NSE7_EFW-7.0 Practice Exam Questions with Answers Fortinet NSE 7 - Enterprise Firewall 7.0 Certification

The session would remain in the session table, but its traffic would now egress from both port1 and port2.

The session would remain in the session table, and its traffic would egress from port2.

The session would be deleted, and the client would need to start a new session.

The session would remain in the session table, and its traffic would egress from port1.

A process crash.

Configuration changes.

Changes in the status of any of the FortiGuard licenses.

System entering to and leaving from the proxy conserve mode.

Servers with a negative TZ value are less preferred for rating requests.

There is a natural correlation between the value in the Packets field and the value in the Weight field.

FortiGate used 64.26.151.37 as the initial server to validate its contract.

The first server provided to FortiGate when it performed a DNS query looking for a list of rating servers, was 121.111.236.179.

The local router's BGP state is Established with the 10.125.0.60 peer.

Since the counters were last reset; the 10.200.3.1 peer has never been down.

The local router has received a total of three BGP prefixes from all peers.

The local router has not established a TCP session with 100.64.3.1.

Diagnose debug application radius -1.

Diagnose debug application fnbamd -1.

Diagnose authd console –log enable.

Diagnose radius console –log enable.

Configure route leaking between VRF 12 and VRF 21.

Disable auto-asic-offload as this is not supported between VRF instances.

Configure RIPv2 to exchange route information between the VRF instances.

Configure route leaking between port3 and port4.

Enable SNAT on the relevant firewall policies to prevent RPF check drops.

The incoming IPsec connection is matching the wrong VPN configuration

The phrase-1 mode must be changed to aggressive

The pre-shared key is wrong

NAT-T settings do not match

diagnose sniffer packet any ‘esp and host 10.200.3.2’

diagnose sniffer packet any ‘ip proto 50’

diagnose sniffer packet any ‘host 10.0.10.10’

diagnose sniffer packet any ‘port 4500’

Primary unit stops sending HA heartbeat keepalives.

The FortiGuard license for the primary unit is updated.

One of the monitored interfaces in the primary unit is disconnected.

A secondary unit is removed from the HA cluster.

Determines the optimal number of IPS engines required based on system load.

Downloads signatures on demand from FDS based on scanning requirements.

Determines when it is secure enough to stop scanning session traffic.

Choose a matching algorithm based on available memory and the type of inspection being performed.

The local router has a different AS number than the remote peer.

The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the openConfirm yet.

The local router initiated the BGP session to 10.200.3.1 but did not receive a response.

The router 10.200.3.1 has authentication configured for BGP and the local router does not.

IKE mode configuration is not enabled in the remote IPsec gateway.

The remote gateway’s Phase-2 configuration does not match the local gateway’s phase-2 configuration.

The remote gateway’s Phase-1 configuration does not match the local gateway’s phase-1 configuration.

One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.

In the phase 1 network configuration, set the IKE version to 2.

In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.

In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.

In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.

This session is for HA heartbeat traffic.

This session is synced with the slave unit.

The inspection of this session has been offloaded to the slave unit.

This session cannot be synced with the slave unit.

The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfirm yet.

The TCP session to 10.200.3.1 has not completed the three-way handshake.

The local router is receiving the BGP keepalives from the peer, but it has not received a BGP prefix yet.

The local router has received the BGP prefixes from the remote peer.

Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.

The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.

The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.

The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.

The next-hop IP address is up.

There is no other route, to the same destination, with a higher distance.

The link health monitor (if configured) is up.

The next-hop IP address belongs to one of the outgoing interface subnets.

The outgoing interface is up.

Set the priority of the static default route using port1 to 10. Most Voted

Set the priority of the static default route using port2 to 1.

Set preserve-session-route to enable.

Set snat-route-change to enable.

1

2

3

4