NSE7_EFW-7.0 Fortinet NSE 7 - Enterprise Firewall 7.0 Questions and Answers

BGP peers have successfully interchanged Open and Keepalive messages.

Local BGP peer received a prefix for a default route.

The state of the remote BGP peer is OpenConfirm.

The state of the remote BGP peer will go to Connect after it confirms the received prefixes.

FortiGate uses CN information from the Subject field in the server’s certificate.

FortiGate switches to the full SSL inspection method to decrypt the data.

FortiGate blocks the request without any further inspection.

FortiGate uses the requested URL from the user’s web browser.

The OSPF router with the ID 0.0.0.69 has its OSPF priority set to 0.

The local FortiGate has a different MTU value from the OSPF router with ID 0.0.0.2, based on the state information.

There are more than two OSPF routers on the wan2 network.

The interface ToRemote is a broadcast OSPF network.

Preview pending configuration changes for managed devices.

Add devices to FortiManager.

Import policy packages from managed devices.

Install configuration changes to managed devices.

Import interface mappings from managed devices.

Commands that start with the # sign are not executed.

CLI scripts will add objects only if they are referenced by policies.

Incomplete commands are ignored in CLI scripts.

Static routes can only be added using TCL scripts.

The administrator must also run the command diagnose debug enable.

The administrator must enable the following real-time debug: diagnose debug application ipsec -1.

The log-filter setting is incorrect. The VPN traffic does not match this filter.

The debug shows only error messages. If there is no output, then the phase 1 and phase 2 configurations match.

In the phase 1 network configuration, set the IKE version to 2.

In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.

In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.

In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.

port!

port2.

Both portl and port2.

port3.

When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.

When run on the Device Database, changes are applied directly to the managed FortiGate device.

When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device

In the network on port4, two OSPF routers are down.

Port4 is connected to the OSPF backbone area.

The local FortiGate’s OSPF router ID is 0.0.0.4

The local FortiGate has been elected as the OSPF backup designated router.

IPS will scan every byte in every session.

FortiGate will spawn IPS engine instances based on the system load.

New packets will be passed through without inspection if the IPS socket buffer runs out of memory.

IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

The session would remain in the session table, and its traffic would still egress from port1.

The session would remain in the session table, but its traffic would now egress from both port1 and port2.

The session would remain in the session table, and its traffic would start to egress from port2.

The session would be deleted, so the client would need to start a new session.

The server does not have the user credentials yet.

The server requires more information from the user, such as the token code for two-factor authentication.

The user credentials are wrong.

The user account is not found in the server.

There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.

The TZ value represents the delta between each FortiGuard server ' s time zone and the FortiGate ' s time zone.

FortiGate will send the FortiGuard queries to the server with highest weight.

A server ' s round trip delay (RTT) is not used to calculate its weight.

IPS inspection is affected when FortiGate enters FD conserve mode.

A FortiGate enters FD conserve mode when the amount of available description is less than 5%.

FD conserve mode affects all daemons running on the device.

Restarting the WAD process is required to leave FD conserve mode.

set server-type rating under config system central-management

set webfilter-cache enable under config system fortiguard

set webfilter-force-off disable under config system fortiguard

set ngfw-mode policy-based under config system settings

The remote gateway IP address is 10.0.0.1.

It shows a phase 1 negotiation.

The negotiation is using AES128 encryption with CBC hash.

The initiator has provided remote as its IPsec peer ID.

set av-failopen off

set av-failopen pass

set fail-open enable

set ips fail-open disable

The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.

The log-filter setting was set incorrectly. The VPN’s traffic does not match this filter.

The debug shows only error messages. If there is no output, then the tunnel is operating normally.

The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

If FGVM...649 is rebooted, FGVM...650 will become the primary and retain that role, even after FGVM...649 rejoins the cluster.

If no action is taken, the primary FortiGate will leave the cluster due to the current sync status.

If port7 becomes disconnected on the secondary, both FortiGate devices will elect itself the primary.

If a configuration change is made to the primary FortiGate at this time, the secondary will initiate a synchronization reset.

FortiManager can download and maintain local copies of FortiGuard databases.

FortiManager supports only FortiGuard push to managed devices.

FortiManager will respond to update requests only if they originate from a managed device.

FortiManager does not support rating requests.

Both session have the local flag on.

The destination IP addresses of both sessions are IP addresses assigned to FortiGate ' s interfaces.

One session has the proxy flag on, the other one does not.

One of the sessions has the IP address of port2 as the source IP address.

ADOMs are disabled on the FortiManager

The FortiGate configuration is in sync with latest running revision history.

There are pending device-level changes yet to be installed on Local-FortiGate.

The policy package has been modified for Local-FortiGate.

diagnose sniffer packet any ‘ah’

diagnose sniffer packet any ‘ip proto 50’

diagnose sniffer packet any ‘udp port 4500’

diagnose sniffer packet any ‘udp port 500’

For the peer 10.125.0.60, the BGP state of is Established.

The local BGP peer has received a total of three BGP prefixes.

Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.

The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.

A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.

A FortiGate starts dropping all the new and old sessions when the configured memory use threshold reaches extreme.

A FortiGate starts dropping new sessions when the configured memory use threshold reaches red

A FortiGate enters conserve mode when the configured memory use threshold reaches red

The local router ' s BGP state is Established with the 10.125.0.60 peer.

Since the counters were last reset; the 10.200.3.1 peer has never been down.

The local router has received a total of three BGP prefixes from all peers.

The local router has not established a TCP session with 100.64.3.1.

The port2 interface is disabled in the FortiGate configuration.

The port1 default route has a lower distance than the default route using port2.

The port1 default route has a higher priority value than the default route using port2.

The port1 default route has a lower priority value than the default route using port2.

It is currently in system conserve mode because of high CPU usage.

It is currently in extreme conserve mode because of high memory usage.

It is currently in proxy conserve mode because of high memory usage.

It is currently in memory conserve mode because of high memory usage.

Group ID.

Group name.

Session pickup.

Gratuitous ARPs.

The slave configuration is not synchronized with the master.

The HA management IP is 169.254.0.2.

Master is selected because it is the only device in the cluster.

port 7 is used the HA heartbeat on all devices in the cluster.

FortiGate starts taking the configured action for new sessions requiring content inspection when the system memory reaches the configured red threshold.

FortiGate starts dropping all new sessions when the system memory reaches the configured red threshold.

FortiGate enters conserve mode when the system memory reaches the configured extreme threshold.

FortiGate exits conserve mode when the system memory goes below the configured green threshold.

Both port1 and port2

port3

port1

port2

Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.

Only the root FortiGate sends logs to FortiAnalyzer.

Only FortiGate devices with fabric-object-unification set to default will receive and synchronize global CMDB objects sent by the root FortiGate.

FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

It provides VM license validation services.

It supports rating requests from non-FortiGate devices.

It caches available firmware updates for unmanaged devices.

It can be configured as an update server, a rating server, or both.

The administrator has reallocated the cache memory to a separate process.

There are no users making web requests.

The FortiGuard web filter cache is disabled in the FortiGate’s configuration.

FortiGate is using a flow-based web filter and the cache applies only to proxy-based inspection.

Set the priority of the static default route using port1 to 10. Most Voted

Set the priority of the static default route using port2 to 1.

Set preserve-session-route to enable.

Set snat-route-change to enable.

auto-discovery-shortcut

auto-discovery-forwarder

auto-discovery-sender

auto-discovery-receiver

10.0.1.240

One of the public FortiGuard distribution servers

10.0.1.244

10.0.1.242

IPS failopen

mem failopen

AV failopen

UTM failopen

Source IP address: 10.1.0.10. Destination IP address: 10.64.1.52

Source IPaddress: 10.72.3.52. Destination IP address: 10.1.0.254

Source IPaddress: 10.10.4.24, Destination IPaddress: 10.72.3.20

Source IPaddress: 10.73.9.10, Destination IPaddress: 10.72.3.15

HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

Redirection of HTTP to HTTPS administrative access is disabled.

HTTP administrative access is configured with a port number different than 80.

The packet is denied because of reverse path forwarding check.

The local router has a different AS number than the remote peer.

The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the openConfirm yet.

The local router initiated the BGP session to 10.200.3.1 but did not receive a response.

The router 10.200.3.1 has authentication configured for BGP and the local router does not.

Configure remote link monitoring to detect an issue in the forwarding path.

Configure set send-garp-on-failover enable under config system ha on both cluster members.

Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.

Configure set link-failed-signal enable under config system ha on both cluster members.

This is an expected session created by a session helper.

Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.

Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.

This is an expected session created by an application control profile.