NSE7 - EFW-7.2 (67 Questions)

The document outlines the details of the Fortinet NSE 7 - Enterprise Firewall 7.2 exam, including the exam code, passing score, and time limit. It includes a series of questions and answers related to Fortinet configurations and troubleshooting scenarios. The document serves as a study guide for individuals preparing for the NSE7_EFW-7.2 certification exam.

Uploaded by

Innovior IT Tech
NSE7_EFW-7.2 (67 Questions)

Number: 000-000
Passing Score: 800
Time Limit: 120 min
File Version: 1.0

Vendor: Fortinet

Exam Code: NSE7_EFW-7.2

Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.2


Innovior ITTech
Q&A
Fortinet NSE 7 - Enterprise Firewall 7.2
NSE7_EFW-7.2 (67 Questions)
http://www.facebook.com/InnoviorITTech
We offer a free update service for one year.

QUESTION 1
Refer to the exhibit, which contains a TCL script configuration on FortiManager.

An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any
changes to the managed device after being run.
Why did the TCL script fail to make any changes to the managed device?

A. The TCL procedure run_cmd has not been created.
B. The TCL script must start with #include.
C. There is no corresponding #! to signify the end of the script.
D. The TCL procedure lacks the required loop statements to iterate through the changes.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 2
You want to improve reliability over a lossy IPSec tunnel. Which combination of IPSec phase 1 parameters
should you configure?

A. fec-ingress and fec-egress
B. dpd and dpd-retryinterval
C. fragmentation and fragmentation-mtu
D. keepalive and keylive

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Forward error correction (FEC) improves reliability and can overcome adverse WAN conditions such as lossy or noisy links.

QUESTION 3
How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)

A. When run on the Device Database, changes are applied directly to the managed FortiGate device.
B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 4
Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?

A. Only NPs are disabled
B. Only CPs are disabled
C. NPs and CPs are enabled
D. NPs and CPs are disabled

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Enabling strict header checking disables all hardware acceleration. This includes NP, SP, and CP processing.
https://docs.fortinet.com/document/fortigate/7.2.4/hardware-acceleration/39956

QUESTION 5
Refer to the exhibits, which show the configurations of two address objects from the same FortiGate.

Engineering address object

Finance address object

Why can you modify the Engineering address object, but not the Finance address object?

A. You have read-only access.
B. Another user is editing the Finance address object in workspace mode.
C. FortiGate joined the Security Fabric and the Finance address object was configured on the root FortiGate.
D. FortiGate is registered on FortiManager.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In workspace mode the "OK" button is present, but you get an error message as soon as you click it.
When you create a Fabric object on the root device, it synchronizes to the downstream devices (if enabled), and you cannot modify the object on any downstream device. The "OK" button is NOT available on downstream devices.

QUESTION 6
Which two statements about the neighbor-group command are true? (Choose two.)

A. It applies common settings in an OSPF area
B. You can apply it in Internal BGP (IBGP) and External BGP (EBGP)
C. You can configure it on the GUI
D. It is combined with the neighbor-range parameter

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 7
Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

A. Dead peer detection is set to enable
B. The IKE version is 2
C. Both IPsec SAs are loaded on the kernel
D. Forward error correction in phase 2 is set to enable

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
From the command output shown in the exhibit:
B) The IKE version is 2: this can be deduced from the presence of 'ver=2' in the output, which indicates that IKEv2 is being used.
C) Both IPsec SAs are loaded on the kernel: this is indicated by the line 'npu flags=0x0/0', suggesting that no offload to the NPU is occurring and hence both Security Associations are loaded onto the kernel for processing.
Fortinet documentation specifies that the IKE (Internet Key Exchange) version in use and the loading of IPsec Security Associations can be verified through the diagnostic commands for VPN tunnels.

QUESTION 8
Which two statements about IKE version 2 fragmentation are true? (Choose two.)

A. Only some IKE version 2 packets are considered fragmentable
B. The reassembly timeout default value is 30 seconds
C. It is performed at the IP layer
D. The maximum number of IKE version 2 fragments is 128

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
IKE version 2 fragmentation is not applicable to all IKE version 2 packets. Only some packets are considered fragmentable, and fragmentation is performed selectively. IKE version 2 fragmentation occurs at the IP layer. It is used when the size of the IKE message exceeds the maximum size allowed for the underlying IP protocol (e.g., UDP). The fragmentation is done at the IP layer to ensure proper handling across the network.

QUESTION 9
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.
What can the administrator do to fix this problem?

A. Configure set link-failed-signal enable under config system ha on both cluster members.
B. Configure set send-garp-on-failover enable under config system ha on both cluster members.
C. Configure remote link monitoring to detect an issue in the forwarding path.
D. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Virtual MAC Address and Failover
