Fortinet NSE7-EFW-7-0 Exam Questions
Questions for the NSE7-EFW-7-0 were updated on : Jul 20 ,2024
Page 1 out of 6. Viewing questions 1-10 out of 60
Question 1
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)
- A. OSPF interface network types match.
- B. OSPF router IDs are unique.
- C. OSPF interface priority settings are unique.
- D. Authentication settings match.
- E. OSPF link costs match.
Answer:
abd
Question 2
An administrator has been assigned the task of creating a set of firewall policies which must be evaluated before any custom policies defined within the policy packages of managed FortiGate devices, across all 25 ADOMSs in FortiManager.
How should the administrator accomplish this task?
- A. Create a footer policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this footer policy to all other ADOMs.
- B. Create a header policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this header policy to all other ADOMs.
- C. Move the FortiGate devices into a single globally scoped ADOM, and merge policy packages, inserting the new firewall policies at the top.
- D. Use a CLI script from the root ADOM on FortiManager to push these new policies to all FortiGate devices, through the FGFM tunnel.
Answer:
b
Question 3
Refer to the exhibit, which shows the output of a BGP debug command.
Which statement explains why the state of the 10.200.3.1 peer is Connect?
- A. The local router has a different AS number than the remote peer.
- B. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the openConfirm yet.
- C. The local router initiated the BGP session to 10.200.3.1 but did not receive a response.
- D. The router 10.200.3.1 has authentication configured for BGP and the local router does not.
Answer:
b
Question 4
Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.
Based on the output, which two statements are correct? (Choose two.)
- A. The npu_flag for this tunnel is 03.
- B. Different SPI values are a result of auto-negotiation being disabled for phase 2 selectors.
- C. Anti-replay is enabled.
- D. The npu_flag for this tunnel is 02.
Answer:
ac
Question 5
What are two functions of automation stitches? (Choose two.)
- A. Automation stitches can be configured on any FortiGate device in a Security Fabric environment.
- B. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.
- C. Automation stitches can be created to run diagnostic commands and attach the results to an email message when CPU or memory usage exceeds specified thresholds.
- D. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.
Answer:
bc
Question 6
Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject altemative names (SAN) in the server certificate?
- A. FortiGate uses the CN information from the Subject field in the server certificate.
- B. FortiGate uses the first entry listed in the SAN field in the server certificate.
- C. FortiGate uses the SNI from the user's web browser.
- D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
Answer:
d
Question 7
Refer to the exhibit, which shows the output of diagnose sys session list.
If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the primary?
- A. Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.
- B. The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.
- C. The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.
- D. The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.
Answer:
a
Question 8
Refer to the exhibit, which contains partial output from an IKE real-time debug.
Which two statements about this debug output are correct? (Choose two.)
- A. The initiator provided remote as its IPsec peer ID.
- B. It shows a phase 2 negotiation.
- C. Perfect Forward Secrecy (PFS) is enabled in the configuration.
- D. The local gateway IP address is 10.0.0.1.
Answer:
ac
Question 9
Refer to the exhibit, which contains partial output from an IKE real-time debug.
Based on the debug output, which phase 1 setting is enabled in the configuration of this VPN?
- A. auto-discovery-receiver
- B. auto-discovery-forwarder
- C. auto-discovery-shortcut
- D. auto-discovery-sender
Answer:
a
Question 10
An administrator wants to capture encrypted phase 2 traffic between two FortiGate devices using the built-in sniffer.
If the administrator knows that there is no NAT device located between both FortiGate devices, which command should the administrator run?
- A. diagnose sniffer packet any ah
- B. diagnose sniffer packet any ip proto 50
- C. diagnose sniffer packet any udp port 4500
- D. diagnose sniffer packet any udp port 500
Answer:
c