Fortinet NSE7_EFW-7.0 Exam Practice Questions (P. 3)
Question #11
Refer to the exhibit, which shows partial outputs from two routing debug commands.

Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?
- A. Set the priority of the static default route using port1 to 10. (Most Voted)
- B. Set the priority of the static default route using port2 to 1.
- C. Set preserve-session-route to enable.
- D. Set snat-route-change to enable.
Correct Answer: B
Question #12
Refer to the exhibit, which shows a partial routing table.

Assuming all the appropriate firewall policies are configured, what two changes would an administrator need to make if they wanted to send traffic from a client directly connected to port3, to a server directly connected to port4? (Choose two.)
- A. Configure route leaking between VRF 12 and VRF 21. (Most Voted)
- B. Disable auto-asic-offload as this is not supported between VRF instances.
- C. Configure RIPv2 to exchange route information between the VRF instances.
- D. Configure route leaking between port3 and port4.
- E. Enable SNAT on the relevant firewall policies to prevent RPF check drops. (Most Voted)
Correct Answer: AC
Question #13
What is the diagnose test application ipsmonitor 5 command used for?
- A. To enable IPS bypass mode (Most Voted)
- B. To disable the IPS engine
- C. To restart all IPS engines and monitors
- D. To provide information regarding IPS sessions
Correct Answer: D

The 'diagnose test application ipsmonitor 5' command specifically pulls up information regarding IPS sessions, not toggling bypass status as the first user comment might suggest. Correctly understanding these commands is crucial for managing IPS in Fortinet environments effectively, especially concerning security and network management. It’s vital to remember this distinction to utilize Fortinet's diagnostic commands accurately.
Question #14
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.
What can the administrator do to fix this problem?
- A. Configure remote link monitoring to detect an issue in the forwarding path.
- B. Configure set send-garp-on-failover enable under config system ha on both cluster members.
- C. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.
- D. Configure set link-failed-signal enable under config system ha on both cluster members. (Most Voted)
Correct Answer: B

To address the issue of switches routing traffic to the former primary FortiGate in a high availability (HA) setup, it is effective to enable the sending of gratuitous ARP on failover. This can be configured using the command "set send-garp-on-failover enable" under the HA system settings. This setting ensures that immediately after a failover, the new primary device issues gratuitous ARP packets that update the network devices' ARP tables, thereby redirecting traffic to the new primary node. This solution directly targets the problem of outdated ARP tables in switches following a failover event.
Question #15
Which statement about IKE and IKE NAT-T is true?
- A. IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.
- B. IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.
- C. They both use UDP as their transport protocol and the port number is configurable. (Most Voted)
- D. They each use their own IP protocol number.
Correct Answer: B

IKE NAT-T (Network Address Translation-Traversal) is indeed an extension specifically developed for resolving issues encountered when NAT devices exist between the VPN peers. Initially, IKE, as established in IKEv1, does not integrate mechanisms to detect or traverse NAT scenarios. NAT-T was subsequently added to support this functionality, particularly enhancing the IKE protocol's operational success across NAT devices, which became a significant feature inclusion in IKEv2. It is crucial to note that while ports for IKE can be configured, which is a separate adjustable parameter, the essence of the question highlights the evolution and integration of NAT-T within the IKE protocols.