
Reliable NSE7 EFW-7.2 Exam Questions - Your Key to Passing the Fortinet NSE7 EFW-7.2 Exam

NSE 7 Network Security Architect Exam
NSE7_EFW-7.2 Questions V13.03
NSE 7 Network Security Architect
Topics - Fortinet NSE 7 Enterprise Firewall 7.2
1.Which two statements about metadata variables are true? (Choose two.)
A. You create them on FortiGate.
B. They apply only to non-firewall objects.
C. The metadata format is $<metadata_variable_name>.
D. They can be used as variables in scripts.
Answer: CD
Explanation:
Metadata variables are created on the FortiGate and can be used to dynamically
insert information into scripts or configurations.
Metadata variables are designed to be used as placeholders within scripts, allowing
dynamic content to be applied when the script is executed.

2.Refer to the exhibit, which contains a partial BGP configuration.
You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)
A. ebgp-enforce-multihop
B. recursive-next-hop
C. ibgp-enforce-multihop
D. update-source
Answer: A, D
Explanation:
To configure a loopback as the BGP source, you need to set the “ebgp-enforce-multihop”
and “update-source” parameters in the BGP configuration. The “ebgp-enforce-multihop”
setting allows EBGP connections to neighbor routers that are not directly
connected, while “update-source” specifies the IP address that should be used for
the BGP session [1].
Reference: BGP on loopback, Loopback interface, Technical Tip: Configuring EBGP
Multihop Load-Balancing, Technical Tip: BGP routes are not installed in routing table
with loopback as update source
3.Exhibit.
Refer to the exhibit, which shows a partial web filter profile configuration.
What can you conclude from this configuration about access to www.facebook.com,
which is categorized as Social Networking?
A. The access is blocked based on the Content Filter configuration.
B. The access is allowed based on the FortiGuard Category Based Filter
configuration.
C. The access is blocked based on the URL Filter configuration.
D. The access is blocked if the local or the public FortiGuard server does not reply.
Answer: C
Explanation:
The access to www.facebook.com is blocked based on the URL Filter configuration.
The exhibit shows that the URL “www.facebook.com” is specifically set to
“Block” under the URL Filter section [1].
Reference: Fortigate: How to configure Web Filter function on Fortigate, Web filter |
FortiGate / FortiOS 7.0.2 | Fortinet Document Library, FortiGate HTTPS web URL
filtering … - Fortinet … - Fortinet Community
4.An administrator has configured two FortiGate devices for an HA cluster. While
testing HA failover, the administrator notices that some of the switches in the network
continue to send traffic to the former primary device.
What can the administrator do to fix this problem?
A. Verify that the speed and duplex settings match between the FortiGate interfaces
and the connected switch ports.
B. Configure set link-failed-signal enable under config system ha on both cluster
members.
C. Configure remote link monitoring to detect an issue in the forwarding path.
D. Configure set send-garp-on-failover enable under config system ha on both
cluster members.
Answer: B
5.Exhibit.
Refer to the exhibit, which shows information about an OSPF interface.
What two conclusions can you draw from this command output? (Choose two.)
A. The port3 network has more than one OSPF router.
B. The OSPF routers are in the area ID of 0.0.0.1.
C. The interfaces of the OSPF routers match the MTU value that is configured as
1500.
D. NGFW-1 is the designated router.
Answer: A, C
Explanation:
From the OSPF interface command output, we can conclude that the port3 network
has more than one OSPF router because the Neighbor Count is 2, indicating the
presence of another OSPF router besides NGFW-1. Additionally, we can deduce that
the interfaces of the OSPF routers match the MTU value configured as 1500, which is
necessary for OSPF neighbors to form adjacencies. The MTU mismatch would
prevent OSPF from forming a neighbor relationship.
Reference: Fortinet FortiOS Handbook: OSPF Configuration
6.In which two ways does FortiManager function when it is deployed as a local FDS?
(Choose two.)
A. It can be configured as an update server, a rating server, or both.
B. It provides VM license validation services.
C. It supports rating requests from non-FortiGate devices.
D. It caches available firmware updates for unmanaged devices.
Answer: BD
Explanation:
When deployed as a local FortiGuard Distribution Server (FDS), FortiManager
functions in several capacities. It can act as an update server, a rating server, or both,
providing firmware updates and FortiGuard database updates. Additionally, it plays a
crucial role in VM license validation services, ensuring that the connected FortiGate
devices are operating with valid licenses. However, it does not support rating requests
from non-FortiGate devices nor cache firmware updates for unmanaged devices.
Reference: Fortinet FortiOS Handbook: FortiManager as a Local FDS Configuration
7.Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
A. NPs and CPs are enabled.
B. Only CPs are disabled.
C. Only NPs are disabled.
D. NPs and CPs are disabled.
Answer: D
Explanation:
The configuration output shows various global settings for a FortiGate device. The
terms NP (Network Processor) and CP (Content Processor) relate to FortiGate's
hardware acceleration features. However, the provided configuration output does not
directly mention the status (enabled or disabled) of NPs and CPs. Typically, the
command to disable or enable hardware acceleration features would specifically
mention NP or CP in the command syntax. Therefore, based on the output provided,
we cannot conclusively determine the status of NPs and CPs, hence option D is the
closest answer since the output does not confirm that they are enabled.
Reference: FortiOS Handbook - CLI Reference for FortiOS 5.2
8.Refer to the exhibit, which shows a routing table.
What two options can you configure in OSPF to block the advertisement of the
10.1.10.0 prefix? (Choose two.)
A. Remove the 10.1.10.0 prefix from the OSPF network
B. Configure a distribute-list-out
C. Configure a route-map out
D. Disable Redistribute Connected
Answer: B, C
Explanation:
To block the advertisement of the 10.1.10.0 prefix in OSPF, you can configure a
distribute-list-out or a route-map out. A distribute-list-out is used to filter outgoing
routing updates from being advertised to OSPF neighbors [1]. A route-map out can also
be used for filtering and is applied to outbound routing updates [2].
Reference: Technical Tip: Inbound route filtering in OSPF usi … - Fortinet
Community, OSPF | FortiGate / FortiOS 7.2.2 - Fortinet Documentation
9.Exhibit.
Refer to the exhibit, which shows a partial routing table.
What two conclusions can you draw from the corresponding FortiGate configuration?
(Choose two.)
A. IPSec tunnel aggregation is configured.
B. net-device is enabled in the tunnel IPSec phase 1 configuration.
C. OSPF is configured to run over IPSec.
D. add-route is disabled in the tunnel IPSec phase 1 configuration.
Answer: B, C
Explanation:
From the partial routing table in the exhibit, here are two conclusions that can be
drawn regarding the FortiGate configuration:
net-device is enabled in the tunnel IPSec phase 1 configuration.
The routing table shows multiple entries for tunnel interfaces (e.g., tunnel 0 and tunnel
1). This typically indicates that each IPSec tunnel has a corresponding interface in the
FortiGate configuration, which is characteristic of the net-device feature being
enabled in the IPSec phase 1 configuration.
OSPF is configured to run over IPSec.
The routes with the protocol "O" are OSPF routes. Given that OSPF routes appear for
IPs that are reachable through tunnel interfaces, it suggests that OSPF is running
over these IPSec tunnels, which is likely used for dynamic routing over the VPN.
10.Which ADVPN configuration must be configured using a script on FortiManager,
when using VPN Manager to manage FortiGate VPN tunnels?
A. Enable AD-VPN in IPsec phase 1.
B. Disable add-route on hub.
C. Configure IP addresses on IPsec virtual interfaces.
D. Set protected network to all.
Answer: A
Explanation:
To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the
Auto-Discovery VPN toggle. This will automatically add the required settings to the
IPsec template and the BGP template. You cannot enable AD-VPN directly in the
IPsec phase 1 settings using VPN Manager.
Reference: ADVPN | FortiManager 7.2.0 - Fortinet Documentation
11.Exhibit.
Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?
A. The router are in the number to match the remote peer.
B. You must change the AS number to match the remote peer.
C. BGP is attempting to establish a TCP connection with the BGP peer.
D. The bfd configuration is set to enable.
Answer: C
Explanation:
The BGP state is “Idle”, indicating that BGP is attempting to establish a TCP
connection with the peer. This is the first state in the BGP finite state machine, and it
means that no TCP connection has been established yet. If the TCP connection fails,
the BGP state will reset to either active or idle, depending on the configuration.
Reference: You can find more information about BGP states and troubleshooting in
the following Fortinet Enterprise Firewall 7.2 documents:
Troubleshooting BGP
How BGP works
12.Exhibit.
Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.
Which two parameters must you configure on the corresponding single hub? (Choose
two.)
A. Set auto-discovery-sender enable
B. Set ike-version 2
C. Set auto-discovery-forwarder enable
D. Set auto-discovery-receiver enable
Answer: A, B
Explanation:
On the hub side of an ADVPN setup, you need to enable auto-discovery-sender. This
allows the hub to send shortcut offers to the spokes, which are necessary for setting
up direct tunnels between spokes for optimized traffic flow.
The Internet Key Exchange (IKE) version should match between the spokes and the
hub for the VPN to establish correctly. Since the spoke is configured with ike-version
2, the hub must also be configured to use IKE version 2 for compatibility.
13.Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
A. Only the root FortiGate.
B. Each FortiGate in the Security Fabric.
C. The FortiGate devices performing network address translation (NAT) or unified
threat management (UTM), if configured.
D. Only the last FortiGate that handled a session in the Security Fabric.
Answer: B
Explanation:
Option B is correct because each FortiGate in the Security Fabric can send logs to
FortiAnalyzer for centralized logging and analysis [1][2]. This allows you to monitor and
manage the entire Security Fabric from a single console and view aggregated reports
and dashboards.
Option A is incorrect because the root FortiGate is not the only device that can send
logs to FortiAnalyzer. The root FortiGate is the device that initiates the Security Fabric
and acts as the central point of contact for other FortiGate devices [3]. However, it does
not have to be the only log source for FortiAnalyzer.
Option C is incorrect because the FortiGate devices performing NAT or UTM are not
the only devices that can send logs to FortiAnalyzer. These devices can perform
additional security functions on the traffic that passes through them, such as firewall,
antivirus, web filtering, etc. [4]. However, they are not the only devices that generate
logs in the Security Fabric.
Option D is incorrect because the last FortiGate that handled a session in the Security
Fabric is not the only device that can send logs to FortiAnalyzer. The last FortiGate is
the device that terminates the session and applies the final security policy [5]. However,
it does not have to be the only device that reports the session information to
FortiAnalyzer.
Reference:
1: Security Fabric - Fortinet Documentation
2: FortiAnalyzer Demo
3: Security Fabric topology
4: Security Fabric UTM features
5: Security Fabric session handling
14.Which configuration can be used to reduce the number of BGP sessions in an
IBGP network?
A. Route-reflector-peer enable
B. Route-reflector-client enable
C. Route-reflector enable
D. Route-reflector-server enable
Answer: B
Explanation:
To reduce the number of BGP sessions in an IBGP network, you can use a route
reflector, which acts as a focal point for IBGP sessions and readvertises the prefixes
to all other peers. To configure a route reflector, you need to enable the
route-reflector-client option on the neighbor-group settings of the hub device. This will
make the hub device act as a route reflector server and the other devices as route
reflector clients.
Reference: Route exchange | FortiGate / FortiOS 7.2.0 - Fortinet Documentation
15.Exhibit.
Refer to the exhibit, which contains an active-active load balancing scenario.
During the traffic flow the primary FortiGate forwards the SYN packet to the
secondary FortiGate.
What is the destination MAC address or addresses when packets are forwarded from
the primary FortiGate to the secondary FortiGate?
A. Secondary physical MAC port1
B. Secondary virtual MAC port1
C. Secondary virtual MAC port1 then physical MAC port1
D. Secondary physical MAC port2 then virtual MAC port2
Answer: A
Explanation:
In an active-active load balancing scenario, when the primary FortiGate forwards the
SYN packet to the secondary FortiGate, the destination MAC address would be the
secondary's physical MAC on port1, as the packet is being sent over the network and
the physical MAC is used for layer 2 transmissions.
16.Which two statements about IKE version 2 are true? (Choose two.)
A. Phase 1 includes main mode
B. It supports the extensible authentication protocol (EAP)
C. It supports the XAuth protocol.
D. It exchanges a minimum of four messages to establish a secure tunnel
Answer: B, D
Explanation:
IKE version 2 supports the extensible authentication protocol (EAP), which allows for
more flexible and secure authentication methods [1]. IKE version 2 also exchanges a
minimum of four messages to establish a secure tunnel, which is more efficient than
IKE version 1 [2].
Reference: IKE settings | FortiClient 7.2.2 - Fortinet Documentation, Technical Tip:
How to configure IKE version 1 or 2 … - Fortinet Community
17.Which statement about network processor (NP) offloading is true?
A. For TCP traffic FortiGate CPU offloads the first packets of SYN/ACK and ACK of
the three-way handshake to NP
B. The NP provides IPS signature matching
C. You can disable the NP for each firewall policy using the command np-acceleration
set to loose.
D. The NP checks the session key or IPSec SA
Answer: D
18.Exhibit.
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is
experiencing an outage?
A. Public FortiGuard servers
B. 10.0.1.242
C. 10.0.1.244
D. 10.0.1.243
Answer: C
Explanation:
In the event of an outage at 10.0.1.240, the FortiGate will choose the next server in
the sequence for web filter rating requests, which is 10.0.1.244 according to the
configuration shown in the exhibit. This is because the server list is ordered by
priority, and the server with the lowest priority number is chosen first. If that server is
unavailable, the next server with the next lowest priority number is chosen, and so on.
The public FortiGuard servers are only used if the include-default-servers option is
enabled and all the custom servers are unavailable.
Reference: Fortinet Enterprise Firewall Study Guide for FortiOS 7.2, page 132.
19.Exhibit.
Refer to the exhibit, which contains the partial interface configuration of two FortiGate
devices.
Which two conclusions can you draw from this configuration? (Choose two.)
A. 10.1.5.254 is the default gateway of the internal network
B. On failover new primary device uses the same MAC address as the old primary
C. The VRRP domain uses the physical MAC address of the primary FortiGate
D. By default FortiGate B is the primary virtual router
Answer: BD
Explanation:
From the partial interface configuration of two FortiGate devices:
On failover, the new primary device uses the same MAC address as the old primary.
The configuration line set vrrp-virtual-mac enable suggests that Virtual Router
Redundancy Protocol (VRRP) is being used with a virtual MAC address. This ensures
that if a failover occurs, the new primary device will use the same virtual MAC
address that was used by the previous primary, preventing the need for ARP cache
updates on downstream devices.
By default, FortiGate B is the primary virtual router.
The priority setting in VRRP determines which device will be the master. The device
with the higher priority will become the master router. In this configuration, FortiGate
B has a higher priority (50) than FortiGate A (priority 255, which is a lower priority in
VRRP terms).
20.After enabling IPS you receive feedback about traffic being dropped.
What could be the reason?
A. Np-accel-mode is set to enable
B. Traffic-submit is set to disable
C. IPS is configured to monitor
D. Fail-open is set to disable
Answer: D
Explanation:
Fail-open is a feature that allows traffic to pass through the IPS sensor without
inspection when the sensor fails or is overloaded. If fail-open is set to disable, traffic
will be dropped in such scenarios [1].
Reference: IPS | FortiGate / FortiOS 7.2.3 - Fortinet Documentation
When IPS (Intrusion Prevention System) is configured, if fail-open is set to disable, it
means that if the IPS engine fails, traffic will not be allowed to pass through, which
can result in traffic being dropped (D). This is in contrast to a fail-open setting, which
would allow traffic to bypass the IPS engine if it is not operational.