Fortinet nse7-efw-7-0 practice test
NSE 7 - Enterprise Firewall 7.0
Question 1
Which statement about IKE and IKE NAT-T is true?
- A. IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.
- B. IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.
- C. They both use UDP as their transport protocol and the port number is configurable.
- D. They each use their own IP protocol number.
Answer:
b
Question 2
Refer to the exhibit, which contains a TCL script configuration on FortiManager.
An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any changes to the managed device after being run.
Why did the TCL script fail to make any changes to the managed device?
- A. The TCL script must start with #include <>.
- B. The TCL procedure lacks the required loop statements to iterate through the changes.
- C. There is no corresponding #! to signify the end of the script.
- D. The TCL procedure run_cmd has not been created.
Answer:
a
Question 3
How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)
- A. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
- B. When run on the Device Database, changes are applied directly to the managed FortiGate device.
- C. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
- D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device.
Answer:
ad
Question 4
Refer to the exhibit, which contains the partial output of a diagnose command.
Based on the output, which two statements are correct? (Choose two.)
- A. The remote gateway has quick mode selectors containing a destination subnet of 10.1.2.0/24.
- B. The remote gateway IP is 10.200.5.1.
- C. DPD is disabled.
- D. Anti-replay is enabled.
Answer:
ab
Question 5
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
- A. Set protected network to all
- B. Enable AD-VPN in IPsec phase 1
- C. Configure IP addresses on IPsec virtual interfaces
- D. Disable add-route on hub
Answer:
c
Question 6
Refer to the exhibit, which contains the output of the diagnose vpn tunnel list.
Which command will capture ESP traffic for the VPN named DialUp_0?
- A. diagnose sniffer packet any esp and host 10.200.3.2
- B. diagnose sniffer packet any ip proto 50
- C. diagnose sniffer packet any host 10.0.10.10
- D. diagnose sniffer packet any port 4500
Answer:
a
Question 7
Refer to the exhibit, which shows a partial routing table.
Assuming all the appropriate firewall policies are configured, what two changes would an administrator need to make if they wanted to send traffic from a client directly connected to port3, to a server directly connected to port4? (Choose two.)
- A. Configure route leaking between VRF 12 and VRF 21.
- B. Disable auto-asic-offload as this is not supported between VRF instances.
- C. Configure RIPv2 to exchange route information between the VRF instances.
- D. Configure route leaking between port3 and port4.
- E. Enable SNAT on the relevant firewall policies to prevent RPF check drops.
Answer:
ac
Question 8
Refer to the exhibit, which shows the output of diagnose sys session stat.
Which statement about the output shown in the exhibit is correct?
- A. There are two sessions that have not been removed in case of any out-of-order packets that arrive.
- B. There are 166 TCP sessions waiting to complete the three-way handshake.
- C. 162 sessions have been deleted because of memory page exhaustion.
- D. All the sessions in the session table are TCP sessions.
Answer:
b
Question 9
Refer to the exhibit, which shows the output of a diagnose command.
What can you conclude from the output shown in the exhibit? (Choose two.)
- A. This is a pinhole session created to allow traffic for a protocol that requires additional sessions to operate through FortiGate.
- B. This is an expected session created by the IPS engine.
- C. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.200.1.1.
- D. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.0.1.10.
Answer:
ac
Question 10
Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?
- A. Only the DR receives link state information from non-DR routers.
- B. Non-DR and non-BDR routers form full adjacencies to DR only.
- C. Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6.
- D. FortiGate first checks the OSPF ID to elect a DR.
Answer:
d