NSE7_EFW-6.4 Online Practice Questions and Answers

A FortiGate has two default routes:

All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:

What would happen with the traffic matching the above session if the priority on the first default route (IDd1) were changed from 5 to 20?

A. The session would be deleted, and the client would need to start a new session.

B. The session would remain in the session table, and its traffic would start to egress from port2.

C. The session would remain in the session table, but its traffic would now egress from both port1 and port2.

D. The session would remain in the session table, and its traffic would still egress from port1.

An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration. The administrator has also enabled the IKE real time debug:

diagnose debug application ike-1 diagnose debug enable

In which order is each step and phase displayed in the debug output each time a new dial- up user is connecting to the VPN?

A. Phase1; IKE mode configuration; XAuth; phase 2.

B. Phase1; XAuth; IKE mode configuration; phase2.

C. Phase1; XAuth; phase 2; IKE mode configuration.

D. Phase1; IKE mode configuration; phase 2; XAuth.

View the exhibit, which contains the output of a diagnose command, and then answer the question below.

What statements are correct regarding the output? (Choose two.)

A. This is an expected session created by a session helper.

B. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.

C. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.

D. This is an expected session created by an application control profile.

Examine the following partial output from a sniffer command; then answer the question below.

What is the meaning of the packets dropped counter at the end of the sniffer?

A. Number of packets that didn't match the sniffer filter.

B. Number of total packets dropped by the FortiGate.

C. Number of packets that matched the sniffer filter and were dropped by the FortiGate.

D. Number of packets that matched the sniffer filter but could not be captured by the sniffer.

Which two statements about the Security Fabric are true? (Choose two.)

A. Only the root FortiGate collects network information and forwards it to FortiAnalyzer.

B. FortiGate uses FortiTelemetry protocol to communicate with FortiAnalyzer.

C. All FortiGate devices in the Security Fabric must have bidirectional FortiTelemetry connectivity.

D. Branch FortiGate devices must be configured first.

Which two statements about FortiManager is true when it is deployed as a local FDS? (Choose two.)

A. It caches available firmware updates for unmanaged devices.

B. It can be configured as an update server, or a rating server, but not both.

C. It supports rating requests from both managed and unmanaged devices.

D. It provides VM license validation services.

View the following FortiGate configuration.

All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for Internet traffic from a user on the internal network:

If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user's session?

A. The session would remain in the session table, and its traffic would still egress from port1.

B. The session would remain in the session table, but its traffic would now egress from both port1 and port2.

C. The session would remain in the session table, and its traffic would start to egress from port2.

D. The session would be deleted, so the client would need to start a new session.

Refer to the exhibits.

Which contain the partial configurations of two VPNs on FortiGate.

An administrator has configured two VPNs for two different user groups. Users who are in the Users-2 group are not able to connect to the VPN. After running a diagnostics command, the administrator discovered that FortiGate is not matching the user-2 VPN for members of the Users-2 group.

Which two changes must administrator make to fix the issue? (Choose two.)

A. Use different pre-shared keys on both VPNs

B. Enable Mode Config on both VPNs.

C. Set up specific peer IDs on both VPNs.

D. Change to aggressive mode on both VPNs.

An administrator is running the following sniffer in a FortiGate:

diagnose sniffer packet any "host 10.0.2.10" 2

What information is included in the output of the sniffer? (Choose two.)

A. Ethernet headers.

B. IP payload.

C. IP headers.

D. Port names.

Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

Based on the output, which two statements are correct? (Choose two.)

A. Phase 2 authentication is set to sha1 on both sides.

B. Anti-replay is disabled.

C. Hub2Spoke1 is a policy-based VPN.

D. Hub2Spoke1 is configured on interface wan2.

Examine the following partial output from two system debug commands; then answer the question below.

Which of the following statements are true regarding the above outputs? (Choose two.)

A. The unit is running a 32-bit FortiOS

B. The unit is in kernel conserve mode

C. The Cached value is always the Active value plus the Inactive value

D. Kernel indirectly accesses the low memory (LowTotal) through memory paging

View the exhibit, which contains a partial output of an IKE real-time debug, and then answer the question below.

Based on the debug output, which phase-1 setting is enabled in the configuration of this VPN?

A. auto-discovery-sender

B. auto-discovery-forwarder

C. auto-discovery-shortcut

D. auto-discovery-receiver

An administrator added the following Ipsec VPN to a FortiGate configuration: configvpn ipsec phasel -interface edit "RemoteSite" set type dynamic set interface "portl" set mode main set psksecret ENC LCVkCiK2E2PhVUzZe next end config vpn ipsec phase2-interface edit "RemoteSite" set phasel name "RemoteSite" set proposal 3des-sha256 next end However, the phase 1 negotiation is failing. The administrator executed the IKF real time debug while

attempting the Ipsec connection. The output is shown in the exhibit.

What is causing the IPsec problem in the phase 1 ?

A. The incoming IPsec connection is matching the wrong VPN configuration

B. The phrase-1 mode must be changed to aggressive

C. The pre-shared key is wrong

D. NAT-T settings do not match

An LDAP user cannot authenticate against a FortiGate device. Examine the real time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.

Based on the output in the exhibit, what can cause this authentication problem?

A. User student is not found in the LDAP server.

B. User student is using a wrong password.

C. The FortiGate has been configured with the wrong password for the LDAP administrator.

D. The FortiGate has been configured with the wrong authentication schema.

Which two conditions must be met for a statistic route to be active in the routing table? (Choose two.)

A. The link health monitor (if configured) is up.

B. There is no other route, to the same destination, with a higher distance.

C. The outgoing interface is up.

D. The next-hop IP address is up.