Fortinet Fortinet Certifications NSE7_EFW-7.0 Questions & Answers

• Question 61:

  View the exhibit, which contains the output of a real-time debug, Which statement about this output is true?

  

  Which of the following statements is true regarding this output?

  A. The requested URL belongs to category ID 255.

  B. The server hostname Is training, fortinet.com.

  C. FortiGate found the requested URL in its local cache.

  D. This web request was inspected using the ftgd-allow web filler profile.

  Correct Answer: C

  Example log for no local cache case: #id=93000 msg="pid=57 urlfilter_main-723 in main.c received pkt:count=91 "IPS and WAD will only send request to urlfilter daemon when cache is missed. " So the WAD process by itself found the URL rating in the local cache and didn`t ask for help from the URL process as in the example.

• Question 62:

  An administrator cannot connect to the GIU of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:

  

  Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

  A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

  B. Redirection of HTTP to HTTPS administrative access is disabled.

  C. HTTP administrative access is configured with a port number different than 80.

  D. The packet is denied because of reverse path forwarding check.

  Correct Answer: AC

• Question 63:

  Refer to the exhibit, which shows the output of a diagnose command.

  

  What can be concluded about the debug output in this scenario?

  A. Servers with a negative TZ value are less preferred for rating requests.

  B. There is a natural correlation between the value in the Packets field and the value in the Weight field.

  C. FortiGate used 64.26.151.37 as the initial server to validate its contract.

  D. The first server provided to FortiGate when it performed a DNS query looking for a list of rating servers, was 121.111.236.179.

  Correct Answer: B

• Question 64:

  An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. The administrator decides to enable the setting link- failed-signal to fix the problem.

  Which statement about this setting is true?

  A. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.

  B. It sends a link failed signal to all connected devices.

  C. It disabled all the non-heartbeat interfaces in all HA members for two seconds after a failover.

  D. It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the failover occurs.

  Correct Answer: D

  Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD40860andsliceId=1

• Question 65:

  An administrator has created a VPN community within VPN Manager on FortiManager. They also added gateways to the VPN community and are now trying to create firewall policies to permit traffic over the tunnel; however, the VPN interfaces are not listed as available options.

  What step must the administrator take to resolve this issue?

  A. Install the VPN community and gateway configuration to the FortiGate devices, in order for the interfaces to be displayed within Policy and Objects on FortiManager

  B. Set up all of the phase 1 settings in the VPN community that they neglected to set up initially. The interfaces will be automatically generated after the administrator configures all of the required settings.

  C. Refresh the device status from the Device Manager so that FortiGate will populate the IPsec interfaces.

  D. Create interface mappings for the IPsec VPN interfaces, before they can be used in a policy.

  Correct Answer: A

  Explanation: 1- Create a VPN Community 2- Install VPN Configuration 3- Add IPsec Firewall Policies 4- Install the Policies

• Question 66:

  Which of the following conditions must be met for a static route to be active in the routing table? (Choose three.)

  A. The next-hop IP address is up.

  B. There is no other route, to the same destination, with a higher distance.

  C. The link health monitor (if configured) is up.

  D. The next-hop IP address belongs to one of the outgoing interface subnets.

  E. The outgoing interface is up.

  Correct Answer: CDE

  A configured static route only goes to routing table from routing database when all the following are met : The outgoing interface is up There is no other matching route with a lower distance The link health monitor (if configured) is successful The next-hop IP address belongs to one of the outgoing interface subnets

• Question 67:

  Four FortiGate devices configured for OSPF connected to the same broadcast domain. The first unit is elected as the designated router The second unit is elected as the backup designated router Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

  A. 1

  B. 2

  C. 3

  D. 4

  Correct Answer: B

• Question 68:

  Examine the output of the `diagnose ips anomaly list' command shown in the exhibit; then answer the question below.

  

  Which IP addresses are included in the output of this command?

  A. Those whose traffic matches a DoS policy.

  B. Those whose traffic matches an IPS sensor.

  C. Those whose traffic exceeded a threshold of a matching DoS policy.

  D. Those whose traffic was detected as an anomaly by an IPS sensor.

  Correct Answer: A

• Question 69:

  Refer to the exhibits, which show the configuration on FortiGate and partial session information for internet traffic from a user on the internal network.

  

  If the priority on route ID 2 were changed from 10 to 0, what would happen to traffic matching that user session?

  A. The session would remain in the session table, but its traffic would now egress from both port1 and port2.

  B. The session would remain in the session table, and its traffic would egress from port2.

  C. The session would be deleted, and the client would need to start a new session.

  D. The session would remain in the session table, and its traffic would egress from port1.

  Correct Answer: D

  https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-SNAT-route-change-to- update-existing-NAT/ta-p/198439

• Question 70:

  Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

  A. Neighbor range

  B. Route reflector

  C. Next-hop-self

  D. Neighbor group

  Correct Answer: B

  Route reflectors help to reduce the number of IBGP sessions inside an AS. A route reflector forwards the routers learned from one peer to the other peers. If you configure route reflectors, you dont' need to create a full mesh IBGP network. All clients in a cluster only talck to route reflector to get sync routing updates. Route reflectors pass the routing updates to other route reflectors and border routers within the AS.