The Secret Of Fortinet NSE7_EFW-7.0 Answers

NEW QUESTION 1
A FortiGate device has the following LDAP configuration:

The administrator executed the ‘dsquery’ command in the Windows LDAp server 10.0.1.10, and got the following output:
>dsquery user –samid administrator
“CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab” Based on the output, what FortiGate LDAP setting is configured incorrectly?

• A. cnid.
• B. username.
• C. password.
• D. dn.

Answer: B

Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD37516

NEW QUESTION 2
Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

• A. Anti-replay is enabled
• B. The remote gateway IP is 10.200.4.1.
• C. DPD is disabled.
• D. Quick mode selectors are disabled.

Answer: AB

NEW QUESTION 3
How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)

• A. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
• B. When run on the Device Database, changes are applied directly to the managed FortiGate device.
• C. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
• D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device

Answer: CD

Explanation:
CLI scripts can be run in three different ways:Device Database: By default, a script is executed on the
device database. It is recommend you run the changes on the device database (default setting), as this allows you to check what configuration changes you will send to the managed device. Once scripts are run on the device database, you can install these changes to a managed device using the installation wizard.
Policy Package, ADOM database: If a script contains changes related to ADOM level objects and policies, you can change the default selection to run on Policy Package, ADOM database and can then be installed using the installation wizard.
Remote FortiGate directly (through CLI): A script can be executed directly on the device and you don’t need to install these changes using the installation wizard. As the changes are directly installed on the managed device, no option is provided to verify and check the configuration changes through FortiManager prior to executing it.

NEW QUESTION 4
Exhibits:


Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
An administrator is trying to configure ADVPN with a hub-spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned by one
spoke are forwarded to the other spokes?

• A. Configure an individual neighbor and remove neighbor-range configuration.
• B. Configure the hub as a route reflector client.
• C. Change the router id to 10.1.0.254.
• D. Make the configuration of remote-as different from the configuration of local-as.

Answer: B

Explanation:
Source:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-BGP-route-reflector/ta-p/191503 Source 2: RFC 4456

NEW QUESTION 5
A FortiGate's portl is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related with this traffic? (Choose two.)

• A. Both session have the local flag on.
• B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.
• C. One session has the proxy flag on, the other one does not.
• D. One of the sessions has the IP address of port2 as the source IP address.

Answer: AD

NEW QUESTION 6
Which statement about NGFW policy-based application filtering is true?

• A. After the application has been identified, the kernel uses only the Layer 4 header to match the traffic.
• B. The IPS security profile is the only security option you can apply to the security policy with the action set to ACCEPT.
• C. After IPS identifies the application, it adds an entry to a dynamic ISDB table.
• D. FortiGate will drop all packets until the application can be identified.

Answer: D

NEW QUESTION 7
View the exhibit, which contains a session entry, and then answer the question below.

Which statement is correct regarding this session?

• A. It is an ICMP session from 10.1.10.10 to 10.200.1.1.
• B. It is an ICMP session from 10.1.10.10 to 10.200.5.1.
• C. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
• D. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

Answer: B

NEW QUESTION 8
Which statement about memory conserve mode is true?

• A. A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.
• B. A FortiGate starts dropping all the new and old sessions when the configured memory use threshold reaches extreme.
• C. A FortiGate starts dropping new sessions when the configured memory use threshold reaches red
• D. A FortiGate enters conserve mode when the configured memory use threshold reaches red

Answer: D

NEW QUESTION 9
Refer to the exhibit, which shows the output of a diagnose command.

What can you conclude from the output shown in the exhibit? (Choose two.)

• A. This is a pinhole session created to allow traffic for a protocol that requires additional sessions to operate through FortiGate.
• B. This is an expected session created by the IPS engine.
• C. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.200.1.1.
• D. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to thenext-hop IP address 10.0.1.10.

Answer: AD

Explanation:
Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 110, 111, 115

NEW QUESTION 10
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Which statements about this debug output are correct? (Choose two.)

• A. The remote gateway IP address is 10.0.0.1.
• B. It shows a phase 1 negotiation.
• C. The negotiation is using AES128 encryption with CBC hash.
• D. The initiator has provided remote as its IPsec peer ID.

Answer: BD

NEW QUESTION 11
Which two statements about application-layer test commands are true? (Choose two.)

• A. Some of them display real-time application debugs.
• B. Some of them can be used to restart an application.
• C. Some of them display statistics and configuration information about a feature or process.
• D. Some of them only display output, after you run the diagnose debug console enable command.

Answer: BC

NEW QUESTION 12
An administrator has configured a FortiGate device with two VDOMs: root and internal. The administrator has also created and inter-VDOM link that connects both VDOMs. The objective is to have each VDOM advertise some routes to the other VDOM via OSPF through the inter-VDOM link. What OSPF configuration settings must match in both VDOMs to have the OSPF adjacency successfully forming? (Choose three.)

• A. Router ID.
• B. OSPF interface area.
• C. OSPF interface cost.
• D. OSPF interface MTU.
• E. Interface subnet mask.

Answer: BDE

NEW QUESTION 13
View the global IPS configuration, and then answer the question below.

Which of the following statements is true regarding this configuration?

• A. IPS will scan every byte in every session.
• B. FortiGate will spawn IPS engine instances based on the system load.
• C. New packets will be passed through without inspection if the IPS socket buffer runs out of memory.
• D. IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

Answer: A

NEW QUESTION 14
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

• A. Change phase 1 encryption to 3DES and authentication to SHA128.
• B. Change phase 1 encryption to AES128 and authentication to SHA512.
• C. Change phase 1 encryption to AESCBC and authentication to SHA2.
• D. Change phase 1 encryption to AES256 and authentication to SHA256.

Answer: D

NEW QUESTION 15
Which two statements about OCVPN are true? (Choose two.)

• A. Only root vdom supports OCVPN.
• B. OCVPN supports static and dynamic IPs in WAN interface.
• C. OCVPN offers only Hub-Spoke VPNs.
• D. FortiGate devices under different FortiCare accounts can be used to form OCVPN.

Answer: AB

NEW QUESTION 16
Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

• A. Anti-replay is enabled.
• B. DPD is disabled.
• C. Remote gateway IP is 10.200.4.1.
• D. Quick mode selectors are disabled.

Answer: AC

NEW QUESTION 17
......