FortiGate Tie-Break Methods and Traffic Handling Quiz

Questions and Answers

PDF Questions PDF Answers

Which tie-break method instructs FortiGate to consider the best route to the destination when choosing the preferred member in a rule?

cfg-order

service-sla-tie-break

zone

fib-best-match (correct)

What is the default tie-break method at the zone level?

fib-best-match

service-sla-tie-break

zone (correct)

cfg-order

What is the default tie-break method at the rule level?

cfg-order (correct)

fib-best-match

service-sla-tie-break

zone

What is local-out traffic?

Traffic initiated by FortiGate for management purposes

What does setting the interface-select-method to sdwan on a feature enable?

Using SD-WAN for local-out traffic

What happens when you set the tie-break method to fib-best-match?

FortiGate considers the best route to the destination when choosing the preferred member in a rule

What is the purpose of the interface-select-method setting?

To enable SD-WAN for local-out traffic

What does the source address of an SD-WAN rule need to match for local-out traffic?

The local IP address used by FortiGate

What happens when you enable SD-WAN for system DNS queries?

FortiGate starts using the member with the best route for the destination

Which level determines the default tie-break method for SD-WAN rules?

Rule level

Which command should you use to view the status of an SD-WAN rule on the FortiGate CLI?

diagnose sys sdwan service

What information does the output of the 'diagnose sys sdwan service' command provide?

Matching criteria, rule mode, and outgoing interface list

In which order are the outgoing interfaces listed in the output of the 'diagnose sys sdwan service' command?

Top to bottom

What command can you use to display the rule settings of an SD-WAN rule from a policy route standpoint?

diagnose firewall proute list

What is the ID displayed in the output of the 'diagnose firewall proute list' command?

The same ID displayed in the debug flow output when a packet matches a rule

What information is included in the output of the 'diagnose firewall proute list' command?

Rule settings, outgoing interface list, rule hit count, and last time the rule was hit

By default, does the preferred member have to be the best route?

No

What is the purpose of checking the current status of SD-WAN rules?

For troubleshooting purposes

What do SD-WAN rules represent in terms of policy routes?

Essentially policy routes

How are SD-WAN rules updated?

Based on member status and performance

Study Notes

SD-WAN Rules and Tie-Break Methods

• The fib-best-match tie-break method instructs FortiGate to consider the best route to the destination when choosing the preferred member in a rule.
• The default tie-break method at the zone level is auto.
• The default tie-break method at the rule level is fib-best-match.
• Local-out traffic refers to traffic originating from the FortiGate itself.
• Setting the interface-select-method to sdwan on a feature enables SD-WAN interface selection for that feature.
• When the tie-break method is set to fib-best-match, FortiGate chooses the best route to the destination.
• The purpose of the interface-select-method setting is to determine how FortiGate selects the outgoing interface for an SD-WAN rule.
• For local-out traffic, the source address of an SD-WAN rule needs to match the IP address of the FortiGate interface.
• Enabling SD-WAN for system DNS queries applies SD-WAN rules to DNS queries originating from the FortiGate itself.
• The default tie-break method for SD-WAN rules is determined at the rule level.
• The diagnose sys sdwan service command displays the status of SD-WAN rules.
• The output of the diagnose sys sdwan service command provides information about the status of SD-WAN rules, including the current status, SLA, and health checks.
• The outgoing interfaces are listed in the order of their priority in the output of the diagnose sys sdwan service command.
• The diagnose firewall proute list command can be used to display the rule settings of an SD-WAN rule from a policy route standpoint.
• The output of the diagnose firewall proute list command includes information about the rule ID, destination, and outgoing interface.
• The ID displayed in the output of the diagnose firewall proute list command is the rule ID.
• The preferred member does not have to be the best route by default.
• Checking the current status of SD-WAN rules ensures that the rules are working as expected.
• SD-WAN rules represent policy routes in terms of routing decisions.
• SD-WAN rules are updated dynamically based on the health checks and SLA configurations.

Description

Test your knowledge on FortiGate tie-break methods, default methods at zone and rule level, local-out traffic, setting interface-select-method to sdwan, and consequences of setting tie-break method to fib-best-match.