Fortinet Fortinet Certifications NSE7_EFW-7.2 Questions & Answers

• Question 41:

  In which two ways does fortiManager function when it is deployed as a local FDS? (Choose two)

  A. lt can be configured as an update server a rating server or both

  B. It provides VM license validation services

  C. It supports rating requests from non-FortiGate devices.

  D. It caches available firmware updates for unmanaged devices

  Correct Answer: AB

  When deployed as a local FortiGuard Distribution Server (FDS), FortiManager functions in several capacities. It can act as an update server, a rating server, or both, providing firmware updates and FortiGuard database updates. Additionally, it plays a crucial role in VM license validation services, ensuring that the connected FortiGate devices are operating with valid licenses. However, it does not support rating requests from non-FortiGate devices nor cache firmware updates for unmanaged devices. Fortinet FortiOS Handbook: FortiManager as a Local FDS Configuration

• Question 42:

  Refer to the exhibit, which shows an ADVPN network.

  

  Which VPN phase 1 parameters must you configure on the hub for the ADVPN feature to function? (Choose two.)

  A. set auto-discovery-forwarder enable

  B. set add-route enable

  C. set auto-discovery-receiver enable

  D. set auto-discovery-sender enable

  Correct Answer: AC

  For the ADVPN feature to function properly on the hub, the following phase 1 parameters must be configured:

  A. set auto-discovery-forwarder enable: This enables the hub to forward shortcut information to the spokes, which is essential for them to establish direct tunnels. C. set auto-discovery-receiver enable: This allows the hub to receive shortcut

  offers from the spokes.

  This information is corroborated by the Fortinet documentation, which explains that in an ADVPN setup, the hub must be able to both forward and receive shortcut information for dynamic tunnel creation between spokes.

• Question 43:

  Exhibit.

  

  Refer to the exhibit, which contains a CLI script configuration on fortiManager. An administrator configured the CLI script on FortiManager rut the script tailed to apply any changes to the managed

  device after being executed.

  What are two reasons why the script did not make any changes to the managed device? (Choose two)

  A. The commands that start with the # sign did not run.

  B. Incomplete commands can cause CLI scripts to fail.

  C. Static routes can be added using only TCI scripts.

  D. CLI scripts must start with #!.

  Correct Answer: AB

  The commands that start with the # sign did not run because they are treated as comments in the CLI script. Incomplete commands can cause CLI scripts to fail because they are not recognized by the FortiGate device. The other options are incorrect because static routes can be added using CLI or GUI, and CLI scripts do not need to start with #!. References := Configuring custom scripts | FortiManager 7.2.0 - Fortinet Documentation, section "CLI script syntax".

• Question 44:

  Refer to the exhibit, which contains a partial OSPF configuration.

  

  What can you conclude from this output?

  A. Neighbors maintain communication with the restarting router.

  B. The router sends grace LSAs before it restarts.

  C. FortiGate restarts if the topology changes.

  D. The restarting router sends gratuitous ARP for 30 seconds.

  Correct Answer: B

  From the partial OSPF (Open Shortest Path First) configuration output:

  B. The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes. Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

• Question 45:

  You contoured an address object on the tool fortiGate in a Security Fabric. This object is not synchronized with a downstream device. Which two reasons could be the cause? (Choose two)

  A. The address object on the tool FortiGate has fabric-object set to disable

  B. The root FortiGate has configuration-sync set to enable

  C. The downstream TortiGate has fabric-object-unification set to local

  D. The downstream FortiGate has configuration-sync set to local

  Correct Answer: AC

  Option A is correct because the address object on the tool FortiGate will not be synchronized with the downstream devices if it has fabric-object set to disable. This option controls whether the address object is shared with other FortiGate devices in the Security Fabric or not1. Option C is correct because the downstream FortiGate will not receive the address object from the tool FortiGate if it has fabric-object-unification set to local. This option controls whether the downstream FortiGate uses the address objects from the root FortiGate or its own local address objects2. Option B is incorrect because the root FortiGate has configuration-sync set to enable by default, which means that it will synchronize the address objects with the downstream devices unless they are disabled by the fabric-object option3. Option D is incorrect because the downstream FortiGate has configuration-sync set to local by default, which means that it will receive the address objects from the root FortiGate unless they are overridden by the fabric-object-unification option4. References: =

  1: Group address objects synchronized from FortiManager5

  2: Security Fabric address object unification6

  3: Configuration synchronization7

  4: Configuration synchronization7 : Security Fabric - Fortinet Documentation

• Question 46:

  You want to improve reliability over a lossy IPSec tunnel.

  Which combination of IPSec phase 1 parameters should you configure?

  A. fec-ingress and fec-egress

  B. Odpd and dpd-retryinterval

  C. fragmentation and fragmentation-mtu

  D. keepalive and keylive

  Correct Answer: C

  For improving reliability over a lossy IPSec tunnel, the fragmentation and fragmentation-mtu parameters should be configured. In scenarios where there might be issues with packet size or an unreliable network, setting the IPsec phase 1 to allow for fragmentation will enable large packets to be broken down, preventing them from being dropped due to size or poor network quality. The fragmentation-mtu specifies the size of the fragments. This is aligned with Fortinet's recommendations for handling IPsec VPN over networks with potential packet loss or size limitations.

• Question 47:

  Exhibit.

  

  Refer to the exhibit, which contains an ADVPN network diagram and a partial BGP con figuration Which two parameters Should you configure in config neighbor range? (Choose two.)

  A. set prefix 172.16.1.0 255.255.255.0

  B. set route reflector-client enable

  C. set neighbor-group advpn

  D. set prefix 10.1.0 255.255.255.0

  Correct Answer: AC

  In the ADVPN configuration for BGP, you should specify the prefix that the neighbors can advertise. Option A is correct as you would configure the BGP network prefix that should be advertised to the neighbors, which matches the BGP network in the diagram. Option C is also correct since you should reference the neighbor group configured for the ADVPN setup within the BGP configuration.

• Question 48:

  An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?

  A. Verify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

  B. Configure set link -failed signal enable under-config system ha on both Cluster members

  C. Configure remote Iink monitoring to detect an issue in the forwarding path

  D. Configure set send-garp-on-failover enables under config system ha on both cluster members

  Correct Answer: B

  Virtual MAC Address and Failover

  -

  The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

  -

  Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces): #Config system ha set link-failed-signal enable end

  -

  This simulates a link failure that clears the related entries from MAC table of the switches.

• Question 49:

  Exhibit.

  

  Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.

  Which two parameters must you configure on the corresponding single hub? (Choose two.)

  A. Set auto-discovery-sender enable

  B. Set ike-version 2

  C. Set auto-discovery-forwarder enable

  D. Set auto-discovery-receiver enable

  Correct Answer: AC

  For an ADVPN spoke configuration shown, the corresponding hub must have auto-discovery-senderenabled to send shortcut advertisement messages to the spokes. Also, the hub would need to haveauto-discovery-forwarderenabled if it is to forward on those shortcut advertisements to other spokes. This allows the hub to inform all spokes about the best path to reach each other. Theike-versiondoes not need to be reconfigured on the hub if it's already set to version 2 andautodiscovery-receiveris not necessary on the hub because it's the one sending the advertisements, not receiving. References: FortiOS Handbook - ADVPN

• Question 50:

  Exhibit.

  

  Refer to the exhibit, which shows the output from the webfilter fortiguard cache dump and webfilter categories commands.

  Using the output, how can an administrator determine the category of the training.fortinet.comam website?

  A. The administrator must convert the first three digits of the IP hex value to binary

  B. The administrator can look up the hex value of 34 in the second command output.

  C. The administrator must add both the Pima in and Iphex values of 34 to get the category number

  D. The administrator must convert the first two digits of the Domain hex value to a decimal value

  Correct Answer: B

  Option B is correct because the administrator can determine the category of the training.fortinet.com website by looking up the hex value of 34 in the second command output. This is because the first command output shows that the domain and the IP of the website are both in category (Hex) 34, which corresponds to Information Technology in the second command output1. Option A is incorrect because the administrator does not need to convert the first three digits of the IP hex value to binary. The IP hex value is already in the same format as the category hex value, so the administrator can simply compare them without any conversion2. Option C is incorrect because the administrator does not need to add both the Pima in and Iphex values of 34 to get the category number. The Pima in and Iphex values are not related to the category number, but to the cache TTL and the database version respectively3. Option D is incorrect because the administrator does not need to convert the first two digits of the Domain hex value to a decimal value. The Domain hex value is already in the same format as the category hex value, so the administrator can simply compare them without any conversion2. References: =

  1: Technical Tip: Verify the webfilter cache content4

  2: Hexadecimal to Decimal Converter5

  3: FortiGate - Fortinet Community6 : Web filter | FortiGate / FortiOS 7.2.0 - Fortinet Documentation7