Fortinet NSE 7 - Enterprise Firewall 6.2 v1.0 (NSE7-EFW-6.2)

Page:    1 / 4   
Total 53 questions

Which two statements about FortiManager are true when it is deployed as a local FDS? (Choose two.)

  • A. It caches available firmware updates for unmanaged devices.
  • B. It provides VM license validation services.
  • C. It can be configured as an update server, or a rating server, but not both.
  • D. It supports rating requests from both managed and unmanaged devices.


Answer : AB


Refer to the exhibit, which contains a CLI script configuration on FortiManager.
An administrator has configured the CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.
Why did the script not make any changes to the managed device?

  • A. There is an existing route with a lower priority value.
  • B. CLI scripts will add objects only if they are referenced by policies.
  • C. Commands that start with the #sign are not executed.
  • D. Static routes can only be added using TCL scripts.


Answer : C


Refer to the exhibit, which contains the output of a BGP debug command.
Which statement explains why the state of the 10.200.3.1 peer is Connect?

  • A. The local router has received the BGP prefixes from the remote peer.
  • B. The local router is receiving the BGP keepalives from the peer, but it has not received a BGP prefix yet.
  • C. The TCP session to 10.200.3.1 has not completed the 3-way handshake.
  • D. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfirm yet.


Answer : C


Refer to the exhibit, which contains a session entry.
Which statement about this session is true?

  • A. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.
  • B. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
  • C. It is an ICMP session from 10.1.10.10 to 10.200.5.1.
  • D. It is an ICMP session from 10.1.10.10 to 10.200.1.1.


Answer : C


Refer to the exhibit, which contains the output of get system ha status.
Which two statements about the output are true? (Choose two.)

  • A. The slave configuration is synchronized with the master.
  • B. port7 is used as the HA heartbeat on all devices in the cluster.
  • C. Master is selected based on the priority configured under config system ha.
  • D. The HA management IP is 169.254.0.2.


Answer : BC


Refer to the exhibit, which contains a screenshot of some phase-1 settings.
The VPN is not up. To diagnose, the administrator enters the following CLI commands:

However, the IKE real-time debug does not show any output. Why?

  • A. The log-filter setting was set incorrectly. The VPN traffic does not match this filter.
  • B. The administrator must enable the following real-time debug: diagnose debug application ipsec ""1.
  • C. The debug output only shows pre-shared key, encryption, and authentication mismatch(es).
  • D. The debug shows only error messages. If there is no output, then phase-1 and phase-2 configurations are matching.


Answer : A

Which statement about memory conserve mode is true?

  • A. A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.
  • B. A FortiGate starts dropping all the new and old sessions when the configured memory use threshold reaches extreme.
  • C. A FortiGate enters conserve mode when the configured memory use threshold reaches red.
  • D. A FortiGate starts dropping new sessions when the configured memory use thresholds reaches red.


Answer : D


Refer to the exhibit, which contains output of diagnose vpn tunnel list.
Which command will capture ESP traffic for the VPN named DialUp_0?

  • A. diagnose sniffer packet any "˜port 500"™
  • B. diagnose sniffer packet any "˜host 10.0.10.10"™
  • C. diagnose sniffer packet any "˜ESP"™
  • D. diagnose sniffer packet any "˜port 4500"™


Answer : D


Refer to the exhibit, which contains a partial web filter profile configuration.
Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

  • A. FortiGate will exempt the connection based on the Web Content Filter configuration.
  • B. FortiGate will block the connection as an invalid URL.
  • C. FortiGate will block the connection based on the URL Filter configuration.
  • D. FortiGate will allow the connection based on the FortiGuard category based filter configuration.


Answer : C

Refer to the exhibit, which contains the output of a diagnose command.


Which statement regarding the Weight value is true?

  • A. It determines which FortiGuard server is used for license validation.
  • B. Its initial value is statically set to 10.
  • C. Its value is incremented with each packet lost.
  • D. Its initial value is calculated based on the round trip delay (RTT).


Answer : C


Refer to the exhibit, which contains the partial output of an IKE real-time debug.
The administrator does not have access to the remote gateway.
Based on the debug output, which configuration change can the administrator make to the local gateway to resolve the phase 1 negotiation error?

  • A. Change phase 1 encryption to 3DES and authentication to SHA256.
  • B. Change phase 1 encryption to 3DES and authentication to CBC.
  • C. Change phase 1 encryption to AESCBC and authentication to SHA128.
  • D. Change phase 1 encryption to AES128 and authentication to SHA512.


Answer : B

In which two states is a given session categorized as ephemeral? (Choose two.)

  • A. A TCP session waiting for FIN ACK.
  • B. A TCP session waiting to complete the three-way handshake.
  • C. A UDP session with packets sent and received.
  • D. A UDP session with only one packet received.


Answer : AC

Refer to the exhibit, which contains a partial output of an IKE real-time debug.


Based on the debug output, which phase-1 setting is enabled in the configuration of this VPN?

  • A. auto-discovery-receiver
  • B. auto-discovery-forwarder
  • C. auto-discovery-sender
  • D. auto-discovery-shortcut


Answer : B

Which statement describes IPS adaptive scanning?

  • A. Downloads signatures on demand from FDS based on scanning requirements.
  • B. Determines when it is secure enough to stop scanning session traffic.
  • C. Determines the optimal number of IPS engines required based on system load.
  • D. Choose a matching algorithm based on the type of inspection being performed.


Answer : B


Refer to the exhibit, which contains the output of a debug command.
Which two statements about the exhibit are true? (Choose two.)

  • A. The OSPF routers with the IDS 0.0.0.69 and 0.0.0.117 are both designated routers for the wan1 network.
  • B. The interface ToRemote is a point-to-point OSPF network.
  • C. The local ForitGate is the backup designated router for the wan1 network.
  • D. The OSPF router with the ID 0.0.0.2 is the designated router for the ToRemote network.


Answer : BC

Page:    1 / 4   
Total 53 questions