Fortinet nse7-efw-6-4 practice test
Fortinet NSE 7 - Enterprise Firewall 6.4 Exam
Question 1
Which two statements about an auxiliary session are true? (Choose two.)
- A. With the auxiliary session setting enabled, ECMP traffic is accelerated to the NP6 processor.
- B. With the auxiliary session setting enabled, two sessions will be created in case of routing change.
- C. With the auxiliary session setting disabled, for each traffic path, FortiGate will use the same auxiliary session.
- D. With the auxiliary session disabled, only auxiliary sessions will be offloaded.
Answer:
C, D
Reference:
https://docs.fortinet.com/document/fortigate/7.0.1/administration-
guide/14295/controlling-return-path-with-auxiliary-session
Question 2
Which two statements about the Security Fabric are true? (Choose two.)
- A. Only the root FortiGate collects network information and forwards it to FortiAnalyzer.
- B. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.
- C. All FortiGate devices in the Security Fabric must have bidirectional FortiTelemetry connectivity.
- D. Branch FortiGate devices must be configured first.
Answer:
B, C
Reference:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/327890/deploying-
security-fabric
Question 3
Which two statements about bulk configuration changes made using FortiManager CLI scripts are
correct? (Choose two.)
- A. When run on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate device.
- B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
- C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
- D. When run on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate device.
Answer:
A, B
Reference:
https://docs.fortinet.com/document/fortimanager/6.2.1/administration-guide/71780/cli-
scripts
Question 4
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover,
the administrator notices that some of the switches in the network continue to send traffic to the
former primary device. The administrator decides to enable the setting link-failed-signal to fix the
problem.
Which statement about this setting is true?
- A. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
- B. It sends a link failed signal to all connected devices.
- C. It disabled all the non-heartbeat interfaces in all HA members for two seconds after a failover.
- D. It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the failover occurs.
Answer:
D
Reference:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD40860&sliceId=1
Question 5
Which two statements about OCVPN are true? (Choose two.)
- A. Only root vdom supports OCVPN.
- B. OCVPN supports static and dynamic IPs in WAN interface.
- C. OCVPN offers only Hub-Spoke VPNs.
- D. FortiGate devices under different FortiCare accounts can be used to form OCVPN.
Answer:
A, B
Reference:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/977344/one-click-vpn-ocvpn
https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/496884/overlay-controller-vpn-
ocvpn
Question 6
Refer to the exhibit, which contains partial output from an IKE real-time debug.
Based on the debug output, which phase 1 setting is enabled in the configuration of this VPN?
- A. auto-discovery-shortcut
- B. auto-discovery-forwarder
- C. auto-discovery-sender
- D. auto-discovery-receiver
Answer:
C
Reference:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/320160/example-advpn-
configuration
Question 7
Refer to the exhibit, which shows a FortiGate configuration.
An administrator is troubleshooting a web filter issue on FortiGate. The administrator has configured
a web filter profile and applied it to a policy; however, the web filter is not inspecting any traffic that
is passing through the policy.
What must the administrator change to fix the issue?
- A. The administrator must increase webfilter-timeout.
- B. The administrator must disable webfilter-force-off.
- C. The administrator must change protocol to TCP.
- D. The administrator must enable fortiguard-anycast.
Answer:
D
Reference:
https://docs.fortinet.com/document/fortigate/6.4.5/cli-reference/109620/config-system-
fortiguard
Question 8
Refer to the exhibit, which contains the debug output of diagnose dvm device list.
Which two statements about the output shown in the exhibit are correct? (Choose two.)
- A. ADOMs are disabled on the FortiManager
- B. The FortiGate configuration is in sync with latest running revision history.
- C. There are pending device-level changes yet to be installed on Local-FortiGate.
- D. The policy package has been modified for Local-FortiGate.
Answer:
B, C
Reference:
https://docs.fortinet.com/document/fortimanager/7.0.0/upgrade-guide/959309/cli-
example-of-diagnose-dvm-device-list
Question 9
Refer to the exhibit, which contains partial output from an IKE real-time debug.
Which two statements about this debug output are correct? (Choose two.)
- A. The remote gateway IP address is 10.0.0.1.
- B. The initiator provided remote as its IPsec peer ID.
- C. It shows a phase 1 negotiation.
- D. The negotiation is using AES128 encryption with CBC hash.
Answer:
B, C
Question 10
Refer to the exhibit, which contains the partial output of a diagnose command.
Based on the output, which two statements are correct? (Choose two.)
- A. Anti-replay is enabled
- B. The remote gateway IP is 10.200.4.1.
- C. DPD is disabled.
- D. Quick mode selectors are disabled.
Answer:
A, B
Question 11
Refer to the exhibit, which shows the output of a debug command.
Which two statements about the output are true? (Choose two.)
- A. The local FortiGate OSPF router ID is 0.0.0.4.
- B. Port4 is connected to the OSPF backbone area.
- C. In the network connected to port4, two OSPF routers are down.
- D. The local FortiGate is the backup designated router.
Answer:
A, B
Explanation:
Area 0.0.0.0 is the backbone area.
Question 12
Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.
Based on the output, which two statements are correct? (Choose two.)
- A. Phase 2 authentication is set to sha1 on both sides.
- B. Anti-replay is disabled.
- C. Hub2Spoke1 is a policy-based VPN.
- D. Hub2Spoke1 is configured on interface wan2.
Answer:
A, D
Question 13
Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)
- A. Installing configuration changes to managed devices
- B. Importing interface mappings from managed devices
- C. Adding devices to FortiManager
- D. Previewing pending configuration changes for managed devices
Answer:
A, D
Reference:
https://docs.fortinet.com/document/fortimanager/6.2.0/administration-
guide/668612/using-the-install-wizard-to-install-device-settings-only
Question 14
Refer to the exhibit, which contains the output of get system ha status.
Which two statements about the output are true? (Choose two.)
- A. The slave configuration is synchronized with the master.
- B. port7 is used as the HA heartbeat on all devices in the cluster.
- C. Master is selected based on the priority configured under config system ha.
- D. The HA management IP is 169.254.0.2.
Answer:
BC
Question 15
Refer to the exhibit, which contains a TCL script configuration on FortiManager.
An administrator has configured the TCL script on FortiManager, but failed to apply any changes to
the managed device after being executed.
Why did the TCL script fail to make any changes to the managed device?
- A. Changes in an interface configuration can only be done by CLI script.
- B. The TCL script must start with #include <>.
- C. Incomplete commands are ignored in TCL scripts.
- D. The TCL command run_cmd has not been created.
Answer:
D