Fortinet Fortinet Certifications NSE7_EFW-6.4 Questions & Answers

• Question 11:

  View the exhibit, which contains the output of a real-time debug, Which statement about this output is true?

  

  Which of the following statements is true regarding this output?

  A. The requested URL belongs to category ID 255.

  B. The server hostname Is training, fortinet.com.

  C. FortiGate found the requested URL in its local cache.

  D. This web request was inspected using the ftgd-allow web filler profile.

  Correct Answer: C

• Question 12:

  An administrator added the following Ipsec VPN to a FortiGate configuration: configvpn ipsec phasel -interface edit "RemoteSite" set type dynamic set interface "portl" set mode main set psksecret ENC LCVkCiK2E2PhVUzZe next end config vpn ipsec phase2-interface edit "RemoteSite" set phasel name "RemoteSite" set proposal 3des-sha256 next end However, the phase 1 negotiation is failing. The administrator executed the IKF real time debug while

  attempting the Ipsec connection. The output is shown in the exhibit.

  

  What is causing the IPsec problem in the phase 1 ?

  A. The incoming IPsec connection is matching the wrong VPN configuration

  B. The phrase-1 mode must be changed to aggressive

  C. The pre-shared key is wrong

  D. NAT-T settings do not match

  Correct Answer: C

• Question 13:

  Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

  A. Preview pending configuration changes for managed devices.

  B. Add devices to FortiManager.

  C. Import policy packages from managed devices.

  D. Install configuration changes to managed devices.

  E. Import interface mappings from managed devices.

  Correct Answer: AD

  https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FortiManager_Admin_Guide/1000_Device% 20Manager/1200_install_to%20devices/0400 _Install%20wizard-device%20settings.htm There are 4 main wizards:Add Device: is used to add devices to central management and import their configurations. Install: is used to install configuration changes from Device Manager or Policies and Objects to themanaged devices. It allows you to preview the changes and, if the administrator doesn't agree with the changes, cancel and modify them. Import policy: is used to import interface mapping, policy database, and objects associated with the managed devices into a policy package under the Policy and Object tab. It runs with the Add Device wizard by default and may be run at any time from the managed device list. Re-install policy: is used to perform a quick install of the policy package. It doesn't give the ability to preview the changes that will be installed to the managed device.

• Question 14:

  Exhibits:

  

  Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

  An administrator is trying to configure ADVPN with a hub-spoke VPN setup using iBGP. All the VPNs are

  up and connected to the hub. The hub is receiving route information from both spokes over iBGP;

  however, the spokes are not receiving route information from each other.

  What change must the administrator make to the hub BGP configuration so that the routes learned by one

  spoke are forwarded to the other spokes?

  A. Configure an individual neighbor and remove neighbor-range configuration.

  B. Configure the hub as a route reflector client.

  C. Change the router id to 10.1.0.254.

  D. Make the configuration of remote-as different from the configuration of local-as.

  Correct Answer: B

• Question 15:

  Examine the output of the `get router info ospf interface' command shown in the exhibit; then answer the question below.

  

  Which statements are true regarding the above output? (Choose two.)

  A. The port4 interface is connected to the OSPF backbone area.

  B. The local FortiGate has been elected as the OSPF backup designated router.

  C. There are at least 5 OSPF routers connected to the port4 network.

  D. Two OSPF routers are down in the port4 network.

  Correct Answer: AC

  on BROADCAST network there are 4 neighbors, among which 1*DR +1*BDR. So our FG has 4 neighbors, but create adjacency only with 2 (with DR and BDR). 2 neighbors DRother (not down).

• Question 16:

  Examine the output of the 'diagnose debug rating' command shown in the exhibit; then answer the question below.

  

  Which statement are true regarding the output in the exhibit? (Choose two.)

  A. There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.

  B. The TZ value represents the delta between each FortiGuard server's time zone and the FortiGate's time zone.

  C. FortiGate will send the FortiGuard queries to the server with highest weight.

  D. A server's round trip delay (RTT) is not used to calculate its weight.

  Correct Answer: BC

• Question 17:

  Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)

  A. SIP session helper runs in the kernel; SIP ALG runs as a user space process.

  B. SIP ALG supports SIP HA failover; SIP helper does not.

  C. SIP ALG supports SIP over IPv6; SIP helper does not.

  D. SIP ALG can create expected sessions for media traffic; SIP helper does not.

  E. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.

  Correct Answer: BCD

• Question 18:

  View the exhibit, which contains a session entry, and then answer the question below.

  

  Which statement is correct regarding this session?

  A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.

  B. It is an ICMP session from 10.1.10.10 to 10.200.5.1.

  C. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.

  D. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

  Correct Answer: B

• Question 19:

  What is the purpose of an internal segmentation firewall (ISFW)?

  A. It inspects incoming traffic to protect services in the corporate DMZ.

  B. It is the first line of defense at the network perimeter.

  C. It splits the network into multiple security segments to minimize the impact of breaches.

  D. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

  Correct Answer: C

  ISFW splits your network into multiple security segments. They serve as a breach containers from attacks that come from inside.

• Question 20:

  Which two statements about OCVPN are true? (Choose two.)

  A. Only root vdom supports OCVPN.

  B. OCVPN supports static and dynamic IPs in WAN interface.

  C. OCVPN offers only Hub-Spoke VPNs.

  D. FortiGate devices under different FortiCare accounts can be used to form OCVPN.

  Correct Answer: AB

  Reference: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/977344/one-click-vpn-ocvpn https:// docs.fortinet.com/document/fortigate/6.2.9/cookbook/496884/overlay-controller-vpn- ocvpn