NSE 7 Network Security Architect NSE7_EFW-7.0 Real Exam Questions and Answers FREE Updated on Apr 01, 2024
NSE7_EFW-7.0 Ultimate Study Guide - Actual4Labs
NEW QUESTION # 15
Refer to the exhibit, which contains the output of diagnose sys session list.
If the HA ID for the primary unit is zero (0), which statement about the output is true?
- A. This session is for HA heartbeat traffic.
- B. The master unit is processing this traffic.
- C. The inspection of this session has been offloaded to the slave unit.
- D. This session cannot be synced with the slave unit.
Answer: B
NEW QUESTION # 16
Refer to the exhibit, which contains the output of a BGP debug command.
Which statement about the exhibit is true?
- A. The local router has received a total of three BGP prefixes from all peers.
- B. The local router has not established a TCP session with 100.64.3.1.
- C. Since the counters were last reset, the 10.200.3.1 peer has never been down.
- D. The local router BGP state is OpenConfirm with the 10.127.0.75 peer.
Answer: B
NEW QUESTION # 17
What events are recorded in the crashlogs of a FortiGate device? (Choose two.)
- A. Configuration changes.
- B. Changes in the status of any of the FortiGuard licenses.
- C. A process crash.
- D. The system entering and leaving proxy conserve mode.
Answer: C,D
NEW QUESTION # 18
Examine the partial output from the IKE real-time debug shown in the exhibit; then answer the question below.
Why didn't the tunnel come up?
- A. The remote gateway's Phase-1 configuration does not match the local gateway's phase-1 configuration.
- B. One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.
- C. IKE mode configuration is not enabled in the remote IPsec gateway.
- D. The remote gateway's Phase-2 configuration does not match the local gateway's phase-2 configuration.
Answer: A
NEW QUESTION # 19
Which two conditions would prevent a static route from being added to the routing table? (Choose two.)
- A. The interface specified in the route configuration is down
- B. There is another route to the same destination with a lower distance.
- C. The route has a lower priority value than another route to the same destination.
- D. The next-hop IP address is unreachable.
Answer: A,B
Explanation:
The routing table contains only the static route with the lowest distance https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-and/ta-p/198221
NEW QUESTION # 20
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. The administrator decides to enable the setting link-failed-signal to fix the problem.
Which statement about this setting is true?
- A. It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the failover occurs.
- B. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
- C. It sends a link failed signal to all connected devices.
- D. It disables all the non-heartbeat interfaces in all HA members for two seconds after a failover.
Answer: A
NEW QUESTION # 21
A FortiGate has two default routes:
All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:
What would happen to the traffic matching the above session if the priority on the first default route (ID 1) were changed from 5 to 20?
- A. The session would be deleted, and the client would need to start a new session.
- B. The session would remain in the session table, but its traffic would now egress from both port1 and port2.
- C. The session would remain in the session table, and its traffic would start to egress from port2.
- D. The session would remain in the session table, and its traffic would still egress from port1.
Answer: D
NEW QUESTION # 23
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.
Why didn't the tunnel come up?
- A. The remote gateway is using aggressive mode and the local gateway is configured to use main mode.
- B. The remote gateway's phase 1 configuration does not match the local gateway's phase 1 configuration.
- C. The pre-shared keys do not match.
- D. The remote gateway's phase 2 configuration does not match the local gateway's phase 2 configuration.
Answer: B
NEW QUESTION # 24
What configuration changes can reduce the memory utilization in a FortiGate? (Choose two.)
- A. Increase the FortiGuard cache time to live.
- B. Reduce the session time to live.
- C. Increase the TCP session timers.
- D. Reduce the maximum file size to inspect.
Answer: B,D
NEW QUESTION # 25
How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)
- A. When run on the Device Database, changes are applied directly to the managed FortiGate device.
- B. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
- C. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device
- D. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
Answer: C,D
Explanation:
CLI scripts can be run in three different ways. Device Database: By default, a script is executed on the device database. It is recommended that you run changes on the device database (the default setting), because this lets you review the configuration changes before they are sent to the managed device. Once a script has run on the device database, you install the resulting changes on the managed device using the installation wizard.
Policy Package, ADOM database: If a script contains changes related to ADOM level objects and policies, you can change the default selection to run on Policy Package, ADOM database and can then be installed using the installation wizard.
Remote FortiGate directly (through CLI): A script can be executed directly on the device, and the changes do not need to be installed through the installation wizard. Because the changes are applied directly to the managed device, FortiManager provides no opportunity to verify or review the configuration changes before the script executes.
NEW QUESTION # 26
Refer to the exhibit, which shows the output of diagnose sys session list.
If the HA ID for the primary device is 0, what will happen if the primary fails and the secondary becomes the primary?
- A. The session will be removed from the session table of the secondary device due to the presence of allowed error packets, which will force the client to restart the session with the server.
- B. Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.
- C. The secondary device has this session synchronized; however, because application control is applied, the session will be marked dirty and have to be re-evaluated after failover.
- D. The session state will be preserved but the kernel will need to re-evaluate the session due to NAT being applied.
Answer: B
Explanation:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-see-if-a-session-is-synced-in-HA/ta-p/194185
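The two session-table questions above (# 15 and # 26) both turn on reading the same fields of a `diagnose sys session list` entry: `ha_id` tells you which cluster member owns the session, and the `synced` token on the `state=` line tells you whether the secondary already holds a copy and can carry it after failover. The following is an added example, not code from the exam or from Fortinet: it parses a constructed session entry (documentation addresses, not real device output) and answers both questions. The field names follow the session-list format; the sample text, the `SAMPLE_SESSION` constant and the helper function names are assumptions for illustration.

```python
import re

# Constructed sample in the shape of one entry from `diagnose sys session list`
# (not captured from a real device; addresses are RFC 5737 documentation ranges).
SAMPLE_SESSION = """\
session info: proto=6 proto_state=01 duration=95 expire=3585 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty synced
statistic(bytes/packets/allow_err): org=1176/12/1 reply=2264/15/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=3->4/4->3 gwy=203.0.113.1/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:49472->198.51.100.20:80(203.0.113.2:49472)
hook=pre dir=reply act=dnat 198.51.100.20:80->203.0.113.2:49472(10.0.1.10:49472)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000a9b4 tos=ff/ff app_list=0 app=0 url_cat=0
"""


def parse_session(entry: str) -> dict:
    """Extract the fields that decide an HA failover question from one session entry."""

    def intfield(name: str) -> int:
        # \b keeps "proto=" from matching inside "proto_state=" and "ha_id=" exact.
        m = re.search(r"\b%s=(\d+)" % name, entry)
        if m is None:
            raise ValueError("missing field %s" % name)
        return int(m.group(1))

    # The state line carries space-separated flags; "synced" is the one we care about.
    state_m = re.search(r"^state=(.*)$", entry, re.MULTILINE)
    # allow_err counters: packets accepted despite a TCP state-check mismatch.
    err_m = re.search(r"allow_err\):\s*org=\d+/\d+/(\d+)\s+reply=\d+/\d+/(\d+)", entry)
    return {
        "proto": intfield("proto"),
        "ha_id": intfield("ha_id"),
        "policy_id": intfield("policy_id"),
        "state": set(state_m.group(1).split()) if state_m else set(),
        "nat": set(re.findall(r"\bact=(\w+)", entry)),  # e.g. {"snat", "dnat"}
        "allow_err": (int(err_m.group(1)), int(err_m.group(2))) if err_m else (0, 0),
    }


def failover_outcome(session: dict, primary_ha_id: int = 0) -> dict:
    """Who processes the session now, and whether it survives a primary failure.

    Only the "synced" flag matters for survival: NAT, allowed error packets and
    application control do not stop a flow-based session from being synced.
    (Syncing requires session-pickup to be enabled on the cluster; sessions
    handled by a proxy process are not synced at all.)
    """
    on_primary = session["ha_id"] == primary_ha_id
    synced = "synced" in session["state"]
    if synced:
        outcome = "session continues on the new primary; no client restart needed"
    else:
        outcome = "secondary has no copy; client must re-establish the session"
    return {
        "processed_by": "primary" if on_primary else "secondary",
        "synced": synced,
        "outcome": outcome,
    }


if __name__ == "__main__":
    s = parse_session(SAMPLE_SESSION)
    print(s)
    print(failover_outcome(s, primary_ha_id=0))
    # Same entry without the synced flag: the other branch of the question.
    print(failover_outcome(parse_session(SAMPLE_SESSION.replace("synced", ""))))
```

With the sample entry, `ha_id=0` and a primary HA ID of 0 gives "processed by primary" (question # 15, answer B), and the `synced` flag gives "continues on the new primary" (question # 26, answer B). Drop the flag and the same parser reports that the client must reconnect, which is what you see when session-pickup is disabled or the session is proxy-inspected.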
NEW QUESTION # 27
An administrator wants to capture ESP traffic between two FortiGates using the built-in sniffer.
If the administrator knows that there is no NAT device located between both FortiGates, what command should the administrator execute?
- A. diagnose sniffer packet any 'esp'
- B. diagnose sniffer packet any 'udp port 500'
- C. diagnose sniffer packet any 'udp port 500 or udp port 4500'
- D. diagnose sniffer packet any 'udp port 4500'
Answer: A
NEW QUESTION # 28
An LDAP user cannot authenticate against a FortiGate device.
Examine the real-time debug output shown in the exhibit when the user attempted the authentication; then answer the question below.

Based on the output in the exhibit, what can cause this authentication problem?
- A. User student is using a wrong password.
- B. User student is not found in the LDAP server.
- C. The FortiGate has been configured with the wrong password for the LDAP administrator.
- D. The FortiGate has been configured with the wrong authentication schema.
Answer: B
NEW QUESTION # 29
View these partial outputs from two routing debug commands:
Which outbound interface will FortiGate use to route web traffic from internal users to the Internet?
- A. port2
- B. port3
- C. port1
- D. Both port1 and port2
Answer: C
NEW QUESTION # 30
View the following FortiGate configuration.
All traffic to the Internet currently egresses from port1. The exhibit shows partial session information for Internet traffic from a user on the internal network:
If the priority on route ID 1 were changed from 5 to 20, what would happen to traffic matching that user's session?
- A. The session would be deleted, so the client would need to start a new session.
- B. The session would remain in the session table, but its traffic would now egress from both port1 and port2.
- C. The session would remain in the session table, and its traffic would start to egress from port2.
- D. The session would remain in the session table, and its traffic would still egress from port1.
Answer: D
Explanation:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD40943
NEW QUESTION # 31
View the exhibit, which contains a partial routing table, and then answer the question below.
Assuming all the appropriate firewall policies are configured, which of the following pings will FortiGate route? (Choose two.)
- A. Source IP address 10.72.3.52, Destination IP address 10.1.0.254.
- B. Source IP address 10.72.3.27, Destination IP address 10.1.0.52.
- C. Source IP address 10.1.0.24, Destination IP address 10.72.3.20.
- D. Source IP address 10.73.9.10, Destination IP address 10.72.3.15.
Answer: A,B
NEW QUESTION # 32
View the central management configuration shown in the exhibit, and then answer the question below.
Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?
- A. 10.0.1.240
- B. 10.0.1.244
- C. One of the public FortiGuard distribution servers
- D. 10.0.1.242
Answer: C
NEW QUESTION # 33
Examine the following partial outputs from two routing debug commands; then answer the question below:
Why is the default route using port2 not displayed in the output of the second command?
- A. It has a higher distance than the default route using port1.
- B. It has a higher priority than the default route using port1.
- C. It is disabled in the FortiGate configuration.
- D. It has a lower priority than the default route using port1.
Answer: A
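Questions # 19, # 21/# 30, # 29 and # 33 all rest on the same two rules for FortiGate static routes: distance decides whether a route is installed in the routing table at all (a down interface or a worse distance keeps it out), and priority only breaks ties between installed routes of equal distance when a new session is forwarded. The following is an added example, not code from the exam or from Fortinet, that implements those rules over a constructed configuration; the route set, the interface states and the helper names (`installed_routes`, `lookup`, `egress_devices`) are assumptions for illustration and do not reproduce the exam exhibits.

```python
"""FortiGate static-route installation and forwarding rules, as worked on the exam."""
from dataclasses import dataclass, replace
import ipaddress
from typing import Dict, List


@dataclass(frozen=True)
class StaticRoute:
    dst: str                 # destination prefix, e.g. "0.0.0.0/0"
    gateway: str
    device: str
    distance: int = 10       # FortiOS default administrative distance for static routes
    priority: int = 0        # lower value is preferred; only compared among installed routes
    status: str = "enable"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dst, strict=False)


def installed_routes(candidates: List[StaticRoute], link_up: Dict[str, bool]) -> List[StaticRoute]:
    """Routes that make it from the configuration into the active routing table.

    - a disabled route, or one whose interface is down, is never installed;
    - of the remaining routes to the same prefix, only those with the lowest
      distance are installed (the rest stay inactive in the RIB database);
    - priority plays no part here: every equal-distance route is installed.
    """
    eligible = [r for r in candidates
                if r.status == "enable" and link_up.get(r.device, False)]
    by_prefix: Dict[ipaddress.IPv4Network, List[StaticRoute]] = {}
    for r in eligible:
        by_prefix.setdefault(r.network, []).append(r)
    active: List[StaticRoute] = []
    for routes in by_prefix.values():
        best = min(r.distance for r in routes)
        active.extend(r for r in routes if r.distance == best)
    return active


def lookup(active: List[StaticRoute], dst_ip: str) -> List[StaticRoute]:
    """Forwarding decision for a new session: longest prefix match first, then
    the lowest priority value; an exact tie returns every candidate (ECMP)."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [r for r in active if addr in r.network]
    if not matches:
        return []
    longest = max(r.network.prefixlen for r in matches)
    matches = [r for r in matches if r.network.prefixlen == longest]
    best = min(r.priority for r in matches)
    return [r for r in matches if r.priority == best]


# Constructed configuration (not the exam exhibit): two usable default routes,
# one default route on a down interface, one with a worse distance, and a more
# specific route for an internal prefix.
LINK_UP = {"port1": True, "port2": True, "port3": False}
ROUTES = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "port1", distance=10, priority=5),
    StaticRoute("0.0.0.0/0", "198.51.100.1", "port2", distance=10, priority=10),
    StaticRoute("0.0.0.0/0", "192.0.2.1", "port3", distance=5, priority=0),    # port3 is down
    StaticRoute("0.0.0.0/0", "198.51.100.2", "port2", distance=20, priority=0),  # worse distance
    StaticRoute("10.72.3.0/24", "10.0.1.254", "port2"),
]


def egress_devices(routes: List[StaticRoute], link_up: Dict[str, bool], dst_ip: str) -> List[str]:
    """Interfaces a new session to dst_ip would egress from, given the configuration."""
    return sorted(r.device for r in lookup(installed_routes(routes, link_up), dst_ip))


def after_priority_change(routes: List[StaticRoute], index: int, new_priority: int) -> List[StaticRoute]:
    """Return the configuration with one route's priority changed (the # 21/# 30 scenario)."""
    changed = list(routes)
    changed[index] = replace(changed[index], priority=new_priority)
    return changed


if __name__ == "__main__":
    for r in installed_routes(ROUTES, LINK_UP):
        print("installed:", r.dst, r.device, "distance", r.distance, "priority", r.priority)
    print("new Internet session egresses:", egress_devices(ROUTES, LINK_UP, "8.8.8.8"))
    print("after port1 priority 5->20:", egress_devices(after_priority_change(ROUTES, 0, 20), LINK_UP, "8.8.8.8"))
```

Run it and the port3 default route (interface down) and the distance-20 default route never appear in the installed list, which is why the second debug command in # 33 does not show them. Both distance-10 default routes are installed; priority 5 on port1 wins the tie for new Internet sessions (# 29), and raising it to 20 moves new sessions to port2 while the installed list itself is unchanged. Which path an already-established session keeps using is a session-table question rather than a routing-table one, which is the point of answer D in # 21 and # 30.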
NEW QUESTION # 34
What is the purpose of an internal segmentation firewall (ISFW)?
- A. It splits the network into multiple security segments to minimize the impact of breaches.
- B. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.
- C. It inspects incoming traffic to protect services in the corporate DMZ.
- D. It is the first line of defense at the network perimeter.
Answer: A
NEW QUESTION # 35