NSE7_EFW | Fortinet NSE7_EFW Exam Questions and Answers 2019
Proper study guides for NSE7_EFW NSE7 Enterprise Firewall - FortiOS 5.4 certified begins with preparation products which designed to deliver the by making you pass the NSE7_EFW test at your first time. Try the free right now.
Also have NSE7_EFW free dumps questions for you:
NEW QUESTION 1
Examine the output of the ‘diagnose ips anomaly list’ command shown in the exhibit; then answer the question below.
Which IP addresses are included in the output of this command?
- A. Those whose traffic matches a DoS policy.
- B. Those whose traffic matches an IPS sensor.
- C. Those whose traffic exceeded a threshold of a matching DoS policy.
- D. Those whose traffic was detected as an anomaly by an IPS senso
NEW QUESTION 2
What does the dirty flag mean in a FortiGate session?
- A. Traffic has been blocked by the antivirus inspection.
- B. The next packet must be re-evaluated against the firewall policies.
- C. The session must be removed from the former primary unit after an HA failover.
- D. Traffic has been identified as from an application that is not allowe
NEW QUESTION 3
Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)
- A. SIP session helper runs in the kernel; SIP ALG runs as a user space process.
- B. SIP ALG supports SIP HA failover; SIP helper does not.
- C. SIP ALG supports SIP over IPv6; SIP helper does not.
- D. SIP ALG can create expected sessions for media traffic; SIP helper does not.
- E. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UD
NEW QUESTION 4
A FortiGate device has the following LDAP configuration:
The LDAP user student cannot authenticate. The exhibit shows the output of the authentication real time debug while testing the student account:
Based on the above output, what FortiGate LDAP settings must the administer check? (Choose two.)
- A. cnid.
- B. username.
- C. password.
- D. d
NEW QUESTION 5
Examine the partial output from two web filter debug commands; then answer the question below:
Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?
- A. Finance and banking
- B. General organization.
- C. Business.
- D. Information technolog
NEW QUESTION 6
An administrator has configured a FortiGate device with two VDOMs: root and internal. The administrator has also created and inter-VDOM link that connects both VDOMs. The objective is to have each VDOM advertise some routes to the other VDOM via OSPF through the inter-VDOM link. What OSPF configuration settings must match in both VDOMs to have the OSPF adjacency successfully forming? (Choose three.)
- A. Router ID.
- B. OSPF interface area.
- C. OSPF interface cost.
- D. OSPF interface MTU.
- E. Interface subnet mas
NEW QUESTION 7
View the exhibit, which contains the partial output of an IKE real time debug, and then answer the question below.
The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?
- A. Change phase 1 encryption to AESCBC and authentication to SHA128.
- B. Change phase 1 encryption to 3DES and authentication to CBC.
- C. Change phase 1 encryption to AES128 and authentication to SHA512.
- D. Change phase 1 encryption to 3DES and authentication to SHA256.
NEW QUESTION 8
Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?
- A. FortiGate limits the number of simultaneous sessions per explicit web proxy use
- B. This limit CANNOT be modified by the administrator.
- C. FortiGate limits the total number of simultaneous explicit web proxy users.
- D. FortiGate limits the number of simultaneous sessions per explicit web proxy use
- E. The limit CAN be modified by the administrator.
- F. FortiGate limits the number of workstations that authenticate using the same web proxy user credential
- G. This limit CANNOT be modified by the administrator.
NEW QUESTION 9
View the central management configuration shown in the exhibit, and then answer the question below.
Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?
- A. 10.0.1.240
- B. One of the public FortiGuard distribution servers
- C. 10.0.1.244
- D. 10.0.1.242
NEW QUESTION 10
Examine the IPsec configuration shown in the exhibit; then answer the question below.
An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:
diagnose vpn ike log-filter src-addr4 10.0.10.1 diagnose debug application ike -1
diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn’t there any output?
- A. The IKE real time shows the phases 1 and 2 negotiations onl
- B. It does not show any more outputonce the tunnel is up.
- C. The log-filter setting is set incorrectl
- D. The VPN’s traffic does not match this filter.
- E. The IKE real time debug shows the phase 1 negotiation onl
- F. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
- G. The IKE real time debug shows error messages onl
- H. If it does not provide any output, it indicates that the tunnel is operating normally.
NEW QUESTION 11
View the exhibit, which contains the output of get sys ha status, and then answer the question below.
Which statements are correct regarding the output? (Choose two.)
- A. The slave configuration is not synchronized with the master.
- B. The HA management IP is 169.254.0.2.
- C. Master is selected because it is the only device in the cluster.
- D. port 7 is used the HA heartbeat on all devices in the cluste
NEW QUESTION 12
View the global IPS configuration, and then answer the question below.
Which of the following statements is true regarding this configuration?
- A. IPS will scan every byte in every session.
- B. FortiGate will spawn IPS engine instances based on the system load.
- C. New packets will be passed through without inspection if the IPS socket buffer runs out of memory.
- D. IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.
NEW QUESTION 13
An LDAP user cannot authenticate against a FortiGate device. Examine the real time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.
- A. User student is not found in the LDAP server.
- B. User student is using a wrong password.
- C. The FortiGate has been configured with the wrong password for the LDAP administrator.
- D. The FortiGate has been configured with the wrong authentication schem
NEW QUESTION 14
Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)
- A. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.
- B. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.
- C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.
- D. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
NEW QUESTION 15
What global configuration setting changes the behavior for content-inspected traffic while FortiGate is in system conserve mode?
- A. av-failopen
- B. mem-failopen
- C. utm-failopen
- D. ips-failopen
NEW QUESTION 16
Examine the output of the ‘diagnose sys session list expectation’ command shown in the exhibit; than answer the question below.
Which statement is true regarding the session in the exhibit?
- A. It was created by the FortiGate kernel to allow push updates from FotiGuard.
- B. It is for management traffic terminating at the FortiGate.
- C. It is for traffic originated from the FortiGate.
- D. It was created by a session helper or AL
NEW QUESTION 17
An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration. The administrator has also enabled the IKE real time debug: diagnose debug application ike-1
diagnose debug enable
In which order is each step and phase displayed in the debug output each time a new dial-up user is connecting to the VPN?
- A. Phase1; IKE mode configuration; XAuth; phase 2.
- B. Phase1; XAuth; IKE mode configuration; phase2.
- C. Phase1; XAuth; phase 2; IKE mode configuration.
- D. Phase1; IKE mode configuration; phase 2; XAut
P.S. Dumpscollection now are offering 100% pass ensure NSE7_EFW dumps! All NSE7_EFW exam questions have been updated with correct answers: http://www.dumpscollection.net/dumps/NSE7_EFW/ (88 New Questions)