Free Fortinet FCSS_SDW_AR-7.4 Exam Questions (page: 7)

You are planning a large SD-WAN deployment with approximately 1000 spokes and want to allow ADVPN between the spokes. Some remote sites use FortiSASE to connect to the company's SD-WAN hub.
Which overlay routing configuration should you use?

  A. BGP on loopback with dynamic BGP for ADVPN shortcut routing.
  B. BGP on loopback with IPsec phase2 selectors for ADVPN shortcut routing.
  C. BGP per overlay with dynamic BGP for ADVPN shortcut routing.
  D. BGP per overlay with BGP next-hop convergence for ADVPN shortcut routing.

Answer(s): A

Explanation:

For a large-scale SD-WAN deployment (such as 1000 spokes) where ADVPN shortcut routing is required and some remote sites connect via FortiSASE, the recommended overlay routing configuration is BGP running on loopback interfaces, combined with dynamic BGP for ADVPN shortcut routing. This design leverages the scalability and resilience of BGP, allowing dynamic discovery and route exchange necessary for shortcut tunnels between spokes in ADVPN environments. Using loopback interfaces for BGP peering is considered best practice because it decouples routing protocol stability from physical link status, ensuring that if a physical underlay interface fails, the BGP session remains up as long as there's an alternate path. With dynamic BGP, each spoke can efficiently learn the routes to other spokes and dynamically establish shortcuts, which is critical at this scale. This method also integrates smoothly with FortiSASE for remote connectivity to the SD-WAN hub, providing flexibility and centralized management.


Reference:

Fortinet SD-WAN Reference Architecture Guide 7.4, "Scalable Routing with BGP on Loopback and ADVPN Shortcuts"

Fortinet SD-WAN Concept Guide, "Overlay Routing Designs for Large Deployments"



Refer to the exhibits.


You connect to a device behind a branch FortiGate device and initiate a ping test. The device is part of the LAN subnet and its IP address is 10.0.1.101.

Based on the exhibits, which interface does branch 1_fgt use to steer the test traffic?

  A. port4
  B. HUB1-VPN1
  C. port1
  D. port2

Answer(s): D



You manage an SD-WAN topology. You will soon deploy 50 new branches.

Which three tasks can you do in advance to simplify this deployment? (Choose three.)

  A. Update the DHCP server configuration.
  B. Create model devices.
  C. Create a ZTP template.
  D. Define metadata variable values for each device.
  E. Create a policy blueprint.

Answer(s): B,C,E

Explanation:

When planning to deploy a large number of branches (e.g., 50), Fortinet recommends several preparatory steps to simplify and automate the rollout. Creating model devices allows you to predefine configurations and settings that can be cloned or adapted for each branch, saving time and minimizing manual errors. Preparing a Zero Touch Provisioning (ZTP) template enables automatic onboarding and provisioning of new FortiGates as soon as they come online, reducing manual intervention. Lastly, creating a policy blueprint allows for standardized policy deployment across all branches, ensuring consistent security and SD-WAN rule enforcement. This holistic approach streamlines the deployment process, allows for rapid scaling, and ensures that all devices are configured according to corporate policy from day one.


Reference:

Fortinet SD-WAN 7.4 Reference Architecture, "ZTP and Model Device Strategies for Scalable Rollouts"

FortiManager Admin Guide, "Policy Blueprints and Automation for Branch Deployment"



Refer to the exhibit.



An administrator configures SD-WAN rules for a DIA setup using the FortiGate GUI. The page to configure the source and destination part of the rule looks as shown in the exhibit. The GUI page shows no option to configure an application as the destination of the SD-WAN rule. Why?

  A. You cannot use applications as the destination when FortiGate is used for a DIA setup.
  B. FortiGate allows the configuration of applications as the destination of SD-WAN rules only on the CLI.
  C. You must enable the feature on the CLI.
  D. You must enable the feature first using the GUI menu System > Feature Visibility.

Answer(s): D



You are planning a new SD-WAN deployment with the following criteria:

- Two regions

- Most of the traffic is expected to remain within its region

- No requirement for inter-region ADVPN

To remain within the recommended best practices, which routing protocol should you select for the overlays?

  A. OSPF for the routing within each region and EBGP between the regions.
  B. IBGP with BGP on loopback within each region and EBGP between the regions.
  C. IBGP with BGP per overlays within each region and IBGP with BGP on loopback between the regions.
  D. IBGP within each region and between the regions.

Answer(s): B

Explanation:

For SD-WAN deployments that span multiple regions, where most traffic is intra-region and there is no requirement for inter-region ADVPN, the best practice is to use IBGP with BGP on loopback interfaces for routing within each region and EBGP between the regions. This approach ensures robust and scalable routing, isolates regional routing domains, and enables policy control at region boundaries. BGP on loopback is preferred for its reliability and flexibility, as it enables peering that is not tied to specific physical interfaces. EBGP between regions allows each region to maintain independent routing policies and summarization, optimizing performance and manageability. By separating IBGP (intra-region) and EBGP (inter-region), you create a modular architecture that scales easily and simplifies fault isolation and troubleshooting.


Reference:

Fortinet SD-WAN Reference Architecture Guide 7.4, "Regional Routing Best Practices"

FortiOS 7.4 SD-WAN Overlay Design Guidelines


