Fortinet NSE7_EFW-7.2 Exam Practice Test Instant Access

Question 1

Exhibit.

Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices.

Which two conclusions can you draw from this con figuration? (Choose two)

A10.1.5.254 is the default gateway of the internal network

BOn failover new primary device uses the same MAC address as the old primary

CThe VRRP domain uses the physical MAC address of the primary FortiGate

DBy default FortiGate B is the primary virtual router

Answer : A, B

The Virtual Router Redundancy Protocol (VRRP) configuration in the exhibit indicates that 10.1.5.254 is set as the virtual IP (VRIP), commonly serving as the default gateway for the internal network (A). With vrrp-virtual-mac enabled, both FortiGates would use the same virtual MAC address, ensuring a seamless transition during failover (B). The VRRP domain does not use the physical MAC address (C), and the priority settings indicate that FortiGate-A would be the primary router by default due to its higher priority (D).

Question 2

Exhibit.

Refer to exhibit, which shows a central management configuration

Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?

APublic FortiGuard servers

B10.0.1.242

C10.0.1.244

D10.0.1.243

Answer : C

In the event of an outage at 10.0.1.240, the FortiGate will choose the next server in the sequence for web filter rating requests, which is 10.0.1.244 according to the configuration shown in the exhibit. This is because the server list is ordered by priority, and the server with the lowest priority number is chosen first. If that server is unavailable, the next server with the next lowest priority number is chosen, and so on. The public FortiGuard servers are only used if the include-default-servers option is enabled and all the custom servers are unavailable.Reference:=Fortinet Enterprise Firewall Study Guide for FortiOS 7.2, page 132.

Question 3

Which statement about network processor (NP) offloading is true?

AFor TCP traffic FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to NP

BThe NP provides IPS signature matching

CYou can disable the NP for each firewall policy using the command np-acceleration st to loose.

DThe NP checks the session key or IPSec SA

Answer : B

Network processors (NPs) are specialized hardware within FortiGate devices that accelerate certain security functions. One of the primary functions of NPs is to provide IPS signature matching (B), allowing for high-speed inspection of traffic against a database of known threat signatures.

Question 4

Which two statements about IKE vision 2 are true? (Choose two.)

APhase 1 includes main mode

BIt supports the extensible authentication protocol (EAP)

CIt supports the XAuth protocol.

DIt exchanges a minimum of four messages to establish a secure tunnel

Answer : B, D

IKE version 2 supports the extensible authentication protocol (EAP), which allows for more flexible and secure authentication methods1.IKE version 2 also exchanges a minimum of four messages to establish a secure tunnel, which is more efficient than IKE version 12.Reference: =IKE settings | FortiClient 7.2.2 - Fortinet Documentation,Technical Tip: How to configure IKE version 1 or 2 ... - Fortinet Community

Question 5

Exhibit.

Refer to the exhibit, which contains an active-active toad balancing scenario.

During the traffic flow the primary FortiGate forwards the SYN packet to the secondary FortiGate.

What is the destination MAC address or addresses when packets are forwarded from the primary FortiGate to the secondary FortiGate?

ASecondary physical MAC port1

BSecondary virtual MAC port1

CSecondary virtual MAC port1 then physical MAC port1

DSecondary physical MAC port2 then virtual MAC port2

Answer : A

In an active-active load balancing scenario, when the primary FortiGate forwards the SYN packet to the secondary FortiGate, the destination MAC address would be the secondary's physical MAC on port1, as the packet is being sent over the network and the physical MAC is used for layer 2 transmissions.

Question 6

Which configuration can be used to reduce the number of BGP sessions in on IBGP network?

ARoute-reflector-peer enable

BRoute-reflector-client enable

CRoute-reflector enable

DRoute-reflector-server enable

Answer : B

To reduce the number of BGP sessions in an IBGP network, you can use a route reflector, which acts as a focal point for IBGP sessions and readvertises the prefixes to all other peers. To configure a route reflector, you need to enable the route-reflector-client option on the neighbor-group settings of the hub device. This will make the hub device act as a route reflector server and the other devices as route reflector clients.Reference:=Route exchange | FortiGate / FortiOS 7.2.0 - Fortinet Documentation

Question 7

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

AOnly the root FortiGate.

BEach FortiGate in the Security fabric.