Mx Flashcards
Auto VPN ports used by peers
Source ports UDP 32768-61000 for IPSec tunnel, VPN registry destination port UDP 9350
Exhibit showing appliance status of MX in VPN concentrator mode that’s having issues - what to do to resolve?
Probably unplug all LAN ports
Select two features supported in MX passthrough mode
“IDS/IPS, Site-to-Site VPN (assume Site-to-Site Auto VPN as referred to in doc) supported.
Note: HA is not supported (only supported in NAT/routed and one-arm VPN concentrator modes)”
Using a vMX for Azure offers what benefit over an IPSec VPN to Azure? SD-WAN, next gen f/w, intrusion prevention?
vMX can do HA and SD-WAN (SD-WAN was a choice in test)
Firmware upgrade order for MXs in HA pair
Primary downloads firmware and upgrades first (while secondary is active), then secondary
Exhibit showing MX routing table - what is next-hop for traffic from given source to given destination where latter is reachable via an Auto VPN tunnel?
Assume it should be particular Auto VPN peer destination, as shown on output (not default route next-hop of MX)
Where to check high WAN utilisation?
Current utilisation levels would be: Security Appliance > Appliance Status > Uplink tab
If a setting is changed on MX that was configured via template, what would be the behaviour?
“Local overrides: Once a network has been bound to a template, some options can still be configured normally. Any local configuration changes made directly on the network will override the template configuration.
Note:
Updating the same options on the template will not clear a network’s local overrides. To clear local overrides, the network needs to be unbound and rebound to the template.”
Exhibit showing 3 networks (A, B, C) with VPNs between A & B and A & C. What is the MX Insight licence requirement if troubleshooting data is required on web app health on B?
Need Insight licence on both networks A & B MXs or just on net B?
Answer needs to be confirmed
Exhibit showing SD-WAN performance class configuration - what is the preferred uplink for Webex conference traffic?
Configured preferred link (WAN2?) as long as performance class thresholds are satisfied
Number of tunnels on an Auto VPN hub when there are 2 dual-link hubs and 50 single-link spokes
((2-1)x2^2) + 50x1x2 = 104
Drag & drop to select differences between NAT mode (routed) and passthrough mode MX setup
“NAT mode (default): NAT/DHCP support, acts as gateway for LAN
Passthrough/VPN Concentrator: no NAT/routing, no VLAN config, not recommended for network perimeter”
Exhibit showing SD-WAN & traffic shaping - how to enable 4:1 ratio for traffic across WAN1/WAN2 uplinks?
Set WAN1/2 bandwidths to give 4:1 ratio on Security & SD-WAN > SD-WAN & traffic shaping > Uplink configuration, and enable Load balancing on Uplink Selection section
Exhibit - Security Centre log showing blocked traffic - which IDS/IPS mode is used?
Blocking connections so ‘Prevention’ mode used
Which VLAN ID is used by MX to source pings via Tools tab?
Highest VLAN ID