Fortinet NSE7_EFW-7.2 Online Practice
Questions and Exam Preparation
NSE7_EFW-7.2 Exam Details
Exam Code
:NSE7_EFW-7.2
Exam Name
:Fortinet NSE 7 - Enterprise Firewall 7.2
Certification
:Fortinet Certifications
Vendor
:Fortinet
Total Questions
:80 Q&As
Last Updated
:Jul 15, 2026
Fortinet NSE7_EFW-7.2 Online Questions &
Answers
Question 1:
Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)
A. OSPF peer interface must have same cost value B. OSPF peer interface must have same MTU size C. OSPF peer interface must have same Hello and Wait time D. OSPF peer interface must have same Hello and Dead time E. OSPF peer interfaces must have same network and mask
B. OSPF peer interface must have same MTU size D. OSPF peer interface must have same Hello and Dead time E. OSPF peer interfaces must have same network and mask
Question 2:
Exhibit.
Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.
Which two parameters must you configure on the corresponding single hub? (Choose two.)
A. Set auto-discovery-sender enable B. Set ike-version 2 C. Set auto-discovery-forwarder enable D. Set auto-discovery-receiver enable
A. Set auto-discovery-sender enable B. Set ike-version 2
Question 3:
How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)
A. When run on the Device Database, changes are applied directly to the managed FortiGate device. B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation. C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history. D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device.
B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation. D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device.
Question 4:
Refer to the exhibit, which shows a custom signature.
Which two modifications must you apply to the configuration of this custom signature so that you can save it on FortiGate? (Choose two.)
A. Add severity. B. Add attack_id. C. Ensure that the header syntax is F-SBID. D. Start options with --.
A. Add severity. C. Ensure that the header syntax is F-SBID. Explanation Explanation/Reference:For a custom signature to be valid and savable on a FortiGate device, it must include certain mandatory fields. Severity is used to specify the level of threat that the signature represents, and attack_id is a unique identifier for the signature. Without these, the signature would not be complete and could not be correctly utilized by the FortiGate's Intrusion Prevention System (IPS).
Question 5:
Which two statements about the BFD parameter in BGP are true? (Choose two.)
A. It allows failure detection in less than one second. B. The two routers must be connected to the same subnet. C. It is supported for neighbors over multiple hops. D. It detects only two-way failures.
A. It allows failure detection in less than one second. C. It is supported for neighbors over multiple hops. Bidirectional Forwarding Detection (BFD) is a rapid protocol for detecting failures in the forwarding path between two adjacent routers, including interfaces, data links, and forwarding planes. BFD is designed to detect forwarding path failures in a very short amount of time, often less than one second, which is significantly faster than traditional failure detection mechanisms like hold-down timers in routing protocols. Fortinet supports BFD for BGP, and it can be used over multiple hops, which allows the detection of failures even if the BGP peers are not directly connected. This functionality enhances the ability to maintain stable BGP sessions over a wider network topology and is documented in Fortinet's guides.
Question 6:
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?
A. Based on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated. B. On NGFW-A, the configuration was changed and spokes are wailing for an autoupdate. C. On both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database. D. Spoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.
B. On NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.
Question 7:
An administrator configured the following command on FortiGate config router ospf sec reszart-mode graceful-restart Which two statements correctly describe the result of the above command? (Choose two.)
A. FortiGate is configured with graceful restart and will exit graceful mode, if the network topology changes B. After the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router C. The OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode D. In an HA cluster FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover
B. After the default 40 seconds wait time the OSPF neighbors will resume communication with the restarting router C. The OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode
Question 8:
Refer to the exhibit, which shows an ADVPN network,
An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.
What must the administrator configure in the phase 1 VPN IPSEC configuration of the Hub2 b tunnels?
A. set auto-discovery-sender enable B. set auto-discovery-forwarder enable C. set add-route enable D. set auto-discovery-receiver enable
B. set auto-discovery-forwarder enable
Question 9:
Exhibit.
Refer to the exhibit, which shows an ADVPN network.
The client behind Spoke-1 generates traffic to the device located behind Spoke-2.
Which first message floes the hub send to Spoke-110 bring up the dynamic tunnel?
A. Shortcut query B. Shortcut reply C. Shortcut offer D. Shortcut forward
C. Shortcut offer
Question 10:
Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?
A. Enable AD-VPN in IPsec phase 1 B. Disable add-route on hub C. Configure IP addresses on IPsec virtual interfaces D. Set protected network to all
A. Enable AD-VPN in IPsec phase 1 To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager. References: ADVPN | FortiManager 7.2.0 - Fortinet Documentation
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Fortinet exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your NSE7_EFW-7.2 exam preparations
and Fortinet certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.