NSE7 Enterprise Firewall - FortiOS 5.4 (NSE7_EFW) Free Practice Test

Question 1

Examine the following routing table and BGP configuration; then answer the question below.

TheBGP connection is up, but the local peer is NOT advertising the prefix 192.168.1.0/24. Which configuration change will make the local peer advertise this prefix?

A. Enable the redistribution of static routers into BGP.

B. Disable the setting network-import-check.

C. Enable the setting ebgp-multipath.

D. Enable the redistribution of connected routers into BGP.

Correct Answer: B

Question 2

An administrator has enabled HA session synchronization in a HA cluster with two members. Which flag is added to a primary unit's session to indicate that it has been synchronized to the secondary unit?

A. synced

B. nds.

C. redir.

D. dirty.

Correct Answer: A

Question 3

Examine the IPsec configuration shown in the exhibit; then answer the question below.

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:
diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1
diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?

A. The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.

B. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.

C. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.

D. The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.

Correct Answer: A

Question 4

Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)

A. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.

B. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.

D. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.

Correct Answer: A,B

Question 5

A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS errors when accessing any website. The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

What should the administrator check to fix the problem?

A. That DNS service is enabled in the explicit web proxy interface.

B. The connectivity between the client workstations and the DNS server.

C. That DNS traffic from client workstations is allowed by the explicit web proxy policies.

D. The connectivity between the FortiGate unit and the DNS server.

Correct Answer: B,D

Question 6

An administrator added the following Ipsec VPN to a FortiGate configuration:
configvpn ipsec phasel -interface
edit "RemoteSite"
set type dynamic
set interface "portl"
set mode main
set psksecret ENC LCVkCiK2E2PhVUzZe
next
end
config vpn ipsec phase2-interface
edit "RemoteSite"
set phasel name "RemoteSite"
set proposal 3des-sha256
next
end
However, the phase 1 negotiation is failing. The administrator executed the IKF real time debug while attempting the Ipsec connection. The output is shown in the exhibit.

What is causing the IPsec problem in the phase 1 ?

A. The pre-shared key is wrong

B. The incoming IPsec connection is matching the wrong VPN configuration

C. The phrase-1 mode must be changed to aggressive

D. NAT-T settings do not match

Correct Answer: A

Question 7

When does a RADIUS server send an Access-Challenge packet?

A. The user account is not found in the server.

B. The server does not have the user credentials yet.

C. The user credentials are wrong.

D. The server requires more information from the user, such as the token code for two-factor authentication.

Correct Answer: D

Question 8

View the exhibit, which contains the output of diagnose sys session stat, and then answer the question below.

Which statements are correct regarding the output shown? (Choose two.)

A. There are 166 TCP sessions waiting to complete the three-way handshake.

B. All the sessions in the session table are TCP sessions.

C. There are 0 ephemeral sessions.

D. No sessions have been deleted because of memory pages exhaustion.

Correct Answer: A,C

Question 9

The logs in a FSSO collector agent (CA) are showing the following error:
failed to connect to registry: PIKA1026 (192.168.12.232)
What can be the reason for this error?

A. The CA cannot reach the FortiGate with the IP address 192.168.12.232.

B. The CA cannot resolve the name of the workstation.

C. The FortiGate cannot resolve the name of the workstation.

D. The remote registry service is not running in the workstation 192.168.12.232.

Correct Answer: D

Welcome to TestSimulate

Fortinet NSE7 Enterprise Firewall - FortiOS 5.4 (NSE7_EFW) Free Practice Test