Fortinet NSE7_NST-7.2 Exam Practice Test Instant Access

Question 1

Exhibit.

Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command. Based on the output, which two statements are correct? (Choose two.)

AAnti-replay is enabled.

BThe npu_flag for this tunnel is 03.

CThe npu_flag for this tunnel is 02

DDifferent SPI values are a result of auto-negotiation being disabled for phase 2 selectors.

Answer : A, C

Anti-replay Enabled:

The exhibit shows replay: enabled, which confirms that anti-replay is enabled for this IPsec tunnel. Anti-replay is a security feature that prevents replay attacks by ensuring that packets are not duplicated or reused.

NPU Acceleration:

The NPU acceleration: encryption (outbound) decryption (inbound) line indicates that Network Processing Unit (NPU) acceleration is used.

The npu_flag for this tunnel is 02. This indicates that encryption and decryption are handled by the NPU, improving the performance of the VPN tunnel.

Fortinet Community: Troubleshooting IPsec VPN Tunnels (Welcome to the Fortinet Community!) (Welcome to the Fortinet Community!).

Fortinet Documentation: Verifying IPsec VPN Tunnels (Fortinet Docs) (Fortinet Docs).

Question 2

Exhibit.

Refer to the exhibit, which shows the output of diagnose sys session list.

If the HA ID for the primary device is 0. what happens if the primary fails and the secondary becomes the primary?

AThe session will be removed from the session table of the secondary device because of the presence of allowed error packets, which will force the client to restart the session with the server.

BThe session state is preserved but the kernel will need to re-evaluate the session because NAT was applied.

CTraffic for this session continues to be permitted on the new primary device after failover. without requiring the client to restart the session with the server.

DThe secondary device has this session synchronized; however, because application control is applied, the session is marked dirty and has to be re-evaluated after failover.

Answer : C

Session Synchronization:

FortiGate HA (High Availability) ensures that active sessions are synchronized between the primary and secondary devices. This synchronization allows for seamless failover and continuity of sessions.

Handling NAT Sessions:

The session in the exhibit has NAT applied, as indicated by the hook=post dir=org act=snat entry. FortiGate's HA setup is designed to handle such sessions, ensuring that traffic continues without interruption during failover.

Session Preservation:

Even with the presence of NAT, the session state is preserved across the HA devices. This means that ongoing sessions do not require re-establishment by the client, thus providing a seamless experience.

Fortinet Documentation: HA session synchronization and failover

Fortinet Community: Understanding session synchronization in FortiGate HA

Question 3

Refer to the exhibit.

Refer to the exhibit, which shows a partial output of the fssod daemon real-time debug command

What two conclusions can you draw from the output? (Choose two.)

AFSSO is using agentless polling mode to detect logon events.

BThe workstation with IP 10.124.2.90 will be polled frequently using TCP port 445 to see if the user is still logged on

CThe logon event can be seen on the collector agent installed on Windows.

DFSSO is using DC agent mode to detect logon events.

Answer : C, D

Logon Event on Collector Agent: The debug output indicates that the logon event is recorded, showing that the collector agent on Windows is logging user activities and transmitting this data to the FortiGate.

DC Agent Mode: The presence of detailed logon events and their corresponding metadata, such as the domain and workstation information, suggests that the FortiGate is using DC agent mode. This mode involves an agent installed on the Domain Controller (DC) to capture and forward logon events.

Fortinet Community: How FSSO Works and Troubleshooting Steps (Welcome to the Fortinet Community!) (Fortinet GURU).

Question 4

Refer to the exhibit. which contains the output of diagnose vpn tunnel list.

Which command will capture ESP traffic for the VPN named DialUp_0?

Adiagnose sniffer packet any 'host 10.0.10.10'

Bdiagnose sniffer packet any 'ip proto 50'

Cdiagnose sniffer packet any 'esp and host 10*200.3.2'

Ddiagnose sniffer packet any 'port 4500'

Answer : C

Capturing ESP Traffic:

ESP (Encapsulating Security Payload) traffic is associated with IPsec and is identified by the protocol number 50. To capture ESP traffic, you need to filter packets based on this protocol.

In this specific case, you also need to filter for the host associated with the VPN tunnel, which is 10.200.3.2 as indicated in the exhibit.

Sniffer Command:

The correct command to capture ESP traffic for the VPN named DialUp_0 is:

diagnose sniffer packet any 'esp and host 10.200.3.2'

This command ensures that only ESP packets to and from the specified host are captured, providing a focused and relevant data set for troubleshooting.

Fortinet Documentation: Verifying IPsec VPN Tunnels (Fortinet Docs) (Welcome to the Fortinet Community!).

Fortinet Community: Troubleshooting IPsec VPN Tunnels (Welcome to the Fortinet Community!) (Fortinet Docs).

Question 5

Refer to the exhibit, which shows oneway communication of the downstream FortiGate with the upstream FortiGate within a Security Fabric.

What three actions must you take to ensure successful communication? (Choose three.)

AEnsure the port for Neighbor Discovery has been changed.

BFortiGate must not be in NAT mode.

CEnsure TCP port 8013 is not blocked along the way

DYou must authorize the downstream FortiGate on the root FortiGate.

EYou must enable Security Fabric/Fortitelemetry on the receiving interface of the upstream FortiGate.

Answer : C, D, E

The exhibit shows a sniffer capture where TCP port 8013 is being used for communication. The communication appears one-way, indicating potential issues with the upstream FortiGate receiving the necessary packets or being able to respond.

To ensure successful communication in a Security Fabric setup:

Ensure TCP port 8013 is not blocked along the way: Verify that no firewalls or network devices between the downstream and upstream FortiGates are blocking TCP port 8013. This port is crucial for Security Fabric communication.

Authorize the downstream FortiGate on the root FortiGate: In the Security Fabric, the root FortiGate must recognize and authorize the downstream FortiGate to allow proper communication and management.

Enable Security Fabric/Fortitelemetry on the receiving interface of the upstream FortiGate: The upstream FortiGate must have the Security Fabric or Fortitelemetry enabled on the interface that receives the communication from the downstream FortiGate. This enables proper data exchange and monitoring within the Security Fabric.

Fortinet Documentation on Security Fabric Configuration

Fortinet Community Discussion on Port Requirements

Question 6

There are four exchanges during IKEv2 negotiation.

Which sequence is correct?

AIKE_Proposal, ID_Auth, PiggyBack_CHILD and Informational

Blnit_Req, Wait_lnit_Req, ID_Auth_Req and Create_CHILD_SA

CINIT_Re, INIT_Auth, ID_Child and SET_Nonce

DIKE_SAJNIT, IKE_Auth, Create_CHILD_SA and Informational

Answer : D

IKE_SA_INIT:

This is the first exchange in IKEv2. It establishes a secure, authenticated channel between peers and negotiates cryptographic algorithms and keys.

IKE_Auth:

The second exchange authenticates the IKE SA (Security Association) using the previously negotiated keys and algorithms. This exchange also establishes the first IPsec SA.

Create_CHILD_SA:

This exchange creates additional IPsec SAs after the initial authentication. It can also be used to rekey existing IPsec SAs to maintain security.

Informational:

This is a generic exchange used for various purposes such as error notification, deletion of SAs, and other control messages.

Fortinet Community: IKEv2 packet exchanges and troubleshooting

Fortinet Documentation: IPsec VPN Concepts

Question 7

What are two functions of automation stitches? (Choose two.)

AYou can configure automation stitches on any FortiGate device in a Security Fabric environment.

BYou can create automation stitches to run diagnostic commands and attach the results to an email message when CPU or memory usage exceeds specified thresholds.

CAn automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

DYou can set an automation stitch configured to execute actions in parallel to insert a specific delay between actions.

Answer : B, C

Automation Stitches Overview:

Automation stitches in FortiOS allow administrators to automate responses to specific events, such as running diagnostic commands or taking corrective actions when certain thresholds are exceeded.

Diagnostic Commands and Alerts:

Automation stitches can be configured to run diagnostic commands and attach the results to email alerts. This is useful for monitoring and troubleshooting purposes, particularly when CPU or memory usage exceeds set thresholds.

Sequential Execution with Parameters:

When actions are executed sequentially, each action can take parameters from the previous action as input. This enables more complex workflows and automation sequences where the output of one action influences the next.

Fortinet Documentation: Configuring and using automation stitches (Welcome to the Fortinet Community!) (Hammertux).

Fortinet Community: Automation stitches and their applications in FortiOS (Hammertux) (Fortinet GURU).

Fortinet NSE7_NST-7.2 Fortinet NSE 7 - Network Security 7.2 Support Engineer Exam Practice Test