Fortinet NSE 7 - Enterprise Firewall 7.2 v1.0 (NSE7_EFW-7.2)

Refer to the exhibit, which shows a network diagram.

Which protocol should you use to configure the FortiGate cluster?

  • A. FGCP in active-passive mode
  • B. FGCP in active-active mode
  • C. FGSP
  • D. VRRP

Answer : C

After enabling IPS, you receive feedback about traffic being dropped.
What could be the reason?

  • A. IPS is configured to monitor.
  • B. np-accel-node is set to enable.
  • C. fail-open is set to disable.
  • D. traffic-submit is set to disable.

Answer : C

Refer to the exhibit, which shows an ADVPN network.

Which VPN phase 1 parameters must you configure on the hub for the ADVPN feature to function? (Choose two.)

  • A. set auto-discovery-sender enable
  • B. set auto-discovery-receiver enable
  • C. set add-route enable
  • D. set auto-discovery-forwarder enable

Answer : AD

Which two statements about metadata variables are true? (Choose two.)

  • A. The metadata format is $<metadata_variable_name>.
  • B. You create them on FortiGate.
  • C. They can be used as variables in scripts.
  • D. They apply only to non-firewall objects.

Answer : AC

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

  • A. Configure the hub as a route reflector
  • B. Configure auto-discovery-sender on the hub
  • C. Add a prefix list to the hub that permits routes to be shared between the spokes
  • D. Enable route redistribution under config router bgp

Answer : B

Refer to the exhibit, which contains a partial VPN configuration.

What can you conclude from this configuration?

  • A. FortiGate creates separate virtual interfaces for each dial-up client
  • B. The VPN should use the dynamic routing protocol to exchange routing information through the tunnels
  • C. Dead peer detection is disabled
  • D. The routing table shows a single IPSec virtual interface

Answer : A

Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)

  • A. The interfaces of the OSPF routers match the MTU value that is configured as 1500.
  • B. NGFW-1 is the designated router.
  • C. The port3 network has more than one OSPF router.
  • D. The OSPF routers are in the area ID of

Answer : AC

Which two statements about the BFD parameter in BGP are true? (Choose two.)

  • A. It detects only two-way failures.
  • B. The two routers must be connected to the same subnet.
  • C. It allows failure detection in less than one second.
  • D. It is supported for neighbors over multiple hops.

Answer : CD

You created a VPN community using VPN Manager on FortiManager. You also added gateways to the VPN community. Now you are trying to create firewall policies to permit traffic over the tunnel; however, the VPN interfaces do not appear as available options.
What step must you take to resolve this issue?

  • A. Refresh the device status using the Device Manager so that FortiGate populates the IPSec interfaces.
  • B. Install the VPN community and gateway configuration on the FortiGate devices so that the VPN interfaces appear on the Policy Objects on FortiManager.
  • C. Configure the phase 1 settings in the VPN community that you didn’t initially configure. FortiGate automatically generates the interfaces after you configure the required settings.
  • D. Create interface mappings for the IPsec VPN interfaces before you use them in a policy.

Answer : B

Refer to the exhibit, which shows a central management configuration.

Which server will FortiGate choose for web filter rating requests, if is experiencing an outage?

  • A.
  • B.
  • C. Public FortiGuard servers
  • D.

Answer : A

Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?

  • A. Only the DR receives link state information from non-DR routers.
  • B. Non-DR and non-BDR routers form full adjacencies to DR only.
  • C. FortiGate first checks the OSPF ID to elect a DR.
  • D. Non-DR and non-BDR routers send link state updates and acknowledgements to

Answer : B

Refer to the exhibit, which contains a partial policy configuration.

Which setting must you configure to allow SSH?

  • A. Specify SSH in the Service field.
  • B. Select an application control profile corresponding to SSH in the Security Profiles section.
  • C. Include SSH in the Application field.
  • D. Configure port 22 in the Protocol Options field.

Answer : A

Refer to the exhibit, which shows an SSL certificate inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?

  • A. FortiGate uses the first entry listed in the SAN field in the server certificate
  • B. FortiGate uses the CN information from the Subject field in the server certificate
  • C. FortiGate uses the SNI from the user's web browser.
  • D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration

Answer : D

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

  • A. Neighbors maintain communication with the restarting router.
  • B. The restarting router sends gratuitous ARP for 30 seconds.
  • C. FortiGate restarts if the topology changes.
  • D. The router sends grace LSAs before it restarts.

Answer : A

Refer to the exhibit, which contains an ADVPN network diagram and a partial BGP configuration.

Network diagram -

Partial BGP configuration -

Which two parameters should you configure in config neighbor-range? (Choose two.)

  • A. set neighbor-group advpn
  • B. set route-reflector-client enable
  • C. set prefix 10.1.0
  • D. set prefix

Answer : AC

