The Up To The Minute Guide To NSE7 Vce

NEW QUESTION 1
Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

• A. BGP state of the peer 10.125.0.60 is Established.
• B. BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.
• C. Local BGP peer has not received an OpenConfirm from 10.200.3.1.
• D. The local BGP peer has received a total of 3 BGP prefixes.

Answer: AC

NEW QUESTION 2
A FortiGate device has the following LDAP configuration:

The administrator executed the ‘dsquery’ command in the Windows LDAp server 10.0.1.10, and got the following output:
>dsquery user –samid administrator
“CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab” Based on the output, what FortiGate LDAP setting is configured incorrectly?

• A. cnid.
• B. username.
• C. password.
• D. dn.

Answer: A

NEW QUESTION 3
View the IPS exit log, and then answer the question below.
# diagnose test application ipsmonitor 3
ipsengine exit log”
pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2021 code = 11, reason: manual
What is the status of IPS on this FortiGate?

• A. IPS engine memory consumption has exceeded the model-specific predefined value.
• B. IPS daemon experienced a crash.
• C. There are communication problems between the IPS engine and the management database.
• D. All IPS-related features have been disabled in FortiGate’s configuration.

Answer: B

NEW QUESTION 4
Which of the following conditions must be met for a static route to be active in the routing table? (Choose three.)

• A. The next-hop IP address is up.
• B. There is no other route, to the same destination, with a higher distance.
• C. The link health monitor (if configured) is up.
• D. The next-hop IP address belongs to one of the outgoing interface subnets.
• E. The outgoing interface is up.

Answer: ABE

NEW QUESTION 5
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

• A. Neighbor range
• B. Route reflector
• C. Next-hop-self
• D. Neighbor group

Answer: B

NEW QUESTION 6
Examine the IPsec configuration shown in the exhibit; then answer the question below.

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands: diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1 diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn’t there any output?

• A. The IKE real time shows the phases 1 and 2 negotiations onl
• B. It does not show any more output once the tunnel is up.
• C. The log-filter setting is set incorrectl
• D. The VPN’s traffic does not match this filter.
• E. The IKE real time debug shows the phase 1 negotiation onl
• F. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
• G. The IKE real time debug shows error messages onl
• H. If it does not provide any output, it indicates that the tunnel is operating normally.

Answer: A

NEW QUESTION 7
Which statement is true regarding File description (FD) conserve mode?

• A. IPS inspection is affected when FortiGate enters FD conserve mode.
• B. A FortiGate enters FD conserve mode when the amount of available description is less than 5%.
• C. FD conserve mode affects all daemons running on the device.
• D. Restarting the WAD process is required to leave FD conserve mode.

Answer: B

NEW QUESTION 8
Examine the partial output from two web filter debug commands; then answer the question below:

Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?

• A. Finance and banking
• B. General organization.
• C. Business.
• D. Information technology.

Answer: C

NEW QUESTION 9
An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit. The administrator decides to enable the setting link-failed-signal to fix the problem. Which statement is correct regarding this command?

• A. Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.
• B. Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
• C. Sends a link failed signal to all connected devices.
• D. Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.

Answer: A

NEW QUESTION 10
Examine the following partial output from a sniffer command; then answer the question below.

What is the meaning of the packets dropped counter at the end of the sniffer?

• A. Number of packets that didn’t match the sniffer filter.
• B. Number of total packets dropped by the FortiGate.
• C. Number of packets that matched the sniffer filter and were dropped by the FortiGate.
• D. Number of packets that matched the sniffer filter but could not be captured by the sniffer.

Answer: C

NEW QUESTION 11
Examine the output of the 'diagnose debug rating' command shown in the exhibit; then answer the question below.

Which statement are true regarding the output in the exhibit? (Choose two.)

• A. There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.
• B. The TZ value represents the delta between each FortiGuard server's time zone and the FortiGate's time zone.
• C. FortiGate will send the FortiGuard queries to the server with highest weight.
• D. A server's round trip delay (RTT) is not used to calculate its weight.

Answer: BC

NEW QUESTION 12
View the exhibit, which contains the output of get sys ha status, and then answer the question below.

Which statements are correct regarding the output? (Choose two.)

• A. The slave configuration is not synchronized with the master.
• B. The HA management IP is 169.254.0.2.
• C. Master is selected because it is the only device in the cluster.
• D. port 7 is used the HA heartbeat on all devices in the cluster.

Answer: AC

NEW QUESTION 13
Which the following events can trigger the election of a new primary unit in a HA cluster? (Choose two.)

• A. Primary unit stops sending HA heartbeat keepalives.
• B. The FortiGuard license for the primary unit is updated.
• C. One of the monitored interfaces in the primary unit is disconnected.
• D. A secondary unit is removed from the HA cluster.

Answer: AB

NEW QUESTION 14
A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have Internet access after successfully logged into the Windows AD network. The output of the ‘diagnose debug authd fsso list’ command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

• A. The user student must not be listed in the CA’s ignore user list.
• B. The user student must belong to one or more of the monitored user groups.
• C. The student workstation’s IP subnet must be listed in the CA’s trusted list.
• D. At least one of the student’s user groups must be allowed by a FortiGate firewall policy.

Answer: BD

NEW QUESTION 15
What is the purpose of an internal segmentation firewall (ISFW)?

• A. It inspects incoming traffic to protect services in the corporate DMZ.
• B. It is the first line of defense at the network perimeter.
• C. It splits the network into multiple security segments to minimize the impact of breaches.
• D. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

Answer: B

NEW QUESTION 16
View the exhibit, which contains the output of a BGP debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

• A. For the peer 10.125.0.60, the BGP state of is Established.
• B. The local BGP peer has received a total of three BGP prefixes.
• C. Since the BGP counters were last reset, the BGP peer 10.200.3.1 has never been down.
• D. The local BGP peer has not established a TCP session to the BGP peer 10.200.3.1.

Answer: BC

NEW QUESTION 17
Examine the output of the ‘diagnose sys session list expectation’ command shown in the exhibit; than answer the question below.

Which statement is true regarding the session in the exhibit?

• A. It was created by the FortiGate kernel to allow push updates from FotiGuard.
• B. It is for management traffic terminating at the FortiGate.
• C. It is for traffic originated from the FortiGate.
• D. It was created by a session helper or ALG.

Answer: A

NEW QUESTION 18
How does FortiManager handle FortiGuard requests from FortiGate devices, when it is configured as a local FDS?

• A. FortiManager can download and maintain local copies of FortiGuard databases.
• B. FortiManager supports only FortiGuard push to managed devices.
• C. FortiManager will respond to update requests only if they originate from a managed device.
• D. FortiManager does not support rating requests.

Answer: A

NEW QUESTION 19
When does a RADIUS server send an Access-Challenge packet?

• A. The server does not have the user credentials yet.
• B. The server requires more information from the user, such as the token code for two-factor authentication.
• C. The user credentials are wrong.
• D. The user account is not found in the server.

Answer: B

NEW QUESTION 20
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Why didn’t the tunnel come up?

• A. The pre-shared keys do not match.
• B. The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.
• C. The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration.
• D. The remote gateway is using aggressive mode and the local gateway is configured to use man mode.

Answer: C

NEW QUESTION 21
Examine the following partial outputs from two routing debug commands; then answer the question below.
# get router info kernel
tab=254 vf=0 scope=0type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.200.1.254 dev=2(port1)
tab=254 vf=0 scope=0type=1 proto=11 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=10.200.2.254 dev=3(port2)
tab=254 vf=0 scope=253type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/.->10.0.1.0/24 pref=10.0.1.254 gwy=0.0.0.0 dev=4(port3)
# get router info routing-table all s*0.0.0.0/0 [10/0] via 10.200.1.254, portl [10/0] via 10.200.2.254, port2, [10/0] dO.0.1.0/24 is directly connected, port3 dO.200.1.0/24 is directly connected, portl d0.200.2.0/24 is directly connected, port2
Which outbound interface or interfaces will be used by this FortiGate to route web traffic from internal users to the Internet?

• A. port!
• B. port2.
• C. Both portl and port2.
• D. port3.

Answer: B

NEW QUESTION 22
A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS errors when accessing any website. The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

What should the administrator check to fix the problem?

• A. The connectivity between the FortiGate unit and the DNS server.
• B. The connectivity between the client workstations and the DNS server.
• C. That DNS traffic from client workstations is allowed by the explicit web proxy policies.
• D. That DNS service is enabled in the explicit web proxy interface.

Answer: AB

NEW QUESTION 23
A FortiGate's portl is connected to a private network. Its port2 is connected to the Internet. Explicit web proxy is enabled in port1 and only explicit web proxy users can access the Internet. Web cache is NOT enabled. An internal web proxy user is downloading a file from the Internet via HTTP. Which statements are true regarding the two entries in the FortiGate session table related with this traffic? (Choose two.)

• A. Both session have the local flag on.
• B. The destination IP addresses of both sessions are IP addresses assigned to FortiGate's interfaces.
• C. One session has the proxy flag on, the other one does not.
• D. One of the sessions has the IP address of port2 as the source IP address.

Answer: AD

NEW QUESTION 24
An administrator cannot connect to the GIU of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:

Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

• A. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.
• B. Redirection of HTTP to HTTPS administrative access is disabled.
• C. HTTP administrative access is configured with a port number different than 80.
• D. The packet is denied because of reverse path forwarding check.

Answer: AC

NEW QUESTION 25
Examine the following traffic log; then answer the question below.
date-20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri critical vd=root service=kemel status=failure msg="NAT port is exhausted."
What does the log mean?

• A. There is not enough available memory in the system to create a new entry in the NAT port table.
• B. The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.
• C. FortiGate does not have any available NAT port for a new connection.
• D. The limit for the maximum number of entries in the NAT port table has been reached.

Answer: B

NEW QUESTION 26
......