Fortinet NSE7_EFW-7.2 Exam Questions Instant Access

Question 1

Refer to the exhibit.

The exhibit shows a prefix list configuration

What can you conclude from the above prefix-list configuration?

AThe prefix 10.10.0.0/16 will be denied

BThe prefixes 10.10.0/16 and 10.0.0.0/16 will be denied

CThe prefix 10.10.10.0/24 will be permitted

DThe prefix 10.0.0.0/8 will be permitted

Answer : C

Question 2

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

AIt caches available firmware updates for both managed and unmanaged devices

BIt can be configured as an update server a rating server or both

CIt functions as rating server only for web filtering and antispam services

DIt downloads license information for registered and unregistered devices

Answer : B, C

Question 3

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.

Question 4

Which two statements about ADVPN are true? (Choose two.)

AYou must disable add-route in the hub.

BAllFortiGate devices must be in the same autonomous system (AS).

CThe hub adds routes based on IKE negotiations.

DYou must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Answer : A, D

C . The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D . You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet's documentation for setting up ADVPN, where the hub's role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.

Question 5

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

AThe access is blocked based on the Content Filter configuration

BThe access is allowed based on the FortiGuard Category Based Filter configuration

CThe access is blocked based on the URL Filter configuration

DThe access is hocked if the local or the public FortiGuard server does not reply

Answer : C

The access to www.facebook.com is blocked based on the URL Filter configuration.In the exhibit, it shows that the URL ''www.facebook.com'' is specifically set to ''Block'' under the URL Filter section1.Reference:=Fortigate: How to configure Web Filter function on Fortigate,Web filter | FortiGate / FortiOS 7.0.2 | Fortinet Document Library,FortiGate HTTPS web URL filtering ... - Fortinet ... - Fortinet Community

Question 6

An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?

AVerify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports

BConfigure set link -failed signal enable under-config system ha on both Cluster members

CConfigure remote Iink monitoring to detect an issue in the forwarding path

DConfigure set send-garp-on-failover enables under config system ha on both cluster members

Answer : D

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

Question 7

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

In the event of an outage at 10.0.1.240, the FortiGate will choose the next server in the sequence for web filter rating requests, which is 10.0.1.244 according to the configuration shown in the exhibit. This is because the server list is ordered by priority, and the server with the lowest priority number is chosen first. If that server is unavailable, the next server with the next lowest priority number is chosen, and so on. The public FortiGuard servers are only used if the include-default-servers option is enabled and all the custom servers are unavailable.Reference:=Fortinet Enterprise Firewall Study Guide for FortiOS 7.2, page 132.

Fortinet NSE 7 - Enterprise Firewall 7.2 NSE7_EFW-7.2 Exam Questions