
NSE7_EFW-7.0 Online Practice Questions and Answers

Question 4

You have configured FortiManager as a local FDS to provide FortiGate AV and IPS updates, but FortiGate devices are not receiving updates to their AV signature databases, IPS engines, or IPS signature databases. Which two settings need to be verified for these features to function? (Choose two.)

A. FortiGate needs to have the server list entry for FortiManager set to server-type update under config system central-management.

B. FortiManager needs to be the license validation server for FortiGate devices trying to retrieve updated AV and IPS packages.

C. Service access needs to be enabled on FortiManager under System Settings > Network.

D. FortiGate needs to have include-default-servers disabled under config system central-management.

Correct Answer: AC

Explanation: NSE 7.0 Guide, pages 184-185

Question 5

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?

A. Configure remote link monitoring to detect an issue in the forwarding path.

B. Configure set send-garp-on-failover enable under config system ha on both cluster members.

C. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.

D. Configure set link-failed-signal enable under config system ha on both cluster members.

Correct Answer: D

Virtual MAC address and failover: the new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.

- Some high-end switches might not clear their MAC table correctly after a failover.
- Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):

    config system ha
        set link-failed-signal enable
    end

- This simulates a link failure, which clears the related entries from the MAC tables of the switches.

Question 6

Refer to the exhibit, which shows the output of diagnose sys session list.

If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the primary?

A. Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.

B. The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.

C. The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.

D. The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.

Correct Answer: A

Explanation: https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-see-if-a-session-is-synced-in-HA/ta-p/194185

Question 7

An administrator cannot connect to the GUI of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:

Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

B. Redirection of HTTP to HTTPS administrative access is disabled.

C. HTTP administrative access is configured with a port number different than 80.

D. The packet is denied because of reverse path forwarding check.

Correct Answer: AC

Question 8

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. The administrator decides to enable the setting link-failed-signal to fix the problem.

Which statement about this setting is true?

A. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.

B. It sends a link failed signal to all connected devices.

C. It disables all the non-heartbeat interfaces in all HA members for two seconds after a failover.

D. It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the failover occurs.

Correct Answer: D

Reference: https://kb.fortinet.com/kb/viewContent.do?externalId=FD40860&sliceId=1

Question 9

An administrator has created a VPN community within VPN Manager on FortiManager. They also added gateways to the VPN community and are now trying to create firewall policies to permit traffic over the tunnel; however, the VPN interfaces are not listed as available options.

What step must the administrator take to resolve this issue?

A. Install the VPN community and gateway configuration to the FortiGate devices, in order for the interfaces to be displayed within Policy and Objects on FortiManager

B. Set up all of the phase 1 settings in the VPN community that they neglected to set up initially. The interfaces will be automatically generated after the administrator configures all of the required settings.

C. Refresh the device status from the Device Manager so that FortiGate will populate the IPsec interfaces.

D. Create interface mappings for the IPsec VPN interfaces, before they can be used in a policy.

Correct Answer: A

Explanation:
1. Create a VPN community
2. Install the VPN configuration
3. Add IPsec firewall policies
4. Install the policies

Question 10

Which of the following conditions must be met for a static route to be active in the routing table? (Choose three.)

A. The next-hop IP address is up.

B. There is no other route, to the same destination, with a higher distance.

C. The link health monitor (if configured) is up.

D. The next-hop IP address belongs to one of the outgoing interface subnets.

E. The outgoing interface is up.

Correct Answer: CDE

A configured static route is only moved from the routing database into the routing table when all of the following are met:
- The outgoing interface is up
- There is no other matching route with a lower distance
- The link health monitor (if configured) is successful
- The next-hop IP address belongs to one of the outgoing interface subnets

Question 11

View these partial outputs from two routing debug commands:

Which outbound interface will FortiGate use to route web traffic from internal users to the Internet?

A. Both port1 and port2

B. port3

C. port1

D. port2

Correct Answer: C

Question 12

Refer to the exhibit, which contains the output of diagnose sys session list.

If the HA ID for the primary unit is zero (0), which statement about the output is true?

A. This session cannot be synced with the slave unit.

B. The inspection of this session has been offloaded to the slave unit.

C. The master unit is processing this traffic.

D. This session is for HA heartbeat traffic.

Correct Answer: C

Question 13

In which two states is a given session categorized as ephemeral? (Choose two.)

A. A TCP session waiting for FIN ACK

B. A UDP session with packets sent and received

C. A UDP session with only one packet received

D. A TCP session waiting for the SYN ACK

Correct Answer: CD

Exam Code: NSE7_EFW-7.0
Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.0
Last Update: Jun 10, 2025
Questions: 163
