  • Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.0
  • Last Update: Dec 5, 2024
  • Questions and Answers: 163
NSE7_EFW-7.0 Practice Exam Questions with Answers Fortinet NSE 7 - Enterprise Firewall 7.0 Certification

Question # 6

Examine the following partial output from a sniffer command; then answer the question below.

[Exhibit: sniffer output not reproduced]

What is the meaning of the packets dropped counter at the end of the sniffer?

A.

Number of packets that didn’t match the sniffer filter.

B.

Number of total packets dropped by the FortiGate.

C.

Number of packets that matched the sniffer filter and were dropped by the FortiGate.

D.

Number of packets that matched the sniffer filter but could not be captured by the sniffer.

Question # 7

Which of the following events can trigger the election of a new primary unit in an HA cluster? (Choose two.)

A.

Primary unit stops sending HA heartbeat keepalives.

B.

The FortiGuard license for the primary unit is updated.

C.

One of the monitored interfaces in the primary unit is disconnected.

D.

A secondary unit is removed from the HA cluster.

Question # 8

An administrator cannot connect to the GUI of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:

[Exhibit: debug flow output not reproduced]

Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

A.

HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

B.

Redirection of HTTP to HTTPS administrative access is disabled.

C.

HTTP administrative access is configured with a port number different than 80.

D.

The packet is denied because of reverse path forwarding check.

Question # 9

View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

[Exhibit: IKE real-time debug output not reproduced]

Why didn’t the tunnel come up?

A.

The pre-shared keys do not match.

B.

The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.

C.

The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration.

D.

The remote gateway is using aggressive mode and the local gateway is configured to use main mode.

Question # 10

Examine the following event log entry; then answer the question below.

date=20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri=critical vd=root service=kernel status=failure msg="NAT port is exhausted."

What does the log mean?

A.

There is not enough available memory in the system to create a new entry in the NAT port table.

B.

The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.

C.

FortiGate does not have any available NAT port for a new connection.

D.

The limit for the maximum number of entries in the NAT port table has been reached.

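As an added example (not part of the original question set), the following Python parses FortiGate key=value log lines like the entry above and flags NAT port exhaustion events so they can be alerted on rather than noticed after users start losing connectivity. The sample log lines are constructed for the demo: only the first mirrors the entry quoted in the question; the traffic line, the second device and all device names are assumptions.

```python
import re

# One key=value token; the value is either a double-quoted string (may contain
# spaces and escaped quotes) or a bare run of non-space characters.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Split a FortiGate log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in _TOKEN.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_nat_port_exhausted(fields: dict) -> bool:
    """True for the kernel event that says no free NAT port was available."""
    return (
        fields.get("type") == "event"
        and fields.get("subtype") == "system"
        and fields.get("status") == "failure"
        and fields.get("msg", "").startswith("NAT port is exhausted")
    )


def nat_exhaustion_alerts(lines) -> list:
    """Return (devname, date, time, msg) for every NAT port exhaustion event."""
    alerts = []
    for line in lines:
        f = parse_fortigate_log(line)
        if is_nat_port_exhausted(f):
            alerts.append((f.get("devname"), f.get("date"), f.get("time"), f["msg"]))
    return alerts


# Constructed sample lines (not real device output). The first copies the
# format of the entry in the question; the others are assumed for contrast.
SAMPLE_LOGS = [
    'date=2024-02-01 time=19:52:01 devname=master device_id="FGT1" log_id=0100020007 '
    'type=event subtype=system pri=critical vd=root service=kernel status=failure '
    'msg="NAT port is exhausted."',
    'date=2024-02-01 time=19:52:05 devname=master device_id="FGT1" log_id=0000000013 '
    'type=traffic subtype=forward srcip=10.0.1.10 dstip=203.0.113.5 action=accept msg="Ok"',
    'date=2024-02-01 time=19:53:10 devname=spoke1 device_id="FGT2" log_id=0100020007 '
    'type=event subtype=system pri=critical vd=root service=kernel status=failure '
    'msg="NAT port is exhausted."',
]

if __name__ == "__main__":
    for alert in nat_exhaustion_alerts(SAMPLE_LOGS):
        print("ALERT NAT port exhaustion:", alert)
```

Matching on type, subtype and status in addition to the message text keeps the rule from firing on unrelated lines that happen to quote the same words (for example an administrator's comment in a configuration change log).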
Question # 11

Examine the IPsec configuration shown in the exhibit; then answer the question below.

[Exhibit: IPsec configuration not reproduced]

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:

diagnose vpn ike log-filter src-addr4 10.0.10.1

diagnose debug application ike -1

diagnose debug enable

The VPN is currently up, there is no traffic crossing the tunnel, and DPD packets are being exchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?

A.

The IKE real time debug shows the phase 1 and phase 2 negotiations only. It does not show any more output once the tunnel is up.

B.

The log-filter setting is set incorrectly. The VPN’s traffic does not match this filter.

C.

The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.

D.

The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.

Question # 12

The CLI command set intelligent-mode controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

A.

Determines the optimal number of IPS engines required based on system load.

B.

Downloads signatures on demand from FDS based on scanning requirements.

C.

Determines when it is secure enough to stop scanning session traffic.

D.

Chooses a matching algorithm based on available memory and the type of inspection being performed.

Question # 13

View the exhibit, which contains the output of a BGP debug command, and then answer the question below.

[Exhibit: BGP debug output not reproduced]

Which of the following statements about the exhibit are true? (Choose two.)

A.

The local router's BGP state is Established with the 10.125.0.60 peer.

B.

Since the counters were last reset, the 10.200.3.1 peer has never been down.

C.

The local router has received a total of three BGP prefixes from all peers.

D.

The local router has not established a TCP session with 100.64.3.1.

Question # 14

View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

[Exhibit: phase 1 settings screenshot not reproduced]

The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

[Exhibit: CLI commands not reproduced]

However, the IKE real time debug does not show any output. Why?

A.

The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.

B.

The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.

C.

The debug shows only error messages. If there is no output, then the tunnel is operating normally.

D.

The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

Question # 15

Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

[Exhibit: get vpn ipsec tunnel details output not reproduced]

Based on the output, which two statements are correct? (Choose two.)

A.

Phase 2 authentication is set to sha1 on both sides.

B.

Anti-replay is disabled.

C.

Hub2Spoke1 is a policy-based VPN.

D.

Hub2Spoke1 is configured on interface wan2.

Question # 16

Examine the output of the ‘get router info ospf interface’ command shown in the exhibit; then answer the question below.

[Exhibit: get router info ospf interface output not reproduced]

Which statements are true regarding the above output? (Choose two.)

A.

The port4 interface is connected to the OSPF backbone area.

B.

The local FortiGate has been elected as the OSPF backup designated router.

C.

There are at least 5 OSPF routers connected to the port4 network.

D.

Two OSPF routers are down in the port4 network.

Question # 17

View the exhibit, which contains the partial output of a diagnose command, and then answer the question below.

[Exhibit: diagnose command output not reproduced]

Based on the output, which of the following statements is correct?

A.

Anti-replay is enabled.

B.

DPD is disabled.

C.

Quick mode selectors are disabled.

D.

Remote gateway IP is 10.200.5.1.

Question # 18

Examine the following routing table and BGP configuration; then answer the question below.

[Exhibit: routing table and BGP configuration not reproduced]

The BGP connection is up, but the local peer is NOT advertising the prefix 192.168.1.0/24. Which configuration change will make the local peer advertise this prefix?

A.

Enable the redistribution of connected routes into BGP.

B.

Enable the redistribution of static routes into BGP.

C.

Disable the setting network-import-check.

D.

Enable the setting ebgp-multipath.

Question # 19

Which two statements about OCVPN are true? (Choose two.)

A.

Only root vdom supports OCVPN.

B.

OCVPN supports static and dynamic IPs in WAN interface.

C.

OCVPN offers only Hub-Spoke VPNs.

D.

FortiGate devices under different FortiCare accounts can be used to form OCVPN.

Question # 20

What are two functions of automation stitches? (Choose two.)

A.

Automation stitches can be configured on any FortiGate device in a Security Fabric environment.

B.

An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

C.

Automation stitches can be created to run diagnostic commands and attach the results to an email message when CPU or memory usage exceeds specified thresholds.

D.

An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

Question # 21

Refer to the exhibit, which contains a TCL script configuration on FortiManager.

An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any changes to the managed device after being run.

[Exhibit: FortiManager TCL script configuration not reproduced]

Why did the TCL script fail to make any changes to the managed device?

A.

The TCL command run_cmd has not been created.

B.

The TCL script must start with #include <>.

C.

Incomplete commands are ignored in TCL scripts.

D.

Changes to an interface configuration can be made only by a CLI script.

Question # 22

Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

A.

Preview pending configuration changes for managed devices.

B.

Add devices to FortiManager.

C.

Import policy packages from managed devices.

D.

Install configuration changes to managed devices.

E.

Import interface mappings from managed devices.

Question # 23

Refer to the exhibit, which contains partial output from an IKE real-time debug.

[Exhibit: IKE real-time debug output not reproduced]

Which two statements about this debug output are correct? (Choose two.)

A.

The remote gateway IP address is 10.0.0.1.

B.

The initiator provided remote as its IPsec peer ID.

C.

It shows a phase 1 negotiation.

D.

The negotiation is using AES128 encryption with CBC hash.

Question # 24

Refer to the exhibit, which shows a central management configuration.

[Exhibit: central management configuration not reproduced]

Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?

A.

Public FortiGuard servers

B.

10.0.1.243

C.

10.0.1.242

D.

10.0.1.244

Question # 25

View the IPS exit log, and then answer the question below.

# diagnose test application ipsmonitor 3

ipsengine exit log:

pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017

code = 11, reason: manual

What is the status of IPS on this FortiGate?

A.

IPS engine memory consumption has exceeded the model-specific predefined value.

B.

IPS daemon experienced a crash.

C.

There are communication problems between the IPS engine and the management database.

D.

All IPS-related features have been disabled in FortiGate’s configuration.

Question # 26

Examine the output from the 'diagnose debug authd fsso list' command; then answer the question below.

# diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.3.1  User: STUDENT  Groups: TRAININGAD/USERS  Workstation: INTERNAL2.TRAINING.LAB

The IP address 192.168.3.1 is NOT the one used by the workstation INTERNAL2.TRAINING.LAB.

What should the administrator check?

A.

The IP address recorded in the logon event for the user STUDENT.

B.

The DNS name resolution for the workstation name INTERNAL2.TRAINING.LAB.

C.

The source IP address of the traffic arriving at the FortiGate from the workstation INTERNAL2.TRAINING.LAB.

D.

The reverse DNS lookup for the IP address 192.168.3.1.

Question # 27

What is the purpose of an internal segmentation firewall (ISFW)?

A.

It inspects incoming traffic to protect services in the corporate DMZ.

B.

It is the first line of defense at the network perimeter.

C.

It splits the network into multiple security segments to minimize the impact of breaches.

D.

It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

Question # 28

Which two statements about bulk configuration changes made using FortiManager CLI scripts are correct? (Choose two.)

A.

When run on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate device.

B.

When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

C.

When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.

D.

When run on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate device.

Question # 29

View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.

[Exhibit: web filter profile configuration not reproduced]

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

A.

FortiGate will exempt the connection based on the Web Content Filter configuration.

B.

FortiGate will block the connection based on the URL Filter configuration.

C.

FortiGate will allow the connection based on the FortiGuard category based filter configuration.

D.

FortiGate will block the connection as an invalid URL.

Question # 30

Refer to the exhibit, which contains partial output from an IKE real-time debug.

[Exhibit: IKE real-time debug output not reproduced]

The administrator does not have access to the remote gateway.

Based on the debug output, which configuration change can the administrator make to the local gateway to resolve the phase 1 negotiation error?

A.

In the phase 1 network configuration, set the IKE version to 2.

B.

In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.

C.

In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.

D.

In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.

Question # 31

View the exhibit, which contains a session entry, and then answer the question below.

[Exhibit: session entry not reproduced]

Which statement is correct regarding this session?

A.

It is an ICMP session from 10.1.10.10 to 10.200.1.1.

B.

It is an ICMP session from 10.1.10.10 to 10.200.5.1.

C.

It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.

D.

It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

Question # 32

Refer to the exhibit, which shows the output of diagnose sys session list.

[Exhibit: diagnose sys session list output not reproduced]

If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the primary?

A.

Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.

B.

The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.

C.

The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.

D.

The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.

Question # 33

Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below.

[Exhibit: get router info bgp summary output not reproduced]

Which statements are true regarding the output in the exhibit? (Choose two.)

A.

BGP state of the peer 10.125.0.60 is Established.

B.

BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.

C.

Local BGP peer has not received an OpenConfirm from 10.200.3.1.

D.

The local BGP peer has received a total of 3 BGP prefixes.

Question # 34

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

A.

Neighbor range

B.

Route reflector

C.

Next-hop-self

D.

Neighbor group

Question # 35

Which statement about IKE and IKE NAT-T is true?

A.

IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.

B.

IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.

C.

They both use UDP as their transport protocol and the port number is configurable.

D.

They each use their own IP protocol number.

Question # 36

Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network.

[Exhibits: FortiGate configuration and session information not reproduced]

An administrator would like to test session failover between the two service provider connections.

What changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)

A.

Configure set snat-route-change enable.

B.

Change the priority of the port2 static route to 5.

C.

Change the priority of the port1 static route to 11.

D.

unset snat-route-change to return it to the default setting.

Question # 37

Which two configuration commands change the default behavior for content-inspected traffic while FortiGate is in conserve mode? (Choose two.)

A.

set av-failopen off

B.

set av-failopen pass

C.

set fail-open enable

D.

set ips fail-open disable

Question # 38

View the exhibit, which contains the output of a debug command, and then answer the question below.

[Exhibit: debug command output not reproduced]

Which of the following statements about the exhibit are true? (Choose two.)

A.

In the network on port4, two OSPF routers are down.

B.

Port4 is connected to the OSPF backbone area.

C.

The local FortiGate’s OSPF router ID is 0.0.0.4

D.

The local FortiGate has been elected as the OSPF backup designated router.

Question # 39

Four FortiGate devices configured for OSPF are connected to the same broadcast domain. The first unit is elected as the designated router, and the second unit is elected as the backup designated router. Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

A.

1

B.

2

C.

3

D.

4

Question # 40

A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reporting DNS errors when accessing any website. The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

[Exhibit: debug command output not reproduced]

What should the administrator check to fix the problem?

A.

The connectivity between the FortiGate unit and the DNS server.

B.

The connectivity between the client workstations and the DNS server.

C.

That DNS traffic from client workstations is allowed by the explicit web proxy policies.

D.

That DNS service is enabled in the explicit web proxy interface.

Question # 41

Two independent FortiGate HA clusters are connected to the same broadcast domain. The administrator has reported that both clusters are using the same HA virtual MAC address. This creates a duplicated MAC address problem in the network. What HA setting must be changed in one of the HA clusters to fix the problem?

A.

Group ID.

B.

Group name.

C.

Session pickup.

D.

Gratuitous ARPs.

Question # 42

Examine the output of the 'diagnose debug rating' command shown in the exhibit; then answer the question below.

[Exhibit: diagnose debug rating output not reproduced]

Which statements are true regarding the output in the exhibit? (Choose two.)

A.

There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.

B.

The TZ value represents the delta between each FortiGuard server's time zone and the FortiGate's time zone.

C.

FortiGate will send the FortiGuard queries to the server with highest weight.

D.

A server's round trip delay (RTT) is not used to calculate its weight.

Question # 43

Refer to the exhibit, which shows partial outputs from two routing debug commands.

[Exhibit: routing debug command outputs not reproduced]

Why is the port2 default route not in the second command output?

A.

The port2 interface is disabled in the FortiGate configuration.

B.

The port1 default route has a lower distance than the default route using port2.

C.

The port1 default route has a higher priority value than the default route using port2.

D.

The port1 default route has a lower priority value than the default route using port2.

Question # 44

Which of the following statements are correct regarding application layer test commands? (Choose two.)

A.

They are used to filter real-time debugs.

B.

They display real-time application debugs.

C.

Some of them display statistics and configuration information about a feature or process.

D.

Some of them can be used to restart an application.

Question # 45

You have configured FortiManager as a local FDS to provide FortiGate AV and IPS updates, but FortiGate devices are not receiving updates to their AV signature databases, IPS engines, or IPS signature databases.

Which two settings need to be verified for these features to function? (Choose two.)

A.

FortiGate needs to have the server list entry for FortiManager set to server-type update under config system central-management.

B.

FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated AV and IPS packages.

C.

Service access needs to be enabled on FortiManager under System Settings > Network.

D.

FortiGate needs to have include-default-servers disabled under config system central-management.

Question # 46

When does a RADIUS server send an Access-Challenge packet?

A.

The server does not have the user credentials yet.

B.

The server requires more information from the user, such as the token code for two-factor authentication.

C.

The user credentials are wrong.

D.

The user account is not found in the server.

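An added example, not from the original page or from Fortinet, showing the Access-Challenge round trip in working code: a RADIUS client and a simulated two-factor server exchange RFC 2865 packets in-process. The server answers a correct password with Access-Challenge (code 11) carrying a Reply-Message and a State attribute, and the client replies with a second Access-Request carrying the token and the echoed State. The shared secret, user name, password, token and State value are assumptions, and no network I/O takes place.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24
SECRET = b"fortinet-shared-secret"  # assumed shared secret, example only
EXPECTED_TOKEN = b"123456"          # assumed OTP the simulated server expects
CHALLENGE_STATE = b"otp-round-1"    # assumed opaque State the server hands out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth  # inverse of hide_password, used by the server
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)  # Type, Length, Value

def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("length field does not match packet")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def client_request(ident, request_auth, user, password, state=None) -> bytes:
    attrs = [(ATTR_USER_NAME, user), (ATTR_USER_PASSWORD, hide_password(password, SECRET, request_auth))]
    if state is not None:
        attrs.append((ATTR_STATE, state))  # echo the server's State on round two
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle(pkt: bytes) -> bytes:
    """Simulated two-factor server: password first, then a challenge for the token."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    if code != ACCESS_REQUEST or ATTR_USER_PASSWORD not in a:
        raise ValueError("expected an Access-Request carrying User-Password")
    answer = reveal_password(a[ATTR_USER_PASSWORD], SECRET, request_auth)
    if ATTR_STATE in a:  # round two: User-Password now carries the token
        ok = a[ATTR_STATE] == CHALLENGE_STATE and answer == EXPECTED_TOKEN
        reply_code, reply_attrs = (ACCESS_ACCEPT if ok else ACCESS_REJECT), []
    elif a.get(ATTR_USER_NAME) == b"student" and answer == b"password":
        # Credentials are fine but more information is needed: Access-Challenge.
        reply_code = ACCESS_CHALLENGE
        reply_attrs = [(ATTR_REPLY_MESSAGE, b"Enter token code"), (ATTR_STATE, CHALLENGE_STATE)]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, []
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, SECRET)
    return build_packet(reply_code, ident, auth, reply_attrs)

def verified_reply(reply: bytes, request_auth: bytes):
    """Client side: drop any reply whose Response Authenticator does not verify."""
    code, ident, auth, attrs = parse_packet(reply)
    if auth != response_authenticator(code, ident, attrs, request_auth, SECRET):
        raise ValueError("bad Response Authenticator (spoofed reply or wrong secret)")
    return code, attrs

def run_exchange(user=b"student", password=b"password", token=EXPECTED_TOKEN) -> list:
    """Run the client flow in-process; returns the reply codes seen, e.g. [11, 2]."""
    ra1 = os.urandom(16)
    code, attrs = verified_reply(server_handle(client_request(1, ra1, user, password)), ra1)
    codes = [code]
    if code == ACCESS_CHALLENGE:  # server wants more information: send token plus State
        ra2, state = os.urandom(16), dict(attrs)[ATTR_STATE]
        code, _ = verified_reply(server_handle(client_request(2, ra2, user, token, state)), ra2)
        codes.append(code)
    return codes
```

Calling run_exchange() with the defaults returns [11, 2], Access-Challenge followed by Access-Accept; a wrong password returns [3] and a wrong token returns [11, 3]. The Response Authenticator check on the client side is the part worth copying: without it, anything on the path between FortiGate and the RADIUS server could forge an Access-Accept. The RFC 2865 password hiding is an MD5 keystream, not a confidentiality scheme to rely on, so RADIUS traffic belongs on a trusted segment or inside RadSec (RADIUS over TLS).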
Question # 47

Which two statements about an auxiliary session are true? (Choose two.)

A.

With the auxiliary session setting disabled, only auxiliary sessions are offloaded.

B.

With the auxiliary session setting enabled, two sessions are created in case of routing change.

C.

With the auxiliary session setting enabled, ECMP traffic is accelerated to the NP6 processor.

D.

With the auxiliary session setting disabled, for each traffic path, FortiGate uses the same auxiliary session.

Question # 48

View the following FortiGate configuration.

[Exhibit: FortiGate configuration not reproduced]

All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for Internet traffic from a user on the internal network:

[Exhibit: session information not reproduced]

If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user’s session?

A.

The session would remain in the session table, and its traffic would still egress from port1.

B.

The session would remain in the session table, but its traffic would now egress from both port1 and port2.

C.

The session would remain in the session table, and its traffic would start to egress from port2.

D.

The session would be deleted, so the client would need to start a new session.
