Fortinet NSE7_EFW-7.2 Online Practice Questions and Exam Preparation
NSE7_EFW-7.2 Exam Details
Exam Code: NSE7_EFW-7.2
Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.2
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 80 Q&As
Last Updated: May 26, 2026
Fortinet NSE7_EFW-7.2 Online Questions & Answers
Question 21:
In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)
A. It can be configured as an update server, a rating server, or both.
B. It provides VM license validation services.
C. It supports rating requests from non-FortiGate devices.
D. It caches available firmware updates for unmanaged devices.

A. It can be configured as an update server, a rating server, or both.
B. It provides VM license validation services.

Explanation/Reference: When deployed as a local FortiGuard Distribution Server (FDS), FortiManager functions in several capacities. It can act as an update server, a rating server, or both, providing firmware updates and FortiGuard database updates. Additionally, it plays a crucial role in VM license validation services, ensuring that the connected FortiGate devices are operating with valid licenses. However, it does not support rating requests from non-FortiGate devices, nor does it cache firmware updates for unmanaged devices.
Fortinet FortiOS Handbook: FortiManager as a Local FDS Configuration
Question 22:
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
A. Dead peer detection is set to enable.
B. The IKE version is 2.
C. Both IPsec SAs are loaded on the kernel.
D. Forward error correction in phase 2 is set to enable.

B. The IKE version is 2.
C. Both IPsec SAs are loaded on the kernel.

From the command output shown in the exhibit:
B. The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C. Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
Question 23:
Exhibit.
Refer to the exhibit, which contains an ADVPN network diagram and a partial BGP configuration. Which two parameters should you configure in config neighbor range? (Choose two.)
A. set prefix 172.16.1.0 255.255.255.0
B. set route reflector-client enable
C. set neighbor-group advpn
D. set prefix 10.1.0 255.255.254.0

A. set prefix 172.16.1.0 255.255.255.0
C. set neighbor-group advpn

Explanation/Reference: In the ADVPN configuration for BGP, you should specify the prefix that the neighbors can advertise. Option A is correct as you would configure the BGP network prefix that should be advertised to the neighbors, which matches the BGP network in the diagram. Option C is also correct since you should reference the neighbor group configured for the ADVPN setup within the BGP configuration.
Question 24:
Exhibit.
Refer to the exhibit, which contains an active-active load balancing scenario.
During the traffic flow the primary FortiGate forwards the SYN packet to the secondary FortiGate.
What is the destination MAC address or addresses when packets are forwarded from the primary FortiGate to the secondary FortiGate?
A. Secondary physical MAC port1
B. Secondary virtual MAC port1
C. Secondary virtual MAC port1 then physical MAC port1
D. Secondary physical MAC port2 then virtual MAC port2

A. Secondary physical MAC port1

Explanation/Reference: In an active-active load balancing scenario, when the primary FortiGate forwards the SYN packet to the secondary FortiGate, the destination MAC address would be the secondary's physical MAC on port1, as the packet is being sent over the network and the physical MAC is used for layer 2 transmissions.
Question 25:
Which two statements about the Security Fabric are true? (Choose two.)
A. Each member of the Security Fabric maintains the shared Security Fabric map.
B. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
C. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer.
D. Each FortiGate device in the Security Fabric must have bidirectional FortiTelemetry connectivity.
E. Only FortiGate devices with configuration-sync set to local receive and synchronize the global CMDB objects that the root FortiGate sends.

B. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
D. Each FortiGate device in the Security Fabric must have bidirectional FortiTelemetry connectivity.
Question 26:
Which two statements about ADVPN are true? (Choose two.)
A. You must disable add-route in the hub.
B. All FortiGate devices must be in the same autonomous system (AS).
C. The hub adds routes based on IKE negotiations.
D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

A. You must disable add-route in the hub.
D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.
Question 27:
Which two features are true regarding IPS hardware acceleration? (Choose two.)
A. The cp-accel-mode advanced option is available only on FortiGate devices that have one or more CP8 processors.
B. set np-accel-mode basic will provide fast path for IPS inspected traffic.
C. FortiGate does not support IPSA if the cp-accel-mode is configured as none.
D. Network processors provide pre-IPS anomaly filtering and logging.

A. The cp-accel-mode advanced option is available only on FortiGate devices that have one or more CP8 processors.
B. set np-accel-mode basic will provide fast path for IPS inspected traffic.
Question 28:
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager. An administrator configured the CLI script on FortiManager, but the script failed to apply any changes to the managed device after being executed. What are two reasons why the script did not make any changes to the managed device? (Choose two.)
A. The commands that start with the # sign did not run.
B. Incomplete commands can cause CLI scripts to fail.
C. Static routes can be added using only TCL scripts.
D. CLI scripts must start with #!.

A. The commands that start with the # sign did not run.
B. Incomplete commands can cause CLI scripts to fail.

The commands that start with the # sign did not run because they are treated as comments in the CLI script. Incomplete commands can cause CLI scripts to fail because they are not recognized by the FortiGate device. The other options are incorrect because static routes can be added using CLI or GUI, and CLI scripts do not need to start with #!.
References: Configuring custom scripts | FortiManager 7.2.0 - Fortinet Documentation, section "CLI script syntax".
Question 29:
You configured an address object on the root FortiGate in a Security Fabric. This object is not synchronized with a downstream device. Which two reasons could be the cause? (Choose two.)
A. The address object on the root FortiGate has fabric-object set to disable
B. The root FortiGate has configuration-sync set to enable
C. The downstream FortiGate has fabric-object-unification set to local
D. The downstream FortiGate has configuration-sync set to local

A. The address object on the root FortiGate has fabric-object set to disable
C. The downstream FortiGate has fabric-object-unification set to local

Option A is correct because the address object on the root FortiGate will not be synchronized with the downstream devices if it has fabric-object set to disable. This option controls whether the address object is shared with other FortiGate devices in the Security Fabric or not.
Option C is correct because the downstream FortiGate will not receive the address object from the root FortiGate if it has fabric-object-unification set to local. This option controls whether the downstream FortiGate uses the address objects from the root FortiGate or its own local address objects.
Option B is incorrect because the root FortiGate has configuration-sync set to enable by default, which means that it will synchronize the address objects with the downstream devices unless they are disabled by the fabric-object option.
Option D is incorrect because the downstream FortiGate has configuration-sync set to local by default, which means that it will receive the address objects from the root FortiGate unless they are overridden by the fabric-object-unification option.
References:
1: Group address objects synchronized from FortiManager
2: Security Fabric address object unification
3: Configuration synchronization
4: Configuration synchronization Security Fabric - Fortinet Documentation
Question 30:
What are two functions of automation stitches? (Choose two.)
A. Automation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.
B. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.
C. Automation stitches can be configured on any FortiGate device in a Security Fabric environment.
D. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

A. Automation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.
D. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.