Weekend Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

Fortinet NSE7_EFW-7.0 - Fortinet NSE 7 - Enterprise Firewall 7.0

Fortinet NSE7_EFW-7.0 Premium Access     Download Demo    
Page: 3 / 5
Total 163 questions

What is the diagnose test application ipsmonitor 99 command used for?

A.

To enable IPS bypass mode

B.

To provide information regarding IPS sessions

C.

To disable the IPS engine

D.

To restart all IPS engines and monitors

Refer to the exhibit, which shows a central management configuration.

Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?

A.

Public FortiGuard servers

B.

10.0.1.243

C.

10.0.1.242

D.

10.0.1.244

Refer to the exhibit, which contains the output of the diagnose vpn tunnel list.

Which command will capture ESP traffic for the VPN named DialUp_0?

A.

diagnose sniffer packet any ‘esp and host 10.200.3.2’

B.

diagnose sniffer packet any ‘ip proto 50’

C.

diagnose sniffer packet any ‘host 10.0.10.10’

D.

diagnose sniffer packet any ‘port 4500’

An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.

Why didn’t the script make any changes to the managed device?

A.

Commands that start with the # sign are not executed.

B.

CLI scripts will add objects only if they are referenced by policies.

C.

Incomplete commands are ignored in CLI scripts.

D.

Static routes can only be added using TCL scripts.

Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

Based on the output, which two statements are correct? (Choose two.)

A.

Phase 2 authentication is set to sha1 on both sides.

B.

Anti-replay is disabled.

C.

Hub2Spoke1 is a policy-based VPN.

D.

Hub2Spoke1 is configured on interface wan2.

Which two conditions must be met for a statistic route to be active in the routing table? (Choose two.)

A.

The link health monitor (if configured) is up.

B.

There is no other route, to the same destination, with a higher distance.

C.

The outgoing interface is up.

D.

The next-hop IP address is up.

View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Which statements about this debug output are correct? (Choose two.)

A.

The remote gateway IP address is 10.0.0.1.

B.

It shows a phase 1 negotiation.

C.

The negotiation is using AES128 encryption with CBC hash.

D.

The initiator has provided remote as its IPsec peer ID.

A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have Internet access after successfully logged into the Windows AD network. The output of the ‘diagnose debug authd fsso list’ command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

A.

The user student must not be listed in the CA’s ignore user list.

B.

The user student must belong to one or more of the monitored user groups.

C.

The student workstation’s IP subnet must be listed in the CA’s trusted list.

D.

At least one of the student’s user groups must be allowed by a FortiGate firewall policy.

An LDAP user cannot authenticate against a FortiGate device. Examine the real time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.

Based on the output in the exhibit, what can cause this authentication problem?

A.

User student is not found in the LDAP server.

B.

User student is using a wrong password.

C.

The FortiGate has been configured with the wrong password for the LDAP administrator.

D.

The FortiGate has been configured with the wrong authentication schema.

An administrator has decreased all the TCP session timers to optimize the FortiGate memory usage. However, after the changes, one network application started to have problems. During the troubleshooting, the administrator noticed that the FortiGate deletes the sessions after the clients send the SYN packets, and before the arrival of the SYN/ACKs. When the SYN/ACK packets arrive to the FortiGate, the unit has already deleted the respective sessions. Which TCP session timer must be increased to fix this problem?

A.

TCP half open.

B.

TCP half close.

C.

TCP time wait.

D.

TCP session time to live.