Fortinet NSE7_EFW-7.2 Exam Practice Test Instant Access

Question 1

Exhibit.

ISFW is installed in the access layer NGFW is performing SNAT and web tittering DCFW is running IPS Which two statements are true regarding the Security Fabric logging? (Choose two.)

ADCFW is responsible for generating UTM logs for file server sessions initiated by Client-1. only if an IPS inspection is triggered

BISFW is responsible for generating traffic logs for only Web traffic and SMB traffic from Client-1.

CThe SMB session which is forwarded to NGFW logs that event

DDCFW generates traffic logs for all sessions from Corporate File Server

EThe web session forwarded to the NGFW generates the relevant UTM logs along with initial traffic log

Answer : A, B

Question 2

Exhibit.

Refer to the exhibit, which shows a partial touting table

What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

AIPSec Tunnel aggregation is configured

Bnet-device is enabled in the tunnel IPSec phase 1 configuration

COSPI is configured to run over IPSec.

Dadd-route is disabled in the tunnel IPSec phase 1 configuration.

Answer : B, D

Option B is correct because the routing table shows that the tunnel interfaces have a netmask of 255.255.255.255, which indicates that net-device is enabled in the phase 1 configuration.This option allows the FortiGate to use the tunnel interface as a next-hop for routing, without adding a route to the phase 2 destination1.

Option D is correct because the routing table does not show any routes to the phase 2 destination networks, which indicates that add-route is disabled in the phase 1 configuration.This option controls whether the FortiGate adds a static route to the phase 2 destination network using the tunnel interface as the gateway2.

Option A is incorrect because IPSec tunnel aggregation is a feature that allows multiple phase 2 selectors to share a single phase 1 tunnel, reducing the number of tunnels and improving performance3. This feature is not related to the routing table or the phase 1 configuration.

Option C is incorrect because OSPF is a dynamic routing protocol that can run over IPSec tunnels, but it requires additional configuration on the FortiGate and the peer device4. This option is not related to the routing table or the phase 1 configuration.Reference: =

1: Technical Tip: 'set net-device' new route-based IPsec logic2

2: Adding a static route5

3: IPSec VPN concepts6

4: Dynamic routing over IPsec VPN7

Question 3

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

ANeighbors maintain communication with the restarting router.

BThe router sends grace LSAs before it restarts.

CFortiGate restarts if the topology changes.

DThe restarting router sends gratuitous ARP for 30 seconds.

Answer : C

From the partial OSPF (Open Shortest Path First) configuration output:

B . The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.

Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.

Question 4

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

AFortiManager provides FortiGuard.

Bfortiguard-anycast is set to enable.

CYou do not have the corresponding write access.

Dudp is not a protocol option.

Answer : B

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.

Question 5

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from the output?

Aset strict-d^rty-session-check enable command instructs the FortiGate to offload all dirty session traffic to its SPU

Bset check-protocol-header loose command enables hardware acceleration on this FortiGate device.

Cset av-failopen pass command instructs the FortiGate to offload all traffic that uses the antivirus proxy to NP.

Dset memory-use-threshoId-extreme command instructs the FortiGate to disable hardware acceleration if the memory extreme threshold reaches 95%

Answer : B

Question 6

Which two statements about metadata variables are true? (Choose two.)

AYou create them on FortiGate

BThey apply only to non-firewall objects.

CThe metadata format is $<metadata_variabie_name>.

DThey can be used as variables in scripts

Answer : C, D

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference

Question 7

What is true about the Fitter override option in the application control profile?

AHelps to configure actions for predefined categories

BHelps to categorize applications based on behavior risk or on technology

CHelps to view the application control signatures for a specific category

DHelps to control specific signature and applications

Answer : B

Fortinet NSE 7 - Enterprise Firewall 7.2 NSE7_EFW-7.2 Exam Practice Test