Refer to the exhibit, which shows a partial web filter profile configuration.
What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?
A. The access is blocked based on the Content Filter configuration
B. The access is allowed based on the FortiGuard Category Based Filter configuration
C. The access is blocked based on the URL Filter configuration
D. The access is blocked if the local or the public FortiGuard server does not reply
Correct Answer: C
The access to www.facebook.com is blocked based on the URL Filter configuration. The exhibit shows that the URL "www.facebook.com" is specifically set to "Block" under the URL Filter section. References: Fortigate: How to configure Web Filter function on Fortigate, Web filter | FortiGate / FortiOS 7.0.2 | Fortinet Document Library, FortiGate HTTPS web URL filtering ... - Fortinet ... - Fortinet Community
Question 12:
Exhibit.
Refer to the exhibit, which contains an active-active load balancing scenario.
During the traffic flow the primary FortiGate forwards the SYN packet to the secondary FortiGate.
What is the destination MAC address or addresses when packets are forwarded from the primary FortiGate to the secondary FortiGate?
A. Secondary physical MAC port1
B. Secondary virtual MAC port1
C. Secondary virtual MAC port1 then physical MAC port1
D. Secondary physical MAC port2 then virtual MAC port2
Correct Answer: A
In an active-active load balancing scenario, when the primary FortiGate forwards the SYN packet to the secondary FortiGate, the destination MAC address would be the secondary's physical MAC on port1, as the packet is being sent over the network and the physical MAC is used for layer 2 transmissions.
Question 13:
Exhibit.
Refer to the exhibit, which contains a partial VPN configuration. What can you conclude from this configuration?
A. FortiGate creates separate virtual interfaces for each dial up client.
B. The VPN should use the dynamic routing protocol to exchange routing information through the tunnels.
C. Dead peer detection is disabled.
D. The routing table shows a single IPSec virtual interface.
Correct Answer: C
The configuration line "set dpd on-idle" indicates that dead peer detection (DPD) is set to trigger only when the tunnel is idle, not actively disabled. References: FortiGate IPSec VPN User Guide - Fortinet Document Library
From the given VPN configuration, dead peer detection (DPD) is set to 'on-idle', indicating that DPD is enabled and will be used to detect if the other end of the VPN tunnel is still alive when no traffic is detected. Hence, option C is incorrect. The configuration shows the tunnel set to type 'dynamic', which does not create separate virtual interfaces for each dial-up client (A), and it is not specified that dynamic routing will be used (B). Since this is a phase 1 configuration snippet, the routing table aspect (D) cannot be concluded from this alone.
Question 14:
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
A. FortiManager provides FortiGuard.
B. fortiguard-anycast is set to enable.
C. You do not have the corresponding write access.
D. udp is not a protocol option.
Correct Answer: D
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Question 15:
Exhibit.
Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices.
Which two conclusions can you draw from this configuration? (Choose two)
A. 10.1.5.254 is the default gateway of the internal network
B. On failover new primary device uses the same MAC address as the old primary
C. The VRRP domain uses the physical MAC address of the primary FortiGate
D. By default FortiGate B is the primary virtual router
Correct Answer: AB
The Virtual Router Redundancy Protocol (VRRP) configuration in the exhibit indicates that 10.1.5.254 is set as the virtual IP (VRIP), commonly serving as the default gateway for the internal network (A). With vrrp-virtual-mac enabled, both FortiGates would use the same virtual MAC address, ensuring a seamless transition during failover (B). The VRRP domain does not use the physical MAC address (C), and the priority settings indicate that FortiGate-A would be the primary router by default due to its higher priority (D).
Question 16:
Which two statements about the BFD parameter in BGP are true? (Choose two.)
A. It allows failure detection in less than one second.
B. The two routers must be connected to the same subnet.
C. It is supported for neighbors over multiple hops.
D. It detects only two-way failures.
Correct Answer: AC
Bidirectional Forwarding Detection (BFD) is a rapid protocol for detecting failures in the forwarding path between two adjacent routers, including interfaces, data links, and forwarding planes. BFD is designed to detect forwarding path failures in a very short amount of time, often less than one second, which is significantly faster than traditional failure detection mechanisms like hold-down timers in routing protocols. Fortinet supports BFD for BGP, and it can be used over multiple hops, which allows the detection of failures even if the BGP peers are not directly connected. This functionality enhances the ability to maintain stable BGP sessions over a wider network topology and is documented in Fortinet's guides.
Question 17:
Exhibit.
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
A. The port3 network has more than one OSPF router
B. The OSPF routers are in the area ID of 0.0.0.1.
C. The interfaces of the OSPF routers match the MTU value that is configured as 1500.
D. NGFW-1 is the designated router
Correct Answer: AC
From the OSPF interface command output, we can conclude that the port3 network has more than one OSPF router because the Neighbor Count is 2, indicating the presence of another OSPF router besides NGFW-1. Additionally, we can deduce that the interfaces of the OSPF routers match the MTU value configured as 1500, which is necessary for OSPF neighbors to form adjacencies. The MTU mismatch would prevent OSPF from forming a neighbor relationship.
References:
Fortinet FortiOS Handbook: OSPF Configuration
Question 18:
Refer to the exhibits, which show the configurations of two address objects from the same FortiGate.
Why can you modify the Engineering address object, but not the Finance address object?
A. You have read-only access.
B. FortiGate joined the Security Fabric and the Finance address object was configured on the root FortiGate.
C. FortiGate is registered on FortiManager.
D. Another user is editing the Finance address object in workspace mode.
Correct Answer: B
The inability to modify the Finance address object while being able to modify the Engineering address object suggests that the Finance object is being managed by a higher authority in the Security Fabric, likely the root FortiGate. When a FortiGate is part of a Security Fabric, address objects and other configurations may be managed centrally. This aligns with the Fortinet FortiGate documentation on Security Fabric and central management of address objects.
Question 19:
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors. Which can you conclude from this command output?
A. The router are in the number to match the remote peer.
B. You must change the AS number to match the remote peer.
C. BGP is attempting to establish a TCP connection with the BGP peer.
D. The bfd configuration is set to enable.
Correct Answer: C
The BGP state is "Idle", indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet. If the TCP connection fails, the BGP state will reset to either active or idle, depending on the configuration. References: You can find more information about BGP states and troubleshooting in the following Fortinet Enterprise Firewall 7.2 documents: Troubleshooting BGP, How BGP works
Question 20:
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
A. Only some IKE version 2 packets are considered fragmentable.
B. The reassembly timeout default value is 30 seconds.
C. It is performed at the IP layer.
D. The maximum number of IKE version 2 fragments is 128.
Correct Answer: AD
In IKE version 2, not all packets are fragmentable. Only certain messages within the IKE negotiation process can be fragmented. Additionally, there is a limit to the number of fragments that IKE version 2 can handle, which is 128. This is specified in the Fortinet documentation and ensures that the IKE negotiation process can proceed even in networks that have issues with large packets. The reassembly timeout and the layer at which fragmentation occurs are not specified in this context within Fortinet documentation.