Our pass rate is as high as 98.9%, and the similarity between our NSE7_EFW-7.0 study guide and the real exam is 90%, based on our seven years of teaching experience. Do you want to pass the Fortinet NSE7_EFW-7.0 exam in just one try? I am currently studying for the Fortinet NSE7_EFW-7.0 exam. Latest Fortinet NSE7_EFW-7.0 exam practice questions and answers: try the Fortinet NSE7_EFW-7.0 brain dumps first.
Check NSE7_EFW-7.0 free dumps before getting the full version:
NEW QUESTION 1
Which action will FortiGate take when using the default settings for SSL certificate inspection, where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
- A. FortiGate uses the CN information from the Subject field in the server certificate.
- B. FortiGate uses the first entry listed in the SAN field in the server certificate.
- C. FortiGate uses the SNI from the user's web browser.
- D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
Answer: A
Explanation:
config firewall ssl-ssh-profile
    edit <profile_name>
        config https
            set sni-server-cert-check [enable* | strict | disable]
        end
    next
end
enable (the default, marked *): if the SNI does not match the CN or any SAN entry in the returned server certificate, FortiGate uses the CN from the certificate instead of the SNI to obtain the FQDN used for inspection.
strict: if the SNI does not match the CN or SAN fields in the returned server certificate, FortiGate closes the connection.
disable: FortiGate does not check the SNI against the certificate at all.
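As an added illustration (not Fortinet code and not part of the original page), the following Python models the three sni-server-cert-check modes. The hostname-matching rules are an assumption in the style of RFC 6125: comparison is case-insensitive, and a wildcard is honoured only as the entire leftmost label and matches exactly one label. The function names and the sample host names are hypothetical.

```python
# Model of FortiGate's sni-server-cert-check modes (added example, not Fortinet code).
# Assumption: hostname matching follows RFC 6125 style rules: case-insensitive,
# and '*' is honoured only as the entire leftmost label, matching one label.
from typing import Iterable, Optional, Tuple


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) matches the hostname."""
    pattern = cert_name.strip().lower().rstrip(".")
    host = hostname.strip().lower().rstrip(".")
    if not pattern or not host:
        return False
    if pattern == host:
        return True
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard only as the whole leftmost label, never matching across label
    # boundaries, and never for names too short to be safe (such as *.com).
    if p_labels[0] == "*" and len(p_labels) >= 3 and len(p_labels) == len(h_labels):
        return p_labels[1:] == h_labels[1:]
    return False


def sni_matches_cert(sni: str, cn: str, sans: Iterable[str]) -> bool:
    """The SNI is accepted if it matches the CN or any SAN entry."""
    return any(name_matches(name, sni) for name in [cn, *sans])


def resolve_fqdn(sni: str, cn: str, sans: Iterable[str],
                 mode: str = "enable") -> Tuple[Optional[str], str]:
    """Return (fqdn_used_for_inspection, action) for the three documented modes.

    action is "inspect" (session continues, using the returned FQDN) or "close".
    """
    sans = list(sans)
    if mode == "disable":          # SNI is not checked at all
        return sni, "inspect"
    if sni_matches_cert(sni, cn, sans):
        return sni, "inspect"
    if mode == "strict":           # mismatch: close the connection
        return None, "close"
    if mode == "enable":           # default: fall back to the certificate CN
        return cn, "inspect"
    raise ValueError(f"unknown sni-server-cert-check mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample: a client claims one host, the server certificate names another.
    cert_cn, cert_sans = "example.com", ["*.example.com", "example.net"]
    for sni in ("www.example.com", "login.unrelated.test"):
        for mode in ("enable", "strict", "disable"):
            print(f"{sni:22} {mode:8} -> {resolve_fqdn(sni, cert_cn, cert_sans, mode)}")
```

The mismatch case is the one that matters for inspection policy: in the default mode a client can present any SNI and FortiGate still inspects under the certificate's CN, whereas strict mode drops the session, which is the behaviour to pick when domain-based exemptions must not be steerable by the client.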
NEW QUESTION 2
Which statement about IKE and IKE NAT-T is true?
- A. IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.
- B. IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.
- C. They both use UDP as their transport protocol and the port number is configurable.
- D. They each use their own IP protocol number.
Answer: C
Explanation:
IKE without NAT-T runs over UDP port 500; IKE with NAT-T (and the UDP-encapsulated ESP that follows it) runs over UDP port 4500. Both ports are configurable in FortiOS 7.0: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/33578/configurable-ike-port
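As an added example (not part of the original page and not FortiGate code), the following Python shows what actually differs between the two UDP ports: on port 500 the datagram starts directly with the ISAKMP header shared by IKEv1 and IKEv2 (RFC 2408 / RFC 7296), while on port 4500 (RFC 3948) a four-byte zero non-ESP marker precedes IKE, a non-zero first word means UDP-encapsulated ESP, and a single 0xFF byte is a NAT keepalive. The packet bytes are constructed inside the block; the port constants are the FortiOS defaults and the function names are assumptions.

```python
# Added example (not FortiGate code): classify UDP datagrams on the IKE and
# IKE NAT-T ports and decode the ISAKMP header both IKE versions share.
# Framing rules are from RFC 2408/7296 (ISAKMP header) and RFC 3948 (NAT-T).
import struct
from typing import NamedTuple, Tuple, Union

IKE_PORT = 500          # FortiOS default; configurable in 7.0
IKE_NATT_PORT = 4500    # FortiOS default; configurable in 7.0
NON_ESP_MARKER = b"\x00\x00\x00\x00"        # precedes IKE on port 4500 (RFC 3948)
NAT_KEEPALIVE = b"\xff"                     # one-byte NAT keepalive on port 4500
ISAKMP_HEADER = struct.Struct("!QQBBBBII")  # 28 bytes, network byte order

# (major version, exchange type) -> name, per the IANA registries
EXCHANGE_NAMES = {
    (1, 2): "Identity Protection (main mode)",
    (1, 4): "Aggressive",
    (1, 5): "Informational",
    (1, 32): "Quick Mode",
    (2, 34): "IKE_SA_INIT",
    (2, 35): "IKE_AUTH",
    (2, 36): "CREATE_CHILD_SA",
    (2, 37): "INFORMATIONAL",
}


class IkeHeader(NamedTuple):
    initiator_spi: int
    responder_spi: int
    next_payload: int
    major: int
    minor: int
    exchange: str
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(data: bytes) -> IkeHeader:
    """Decode the fixed ISAKMP header; reject truncated or inconsistent datagrams."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    ispi, rspi, next_payload, version, exchange, flags, msg_id, length = ISAKMP_HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):
        raise ValueError(f"unsupported IKE major version {major}")
    if length != len(data):
        raise ValueError(f"ISAKMP length {length} does not match datagram length {len(data)}")
    name = EXCHANGE_NAMES.get((major, exchange), f"unknown({exchange})")
    return IkeHeader(ispi, rspi, next_payload, major, minor, name, flags, msg_id, length)


def classify_udp(dst_port: int, payload: bytes) -> Tuple[str, Union[IkeHeader, int, None]]:
    """Return (kind, detail): kind is ike, ike-natt, esp-in-udp or nat-keepalive.

    detail is the parsed IkeHeader for IKE, the ESP SPI for ESP, otherwise None.
    """
    if dst_port == IKE_PORT:
        return "ike", parse_isakmp_header(payload)
    if dst_port == IKE_NATT_PORT:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive", None
        if payload.startswith(NON_ESP_MARKER):
            return "ike-natt", parse_isakmp_header(payload[len(NON_ESP_MARKER):])
        if len(payload) >= 8:      # ESP header is SPI(4) + sequence(4); the SPI is never zero
            return "esp-in-udp", struct.unpack("!I", payload[:4])[0]
        raise ValueError("port 4500 payload too short for ESP")
    raise ValueError(f"port {dst_port} is not an IKE or NAT-T port")


def build_header(initiator_spi: int, responder_spi: int, major: int, exchange: int,
                 flags: int, message_id: int = 0) -> bytes:
    """Constructed header with no payloads (length 28) for the samples below.
    Next payload is SA: type 33 in IKEv2, type 1 in IKEv1."""
    next_payload = 33 if major == 2 else 1
    return ISAKMP_HEADER.pack(initiator_spi, responder_spi, next_payload,
                              major << 4, exchange, flags, message_id, ISAKMP_HEADER.size)


# Constructed samples: an IKEv2 IKE_SA_INIT from an initiator, and an IKEv1 main-mode start.
SAMPLE_IKEV2_INIT = build_header(0x1122334455667788, 0, 2, 34, 0x08)
SAMPLE_IKEV1_MAIN = build_header(0x0A0B0C0D0E0F1011, 0, 1, 2, 0x00)

if __name__ == "__main__":
    samples = (
        (500, SAMPLE_IKEV2_INIT),
        (4500, NON_ESP_MARKER + SAMPLE_IKEV1_MAIN),
        (4500, NAT_KEEPALIVE),
        (4500, b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"\xaa" * 8),
    )
    for port, pkt in samples:
        print(port, classify_udp(port, pkt))
```

The point for the exam statement is that IKE and IKE NAT-T are the same protocol over two UDP ports, distinguished only by the port and the non-ESP marker; neither has its own IP protocol number, which is why option D is wrong.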
NEW QUESTION 3
Refer to the exhibit, which shows a partial routing table.
Assuming all the appropriate firewall policies are configured, what two changes would an administrator need to make if they wanted to send traffic from a client directly connected to port3, to a server directly connected to port4? (Choose two.)
- A. Configure route leaking between VRF 12 and VRF 21.
- B. Disable auto-asic-offload as this is not supported between VRF instances.
- C. Configure RIPv2 to exchange route information between the VRF instances.
- D. Configure route leaking between port3 and port4.
- E. Enable SNAT on the relevant firewall policies to prevent RPF check drops.
Answer: AE
Explanation:
Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 148, 159
NEW QUESTION 4
View the exhibit, which contains an entry in the session table, and then answer the question below.
Which one of the following statements is true regarding FortiGate’s inspection of this session?
- A. FortiGate applied proxy-based inspection.
- B. FortiGate forwarded this session without any inspection.
- C. FortiGate applied flow-based inspection.
- D. FortiGate applied explicit proxy-based inspection.
Answer: A
Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD30042
NEW QUESTION 5
View the following FortiGate configuration.
All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for Internet traffic from a user on the internal network:
If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user’s session?
- A. The session would remain in the session table, and its traffic would still egress from port1.
- B. The session would remain in the session table, but its traffic would now egress from both port1 and port2.
- C. The session would remain in the session table, and its traffic would start to egress from port2.
- D. The session would be deleted, so the client would need to start a new session.
Answer: A
Explanation:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD40943
NEW QUESTION 6
An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration. The administrator has also enabled the IKE real time debug:
diagnose debug application ike -1
diagnose debug enable
In which order is each step and phase displayed in the debug output each time a new dial-up user is connecting to the VPN?
- A. Phase1; IKE mode configuration; XAuth; phase 2.
- B. Phase1; XAuth; IKE mode configuration; phase2.
- C. Phase1; XAuth; phase 2; IKE mode configuration.
- D. Phase1; IKE mode configuration; phase 2; XAuth.
Answer: B
Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/IPsec_VPN_Concepts/IKE_Packet
NEW QUESTION 7
Refer to the exhibit, which contains the output of diagnose sys session list.
If the HA ID for the primary unit is zero (0), which statement about the output is true?
- A. This session cannot be synced with the slave unit.
- B. The inspection of this session has been offloaded to the slave unit.
- C. The master unit is processing this traffic.
- D. This session is for HA heartbeat traffic.
Answer: C
NEW QUESTION 8
Refer to exhibit, which contains the output of a BGP debug command.
Which statement explains why the state of the 10.200.3.1 peer is Connect?
- A. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfirm yet.
- B. The TCP session to 10.200.3.1 has not completed the three-way handshake.
- C. The local router is receiving the BGP keepalives from the peer, but it has not received a BGP prefix yet.
- D. The local router has received the BGP prefixes from the remote peer.
Answer: B
Explanation:
BGP neighbor states and how they change:
- Idle: initial state
- Connect: waiting for a successful three-way TCP connection
- Active: unable to establish the TCP session
- OpenSent: waiting for an OPEN message from the peer
- OpenConfirm: waiting for the KEEPALIVE message from the peer
- Established: peers have successfully exchanged OPEN and KEEPALIVE messages
NEW QUESTION 9
Refer to the exhibit, which shows a FortiGate configuration.
An administrator is troubleshooting a web filter issue on FortiGate. The administrator has configured a web filter profile and applied it to a policy; however, the web filter is not inspecting any traffic that is passing through the policy.
What must the administrator change to fix the issue?
- A. Increase webfilter-timeout.
- B. Change protocol to TCP.
- C. Enable fortiguard-anycast.
- D. Disable webfilter-force-off.
Answer: D
NEW QUESTION 10
Which statement about protocol options is true?
- A. Protocol options allows administrators a streamlined method to instruct FortiGate to block all sessions corresponding to disabled protocols.
- B. Protocol options allows administrators the ability to configure the Any setting for all enabled protocols which provides the most efficient use of system resources.
- C. Protocol options allow administrators to configure a maximum number of sessions for each configured protocol.
- D. Protocol options allows administrators to configure which Layer 4 port numbers map to upper-layer protocols, such as HTTP, SMTP, FTP, and so on.
Answer: D
NEW QUESTION 11
Refer to the exhibit, which contains the output of a BGP debug command.
Which statement about the exhibit is true?
- A. The local router has received a total of three BGP prefixes from all peers.
- B. The local router has not established a TCP session with 100.64.3.1.
- C. Since the counters were last reset, the 10.200.3.1 peer has never been down.
- D. The local router BGP state is OpenConfirm with the 10.127.0.75 peer.
Answer: B
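As an added example covering both this question and question 8 (not from the original page and not Fortinet code), the following Python parses a neighbor table in the style of the FortiGate "get router info bgp summary" output and explains each peer's state: the State/PfxRcd column holds a prefix count only once the peer is Established, otherwise it holds the FSM state name, and both Connect and Active mean no TCP session exists yet. The sample output is constructed for this example, and the function names are assumptions.

```python
# Added example (not Fortinet code): parse the neighbor table from output in the
# style of FortiGate's "get router info bgp summary" and explain each peer's state.
# The sample text below is constructed for this example.
from typing import List, NamedTuple, Optional

# BGP FSM states with what each one is waiting for.
BGP_STATE_MEANING = {
    "Idle": "initial state; no TCP connection has been attempted yet",
    "Connect": "waiting for the TCP three-way handshake to the peer to complete",
    "Active": "TCP connection attempt failed; BGP is retrying",
    "OpenSent": "TCP is up; OPEN sent, waiting for the peer's OPEN",
    "OpenConfirm": "OPENs exchanged; waiting for the peer's KEEPALIVE",
    "Established": "OPEN and KEEPALIVE exchanged; UPDATEs can flow",
}


class Peer(NamedTuple):
    neighbor: str
    remote_as: int
    uptime: str
    state: str
    prefixes_received: Optional[int]   # only meaningful when Established


SAMPLE_SUMMARY = """\
BGP router identifier 10.200.1.1, local AS number 65100
BGP table version is 5
2 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.127.0.75     4      65200     310     305        5    0    0 02:14:09        2
10.200.3.1      4      65300       0       0        0    0    0 never     Connect
100.64.3.1      4      65400       0       0        0    0    0 never     Active

Total number of neighbors 3
"""


def parse_bgp_summary(text: str) -> List[Peer]:
    """Return one Peer per neighbor row. The last column is a prefix count
    only when the session is Established; otherwise it is the FSM state name."""
    peers: List[Peer] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):
            in_table = True
            continue
        if not in_table:
            continue
        fields = line.split()
        if len(fields) != 10:      # blank line or the "Total number" footer ends the table
            break
        neighbor, _version, remote_as, *_counters, uptime, last = fields
        if last.isdigit():
            peers.append(Peer(neighbor, int(remote_as), uptime, "Established", int(last)))
        elif last in BGP_STATE_MEANING:
            peers.append(Peer(neighbor, int(remote_as), uptime, last, None))
        else:
            raise ValueError(f"unrecognised State/PfxRcd value {last!r} for {neighbor}")
    return peers


def total_prefixes_received(peers: List[Peer]) -> int:
    return sum(p.prefixes_received or 0 for p in peers)


def peers_without_tcp_session(peers: List[Peer]) -> List[Peer]:
    """Idle, Connect and Active all mean no TCP session: Connect is still waiting
    for the handshake, Active means the attempt already failed."""
    return [p for p in peers if p.state in ("Idle", "Connect", "Active")]


def explain(peer: Peer) -> str:
    return f"{peer.neighbor} (AS{peer.remote_as}) {peer.state}: {BGP_STATE_MEANING[peer.state]}"


if __name__ == "__main__":
    table = parse_bgp_summary(SAMPLE_SUMMARY)
    for p in table:
        print(explain(p))
    print("prefixes received from all peers:", total_prefixes_received(table))
```

Reading the table this way answers both exam questions from one command: a state name in the last column means the peer never reached Established, and a Connect or Active peer has not completed the TCP three-way handshake, so checking reachability and any firewall policy for TCP 179 comes before looking at BGP configuration.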
NEW QUESTION 12
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.
What can the administrator do to fix this problem?
- A. Configure remote link monitoring to detect an issue in the forwarding path.
- B. Configure set send-garp-on-failover enable under config system ha on both cluster members.
- C. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.
- D. Configure set link-failed-signal enable under config system ha on both cluster members.
Answer: D
Explanation:
Virtual MAC addresses and failover: the new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC address is now reachable through a different switch port. Some high-end switches do not clear their MAC address table correctly after a failover, so they keep sending traffic to the port of the former primary. The fix is to force the former primary to shut down all of its interfaces (excluding the heartbeat and reserved management interfaces) for one second when the failover happens:
config system ha
    set link-failed-signal enable
end
This simulates a link failure on those ports, which clears the related entries from the switches' MAC address tables.
NEW QUESTION 13
Examine the following routing table and BGP configuration; then answer the question below.
The BGP connection is up, but the local peer is NOT advertising the prefix 192.168.1.0/24. Which configuration change will make the local peer advertise this prefix?
- A. Enable the redistribution of connected routes into BGP.
- B. Enable the redistribution of static routes into BGP.
- C. Disable the setting network-import-check.
- D. Enable the setting ebgp-multipath.
Answer: C
NEW QUESTION 14
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?
- A. Public FortiGuard servers
- B. 10.0.1.243
- C. 10.0.1.242
- D. 10.0.1.244
Answer: D
Explanation:
With 10.0.1.240 down, FortiGate still has the other FortiManager entries in the server-list to use (10.0.1.244 in the exhibit). It falls back to the public FortiGuard servers, which are part of the list because include-default-servers is enabled by default, only if all of the FortiManager devices configured in the server-list are unavailable.
NEW QUESTION 15
Examine the output from the BGP real time debug shown in the exhibit, then answer the question below:
Which statements are true regarding the output in the exhibit? (Choose two.)
- A. BGP peers have successfully interchanged Open and Keepalive messages.
- B. Local BGP peer received a prefix for a default route.
- C. The state of the remote BGP peer is OpenConfirm.
- D. The state of the remote BGP peer will go to Connect after it confirms the received prefixes.
Answer: AB
NEW QUESTION 16
Examine the IPsec configuration shown in the exhibit; then answer the question below.
An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:
diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1
diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel, and DPD packets are being exchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?
- A. The IKE real time debug shows the phase 1 and phase 2 negotiations only. It does not show any more output once the tunnel is up.
- B. The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.
- C. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
- D. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.
Answer: B
NEW QUESTION 17
......
100% Valid and Newest Version NSE7_EFW-7.0 Questions & Answers shared by Dumps-files.com, Get Full Dumps HERE: https://www.dumps-files.com/files/NSE7_EFW-7.0/ (New 163 Q&As)