NSE7 by Fortinet Valid Free Exam Practice Test

Question 1

An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit. The administrator decides to enable the setting link-failed-signal to fix the problem. Which statement is correct regarding this command?

A. Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover. B. Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover. C. Sends a link failed signal to all connected devices. D. Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.

Correct Answer: D

Question 2

View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Why didn't the tunnel come up?

A. The remote gateway's phase 2 configuration does not match the local gateway's phase 2 configuration. B. The pre-shared keys do not match. C. The remote gateway's phase 1 configuration does not match the local gateway's phase 1 configuration. D. The remote gateway is using aggressive mode and the local gateway is configured to use man mode.

Correct Answer: C

Question 3

A FortiGate has two default routes:

All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:

What would happen with the traffic matching the above session if the priority on the first default route (IDd1) were changed from 5 to 20?

A. Session would remain in the session table and its traffic would start using port2 as the outgoing interface. B. Session would remain in the session table and its traffic would keep using port1 as the outgoing interface. C. Session would be deleted, so the client would need to start a new session. D. Session would remain in the session table and its traffic would be shared between port1 and port2.

Correct Answer: B

Question 4

What is the purpose of an internal segmentation firewall (ISFW)?

A. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network. B. It inspects incoming traffic to protect services in the corporate DMZ. C. It is the first line of defense at the network perimeter. D. It splits the network into multiple security segments to minimize the impact of breaches.

Correct Answer: C

Question 5

Examine the output from the 'diagnose vpn tunnel list' command shown in the exhibit; then answer the question below.

Which command can be used to sniffer the ESP traffic for the VPN DialUP_0?

A. diagnose sniffer packet any 'port 500' B. diagnose sniffer packet any 'port 4500' C. diagnose sniffer packet any 'host 10.0.10.10' D. diagnose sniffer packet any 'esp'

Correct Answer: D

Question 6

An administrator wants to capture ESP traffic between two FortiGates using the built-in sniffer. If the administrator knows that there is no NAT device located between both FortiGates, what command should the administrator execute?

A. diagnose sniffer packet any 'esp' B. diagnose sniffer packet any 'udp port 4500' C. diagnose sniffer packet any 'udp port 500' D. diagnose sniffer packet any 'udp port 500 or udp port 4500'

Correct Answer: A

Question 7

The CLI command set intelligent-mode <enable | disable> controls the IPS engine's adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

A. Determines the optimal number of IPS engines required based on system load. B. Determines when it is secure enough to stop scanning session traffic. C. Choose a matching algorithm based on available memory and the type of inspection being performed. D. Downloads signatures on demand from FDS based on scanning requirements.

Correct Answer: C

Question 8

View the exhibit, which contains the output of a diagnose command, and the answer the question below.

Which statements are true regarding the Weight value?

A. It determines which FortiGuard server is used for license validation. B. Its value is incremented with each packet lost. C. Its initial value is calculated based on the round trip delay (RTT). D. Its initial value is statically set to 10.

Correct Answer: B

Question 9

The logs in a FSSO collector agent (CA) are showing the following error:
failed to connect to registry: PIKA1026 (192.168.12.232)
What can be the reason for this error?

A. The CA cannot reach the FortiGate with the IP address 192.168.12.232. B. The CA cannot resolve the name of the workstation. C. The remote registry service is not running in the workstation 192.168.12.232. D. The FortiGate cannot resolve the name of the workstation.

Correct Answer: C

Fortinet NSE7 Enterprise Firewall - FortiOS 5.4 - NSE7 Exam Practice Test