Pass the Fortinet NSE 7 Network Security Architect NSE7_EFW-7.0 Questions and answers with CertsForce

Viewing page 3 out of 5 pages
Viewing questions 21-30 out of questions
Question # 21:

What does the dirty flag mean in a FortiGate session configured for NGFW policy mode?

Options:

A. The existing session table entry has been updated with the app_id and the firewall policy table needs to be checked for a match.
B. The application or URL category is unknown and needs to be rescanned by the IPS engine to try to identify the Layer 7 details.
C. The URL category for this session has been updated by FortiGuard and the session needs to be checked against the policy again to ensure proper web filtering is applied.
D. Traffic has been identified as coming from an application that is not allowed and the relevant replacement message needs to be displayed to the user, if configured.

Question # 22:

Refer to the exhibit, which shows a partial routing table.

[Exhibit: partial routing table (image not reproduced)]

Assuming all the appropriate firewall policies are configured, what two changes would an administrator need to make if they wanted to send traffic from a client directly connected to port3 to a server directly connected to port4? (Choose two.)

Options:

A. Configure route leaking between VRF 12 and VRF 21.
B. Disable auto-asic-offload as this is not supported between VRF instances.
C. Configure RIPv2 to exchange route information between the VRF instances.
D. Configure route leaking between port3 and port4.
E. Enable SNAT on the relevant firewall policies to prevent RPF check drops.

Question # 23:

An administrator wants to capture encrypted phase 2 traffic between two FortiGate devices using the built-in sniffer.

If the administrator knows that there is no NAT device located between both FortiGate devices, which command should the administrator run?

Options:

A. diagnose sniffer packet any 'ah'
B. diagnose sniffer packet any 'ip proto 50'
C. diagnose sniffer packet any 'udp port 4500'
D. diagnose sniffer packet any 'udp port 500'

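Added example for this question (written for this edit, not taken from the exam page or from Fortinet): a Python classifier over constructed raw IPv4 packets that shows which of the four filter expressions above sees phase 2 traffic with and without NAT traversal. The FortiGate sniffer accepts tcpdump-style filters; `sniffer_matches` emulates only the four expressions in the question. Helper names (`classify`, `sniffer_matches`, `capture_hits`) and the sample packets are assumptions of this example.

```python
"""Which sniffer filter sees IPsec phase 2 traffic, with and without NAT-T.

Constructed packets only; nothing here talks to a FortiGate.
"""
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE carried on UDP/4500


def build_ipv4(proto: int, payload: bytes,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (checksum zero) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse(pkt: bytes) -> dict:
    """Return IP protocol, UDP ports (if UDP) and the transport payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    l4 = pkt[ihl:]
    info = {"proto": proto, "sport": None, "dport": None, "payload": l4}
    if proto == IPPROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(sport=sport, dport=dport, payload=l4[8:])
    return info


def classify(pkt: bytes) -> str:
    """Label a packet as raw ESP/AH, IKE, NAT-T IKE, UDP-encapsulated ESP or other."""
    p = parse(pkt)
    if p["proto"] == IPPROTO_ESP:
        return "esp"
    if p["proto"] == IPPROTO_AH:
        return "ah"
    if p["proto"] != IPPROTO_UDP:
        return f"ipproto-{p['proto']}"
    ports = (p["sport"], p["dport"])
    if IKE_PORT in ports:
        return "ike"
    if NAT_T_PORT in ports:
        data = p["payload"]
        if data[:4] == NON_ESP_MARKER:
            return "ike-natt"                 # IKE multiplexed onto 4500
        if len(data) == 1 and data == b"\xff":
            return "natt-keepalive"           # RFC 3948 2.3
        return "esp-in-udp"                   # an ESP SPI is never zero
    return "udp"


def sniffer_matches(filter_expr: str, pkt: bytes) -> bool:
    """Evaluate the four tcpdump-style filters from the question (BPF semantics)."""
    p = parse(pkt)
    if filter_expr == "ah":
        return p["proto"] == IPPROTO_AH
    if filter_expr == "ip proto 50":
        return p["proto"] == IPPROTO_ESP
    if filter_expr.startswith("udp port "):
        port = int(filter_expr.split()[-1])
        return p["proto"] == IPPROTO_UDP and port in (p["sport"], p["dport"])
    raise ValueError(f"unsupported filter: {filter_expr}")


def capture_hits(filter_expr: str, pkts) -> list:
    """Labels of the packets a given filter would show."""
    return [classify(p) for p in pkts if sniffer_matches(filter_expr, p)]


# Constructed traffic for one SA: the same ESP packet sent directly and via NAT-T.
ESP_BODY = bytes.fromhex("0000c0de00000001") + b"\x00" * 24   # SPI, seq, ciphertext
ESP_DIRECT = build_ipv4(IPPROTO_ESP, ESP_BODY)
ESP_NATT = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, ESP_BODY))
IKE_INIT = build_ipv4(IPPROTO_UDP, build_udp(500, 500, b"\x11" * 28))
IKE_NATT = build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28))

if __name__ == "__main__":
    no_nat = [IKE_INIT, ESP_DIRECT]
    behind_nat = [IKE_INIT, IKE_NATT, ESP_NATT]
    for f in ("ah", "ip proto 50", "udp port 4500", "udp port 500"):
        print(f"{f:14s} no-NAT: {capture_hits(f, no_nat)}  NAT-T: {capture_hits(f, behind_nat)}")
```

With no NAT between the peers, phase 2 traffic is plain ESP (IP protocol 50), so `ip proto 50` is the filter that shows it and `udp port 500` shows only the IKE control channel. Once NAT-T is in use, the same ESP packets travel inside UDP/4500 next to IKE (which carries the four-byte zero non-ESP marker), so `ip proto 50` captures nothing and `udp port 4500` captures both. On a FortiGate with NPU offloading enabled, packets handled in hardware can bypass the built-in sniffer regardless of the filter, so an empty capture does not by itself mean the tunnel is idle.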
Question # 24:

View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

[Exhibit: phase-1 settings screenshot (image not reproduced)]

The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

[Exhibit: CLI commands entered by the administrator (image not reproduced)]

However, the IKE real-time debug does not show any output. Why?

Options:

A. The debug output shows phase 1 and phase 2 negotiations only. Once the tunnel is up, it does not show any more output.
B. The log-filter setting was set incorrectly. The VPN's traffic does not match this filter.
C. The debug shows only error messages. If there is no output, then the tunnel is operating normally.
D. The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real-time debug: diagnose debug application ipsec -1.

Question # 25:

Refer to the exhibit, which contains a TCL script configuration on FortiManager.

[Exhibit: TCL script configuration on FortiManager (image not reproduced)]

An administrator has configured the TCL script on FortiManager, but when it was executed it failed to apply any changes to the managed device.

Why did the TCL script fail to make any changes to the managed device?

Options:

A. Changes in an interface configuration can only be done by CLI script.
B. The TCL script must start with #include <>.
C. Incomplete commands are ignored in TCL scripts.
D. The TCL command run_cmd has not been created.

Question # 26:

You have configured FortiManager as a local FDS to provide FortiGate AV and IPS updates, but FortiGate devices are not receiving updates to their AV signature databases, IPS engines, or IPS signature databases.

Which two settings need to be verified for these features to function? (Choose two.)

Options:

A. FortiGate needs to have the server list entry for FortiManager set to server-type update under config system central-management.
B. FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated AV and IPS packages.
C. Service access needs to be enabled on FortiManager under System Settings > Network.
D. FortiGate needs to have include-default-servers disabled under config system central-management.

Question # 27:

Which real-time debug should an administrator enable to troubleshoot RADIUS authentication problems?

Options:

A. diagnose debug application radius -1
B. diagnose debug application fnbamd -1
C. diagnose authd console --log enable
D. diagnose radius console --log enable

Question # 28:

Which two statements about OCVPN are true? (Choose two.)

Options:

A. Only the root VDOM supports OCVPN.
B. OCVPN supports static and dynamic IPs on the WAN interface.
C. OCVPN offers only hub-and-spoke VPNs.
D. FortiGate devices under different FortiCare accounts can be used to form an OCVPN.

Question # 29:

View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

[Exhibit: partial IKE real-time debug output (image not reproduced)]

The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

Options:

A. Change phase 1 encryption to 3DES and authentication to SHA128.
B. Change phase 1 encryption to AES128 and authentication to SHA512.
C. Change phase 1 encryption to AESCBC and authentication to SHA2.
D. Change phase 1 encryption to AES256 and authentication to SHA256.

Question # 30:

An administrator has enabled HA session synchronization in an HA cluster with two members. Which flag is added to a primary unit's session to indicate that it has been synchronized to the secondary unit?

Options:

A. redir
B. dirty
C. synced
D. nds

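Both the dirty flag (question 21) and the synced flag (question 30) are session flags that a FortiGate prints on the state= line of `diagnose sys session list`. As an added example that is not part of the exam page or of any Fortinet tooling, the Python below parses a constructed sample of that output and lists which sessions the kernel will re-match against the policy table (`dirty`) and which have not been replicated to the HA peer (no `synced`). The sample's layout is approximated from FortiOS 7.0 output, so field order and names are an assumption; all function names are this example's own.

```python
"""Parse `diagnose sys session list` output and report dirty / unsynced sessions.

The SAMPLE text below is constructed for this example and only approximates the
real FortiOS layout (record header, state= line, hook= NAT tuple lines, policy_id
and app= lines). Field names and ordering are an assumption, not a capture.
"""
import re

SAMPLE = """\
session info: proto=6 proto_state=01 duration=42 expire=3558 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu synced
statistic(bytes/packets/allow_err): org=3412/21/1 reply=9876/18/1 tuples=2
hook=post dir=org act=snat 10.0.1.10:51234->203.0.113.5:443(198.51.100.2:51234)
hook=pre dir=reply act=dnat 203.0.113.5:443->198.51.100.2:51234(10.0.1.10:51234)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000abcd tos=ff/ff app_list=2000 app=15832 url_cat=0

session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=dirty may_dirty synced
statistic(bytes/packets/allow_err): org=512/4/1 reply=1200/3/1 tuples=2
hook=post dir=org act=snat 10.0.1.11:40001->203.0.113.9:443(198.51.100.2:40001)
hook=pre dir=reply act=dnat 203.0.113.9:443->198.51.100.2:40001(10.0.1.11:40001)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000abce tos=ff/ff app_list=2000 app=40568 url_cat=0

session info: proto=17 proto_state=01 duration=1 expire=179 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
hook=post dir=org act=snat 10.0.1.12:53001->203.0.113.53:53(198.51.100.2:53001)
hook=pre dir=reply act=dnat 203.0.113.53:53->198.51.100.2:53001(10.0.1.12:53001)
misc=0 policy_id=9 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000abcf tos=ff/ff app_list=0 app=0 url_cat=0
total session 3
"""

KV = re.compile(r"(\w+)=(\S*)")
HOOK = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+)->(\S+?)(?:\((\S+)\))?$")


def parse_session_list(text: str) -> list:
    """Split the listing into one dict per session: key=value fields, state flags, NAT hooks."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("session info:"):
            cur = {"state": set(), "hooks": []}
            cur.update(KV.findall(line))          # proto, duration, expire, ...
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("state="):
            cur["state"] = set(line[len("state="):].split())
        elif line.startswith("hook="):
            m = HOOK.match(line)
            if m:
                cur["hooks"].append({"hook": m[1], "dir": m[2], "act": m[3],
                                     "src": m[4], "dst": m[5], "nat": m[6]})
        elif line.startswith("total session"):
            cur = None
        else:
            cur.update(KV.findall(line))          # policy_id, app, serial, ...
    return sessions


def session_key(s: dict) -> str:
    """Human-readable identifier: protocol plus the original-direction tuple."""
    org = next((h for h in s["hooks"] if h["dir"] == "org"), None)
    return f'{s["proto"]} {org["src"]}->{org["dst"]}' if org else s.get("serial", "?")


def needs_policy_recheck(sessions: list) -> list:
    """Sessions flagged dirty: the next packet triggers a fresh firewall-policy lookup."""
    return [session_key(s) for s in sessions if "dirty" in s["state"]]


def not_synced_to_peer(sessions: list) -> list:
    """Sessions without the synced flag; these do not survive an HA failover."""
    return [session_key(s) for s in sessions if "synced" not in s["state"]]


def by_policy(sessions: list) -> dict:
    """Session count per policy_id, useful when a policy edit has just dirtied sessions."""
    counts = {}
    for s in sessions:
        counts[s.get("policy_id")] = counts.get(s.get("policy_id"), 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_session_list(SAMPLE)
    print("dirty (policy re-lookup pending):", needs_policy_recheck(parsed))
    print("not synced to HA peer:", not_synced_to_peer(parsed))
    print("sessions per policy:", by_policy(parsed))
```

may_dirty only marks a session as a candidate for re-evaluation (for example, one created in NGFW policy mode before the application is known); dirty means the re-lookup is actually pending. In the sample, the UDP DNS session carries no synced flag: connectionless sessions are replicated to the peer only when session-pickup-connectionless is enabled under config system ha, so a listing like this is a quick way to see which traffic would be lost on failover.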