
Pass the Fortinet NSE 7 Network Security Architect NSE7_EFW-7.0 Questions and answers with ExamsMirror

Viewing page 3 out of 5 pages
Viewing questions 21-30 out of questions
Questions # 21:

What does the dirty flag mean in a FortiGate session configured for NGFW policy mode?

Options:

A. The existing session table entry has been updated with the app_id and the firewall policy table needs to be checked for a match.

B. The application or URL category is unknown and needs to be rescanned by the IPS engine to try to identify the Layer 7 details.

C. The URL category for this session has been updated by FortiGuard and the session needs to be checked against the policy again to ensure proper web filtering is applied.

D. Traffic has been identified as coming from an application that is not allowed and the relevant replacement message needs to be displayed to the user, if configured.

Questions # 22:

Refer to the exhibit, which shows partial outputs from two routing debug commands.

Question # 22

Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?

Options:

A. Set the priority of the static default route using port1 to 10. (Most Voted)

B. Set the priority of the static default route using port2 to 1.

C. Set preserve-session-route to enable.

D. Set snat-route-change to enable.

Questions # 23:

Refer to the exhibit, which shows a partial web filter profile configuration.

Question # 23

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

Options:

A. FortiGate will block the connection, based on the FortiGuard category based filter configuration.

B. FortiGate will block the connection as an invalid URL.

C. FortiGate will exempt the connection, based on the Web Content Filter configuration.

D. FortiGate will allow the connection, based on the URL Filter configuration.

Questions # 24:

A corporate network allows Internet access to FSSO users only. The FSSO user student does not have Internet access after successfully logging into the Windows AD network. The output of the ‘diagnose debug authd fsso list’ command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

Options:

A. The user student must not be listed in the CA’s ignore user list.

B. The user student must belong to one or more of the monitored user groups.

C. The student workstation’s IP subnet must be listed in the CA’s trusted list.

D. At least one of the student’s user groups must be allowed by a FortiGate firewall policy.

Questions # 25:

A FortiGate device has the following LDAP configuration:

Question # 25

The administrator executed the ‘dsquery’ command on the Windows LDAP server 10.0.1.10 and got the following output:

>dsquery user -samid administrator

"CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab"

Based on the output, what FortiGate LDAP setting is configured incorrectly?

Options:

A. cnid.

B. username.

C. password.

D. dn.

Questions # 26:

View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Question # 26

The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?

Options:

A. Change phase 1 encryption to 3DES and authentication to SHA128.

B. Change phase 1 encryption to AES128 and authentication to SHA512.

C. Change phase 1 encryption to AESCBC and authentication to SHA2.

D. Change phase 1 encryption to AES256 and authentication to SHA256.

Questions # 27:

An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.

Question # 27

Why didn’t the script make any changes to the managed device?

Options:

A. Commands that start with the # sign are not executed.

B. CLI scripts will add objects only if they are referenced by policies.

C. Incomplete commands are ignored in CLI scripts.

D. Static routes can only be added using TCL scripts.

Questions # 28:

Refer to the exhibit, which contains the output of a BGP debug command.

Question # 28

Which statement about the exhibit is true?

Options:

A. The local router has received a total of three BGP prefixes from all peers.

B. The local router has not established a TCP session with 100.64.3.1.

C. Since the counters were last reset, the 10.200.3.1 peer has never been down.

D. The local router BGP state is OpenConfirm with the 10.127.0.75 peer.

Questions # 29:

The CLI command set intelligent-mode controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

Options:

A. Determines the optimal number of IPS engines required based on system load.

B. Downloads signatures on demand from FDS based on scanning requirements.

C. Determines when it is secure enough to stop scanning session traffic.

D. Chooses a matching algorithm based on available memory and the type of inspection being performed.

Questions # 30:

Which two configuration commands change the default behavior for content-inspected traffic while FortiGate is in conserve mode? (Choose two.)

Options:

A. set av-failopen off

B. set av-failopen pass

C. set fail-open enable

D. set ips fail-open disable
