Exam Details

  • Exam Code: NSE7_EFW-6.4
  • Exam Name: Fortinet NSE 7 - Enterprise Firewall 6.4
  • Certification: Fortinet Certification
  • Vendor: Fortinet
  • Total Questions: 122 Q&As
  • Last Updated: May 11, 2024

Fortinet Fortinet Certification NSE7_EFW-6.4 Questions & Answers

  • Question 1:

    A corporate network allows Internet access to FSSO users only. The FSSO user student does not have Internet access after successfully logging into the Windows AD network. The output of the 'diagnose debug authd fsso list' command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

    A. The user student must not be listed in the CA's ignore user list.

    B. The user student must belong to one or more of the monitored user groups.

    C. The student workstation's IP subnet must be listed in the CA's trusted list.

    D. At least one of the student's user groups must be allowed by a FortiGate firewall policy.

  • Question 2:

    An administrator cannot connect to the GUI of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:

    Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

    A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

    B. Redirection of HTTP to HTTPS administrative access is disabled.

    C. HTTP administrative access is configured with a port number different than 80.

    D. The packet is denied because of reverse path forwarding check.

  • Question 3:

    The logs in a FSSO collector agent (CA) are showing the following error: failed to connect to registry: PIKA1026 (192.168.12.232)

    What can be the reason for this error?

    A. The CA cannot resolve the name of the workstation.

    B. The FortiGate cannot resolve the name of the workstation.

    C. The remote registry service is not running in the workstation 192.168.12.232.

    D. The CA cannot reach the FortiGate with the IP address 192.168.12.232.

  • Question 4:

    When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?

    A. FortiGate uses CN information from the Subject field in the server's certificate.

    B. FortiGate switches to the full SSL inspection method to decrypt the data.

    C. FortiGate blocks the request without any further inspection.

    D. FortiGate uses the requested URL from the user's web browser.

  • Question 5:

    Refer to the exhibit, which contains the partial output of a diagnose command.

    Based on the output, which two statements are correct? (Choose two.)

    A. Anti-replay is enabled

    B. The remote gateway IP is 10.200.4.1.

    C. DPD is disabled.

    D. Quick mode selectors are disabled.

  • Question 6:

    A FortiGate's port1 is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related to this traffic? (Choose two.)

    A. Both sessions have the local flag on.

    B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.

    C. One session has the proxy flag on, the other one does not.

    D. One of the sessions has the IP address of port2 as the source IP address.

  • Question 7:

    Which two conditions must be met for a static route to be active in the routing table? (Choose two.)

    A. The link health monitor (if configured) is up.

    B. There is no other route, to the same destination, with a higher distance.

    C. The outgoing interface is up.

    D. The next-hop IP address is up.

  • Question 8:

    An LDAP user cannot authenticate against a FortiGate device. Examine the real time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.

    Based on the output in the exhibit, what can cause this authentication problem?

    A. User student is not found in the LDAP server.

    B. User student is using a wrong password.

    C. The FortiGate has been configured with the wrong password for the LDAP administrator.

    D. The FortiGate has been configured with the wrong authentication schema.

  • Question 9:

    Which two statements about an auxiliary session are true? (Choose two.)

    A. With the auxiliary session setting enabled, ECMP traffic is accelerated to the NP6 processor.

    B. With the auxiliary session setting enabled, two sessions will be created in case of routing change.

    C. With the auxiliary session setting disabled, for each traffic path, FortiGate will use the same auxiliary session.

    D. With the auxiliary session disabled, only auxiliary sessions will be offloaded.

  • Question 10:

    Examine the output from the 'diagnose vpn tunnel list' command shown in the exhibit; then answer the question below.

    Which command can be used to sniff the ESP traffic for the VPN DialUP_0?

    A. diagnose sniffer packet any 'port 500'

    B. diagnose sniffer packet any 'esp'

    C. diagnose sniffer packet any 'host 10.0.10.10'

    D. diagnose sniffer packet any 'port 4500'
