Exam Details

  • Exam Code: NSE7_EFW-7.0
  • Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.0
  • Certification: Fortinet Certifications
  • Vendor: Fortinet
  • Total Questions: 163 Q&As
  • Last Updated: Jun 11, 2025

Fortinet Fortinet Certifications NSE7_EFW-7.0 Questions & Answers

  • Question 151:

    Refer to the exhibit, which contains the debug output of diagnose dvm device list.

    Which two statements about the output shown in the exhibit are correct? (Choose two.)

    A. ADOMs are disabled on the FortiManager.

    B. The FortiGate configuration is in sync with latest running revision history.

    C. There are pending device-level changes yet to be installed on Local-FortiGate.

    D. The policy package has been modified for Local-FortiGate.

  • Question 152:

    Examine the output from the 'diagnose debug authd fsso list' command; then answer the question below.

    # diagnose debug authd fsso list
    --FSSO logons-
    IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/USERS Workstation: INTERNAL2.TRAINING.LAB

    The IP address 192.168.3.1 is NOT the one used by the workstation INTERNAL2.TRAINING.LAB.

    What should the administrator check?

    A. The IP address recorded in the logon event for the user STUDENT.

    B. The DNS name resolution for the workstation name INTERNAL2.TRAINING.LAB.

    C. The source IP address of the traffic arriving to the FortiGate from the workstation INTERNAL2.TRAINING.LAB.

    D. The reverse DNS lookup for the IP address 192.168.3.1.

  • Question 153:

    Refer to the exhibit, which contains the output of a BGP debug command.

    Which statement about the exhibit is true?

    A. The local router has received a total of three BGP prefixes from all peers.

    B. The local router has not established a TCP session with 100.64.3.1.

    C. Since the counters were last reset, the 10.200.3.1 peer has never been down.

    D. The local router BGP state is OpenConfirm with the 10.127.0.75 peer.

  • Question 154:

    View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

    The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

    However, the IKE real time debug does not show any output. Why?

    A. The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.

    B. The log-filter setting was set incorrectly. The VPN's traffic does not match this filter.

    C. The debug shows only error messages. If there is no output, then the tunnel is operating normally.

    D. The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

  • Question 155:

    Which two statements about application-layer test commands are true? (Choose two.)

    A. Some of them display real-time application debugs.

    B. Some of them can be used to restart an application.

    C. Some of them display statistics and configuration information about a feature or process.

    D. Some of them display output only after you run the diagnose debug console enable command.

  • Question 156:

    How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)

    A. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.

    B. When run on the Device Database, changes are applied directly to the managed FortiGate device.

    C. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

    D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device.

  • Question 157:

    Which two statements about the Security Fabric are true? (Choose two.)

    A. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.

    B. Only the root FortiGate sends logs to FortiAnalyzer.

    C. Only FortiGate devices with fabric-object-unification set to default will receive and synchronize global CMDB objects sent by the root FortiGate.

    D. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

  • Question 158:

    Refer to the exhibit, which contains partial output from an IKE real-time debug.

    Why did the tunnel not come up?

    A. The local gateway has configured less secure encryption and hashing algorithms compared to the remote gateway.

    B. The Diffie-Hellman group does not match on the local and remote gateways.

    C. The proposal ID does not match between local and remote gateways.

    D. The encapsulation method for phase 2 is set to none on local and remote gateways.

  • Question 159:

    Which two statements about bulk configuration changes made using FortiManager CLI scripts are correct? (Choose two.)

    A. When run on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate device.

    B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

    C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.

    D. When run on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate device.

  • Question 160:

    Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

    Based on the output, which two statements are correct? (Choose two.)

    A. Phase 2 authentication is set to sha1 on both sides.

    B. Anti-replay is disabled.

    C. Hub2Spoke1 is a policy-based VPN.

    D. Hub2Spoke1 is configured on interface wan2.
