Fortinet NSE7_EFW-7.2 Online Practice Questions and Exam Preparation
NSE7_EFW-7.2 Exam Details
Exam Code: NSE7_EFW-7.2
Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.2
Certification: Fortinet Certifications
Vendor: Fortinet
Total Questions: 80 Q&As
Last Updated: May 26, 2026
Fortinet NSE7_EFW-7.2 Online Questions & Answers
Question 61:
Refer to the exhibit, which shows config system central-management information.
Which setting must you configure for the web filtering feature to function?
A. Add server.fortiguard.net to the server list.
B. Configure securewf.fortiguard.net on the default servers.
C. Set update-server-location to automatic.
D. Configure server-type with the rating option.
D. Configure server-type with the rating option.
For the web filtering feature to function effectively, the FortiGate device needs to have a server configured for rating services. The rating option in the server-type setting specifies that the server is used for URL rating lookup, which is essential for web filtering. The displayed configuration does not list any FortiGuard web filtering servers, which would be necessary for web filtering. The setting set include-default-servers disable indicates that the default FortiGuard servers are not being used, and hence, a specific server for web filtering (like securewf.fortiguard.net) needs to be configured.
Question 62:
Refer to the exhibit.
The partial interface configuration of two FortiGate devices is shown.
Which two conclusions can you draw from this configuration? (Choose two.)
A. You can include 4.4.4.4 and 4.4.4.2 IP addresses using the set vrdst command
B. At the time of failover, FortiGate_A will change its priority to 30
C. By default, preemption mode is enabled
D. In VRRP, you are restricted to add a third FortiGate into VRRP group 1.
B. At the time of failover, FortiGate_A will change its priority to 30
C. By default, preemption mode is enabled
D. In VRRP, you are restricted to add a third FortiGate into VRRP group 1.
Question 63:
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?
A. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports
B. Configure set link-failed-signal enable under config system ha on both cluster members
C. Configure remote link monitoring to detect an issue in the forwarding path
D. Configure set send-garp-on-failover enable under config system ha on both cluster members
D. Configure set send-garp-on-failover enable under config system ha on both cluster members
Question 64:
Which two statements about ADVPN are true? (Choose two.)
A. auto-discovery receiver must be set to enable on the Spokes.
B. Spoke-to-spoke traffic never goes through the hub
C. It supports NAT for on-demand tunnels
D. Routing is configured by enabling add-advpn-route
A. auto-discovery receiver must be set to enable on the Spokes.
C. It supports NAT for on-demand tunnels
ADVPN (Auto Discovery VPN) is a feature that allows direct tunnels (called shortcuts) to be established dynamically between the spokes of a traditional hub-and-spoke architecture. The auto-discovery receiver must be set to enable on the spokes to allow them to receive NHRP messages from the hub and other spokes. NHRP (Next Hop Resolution Protocol) is used for on-demand tunnels, which are established when there is traffic between spokes. Routing is configured by enabling add-nhrp-route, not add-advpn-route.
References: ADVPN | FortiGate / FortiOS 7.2.0 | Fortinet Document Library, Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
Question 65:
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
A. FortiGate uses the first entry listed in the SAN field in the server certificate
B. FortiGate uses the CN information from the Subject field in the server certificate
C. FortiGate uses the SNI from the user's web browser.
D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration
D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration
Question 66:
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
A. FortiManager provides FortiGuard.
B. fortiguard-anycast is set to enable.
C. You do not have the corresponding write access.
D. udp is not a protocol option.
B. fortiguard-anycast is set to enable.
Explanation/Reference: The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.
Question 67:
While configuring the BGP protocol, an administrator applies the set network-import-check disable command under config network.
What will FortiGate do as a result of this command?
A. FortiGate will advertise only the corresponding prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table.
B. FortiGate will advertise all the prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table.
C. FortiGate will not advertise any imported routes received from one BGP neighbor to another.
D. FortiGate will not advertise the prefixes, if it is not in the routing table.
B. FortiGate will advertise all the prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table.
Question 68:
Refer to the exhibit, which shows an OSPF network.
Which types of link-state advertisements (LSA) will NGFW-1 send, if it is a backup designated router (BDR)?
A. NGFW-1 will send type 1 and type 2 LSAs.
B. NGFW-1 will send type 1 and type 3 LSA.
C. NGFW-1 will send type 1 and type 4 LSA.
D. NGFW-1 will send type 1 and type 5 LSA.
B. NGFW-1 will send type 1 and type 3 LSA.
Question 69:
Exhibit.
Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator configured the CLI script on FortiManager. Which statement is true based on the script configuration?
A. The script successfully added a static route with gateway 10.20.121.2 on the managed device
B. CLI scripts must start with # l.
C. The commands are missing d3_cmd at the beginning
D. The CLI scripts failed to execute because of an incomplete command
D. The CLI scripts failed to execute because of an incomplete command
Question 70:
After enabling IPS you receive feedback about traffic being dropped. What could be the reason?
A. Np-accel-mode is set to enable
B. Traffic-submit is set to disable
C. IPS is configured to monitor
D. Fail-open is set to disable
D. Fail-open is set to disable
Explanation/Reference: Fail-open is a feature that allows traffic to pass through the IPS sensor without inspection when the sensor fails or is overloaded. If fail-open is set to disable, traffic will be dropped in such scenarios.
References: IPS | FortiGate / FortiOS 7.2.3 - Fortinet Documentation
When IPS (Intrusion Prevention System) is configured, if fail-open is set to disable, it means that if the IPS engine fails, traffic will not be allowed to pass through, which can result in traffic being dropped (D). This is in contrast to a fail-open setting, which would allow traffic to bypass the IPS engine if it is not operational.