NSE7_EFW-7.0 Exam Dumps - Fortinet NSE 7 - Enterprise Firewall 7.0

IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.

IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.

They both use UDP as their transport protocol and the port number is configurable.

They each use their own IP protocol number.

The session would be deleted, and the client would need to start a new session.

The session would remain in the session table, and its traffic would start to egress from port2.

The session would remain in the session table, but its traffic would now egress from both port1 and port2.

The session would remain in the session table, and its traffic would still egress from port1.

IPS engine memory consumption has exceeded the model-specific predefined value.

IPS daemon experienced a crash.

There are communication problems between the IPS engine and the management database.

All IPS-related features have been disabled in FortiGate’s configuration.

BGP peers have successfully interchanged Open and Keepalive messages.

Local BGP peer received a prefix for a default route.

The state of the remote BGP peer is OpenConfirm.

The state of the remote BGP peer will go to Connect after it confirms the received prefixes.

After the application has been identified, the kernel uses only the Layer 4 header to match the traffic.

The IPS security profile is the only security option you can apply to the security policy with the action set to ACCEPT.

After IPS identifies the application, it adds an entry to a dynamic ISDB table.

FortiGate will drop all packets until the application can be identified.

1

2

3

4

This is an expected session created by a session helper.

Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.

Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.

This is an expected session created by an application control profile.

The user student must not be listed in the CA’s ignore user list.

The user student must belong to one or more of the monitored user groups.

The student workstation’s IP subnet must be listed in the CA’s trusted list.

At least one of the student’s user groups must be allowed by a FortiGate firewall policy.

A TCP session waiting for FIN ACK

A UDP session with packets sent and received

A UDP session with only one packet received

A TCP session waiting for the SYN ACK

Automation stitches can be configured on any FortiGate device in a Security Fabric environment.

An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Automation stitches can be created to run diagnostic commands and attach the results to an email message when CPU or memory usage exceeds specified thresholds.

An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

Redirection of HTTP to HTTPS administrative access is disabled.

HTTP administrative access is configured with a port number different than 80.

The packet is denied because of reverse path forwarding check.

The incoming IPsec connection is matching the wrong VPN configuration

The phrase-1 mode must be changed to aggressive

The pre-shared key is wrong

NAT-T settings do not match

cnid.

username.

password.

dn.

If FGVM...649 is rebooted, FGVM...650 will become the primary and retain that role, even after FGVM...649 rejoins the cluster.

If no action is taken, the primary FortiGate will leave the cluster due to the current sync status.

If port7 becomes disconnected on the secondary, both FortiGate devices will elect itself the primary.

If a configuration change is made to the primary FortiGate at this time, the secondary will initiate a synchronization reset.

FortiGate uses CN information from the Subject field in the server’s certificate.

FortiGate switches to the full SSL inspection method to decrypt the data.

FortiGate blocks the request without any further inspection.

FortiGate uses the requested URL from the user’s web browser.

Static routes can be added using only TCL scripts.

The commands that start with the # sign did not run.

CLI scripts must start with #!.

Incomplete commands can cause CLI scripts to fail.

In the phase 1 network configuration, set the IKE version to 2.

In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.

In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.

In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.

The port2 interface is disabled in the FortiGate configuration.

The port1 default route has a lower distance than the default route using port2.

The port1 default route has a higher priority value than the default route using port2.

The port1 default route has a lower priority value than the default route using port2.

The npu_flag for this tunnel is 03.

Different SPI values are a result of auto-negotiation being disabled for phase 2 selectors.

Anti-replay is enabled.

The npu_flag for this tunnel is 02.

The link health monitor (if configured) is up.

There is no other route, to the same destination, with a higher distance.

The outgoing interface is up.

The next-hop IP address is up.

Only root vdom supports OCVPN.

OCVPN supports static and dynamic IPs in WAN interface.

OCVPN offers only Hub-Spoke VPNs.

FortiGate devices under different FortiCare accounts can be used to form OCVPN.