Exam Questions Answers Braindumps NSE7_EFW-7.2 Exam Dumps PDF Questions
Download Free Fortinet NSE7_EFW-7.2 Real Exam Questions
NEW QUESTION # 42
Refer to the exhibit, which shows an SSL certification inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
- A. FortiGate closes the connection because this represents an invalid SSL/TLS configuration
- B. FortiGate uses the first entry listed in the SAN field in the server certificate
- C. FortiGate uses the CN information from the Subject field in the server certificate
- D. FortiGate uses the SNI from the user's web browser.
Answer: C
Explanation:
If the domain in the SNI field does not match any of the domains listed in the CN and SAN fields, FortiGate uses the domain in the CN field instead of the domain in the SNI field.
NEW QUESTION # 43
Which configuration can be used to reduce the number of BGP sessions in on IBGP network?
- A. Route-reflector-peer enable
- B. Route-reflector-server enable
- C. Route-reflector enable
- D. Route-reflector-client enable
Answer: D
Explanation:
To reduce the number of BGP sessions in an IBGP network, you can use a route reflector, which acts as a focal point for IBGP sessions and readvertises the prefixes to all other peers. To configure a route reflector, you need to enable the route-reflector-client option on the neighbor- group settings of the hub device. This will make the hub device act as a route reflector server and the other devices as route reflector clients.
NEW QUESTION # 44
Which statement about network processor (NP) offloading is true?
- A. For TCP traffic FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to NP
- B. The NP checks the session key or IPSec SA
- C. The NP provides IPS signature matching
- D. You can disable the NP for each firewall policy using the command np-acceleration st to loose.
Answer: A
Explanation:
Option A is correct because the FortiGate CPU offloads the first packets of TCP sessions to the NP for faster connection establishment and reduced CPU load1. This feature is called TCP offloading and it is enabled by default on FortiGate models with NP6 or higher2.
Option B is incorrect because the NP does not provide IPS signature matching. The NP only handles the packet forwarding and encryption/decryption functions, while the IPS signature matching is performed by the content processor (CP) or the CPU3.
Option C is incorrect because the command to disable the NP for each firewall policy is set np-acceleration disable, not set np-acceleration st to loose4. This command can be used to prevent certain traffic types from being offloaded to the NP, such as multicast, broadcast, or non-IP packets5.
Option D is incorrect because the NP does not check the session key or IPSec SA. The NP only offloads the IPSec encryption/decryption and tunneling functions, while the session key and IPSec SA are managed by the CPU. Reference: =
1: TCP offloading
2: Network processors (NP6, NP6XLite, NP6Lite, and NP4)
3: Content processors (CP9, CP9XLite, CP9Lite)
4: Disabling NP offloading for firewall policies
5: NP hardware acceleration alters packet flow
6: IPSec VPN concepts
NEW QUESTION # 45
Exhibit.
Refer to the exhibit, which contains a partial policy configuration.
Which setting must you configure to allow SSH?
- A. Configure pot 22 in the Protocol Options field.
- B. Select an application control profile corresponding to SSH in the Security Profiles section
- C. Specify SSH in the Service field
- D. Include SSH in the Application field
Answer: D
Explanation:
* Option A is correct because to allow SSH, you need to specify SSH in the Service field of the policy configuration. This is because the Service field determines which types of traffic are allowed by the policy1. By default, the Service field is set to App Default, which means that the policy will use the default ports defined by the applications. However, SSH is not one of the default applications, so you need to specify it manually or create a custom service for it2.
* Option B is incorrect because configuring port 22 in the Protocol Options field is not enough to allow SSH. The Protocol Options field allows you to customize the protocol inspection and anomaly protection settings for the policy3. However, this field does not override the Service field, which still needs to match the traffic type.
* Option C is incorrect because including SSH in the Application field is not enough to allow SSH. The Application field allows you to filter the traffic based on the application signatures and categories4.
However, this field does not override the Service field, which still needs to match the traffic type.
* Option D is incorrect because selecting an application control profile corresponding to SSH in the Security Profiles section is not enough to allow SSH. The Security Profiles section allows you to apply various security features to the traffic, such as antivirus, web filtering, IPS, etc. However, this section does not override the Service field, which still needs to match the traffic type. References: =
* 1: Firewall policies
* 2: Services
* 3: Protocol options profiles
* 4: Application control
NEW QUESTION # 46
Winch two statements about ADVPN are true? (Choose two)
- A. auto-discovery receiver must be set to enable on the Spokes.
- B. lt supports NAI for on-demand tunnels
- C. Routing is configured by enabling add-advpn-route
- D. Spoke to-spoke traffic never goes through the hub
Answer: A,B
Explanation:
ADVPN (Auto Discovery VPN) is a feature that allows to dynamically establish direct tunnels (called shortcuts) between the spokes of a traditional Hub and Spoke architecture. The auto-discovery receiver must be set to enable on the spokes to allow them to receive NHRP messages from the hub and other spokes.
NHRP (Next Hop Resolution Protocol) is used for on-demand tunnels, which are established when there is traffic between spokes. Routing is configured by enabling add-nhrp-route, not add-advpn-route. References :
= ADVPN | FortiGate / FortiOS 7.2.0 | Fortinet Document Library, Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
NEW QUESTION # 47
Which two statements about the Security fabric are true? (Choose two.)
- A. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the toot FortiGate sends
- B. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer
- C. Only the root FortiGate sends logs to FortiAnalyzer
- D. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnatyzer.
Answer: A,C
Explanation:
In the Security Fabric, only the root FortiGate sends logs to FortiAnalyzer (B). Additionally, only FortiGate devices withconfiguration-syncenabled receive and synchronize global Central Management Database (CMDB) objects that the root FortiGate sends (C). FortiGate uses the FortiTelemetry protocol to communicate with other FortiGates, not FortiAnalyzer (A). The last option (D) is incorrect as all FortiGates can collect and forward network topology information to FortiAnalyzer.
References:
* FortiOS Handbook - Security Fabric
NEW QUESTION # 48
Which two statements about the Security Fabric are true? (Choose two.)
- A. Each member of the Security Fabric maintains the shared Security Fabric map.
- B. Only FortiGate devices with configuration-sync sel to Local receive and synchronize the global CMDB objects that the root FortiGate sends.
- C. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
- D. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer.
- E. Each FortiGate device in the Security Fabric must have bidirectional FortiTelemetry connectivity.
Answer: C,E
NEW QUESTION # 49
Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
Which can you conclude from this command output?
- A. You must change the AS number to match the remote peer.
- B. The bfd configuration to set to enable.
- C. BGP is attempting to establish a TCP connection with the BGP peer.
- D. The router are in the number to match the remote peer.
Answer: C
Explanation:
The BGP state is "Idle", indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet.
If the TCP connection fails, the BGP state will reset to either active or idle, depending on the configuration. References: You can find more information about BGP states and troubleshooting in the following Fortinet Enterprise Firewall 7.2 documents:
* Troubleshooting BGP
* How BGP works
NEW QUESTION # 50
Refer to the exhibit which shows config system central-management information.
Which setting must you configure for the web filtering feature to function?
- A. Configure server-type with the rating option
- B. Configure securewf.fortiguard.net on the default servers
- C. Add server.fortiguard.net to the Server list
- D. Set update-server-location to automatic
Answer: A
Explanation:
For the web filtering feature to function effectively, the FortiGate device needs to have a server configured for rating services. The rating option in the server-type setting specifies that the server is used for URL rating lookup, which is essential for web filtering. The displayed configuration does not list any FortiGuard web filtering servers, which would be necessary for web filtering. The setting set include-default-servers disable indicates that the default FortiGuard servers are not being used, and hence, a specific server for web filtering (like securewf.fortiguard.net) needs to be configured.
NEW QUESTION # 51
Exhibit.
Refer to the exhibit, which shows an ADVPN network.
The client behind Spoke-1 generates traffic to the device located behind Spoke-2.
Which first message floes the hub send to Spoke-110 bring up the dynamic tunnel?
- A. Shortcut reply
- B. Shortcut offer
- C. Shortcut query
- D. Shortcut forward
Answer: B
Explanation:
The first message that the hub sends to Spoke-1 to bring up the dynamic tunnel is a shortcut offer. This is a BGP message that contains the NHRP information of the destination spoke (Spoke-2) and offers to create a shortcut tunnel between the two spokes. The shortcut offer is sent after the hub receives a BGP update from Spoke-2 with the destination prefix and the NHRP information. Reference: You can find more information about ADVPN and BGP in the following Fortinet Enterprise Firewall 7.2 documents:
ADVPN
BGP
ADVPN with BGP as the routing protocol
NEW QUESTION # 52
Exhibit.
Refer to the exhibit, which contains an active-active toad balancing scenario.
During the traffic flow the primary FortiGate forwards the SYN packet to the secondary FortiGate.
What is the destination MAC address or addresses when packets are forwarded from the primary FortiGate to the secondary FortiGate?
- A. Secondary virtual MAC port1
- B. Secondary physical MAC port2 then virtual MAC port2
- C. Secondary virtual MAC port1 then physical MAC port1
- D. Secondary physical MAC port1
Answer: D
Explanation:
In an active-active load balancing scenario, when the primary FortiGate forwards the SYN packet to the secondary FortiGate, the destination MAC address would be the secondary's physical MAC on port1, as the packet is being sent over the network and the physical MAC is used for layer 2 transmissions.
NEW QUESTION # 53
An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device What can the administrator do to fix this problem?
- A. Configure remote Iink monitoring to detect an issue in the forwarding path
- B. Configure set send-garp-on-failover enables under config system ha on both cluster members
- C. Configure set link -failed signal enable under-config system ha on both Cluster members
- D. Verify that the speed and duplex settings match between me FortiGate interfaces and the connected switch ports
Answer: C
Explanation:
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
#Config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from MAC table of the switches.
NEW QUESTION # 54
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
- A. Dead peer detection is set to enable.
- B. The IKE version is 2.
- C. Forward error correction in phase 2 is set to enable.
- D. Both IPsec SAs are loaded on the kernel.
Answer: B,D
Explanation:
From the command output shown in the exhibit:
B: The IKE version is 2: This can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C: Both IPsec SAs are loaded on the kernel: This is indicated by the line 'npu flags=0x0/0', suggesting that no offload to NPU is occurring, and hence, both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the version of IKE (Internet Key Exchange) used and the loading of IPsec Security Associations can be verified through the diagnostic commands related to VPN tunnels.
NEW QUESTION # 55
Exhibit.
Refer to exhibit, which shows a central management configuration
Which server will FortiGate choose for web filler rating requests if 10.0.1.240 is experiencing an outage?
- A. 10.0.1.243
- B. 10.0.1.242
- C. 10.0.1.244
- D. Public FortiGuard servers
Answer: C
Explanation:
In the event of an outage at 10.0.1.240, the FortiGate will choose the next server in the sequence for web filter rating requests, which is 10.0.1.244 according to the configuration shown in the exhibit. This is because the server list is ordered by priority, and the server with the lowest priority number is chosen first. If that server is unavailable, the next server with the next lowest priority number is chosen, and so on. The public FortiGuard servers are only used if the include-default-servers option is enabled and all the custom servers are unavailable. References := Fortinet Enterprise Firewall Study Guide for FortiOS 7.2, page 132.
NEW QUESTION # 56
You want to block access to the website ww.eicar.org using a custom IPS signature. Which custom IPS signature should you configure?
- A. F-SBID ( --name "detect_eicar"; --protocol udp; --service ssl; --flow from_client; --pattern
"www.eicar.org"; --no_case; --context host;) - B. F-SBID ( --name "eicar"; --protocol tcp; --service HTTP; --flow from_client; --pattern
"www.eicar.org"; --no_case; --context host;) - C. F-SBID ( --name "eicar"; --protocol udp; --flow from_server; --pattern "eicar"; --context host;)
- D. F-SBID ( --name "detect_eicar"; --protocol tcp; --service dns; --flow from_server; --pattern "eicar"; -
-no_case;)
Answer: B
Explanation:
Option D is the correct answer because it specifically blocks access to the website
"www.eicar.org" using TCP protocol and HTTP service, which are commonly used for web browsing. The other options either use the wrong protocol (UDP), the wrong service (DNS or SSL), or the wrong pattern ("eicar" instead of "www.eicar.org").
NEW QUESTION # 57
Refer to the exhibit, which shows config system central-management information.
Which setting must you configure for the web filtering feature to function?
- A. Configure server-type with the rating option.
- B. Set update-server-location to automatic.
- C. Add server. fortiguard. net to the server list.
- D. Configure securewf.fortiguard. net on the default servers.
Answer: A
Explanation:
For the web filtering feature to function effectively, the FortiGate device needs to have a server configured for rating services. The rating option in the server-type setting specifies that the server is used for URL rating lookup, which is essential for web filtering. The displayed configuration does not list any FortiGuard web filtering servers, which would be necessary for web filtering. The setting set include-default-servers disable indicates that the default FortiGuard servers are not being used, and hence, a specific server for web filtering (like securewf.fortiguard.net) needs to be configured.
NEW QUESTION # 58
Which two features are true regarding IPS hardware acceleration? (Choose two.)
- A. Network processors provide pre-IPS anomaly filtering and logging
- B. FortiGate does not support IPSA if the cp-accel-mode is configured as none.
- C. set np-access-mode basic will provide last path for IPS inspected traffic
- D. cp-accel-iaode advanced option is available only on FortiGate devices that have one or more CP8 processors
Answer: C,D
NEW QUESTION # 59
Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?
- A. Enable AD-VPN in IPsec phase 1
- B. Configure IP addresses on IPsec virtual interlaces
- C. Disable add-route on hub
- D. Set protected network to all
Answer: A
Explanation:
To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager. References := ADVPN | FortiManager 7.2.0 - Fortinet Documentation
NEW QUESTION # 60
Refer to the exhibit, which shows device registration on FortiManager.
What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond:
Modified (recent auto-updated)?
- A. On both Spoke-1 and Spoke-2, the configuration was changed directly on the FortiGate device, and the changes were automatically retrieved by the device database.
- B. On NGFW-A, the configuration was changed and spokes are wailing for an autoupdate.
- C. Based on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.
- D. Spoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.
Answer: B
NEW QUESTION # 61
Refer to the exhibit, which shows a network diagram.
Which protocol should you use to configure the FortiGate cluster?
- A. FGCP in active-passive mode
- B. FGSP
- C. VRRP
- D. FGCP in active-active mode
Answer: B
Explanation:
Given the network diagram and the presence of two FortiGate devices, the Fortinet Gate Clustering Protocol (FGCP) in active-passive mode is the most appropriate for setting up a FortiGate cluster. FGCP supports high availability configurations and is designed to allow one FortiGate to seamlessly take over if the other fails, providing continuous network availability. This is supported by Fortinet documentation for high availability configurations using FGCP.
NEW QUESTION # 62
Exhibit.
Refer to the exhibit, which contains a partial policy configuration.
Which setting must you configure to allow SSH?
- A. Configure pot 22 in the Protocol Options field.
- B. Select an application control profile corresponding to SSH in the Security Profiles section
- C. Specify SSH in the Service field
- D. Include SSH in the Application field
Answer: D
Explanation:
* Option A is correct because to allow SSH, you need to specify SSH in the Service field of the policy configuration. This is because the Service field determines which types of traffic are allowed by the policy1. By default, the Service field is set to App Default, which means that the policy will use the default ports defined by the applications. However, SSH is not one of the default applications, so you need to specify it manually or create a custom service for it2.
* Option B is incorrect because configuring port 22 in the Protocol Options field is not enough to allow SSH. The Protocol Options field allows you to customize the protocol inspection and anomaly protection settings for the policy3. However, this field does not override the Service field, which still needs to match the traffic type.
* Option C is incorrect because including SSH in the Application field is not enough to allow SSH. The Application field allows you to filter the traffic based on the application signatures and categories4.
However, this field does not override the Service field, which still needs to match the traffic type.
* Option D is incorrect because selecting an application control profile corresponding to SSH in the Security Profiles section is not enough to allow SSH. The Security Profiles section allows you to apply various security features to the traffic, such as antivirus, web filtering, IPS, etc. However, this section does not override the Service field, which still needs to match the traffic type. References: =
* 1: Firewall policies
* 2: Services
* 3: Protocol options profiles
* 4: Application control
NEW QUESTION # 63
Which three conditions are required (or two FortiGate devices to form an OSPF adjacency? (Choose three.)
- A. OSPF peer interface must have same cost value
- B. OSPF peer interface must have same Hello and Wait time
- C. OSPF peer interface must have same Hello and Dead time
- D. OSPF peer interface must have same MTU size
- E. OSPF peer interfaces must have same network and mask
Answer: C,D,E
NEW QUESTION # 64
Refer to the exhibit, which contains a partial BGP combination.
You want to configure a loopback as the OGP source.
Which two parameters must you set in the BGP configuration? (Choose two)
- A. recursive-next-hop
- B. ebgp-enforce-multihop
- C. ibgp-enfoce-multihop
- D. update-source
Answer: B,D
Explanation:
To configure a loopback as the BGP source, you need to set the "ebgp-enforce-multihop" and
"update-source" parameters in the BGP configuration. The "ebgp-enforce-multihop" allows EBGP connections to neighbor routers that are not directly connected, while "update-source" specifies the IP address that should be used for the BGP session.
NEW QUESTION # 65
Exhibit.
Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices.
Which two conclusions can you draw from this con figuration? (Choose two)
- A. By default FortiGate B is the primary virtual router
- B. 10.1.5.254 is the default gateway of the internal network
- C. The VRRP domain uses the physical MAC address of the primary FortiGate
- D. On failover new primary device uses the same MAC address as the old primary
Answer: B,D
Explanation:
The Virtual Router Redundancy Protocol (VRRP) configuration in the exhibit indicates that 10.1.5.254 is set as the virtual IP (VRIP), commonly serving as the default gateway for the internal network (A). With vrrp-virtual-macenabled, both FortiGates would use the same virtual MAC address, ensuring a seamless transition during failover (B). The VRRP domain does not use the physical MAC address (C), and the priority settings indicate that FortiGate-A would be the primary router by default due to its higher priority (D).
NEW QUESTION # 66
Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.
Which two parameters must you configure on the corresponding single hub? (Choose two.)
- A. Set ike-version 2
- B. Set auto-discovery-receiver enable
- C. Set auto-discovery-forwarder enable
- D. Set auto-discovery-sender enable
Answer: A,D
NEW QUESTION # 67
......
Fortinet NSE7_EFW-7.2 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Topic 1 |
|
| Topic 2 |
|
| Topic 3 |
|
| Topic 4 |
|
| Topic 5 |
|
Latest Fortinet NSE7_EFW-7.2 Real Exam Dumps PDF: https://www.2pass4sure.com/NSE-7-Network-Security-Architect/NSE7_EFW-7.2-actual-exam-braindumps.html
NSE7_EFW-7.2 Exam Dumps, NSE7_EFW-7.2 Practice Test Questions: https://drive.google.com/open?id=1DG2Wm_yYeOpIos5ck7-F_kpZVi7l2663