Fortinet Fortinet Certifications NSE7_EFW-7.2 Questions & Answers

• Question 1:

  Refer to the exhibit, which shows a network diagram.

  

  Which protocol should you use to configure the FortiGate cluster?

  A. FGCP in active-passive mode

  B. OFGSP

  C. VRRP

  D. FGCP in active-active mode

  Correct Answer: A

  Given the network diagram and the presence of two FortiGate devices, the Fortinet Gate Clustering Protocol (FGCP) in active-passive mode is the most appropriate for setting up a FortiGate cluster. FGCP supports high availability configurations and is designed to allow one FortiGate to seamlessly take over if the other fails, providing continuous network availability. This is supported by Fortinet documentation for high availability configurations using FGCP.

• Question 2:

  Which two statements about bfd are true? (Choose two)

  A. It can support neighbor only over the next hop in BGP

  B. You can disable it at the protocol level

  C. It works for OSPF and BGP

  D. You must configure n globally only

  Correct Answer: BC

  BFD (Bidirectional Forwarding Detection) is a protocol that can quickly detect failures in the forwarding path between two adjacent devices. You can disable BFD at the protocol level by using the "set bfd disable" command under the OSPF or BGP configuration. BFD works for both OSPF and BGP protocols, as well as static routes and SD-WAN rules. References := BFD | FortiGate / FortiOS 7.2.0 - Fortinet Document Library, section "BFD".

• Question 3:

  Exhibit.

  

  Refer to the exhibit, which shows a partial touting table

  What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

  A. IPSec Tunnel aggregation is configured

  B. net-device is enabled in the tunnel IPSec phase 1 configuration

  C. OSPI is configured to run over IPSec.

  D. add-route is disabled in the tunnel IPSec phase 1 configuration.

  Correct Answer: BD

  Option B is correct because the routing table shows that the tunnel interfaces have a netmask of 255.255.255.255, which indicates that net-device is enabled in the phase 1 configuration. This option allows the FortiGate to use the tunnel interface as a next-hop for routing, without adding a route to the phase 2 destination1. Option D is correct because the routing table does not show any routes to the phase 2 destination networks, which indicates that add-route is disabled in the phase 1 configuration. This option controls whether the FortiGate adds a static route to the phase 2 destination network using the tunnel interface as the gateway2. Option A is incorrect because IPSec tunnel aggregation is a feature that allows multiple phase 2 selectors to share a single phase 1 tunnel, reducing the number of tunnels and improving performance3. This feature is not related to the routing table or the phase 1 configuration. Option C is incorrect because OSPF is a dynamic routing protocol that can run over IPSec tunnels, but it requires additional configuration on the FortiGate and the peer device4. This option is not related to the routing table or the phase 1 configuration. References: =

  1: Technical Tip: `set net-device' new route-based IPsec logic2

  2: Adding a static route5

  3: IPSec VPN concepts6

  4: Dynamic routing over IPsec VPN7

• Question 4:

  Refer to the exhibit, which shows a custom signature.

  

  Which two modifications must you apply to the configuration of this custom signature so that you can save it on FortiGate? (Choose two.)

  A. Add severity.

  B. Add attack_id.

  C. Ensure that the header syntax is F-SBID.

  D. Start options with --.

  Correct Answer: AB

  For a custom signature to be valid and savable on a FortiGate device, it must include certain mandatory fields. Severity is used to specify the level of threat that the signature represents, and attack_id is a unique identifier for the signature. Without these, the signature would not be complete and could not be correctly utilized by the FortiGate's Intrusion Prevention System (IPS).

• Question 5:

  Which two statements about the neighbor-group command are true? (Choose two.)

  A. You can configure it on the GUI.

  B. It applies common settings in an OSPF area.

  C. It is combined with the neighbor-range parameter.

  D. You can apply it in Internal BGP (IBGP) and External BGP (EBGP).

  Correct Answer: BD

  The neighbor-group command in FortiOS allows for the application of common settings to a group of neighbors in OSPF, and can also be used to simplify configuration by applyingcommon settings to both IBGP and EBGP neighbors. This grouping functionality is a part of the FortiOS CLI and is documented in the Fortinet CLI reference.

• Question 6:

  Winch two statements about ADVPN are true? (Choose two)

  A. auto-discovery receiver must be set to enable on the Spokes.

  B. Spoke to-spoke traffic never goes through the hub

  C. lt supports NAI for on-demand tunnels

  D. Routing is configured by enabling add-advpn-route

  Correct Answer: AC

  ADVPN (Auto Discovery VPN) is a feature that allows to dynamically establish direct tunnels (called shortcuts) between the spokes of a traditional Hub and Spoke architecture. The auto-discovery receiver must be set to enable on the spokes to allow them to receive NHRP messages from the hub and other spokes. NHRP (Next Hop Resolution Protocol) is used for on-demand tunnels, which are established when there is traffic between spokes. Routing is configured by enabling add-nhrp-route, not add-advpn- route. References := ADVPN | FortiGate / FortiOS 7.2.0 | Fortinet Document Library, Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

• Question 7:

  Which two statements about the Security fabric are true? (Choose two.)

  A. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnatyzer.

  B. Only the root FortiGate sends logs to FortiAnalyzer

  C. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the toot FortiGate sends

  D. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer

  Correct Answer: BC

  In the Security Fabric, only the root FortiGate sends logs to FortiAnalyzer (B). Additionally, only FortiGate devices withconfiguration-syncenabled receive and synchronize global Central Management Database (CMDB) objects that the root FortiGate sends (C). FortiGate uses the FortiTelemetry protocol to communicate with other FortiGates, not FortiAnalyzer (A). The last option (D) is incorrect as all FortiGates can collect and forward network topology information to FortiAnalyzer. References: FortiOS Handbook - Security Fabric

• Question 8:

  Refer to the exhibit, which shows a network diagram.

  

  Which IPsec phase 2 configuration should you impalement so that only one remote site is connected at any time?

  A. Set route-overlap to allow.

  B. Set single-source to enable

  C. Set route-overlap to either use--new or use-old

  D. Set net-device to enable

  Correct Answer: C

  To ensure that only one remote site is connected at any given time in an IPsec VPN scenario, you should useroute-overlapwith the option to either use-new or use- old. This setting dictates which routes are preferred and how overlaps in

  routes are handled, allowing for one connection to take precedence over the other (C).

  References:

  FortiOS Handbook - IPsec VPN

• Question 9:

  Refer to the exhibit, which contains information about an IPsec VPN tunnel.

  

  What two conclusions can you draw from the command output? (Choose two.)

  A. Dead peer detection is set to enable.

  B. The IKE version is 2.

  C. Both IPsec SAs are loaded on the kernel.

  D. Forward error correction in phase 2 is set to enable.

  Correct Answer: BC

  From the command output shown in the exhibit:

  B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

  C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing. Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.

• Question 10:

  You want to block access to the website ww.eicar.org using a custom IPS signature.

  Which custom IPS signature should you configure?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: D

  Option D is the correct answer because it specifically blocks access to the website "www.eicar.org" using TCP protocol and HTTP service, which are commonly used for web browsing. The other options either use the wrong protocol (UDP), the wrong service (DNS or SSL), or the wrong pattern ("eicar" instead of "www.eicar.org"). References := Configuring custom signatures | FortiGate / FortiOS 7.4.0 - Fortinet Document Library, section "Signature to block access to example.com".