Fortinet Fortinet Certifications NSE7_EFW-6.4 Questions & Answers

• Question 51:

  View the exhibit, which contains the output of diagnose sys session list, and then answer the question below.

  

  If the HA ID for the primary unit is zero (0), which statement is correct regarding the output?

  A. This session is for HA heartbeat traffic.

  B. This session is synced with the slave unit.

  C. The inspection of this session has been offloaded to the slave unit.

  D. This session cannot be synced with the slave unit.

  Correct Answer: B

• Question 52:

  Refer to the exhibit, which shows the output of a debug command.

  

  Which two statements about the output are true? (Choose two.)

  A. The local FortiGate OSPF router ID is 0.0.0.4.

  B. Port4 is connected to the OSPF backbone area.

  C. In the network connected to port4, two OSPF routers are down.

  D. The local FortiGate is the backup designated router.

  Correct Answer: AB

  Area 0.0.0.0 is the backbone area.

• Question 53:

  Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)

  A. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.

  B. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.

  C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.

  D. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

  Correct Answer: BD

  CLI scripts can be run in three different ways:Device Database: By default, a script is executed on the device database. It is recommend you run the changes on the device database (default setting), as this allows you to check what configuration changes you will send to the managed device. Once scripts are run on the device database, you can install these changes to a managed device using the installation wizard. Policy Package, ADOM database: If a script contains changes related to ADOM level objects andpolicies, you can change the default selection to run on Policy Package, ADOM database and can then be installed using the installation wizard. Remote FortiGate directly (through CLI): A script can be executed directly on the device and you don't need to install these changes using the installation wizard. As the changes are directly installed on the managed device, no option is provided to verify and check the configuration changes through FortiManager prior to executing it.

• Question 54:

  Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?

  A. FortiGate limits the number of simultaneous sessions per explicit web proxy user. This limit CANNOT be modified by the administrator.

  B. FortiGate limits the total number of simultaneous explicit web proxy users.

  C. FortiGate limits the number of simultaneous sessions per explicit web proxy user The limit CAN be modified by the administrator

  D. FortiGate limits the number of workstations that authenticate using the same web proxy user credentials. This limit CANNOT be modified by the administrator.

  Correct Answer: B

  Explanation: https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-WAN-opt- 52/ web_proxy.htm#Explicit2 The explicit proxy does not limit the number of active sessions for each user. As a result the actual explicit proxy session count is usually much higher than the number of explicit web proxy users. If an excessive number of explicit web proxy sessions is compromising system performance you can limit the amount of users if the FortiGate unit is operating with multiple VDOMs.

• Question 55:

  View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

  

  The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

  A. Change phase 1 encryption to 3DES and authentication to SHA128.

  B. Change phase 1 encryption to AES128 and authentication to SHA512.

  C. Change phase 1 encryption to AESCBC and authentication to SHA2.

  D. Change phase 1 encryption to AES256 and authentication to SHA256.

  Correct Answer: D

• Question 56:

  Examine the output of the `get router info bgp summary' command shown in the exhibit; then answer the question below.

  

  Which statement can explain why the state of the remote BGP peer 10.200.3.1 is Connect?

  A. The local peer is receiving the BGP keepalives from the remote peer but it has not received any BGP prefix yet.

  B. The TCP session for the BGP connection to 10.200.3.1 is down.

  C. The local peer has received the BGP prefixed from the remote peer.

  D. The local peer is receiving the BGP keepalives from the remote peer but it has not received the OpenConfirm yet.

  Correct Answer: B

  http://www.ciscopress.com/articles/article.asp?p=2756480andseqNum=4

• Question 57:

  

  Refer to the exhibit, which contains the output of get system ha status. Which two statements about the output are true? (Choose two.)

  A. The slave configuration is synchronized with the master.

  B. port7 is used as the HA heartbeat on all devices in the cluster.

  C. Primary is selected based on the priority configured under config system ha.

  D. The HA management IP is 169.254.0.2.

  Correct Answer: BC

• Question 58:

  An administrator is running the following sniffer in a FortiGate:

  diagnose sniffer packet any "host 10.0.2.10" 2

  What information is included in the output of the sniffer? (Choose two.)

  A. Ethernet headers.

  B. IP payload.

  C. IP headers.

  D. Port names.

  Correct Answer: BC

  https://kb.fortinet.com/kb/documentLink.do?externalID=11186

• Question 59:

  An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit. The administrator decides to enable the setting link- failed-signal to fix the problem. Which statement is correct regarding this command?

  A. Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.

  B. Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.

  C. Sends a link failed signal to all connected devices.

  D. Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.

  Correct Answer: A

• Question 60:

  Which statement is true regarding File description (FD) conserve mode?

  A. IPS inspection is affected when FortiGate enters FD conserve mode.

  B. A FortiGate enters FD conserve mode when the amount of available description is less than 5%.

  C. FD conserve mode affects all daemons running on the device.

  D. Restarting the WAD process is required to leave FD conserve mode.

  Correct Answer: B