Free NSE7_EFW-7.2 Exam Braindumps

Pass your Fortinet NSE 7 - Enterprise Firewall 7.2 exam with these free Questions and Answers

Page 4 of 10
QUESTION 11

Exhibit. (The exhibit image is not reproduced on this page.)
Refer to the exhibit, which contains a CLI script configuration on FortiManager. An administrator configured the CLI script on FortiManager, but the script failed to apply any changes to the managed device after being executed.
What are two reasons why the script did not make any changes to the managed device? (Choose two)

  1. A. The commands that start with the # sign did not run.
  2. B. Incomplete commands can cause CLI scripts to fail.
  3. C. Static routes can be added using only TCL scripts.
  4. D. CLI scripts must start with #!.

Correct Answer: AB
Lines that start with the # sign are comments in a FortiManager CLI script, so any commands written that way never run (A). Incomplete commands, for example a set keyword with no value, are not recognised by the FortiGate CLI and cause the script to fail (B). The other options are incorrect: static routes can be added with CLI scripts or through the GUI, not only with TCL scripts, and CLI scripts do not need to start with #!. Reference: Configuring custom scripts, FortiManager 7.2.0 documentation, section "CLI script syntax".
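The two scripts below are an added illustration of the failure modes behind answers A and B; they are not the exhibit from the question and not Fortinet documentation code. The route number, destination, interface name and gateway are made-up values.

```fortios
# --- Script as first written: nothing is applied to the managed FortiGate ---
# The two lines beginning with '#' inside the edit block are comments, so the
# destination and the device are never set (answer A), and "set gateway" with
# no value is an incomplete command that makes the whole script fail (answer B).
config router static
    edit 10
        # set dst 10.20.0.0 255.255.0.0
        # set device "port2"
        set gateway
    next
end

# --- Corrected script: every command is complete, comments carry no configuration ---
# FortiManager pushes this to the managed device exactly as an interactive CLI
# session would, so each set line must have its value and the block must be
# closed with next/end.
config router static
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set gateway 192.0.2.1
        set device "port2"
    next
end
```

A quick way to catch both problems before running a script on a production device is to paste it into the CLI of a lab FortiGate (or the managed device's CLI console) and watch for "command parse error" lines, which is what an incomplete set line produces.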

QUESTION 12

Exhibit. (The exhibit image is not reproduced on this page.)
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)

  1. A. IPSec Tunnel aggregation is configured
  2. B. net-device is enabled in the tunnel IPSec phase 1 configuration
  3. C. OSPF is configured to run over IPSec.
  4. D. add-route is disabled in the tunnel IPSec phase 1 configuration.

Correct Answer: BD
Option B is correct: the routing table shows the tunnel interfaces with a 255.255.255.255 netmask, which is what you see when net-device is enabled in the phase 1 configuration. With net-device enabled, the FortiGate creates a separate tunnel interface per peer and can use that interface as a next hop for routing without relying on a route to the phase 2 destination [1].
Option D is correct: the routing table contains no routes to the phase 2 destination networks, which indicates that add-route is disabled in the phase 1 configuration. add-route controls whether the FortiGate installs a route to the negotiated phase 2 destination network with the tunnel interface as the gateway [2].
Option A is incorrect: IPsec tunnel aggregation bundles several IPsec tunnels into one aggregate interface for redundancy and load balancing [3]. Nothing in the routing table shown points to that feature.
Option C is incorrect: OSPF can run over IPsec tunnels, but that requires additional routing configuration on the FortiGate and on the peer device [4], and the routing table shown does not demonstrate it.
References:
[1] Technical Tip: 'set net-device' new route-based IPsec logic
[2] Adding a static route
[3] IPsec VPN concepts
[4] Dynamic routing over IPsec VPN

QUESTION 13

Which two statements about ADVPN are true? (Choose two.)

  1. A. You must disable add-route in the hub.
  2. B. All FortiGate devices must be in the same autonomous system (AS).
  3. C. The hub adds routes based on IKE negotiations.
  4. D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.

Correct Answer: CD
C. The hub adds routes based on IKE negotiations: with ADVPN the hub learns the networks behind each spoke from its IKE negotiation with that spoke and installs routes to them dynamically.
D. You must configure the phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: wildcard selectors allow any-to-any traffic through the tunnel, which is required for the dynamic creation of spoke-to-spoke shortcut tunnels.
Both points are made in Fortinet's ADVPN documentation, which emphasises the hub's role in route control and the use of wildcard phase 2 selectors to enable dynamic tunneling between spokes.

QUESTION 14

After enabling IPS you receive feedback about traffic being dropped. What could be the reason?

  1. A. Np-accel-mode is set to enable
  2. B. Traffic-submit is set to disable
  3. C. IPS is configured to monitor
  4. D. Fail-open is set to disable

Correct Answer: D
fail-open is an IPS global setting that decides what happens to traffic when the IPS engine fails or its packet buffer is full. With fail-open enabled, traffic is passed through without inspection; with fail-open disabled (D), traffic is dropped in those situations, which is the symptom reported here. The other options do not drop traffic on their own: np-accel-mode (A) controls network-processor offload of IPS inspection, traffic-submit (B) controls whether attack samples are sent to FortiGuard, and an IPS sensor in monitor mode (C) only logs. Reference: IPS, FortiGate / FortiOS 7.2.3 documentation.
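The following added example (not text from the page or from Fortinet's documentation) shows where the three settings named in the options live in the FortiOS CLI and the trade-off behind fail-open; the values are illustrative.

```fortios
# All three options of this question are settings under the same global IPS table.
config ips global
    # fail-open disable: if the IPS engine crashes or its buffer fills, packets are
    # dropped rather than forwarded uninspected. Safer (fail closed), but it is the
    # setting that produces "traffic is being dropped" reports after IPS is enabled.
    set fail-open disable
    # np-accel-mode: whether IPS inspection is offloaded to the network processor.
    # It affects throughput, not whether traffic is allowed.
    set np-accel-mode basic
    # traffic-submit: whether detected attack samples are uploaded to FortiGuard.
    # Unrelated to forwarding decisions.
    set traffic-submit disable
end

# Availability-first variant: uninspected traffic is passed when the engine fails.
# Use only where an inspection gap is acceptable; pair it with alerting on IPS
# engine restarts so the gap does not go unnoticed.
config ips global
    set fail-open enable
end
```

Whichever value is chosen, the decision is a policy trade-off between availability and inspection coverage and should be recorded alongside the IPS deployment; a sensor set to monitor mode does not change this behaviour, it only stops the sensor from blocking what it detects.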

QUESTION 15

Which two statements about the BFD parameter in BGP are true? (Choose two.)

  1. A. It allows failure detection in less than one second.
  2. B. The two routers must be connected to the same subnet.
  3. C. It is supported for neighbors over multiple hops.
  4. D. It detects only two-way failures.

Correct Answer: AC
Bidirectional Forwarding Detection (BFD) is a lightweight protocol for detecting failures in the forwarding path between two systems, covering interfaces, data links and forwarding planes. It is designed to detect forwarding path failures in a very short time, typically well under one second, which is far faster than traditional mechanisms such as the hold timers of routing protocols.
FortiGate supports BFD for BGP, and it can be used over multiple hops, which allows failures to be detected even when the BGP peers are not directly connected. This keeps BGP sessions stable over a wider network topology and is documented in Fortinet's guides.
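An added example (not from the page or from Fortinet's documentation) of BFD protecting both a directly connected BGP neighbour and a multihop neighbour reached via loopbacks. AS numbers, addresses and interface names are made up, and the multihop-template block is written from the FortiOS CLI as assumed here, so verify it against the release you run.

```fortios
# --- Directly connected peer: BFD runs on the physical interface ---
# Detection time = required-min-rx x detect-mult = 300 ms x 3 = 900 ms,
# comfortably under one second and far below BGP's default hold timer.
config system interface
    edit "port3"
        set bfd enable
        set bfd-desired-min-tx 300
        set bfd-required-min-rx 300
        set bfd-detect-mult 3
    next
end

config router bgp
    set as 65001
    config neighbor
        edit "10.10.10.2"                  # eBGP peer on the port3 subnet
            set remote-as 65002
            set bfd enable                 # tear the session down as soon as BFD reports the path dead
        next
        edit "192.168.100.2"               # iBGP peer several hops away, loopback to loopback
            set remote-as 65001
            set update-source "loopback0"
            set ebgp-enforce-multihop enable
            set bfd enable
        next
    end
end

# --- Multihop peer: BFD session is bound to the loopback pair, not to one link ---
config router bfd
    config multihop-template
        edit 1
            set src 192.168.100.1 255.255.255.255
            set dst 192.168.100.2 255.255.255.255
            set bfd-desired-min-tx 300
            set bfd-required-min-rx 300
            set bfd-detect-mult 3
        next
    end
end
```

Keep the timers symmetric with the peer and do not set them lower than the slowest link in the path can sustain; an over-aggressive detect-mult on a lossy WAN causes BFD to flap the BGP session, which is a worse outcome than the slower failover it was meant to prevent.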

