NSE7_EFW-6.2 Online Practice Questions and Answers

A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have Internet access after successfully logged into the Windows AD network. The output of the `diagnose debug authd fsso list' command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

A. The user student must not be listed in the CA's ignore user list.

B. The user student must belong to one or more of the monitored user groups.

C. The student workstation's IP subnet must be listed in the CA's trusted list.

D. At least one of the student's user groups must be allowed by a FortiGate firewall policy.

An administrator has configured a FortiGate device with two VDOMs: root and internal. The administrator has also created and inter-VDOM link that connects both VDOMs. The objective is to have each VDOM advertise some routes to the other VDOM via OSPF through the inter-VDOM link. What OSPF configuration settings must match in both VDOMs to have the OSPF adjacency successfully forming? (Choose three.)

A. Router ID.

B. OSPF interface area.

C. OSPF interface cost.

D. OSPF interface MTU.

E. Interface subnet mask.

An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth)

and IKE mode configuration. The administrator has also enabled the IKE real time debug:

diagnose debug application ike-1

diagnose debug enable

In which order is each step and phase displayed in the debug output each time a new dial-up user is

connecting to the VPN?

A. Phase1; IKE mode configuration; XAuth; phase 2.

B. Phase1; XAuth; IKE mode configuration; phase2.

C. Phase1; XAuth; phase 2; IKE mode configuration.

D. Phase1; IKE mode configuration; phase 2; XAuth.

Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)

A. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.

B. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.

C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.

D. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

View the exhibit, which contains the output of diagnose sys session list, and then answer the question below.

If the HA ID for the primary unit is zero (0), which statement is correct regarding the output?

A. This session is for HA heartbeat traffic.

B. This session is synced with the slave unit.

C. The inspection of this session has been offloaded to the slave unit.

D. This session cannot be synced with the slave unit.

The CLI command set intelligent-mode controls the IPS engine's adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

A. Determines the optimal number of IPS engines required based on system load.

B. Downloads signatures on demand from FDS based on scanning requirements.

C. Determines when it is secure enough to stop scanning session traffic.

D. Choose a matching algorithm based on available memory and the type of inspection being performed.

View the exhibit, which contains a partial routing table, and then answer the question below.

Assuming all the appropriate firewall policies are configured, which of the following pings will FortiGate route? (Choose two.)

A. Source IP address 10.1.0.24, Destination IP address 10.72.3.20.

B. Source IP address 10.72.3.27, Destination IP address 10.1.0.52.

C. Source IP address 10.72.3.52, Destination IP address 10.1.0.254.

D. Source IP address 10.73.9.10, Destination IP address 10.72.3.15.

View the exhibit, which contains the output of a BGP debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

A. The local router's BGP state is Established with the 10.125.0.60 peer.

B. Since the counters were last reset; the 10.200.3.1 peer has never been down.

C. The local router has received a total of three BGP prefixes from all peers.

D. The local router has not established a TCP session with 100.64.3.1.

Refer to the exhibit, which contains the output of diagnose sys session list.

If the HA ID for the primary unit is zero (0), which statement about the output is true?

A. This session cannot be synced with the slave unit.

B. The inspection of this session has been offloaded to the slave unit.

C. The master unit is processing this traffic.

D. This session is for HA heartbeat traffic.

When using the SSL certificate inspection method to inspect HTTPS traffic, how does FortiGate filter web requests when the client browser does not provide the server name indication (SNI) extension?

A. FortiGate uses the requested URL from the user's web browser.

B. FortiGate uses the CN information from the Subject field in the server certificate.

C. FortiGate blocks the request without any further inspection.

D. FortiGate switches to the full SSL inspection method to decrypt the data.