
Free and Premium Fortinet NSE7_EFW-6.4 Dumps Questions Answers

Fortinet NSE 7 - Enterprise Firewall 7.0 Questions and Answers

Question 1

When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?

Options:

A. FortiGate uses CN information from the Subject field in the server’s certificate.
B. FortiGate switches to the full SSL inspection method to decrypt the data.
C. FortiGate blocks the request without any further inspection.
D. FortiGate uses the requested URL from the user’s web browser.

Question 2

Refer to the exhibit, which contains partial output from an IKE real-time debug.

Which two statements about this debug output are correct? (Choose two.)

Options:

A. The remote gateway IP address is 10.0.0.1.
B. The initiator provided remote as its IPsec peer ID.
C. It shows a phase 1 negotiation.
D. The negotiation is using AES128 encryption with CBC hash.

Question 3

Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)

Options:

A. SIP session helper runs in the kernel; SIP ALG runs as a user space process.
B. SIP ALG supports SIP HA failover; SIP helper does not.
C. SIP ALG supports SIP over IPv6; SIP helper does not.
D. SIP ALG can create expected sessions for media traffic; SIP helper does not.
E. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.

Question 4

View the exhibit, which contains the output of diagnose sys session stat, and then answer the question below.

Which statements are correct regarding the output shown? (Choose two.)

Options:

A. There are 0 ephemeral sessions.
B. All the sessions in the session table are TCP sessions.
C. No sessions have been deleted because of memory pages exhaustion.
D. There are 166 TCP sessions waiting to complete the three-way handshake.

Question 5

Examine the partial output from the IKE real-time debug shown in the exhibit; then answer the question below.

Why didn’t the tunnel come up?

Options:

A. IKE mode configuration is not enabled in the remote IPsec gateway.
B. The remote gateway’s Phase-2 configuration does not match the local gateway’s phase-2 configuration.
C. The remote gateway’s Phase-1 configuration does not match the local gateway’s phase-1 configuration.
D. One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.

Question 6

View the exhibit, which contains the output of a debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

Options:

A. In the network on port4, two OSPF routers are down.
B. Port4 is connected to the OSPF backbone area.
C. The local FortiGate’s OSPF router ID is 0.0.0.4
D. The local FortiGate has been elected as the OSPF backup designated router.

Question 7

A FortiGate is rebooting unexpectedly without any apparent reason. What troubleshooting tools could an administrator use to get more information about the problem? (Choose two.)

Options:

A. Firewall monitor.
B. Policy monitor.
C. Logs.
D. Crashlogs.

Question 8

View the exhibit, which contains the output of a BGP debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

Options:

A. For the peer 10.125.0.60, the BGP state is Established.
B. The local BGP peer has received a total of three BGP prefixes.
C. Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.
D. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.

Question 9

Which two configuration settings change the behavior for content-inspected traffic while FortiGate is in conserve mode? (Choose two.)

Options:

A. IPS failopen
B. mem failopen
C. AV failopen
D. UTM failopen

Question 10

Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)

Options:

A. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.
B. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.
C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.
D. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

Question 11

Examine the output of the ‘diagnose sys session list expectation’ command shown in the exhibit; then answer the question below.

Which statement is true regarding the session in the exhibit?

Options:

A. It was created by the FortiGate kernel to allow push updates from FortiGuard.
B. It is for management traffic terminating at the FortiGate.
C. It is for traffic originated from the FortiGate.
D. It was created by a session helper or ALG.

Question 12

View the central management configuration shown in the exhibit, and then answer the question below.

Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?

Options:

A. 10.0.1.240
B. One of the public FortiGuard distribution servers
C. 10.0.1.244
D. 10.0.1.242

Question 13

The logs in an FSSO collector agent (CA) are showing the following error:

failed to connect to registry: PIKA1026 (192.168.12.232)

What can be the reason for this error?

Options:

A. The CA cannot resolve the name of the workstation.
B. The FortiGate cannot resolve the name of the workstation.
C. The remote registry service is not running in the workstation 192.168.12.232.
D. The CA cannot reach the FortiGate with the IP address 192.168.12.232.

Question 14

View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Which statements about this debug output are correct? (Choose two.)

Options:

A. The remote gateway IP address is 10.0.0.1.
B. It shows a phase 1 negotiation.
C. The negotiation is using AES128 encryption with CBC hash.
D. The initiator has provided remote as its IPsec peer ID.

Question 15

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. The administrator decides to enable the setting link-failed-signal to fix the problem.

Which statement about this setting is true?

Options:

A. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
B. It sends a link failed signal to all connected devices.
C. It disables all the non-heartbeat interfaces in all HA members for two seconds after a failover.
D. It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the failover occurs.

Question 16

Examine the output from the BGP real-time debug shown in the exhibit, then answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

Options:

A. BGP peers have successfully interchanged Open and Keepalive messages.
B. Local BGP peer received a prefix for a default route.
C. The state of the remote BGP peer is OpenConfirm.
D. The state of the remote BGP peer will go to Connect after it confirms the received prefixes.

Question 17

View the global IPS configuration, and then answer the question below.

Which of the following statements is true regarding this configuration?

Options:

A. IPS will scan every byte in every session.
B. FortiGate will spawn IPS engine instances based on the system load.
C. New packets will be passed through without inspection if the IPS socket buffer runs out of memory.
D. IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

Question 18

When does a RADIUS server send an Access-Challenge packet?

Options:

A. The server does not have the user credentials yet.
B. The server requires more information from the user, such as the token code for two-factor authentication.
C. The user credentials are wrong.
D. The user account is not found in the server.