1. Home
  2. Fortinet
  3. NSE7_EFW-7.0

Fortinet NSE 7 - Enterprise Firewall 7.0

Exam Details

  • Exam Code
    :NSE7_EFW-7.0
  • Exam Name
    :Fortinet NSE 7 - Enterprise Firewall 7.0
  • Certification
    :Fortinet Certifications
  • Vendor
    :Fortinet
  • Total Questions
    :163 Q&As
  • Last Updated
    :Jun 11, 2025

Fortinet Fortinet Certifications NSE7_EFW-7.0 Questions & Answers

  • Question 51:

    An administrator has been assigned the task of creating a set of firewall policies which must be evaluated before any custom policies defined within the policy packages of managed FortiGate devices, across all 25 ADOMSs in FortiManager. How should the administrator accomplish this task?

    A. Create a footer policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this footer policy to all other ADOMs.

    B. Create a header policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this header policy to all other ADOMs.

    C. Move the FortiGate devices into a single globally scoped ADOM, and merge policy packages, inserting the new firewall policies at the top.

    D. Use a CLI script from the root ADOM on FortiManager to push these new policies to all FortiGate devices, through the FGFM tunnel.

  • Question 52:

    Which statement about NGFW policy-based application filtering is true?

    A. After the application has been identified, the kernel uses only the Layer 4 header to match the traffic.

    B. The IPS security profile is the only security option you can apply to the security policy with the action set to ACCEPT.

    C. After IPS identifies the application, it adds an entry to a dynamic ISDB table.

    D. FortiGate will drop all packets until the application can be identified.

  • Question 53:

    An administrator added the following Ipsec VPN to a FortiGate configuration: configvpn ipsec phasel -interface edit "RemoteSite" set type dynamic set interface "portl" set mode main set psksecret ENC LCVkCiK2E2PhVUzZe next end config vpn ipsec phase2-interface edit "RemoteSite" set phasel name "RemoteSite" set proposal 3des-sha256 next end However, the phase 1 negotiation is failing. The administrator executed the IKF real time debug while attempting the Ipsec connection. The output is shown in the exhibit.

    What is causing the IPsec problem in the phase 1 ?

    A. The incoming IPsec connection is matching the wrong VPN configuration

    B. The phrase-1 mode must be changed to aggressive

    C. The pre-shared key is wrong

    D. NAT-T settings do not match

  • Question 54:

    Refer to the exhibit, which shows the output of diagnose sys session list.

    If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the primary?

    A. Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.

    B. The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.

    C. The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.

    D. The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.

  • Question 55:

    Which statement about memory conserve mode is true?

    A. A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.

    B. A FortiGate starts dropping all the new and old sessions when the configured memory use threshold reaches extreme.

    C. A FortiGate starts dropping new sessions when the configured memory use threshold reaches red

    D. A FortiGate enters conserve mode when the configured memory use threshold reaches red

  • Question 56:

    Which two conditions would prevent a static route from being added to the routing table? (Choose two.)

    A. There is another other route to the same destination, with a lower distance.

    B. The route has a lower priority value than another route to the same destination.

    C. The next-hop IP address is unreachable.

    D. The interface specified in the route configuration is down

  • Question 57:

    Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network.

    An administrator would like to test session failover between the two service provider connections.

    What changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)

    A. Configure set snat-route-change enable.

    B. Change the priority of the port2 static route to 5.

    C. Change the priority of the port1 static route to 11.

    D. unset snat-route-change to return it to the default setting.

  • Question 58:

    Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject altemative names (SAN) in the server certificate?

    A. FortiGate uses the CN information from the Subject field in the server certificate.

    B. FortiGate uses the first entry listed in the SAN field in the server certificate.

    C. FortiGate uses the SNI from the user's web browser.

    D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.

  • Question 59:

    Refer to the exhibit, which contains partial outputs from two routing debug commands.

    Why is the port2 default route not in the second command's output?

    A. It has a higher priority value than the default route using port1.

    B. It is disabled in the FortiGate configuration.

    C. It has a lower priority value than the default route using port1.

    D. It has a higher distance than the default route using port1.

  • Question 60:

    Examine the output of the `get router info ospf neighbor' command shown in the exhibit; then answer the question below.

    Which statements are true regarding the output in the exhibit? (Choose two.) Refer to the exhibit, which shows the output of a debug command. Which statement about the output is true?

    A. TheOSPF routers with the IDs 0.0.0.69 and 0.0.0.117 are both designated routers for the war. l network.

    B. The OSPF router with the ID 0.0.0.2 is the designated router for the ToRemote network.

    C. The local FortiGate is the designated router for the wan1 network.

    D. The interface ToRemote is a point-to-point OSPF network.

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Fortinet exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your NSE7_EFW-7.0 exam preparations and Fortinet certification application, do not hesitate to visit our Vcedump.com to find your solutions here.