All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

Encapsulating Security Payload (ESP)

Secure Shell (SSH)

Internet Key Exchange (IKE)

Security Association (SA)

The ISDB is dynamically updated and reduces administrative overhead.

The ISDB requires application control to maintain signatures and perform load balancing.

The ISDB applies rules to traffic from specific sources, based on application type.

The ISDB contains the IP addresses and port ranges of well-known internet services.

update-source

set-route-tag

holdtime-timer

link-down-failover

hold-down-time

link-down-failover

auto-discovery-shortcuts

idle-timeout

It is a hub device. It can send ADVPN shortcut offers.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. The subnet range is 10.10.128.0/23.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.

It is a hub device and will automatically discover the spoke devices that are in the SD-WAN topology.

port1 is assigned a manual IP address.

port1 is referenced in a firewall policy.

port2 is referenced in a static route.

port1 and port2 are not administratively down.

It ensures consistent settings between phase1 and phase2.

It guides the administrator to use Fortinet recommended settings.

It automatically install IPsec tunnels to every spoke when they are added to the FortiManager ADOM.

The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

diagnose sys sdwan zone

diagnose sys sdwan service

diagnose sys sdwan member

diagnose sys sdwan interface

You can use metadata variables only to define interface members and the gateway IP.

All SD-WAN template fields support metadata variables.

Any field Identified with a dollar sign ($) in a magnifying glass.

Any field identified with an "M" in a circle.

Provide direct internet access on spokes

Provide internet access through the hub

Centralize security inspection on the hub

Provide thorough inspection on spokes

You must use BGP to route traffic for both overlay and underlay links.

You must configure AS path prepending.

You must configure BGP communities.

IBGP is preferred over EBGP, because IBGP preserves next hop information.

Each region has its own SD-WAN topology

It is not compatible with ADVPN.

Regions must correspond to geographical areas.

Routing between the hub and spokes must be BGP.

FortiGate does not consider the source address of the packet when matching an SD-WAN rule for local-out traffic.

By default, local-out traffic does not use SD-WAN.

By default, FortiGate does not check if the selected member has a valid route to the destination.

You must configure each local-out feature individually, to use SD-WAN.

It creates redundant tunnels between hub-and-spokes, in case failure takes place on the primary links.

It dynamically assigns cost and weight between the hub and the spokes, based on the physical distance.

It ensures that spoke-to-spoke traffic no longer needs to flow through the tunnels through the hub.

It provides direct connectivity between all sites by creating on-demand tunnels between spokes.

There is more than one SD-WAN rule configured.

The SD-WAN rules take precedence over regular policy routes.

Theall_rulesrule represents the implicit SD-WAN rule.

Entry1(id=1)is a regular policy route.

The type of traffic defined and allowed on firewall policy ID 1 is UDP.

FortiGate has terminated the session after a change on policy ID 1.

Changes have been made on firewall policy ID 1 on FortiGate.

Firewall policy ID 1 has source NAT disabled.

You can apply a system template and a CLI template to the same FortiGate device.

A CLI template can be of type CLI script or Perl script.

A template group can include a system template and an SD-WAN template.

A template group can contain CLI templates of both types.

Templates are applied in order, from top to bottom.

You can assign only one template with a tunnel of fype static to each FortiGate device

You can define only one IPsec tunnel from branch devices to HUB1.

You can assign only one IPsec template to each FortiGate device.

You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.

It does not allow you to monitor the status of SD-WAN members.

It is enabled or disabled on a per-ADOM basis.

It is enabled by default.

It uses templates to configure SD-WAN on managed devices.

Routes for ADVPN shortcuts must be manually configured.

SD-WAN can steer traffic to ADVPN shortcuts, established over IPsec overlays, configured as SD-WAN members.

SD-WAN does not monitor the health and performance of ADVPN shortcuts.

You must use IKEv2 on IPsec tunnels.

Interface-based shaping mode

Reverse-policy shaping mode

Shared-policy shaping mode

Per-IP shaping mode

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

On the receiver FortiGate,packet-de-duplicationis enabled.

The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.

The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.

On the sender FortiGate,duplication-max-numis set to3.

FEC supports hardware offloading.

FEC improves reliability of noisy links.

FEC transmits parity packets that can be used to reconstruct packet loss.

FEC can leverage multiple IPsec tunnels for parity packets transmission.

Specify a unique peer ID for each dial-up VPN interface.

Use different proposals are used between the interfaces.

Configure the IKE mode to be aggressive mode.

Use unique Diffie Hellman groups on each VPN interface.