NSE7_EFW-7.0 Practice Exam Questions with Answers Fortinet NSE 7 - Enterprise Firewall 7.0 Certification

Number of packets that didn’t match the sniffer filter.

Number of total packets dropped by the FortiGate.

Number of packets that matched the sniffer filter and were dropped by the FortiGate.

Number of packets that matched the sniffer filter but could not be captured by the sniffer.

Primary unit stops sending HA heartbeat keepalives.

The FortiGuard license for the primary unit is updated.

One of the monitored interfaces in the primary unit is disconnected.

A secondary unit is removed from the HA cluster.

HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

Redirection of HTTP to HTTPS administrative access is disabled.

HTTP administrative access is configured with a port number different than 80.

The packet is denied because of reverse path forwarding check.

The pre-shared keys do not match.

The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.

The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration.

The remote gateway is using aggressive mode and the local gateway is configured to use man mode.

There is not enough available memory in the system to create a new entry in the NAT port table.

The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.

FortiGate does not have any available NAT port for a new connection.

The limit for the maximum number of entries in the NAT port table has been reached.

The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.

The log-filter setting is set incorrectly. The VPN’s traffic does not match this filter.

The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.

The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.

Determines the optimal number of IPS engines required based on system load.

Downloads signatures on demand from FDS based on scanning requirements.

Determines when it is secure enough to stop scanning session traffic.

Choose a matching algorithm based on available memory and the type of inspection being performed.

The local router's BGP state is Established with the 10.125.0.60 peer.

Since the counters were last reset; the 10.200.3.1 peer has never been down.

The local router has received a total of three BGP prefixes from all peers.

The local router has not established a TCP session with 100.64.3.1.

The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.

The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.

The debug shows only error messages. If there is no output, then the tunnel is operating normally.

The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

Phase 2 authentication is set to sha1 on both sides.

Anti-replay is disabled.

Hub2Spoke1 is a policy-based VPN.

Hub2Spoke1 is configured on interface wan2.

The port4 interface is connected to the OSPF backbone area.

The local FortiGate has been elected as the OSPF backup designated router.

There are at least 5 OSPF routers connected to the port4 network.

Two OSPF routers are down in the port4 network.

Anti-reply is enabled.

DPD is disabled.

Quick mode selectors are disabled.

Remote gateway IP is 10.200.5.1.

Enable the redistribution of connected routers into BGP.

Enable the redistribution of static routers into BGP.

Disable the setting network-import-check.

Enable the setting ebgp-multipath.

Only root vdom supports OCVPN.

OCVPN supports static and dynamic IPs in WAN interface.

OCVPN offers only Hub-Spoke VPNs.

FortiGate devices under different FortiCare accounts can be used to form OCVPN.

Automation stitches can be configured on any FortiGate device in a Security Fabric environment.

An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Automation stitches can be created to run diagnostic commands and attach the results to an email message when CPU or memory usage exceeds specified thresholds.

An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

The TCL command run_cmd has not been created.

The TCL script must start with tinclude <>.

Incomplete commands are ignored in TCL scripts.

Changes to an interface configuration can be made only by a CLI script.

Preview pending configuration changes for managed devices.

Add devices to FortiManager.

Import policy packages from managed devices.

Install configuration changes to managed devices.

Import interface mappings from managed devices.

The remote gateway IP address is 10.0.0.1.

The initiator provided remote as its IPsec peer ID.

It shows a phase 1 negotiation.

The negotiation is using AES128 encryption with CBC hash.

Public FortiGuard servers

10.0.1.243

10.0.1.242

10.0.1.244

IPS engine memory consumption has exceeded the model-specific predefined value.

IPS daemon experienced a crash.

There are communication problems between the IPS engine and the management database.

All IPS-related features have been disabled in FortiGate’s configuration.

The IP address recorded in the logon event for the user STUDENT.

The DNS name resolution for the workstation name INTERNAL2. TRAINING. LAB.

The source IP address of the traffic arriving to the FortiGate from the workstation INTERNAL2. TRAINING. LAB.

The reserve DNS lookup forthe IP address 192.168.3.1.

It inspects incoming traffic to protect services in the corporate DMZ.

It is the first line of defense at the network perimeter.

It splits the network into multiple security segments to minimize the impact of breaches.

It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

When run on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate device.

When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.

When run on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate device.

FortiGate will exempt the connection based on the Web Content Filter configuration.

FortiGate will block the connection based on the URL Filter configuration.

FortiGate will allow the connection based on the FortiGuard category based filter configuration.

FortiGate will block the connection as an invalid URL.

In the phase 1 network configuration, set the IKE version to 2.

In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.

In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.

In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.

It is an ICMP session from 10.1.10.10 to 10.200.1.1.

It is an ICMP session from 10.1.10.10 to 10.200.5.1.

It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.

It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.

The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.

The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.

The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.

BGP state of the peer 10.125.0.60 is Established.

BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.

Local BGP peer has not received an OpenConfirm from 10.200.3.1.

The local BGP peer has received a total of 3 BGP prefixes.

Neighbor range

Route reflector

Next-hop-self

Neighbor group

IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.

IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.

They both use UDP as their transport protocol and the port number is configurable.

They each use their own IP protocol number.

Configure set snat-route-change enable.

Change the priority of the port2 static route to 5.

Change the priority of the port1 static route to 11.

unset snat-route-change to return it to the default setting.

set av-failopen off

set av-failopen pass

set fail-open enable

set ips fail-open disable

In the network on port4, two OSPF routers are down.

Port4 is connected to the OSPF backbone area.

The local FortiGate’s OSPF router ID is 0.0.0.4

The local FortiGate has been elected as the OSPF backup designated router.

1

2

3

4

The connectivity between the FortiGate unit and the DNS server.

The connectivity between the client workstations and the DNS server.

That DNS traffic from client workstations is allowed by the explicit web proxy policies.

That DNS service is enabled in the explicit web proxy interface.

Group ID.

Group name.

Session pickup.

Gratuitous ARPs.

There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.

The TZ value represents the delta between each FortiGuard server's time zone and the FortiGate's time zone.

FortiGate will send the FortiGuard queries to the server with highest weight.

A server's round trip delay (RTT) is not used to calculate its weight.

The port2 interface is disabled in the FortiGate configuration.

The port1 default route has a lower distance than the default route using port2.

The port1 default route has a higher priority value than the default route using port2.

The port1 default route has a lower priority value than the default route using port2.

They are used to filter real-time debugs.

They display real-time application debugs.

Some of them display statistics and configuration information about a feature or process.

Some of them can be used to restart an application.

FortiGate needs to have the server list entry for FortiManager set to server-type update under config system central-management.

FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated AV and IPS packages.

Service access needs to be enabled on FortiManager under System Settings > Network.

FortiGate needs to have include-default-servers disabled under config system central-management.

The server does not have the user credentials yet.

The server requires more information from the user, such as the token code for two-factor authentication.

The user credentials are wrong.

The user account is not found in the server.

With the auxiliary session setting disabled, only auxiliary sessions are offloaded.

With the auxiliary session setting enabled, two sessions are created in case of routing change.

With the auxiliary session setting enabled, ECMP traffic is accelerated to the NP6 processor.

With the auxiliary session setting disabled, for each traffic path, FortiGate uses the same auxiliary session.

The session would remain in the session table, and its traffic would still egress from port1.

The session would remain in the session table, but its traffic would now egress from both port1 and port2.

The session would remain in the session table, and its traffic would start to egress from port2.

The session would be deleted, so the client would need to start a new session.