NSE7_EFW-6.4 Exam Details

  • Exam Code: NSE7_EFW-6.4
  • Exam Name: Fortinet NSE 7 - Enterprise Firewall 6.4
  • Certification: Fortinet Certifications
  • Vendor: Fortinet
  • Total Questions: 122 Q&As
  • Last Updated: May 29, 2026

Fortinet NSE7_EFW-6.4 Online Questions & Answers

  • Question 111:

    Which two conditions must be met for a static route to be active in the routing table? (Choose two.)

    A. The link health monitor (if configured) is up.
    B. There is no other route, to the same destination, with a higher distance.
    C. The outgoing interface is up.
    D. The next-hop IP address is up.

  • Question 112:

    View the IPS exit log, and then answer the question below.

    # diagnose test application ipsmonitor 3
    ipsengine exit log:
    pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017
    code = 11, reason: manual

    What is the status of IPS on this FortiGate?

    A. IPS engine memory consumption has exceeded the model-specific predefined value.
    B. IPS daemon experienced a crash.
    C. There are communication problems between the IPS engine and the management database.
    D. All IPS-related features have been disabled in FortiGate's configuration.

  • Question 113:

    Examine the following traffic log; then answer the question below.

    date=20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri=critical vd=root service=kernel status=failure msg="NAT port is exhausted."

    What does the log mean?

    A. There is not enough available memory in the system to create a new entry in the NAT port table.
    B. The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.
    C. FortiGate does not have any available NAT port for a new connection.
    D. The limit for the maximum number of entries in the NAT port table has been reached.

  • Question 114:

    An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration. The administrator has also enabled the IKE real time debug:

    diagnose debug application ike -1
    diagnose debug enable

    In which order is each step and phase displayed in the debug output each time a new dial-up user is connecting to the VPN?

    A. Phase1; IKE mode configuration; XAuth; phase 2.
    B. Phase1; XAuth; IKE mode configuration; phase2.
    C. Phase1; XAuth; phase 2; IKE mode configuration.
    D. Phase1; IKE mode configuration; phase 2; XAuth.

  • Question 115:

    An administrator added the following IPsec VPN to a FortiGate configuration:

    config vpn ipsec phase1-interface
        edit "RemoteSite"
            set type dynamic
            set interface "port1"
            set mode main
            set psksecret ENC LCVkCiK2E2PhVUzZe
        next
    end
    config vpn ipsec phase2-interface
        edit "RemoteSite"
            set phase1name "RemoteSite"
            set proposal 3des-sha256
        next
    end

    However, the phase 1 negotiation is failing. The administrator executed the IKE real time debug while attempting the IPsec connection. The output is shown in the exhibit.

    What is causing the IPsec problem in phase 1?

    A. The incoming IPsec connection is matching the wrong VPN configuration
    B. The phase-1 mode must be changed to aggressive
    C. The pre-shared key is wrong
    D. NAT-T settings do not match

  • Question 116:

    Examine the output from the 'diagnose vpn tunnel list' command shown in the exhibit; then answer the question below.

    Which command can be used to sniff the ESP traffic for the VPN DialUP_0?

    A. diagnose sniffer packet any 'port 500'
    B. diagnose sniffer packet any 'esp'
    C. diagnose sniffer packet any 'host 10.0.10.10'
    D. diagnose sniffer packet any 'port 4500'

  • Question 117:

    View the exhibit, which contains the output of get sys ha status, and then answer the question below.

    Which statements are correct regarding the output? (Choose two.)

    A. The slave configuration is not synchronized with the master.
    B. The HA management IP is 169.254.0.2.
    C. Master is selected because it is the only device in the cluster.
    D. port 7 is used for the HA heartbeat on all devices in the cluster.

  • Question 118:

    A FortiGate is rebooting unexpectedly without any apparent reason. What troubleshooting tools could an administrator use to get more information about the problem? (Choose two.)

    A. Firewall monitor.
    B. Policy monitor.
    C. Logs.
    D. Crashlogs.

  • Question 119:

    When does a RADIUS server send an Access-Challenge packet?

    A. The server does not have the user credentials yet.
    B. The server requires more information from the user, such as the token code for two-factor authentication.
    C. The user credentials are wrong.
    D. The user account is not found in the server.

  • Question 120:

    Which statement about NGFW policy-based application filtering is true?

    A. After the application has been identified, the kernel uses only the Layer 4 header to match the traffic.
    B. The IPS security profile is the only security option you can apply to the security policy with the action set to ACCEPT.
    C. After IPS identifies the application, it adds an entry to a dynamic ISDB table.
    D. FortiGate will drop all packets until the application can be identified.
