Fortinet Fortinet Certifications NSE7_EFW-7.2 Questions & Answers

• Question 21:

  You want to configure faster failure detection for BGP

  Which parameter should you enable on both connected FortiGate devices?

  A. Ebgp-enforce-multihop

  B. bfd

  C. Distribute-list-in

  D. Graceful-restart

  Correct Answer: B

  BFD (Bidirectional Forwarding Detection) is a protocol that provides fast failure detection for BGP by sending periodic messages to verify the connectivity between two peers1. BFD can be enabled on both connected FortiGate devices by using the command set bfd enable under the BGP configuration2. References: = Technical Tip : FortiGate BFD implementation and examples ..., Configure BGP | FortiGate / FortiOS 7.0.2

  -Fortinet Documentation

• Question 22:

  Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

  A. Enable AD-VPN in IPsec phase 1

  B. Disable add-route on hub

  C. Configure IP addresses on IPsec virtual interlaces

  D. Set protected network to all

  Correct Answer: A

  To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager. References := ADVPN | FortiManager 7.2.0 - Fortinet Documentation

• Question 23:

  Refer to the exhibit, which shows two configured FortiGate devices and peering over FGSP.

  

  The main link directly connects the two FortiGate devices and is configured using the set session-syn-dev command.

  What is the primary reason to configure the main link?

  A. To have both sessions and configuration synchronization in layer 2

  B. To load balance both sessions and configuration synchronization between layer 2 and 3

  C. To have only configuration synchronization in layer 3

  D. To have both sessions and configuration synchronization in layer 3

  Correct Answer: D

  The primary purpose of configuring a main link between the devices is to synchronize session information so that if one unit fails, the other can continue processing traffic without dropping active sessions.

  A.To have both sessions and configuration synchronization in layer 2.This is incorrect because FGSP is used for session synchronization, not configuration synchronization. B.To load balance both sessions and configuration synchronization

  between layer 2 and 3.FGSP does not perform load balancing and is not used for configuration synchronization.

  C.To have only configuration synchronization in layer 3.The main link is not used solely for configuration synchronization.

  D.To have both sessions and configuration synchronization in layer 3.The main link in an FGSP setup is indeed used to synchronize session information across the devices, and it operates at layer 3 since it uses IP addresses to establish the

  peering.

• Question 24:

  Refer to the exhibit.

  

  which contains a partial configuration of the global system. What can you conclude from this output?

  A. NPs and CPs are enabled

  B. Only CPs arc disabled

  C. Only NPs are disabled

  D. NPs and CPs arc disabled

  Correct Answer: D

  The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled. References: FortiOS Handbook - CLI Reference for FortiOS 5.2

• Question 25:

  Which two statements about IKE vision 2 are true? (Choose two.)

  A. Phase 1 includes main mode

  B. It supports the extensible authentication protocol (EAP)

  C. It supports the XAuth protocol.

  D. It exchanges a minimum of four messages to establish a secure tunnel

  Correct Answer: BD

  IKE version 2 supports the extensible authentication protocol (EAP), which allows for more flexible and secure authentication methods1. IKE version 2 also exchanges a minimum of four messages toestablish a secure tunnel, which is more efficient than IKE version 12. References: = IKE settings | FortiClient 7.2.2 - Fortinet Documentation, Technical Tip: How to configure IKE version 1 or 2 ... - Fortinet Community

• Question 26:

  After enabling IPS you receive feedback about traffic being dropped.

  What could be the reason?

  A. Np-accel-mode is set to enable

  B. Traffic-submit is set to disable

  C. IPS is configured to monitor

  D. Fail-open is set to disable

  Correct Answer: D

  Fail-open is a feature that allows traffic to pass through the IPS sensor without inspection when the sensor fails or is overloaded. If fail-open is set to disable, traffic will be dropped in such scenarios1. References: = IPS | FortiGate / FortiOS

  7.2.3 - Fortinet Documentation

  When IPS (Intrusion Prevention System) is configured, iffail-openis set to disable, it means that if the IPS engine fails, traffic will not be allowed to pass through, which can result in traffic being dropped (D). This is in contrast to a fail-open setting, which would allow traffic to bypass the IPS engine if it is not operational.

• Question 27:

  Which two statements about metadata variables are true? (Choose two.)

  A. You create them on FortiGate

  B. They apply only to non-firewall objects.

  C. The metadata format is $.

  D. They can be used as variables in scripts

  Correct Answer: AD

  Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs. Fortinet FortiOS Handbook: CLI Reference

• Question 28:

  Refer to the exhibit, which shows the output of a BGP summary.

  

  What two conclusions can you draw from this BGP summary? (Choose two.)

  A. External BGP (EBGP) exchanges routing information.

  B. The BGP session with peer 10. 127. 0. 75 is established.

  C. The router 100. 64. 3. 1 has the parameter bfd set to enable.

  D. The neighbors displayed are linked to a local router with the neighbor-range set to a value of 4.

  Correct Answer: AB

  The output of the BGP (Border Gateway Protocol) summary shows details about the BGP neighbors of a router, their Autonomous System (AS) numbers, the state of the BGP session, and other metrics like messages received and sent.

  From the BGP summary provided:

  A.External BGP (EBGP) exchanges routing information.This conclusion can be inferred because the AS numbers for the neighbors are different from the local AS number (65117), which suggests that these are external connections. B.The

  BGP session with peer 10.127.0.75 is established.This is indicated by the state/prefix received column showing a numeric value (1), which typically means that the session is established and a number of prefixes has been received. C.The

  router 100.64.3.1 has the parameter bfd set to enable.This cannot be concluded directly from the summary without additional context or commands specifically showing BFD (Bidirectional Forwarding Detection) configuration. D.The neighbors

  displayed are linked to a local router with the neighbor-range set to a value of 4.The neighbor-range concept does not apply here; the value 4 in the 'V' column stands for the BGP version number, which is typically 4.

• Question 29:

  Which configuration can be used to reduce the number of BGP sessions in on IBGP network?

  A. Route-reflector-peer enable

  B. Route-reflector-client enable

  C. Route-reflector enable

  D. Route-reflector-server enable

  Correct Answer: B

  To reduce the number of BGP sessions in an IBGP network, you can use a route reflector, which acts as a focal point for IBGP sessions and readvertises the prefixes to all other peers. To configure a route reflector, you need to enable the route-reflector- client option on the neighbor-group settings of the hub device. This will make the hub device act as a route reflector server and the other devices as route reflector clients. References := Route exchange | FortiGate / FortiOS

  7.2.0 - Fortinet Documentation

• Question 30:

  Which two statements about ADVPN are true? (Choose two.)

  A. You must disable add-route in the hub.

  B. AllFortiGate devices must be in the same autonomous system (AS).

  C. The hub adds routes based on IKE negotiations.

  D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

  Correct Answer: CD

  C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes. D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels. These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.