Exam Details

  • Exam Code: NSE7_EFW
  • Exam Name: NSE7 Enterprise Firewall - FortiOS 5.4
  • Certification: Fortinet Certifications
  • Vendor: Fortinet
  • Total Questions: 88 Q&As
  • Last Updated: Jun 16, 2025

Fortinet Fortinet Certifications NSE7_EFW Questions & Answers

  • Question 21:

    Which of the following events can trigger the election of a new primary unit in an HA cluster? (Choose two.)

    A. Primary unit stops sending HA heartbeat keepalives.

    B. The FortiGuard license for the primary unit is updated.

    C. One of the monitored interfaces in the primary unit is disconnected.

    D. A secondary unit is removed from the HA cluster.

  • Question 22:

    View the IPS exit log, and then answer the question below.

    # diagnose test application ipsmonitor 3

    ipsengine exit log:

    pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017

    code = 11, reason: manual

    What is the status of IPS on this FortiGate?

    A. IPS engine memory consumption has exceeded the model-specific predefined value.

    B. IPS daemon experienced a crash.

    C. There are communication problems between the IPS engine and the management database.

    D. All IPS-related features have been disabled in FortiGate's configuration.

  • Question 23:

    The CLI command set intelligent-mode controls the IPS engine's adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

    A. Determines the optimal number of IPS engines required based on system load.

    B. Downloads signatures on demand from FDS based on scanning requirements.

    C. Determines when it is secure enough to stop scanning session traffic.

    D. Chooses a matching algorithm based on available memory and the type of inspection being performed.

  • Question 24:

    Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

    A. Neighbor range

    B. Route reflector

    C. Next-hop-self

    D. Neighbor group

  • Question 25:

    View the exhibit, which contains the output of get sys ha status, and then answer the question below. Which statements are correct regarding the output? (Choose two.)

    A. The slave configuration is not synchronized with the master.

    B. The HA management IP is 169.254.0.2.

    C. Master is selected because it is the only device in the cluster.

    D. Port 7 is used for the HA heartbeat on all devices in the cluster.

  • Question 26:

    What global configuration setting changes the behavior for content-inspected traffic while FortiGate is in system conserve mode?

    A. av-failopen

    B. mem-failopen

    C. utm-failopen

    D. ips-failopen

  • Question 27:

    View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

    The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

    However, the IKE real time debug does not show any output. Why?

    A. The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.

    B. The log-filter setting was set incorrectly. The VPN's traffic does not match this filter.

    C. The debug shows only error messages. If there is no output, then the tunnel is operating normally.

    D. The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

  • Question 28:

    Examine the output of the 'get router info bgp summary' command shown in the exhibit; then answer the question below.

    Which statements are true regarding the output in the exhibit? (Choose two.)

    A. BGP state of the peer 10.125.0.60 is Established.

    B. BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.

    C. Local BGP peer has not received an OpenConfirm from 10.200.3.1.

    D. The local BGP peer has received a total of 3 BGP prefixes.

  • Question 29:

    Four FortiGate devices configured for OSPF are connected to the same broadcast domain. The first unit is elected as the designated router. The second unit is elected as the backup designated router. Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

    A. 1

    B. 2

    C. 3

    D. 4

  • Question 30:

    Examine the output from the 'diagnose debug authd fsso list' command; then answer the question below.

    # diagnose debug authd fsso list

    ----FSSO logons----

    IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/USERS Workstation: INTERNAL2.TRAINING.LAB

    The IP address 192.168.3.1 is NOT the one used by the workstation INTERNAL2.TRAINING.LAB.

    What should the administrator check?

    A. The IP address recorded in the logon event for the user STUDENT.

    B. The DNS name resolution for the workstation name INTERNAL2.TRAINING.LAB.

    C. The source IP address of the traffic arriving to the FortiGate from the workstation INTERNAL2.TRAINING.LAB.

    D. The reverse DNS lookup for the IP address 192.168.3.1.
