Fortinet NSE7_EFW-7.2 Online Practice Questions and Exam Preparation
NSE7_EFW-7.2 Exam Details
Exam Code: NSE7_EFW-7.2
Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.2
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 80 Q&As
Last Updated: May 26, 2026
Fortinet NSE7_EFW-7.2 Online Questions & Answers
Question 11:
Refer to the exhibits, which contain the network topology and BGP configuration for a hub. Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub-and-spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
A. Configure the hub as a route reflector
B. Configure auto-discovery-sender on the hub
C. Add a prefix list to the hub that permits routes to be shared between the spokes
D. Enable route redistribution under config router bgp
Answer: B. Configure auto-discovery-sender on the hub
Question 12:
Which two statements about IKE version 2 are true? (Choose two.)
A. Phase 1 includes main mode
B. It supports the extensible authentication protocol (EAP)
C. It supports the XAuth protocol.
D. It exchanges a minimum of four messages to establish a secure tunnel
Answer: B. It supports the extensible authentication protocol (EAP) D. It exchanges a minimum of four messages to establish a secure tunnel
Question 13:
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the FortiGate output shown in the exhibit? (Choose two.)
A. FortiGate creates separate virtual interfaces for each VPN client.
B. add-route is enabled in the tunnel IPSec phase 1 configuration.
C. FortiGate is not using the destination subnets of the quick mode selectors to populate the routing table.
D. net-device is disabled in the tunnel IPSec phase 1 configuration.
Answer: C. FortiGate is not using the destination subnets of the quick mode selectors to populate the routing table. D. net-device is disabled in the tunnel IPSec phase 1 configuration.
Question 14:
You want to improve reliability over a lossy IPSec tunnel.
Which combination of IPSec phase 1 parameters should you configure?
A. fec-ingress and fec-egress
B. Odpd and dpd-retryinterval
C. fragmentation and fragmentation-mtu
D. keepalive and keylive
Answer: B. Odpd and dpd-retryinterval
Question 15:
Which two statements about metadata variables are true? (Choose two.)
A. You create them on FortiGate
B. They apply only to non-firewall objects.
C. The metadata format is $.
D. They can be used as variables in scripts
Answer: C. The metadata format is $. D. They can be used as variables in scripts
Question 16:
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
A. NPs and CPs are enabled
B. Only CPs are disabled
C. Only NPs are disabled
D. NPs and CPs are disabled
Answer: A. NPs and CPs are enabled
Question 17:
Refer to the exhibit, which shows a network diagram.
Which protocol should you use to configure the FortiGate cluster?
A. FGCP in active-passive mode
B. FGSP
C. VRRP
D. FGCP in active-active mode
Answer: B. FGSP
Explanation/Reference: Given the network diagram and the presence of two FortiGate devices, the FortiGate Clustering Protocol (FGCP) in active-passive mode is the most appropriate for setting up a FortiGate cluster. FGCP supports high availability configurations and is designed to allow one FortiGate to seamlessly take over if the other fails, providing continuous network availability. This is supported by Fortinet documentation for high availability configurations using FGCP.
Question 18:
Refer to the exhibit.
The exhibit shows a prefix list configuration.
What can you conclude from the above prefix-list configuration?
A. The prefix 10.10.0.0/16 will be denied
B. The prefixes 10.10.0/16 and 10.0.0.0/16 will be denied
C. The prefix 10.10.10.0/24 will be permitted
D. The prefix 10.0.0.0/8 will be permitted
Answer: C. The prefix 10.10.10.0/24 will be permitted
Question 19:
Exhibit.
Refer to the exhibit, which contains a partial VPN configuration.
What can you conclude from this configuration?
A. FortiGate creates separate virtual interfaces for each dial-up client.
B. The VPN should use the dynamic routing protocol to exchange routing information through the tunnels.
C. Dead peer detection is disabled.
D. The routing table shows a single IPSec virtual interface.
Answer: D. The routing table shows a single IPSec virtual interface.
The configuration line "set dpd on-idle" indicates that dead peer detection (DPD) is set to trigger only when the tunnel is idle, not actively disabled.
References: FortiGate IPSec VPN User Guide - Fortinet Document Library
From the given VPN configuration, dead peer detection (DPD) is set to 'on-idle', indicating that DPD is enabled and will be used to detect if the other end of the VPN tunnel is still alive when no traffic is detected. Hence, option C is incorrect. The configuration shows the tunnel set to type 'dynamic', which does not create separate virtual interfaces for each dial-up client (A), and it is not specified that dynamic routing will be used (B). Since this is a phase 1 configuration snippet, the routing table aspect (D) cannot be concluded from this alone.
Question 20:
Which statement about network processor (NP) offloading is true?
A. For TCP traffic, FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to NP
B. The NP provides IPS signature matching
C. You can disable the NP for each firewall policy using the command np-acceleration set to loose.
D. The NP checks the session key or IPSec SA