Fortinet NSE7_EFW-7.2 Fortinet NSE 7 - Enterprise Firewall 7.2 Exam Practice Test

Page: 1 / 14
Total 50 questions
Question 1

Which two statements about the neighbor-group command are true? (Choose two.)

Answer : B, D

The neighbor-group command in FortiOS allows for the application of common settings to a group of neighbors in OSPF, and can also be used to simplify configuration by applying common settings to both IBGP and EBGP neighbors. This grouping functionality is a part of the FortiOS CLI and is documented in the Fortinet CLI reference.

Question 2

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

Answer : B, C

From the command output shown in the exhibit:

B) The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.

C) Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.

Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.

Question 3

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

Answer : D

The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.

Question 4

Refer to the exhibit, which shows an ADVPN network.

Which VPN phase 1 parameters must you configure on the hub for the ADVPN feature to function? (Choose two.)

Answer : A, C

For the ADVPN feature to function properly on the hub, the following phase 1 parameters must be configured:

A) set auto-discovery-forwarder enable: This enables the hub to forward shortcut information to the spokes, which is essential for them to establish direct tunnels.

C) set auto-discovery-receiver enable: This allows the hub to receive shortcut offers from the spokes.

This information is corroborated by the Fortinet documentation, which explains that in an ADVPN setup, the hub must be able to both forward and receive shortcut information for dynamic tunnel creation between spokes.

Question 5

After enabling IPS you receive feedback about traffic being dropped.

What could be the reason?

Answer : D

Fail-open is a feature that allows traffic to pass through the IPS sensor without inspection when the sensor fails or is overloaded.If fail-open is set to disable, traffic will be dropped in such scenarios1.Reference: =IPS | FortiGate / FortiOS 7.2.3 - Fortinet Documentation

When IPS (Intrusion Prevention System) is configured, if fail-open is set to disable, it means that if the IPS engine fails, traffic will not be allowed to pass through, which can result in traffic being dropped (D). This is in contrast to a fail-open setting, which would allow traffic to bypass the IPS engine if it is not operational.

Question 6
Question 7

Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

Page:    1 / 14   
Total 50 questions