New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Certensure Logo
  1. Home
  2. Fortinet
  3. NSE 7 Network Security Architect
  4. NSE7_EFW-6.4 - Fortinet NSE 7 - Enterprise Firewall 7.0

Fortinet NSE7_EFW-6.4 Fortinet NSE 7 - Enterprise Firewall 7.0 Exam Practice Test

Demo: 18 questions
Total 1 questions
Get NSE7_EFW-6.4 Full Access Download NSE7_EFW-6.4 PDF

Fortinet NSE 7 - Enterprise Firewall 7.0 Questions and Answers

Question 1

Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)

Options:

A.

When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.

B.

When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.

C.

When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.

D.

When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

Question 2

A FortiGate device has the following LDAP configuration:

The LDAP user student cannot authenticate. The exhibit shows the output of the authentication real time debug while testing the student account:

Based on the above output, what FortiGate LDAP settings must the administer check? (Choose two.)

Options:

A.

cnid.

B.

username.

C.

password.

D.

dn.

Question 3

Which real time debug should an administrator enable to troubleshoot RADIUS authentication problems?

Options:

A.

Diagnose debug application radius -1.

B.

Diagnose debug application fnbamd -1.

C.

Diagnose authd console –log enable.

D.

Diagnose radius console –log enable.

Question 4

View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

However, the IKE real time debug does not show any output. Why?

Options:

A.

The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.

B.

The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.

C.

The debug shows only error messages. If there is no output, then the tunnel is operating normally.

D.

The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

Question 5

Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?

Options:

A.

FortiGate limits the number of simultaneous sessions per explicit web proxy user. This limit CANNOT be modified by the administrator.

B.

FortiGate limits the total number of simultaneous explicit web proxy users.

C.

FortiGate limits the number of simultaneous sessions per explicit web proxy user The limit CAN be modified by the administrator

D.

FortiGate limits the number of workstations that authenticate using the same web proxy user credentials. This limit CANNOT be modified by the administrator.

Question 6

What is the purpose of an internal segmentation firewall (ISFW)?

Options:

A.

It inspects incoming traffic to protect services in the corporate DMZ.

B.

It is the first line of defense at the network perimeter.

C.

It splits the network into multiple security segments to minimize the impact of breaches.

D.

It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

Question 7

A FortiGate is rebooting unexpectedly without any apparent reason. What troubleshooting tools could an administrator use to get more information about the problem? (Choose two.)

Options:

A.

Firewall monitor.

B.

Policy monitor.

C.

Logs.

D.

Crashlogs.

Question 8

Refer to the exhibit, which contains a TCL script configuration on FortiManager.

An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any changes to the managed device after being run.

Why did the TCL script fail to make any changes to the managed device?

Options:

A.

The TCL command run_cmd has not been created.

B.

The TCL script must start with tinclude <>.

C.

Incomplete commands are ignored in TCL scripts.

D.

Changes to an interface configuration can be made only by a CLI script.

Question 9

Refer to the exhibit, which contains the output of diagnose sys session list.

If the HA ID for the primary unit is zero (0), which statement about the output is true?

Options:

A.

This session cannot be synced with the slave unit.

B.

The inspection of this session has been offloaded to the slave unit.

C.

The master unit is processing this traffic.

D.

This session is for HA heartbeat traffic.

Question 10

Examine the output from the ‘diagnose vpn tunnel list’ command shown in the exhibit; then answer the question below.

Which command can be used to sniffer the ESP traffic for the VPN DialUP_0?

Options:

A.

diagnose sniffer packet any ‘port 500’

B.

diagnose sniffer packet any ‘esp’

C.

diagnose sniffer packet any ‘host 10.0.10.10’

D.

diagnose sniffer packet any ‘port 4500’

Question 11

When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?

Options:

A.

FortiGate uses CN information from the Subject field in the server’s certificate.

B.

FortiGate switches to the full SSL inspection method to decrypt the data.

C.

FortiGate blocks the request without any further inspection.

D.

FortiGate uses the requested URL from the user’s web browser.

Question 12

View the exhibit, which contains the output of a diagnose command, and then answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

Options:

A.

FortiGate will probe 121.111.236.179 every fifteen minutes for a response.

B.

Servers with the D flag are considered to be down.

C.

Servers with a negative TZ value are experiencing a service outage.

D.

FortiGate used 209.222.147.3 as the initial server to validate its contract.

Question 13

Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

Options:

A.

Preview pending configuration changes for managed devices.

B.

Add devices to FortiManager.

C.

Import policy packages from managed devices.

D.

Install configuration changes to managed devices.

E.

Import interface mappings from managed devices.

Question 14

View the global IPS configuration, and then answer the question below.

Which of the following statements is true regarding this configuration?

Options:

A.

IPS will scan every byte in every session.

B.

FortiGate will spawn IPS engine instances based on the system load.

C.

New packets will be passed through without inspection if the IPS socket buffer runs out of memory.

D.

IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

Question 15

View the exhibit, which contains the output of a BGP debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

Options:

A.

The local router's BGP state is Established with the 10.125.0.60 peer.

B.

Since the counters were last reset; the 10.200.3.1 peer has never been down.

C.

The local router has received a total of three BGP prefixes from all peers.

D.

The local router has not established a TCP session with 100.64.3.1.

Question 16

View the exhibit, which contains a session entry, and then answer the question below.

Which statement is correct regarding this session?

Options:

A.

It is an ICMP session from 10.1.10.10 to 10.200.1.1.

B.

It is an ICMP session from 10.1.10.10 to 10.200.5.1.

C.

It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.

D.

It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.

Question 17

Refer to the exhibit, which shows a partial routing table.

Assuming all the appropriate firewall policies are configured, which two pings will FortiGate route? (Choose two.)

Options:

A.

Source IP address: 10.1.0.10. Destination IP address: 10.64.1.52

B.

Source IPaddress: 10.72.3.52. Destination IP address: 10.1.0.254

C.

Source IPaddress: 10.10.4.24, Destination IPaddress: 10.72.3.20

D.

Source IPaddress: 10.73.9.10, Destination IPaddress: 10.72.3.15

Question 18

Refer to the exhibits.

Which contain the partial configurations of two VPNs on FortiGate.

An administrator has configured two VPNs for two different user groups. Users who are in the Users-2 group are not able to connect to the VPN. After running a diagnostics command, the administrator discovered that FortiGate is not matching the user-2 VPN for members of the Users-2 group.

Which two changes must administrator make to fix the issue? (Choose two.)

Options:

A.

Use different pre-shared keys on both VPNs

B.

Enable Mode Config on both VPNs.

C.

Set up specific peer IDs on both VPNs.

D.

Change to aggressive mode on both VPNs.

Load More NSE7_EFW-6.4 Questions
Demo: 18 questions
Total 1 questions
Get NSE7_EFW-6.4 Full Access Download NSE7_EFW-6.4 PDF