Fortinet Fortinet Certifications NSE7_EFW Questions & Answers

• Question 1:

  Examine the output of the 'diagnose debug rating' command shown in the exhibit; then answer the question below.

  

  Which statement are true regarding the output in the exhibit? (Choose two.)

  A. There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.

  B. The TZ value represents the delta between each FortiGuard server's time zone and the FortiGate's time zone.

  C. FortiGate will send the FortiGuard queries to the server with highest weight.

  D. A server's round trip delay (RTT) is not used to calculate its weight.

  Correct Answer: BC

• Question 2:

  Examine the following routing table and BGP configuration; then answer the question below.

  

  TheBGP connection is up, but the local peer is NOT advertising the prefix 192.168.1.0/24. Which configuration change will make the local peer advertise this prefix?

  A. Enable the redistribution of connected routers into BGP.

  B. Enable the redistribution of static routers into BGP.

  C. Disable the setting network-import-check.

  D. Enable the setting ebgp-multipath.

  Correct Answer: C

• Question 3:

  View the exhibit, which contains an entry in the session table, and then answer the question below.

  

  Which one of the following statements is true regarding FortiGate's inspection of this session?

  A. FortiGate applied proxy-based inspection.

  B. FortiGate forwarded this session without any inspection.

  C. FortiGate applied flow-based inspection.

  D. FortiGate applied explicit proxy-based inspection.

  Correct Answer: B

• Question 4:

  What conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)

  A. IP addresses are in the same subnet.

  B. Hello and dead intervals match.

  C. OSPF IP MTUs match.

  D. OSPF peer IDs match.

  E. OSPF costs match.

  Correct Answer: ABD

• Question 5:

  Which of the following statements are true about FortiManager when it is deployed as a local FDS? (Choose two.)

  A. Caches available firmware updates for unmanaged devices.

  B. Can be configured as an update server, or a rating server, but not both.

  C. Supports rating requests from both managed and unmanaged devices.

  D. Provides VM license validation services.

  Correct Answer: AD

• Question 6:

  A FortiGate's portl is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related with this traffic? (Choose two.)

  A. Both session have the local flag on.

  B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.

  C. One session has the proxy flag on, the other one does not.

  D. One of the sessions has the IP address of port2 as the source IP address.

  Correct Answer: AD

• Question 7:

  Which real time debug should an administrator enable to troubleshoot RADIUS authentication problems?

  A. Diagnose debug application radius -1.

  B. Diagnose debug application fnbamd -1.

  C. Diagnose authd console -log enable.

  D. Diagnose radius console -log enable.

  Correct Answer: A

• Question 8:

  A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have Internet access after successfully logged into the Windows AD network. The output of the `diagnose debug authd fsso list' command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

  A. The user student must not be listed in the CA's ignore user list.

  B. The user student must belong to one or more of the monitored user groups.

  C. The student workstation's IP subnet must be listed in the CA's trusted list.

  D. At least one of the student's user groups must be allowed by a FortiGate firewall policy.

  Correct Answer: BD

• Question 9:

  An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth)

  and IKE mode configuration. The administrator has also enabled the IKE real time debug:

  diagnose debug application ike-1

  diagnose debug enable

  In which order is each step and phase displayed in the debug output each time a new dial-up user is

  connecting to the VPN?

  A. Phase1; IKE mode configuration; XAuth; phase 2.

  B. Phase1; XAuth; IKE mode configuration; phase2.

  C. Phase1; XAuth; phase 2; IKE mode configuration.

  D. Phase1; IKE mode configuration; phase 2; XAuth.

  Correct Answer: D

• Question 10:

  An administrator wants to capture ESP traffic between two FortiGates using the built-in sniffer. If the administrator knows that there is no NAT device located between both FortiGates, what command should the administrator execute?

  A. diagnose sniffer packet any `udp port 500'

  B. diagnose sniffer packet any `udp port 4500'

  C. diagnose sniffer packet any `esp'

  D. diagnose sniffer packet any `udp port 500 or udp port 4500'

  Correct Answer: C