Practice NSE7_EFW-7.2 Questions With Certification guide Q&A from Training Expert [Q46-Q68]



Fortinet NSE7_EFW-7.2 Exam Syllabus Topics:

Topic | Details
Topic 1 | Routing: It covers implementing OSPF to route enterprise traffic and Border Gateway Protocol (BGP) to route enterprise traffic.
Topic 2 | Security profiles: Using FortiManager as a local FortiGuard server is discussed in this topic. Moreover, it delves into configuring web filtering, application control, and the intrusion prevention system (IPS) in an enterprise network.
Topic 3 | VPN: Implementing IPsec VPN IKE version 2 is discussed in this topic. Additionally, it delves into implementing auto-discovery VPN (ADVPN) to enable on-demand VPN tunnels between sites.
Topic 4 | System configuration: This topic discusses Fortinet Security Fabric and hardware acceleration. Furthermore, it delves into configuring various operation modes for an HA cluster.
Topic 5 | Central management: The topic of Central management covers implementing central management.


NEW QUESTION # 46
After enabling IPS you receive feedback about traffic being dropped.
What could be the reason?

  • A. IPS is configured to monitor
  • B. Fail-open is set to disable
  • C. Np-accel-mode is set to enable
  • D. Traffic-submit is set to disable

Answer: D

Explanation:
Fail-open is a feature that allows traffic to pass through the IPS sensor without inspection when the sensor fails or is overloaded. If fail-open is set to disable, traffic will be dropped in such scenarios [1].
References: [1] IPS | FortiGate / FortiOS 7.2.3 - Fortinet Documentation
When IPS (Intrusion Prevention System) is configured, if fail-open is set to disable, it means that if the IPS engine fails, traffic will not be allowed to pass through, which can result in traffic being dropped (D). This is in contrast to a fail-open setting, which would allow traffic to bypass the IPS engine if it is not operational.


NEW QUESTION # 47
How would the fec-ingress and fec-egress IPsec configuration affect an IPsec tunnel?

  • A. If fragmentation occurs, FortiGate will allow the packets at the IKE layer.
  • B. When an FGSP member in FortiGate fails, FortiGate flushes the corresponding tunnels and sends out dead peer detection probes to find unavailable remote peers.
  • C. FortiGate will add additional redundant information to reconstruct any lost or erratically received packets.
  • D. FortiGate will consider all IKEV2 packets as fragmentable.

Answer: C


NEW QUESTION # 48
Refer to the exhibit, which shows the output of a BGP summary.

What two conclusions can you draw from this BGP summary? (Choose two.)

  • A. The BGP session with peer 10.127.0.75 is established.
  • B. The neighbors displayed are linked to a local router with the neighbor-range set to a value of 4.
  • C. The router 100.64.3.1 has the parameter bfd set to enable.
  • D. External BGP (EBGP) exchanges routing information.

Answer: A,D

Explanation:
The output of the BGP (Border Gateway Protocol) summary shows details about the BGP neighbors of a router, their Autonomous System (AS) numbers, the state of the BGP session, and other metrics like messages received and sent.
From the BGP summary provided:
A). External BGP (EBGP) exchanges routing information.
This conclusion can be inferred because the AS numbers for the neighbors are different from the local AS number (65117), which suggests that these are external connections.
B). The BGP session with peer 10.127.0.75 is established. This is indicated by the state/prefix received column showing a numeric value (1), which typically means that the session is established and a number of prefixes has been received.
C). The router 100.64.3.1 has the parameter bfd set to enable. This cannot be concluded directly from the summary without additional context or commands specifically showing BFD (Bidirectional Forwarding Detection) configuration.
D). The neighbors displayed are linked to a local router with the neighbor-range set to a value of 4. The neighbor-range concept does not apply here; the value 4 in the 'V' column stands for the BGP version number, which is typically 4.


NEW QUESTION # 49
Exhibit.

Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?

  • A. Public FortiGuard servers
  • B. 10.0.1.243
  • C. 10.0.1.242
  • D. 10.0.1.244

Answer: D

Explanation:
In the event of an outage at 10.0.1.240, the FortiGate will choose the next server in the sequence for web filter rating requests, which is 10.0.1.244 according to the configuration shown in the exhibit. This is because the server list is ordered by priority, and the server with the lowest priority number is chosen first. If that server is unavailable, the next server with the next lowest priority number is chosen, and so on. The public FortiGuard servers are only used if the include-default-servers option is enabled and all the custom servers are unavailable.
References: Fortinet Enterprise Firewall Study Guide for FortiOS 7.2, page 132.


NEW QUESTION # 50
Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?

  • A. The routers are in the same area ID of 0.0.0.0.
  • B. BGP is attempting to establish a TCP connection with the BGP peer.
  • C. The bfd configuration is set to enable.
  • D. You must change the AS number to match the remote peer.

Answer: B

Explanation:
The BGP state is "Idle", indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet. If the TCP connection fails, the BGP state will reset to either active or idle, depending on the configuration.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-Neighbor-Adjacency-States/ta-p/208989


NEW QUESTION # 51
You want to configure faster failure detection for BGP.
Which parameter should you enable on both connected FortiGate devices?

  • A. Graceful-restart
  • B. Ebgp-enforce-multihop
  • C. bfd
  • D. Distribute-list-in

Answer: C

Explanation:
BFD (Bidirectional Forwarding Detection) is a protocol that provides fast failure detection for BGP by sending periodic messages to verify the connectivity between two peers [1]. BFD can be enabled on both connected FortiGate devices by using the command set bfd enable under the BGP configuration [2].
References: [1] Technical Tip: FortiGate BFD implementation and examples; [2] Configure BGP | FortiGate / FortiOS 7.0.2 - Fortinet Documentation


NEW QUESTION # 52
Refer to the exhibit, which contains a partial BGP configuration.

You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)

  • A. recursive-next-hop
  • B. ebgp-enforce-multihop
  • C. update-source
  • D. ibgp-enforce-multihop

Answer: B,C

Explanation:
To configure a loopback as the BGP source, you need to set the "ebgp-enforce-multihop" and "update-source" parameters in the BGP configuration. The "ebgp-enforce-multihop" allows EBGP connections to neighbor routers that are not directly connected, while "update-source" specifies the IP address that should be used for the BGP session [1].
References: [1] BGP on loopback, Loopback interface, Technical Tip: Configuring EBGP Multihop Load-Balancing, Technical Tip: BGP routes are not installed in routing table with loopback as update source


NEW QUESTION # 53
While configuring the BGP protocol, an administrator applies the set network-import-check disable command under config router bgp.
What will FortiGate do as a result of this command?

  • A. FortiGate will advertise all the prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table.
  • B. FortiGate will not advertise the prefixes, if it is not in the routing table.
  • C. FortiGate will not advertise any imported routes received from one BGP neighbor to another.
  • D. FortiGate will advertise only the corresponding prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table.

Answer: A


NEW QUESTION # 54
Refer to the exhibit, which shows the output of diagnose sys session list.

If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the primary?

  • A. The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.
  • B. Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.
  • C. The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.
  • D. The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.

Answer: B

Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-see-if-a-session-is-synced-in-HA/ta-p/194185


NEW QUESTION # 55
Exhibit.

Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)

  • A. NGFW-1 is the designated router.
  • B. The OSPF routers are in the area ID of 0.0.0.1.
  • C. The interfaces of the OSPF routers match the MTU value that is configured as 1500.
  • D. The port3 network has more than one OSPF router.

Answer: C,D

Explanation:
From the OSPF interface command output, we can conclude that the port3 network has more than one OSPF router because the Neighbor Count is 2, indicating the presence of another OSPF router besides NGFW-1. Additionally, we can deduce that the interfaces of the OSPF routers match the MTU value configured as 1500, which is necessary for OSPF neighbors to form adjacencies. An MTU mismatch would prevent OSPF from forming a neighbor relationship.
References:
* Fortinet FortiOS Handbook: OSPF Configuration


NEW QUESTION # 56
Refer to the exhibit, which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)

  • A. The OSPF routers are in the area ID of 0.0.0.1.
  • B. The interfaces of the OSPF routers match the MTU value that is configured as 1500.
  • C. NGFW-1 is the designated router.
  • D. The port3 network has more than one OSPF router.

Answer: B,D

Explanation:
From the OSPF interface command output, we can conclude that the port3 network has more than one OSPF router because the Neighbor Count is 2, indicating the presence of another OSPF router besides NGFW-1. Additionally, we can deduce that the interfaces of the OSPF routers match the MTU value configured as 1500, which is necessary for OSPF neighbors to form adjacencies. An MTU mismatch would prevent OSPF from forming a neighbor relationship.


NEW QUESTION # 57
Which two statements about the Security Fabric are true? (Choose two.)

  • A. Only FortiGate devices with configuration-sync set to default receive and synchronize global CMDB objects that the root FortiGate sends
  • B. Only the root FortiGate sends logs to FortiAnalyzer
  • C. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer
  • D. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer

Answer: A,C


NEW QUESTION # 58
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub-and-spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?

  • A. Enable route redistribution under config router bgp
  • B. Configure the hub as a route reflector
  • C. Add a prefix list to the hub that permits routes to be shared between the spokes
  • D. Configure auto-discovery-sender on the hub

Answer: B

Explanation:
If you are using iBGP for ADVPN, you must configure the hub as a route reflector so that routes learned from one spoke are forwarded to the other spokes.


NEW QUESTION # 59
Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

  • A. udp is not a protocol option.
  • B. fortiguard-anycast is set to enable.
  • C. FortiManager provides FortiGuard.
  • D. You do not have the corresponding write access.

Answer: B

Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-UDP-protocol-for-FortiGuard-web-filter/ta-p/191920


NEW QUESTION # 60
Which two statements about metadata variables are true? (Choose two.)

  • A. The metadata format is $<metadata_variable_name>.
  • B. They apply only to non-firewall objects.
  • C. They can be used as variables in scripts
  • D. You create them on FortiGate

Answer: C,D

Explanation:
Metadata variables in FortiGate are created to store metadata associated with different FortiGate features.
These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.
References: Fortinet FortiOS Handbook: CLI Reference


NEW QUESTION # 61
Exhibit.

Refer to the exhibit, which contains a partial policy configuration.
Which setting must you configure to allow SSH?

  • A. Include SSH in the Application field
  • B. Configure port 22 in the Protocol Options field.
  • C. Specify SSH in the Service field
  • D. Select an application control profile corresponding to SSH in the Security Profiles section

Answer: C

Explanation:
Option A is correct because to allow SSH, you need to specify SSH in the Service field of the policy configuration. This is because the Service field determines which types of traffic are allowed by the policy [1]. By default, the Service field is set to App Default, which means that the policy will use the default ports defined by the applications. However, SSH is not one of the default applications, so you need to specify it manually or create a custom service for it [2].
Option B is incorrect because configuring port 22 in the Protocol Options field is not enough to allow SSH. The Protocol Options field allows you to customize the protocol inspection and anomaly protection settings for the policy [3]. However, this field does not override the Service field, which still needs to match the traffic type.
Option C is incorrect because including SSH in the Application field is not enough to allow SSH. The Application field allows you to filter the traffic based on the application signatures and categories [4]. However, this field does not override the Service field, which still needs to match the traffic type.
Option D is incorrect because selecting an application control profile corresponding to SSH in the Security Profiles section is not enough to allow SSH. The Security Profiles section allows you to apply various security features to the traffic, such as antivirus, web filtering, IPS, etc. However, this section does not override the Service field, which still needs to match the traffic type.
References:
[1] Firewall policies
[2] Services
[3] Protocol options profiles
[4] Application control


NEW QUESTION # 62
Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

  • A. udp is not a protocol option.
  • B. fortiguard-anycast is set to enable.
  • C. FortiManager provides FortiGuard.
  • D. You do not have the corresponding write access.

Answer: B

Explanation:
The reason for the command failure when trying to set the protocol to UDP in the config system fortiguard is likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.


NEW QUESTION # 63
Which two statements about the Security fabric are true? (Choose two.)

  • A. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer.
  • B. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
  • C. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the root FortiGate sends.
  • D. Only the root FortiGate sends logs to FortiAnalyzer.

Answer: C,D

Explanation:
In the Security Fabric, only the root FortiGate sends logs to FortiAnalyzer (B). Additionally, only FortiGate devices with configuration-sync enabled receive and synchronize global Central Management Database (CMDB) objects that the root FortiGate sends (C). FortiGate uses the FortiTelemetry protocol to communicate with other FortiGates, not FortiAnalyzer (A). The last option (D) is incorrect as all FortiGates can collect and forward network topology information to FortiAnalyzer.
References:
* FortiOS Handbook - Security Fabric


NEW QUESTION # 64
Which two statements about IKE version 2 are true? (Choose two.)

  • A. It exchanges a minimum of four messages to establish a secure tunnel
  • B. It supports the extensible authentication protocol (EAP)
  • C. Phase 1 includes main mode
  • D. It supports the XAuth protocol.

Answer: A,B

Explanation:
IKE version 2 supports the extensible authentication protocol (EAP), which allows for more flexible and secure authentication methods [1]. IKE version 2 also exchanges a minimum of four messages to establish a secure tunnel, which is more efficient than IKE version 1 [2].
References: [1] IKE settings | FortiClient 7.2.2 - Fortinet Documentation; [2] Technical Tip: How to configure IKE version 1 or 2 - Fortinet Community


NEW QUESTION # 65
Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?

  • A. Only CPs are disabled
  • B. NPs and CPs are enabled
  • C. NPs and CPs are disabled
  • D. Only NPs are disabled

Answer: B

Explanation:
The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs.
Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.
References:
* FortiOS Handbook - CLI Reference for FortiOS 5.2


NEW QUESTION # 66
Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

  • A. The restarting router sends gratuitous ARP for 30 seconds.
  • B. Neighbors maintain communication with the restarting router.
  • C. The router sends grace LSAs before it restarts.
  • D. FortiGate restarts if the topology changes.

Answer: D

Explanation:
From the partial OSPF (Open Shortest Path First) configuration output:
B: The router sends grace LSAs before it restarts: This is implied by the command 'set restart-mode graceful-restart'. When OSPF is configured with graceful restart, the router sends grace LSAs (Link State Advertisements) to inform its neighbors that it is restarting, allowing for a seamless transition without recalculating routes.
Fortinet documentation on OSPF configuration clearly states that enabling graceful restart mode allows the router to maintain its adjacencies and routes during a brief restart period.


NEW QUESTION # 67
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?

  • A. Configure IP addresses on IPsec virtual interfaces
  • B. Set protected network to all
  • C. Disable add-route on hub
  • D. Enable AD-VPN in IPsec phase 1

Answer: D

Explanation:
To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager.
References: ADVPN | FortiManager 7.2.0 - Fortinet Documentation


NEW QUESTION # 68
......

Prepare Top Fortinet NSE7_EFW-7.2 Exam Audio Study Guide Practice Questions Edition: https://skillmeup.examprepaway.com/Fortinet/braindumps.NSE7_EFW-7.2.ete.file.html