Fortinet Fortinet Certifications NSE7_EFW Questions & Answers

• Question 31:

  View the following FortiGate configuration.

  

  All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for Internet traffic from a user on the internal network:

  

  If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user's session?

  A. The session would remain in the session table, and its traffic would still egress from port1.

  B. The session would remain in the session table, but its traffic would now egress from both port1 and port2.

  C. The session would remain in the session table, and its traffic would start to egress from port2.

  D. The session would be deleted, so the client would need to start a new session.

  Correct Answer: D

• Question 32:

  Which of the following statements are correct regarding application layer test commands? (Choose two.)

  A. They are used to filter real-time debugs.

  B. They display real-time application debugs.

  C. Some of them display statistics and configuration information about a feature or process.

  D. Some of them can be used to restart an application.

  Correct Answer: BC

• Question 33:

  View the exhibit, which contains a partial output of an IKE real-time debug, and then answer the question

  below.

  Based on the debug output, which phase-1 setting is enabled in the configuration of this VPN?

  A. auto-discovery-sender

  B. auto-discovery-forwarder

  C. auto-discovery-shortcut

  D. auto-discovery-receiver

  Correct Answer: C

• Question 34:

  What configuration changes can reduce the memory utilization in a FortiGate? (Choose two.)

  A. Reduce the session time to live.

  B. Increase the TCP session timers.

  C. Increase the FortiGuard cache time to live.

  D. Reduce the maximum file size to inspect.

  Correct Answer: AD

• Question 35:

  Examine the IPsec configuration shown in the exhibit; then answer the question below.

  

  An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands: diagnose vpn ike log-filter src-addr4 10.0.10.1

  diagnose debug application ike -1

  diagnose debug enable

  The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?

  A. The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.

  B. The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.

  C. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.

  D. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.

  Correct Answer: A

• Question 36:

  Examine the output of the `get router info bgp summary' command shown in the exhibit; then answer the question below.

  

  Which statement can explain why the state of the remote BGP peer 10.200.3.1 is Connect?

  A. The local peer is receiving the BGP keepalives from the remote peer but it has not received any BGP prefix yet.

  B. The TCP session for the BGP connection to 10.200.3.1 is down.

  C. The local peer has received the BGP prefixed from the remote peer.

  D. The local peer is receiving the BGP keepalives from the remote peer but it has not received the OpenConfirm yet.

  Correct Answer: B

• Question 37:

  View the exhibit, which contains the output of a diagnose command, and then answer the question below.

  

  What statements are correct regarding the output? (Choose two.)

  A. This is an expected session created by a session helper.

  B. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.

  C. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.

  D. This is an expected session created by an application control profile.

  Correct Answer: AC

• Question 38:

  When does a RADIUS server send an Access-Challenge packet?

  A. The server does not have the user credentials yet.

  B. The server requires more information from the user, such as the token code for two-factor authentication.

  C. The user credentials are wrong.

  D. The user account is not found in the server.

  Correct Answer: B

• Question 39:

  An administrator has decreased all the TCP session timers to optimize the FortiGate memory usage. However, after the changes, one network application started to have problems. During the troubleshooting, the administrator noticed that the FortiGate deletes the sessions after the clients send the SYN packets, and before the arrival of the SYN/ACKs. When the SYN/ACK packets arrive to the FortiGate, the unit has already deleted the respective sessions. Which TCP session timer must be increased to fix this problem?

  A. TCP half open.

  B. TCP half close.

  C. TCP time wait.

  D. TCP session time to live.

  Correct Answer: A

• Question 40:

  A FortiGate device has the following LDAP configuration:

  

  The administrator executed the `dsquery' command in the Windows LDAp server 10.0.1.10, and got the

  following output:

  >dsquery user -samid administrator

  "CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab"

  Based on the output, what FortiGate LDAP setting is configured incorrectly?

  A. cnid.

  B. username.

  C. password.

  D. dn.

  Correct Answer: A