NSE7_EFW-7.2 Fortinet NSE 7 - Enterprise Firewall 7.2 Questions and Answers

The configuration output shows various global settings for a FortiGate device. The terms NP (Network Processor) and CP (Content Processor) relate to FortiGate ' s hardware acceleration features. However, the provided configuration output does not directly mention the status (enabled or disabled) of NPs and CPs. Typically, the command to disable or enable hardware acceleration features would specifically mention NP or CP in the command syntax. Therefore, based on the output provided, we cannot conclusively determine the status of NPs and CPs, hence option D is the closest answer since the output does not confirm that they are enabled.

To reduce the number of BGP sessions in an IBGP network, you can use a rout e reflector, which acts as a focal point for IBGP sessions and readvertises the prefixes to all other peers. To configure a route reflector, you need to enable the route-reflector-client option on the neighbor-group settings of the hub device. This will ma ke the hub device act as a route reflector server and the other devices as route reflector clients.  References  :=  Route exchange | FortiGate / FortiOS 7.2.0 - Fortinet Documentation

In an active-active load balancing scenario, when the primary FortiGate forwards the SYN packet to the secondary FortiGate, the destination MAC address would be the secondary ' s physical MAC on port1 , as the packet is being sent over the network and the physical MAC is used for layer 2 transmissions.

To ensure that only one remote site is connected at any given time in an IPsec VPN scenario, you should use route-overlap with the option to either use-new or use-old. This setting dictates which routes are preferred and how overlaps in routes are handled, allowing for one connection to take precedence over the other (C).

To configure a loopback as the BGP source, you need to set the “ebgp-enforce-multihop” and “update-source” parameters in the BGP configuration.  The “ebgp-enforce-multihop” allows EBGP connections to neighbor routers that are not directly connected, while “update-source” specifies the IP address that should be used for the BGP session 1 .  References  :=  BGP on loopback ,  Loopback interface ,  Technical Tip: Configuring EBGP Multihop Load-Balancing ,  Technical Tip: BGP routes are not installed in routing table with loopback as update source

ADVPN (Auto Discovery VPN) is a feature that allows to dynamically establish direct tunnels (called shortcuts) between the spokes of a traditional Hub and Spoke architecture. The auto-discovery receiver must be set to enable on the spokes to allow them to receive NHRP messages from the hub and other spokes. NHRP (Next Hop Resolution Protocol) is used for on-demand tunnels, which are established when there is traffic between spo kes. Routing is configured by enabling add-nhrp-route, not add-advpn-route.  References  :=  ADVPN | FortiGate / FortiOS 7.2.0 | Fortinet Docum ent Library ,  Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

The configuration line “set dpd on-idle” indicates that dead peer detection (DPD) is set to trigger only when the tunnel is idle, not actively d isabled 1 .  References :  FortiGate IPSec VPN User Guide - Fortinet Document Library

From the given VPN configuration, dead peer detection (DPD) is set to ' on-idle ' , indicating that DPD is enabled and will be used to detect if the other end of the VPN tunnel is still alive when no traffic is detected. Hence, option C is incorrect. The configuration shows the tunnel set to type ' dynamic ' , which does not crea te separate virtual interfaces for each dial-up client (A), and it is not specified that dynamic routing will be used (B). Since this is a phase 1 configuration snippet, the routing table aspect (D) cannot be concluded from this alone.

For improving reliability over a lossy IPSec tunnel, the fragmentation and fragmentation-mtu pa rameters should be configured. In scenarios where there might be issues with packet size or an unreliable network, setting the IPsec phase 1 to allow for fragmentation will enable large packets to be broken down, preventing them from being dropped due to s ize or poor network quality. The fragmentation-mtu specifies the size of the fragments. This is aligned with Fortinet ' s recommendations for handling IPsec VPN over networks with potential packet loss or size limitations.

For the ADVPN feature to function properly on the hub, the following phase 1 parameters must be configured:

A. set auto-discovery-forwarder enable: This enables the hub to forward shortcut information to the spokes, which is essential for them to establish direct tunnels.

C. set auto-discovery-receiver enable: This allows the hub to receive shortcut offers from the spokes.

This information is corroborated by the Fortinet documentation, which explains that in an ADVPN setup, the hub must be able to both forward and receive shortcut information for dynamic tunnel creation between spokes.

Virtual MAC Address and Failover

- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

#Config system ha

set link-failed-signal enable

end

- This simulates a link failure that clears the related entries from MAC table of the switches.

The output of the BGP (Border Gateway Protocol) summary shows details about the BGP neighbors of a router, their Autonomous System (AS) numbers, the state of the BGP session, and other metrics like messages received and sent.

From the BGP summary provided:

A. External BGP (EBGP) exchanges routing information.

This conclusion can be inferred becau se the AS numbers for the neighbors are different from the local AS number (65117), which suggests that these are external connections.

B. The BGP session with peer 10.127.0.75 is established.

This is indicated by the state/prefix received column showing a numeric value (1), which typically means that the session is established and a number of prefixes has been received.

C. The router 100.64.3.1 has the parameter bfd set to enable.

This cannot be concluded directly from the summary without additional contex t or commands specifically showing BFD (Bidirectional Forwarding Detection) configuration.

D. The neighbors displayed are linked to a local router with the neighbor-range set to a value of 4.

The neighbor-range concept does not apply here; the value 4 in t he ' V ' column stands for the BGP version number, which is typically 4.

Option D is the correct answer because it specifically blocks access to the website “www.eicar.org” using TCP protocol and HTTP service, which are commonly used for web browsing. The other options either use the wrong protocol (UDP), the wrong service (DNS or SSL), or the wrong pattern (“eicar” instead of “www.eicar.org”).  References  :=  Configuring custom signatures | FortiGate / FortiOS 7.4.0 - Fortinet Document Library , section “Signature to block access to example.com”.

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Re ference