Exam Code : NSE7_EFW-7.0
Exam Name : Fortinet NSE 7 - Enterprise Firewall 7.0
Vendor Name :
"Fortinet"
Fortinet NSE 7 - Enterprise Firewall 7.0
https://killexams.com/pass4sure/exam-detail/NSE7_EFW-7.0
Question: 1
tatements are true regarding the output in the exhibit? (Choose two.) iGate will probe 121.111.236.179 every fifteen minutes for a response. ers with the D flag are considered to be down.
ers with a negative TZ value are experiencing a service outage. iGate used 209.222.147.3 as the initial server to validate its contract.
ation:
cause flag is Failed so fortigate will check if server is available every 15 minD-state is I , contact to vali info
on: 2
View the exhibit, which contains the output of a diagnose command, and then answer the question below.
Which s
Fort
Serv
Serv
Fort
Explan
A C be date
contract
Questi
Refer to the exhibit, which contains partial output from an IKE real-time debug.
wo statements about this debug output are correct? (Choose two.) emote gateway IP address is 10.0.0.1.
nitiator provided remote as its IPsec peer ID. ows a phase 1 negotiation.
egotiation is using AES128 encryption with CBC hash.
on: 3
Gate has two default routes:
Which t
The r
The i
It sh
The n
ernet traffic is currently using port1. The exhibit shows partial information for one sample session of Inte rom an internal user:
ould happen with the traffic matching the above session if the priority on the first default route (IDd1) w from 5 to 20?
ession would be deleted, and the client would need to start a new session.
ession would remain in the session table, and its traffic would start to egress from port2. ession would remain in the session table, but its traffic would now egress from
rt1 and port2.
ession would remain in the session table, and its traffic would still egress from port1.
All Int rnet
traffic f
What w ere
changed
The s
The s
The s both po
The s
Question: 4
Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below.
tatements are true regarding the output in the exhibit? (Choose two.) state of the peer 10.125.0.60 is Established.
peer 10.200.3.1 has never been down since the BGP counters were cleared. BGP peer has not received an OpenConfirm from 10.200.3.1.
ocal BGP peer has received a total of 3 BGP prefixes.
on: 5
ministrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the admin that some of the switches in the network continue to send traffic to the former primary device. The strator decides to enable the setting link-failed-signal to fix the problem.
tatement about this setting is true?
nds an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable thr aster after a failover.
nds a link failed signal to all connected devices.
sabled all the non-heartbeat interfaces in all HA members for two seconds after a failover.
rces the former primary device to shut down all its non-heartbeat interfaces for one second, while the fai
Which s
BGP
BGP
Local
The l
Questi
An ad istrator
notices admini
Which s
It se ough a
new m
It se
It di
It fo lover
occurs.
Explanation:
Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD40860&sliceId=1
Question: 6
Examine the output from the BGP real time debug shown in the exhibit, then the answer the question below:
tatements are true regarding the output in the exhibit? (Choose two.) peers have successfully interchanged Open and Keepalive messages. BGP peer received a prefix for a default route.
tate of the remote BGP peer is OpenConfirm.
tate of the remote BGP peer will go to Connect after it confirms the received prefixes.
on: 7
he exhibit, which contains the output of a diagnose command, and then answer the question below.
Which s
BGP
Local
The s
The s
What statements are correct regarding the output? (Choose two.)
This is an expected session created by a session helper.
Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.
Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.
This is an expected session created by an application control profile.
Question: 8
View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.
Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?
FortiGate will exempt the connection based on the Web Content Filter configuration.
FortiGate will block the connection based on the URL Filter configuration.
FortiGate will allow the connection based on the FortiGuard category based filter configuration.
FortiGate will block the connection as an invalid URL.
fortigate does it in order Static URL -> FortiGuard C > Content -> Advanced (java, cookie removal..)so block it in first step
on: 9
he central management configuration shown in the exhibit, and then answer the question below.
Questi
View t
Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage? A. 10.0.1.240
B. One of the public FortiGuard distribution servers C. 10.0.1.244
D. 10.0.1.242
Question: 10
utbound interface will FortiGate use to route web traffic from internal users to the Internet? port1 and port2
on: 11
vents are recorded in the crashlogs of a FortiGate device? (Choose two.) ocess crash.
figuration changes.
nges in the status of any of the FortiGuard licenses.
em entering to and leaving from the proxy conserve mode.
ation:
diagnose debug crashlog read
View these partial outputs from two routing debug commands:
Which o
Both
port3
port1
port2
Questi
What e
A pr
Con
Cha
Syst
Explan
275: 2014-08-05 13:03:53 proxy=acceptor service=imap session fail mode=activated276: 2014-08-05 13:03:53 proxy=acceptor service=ftp session fail mode=activated277: 2014-08-05 13:03:53 proxy=acceptor service=nntp session fail mode=activated278: 2014-08-06 11:05:47 service=kernel conserve=on free=”45034 pages” red=”45874 pages” msg=”Kernel279: 2014-08-06 11:05:47 enters conserve mode”280: 2014-08-06 13:07:16 service=kernel conserve=exit free=”86704 pages”
green=”68811 pages”281: 2014-08-06 13:07:16 msg=”Kernel leaves conserve mode”282: 2014-08-06 13:07:16 proxy=imd sysconserve=exited total=1008 free=349 marginenter=201283: 2014-08-06 13:07:16 marginexit=302
Question: 12
An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration.
diagnose debug application ike-1 diagnose debug enable
which order is each step and phase displayed in the debug output each time a new dial-up user is connecting
se1; IKE mode configuration; XAuth; phase 2. e1; XAuth; IKE mode configuration; phase2. e1; XAuth; phase 2; IKE mode configuration. se1; IKE mode configuration; phase 2; XAuth.
help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn- c_VPN_Concepts/IKE_Packet_Processing.htm
on: 13
dependent FortiGate HA clusters are connected to the same broadcast domain. The administrator has rep both clusters are using the same HA virtual MAC address. This creates a duplicated MAC address problem
.
A setting must be changed in one of the HA clusters to fix the problem? up ID.
The administrator has also enabled the IKE real time debug:
In to the
VPN?
Pha
Phas
Phas
Pha
54/IPse
Questi
Two in orted
that in the
network
What H
Gro
Group name.
Session pickup.
Gratuitous ARPs.
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverVMAC.htm
Question: 14
f the following statements is true regarding this configuration? ill scan every byte in every session.
iGate will spawn IPS engine instances based on the system load.
packets will be passed through without inspection if the IPS socket buffer runs out of memory.
ill use the faster matching algorithm which is only available for units with more than 4 GB memory.
on: 15
Examine the following partial outputs from two routing debug commands; then answer the question below:
default route using port2 is not displayed in the output of the second command? a lower priority than the default route using port1.
a higher priority than the default route using port1. a higher distance than the default route using port1. isabled in the FortiGate configuration.
View the global IPS configuration, and then answer the question below.
Which o
IPS w
Fort
New
IPS w
Questi
Why the
It has
It has
It has
It is d
https://kb.fortinet.com/kb/viewContent.do?externalId=FD32103
Question: 16
Which real time debug should an administrator enable to troubleshoot RADIUS authentication problems?
Diagnose debug application radius -1.
Diagnose debug application fnbamd -1.
Diagnose authd console Clog enable.
Diagnose radius console Clog enable.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD32838
Question: 17
he exhibit, which contains the output of a debug command, and then answer the question below.
ne of the following statements about this FortiGate is correct? urrently in system conserve mode because of high CPU usage. urrently in extreme conserve mode because of high memory usage. urrently in proxy conserve mode because of high memory usage. urrently in memory conserve mode because of high memory usage.
on: 18
tatement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-acce is true?
iGate first checks the OSPF ID to elect a DR.
DR and non-BDR routers will form full adjacencies to DR and BDR only.
is responsible for forwarding link state information from one router to another. the DR receives link state information from non-DR routers.
View t
Which o
It is c
It is c
It is c
It is c
Questi
Which s ss
network
Fort
Non-
BDR
Only
Question: 19
Refer to the exhibit, which shows a partial routing table.
ng all the appropriate firewall policies are configured, which two pings will FortiGate route? (Choose t rce IP address: 10.1.0.10. Destination IP address: 10.64.1.52
ce IPaddress: 10.72.3.52. Destination IP address: 10.1.0.254 ce IPaddress: 10.10.4.24, Destination IPaddress: 10.72.3.20
rce IPaddress: 10.73.9.10, Destination IPaddress: 10.72.3.15
on: 20
the exhibit, which contains partial output from an IKE real-time debug.
Assumi wo.)
Sou
Sour
Sour
Sou
Based on the debug output, which phase 1 setting is enabled in the configuration of this VPN?
auto-discovery-shortcut
auto-discovery-forwarder
auto-discovery-sender
auto-discovery-receiver
Reference: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/320160/example-advpn-configuration First the Spoke receives SHORTCUT_OFFER, it respondes with sending shortcut-query.
AT the end it receives SHORTCUT_REPLY and creates new dynamic tunnel (H2S_0_0).
Question: 21
dn’t the tunnel come up?
re-shared keys do not match.
emote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration. emote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration. emote gateway is using aggressive mode and the local gateway is configured to use man mode.
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.
Why di
The p
The r
The r
The r
Question: 22
View the exhibit, which contains the output of a diagnose command, and the answer the question below.
tatements are true regarding the Weight value?
nitial value is calculated based on the round trip delay (RTT). nitial value is statically set to 10.
alue is incremented with each packet lost.
termines which FortiGuard server is used for license validation.
on: 23
he exhibit, which contains the output of a BGP debug command, and then answer the question below.
Which s
Its i
Its i
Its v
It de
Which of the following statements about the exhibit are true? (Choose two.)
For the peer 10.125.0.60, the BGP state of is Established.
The local BGP peer has received a total of three BGP prefixes.
Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.
The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.
Question: 24
Which statement about memory conserve mode is true?
A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.
A FortiGate starts dropping all the new and old sessions when the configured memory use threshold reaches extreme.
A FortiGate starts dropping new sessions when the configured memory use threshold reaches red
A FortiGate enters conserve mode when the configured memory use threshold reaches red
on: 25
wo configuration settings change the behavior for content-inspected traffic while FortiGate is in conser Choose two.)
ailopen failopen ailopen failopen
on: 26
the exhibit, which shows a FortiGate configuration.
Questi
Which t ve
mode? (
IPS f
mem
AV f
UTM
ministrator is troubleshooting a web filter issue on FortiGate. The administrator has configured a web filt nd applied it to a policy; however, the web filter is not inspecting any traffic that is passing through the
ust the administrator change to fix the issue? dministrator must increase webfilter-timeout. dministrator must disable webfilter-force-off. dministrator must change protocol to TCP. dministrator must enable fortiguard-anycast.
An ad er
profile a policy.
What m
The a
The a
The a
The a
Reference: https://docs.fortinet.com/document/fortigate/6.4.5/cli-reference/109620/config-system-fortiguard
Question: 27
Four FortiGate devices configured for OSPF connected to the same broadcast domain. The first unit is elected as the designated router. The second unit is elected as the backup designated router.
Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?
1
2
3
4
he exhibit, which contains a partial routing table, and then answer the question below.
ng all the appropriate firewall policies are configured, which of the following pings will FortiGate route two.)
rce IP address 10.1.0.24, Destination IP address 10.72.3.20. ce IP address 10.72.3.27, Destination IP address 10.1.0.52. ce IP address 10.72.3.52, Destination IP address 10.1.0.254. rce IP address 10.73.9.10, Destination IP address 10.72.3.15.
on: 29
ministrator has configured a FortiGate device with two VDOMs: root and internal. The administrator has
Answer: B
Question: 28 View t
Assumi ?
(Choose
Sou
Sour
Sour
Sou
Questi
An ad also
created and inter-VDOM link that connects both VDOMs. The objective is to have each VDOM advertise some routes to the other VDOM via OSPF through the inter-VDOM link .
What OSPF configuration settings must match in both VDOMs to have the OSPF adjacency successfully forming? (Choose three.)
Router ID.
OSPF interface area.
OSPF interface cost.
OSPF interface MTU.
Interface subnet mask.
Question: 30
dn’t the script make any changes to the managed device? mmands that start with the # sign are not executed.
cripts will add objects only if they are referenced by policies. mplete commands are ignored in CLI scripts.
Static routes can only be added using TCL scripts.
help.fortinet.com/fmgr/50hlp/56/5-6- Manager_Admin_Guide/1000_Device%20Manager/2400_Scripts/1000_Script%20sa 0200_CLI%20scripts+.htm#Error_Messages
ence of FortiGate CLI commands, as you would type them at the command line. A comment line starts w sign (#). A comment line will not be executed.
on: 31
Examine the output of the ‘diagnose ips anomaly list’ command shown in the exhibit; then answer the question
An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.
Why di
Co
CLI s
Inco D.
2/Forti mples/
A sequ ith the
number
Questi
below.
Which I
Tho
Tho
Tho
Tho
Questi
What is
Nu
P addresses are included in the output of this command? se whose traffic matches a DoS policy.
se whose traffic matches an IPS sensor.
se whose traffic exceeded a threshold of a matching DoS policy. se whose traffic was detected as an anomaly by an IPS sensor.
on: 32
Examine the following partial output from a sniffer command; then answer the question below.
the meaning of the packets dropped counter at the end of the sniffer? mber of packets that didn’t match the sniffer filter.
Number of total packets dropped by the FortiGate.
Number of packets that matched the sniffer filter and were dropped by the FortiGate.
Number of packets that matched the sniffer filter but could not be captured by the sniffer.
https://kb.fortinet.com/kb/documentLink.do?externalID=11655
Examine the following traffic log; then answer the question below.
date-20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx"
log_id=0100020007 type=event subtype=system pri critical vd=root service=kemel status=failure msg="NAT port is exhausted."
What does the log mean?
There is not enough available memory in the system to create a new entry in the NAT port table.
The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.
imit for the maximum number of entries in the NAT port table has been reached.
on: 34
f the following statements are correct regarding application layer test commands? (Choose two.) are used to filter real-time debugs.
display real-time application debugs.
of them display statistics and configuration information about a feature or process. Some of them can be used to restart an application.
ation:
ation layer test commands don’t display info in real time, but they do show statistics and configuration i feature or process. You can also use some of these commands to restart a process or execute a change i on.
on: 35
which two states is a given session categorized as ephemeral? (Choose two.) CP session waiting to complete the three-way handshake.
CP session waiting for FIN ACK.
FortiGate does not have any available NAT port for a new connection.
The l
Questi
Which o
They
They
Some D.
Explan
Applic nfo
about a n its
operati
Questi
In
A T
A T
A UDP session with packets sent and received.
A UDP session with only one packet received.
Question: 36
Which two statements about the Security Fabric are true? (Choose two.)
Only the root FortiGate collects network information and forwards it to FortiAnalyzer.
FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.
All FortiGate devices in the Security Fabric must have bidirectional FortiTelemetry connectivity.
Branch FortiGate devices must be configured first.
Reference: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/327890/deploying-security-fabric
Question: 37
ministrator wants to capture ESP traffic between two FortiGates using the built-in sniffer.
dministrator knows that there is no NAT device located between both FortiGates, what command should strator execute?
nose sniffer packet any ‘udp port 500’ nose sniffer packet any ‘udp port 4500’ nose sniffer packet any ‘esp’
nose sniffer packet any ‘udp port 500 or udp port 4500’
IKE Traffic without NAT:diagnose sniffer packet ‘host and udp port
――――――――――――――――――――――――――――――――――――-Capture ESP T NAT:diagnose sniffer packet any ‘host and
――――――――――――――――――――――――――――――――――――-Capture IKE a AT-T:diagnose sniffer packet any ‘host and (udp port 500 or udp port 4500)’
on: 38
he exhibit, which contains the output of get sys ha status, and then answer the question below.
An ad
If the a the
admini
diag
diag
diag
diag
500’― raffic
without
esp’― nd ESP
with N
Questi
View t
tatements are correct regarding the output? (Choose two.) lave configuration is not synchronized with the master.
A management IP is 169.254.0.2.
ter is selected because it is the only device in the cluster. 7 is used the HA heartbeat on all devices in the cluster.
on: 39
Examine the IPsec configuration shown in the exhibit; then answer the question below.
Which s
The s
The H
Mas
port
Questi
An ad
ministrator wants to monitor the VPN by enabling the IKE real time debug using these commands: diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1 diagnose debug enable
N is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged betwee ateways. However, the IKE real time debug does NOT show any output .
The VP n both
IPsec g
Why isn’t there any output?
The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.
The log-filter setting is set incorrectly. The VPN’s traffic does not match this filter.
The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.
Which statement about NGFW policy-based application filtering is true?
After the application has been identified, the kernel uses only the Layer 4 header to match the traffic.
The IPS security profile is the only security option you can apply to the security policy with the action set to ACCEPT.
After IPS identifies the application, it adds an entry to a dynamic ISDB table.
FortiGate will drop all packets until the application can be identified.