
Fortinet NSE7_EFW-7.0 Dumps

Page: 1 / 16
Total 163 questions

Fortinet NSE 7 - Enterprise Firewall 7.0 Questions and Answers

Question 1

Which two statements about the Security Fabric are true? (Choose two.)

Options:

A. Only the root FortiGate collects network information and forwards it to FortiAnalyzer.
B. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.
C. All FortiGate devices in the Security Fabric must have bidirectional FortiTelemetry connectivity.
D. Branch FortiGate devices must be configured first.

Question 2

An administrator cannot connect to the GUI of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:

[exhibit image not included]

Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

Options:

A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.
B. Redirection of HTTP to HTTPS administrative access is disabled.
C. HTTP administrative access is configured with a port number different than 80.
D. The packet is denied because of the reverse path forwarding check.

Question 3

Examine the IPsec configuration shown in the exhibit; then answer the question below.

[exhibit image not included]

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:

diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1
diagnose debug enable

The VPN is currently up, there is no traffic crossing the tunnel, and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?

Options:

A. The IKE real time debug shows the phase 1 and 2 negotiations only. It does not show any more output once the tunnel is up.
B. The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.
C. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
D. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.

Question 4

What are two functions of automation stitches? (Choose two.)

Options:

A. Automation stitches can be configured on any FortiGate device in a Security Fabric environment.
B. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.
C. Automation stitches can be created to run diagnostic commands and attach the results to an email message when CPU or memory usage exceeds specified thresholds.
D. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

Question 5

Which two statements about bulk configuration changes made using FortiManager CLI scripts are correct? (Choose two.)

Options:

A. When run on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate device.
B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
D. When run on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate device.

Question 6

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

Options:

A. route-reflector enable
B. route-reflector-server enable
C. route-reflector-client enable
D. route-reflector-peer enable

Question 7

You have configured FortiManager as a local FDS to provide FortiGate AV and IPS updates, but FortiGate devices are not receiving updates to their AV signature databases, IPS engines, or IPS signature databases.

Which two settings need to be verified for these features to function? (Choose two.)

Options:

A. FortiGate needs to have the server list entry for FortiManager set to server-type update under config system central-management.
B. FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated AV and IPS packages.
C. Service access needs to be enabled on FortiManager under System Settings > Network.
D. FortiGate needs to have include-default-servers disabled under config system central-management.

Question 8

Refer to the exhibit, which shows a central management configuration.

[exhibit image not included]

Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?

Options:

A. Public FortiGuard servers
B. 10.0.1.243
C. 10.0.1.242
D. 10.0.1.244

Question 9

A FortiGate device has the following LDAP configuration:

[exhibit image not included]

The administrator executed the 'dsquery' command on the Windows LDAP server 10.0.1.10, and got the following output:

>dsquery user -samid administrator
"CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab"

Based on the output, what FortiGate LDAP setting is configured incorrectly?

Options:

A. cnid
B. username
C. password
D. dn

Question 10

Refer to the exhibit, which shows the output of a diagnose command.

[exhibit image not included]

What can you conclude from the output shown in the exhibit? (Choose two.)

Options:

A. This is a pinhole session created to allow traffic for a protocol that requires additional sessions to operate through FortiGate.
B. This is an expected session created by the IPS engine.
C. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.200.1.1.
D. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.0.1.10.

Question 11

Which two configuration commands change the default behavior for content-inspected traffic while FortiGate is in conserve mode? (Choose two.)

Options:

A. set av-failopen off
B. set av-failopen pass
C. set fail-open enable
D. set ips fail-open disable

Question 12

An administrator added the following IPsec VPN to a FortiGate configuration:

config vpn ipsec phase1-interface
    edit "RemoteSite"
        set type dynamic
        set interface "port1"
        set mode main
        set psksecret ENC LCVkCiK2E2PhVUzZe
    next
end

config vpn ipsec phase2-interface
    edit "RemoteSite"
        set phase1name "RemoteSite"
        set proposal 3des-sha256
    next
end

However, the phase 1 negotiation is failing. The administrator executed the IKE real time debug while attempting the IPsec connection. The output is shown in the exhibit.

[exhibit image not included]

What is causing the IPsec problem in phase 1?

Options:

A. The incoming IPsec connection is matching the wrong VPN configuration.
B. The phase 1 mode must be changed to aggressive.
C. The pre-shared key is wrong.
D. NAT-T settings do not match.

Question 13

Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?

Options:

A. FortiGate first checks the OSPF ID to elect a DR.
B. Non-DR and non-BDR routers will form full adjacencies to DR and BDR only.
C. BDR is responsible for forwarding link state information from one router to another.
D. Only the DR receives link state information from non-DR routers.

Question 14

A FortiGate device has the following LDAP configuration:

[exhibit image not included]

The LDAP user student cannot authenticate. The exhibit shows the output of the authentication real time debug while testing the student account:

[exhibit image not included]

Based on the above output, what FortiGate LDAP settings must the administrator check? (Choose two.)

Options:

A. cnid
B. username
C. password
D. dn

Question 15

Which two statements about the Security Fabric are true? (Choose two.)

Options:

A. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
B. Only the root FortiGate sends logs to FortiAnalyzer.
C. Only FortiGate devices with fabric-object-unification set to default will receive and synchronize global CMDB objects sent by the root FortiGate.
D. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

Question 16

Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?

Options:

A. Only the DR receives link state information from non-DR routers.
B. Non-DR and non-BDR routers form full adjacencies to DR only.
C. Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6.
D. FortiGate first checks the OSPF ID to elect a DR.

Question 17

Refer to the exhibit, which shows the output of get system ha status. NGFW-1 and NGFW-2 have been up for a week.

[exhibit image not included]

Which two statements about the output are true? (Choose two.)

Options:

A. If FGVM...649 is rebooted, FGVM...650 will become the primary and retain that role, even after FGVM...649 rejoins the cluster.
B. If no action is taken, the primary FortiGate will leave the cluster due to the current sync status.
C. If port7 becomes disconnected on the secondary, each FortiGate device will elect itself the primary.
D. If a configuration change is made to the primary FortiGate at this time, the secondary will initiate a synchronization reset.

Question 18

Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

Options:

A. Preview pending configuration changes for managed devices.
B. Add devices to FortiManager.
C. Import policy packages from managed devices.
D. Install configuration changes to managed devices.
E. Import interface mappings from managed devices.

Question 19

Examine the output of the 'diagnose debug rating' command shown in the exhibit; then answer the question below.

[exhibit image not included]

Which statements are true regarding the output in the exhibit? (Choose two.)

Options:

A. There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.
B. The TZ value represents the delta between each FortiGuard server's time zone and the FortiGate's time zone.
C. FortiGate will send the FortiGuard queries to the server with the highest weight.
D. A server's round trip delay (RTT) is not used to calculate its weight.

Question 20

A FortiGate has two default routes:

[exhibit image not included]

All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:

[exhibit image not included]

What would happen with the traffic matching the above session if the priority on the first default route (ID 1) were changed from 5 to 20?

Options:

A. The session would be deleted, and the client would need to start a new session.
B. The session would remain in the session table, and its traffic would start to egress from port2.
C. The session would remain in the session table, but its traffic would now egress from both port1 and port2.
D. The session would remain in the session table, and its traffic would still egress from port1.

Question 21

Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network.

[exhibit image not included]

An administrator would like to test session failover between the two service provider connections.

What changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)

Options:

A. Configure set snat-route-change enable.
B. Change the priority of the port2 static route to 5.
C. Change the priority of the port1 static route to 11.
D. unset snat-route-change to return it to the default setting.

Question 22

Which statement about IKE and IKE NAT-T is true?

Options:

A. IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.
B. IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.
C. They both use UDP as their transport protocol and the port number is configurable.
D. They each use their own IP protocol number.

Question 23

Examine the partial output from two web filter debug commands; then answer the question below:

[exhibit image not included]

Based on the above outputs, which is the FortiGuard web filter category for the web site

Options:

A. Finance and banking
B. General organization
C. Business
D. Information technology

Question 24

Examine the output from the BGP real time debug shown in the exhibit; then answer the question below:

[exhibit image not included]

Which statements are true regarding the output in the exhibit? (Choose two.)

Options:

A. BGP peers have successfully interchanged Open and Keepalive messages.
B. The local BGP peer received a prefix for a default route.
C. The state of the remote BGP peer is OpenConfirm.
D. The state of the remote BGP peer will go to Connect after it confirms the received prefixes.
