I know this is confusing and I also struggled working out this particular question, but they always try to catch us with the wording of the answers.
Because auto-discovery-sender is enabled in the P1 settings, it means ADVPN is configured, which inherently supports the network-overlay feature, even though it's not enabled by default.
I know you must enable the network-overlay feature via a CLI command, but the phrasing of the option A would've been different if it was wrong.
A simply states that the configuration supports the feature, not that it is enabled, which makes it true.
B is also correct because set-add-route is disabled which prevents the Forti from installing static IPSec routes into the routing table.
C is false because natt: mode = none. UDP 4500 is used for nat-traversal.
D is also false because the output shows that T_INET_1_0 is a child tunnel managed by T_INET_1 which doesn't necessarily mean that it is a spoke-to-spoke tunnel.
A: Incorrect because network-overlay is not enabled
B: Correct because add-route is disabled
C: Incorrect because natt mode=none
D: Correct because parent=T_INET_1
A & B are correct.
A - claims the config is supported, not necessarily configured, thus the claim is true
B - add-route is disabled, thus the claim is true
C - "natt: mode=none", thus no NAT-T
D is definitely wrong. There is no indication of any spoke-spoke tunnel. This is a hub (indicated by the auto-discovery-sender command), and tunnel T_INET_1_0 is a hub-spoke tunnel, not a spoke-spoke tunnel, and therefore cannot be a shortcut.
C is wrong. IPSec ESP uses UDP 500 unless traversing NAT on either or both ends--only then is UDP 4500 used. However, from Exh B: "natt: mode=none" Thus no NAT-T, therefore no UDP 4500.
That leaves A - which is not in the configuration but should be, unless they just mean the config supports it even though it is not configured - which is definitely the case and part of the reference design in the recommended template, most of which is configured on this hub.
And B: I think this is actually false -- it looks like we are doing ADVPN with Phase2 Selector (SG p291), in which case the phase 2 selector (i.e., IPsec static routes) *would* be installed in the routing table.
This is a bad question, since definitionally, C and D *cannot* be correct based on the diag output, and it appears B is conceptually incorrect.
I think A is wrong since the "set network-overlay enable" command isn't configured in Phase1 (and the default value is disabled). I see that the parent of the shortcut is T_INET_1, therefore the correct answers are BD.
I can't see C being right; I cannot tell if 4500 is being used from the output unless I am missing something. But this is a hub config, so A is true, and B is true because add-route is disabled.
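The thread keeps referring to the same handful of phase1-interface settings (auto-discovery-sender, network-overlay, add-route, NAT-T). The fragment below is an added example, not the exhibit from the question or any commenter's configuration: it is a hypothetical hub phase1-interface named T_INET_1 on the assumed interface port1 and shows where each of those settings lives in FortiOS CLI, with the network-overlay line included explicitly because it is disabled unless set. The interface name, proposal, network-id and PSK placeholder are assumptions.

```fortios
# Hypothetical ADVPN hub phase1-interface (added example, not from the exhibit)
config vpn ipsec phase1-interface
    edit "T_INET_1"
        set type dynamic                    # hub accepts dial-up spokes
        set interface "port1"               # assumed WAN interface
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256          # assumed proposal
        set add-route disable               # no static routes from phase2 selectors; routing comes from a protocol
        set auto-discovery-sender enable    # marks this gateway as the ADVPN hub
        set network-overlay enable          # off by default; must be set explicitly
        set network-id 1                    # assumed overlay id, required with network-overlay
        set nattraversal disable            # "natt: mode=none" in diagnostics corresponds to NAT-T not being used
        set psksecret <PSK_PLACEHOLDER>
    next
end
```

When reviewing a hub, compare the running config (show vpn ipsec phase1-interface) against diagnose vpn ike gateway output: add-route and network-overlay are decided by the config lines above, while the natt field in the diagnostic reflects whether NAT was actually detected on the live tunnel, which is why the two views can disagree with what an exam answer implies.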
Commenters (most recent first): ronia (1 month, 2 weeks ago); fortinet1333 (3 months ago); MichaelG77 (4 months ago); kappa915 (5 months ago); ccie8122 (5 months, 3 weeks ago); thepresidents83 (6 months, 1 week ago); Mellon (6 months, 2 weeks ago); jebusruns (6 months, 2 weeks ago).