Fortinet Fortinet Certifications NSE7 Questions & Answers

• Question 21:

  Examine the following routing table and BGP configuration; then answer the question below.

  

  TheBGP connection is up, but the local peer is NOT advertising the prefix 192.168.1.0/24. Which configuration change will make the local peer advertise this prefix?

  A. Enable the redistribution of connected routers into BGP.

  B. Enable the redistribution of static routers into BGP.

  C. Disable the setting network-import-check.

  D. Enable the setting ebgp-multipath.

  Correct Answer: C

• Question 22:

  Two independent FortiGate HA clusters are connected to the same broadcast domain. The administrator has reported that both clusters are using the same HA virtual MAC address. This creates a duplicated MAC address problem in the network. What HA setting must be changed in one of the HA clusters to fix the problem?

  A. Group ID.

  B. Group name.

  C. Session pickup.

  D. Gratuitous ARPs.

  Correct Answer: A

• Question 23:

  A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have Internet access after successfully logged into the Windows AD network. The output of the `diagnose debug authd fsso list' command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

  A. The user student must not be listed in the CA's ignore user list.

  B. The user student must belong to one or more of the monitored user groups.

  C. The student workstation's IP subnet must be listed in the CA's trusted list.

  D. At least one of the student's user groups must be allowed by a FortiGate firewall policy.

  Correct Answer: BD

• Question 24:

  A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS errors when accessing any website. The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

  

  What should the administrator check to fix the problem?

  A. The connectivity between the FortiGate unit and the DNS server.

  B. The connectivity between the client workstations and the DNS server.

  C. That DNS traffic from client workstations is allowed by the explicit web proxy policies.

  D. That DNS service is enabled in the explicit web proxy interface.

  Correct Answer: AB

• Question 25:

  Examine the output from the 'diagnose debug authd fsso list' command; then answer the question below.

  # diagnose debug authd fsso list --FSSO logons-IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/

  USERS Workstation: INTERNAL2. TRAINING. LAB The IP address 192.168.3.1 is NOT the one used by

  the workstation INTERNAL2. TRAINING.

  LAB.

  What should the administrator check?

  A. The IP address recorded in the logon event for the user STUDENT.

  B. The DNS name resolution for the workstation name INTERNAL2. TRAINING. LAB.

  C. The source IP address of the traffic arriving to the FortiGate from the workstation INTERNAL2. TRAINING. LAB.

  D. The reserve DNS lookup forthe IP address 192.168.3.1.

  Correct Answer: C

• Question 26:

  View the exhibit, which contains a session entry, and then answer the question below.

  

  Which statement is correct regarding this session?

  A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.

  B. It is an ICMP session from 10.1.10.10 to 10.200.5.1.

  C. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.

  D. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

  Correct Answer: A

• Question 27:

  How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a local FDS?

  A. FortiManager can download and maintain local copies of FortiGuard databases.

  B. FortiManager supports only FortiGuard push to managed devices.

  C. FortiManager will respond to update requests only if they originate from a managed device.

  D. FortiManager does not support rating requests.

  Correct Answer: A

• Question 28:

  View the exhibit, which contains the partial output of an IKE real time debug, and then answer the question below.

  

  The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

  A. Change phase 1 encryption to AESCBC and authentication to SHA128.

  B. Change phase 1 encryption to 3DES and authentication to CBC.

  C. Change phase 1 encryption to AES128 and authentication to SHA512.

  D. Change phase 1 encryption to 3DES and authentication to SHA256.

  Correct Answer: C

• Question 29:

  Examine the output of the `get router info ospf neighbor' command shown in the exhibit; then answer the question below.

  

  Which statements are true regarding the output in the exhibit? (Choose two.)

  A. The interface ToRemote is OSPF network type point-to-point.

  B. The OSPF router with the ID 0.0.0.2 is the designated router for the ToRemote network.

  C. The local FortiGate is the backup designated router for the wan1 network.

  D. The OSPF routers with the IDs 0.0.0.69 and 0.0.0.117 are both designated routers for the wan1 network.

  Correct Answer: AC

• Question 30:

  Examine the following traffic log; then answer the question below.

  date-20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri critical vd=root service=kemel status=failure msg="NAT port is exhausted." What does the log mean?

  A. There is not enough available memory in the system to create a new entry in the NAT port table.

  B. The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.

  C. FortiGate does not have any available NAT port for a new connection.

  D. The limit for the maximum number of entries in the NAT port table has been reached.

  Correct Answer: B