NSE7_EFW-6.2 Premium Bundle

Fortinet NSE 7 - Enterprise Firewall 6.2 Certification Exam

Last update: December 4, 2024

Fortinet NSE7_EFW-6.2 Free Practice Questions

Preparation for the Fortinet NSE 7 - Enterprise Firewall 6.2 certification begins with Fortinet NSE7_EFW-6.2 preparation products, which are designed to deliver accurate NSE7_EFW-6.2 questions so that you pass the NSE7_EFW-6.2 test the first time. Try the free NSE7_EFW-6.2 demo right now.

Free NSE7_EFW-6.2 dump questions follow:

NEW QUESTION 1
Which of the following statements are correct regarding application layer test commands? (Choose two.)

  • A. They are used to filter real-time debugs.
  • B. They display real-time application debugs.
  • C. Some of them display statistics and configuration information about a feature or process.
  • D. Some of them can be used to restart an application.

Answer: CD

Explanation:
Application layer test commands don’t display info in real time, but they do show statistics and configuration info about a feature or process. You can also use some of these commands to restart a process or execute a change in its operation.

NEW QUESTION 2
What is the purpose of an internal segmentation firewall (ISFW)?

  • A. It inspects incoming traffic to protect services in the corporate DMZ.
  • B. It is the first line of defense at the network perimeter.
  • C. It splits the network into multiple security segments to minimize the impact of breaches.
  • D. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

Answer: C

Explanation:
An ISFW splits your network into multiple security segments. The segments serve as breach containers for attacks that come from inside.

NEW QUESTION 3
A FortiGate device has the following LDAP configuration:
NSE7_EFW-6.2 dumps exhibit
The LDAP user student cannot authenticate. The exhibit shows the output of the authentication real-time debug while testing the student account:
NSE7_EFW-6.2 dumps exhibit
Based on the above output, what FortiGate LDAP settings must the administrator check? (Choose two.)

  • A. cnid.
  • B. username.
  • C. password.
  • D. dn.

Answer: BC

Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=13141

NEW QUESTION 4
When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?

  • A. FortiGate uses CN information from the Subject field in the server’s certificate.
  • B. FortiGate switches to the full SSL inspection method to decrypt the data.
  • C. FortiGate blocks the request without any further inspection.
  • D. FortiGate uses the requested URL from the user’s web browser.

Answer: A

NEW QUESTION 5
What conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)

  • A. IP addresses are in the same subnet.
  • B. Hello and dead intervals match.
  • C. OSPF IP MTUs match.
  • D. OSPF peer IDs match.
  • E. OSPF costs match.

Answer: ABC

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-advanced-routing-54/Routing_OSPF/OSPF_Bac

NEW QUESTION 6
A corporate network allows Internet access to FSSO users only. The FSSO user student does not have Internet access after successfully logging in to the Windows AD network. The output of the ‘diagnose debug authd fsso list’ command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

  • A. The user student must not be listed in the CA’s ignore user list.
  • B. The user student must belong to one or more of the monitored user groups.
  • C. The student workstation’s IP subnet must be listed in the CA’s trusted list.
  • D. At least one of the student’s user groups must be allowed by a FortiGate firewall policy.

Answer: AD

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38828

NEW QUESTION 7
Which of the following conditions must be met for a static route to be active in the routing table? (Choose three.)

  • A. The next-hop IP address is up.
  • B. There is no other route, to the same destination, with a higher distance.
  • C. The link health monitor (if configured) is up.
  • D. The next-hop IP address belongs to one of the outgoing interface subnets.
  • E. The outgoing interface is up.

Answer: CDE

Explanation:
A configured static route moves from the routing database to the routing table only when all of the following are met:
  • The outgoing interface is up
  • There is no other matching route with a lower distance
  • The link health monitor (if configured) is successful
  • The next-hop IP address belongs to one of the outgoing interface subnets

NEW QUESTION 8
Examine the output from the 'diagnose debug authd fsso list' command; then answer the question below.
# diagnose debug authd fsso list
----FSSO logons----
IP: 192.168.3.1 User: STUDENT Groups: TRAININGAD/USERS Workstation: INTERNAL2.TRAINING.LAB
The IP address 192.168.3.1 is NOT the one used by the workstation INTERNAL2.TRAINING.LAB.
What should the administrator check?

  • A. The IP address recorded in the logon event for the user STUDENT.
  • B. The DNS name resolution for the workstation name INTERNAL2.TRAINING.LAB.
  • C. The source IP address of the traffic arriving to the FortiGate from the workstation INTERNAL2.TRAINING.LAB.
  • D. The reserve DNS lookup for the IP address 192.168.3.1.

Answer: C

NEW QUESTION 9
An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit. The administrator decides to enable the setting link-failed-signal to fix the problem. Which statement is correct regarding this command?

  • A. Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.
  • B. Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
  • C. Sends a link failed signal to all connected devices.
  • D. Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.

Answer: A

NEW QUESTION 10
Two independent FortiGate HA clusters are connected to the same broadcast domain. The administrator has reported that both clusters are using the same HA virtual MAC address. This creates a duplicated MAC address problem in the network. What HA setting must be changed in one of the HA clusters to fix the problem?

  • A. Group ID.
  • B. Group name.
  • C. Session pickup.
  • D. Gratuitous ARPs.

Answer: A

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-high-availability-52/HA_failoverVMAC.htm

NEW QUESTION 11
An administrator cannot connect to the GUI of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:
NSE7_EFW-6.2 dumps exhibit
Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

  • A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.
  • B. Redirection of HTTP to HTTPS administrative access is disabled.
  • C. HTTP administrative access is configured with a port number different than 80.
  • D. The packet is denied because of reverse path forwarding check.

Answer: AC

NEW QUESTION 12
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.
NSE7_EFW-6.2 dumps exhibit
The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

  • A. Change phase 1 encryption to AESCBC and authentication to SHA128.
  • B. Change phase 1 encryption to 3DES and authentication to CBC.
  • C. Change phase 1 encryption to AES128 and authentication to SHA512.
  • D. Change phase 1 encryption to 3DES and authentication to SHA256.

Answer: C

NEW QUESTION 13
View the global IPS configuration, and then answer the question below.
NSE7_EFW-6.2 dumps exhibit
Which of the following statements is true regarding this configuration?

  • A. IPS will scan every byte in every session.
  • B. FortiGate will spawn IPS engine instances based on the system load.
  • C. New packets will be passed through without inspection if the IPS socket buffer runs out of memory.
  • D. IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

Answer: A

NEW QUESTION 14
How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a local FDS?

  • A. FortiManager can download and maintain local copies of FortiGuard databases.
  • B. FortiManager supports only FortiGuard push to managed devices.
  • C. FortiManager will respond to update requests only if they originate from a managed device.
  • D. FortiManager does not support rating requests.

Answer: A

NEW QUESTION 15
Examine the partial output from two web filter debug commands; then answer the question below:
NSE7_EFW-6.2 dumps exhibit
Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?

  • A. Finance and banking
  • B. General organization.
  • C. Business.
  • D. Information technology.

Answer: C

NEW QUESTION 16
Examine the output from the ‘diagnose vpn tunnel list’ command shown in the exhibit; then answer the question below.
NSE7_EFW-6.2 dumps exhibit
Which command can be used to sniff the ESP traffic for the VPN DialUP_0?

  • A. diagnose sniffer packet any ‘port 500’
  • B. diagnose sniffer packet any ‘esp’
  • C. diagnose sniffer packet any ‘host 10.0.10.10’
  • D. diagnose sniffer packet any ‘port 4500’

Answer: D

Explanation:
NAT-T is enabled (natt: mode=silent). Protocol ESP is used. ESP is encapsulated in UDP port 4500 when NAT-T is enabled.

NEW QUESTION 17
A FortiGate's port1 is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled on port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related to this traffic? (Choose two.)

  • A. Both sessions have the local flag on.
  • B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.
  • C. One session has the proxy flag on, the other one does not.
  • D. One of the sessions has the IP address of port2 as the source IP address.

Answer: AD

NEW QUESTION 18
View the exhibit, which contains the output of a diagnose command, and then answer the question below.
NSE7_EFW-6.2 dumps exhibit
What statements are correct regarding the output? (Choose two.)

  • A. This is an expected session created by a session helper.
  • B. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.
  • C. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.
  • D. This is an expected session created by an application control profile.

Answer: AC

NEW QUESTION 19
Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)

  • A. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.
  • B. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.
  • C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.
  • D. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

Answer: BD

Explanation:
CLI scripts can be run in three different ways:
Device Database: By default, a script is executed on the device database. It is recommended that you run the changes on the device database (default setting), as this allows you to check what configuration changes you will send to the managed device. Once scripts are run on the device database, you can install these changes to a managed device using the installation wizard.
Policy Package, ADOM database: If a script contains changes related to ADOM level objects and policies, you can change the default selection to run on Policy Package, ADOM database; the changes can then be installed using the installation wizard.
Remote FortiGate directly (through CLI): A script can be executed directly on the device and you don’t need to install these changes using the installation wizard. As the changes are directly installed on the managed device, no option is provided to verify and check the configuration changes through FortiManager prior to executing it.

NEW QUESTION 20
Which two statements about FortiManager are true when it is deployed as a local FDS? (Choose two.)

  • A. It caches available firmware updates for unmanaged devices.
  • B. It can be configured as an update server, or a rating server, but not both.
  • C. It supports rating requests from both managed and unmanaged devices.
  • D. It provides VM license validation services.

Answer: AD

NEW QUESTION 21
View the exhibit, which contains the output of a BGP debug command, and then answer the question below.
NSE7_EFW-6.2 dumps exhibit
Which of the following statements about the exhibit are true? (Choose two.)

  • A. The local router's BGP state is Established with the 10.125.0.60 peer.
  • B. Since the counters were last reset, the 10.200.3.1 peer has never been down.
  • C. The local router has received a total of three BGP prefixes from all peers.
  • D. The local router has not established a TCP session with 100.64.3.1.

Answer: AD

NEW QUESTION 22
View the exhibit, which contains the output of a real-time debug, and then answer the question below.
NSE7_EFW-6.2 dumps exhibit
Which of the following statements is true regarding this output? (Choose two.)

  • A. This web request was inspected using the root web filter profile.
  • B. FortiGate found the requested URL in its local cache.
  • C. The requested URL belongs to category ID 52.
  • D. The web request was allowed by FortiGate.

Answer: BC

NEW QUESTION 23
Examine the output of the ‘diagnose ips anomaly list’ command shown in the exhibit; then answer the question below.
NSE7_EFW-6.2 dumps exhibit
Which IP addresses are included in the output of this command?

  • A. Those whose traffic matches a DoS policy.
  • B. Those whose traffic matches an IPS sensor.
  • C. Those whose traffic exceeded a threshold of a matching DoS policy.
  • D. Those whose traffic was detected as an anomaly by an IPS sensor.

Answer: A

NEW QUESTION 24
......
