Fortinet NSE7_EFW Bundle 2021

NEW QUESTION 1
Examine the output of the ‘get router info ospf interface’ command shown in the exhibit; then answer the question below.

Which statements are true regarding the above output? (Choose two.)

• A. The port4 interface is connected to the OSPF backbone area.


• B. The local FortiGate has been elected as the OSPF backup designated router.


• C. There are at least 5 OSPF routers connected to the port4 network.


• D. Two OSPF routers are down in the port4 networ

Answer: AD

NEW QUESTION 2
An administrator has enabled HA session synchronization in a HA cluster with two members. Which flag is added to a primary unit’s session to indicate that it has been synchronized to the secondary unit?

• A. redir.


• B. dirty.


• C. synced


• D. nd

Answer: C

NEW QUESTION 3
The CLI command set intelligent-mode <enable | disable> controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

• A. Determines the optimal number of IPS engines required based on system load.


• B. Downloads signatures on demand from FDS based on scanning requirements.


• C. Determines when it is secure enough to stop scanning session traffic.


• D. Choose a matching algorithm based on available memory and the type of inspection being performed.

Answer: D

NEW QUESTION 4
View the exhibit, which contains the output of a diagnose command, and the answer the question below.

Which statements are true regarding the Weight value?

• A. Its initial value is calculated based on the round trip delay (RTT).


• B. Its initial value is statically set to 10.


• C. Its value is incremented with each packet lost.


• D. It determines which FortiGuard server is used for license validatio

Answer: C

NEW QUESTION 5
An administrator added the following Ipsec VPN to a FortiGate configuration: configvpn ipsec phasel -interface edit "RemoteSite" set type dynamic set interface "portl" set mode main
set psksecret ENC LCVkCiK2E2PhVUzZe next
end
config vpn ipsec phase2-interface edit "RemoteSite"
set phasel name "RemoteSite" set proposal 3des-sha256
next end
However, the phase 1 negotiation is failing. The administrator executed the IKF real time debug while attempting the Ipsec connection. The output is shown in the exhibit.

What is causing the IPsec problem in the phase 1 ?

• A. The incoming IPsec connection is matching the wrong VPN configuration


• B. The phrase-1 mode must be changed to aggressive


• C. The pre-shared key is wrong


• D. NAT-T settings do not match

Answer: C

NEW QUESTION 6
View the exhibit, which contains a session entry, and then answer the question below.

Which statement is correct regarding this session?

• A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.


• B. It is an ICMP session from 10.1.10.10 to 10.200.5.1.


• C. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.


• D. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

Answer: A

NEW QUESTION 7
An administrator wants to capture ESP traffic between two FortiGates using the built-in sniffer. If the administrator knows that there is no NAT device located between both FortiGates, what command should the administrator execute?

• A. diagnose sniffer packet any ‘udp port 500’


• B. diagnose sniffer packet any ‘udp port 4500’


• C. diagnose sniffer packet any ‘esp’


• D. diagnose sniffer packet any ‘udp port 500 or udp port 4500’

Answer: C

NEW QUESTION 8
How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a local FDS?

• A. FortiManager can download and maintain local copies of FortiGuard databases.


• B. FortiManager supports only FortiGuard push to managed devices.


• C. FortiManager will respond to update requests only if they originate from a managed device.


• D. FortiManager does not support rating requests.

Answer: A

NEW QUESTION 9
A FortiGate has two default routes:

All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:

What would happen with the traffic matching the above session if the priority on the first default route (IDd1) were changed from 5 to 20?

• A. Session would remain in the session table and its traffic would keep using port1 as the outgoing interface.


• B. Session would remain in the session table and its traffic would start using port2 as the outgoing interface.


• C. Session would be deleted, so the client would need to start a new session.


• D. Session would remain in the session table and its traffic would be shared between port1 andport2.

Answer: A

NEW QUESTION 10
An administrator has configured a FortiGate device with two VDOMs: root and internal. The administrator has also created and inter-VDOM link that connects both VDOMs. The objective is to have each VDOM advertise some routes to the other VDOM via OSPF through the inter-VDOM link. What OSPF configuration settings must match in both VDOMs to have the OSPF adjacency successfully forming? (Choose three.)

• A. Router ID.


• B. OSPF interface area.


• C. OSPF interface cost.


• D. OSPF interface MTU.


• E. Interface subnet mas

Answer: BDE

NEW QUESTION 11
What conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)

• A. IP addresses are in the same subnet.


• B. Hello and dead intervals match.


• C. OSPF IP MTUs match.


• D. OSPF peer IDs match.


• E. OSPF costs matc

Answer: ABD

NEW QUESTION 12
View the exhibit, which contains an entry in the session table, and then answer the question below.

Which one of the following statements is true regarding FortiGate’s inspection of this session?

• A. FortiGate applied proxy-based inspection.


• B. FortiGate forwarded this session without any inspection.


• C. FortiGate applied flow-based inspection.


• D. FortiGate applied explicit proxy-based inspectio

Answer: B

NEW QUESTION 13
Examine the output from the BGP real time debug shown in the exhibit, then the answer the question below:

Which statements are true regarding the output in the exhibit? (Choose two.)

• A. BGP peers have successfully interchanged Open and Keepalive messages.


• B. Local BGP peer received a prefix for a default route.


• C. The state of the remote BGP peer is OpenConfirm.


• D. The state of the remote BGP peer will go to Connect after it confirms the received prefixe

Answer: AB

NEW QUESTION 14
View the exhibit, which contains a partial output of an IKE real-time debug, and then answer the question below.

Based on the debug output, which phase-1 setting is enabled in the configuration of this VPN?

• A. auto-discovery-sender


• B. auto-discovery-forwarder


• C. auto-discovery-shortcut


• D. auto-discovery-receiver

Answer: C

NEW QUESTION 15
Examine the following partial output from a sniffer command; then answer the question below.

What is the meaning of the packets dropped counter at the end of the sniffer?

• A. Number of packets that didn’t match the sniffer filter.


• B. Number of total packets dropped by the FortiGate.


• C. Number of packets that matched the sniffer filter and were dropped by the FortiGate.


• D. Number of packets that matched the sniffer filter but could not be captured by the sniffe

Answer: C

NEW QUESTION 16
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

• A. Neighbor range


• B. Route refilector


• C. Next-hop-self


• D. Neighbor group

Answer: B

NEW QUESTION 17
View the exhibit, which contains the partial output of an IKE real time debug, and then answer the question below.

The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

• A. Change phase 1 encryption to AESCBC and authentication to SHA128.


• B. Change phase 1 encryption to 3DES and authentication to CBC.


• C. Change phase 1 encryption to AES128 and authentication to SHA512.


• D. Change phase 1 encryption to 3DES and authentication to SHA256.

Answer: C

NEW QUESTION 18
A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS errors when accessing any website. The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

What should the administrator check to fix the problem?

• A. The connectivity between the FortiGate unit and the DNS server.


• B. The connectivity between the client workstations and the DNS server.


• C. That DNS traffic from client workstations is allowed by the explicit web proxy policies.


• D. That DNS service is enabled in the explicit web proxy interfac

Answer: AB

NEW QUESTION 19
View the exhibit, which contains the output of a real-time debug, and then answer the question below.

Which of the following statements is true regarding this output? (Choose two.)

• A. This web request was inspected using the root web filter profile.


• B. FortiGate found the requested URL in its local cache.


• C. The requested URL belongs to category ID 52.


• D. The web request was allowed by FortiGat

Answer: BC

NEW QUESTION 20
Four FortiGate devices configured for OSPF connected to the same broadcast domain. The first unit is elected as the designated router The second unit is elected as the backup designated router Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

• A. 1


• B. 2


• C. 3


• D. 4

Answer: B

NEW QUESTION 21
View the IPS exit log, and then answer the question below.
# diagnose test application ipsmonitor 3 ipsengine exit log”
pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2021 code = 11, reason: manual
What is the status of IPS on this FortiGate?

• A. IPS engine memory consumption has exceeded the model-specific predefined value.


• B. IPS daemon experienced a crash.


• C. There are communication problems between the IPS engine and the management database.


• D. All IPS-related features have been disabled in FortiGate’s configuratio

Answer: B

NEW QUESTION 22
Examine the partial output from two web filter debug commands; then answer the question below:

Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?

• A. Finance and banking


• B. General organization.


• C. Business.


• D. Information technolog

Answer: C

NEW QUESTION 23
The logs in a FSSO collector agent (CA) are showing the following error: failed to connect to registry: PIKA1026 (192.168.12.232)
What can be the reason for this error?

• A. The CA cannot resolve the name of the workstation.


• B. The FortiGate cannot resolve the name of the workstation.


• C. The remote registry service is not running in the workstation 192.168.12.232.


• D. The CA cannot reach the FortiGate with the IP address 192.168.12.232.

Answer: C

NEW QUESTION 24
......