Fortinet Fortinet Certifications NSE7_EFW-7.0 Questions & Answers

• Question 21:

  View the exhibit, which contains the output of diagnose sys session stat, and then answer the question below.

  

  Which statements are correct regarding the output shown? (Choose two.)

  A. There are 0 ephemeral sessions.

  B. All the sessions in the session table are TCP sessions.

  C. No sessions have been deleted because of memory pages exhaustion.

  D. There are 166 TCP sessions waiting to complete the three-way handshake.

  Correct Answer: AC

  https://kb.fortinet.com/kb/documentLink.do?externalID=FD40578

• Question 22:

  View the central management configuration shown in the exhibit, and then answer the question below.

  

  Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?

  A. 10.0.1.240

  B. One of the public FortiGuard distribution servers

  C. 10.0.1.244

  D. 10.0.1.242

  Correct Answer: B

• Question 23:

  Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

  

  Based on the output, which two statements are correct? (Choose two.)

  A. The npu_flag for this tunnel is 03.

  B. Different SPI values are a result of auto-negotiation being disabled for phase 2 selectors.

  C. Anti-replay is enabled.

  D. The npu_flag for this tunnel is 02.

  Correct Answer: AC

• Question 24:

  A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS errors when accessing any website. The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

  

  What should the administrator check to fix the problem?

  A. The connectivity between the FortiGate unit and the DNS server.

  B. The connectivity between the client workstations and the DNS server.

  C. That DNS traffic from client workstations is allowed by the explicit web proxy policies.

  D. That DNS service is enabled in the explicit web proxy interface.

  Correct Answer: A

• Question 25:

  Two independent FortiGate HA clusters are connected to the same broadcast domain. The administrator has reported that both clusters are using the same HA virtual MAC address. This creates a duplicated MAC address problem in the network. What HA setting must be changed in one of the HA clusters to fix the problem?

  A. Group ID.

  B. Group name.

  C. Session pickup.

  D. Gratuitous ARPs.

  Correct Answer: A

  https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability- 52/HA_failoverVMAC.htm

• Question 26:

  Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)

  A. SIP session helper runs in the kernel; SIP ALG runs as a user space process.

  B. SIP ALG supports SIP HA failover; SIP helper does not.

  C. SIP ALG supports SIP over IPv6; SIP helper does not.

  D. SIP ALG can create expected sessions for media traffic; SIP helper does not.

  E. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.

  Correct Answer: BCD

• Question 27:

  Refer to the exhibit, which contains a screenshot of some phase 1 settings.

  

  The VPN is not up. To diagnose the issue, the administrator enters the following CLI commands to an SSH session on FortiGate: diagnose vpn ike log-filter dst-addr4 10.0.10.1 diagnose debug application ike -1 However, the IKE real-time debug does not show any output. Why?

  A. The administrator must also run the command diagnose debug enable.

  B. The administrator must enable the following real-time debug: diagnose debug application ipsec -1.

  C. The log-filter setting is incorrect. The VPN traffic does not match this filter.

  D. The debug shows only error messages. If there is no output, then the phase 1 and phase 2 configurations match.

  Correct Answer: A

  Explanation: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN- Diagnostics-Possible-reasons/ta-p/192006

• Question 28:

  Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

  A. Installing configuration changes to managed devices

  B. Importing interface mappings from managed devices

  C. Adding devices to FortiManager

  D. Previewing pending configuration changes for managed devices

  Correct Answer: AD

  Reference: https://docs.fortinet.com/document/fortimanager/6.2.0/administration- guide/668612/using-the-install-wizard-to-install-device-settings-only

• Question 29:

  An LDAP user cannot authenticate against a FortiGate device. Examine the real time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.

  

  Based on the output in the exhibit, what can cause this authentication problem?

  A. User student is not found in the LDAP server.

  B. User student is using a wrong password.

  C. The FortiGate has been configured with the wrong password for the LDAP administrator.

  D. The FortiGate has been configured with the wrong authentication schema.

  Correct Answer: A

• Question 30:

  A FortiGate's portl is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related with this traffic? (Choose two.)

  A. Both session have the local flag on.

  B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.

  C. One session has the proxy flag on, the other one does not.

  D. One of the sessions has the IP address of port2 as the source IP address.

  Correct Answer: AD