared key authentication IKEv2 with certificate authentication

What two formats are accepted for specifying a link health monitor server

IP or FQDN

What does application control rely on to identify the application (besides signature)

IPS engine in order to identify the upper layer protocols (kernel cannot do this) kernel can only identify NTP DNS and ICMP

When OCVPN is enabled on fortigates registered to the same forticare account what is generated automatically

IPSec phase1 and 2 configuration, static routes, and firewall policies are generated automatically

What IP version does ADVPN support

IPv4 and ipv6

Format of a traffic shaping policy (___+____)

If + then

For a fortigate without internet access, that is managed by a fortimanager, what is employed to prevent fortimanager IP Spoofing (this is for FMG access on a lan or lab)

If a different fortimanager IP comes from the DHCP server at a later time fortigate will not change the central management configuration

When would an SDWAN member assigned to a performance SLA be selected over the other participating links

If it meets the SLA target and the others dont

Describe the tunnel-search setting nexthop for phase1 of a dial up vpn

If net-device is disabled and tunnel-search is set to nexthop, fortigate does not use the quick mode selectors to learn about remote networks. Fortigate will learn those routes with the assistance of a dynamic routing protocol configured to run over the IPsec tunnels

What exception is there to the usual two route lookups that fortigate performs

If there is a route change route information is flushed from affected sessions and route cache entries

When is the session flagged as blocked

If there is no matching firewall policy or it matches a deny policy

What does the phase2 route-overlap setting define

If two remote sites share the same subnets they might create overlapping static routes on the central fortigate. This phase 2 setting defines what action fortigate will take if a new remote site is connecting and there is already a remote site connected with an overlapping subnet

In what cases would SNAT-route-change enabled be used

If you are not using SDWAN or a link monitor and you have multiple ISPs and one link goes down. If you have multiple ISPs and you change a route attribute for one of the static routes, such as priority

What does it mean to add member "0" to the participants for a performance SLA and where is this done

In the CLI and it is equivalent of adding all SDWAN members to the SLA

Fortimanager management model

In the global ADOM layer you create header and footer policy rules that can be assigned to multiple ADOMs. In the ADOM layer objects and policy packages in each ADOM share a common object database; you can create, import from and install policy packages on many managed devices at once. In the device manager layer you can configure and install device settings for each device. Fortimanager compares the current configuration to the changed configuration and creates a new configuration revision on fortimanager.

Where is the ISDB loaded

In the kernel

Even though you must configure routes using SDWAN virtual interface fortigate installs _____ ______ for the member interfaces in the routing table

Individual routes

By design, traffic Shaping configured in a firewall policy, application list, or traffic shaper policy uses an ________ ______ approach

Initial burst approach

How do you push vpn settings for the fortimanager vpn manager to devices

Installing policy package

Icmp protocol state

It has no state. Proto_state is always 00

Why is it recommended to enable SSL deep inspection on policies when you use application control profiles

It improves the accuracy of application detection

What happens if you add a fortigate to SDWAN orchestrator before adding it to fortimanager

It is automatically added to fortimanager

Why would you configure cost for an SDWAN interface

It is used in the SDWAN rule strategies Lowest Cost and Maximize Bandwidth

Can OCVPN use multiple wan links at once

It supports multiple but will only use one at a time

For any incoming IPSec connection, how does fortigate select which phase1 to use

It uses the first phase 1 (in alphabetical order) that matches the following: Local gateway IP Mode (aggressive or main) Peer ID if aggressive mode is used (because aggressive mode includes the peer ID in the first packet) Authentication method (PSK or certificate) Digital certificate information Proposal DH group

If no policy routes (regular policy route or SDWAN rule) matches the traffic, fortigate will perform a FIB lookup. If the FIB resolved interface is an SDWAN member what does the fortigate do

It uses the load balancing method configured in the implicit rule

How does fortigate route properly when tunnel search is set to next hop

It uses the remote IPs for the tunnel interfaces learned through the IKE messages and interface index then routes to the destination learned through the dynamic routing protocol

How does fortigate route properly when tunnel search is set to selectors

It uses the subnets learned through the quick mode selectors and the tunnel indexes

What happens if traffic does not match any traffic shaping policies

It will go through implicit policy

How can you tell if a policy route is an SDWAN rule from the command diagnose firewall proute list

It will say vwl_service and vwl_mbr_seq

With the SDWAN rule setting configuration set to default enable + gateway enable what does fortigate do

It will select the first outbound interface in the SDWAN policy route and will skip the FIB lookup

How would a reverse shaper affect YouTube

It would affect not just upload but download speed as well

When you configure traffic shapers you configure bandwidth values as ____ but in CLI and GUI stats you see bandwidth in _____

Kilobits Kbps Kilobytes KBps

What three criteria are used to measure the quality of the links connected to the member interface participating in a performance SLA

Latency Jitter Packet loss

For the best quality SDWAN rule strategy what are the options for quality criteria

Latency Jitter Packet loss Downstream Upstream Bandwidth Customized profile

What sections make up the performance SLA

Link health monitor SLA targets Link status

Customized profile equation

Link quality = (a*latency)+(b*jitter)+(c*packetloss)+(d/bandwidth)

Process responsible for performing performance SLA probes

Lnkmtd

Common session flags (11)

Log = session is being logged Local = session is to/from local stack Ndr= session will be checked by IPS signature Nds= session will be checked by IPS anomaly Br= session is being bridged (TP mode) Npu = session can be offloaded to npu Wccp = web caching Npd = session cannot be offloaded to NPU Redir = session is being processed by an application layer proxy Authed= session was successfully authenticated Auth=session requires or required authentication

What type of traffic log and column should you use to verify that traffic is egressing the correct SDWAN member interfaces

Log and report > forward traffic Destination interface

What rule option uses SDWAN member interface cost

Lowest cost

Which SDWAN rule strategies require the SLA TARGETS

Lowest cost Maximize bandwidth

What rules require an SLA target to be defined

Lowest cost Maximize bandwidth

What will a debug flow say if a packet has exceeded the max concurrent connection limit and is denied by a per-IP shaper

MSG="blocked by quota check, dropped"

What will a debug flow say if packets have exceeded the maximum bandwidth and are being dropped by a shared shaper

MSG="exceeded shaper limit, drop"

What SDWAN rule strategy does not depend on performance SLA or SLA targets

Manual

What 4 strategies can be used for SDWAN rules to route traffic through an outgoing interface

Manual Best quality Lowest cost Maximize bandwidth

In what two views can you monitor SDWAN on fortimanager

Map view and table view

Which SDWAN rule strategy does not take cost or interface preference into consideration

Maximize bandwidth (SLA)

Link health monitor

Mechanism for detecting when a router along the path has stopped or degraded. Used so fortigate can check the status/health of each SDWAN member interface participating in a performance SLA by periodically sending probing signals through each member link to a server that acts as a beacon.

What things must be specified under an SDWAN interface (2)

Member and its associated gateway

Advantages and disadvantages of a partial mesh topology

Minimizes the resources required by a full mesh while reducing latency compared to a hub and spoke. Partial mesh is appropriate if communication is not required between every location Disadvantage: fortigate configuration is still more complex than a hub and spoke, and routing requires more planning

What is recommended to do with the policy blocks that are automatically installed to fortimanager by SDWAN orchestrator

Move them to the top of the policy package

Formula for required VPN tunnels

N sites = N(N-1)/2

What are the three first online action options to choose from when adding a device to SDWAN orchestrator

NONE: manually initiate configuration installation after adding the device to the orchestrator RETRIEVE_CONFIG: import some of the configuration settings from the device when the device comes online for the first time; settings such as host name, WAN port, LAN/DMZ port and static route are imported SYNC_CONFIG: install the SDWAN orchestrator config associated with the profile when the device comes online for the first time

What 5 options are there for PerIP traffic shaper

Name Max bandwidth Max concurrent connections Forward DSCP Reverse DSCP

When you add a fortigate device to SDWAN orchestrator what do you assign to the device

Name Profile name First online action Region

Where can you monitor SDWAN link status

Network > performance SLA > graph

What is the dual vpn wizard

Network > sdwan Edit SDWAN member Interface + vpn Used to automatically set up multiple VPN tunnels to the same destination over multiple outgoing interfaces for redundancy. Includes automatically configuring IPSec, routing and firewall settings

What is the gateway used for when configuring member interfaces

Next hop IP used to create the kernel route for each performance SLA and also used for static routes created by the SDWAN virtual interface

Are ADOMs enabled by default

No

Is cost or preference taken into consideration for the maximize bandwidth (SLA) strategy?

No, only whether the members meet the SLA targets

Where can you check OCVPN license type, device information and network topology

OCVPN portal Contains license type Device information including serial number, OCVPN rule, host name, public IP address, port number, overlays Topology

Where are configured traffic shaping profiles applied

On network > interfaces > select interface > traffic shaping

When is the session flagged as dirty

On the first packet before it is evaluated against policies, and if there is a change in policy configuration any existing may_dirty sessions will also be flagged as dirty

If you are configuring a primary hub and secondary hub for OCVPN how are overlays configured

On the primary and the cloud will sync them to the secondary

What two policy blocks does SDWAN orchestrator create on fortimanager and what are they for

One for hub devices (SDWAN_Overlay_PB_HUB) One for edge devices (SDWAN_Overlay_PB_EDGE) The policy blocks include the necessary firewall policies to allow health check and negotiate traffic for VPN tunnels

Why are two SAs required to secure traffic from peer-to-peer

One for inbound and one for outbound traffic

What direction is a shared shaper applied to

Only outbound traffic

What happens if update-static-route is enabled for the performance SLA

Only static routes for the dead member with the same next hop are removed from the routing table. Static routes for the dead member that are routed through a different next hop are kept in the RIB/FIB

Does OCVPN support vdoms

Only supported on the root vdom

How does SDWAN orchestrator work with fortimanager to install the configuration on fortigate (3)

Orchestrator automatically generates CLI scripts of the configuration. Orchestrator installs the CLI scripts to the device manager database on fortimanager. Fortimanager receives the CLI scripts and installs the configurations on fortigate

How can traffic shaping policy be used for interface based traffic shaping

Organizes traffic into groups so that a shaping profile can be applied to the groups, which defines the percentage based values for guaranteed and max bandwidth and the priority

Where in the session table can you see shared shaper information and other detailed information like packet drop counter

Origin-shaper Reply-shaper

Oif

Outgoing interface

What is OCVPN

Overlay controller vpn cloud based solution for provisioning and setting up IPSec VPN. When OCVPN is enabled on fortigate devices that are registered to forticare using the same forticare account, IPSec phase1 and 2 configuration, static routes, and firewall policies are generated automatically

What must be the same on the OCVPN config on each fortigate for the local and remote selectors pairs to be negotiated

Overlay names

SDWAN orchestrator automatically establishes _____ between all hubs

Overlays

What happens if maximum bandwidth is exceeded for traffic shaping

Packets will be dropped

What is IKE

Part of the IPsec suite which does the handshake, tunnel maintenance, and disconnection (phase 1 and phase 2). Negotiates the tunnel's private keys, authentication, and encryption. Allows parties involved in a transaction to set up their security associations

Where in the session table can you see per_ip_shaper shaper information

Per_ip_shaper

Explain IPSec aggressive mode exchange

Phase 1, 3-packet exchange: 1) client initiates by suggesting the security policies and providing its DH public value and peer ID 2) responder replies with the same information + hash 3) initiator sends its hash payload

Explain IPSec main mode exchange

Phase 1, 6-packet exchange: 1) client initiates by proposing security policies (ISAKMP policies) 2) responder selects which security policy it will agree to use and replies 3) initiator sends its DH public value 4) responder replies with its DH public value 5) initiator sends its peer ID and hash payload 6) responder replies with its peer ID and hash payload

What settings do you configure for vpn community on vpn manager

Phase 1 and phase 2; authentication and encryption settings for phase 1; Diffie-Hellman; key life; DPD; phase 2 PFS; replay detection

What phases and options are there for IKE

Phase 1 main or aggressive mode Phase 2 quick mode

What type of interfaces does SDWAN support (4+)

Physical VLAN Aggregate IPSec interfaces Others

What are the measurement techniques for SLA (5)

Ping Http TCP echo UDP echo TWAMP

Diag dvm device list on fmg Pkg: modified Cond: ok

Pkg= policy package status Cond= device database status Conn= firewall up or down Conf=configuration status Db= device database status

Where to configure traffic shapers

Policy and objects > traffic shapers

Where to create a traffic shaping policy in GUI

Policy and object > traffic shaping policy

How do you modify an ISDB in the GUI

Policy and objects > internet service database Enable or disable

Where can you see stats on traffic shapers including current bandwidth utilization And dropped bytes

Policy and objects > traffic shapers

Where to configure traffic shaping profile in gui

Policy and objects > traffic shaping profile

SDWAN rules are treated as _______ routes

Policy based routes

Proute

Policy route

What type of routes are SDWAN rules

Policy routes

Which routes take precedence on fortigates

Policy routes

Which gets checked first policy routes or SDWAN routes

Policy routes then sdwan routes

What order does fortigate perform policy lookups

Policy-based routes: if a match occurs and the action is to forward, traffic is forwarded based on the policy route. SDWAN rules. Route cache: if there are no matches, FortiGate looks for the route in the route cache. Forwarding Information Base, otherwise known as the kernel routing table: if no match occurs, the packet is dropped.

With command diagnose sys virtual-wan-link health-check what do you see

Port member State (alive or dead) Packet loss percentage Latency in ms Jitter in ms Sla_map

For ADVPN over OCVPN to work at least one device must announce its role as ____ _____

Primary hub

What role does priority assignment play when assigning bandwidth to a group or class within a traffic shaping profile

Priority decides which class can win when multiple classes are competing for available bandwidth

Pro and con of ISDB app method

Pro is it identifies an application immediately and is managed by FortiGuard. Con is that it does not contain all internet services

Pros and cons of FQDN app method

Pro is it is fast, but not as fast as the other options b/c it needs to use DNS. Con is it is not accurate for cloud services or for most well known internet services

Pro and con of IP DSCP app method

Pro is that it can help integrate SDWAN with an existing architecture. Con is that there is less control over traffic identification: it must be marked with the IP DSCP value before it reaches the FortiGate, and users or applications may interfere with marking

Pros and cons of custom ISDB app method

Pro is that it is fast and flexible; con is that it requires manual maintenance

Pro and con of application control app method

Pro is that the fortigate identifies based on app signatures and the well known app list is managed by fortiguard. Con is that it requires a learning phase to identify the application and the first session may not match the expected SDWAN rule. After the learning phase a dynamic cache entry is stored in the ISDB to avoid the learning phase

What is SDWAN orchestrator profile

Profile creates a template that defines general system, network, and business policies for devices in SDWAN networks

What does the diag sys session list command show

Protocol number (proto=); protocol state (proto_state=); expiration (expire=); traffic shaper counters (origin-shaper, reply-shaper); session flags (state=); Rx and Tx statistics (statistics); SNAT and DNAT for each direction (origin->sink); source MAC of packet (src_mac); policy ID (policy_id=); hardware accel counters (npu_state, NPU info: VLAN)

When the hub sends a shortcut offer to a spoke informing it that it can negotiate a direct connection, the spoke sends a FortiOS specific IKE message (shortcut query) with what information (4)

Public ip Local subnet Desired remote subnet Auto generated PSK or digital cert

_____ Can be a useful tool for optimizing the performance of the various applications on your network

QOS

What is traffic queuing?

Queuing ensures that packets are transmitted in order of their assigned priority queue for that physical interface

Plan your SDWAN network topology based on what two principles

Regions - each device should be added to the corresponding region depending on how the network is structured geographically. Hub and edges - defining the roles of each FortiGate device

How to configure OCVPN for the fortigate (6)

Register the device on the FortiCare account; VPN > overlay controller VPN; enable OCVPN; select the role (hub or spoke); select a WAN interface; create a new overlay, specifying name, local subnets, and local interface

What must you do before you can configure OCVPN on the fortigate itself

Register the fortigates to the forticare account and then you can go to VPN > OCVPN on the fortigate

In what way is traffic load balanced between members for the maximize bandwidth (SLA) outgoing interface strategy

Round robin session based

What does the kernel perform first? Route lookup or policy lookup

Route then policy

What is a security association

SA is the basis for building security functions into IPSec A security association is the establishment of shared security attributes between two network entities to support secure communication. An SA may include attributes such as: cryptographic algorithm and mode; traffic encryption key; and parameters for the network data to be passed over the connection.

What two components does secure SDWAN encompass

SDWAN (SDWAN, QoS, VPN) + NGFW (app control IPS AV URL sandboxing ssl inspection)

SDWAN configuration components (5) main (10 subtypes)

SDWAN - interfaces, rules, SLA; Routing - static, BGP; Security - policies and profiles; VPN - IPSec tunnels; QoS - traffic shapers, policy, profile

Difference between SDWAN implicit load balancing methods vs ECMP load balancing method

SDWAN includes one more: volume

Where to add devices for SDWAN orchestrator

SDWAN orchestrator > configuration > device

Where in GUI do you create profiles for SDWAN orchestrator hub and edge devices

SDWAN orchestrator > configuration > profile

How does SDWAN use BGP tags

SDWAN rules can use BGP learned routes as dynamic destinations. You can accept a route that matches a community and set a tag on the routes. These tags can be used as dynamic destinations in the SDWAN rules

How can SDWAN work with ADVPN(3)

SDWAN rules can use the shortcut VPN to forward traffic between spokes. Dynamic shortcut tunnels and the static tunnel to the hub are combined into one SDWAN member. When the shortcut tunnel is established, the traffic through SDWAN will go through the shortcut tunnel rather than through the hub

What makes fortinet SDWAN ultrafast (app identification and steering)

SOC4 chip

When using the application control database for SDWAN rules and policies with app control UTM what should you use for an accurate application identification

SSL deep inspection

Auth flag

Session requires or required authentication

Where is routing information written on the fortigate for each session (2)

Session Table and route cache

Which load balancing methods use weights configured on each SDWAN member

Session and volume based

Npu flag

Session can be offloaded to NPu

Npd flag

Session cannot be offloaded to NPU

Br flag

Session is being bridged (TP mode)

log flag

Session is being logged

Redir flag

Session is being processed by an application layer proxy

Authed flag

Session was successfully authenticated

Nds flag

Session will be checked by IPS anomaly

Ndr flag

Session will be checked by IPS signature

In a session based load balancing algorithm weighted distribution is based on the number of ____on each SDWAN member

Sessions

Weight based load balancing

Sessions. Interfaces with higher weights have a higher priority and get more traffic

What is session route persistence

Sessions passing through that interface will continue to pass without being affected by a route change. Route changes will apply only to new sessions. This is applied at the interface level when SNAT is not applied

IBGP configuration of a hub participating in ADVPN

Set AS the same as the remote AS in the neighbor group. Enable set route-reflector-client enable in the neighbor group. In the neighbor range, set the neighbor group and prefix range for the overlay subnet. Add protected subnets for the hub

IBGP configuration for spoke participating in ADVPN

Set ASN. Config neighbor as the hub IP and set remote ASN. Define protected subnet for the spoke

What needs to be configured on the ADVPN spoke

Set auto-discovery-receiver enable; set IP on the tunnel interface; set net-device enable

What needs to be configured on the ADVPN hub (5)

Set net-device disable; set add-route disable; set tunnel-search nexthop; set auto-discovery-sender enable; assign an IP to the tunnel interface

What gets imported from the device when you select RETRIEVE_CONFIG for the first online action for add device in SDWAN orchestrator

Settings such as host name, WAN port, LAN DMZ port and static route are imported

What 5 things are specified when creating a shared traffic shaper

Shared or per IP, name, priority, max bandwidth, guaranteed bandwidth, DSCP

What three traffic shaping methods does the FortiGate offer?

Shared policy shaping Per IP shaping Interface based shaping

What 4 differences are there when configuring a shared shaper vs per-ip shaper (2 each)

Shared shaper: you configure a priority and guaranteed bandwidth; it does not have concurrent connections. Per-IP shaper: you configure max concurrent connections and reverse and forward DSCP; it does not have priority or guaranteed bandwidth

Diagnose sys virtual-wan-link health-check

Shows information like packet loss, latency, jitter for the servers acting as the beacons

What type of hub and spoke architecture is supported by ADVPN

Single or multiple hub

Why do you need to configure the hub as a route reflector when using IBGP for ADVPN

So routes learned from one spoke are forwarded to the other spokes

Why would you configure priority for an SDWAN interface member

So the priority can be used for SDWAN rules or priority rules

What is ADVPN

Solution based on IKE and IPSec. Provides direct connectivity between all sites by creating on-demand tunnels between spokes. Benefit of full mesh topology while providing scalability with minimum configuration

What options are there for controlling the type of traffic matched on a shaping policy

Source IP Destination IP Service Application URL category

What parameters can be used with SDWAN rules to match traffic (7)

Source IP User group Destination Ip Destination port number ISDB address objects as dest Firewall application as dest ToS

SDWAN load balancing methods (5) what is default

Source IP (default) - sessions from the same source IP address use the same interface; Source-destination IP - sessions with the same source and destination IP pair use the same interface; Spillover - use one interface until the threshold is reached, then use the next; Sessions - sessions are distributed based on weights assigned on the interfaces; Volume - sessions are distributed so the traffic volume is distributed by the interface weights

What criteria are defined on a traffic shaping policy

Source address, destination address, service, application, URL category, name, shaper to apply, outgoing interface

Source-dest-IP-based load balancing

Source and destination IP All traffic from a source IP to a destination IP is sent to the same interface

What is configured on an interface for a traffic shaping profile to be applied

Specified profile Outbound bandwidth

What three things are configured in a traffic shaping profile

Specify group (class ID) Set max and guaranteed bandwidth Set priority

Usage based load balancing

Spillover. All traffic is sent to the first interface on the list. When the bandwidth on that interface exceeds the spillover limit, the new traffic is sent to the next interface

What VPN communities are the hub and spoke roles provided as options in VPN manager

Star and dial up

What type of WAN IPs does OCVPN support

Static and dynamic

What traffic and routes does the SDWAN implicit rule only apply to

Static routes

Interface weight on an SDWAN member only applies to ____ ____

Static routing

What account can enable and create ADOMs

Super_user

What type of user can enable management extensions in fortimanager

Super_user

What protocol is TCP and what is UDP

TCP 6 UDP 17

Diagnose debug application link-monitor 32

TCP probe debug for link monitor

What protocols are available to use for SLA probing in the CLI that are not in the GUI

TCP-echo UDP-echo Twamp

Diagnose debug application link-monitor 128

TWAMP probe debug for link monitor

What do the green arrows on the link quality measurement (performance SLA page) indicate

That the server is responding to the health check, regardless of the packet loss latency and jitter values. Does not mean the SLA targets are being met.

Where are the routes for the link health monitor added (for the beacon probing)

The FIB

If you assign multiple classes the same priority on a shaper profile how is bandwidth allocated after guaranteed limits have been reached

The allocation to each class will be proportional to its guaranteed bandwidth percentage. Example: all classes will be assigned their guaranteed bandwidth first, which is 20 for class 2, 20 for class 3, and then 30 for class 4. The remaining 30 will be allocated to class 2 and 4 because of the higher priority. The allocation of the remainder will be proportional to the guaranteed bandwidth. In this case it is 12 for class 2 (30 Mbps * 20/50) and then 18 for class 4 (30 * 30/50)

What is the requirement to select an outbound interface when SDWAN rule settings are set default and set gateway disable (1)

The best match to the destination must be an SDWAN member. A policy route outbound interface is considered acceptable only if it has a FIB route to the destination. The first OIF fulfilling this requirement is selected

What is helpful for troubleshooting when SDWAN member interface routes are removed from or added to the routing table

The event logs

Describe the learning phase of the application control app identify method

The first session is required to identify the application and may not match an expected SDWAN rule. After the learning phase, dynamic cache entries are stored in the ISDB to avoid the learning phase again. The kernel matches the policy based on IPv4 headers, flags the session as may_dirty with app 0, allows the session, and sends traffic to IPS to identify layer 7 info. IPS flags the session as dirty so the kernel will re-evaluate it. After IPS identifies the app, it adds an entry to a dynamic ISDB with the destination IP and port. Any further session to the same destination will use the ISDB entry to immediately identify the app. This entry will be pushed to the kernel firewall

What rule is the load balancing algorithm configured on

The implicit rule

Where are the dynamic ISDB entries pushed after IPS identifies the application

The kernel firewall

If bandwidth is exceeded what traffic will be dropped first when there are traffic shapers configured

The ones with the lowest priority configured on the policy or on the profile

What is defined by an SLA target

The quality of the link Jitter Latency Packet loss

What does the FortiGate do after a change in the routing table when it is not applying SNAT (3)

The routing information is removed from the sessions that are affected by the change, the session is flagged as dirty, and related route cache entries are deleted. Route lookup is done again for the next packets (2 total): one for the originator and one for the responder

What is outbandwidth for on the interface that a traffic shaper profile is applied to

The shaper uses outbound bandwidth as maximum link speed to shape traffic. It is the bandwidth of the link

What will the routing table look like with the command get router info routing-table all when you have SDWAN configured

There will be individual static routes with both gateways applied and equal routing attributes (dest address and subnet, distance, priority) so fortigate can remove individual routes in the event of an interface outage and redirect to the remaining members without affecting the whole SDWAN load balance group

What is a vpn gateway on vpn manager and what are the two types

They are the FortiGates that will be assigned to a community and have a VPN tunnel configured on them. Managed - managed by FortiManager in the current ADOM. External - devices not managed by FortiManager or devices in a different ADOM

VPN community on fortimanager and what are the three types

They contain the common IPSec settings (phase 1 and phase 2) that are shared by all the IPSec gateway members of the community. Full mesh, star, dial up

What are business rules in sdwan orchestrator profiles

They define routing policies between subnets in SDWAN networks or define how traffic from SDWAN subnets accesses the internet. Orchestrator includes predefined business rules in profiles.

What other options besides protocols can you configure in the CLI for the health-check that are not available in the GUI (3)

Threshold-warning and threshold-alert for packet loss percentage, latency ms, and jitter ms; HA election priority; enable/disable system DNS as probe server

When net device is disabled and tunnel search is set to next hop how does fortigate learn the remote ips of the clients

Through the IKE messages (IPs on the IPSec virtual interfaces of the clients)

What is the max concurrent session option for per ip traffic shaping

Total number of simultaneous connections each source IP can have

What is traffic policing?

Traffic policing is dropping packets that do not conform to bandwidth limitations.

Shapers will allow you to define how traffic will flow by setting the ____, ____, _____

Traffic priority Bandwidth DSCP options

_____ Are the point of control where you can define bandwidth values and priority and then use them in traffic shaping policy

Traffic shapers

SDWAN rules: maximize bandwidth (SLA)

Traffic will be load balanced among all the members that satisfy the SLA target and if there are multiple SLA targets traffic will be load balanced between members that meet all the targets. Traffic is load balanced using session based round robin

True or false. Preshared key is NOT part of the matching criteria when choosing phase 1 settings

True

What do the virtual interfaces that are created by the set net-device enable command look like

Tunnel name = phase1name_index

How many servers can be used as a beacon for link health monitor

Two

What is an aggregate IPSec tunnel

Two or more IPSec tunnels between two sites can be combined to create an aggregate tunnel. Similar to LACP port aggregate. One single interface for routing and firewall policing

What is twamp

Two way active measurement protocol defines a standard for measuring round-trip network performance between any two devices that support the TWAMP protocols. ... The TWAMP-Test protocol is used to send and receive performance-measurement probes

When an IPSec tunnel is traversing NAT how is ESP encapsulated

UDP over port 4500

Diagnose debug application link-monitor 16

UDP probe debug for link monitor

Where do you turn off add route on fmg vpn manager

Under the VPN gateway configuration of the hub

How long do on demand tunnels remain active for ADVPN

Until the SAs are manually flushed or until they time out

How long do sessions flagged as block stay in memory in the session table, and what happens to packets matching a session with the block flag

Until the session expires; all matching packets will be dropped

What needs to be configured in the CLI to use the bandwidth link criteria options (3) for the SDWAN rule link quality strategy

Upstream and downstream bandwidth estimate: config sys int; set estimated-upstream-bandwidth; set estimated-downstream-bandwidth

Bandwidth option for the quality criteria field in the best quality strategy SDWAN rule (3)

Upstream, downstream, or bidirectional. FortiGate selects the link based on the available bandwidth in the incoming direction, outgoing direction, or both. The estimated upstream and downstream bandwidth per member interface must be configured

How can you exclude a criteria from the customized profile quality criteria

Use 0 as the value

After the SDWAN network is configured on all devices by the SDWAN orchestrator, what do you do

Use fortimanager to define and install firewall policies to the fortigate

What possible actions are there for the phase2 route-overlap setting (3)

Use-new - disconnect existing and accept new; Use-old - keep existing and reject new one; Allow - keep existing and accept new one. Traffic sessions that start from the central FortiGate will be load balanced over both VPNs with ECMP

What is Xauth

Used as additional authentication for IPSec tunnels. One side must provide credentials (username and password) in order to authenticate. It is known as phase 1.5 because it occurs after phase 1 and before phase 2

What is auto-discovery-receiver enabled

Used in ADVPN. Configured on the spoke interface. Indicates that the IPSec tunnel wants to participate in ADVPN and receive a SHORTCUT-OFFER

What is the max bandwidth option for shared shaper

Used to set the largest amount of traffic allowed using a policy where this shaper is enabled. If traffic goes above this limit fortigate will start dropping packets

What is this option for when configuring an SDWAN rule: Set mode <> What options can be enabled with it (5)

Used to set the outgoing interface strategy. Auto - select based on quality of link; Manual; Priority - best quality; SLA - lowest cost; Load-balanced - maximize bandwidth

What is SDWAN usage monitor and three views

Used to view traffic distribution between the member interfaces based on bandwidth, volume, or sessions. Bandwidth shows bandwidth utilization by each member interface. Volume shows volume of traffic sent and received per member interface. Sessions shows the number of sessions passing through each member interface

What are SDWAN orchestrator shared resources

Useful for creating resources that are going to be used across all deployments. Shared resource categories include: intranet addresses, network, SLA, system, health threshold. Resources such as DHCP servers/relays, DNS servers, SNMP hosts, NTP servers, FortiGuard and email etc

Link quality measurements

Using ping or HTTP echo, FortiGate can determine the latency, jitter, or packet loss percentage for each link and dynamically select links based on these measurements

How does SDWAN allow you to control application performance

Using rules and performance SLAs that route traffic based on quality type

How is effective WAn use achieved (3)

Using various load balancing algorithms such as bandwidth usage, sessions, or application aware routing

Fortimanager manager panes(5)

VPN, SDWAN, FortiAP, FortiSwitch, Fabric view

What is fortimanager VPN manager

VPN manager simplifies the administration of multiple VPNs. Allows you to install IPSec settings on multiple fortigates simultaneously

Max number of ADOMs on fortimanager

Varies by models

Measured volume based load balancing

Volume based Sessions are load balanced based on traffic volume in bytes. More traffic is sent to interfaces with higher volume ratios

Main motivator for deploying SDWAN

WAN use when using multiple WAN links

Wccp flag

Web caching

What is this option for when configuring an SDWAN rule: Set hold-down-time 0

When a backup member becomes primary it remains as primary for at least this time period regardless of changes in the quality of links

When is the only time the zero touch provisioning feature can be used(fortideploy)

When the FortiGate restarts after a factory reset, or on provisioning a new FortiGate device

Why should you create an intranet IP pool that SDWAN orchestrator can use

When it creates the SDWAN network, orchestrator will use an IP pool to assign IP addresses to the devices in the LAN segment and automatically create address objects and address groups based on this assignment

When will an SDWAN member be dead

When it reaches the failure threshold

Describe the two tunnel-search setting: selectors for phase1 of a dial up vpn and when the tunnel-search setting applies

When net-device is disabled, FortiGate learns about the remote networks behind each remote client depending on what tunnel-search is set to. If set to selectors, FortiGate uses the destination subnets of the quick mode selectors to populate the routing table with information about the remote networks. In this scenario FortiGate needs to use the tunnel indexes to route traffic to each remote network

When are SLA targets used

When referenced by a rule

Where would you specify the cost of an SDWAN interface when you want to use the lowest cost (SLA) strategy

When you add the interface as a member to the SDWAN virtual interface it gives you the option to select interface, specify gateway, specify cost, and enable or disable

What is the performance SLA - link status for

Where you can set how often the system checks the link status to determine if it needs to transfer the traffic to another link

What is reverse direction shaping

Will shape any incoming traffic

How are SLA violations marked on the link quality performance SLA page

With red numbers

Is a member considered alive if it is failing the SLA target

Yes

Can different vdoms be assigned to different ADOMs on fortimanager if they belong to the same device

Yes if advanced mode is enabled

Do you need to specify an SLA for the best quality strategy and why

Yes you specify the SLA to be used but you don't use the SLA targets Fortigate estimates the quality of each link based on either latency jitter or packet loss percentage (you can specify the quality criteria)

Describe a scenario in which there would be multiple SLA targets for one performance SLA

You are located in a branch office and use a few different applications that run on the same server at headquarters. You could create one performance SLA that will perform the health check on that server but then have different SLA targets for the different applications.

SDWAN rules: lowest cost (SLA) strategy

You select an SLA target from a performance SLA. The selected SDWAN member (based on order from top down) must satisfy all the selected SLA targets to be considered as a selection for the outgoing interface

SDWAN rule strategy: manual

You specify the interface priority you want to send traffic out from. Traffic matching the rule criteria will go out the first available interface based on the interface preference. Does not depend on performance SLA or targets.

What do you get when you include fortideploy on your fortinet device order

You will receive a bulk deployment forticloud key tied to all support devices within that order so that you can enter the bulk key in forticloud for all devices instead of each individual one

What happens when SNAT-route-change is disabled and what happens when it is enabled

Disabled - after a routing change, the sessions with SNAT keep using the same outbound interface as long as the old route is still active. Enabled - routing information is flushed from existing SNAT sessions (flagged as dirty) so the existing sessions can use the new best route; route cache entries are removed; routing lookups are done again for the next packets; RPF is done again

How does zero touch provisioning work on a fortigate without internet access or policies, etc

https://www.historiantech.com/zeroish-touch-provisioning-connect-to-fortimanager-via-the-dhcp-option/

SDWAN orchestrator shared resource categories (5)

include: Intranet addresses Network SLA System Health threshold

Diagnose sys virtual-wan-link member | service

information related to SDWAN rules shows interface preference, state, etc

What feature is essential for SDWAN (how to know if link is down)

link quality measurements

Formula for tunnels for a hub and spoke topology

n - 1

Another name for traffic shaping

qos

What is a security association

A security association is the establishment of shared security attributes between two network entities to support secure communication. Two types of SAs: IKE, IPsec

Local flag

session is to/from local stack

How are the link quality measurements used?

the values are used against the SLA criteria within the rules that are used to route traffic based on the link quality of each member

How to enable ADVPN shortcuts on OCVPN

"Auto discovery shortcuts" on the OCVPN GUI page

Six application identification methods

- ISDB - custom ISDB - FQDN - IP DSCP - Application control - customer application control

Three examples of when a routing change may occur

- when the order of the interfaces in the policy route changes - when an SDWAN member state changes - when there is a dynamic routing update

When should you use fortimanager in your network

-Large enterprises -Managed service providers

