Fortinet NSE7_EFW-7.2 Online Practice Questions and Exam Preparation
NSE7_EFW-7.2 Exam Details
Exam Code: NSE7_EFW-7.2
Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.2
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 80 Q&As
Last Updated: May 26, 2026
Fortinet NSE7_EFW-7.2 Online Questions & Answers
Question 31:
Which two statements about the Security Fabric are true? (Choose two.)
A. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer.
B. Only the root FortiGate sends logs to FortiAnalyzer.
C. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the root FortiGate sends.
D. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
C. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the root FortiGate sends.
D. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
In the Security Fabric, only the root FortiGate sends logs to FortiAnalyzer (B). Additionally, only FortiGate devices with configuration-sync enabled receive and synchronize global Central Management Database (CMDB) objects that the root FortiGate sends (C). FortiGate uses the FortiTelemetry protocol to communicate with other FortiGates, not FortiAnalyzer (A). The last option (D) is incorrect, as all FortiGates can collect and forward network topology information to FortiAnalyzer.
Question 32:
How would the fec-ingress and fec-egress IPsec configuration affect an IPsec tunnel?
A. When an FGSP member in FortiGate fails, FortiGate flushes the corresponding tunnels and sends out dead peer detection probes to find unavailable remote peers.
B. FortiGate will consider all IKEv2 packets as fragmentable.
C. If fragmentation occurs, FortiGate will allow the packets at the IKE layer.
D. FortiGate will add additional redundant information to reconstruct any lost or erratically received packets.
D. FortiGate will add additional redundant information to reconstruct any lost or erratically received packets.
Question 33:
Refer to the exhibit, which shows an ADVPN network.
Which VPN phase 1 parameters must you configure on the hub for the ADVPN feature to function? (Choose two.)
A. set auto-discovery-forwarder enable
B. set add-route enable
C. set auto-discovery-receiver enable
D. set auto-discovery-sender enable
A. set auto-discovery-forwarder enable
C. set auto-discovery-receiver enable
For the ADVPN feature to function properly on the hub, the following phase 1 parameters must be configured:
A. set auto-discovery-forwarder enable: This enables the hub to forward shortcut information to the spokes, which is essential for them to establish direct tunnels.
C. set auto-discovery-receiver enable: This allows the hub to receive shortcut offers from the spokes.
This information is corroborated by the Fortinet documentation, which explains that in an ADVPN setup, the hub must be able to both forward and receive shortcut information for dynamic tunnel creation between spokes.
Question 34:
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
A. Neighbors maintain communication with the restarting router.
B. The router sends grace LSAs before it restarts.
C. FortiGate restarts if the topology changes.
D. The restarting router sends gratuitous ARP for 30 seconds.
C. FortiGate restarts if the topology changes.
From the partial OSPF (Open Shortest Path First) configuration output:
B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes. Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.
Question 35:
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?
A. Route-reflector-peer enable
B. Route-reflector-client enable
C. Route-reflector enable
D. Route-reflector-server enable
B. Route-reflector-client enable
To reduce the number of BGP sessions in an IBGP network, you can use a route reflector, which acts as a focal point for IBGP sessions and readvertises the prefixes to all other peers. To configure a route reflector, you need to enable the route-reflector-client option in the neighbor-group settings of the hub device. This will make the hub device act as a route reflector server and the other devices as route reflector clients.
References: Route exchange | FortiGate / FortiOS 7.2.0 - Fortinet Documentation
Question 36:
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
A. Only the root FortiGate.
B. Each FortiGate in the Security Fabric.
C. The FortiGate devices performing network address translation (NAT) or unified threat management (UTM), if configured.
D. Only the last FortiGate that handled a session in the Security Fabric.
B. Each FortiGate in the Security Fabric.
Option B is correct because each FortiGate in the Security Fabric can send logs to FortiAnalyzer for centralized logging and analysis. This allows you to monitor and manage the entire Security Fabric from a single console and view aggregated reports and dashboards.
Option A is incorrect because the root FortiGate is not the only device that can send logs to FortiAnalyzer. The root FortiGate is the device that initiates the Security Fabric and acts as the central point of contact for other FortiGate devices. However, it does not have to be the only log source for FortiAnalyzer.
Option C is incorrect because the FortiGate devices performing NAT or UTM are not the only devices that can send logs to FortiAnalyzer. These devices can perform additional security functions on the traffic that passes through them, such as firewall, antivirus, web filtering, etc. However, they are not the only devices that generate logs in the Security Fabric.
Option D is incorrect because the last FortiGate that handled a session in the Security Fabric is not the only device that can send logs to FortiAnalyzer. The last FortiGate is the device that terminates the session and applies the final security policy. However, it does not have to be the only device that reports the session information to FortiAnalyzer.
References:
1: Security Fabric - Fortinet Documentation
2: FortiAnalyzer Demo
3: Security Fabric topology
4: Security Fabric UTM features
5: Security Fabric session handling
Question 37:
Exhibit.
ISFW is installed in the access layer. NGFW is performing SNAT and web filtering. DCFW is running IPS.
Which two statements are true regarding the Security Fabric logging? (Choose two.)
A. DCFW is responsible for generating UTM logs for file server sessions initiated by Client-1, only if an IPS inspection is triggered.
B. ISFW is responsible for generating traffic logs for only web traffic and SMB traffic from Client-1.
C. The SMB session which is forwarded to NGFW logs that event.
D. DCFW generates traffic logs for all sessions from Corporate File Server.
E. The web session forwarded to the NGFW generates the relevant UTM logs along with the initial traffic log.
A. DCFW is responsible for generating UTM logs for file server sessions initiated by Client-1, only if an IPS inspection is triggered.
B. ISFW is responsible for generating traffic logs for only web traffic and SMB traffic from Client-1.
Question 38:
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors. What can you conclude from this command output?
A. The router are in the number to match the remote peer.
B. You must change the AS number to match the remote peer.
C. BGP is attempting to establish a TCP connection with the BGP peer.
D. The bfd configuration is set to enable.
C. BGP is attempting to establish a TCP connection with the BGP peer.
The BGP state is "Idle", indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet. If the TCP connection fails, the BGP state will reset to either active or idle, depending on the configuration.
Question 39:
Which two statements about the neighbor-group command are true? (Choose two.)
A. You can configure it on the GUI.
B. It applies common settings in an OSPF area.
C. It is combined with the neighbor-range parameter.
D. You can apply it in Internal BGP (IBGP) and External BGP (EBGP).
B. It applies common settings in an OSPF area.
D. You can apply it in Internal BGP (IBGP) and External BGP (EBGP).
The neighbor-group command in FortiOS allows for the application of common settings to a group of neighbors in OSPF, and can also be used to simplify configuration by applying common settings to both IBGP and EBGP neighbors. This grouping functionality is a part of the FortiOS CLI and is documented in the Fortinet CLI reference.
Question 40:
Exhibit.
Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices.
Which two conclusions can you draw from this configuration? (Choose two.)
A. 10.1.5.254 is the default gateway of the internal network.
B. On failover, the new primary device uses the same MAC address as the old primary.
C. The VRRP domain uses the physical MAC address of the primary FortiGate.
D. By default, FortiGate B is the primary virtual router.
A. 10.1.5.254 is the default gateway of the internal network.
B. On failover, the new primary device uses the same MAC address as the old primary.
The Virtual Router Redundancy Protocol (VRRP) configuration in the exhibit indicates that 10.1.5.254 is set as the virtual IP (VRIP), commonly serving as the default gateway for the internal network (A). With vrrp-virtual-mac enabled, both FortiGates would use the same virtual MAC address, ensuring a seamless transition during failover (B). The VRRP domain does not use the physical MAC address (C), and the priority settings indicate that FortiGate-A would be the primary router by default due to its higher priority (D).