New Year Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

NSE7_EFW-7.0 Fortinet NSE 7 - Enterprise Firewall 7.0 Questions and Answers

Questions 4

A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS errors when accessing any website. The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

What should the administrator check to fix the problem?

Options:

A.

The connectivity between the FortiGate unit and the DNS server.

B.

The connectivity between the client workstations and the DNS server.

C.

That DNS traffic from client workstations is allowed by the explicit web proxy policies.

D.

That DNS service is enabled in the explicit web proxy interface.

Buy Now
Questions 5

Exhibits:

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

An administrator is trying to configure ADVPN with a hub-spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned by one spoke are forwarded to the other spokes?

Options:

A.

Configure an individual neighbor and remove neighbor-range configuration.

B.

Configure the hub as a route reflector client.

C.

Change the router id to 10.1.0.254.

D.

Make the configuration of remote-as different from the configuration of local-as.

Buy Now
Questions 6

Refer to the exhibit, which contains partial output from an IKE real-time debug.

Based on the debug output, which phase 1 setting is enabled in the configuration of this VPN?

Options:

A.

auto-discovery-shortcut

B.

auto-discovery-forwarder

C.

auto-discovery-sender

D.

auto-discovery-receiver

Buy Now
Questions 7

Examine the following partial output from a sniffer command; then answer the question below.

What is the meaning of the packets dropped counter at the end of the sniffer?

Options:

A.

Number of packets that didn’t match the sniffer filter.

B.

Number of total packets dropped by the FortiGate.

C.

Number of packets that matched the sniffer filter and were dropped by the FortiGate.

D.

Number of packets that matched the sniffer filter but could not be captured by the sniffer.

Buy Now
Questions 8

View the following FortiGate configuration.

All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for Internet traffic from a user on the internal network:

If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user’s session?

Options:

A.

The session would remain in the session table, and its traffic would still egress from port1.

B.

The session would remain in the session table, but its traffic would now egress from both port1 and port2.

C.

The session would remain in the session table, and its traffic would start to egress from port2.

D.

The session would be deleted, so the client would need to start a new session.

Buy Now
Questions 9

Refer to the exhibit, which contains the output of diagnose sys session list.

If the HA ID for the primary unit is zero (0), which statement about the output is true?

Options:

A.

This session cannot be synced with the slave unit.

B.

The inspection of this session has been offloaded to the slave unit.

C.

The master unit is processing this traffic.

D.

This session is for HA heartbeat traffic.

Buy Now
Questions 10

Refer to the exhibit, which shows the output of diagnose sys session stat.

Which statement about the output shown in the exhibit is correct?

Options:

A.

There are two sessions that have not been removed in case of any out-of-order packets that arrive.

B.

There are 166 TCP sessions waiting to complete the three-way handshake.

C.

162 sessions have been deleted because of memory page exhaustion.

D.

All the sessions in the session table are TCP sessions.

Buy Now
Questions 11

Four FortiGate devices configured for OSPF connected to the same broadcast domain. The first unit is elected as the designated router The second unit is elected as the backup designated router Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

Options:

A.

1

B.

2

C.

3

D.

4

Buy Now
Questions 12

View the IPS exit log, and then answer the question below.

# diagnose test application ipsmonitor 3

ipsengine exit log”

pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017

code = 11, reason: manual

What is the status of IPS on this FortiGate?

Options:

A.

IPS engine memory consumption has exceeded the model-specific predefined value.

B.

IPS daemon experienced a crash.

C.

There are communication problems between the IPS engine and the management database.

D.

All IPS-related features have been disabled in FortiGate’s configuration.

Buy Now
Questions 13

Refer to the exhibit, which contains partial output from an IKE real-time debug.

Why did the tunnel not come up?

Options:

A.

The local gateway has configured less secure encryption and hashing algorithms compared to the remote gateway.

B.

The Diffie-Hellman group does not match on the local and remote gateways.

C.

The proposal ID does not match between local and remote gateways.

D.

The encapsulation method for phase 2 is set to none on local and remote gateways.

Buy Now
Questions 14

An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.

Why didn’t the script make any changes to the managed device?

Options:

A.

Commands that start with the # sign are not executed.

B.

CLI scripts will add objects only if they are referenced by policies.

C.

Incomplete commands are ignored in CLI scripts.

D.

Static routes can only be added using TCL scripts.

Buy Now
Questions 15

View the exhibit, which contains the output of a real-time debug, Which statement about this output is true?

Which of the following statements is true regarding this output?

Options:

A.

The requested URL belongs to category ID 255.

B.

The server hostname Is training, fortinet.com.

C.

FortiGate found the requested URL in its local cache.

D.

This web request was inspected using the ftgd-allow web filler profile.

Buy Now
Questions 16

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

Options:

A.

route-reflector enable

B.

route-reflector-server enable

C.

route-reflector-client enable

D.

route-reflector-peer enable

Buy Now
Questions 17

View the global IPS configuration, and then answer the question below.

Which of the following statements is true regarding this configuration?

Options:

A.

IPS will scan every byte in every session.

B.

FortiGate will spawn IPS engine instances based on the system load.

C.

New packets will be passed through without inspection if the IPS socket buffer runs out of memory.

D.

IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

Buy Now
Questions 18

In which two states is a given session categorized as ephemeral? (Choose two.)

Options:

A.

A TCP session waiting for FIN ACK

B.

A UDP session with packets sent and received

C.

A UDP session with only one packet received

D.

A TCP session waiting for the SYN ACK

Buy Now
Questions 19

Examine the partial output from the IKE real time debug shown in the exhibit; then answer the question below.

Why didn’t the tunnel come up?

Options:

A.

IKE mode configuration is not enabled in the remote IPsec gateway.

B.

The remote gateway’s Phase-2 configuration does not match the local gateway’s phase-2 configuration.

C.

The remote gateway’s Phase-1 configuration does not match the local gateway’s phase-1 configuration.

D.

One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.

Buy Now
Questions 20

Refer to the exhibit, which shows partial outputs from two routing debug commands.

Why is the port2 default route not in the second command output?

Options:

A.

The port2 interface is disabled in the FortiGate configuration.

B.

The port1 default route has a lower distance than the default route using port2.

C.

The port1 default route has a higher priority value than the default route using port2.

D.

The port1 default route has a lower priority value than the default route using port2.

Buy Now
Questions 21

The CLI command set intelligent-mode controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

Options:

A.

Determines the optimal number of IPS engines required based on system load.

B.

Downloads signatures on demand from FDS based on scanning requirements.

C.

Determines when it is secure enough to stop scanning session traffic.

D.

Choose a matching algorithm based on available memory and the type of inspection being performed.

Buy Now
Questions 22

View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

Options:

A.

FortiGate will exempt the connection based on the Web Content Filter configuration.

B.

FortiGate will block the connection based on the URL Filter configuration.

C.

FortiGate will allow the connection based on the FortiGuard category based filter configuration.

D.

FortiGate will block the connection as an invalid URL.

Buy Now
Questions 23

Which the following events can trigger the election of a new primary unit in a HA cluster? (Choose two.)

Options:

A.

Primary unit stops sending HA heartbeat keepalives.

B.

The FortiGuard license for the primary unit is updated.

C.

One of the monitored interfaces in the primary unit is disconnected.

D.

A secondary unit is removed from the HA cluster.

Buy Now
Questions 24

Examine the output of the ‘diagnose sys session list expectation’ command shown in the exhibit; than answer the question below.

Which statement is true regarding the session in the exhibit?

Options:

A.

It was created by the FortiGate kernel to allow push updates from FotiGuard.

B.

It is for management traffic terminating at the FortiGate.

C.

It is for traffic originated from the FortiGate.

D.

It was created by a session helper or ALG.

Buy Now
Exam Code: NSE7_EFW-7.0
Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.0
Last Update: Dec 21, 2024
Questions: 163

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99