Fortinet NSE7_EFW-7.2 시험

Question No : 1

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

• A.Enable AD-VPN in IPsec phase 1
• B.Disable add-route on hub
• C.Configure IP addresses on IPsec virtual interlaces
• D.Set protected network to all

답을 확인하기

정답:
Explanation:
To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager. Reference: = ADVPN | FortiManager 7.2.0 - Fortinet Documentation

Question No : 2

Exhibit.



Refer to the exhibit, which shows a partial touting table
What two concisions can you draw from the corresponding FortiGate configuration? (Choose two.)

• A.IPSec Tunnel aggregation is configured
• B.net-device is enabled in the tunnel IPSec phase 1 configuration
• C.OSPI is configured to run over IPSec.
• D.add-route is disabled in the tunnel IPSec phase 1 configuration.

답을 확인하기

정답:
Explanation:
Option B is correct because the routing table shows that the tunnel interfaces have a netmask of 255.255.255.255, which indicates that net-device is enabled in the phase 1 configuration. This option allows the FortiGate to use the tunnel interface as a next-hop for routing, without adding a route to the phase 2 destination1.
Option D is correct because the routing table does not show any routes to the phase 2 destination networks, which indicates that add-route is disabled in the phase 1 configuration. This option controls whether the FortiGate adds a static route to the phase 2 destination network using the tunnel interface as the gateway2.
Option A is incorrect because IPSec tunnel aggregation is a feature that allows multiple phase 2 selectors to share a single phase 1 tunnel, reducing the number of tunnels and improving performance3. This feature is not related to the routing table or the phase 1 configuration.
Option C is incorrect because OSPF is a dynamic routing protocol that can run over IPSec tunnels, but it requires additional configuration on the FortiGate and the peer device4. This option is not related to the routing table or the phase 1 configuration.
Reference: =
1: Technical Tip: ‘set net-device’ new route-based IPsec logic2
2: Adding a static route5
3: IPSec VPN concepts6
4: Dynamic routing over IPsec VPN7

Question No : 3

Refer to the exhibit, which shows a routing table.



What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

• A.Remove the 16.1.10.C prefix from the OSPF network
• B.Configure a distribute-list-out
• C.Configure a route-map out
• D.Disable Redistribute Connected

답을 확인하기

정답:
Explanation:
To block the advertisement of the 10.1.10.0 prefix in OSPF, you can configure a distribute-list-out or a route-map out. A distribute-list-out is used to filter outgoing routing updates from being advertised to OSPF neighbors1. A route-map out can also be used for filtering and is applied to outbound routing updates2.
Reference: = Technical Tip: Inbound route filtering in OSPF usi … - Fortinet Community, OSPF | FortiGate / FortiOS 7.2.2 - Fortinet Documentation

Question No : 4

Refer to the exhibit.



which contains a partial configuration of the global system.
What can you conclude from this output?

• A.NPs and CPs are enabled
• B.Only CPs arc disabled
• C.Only NPs are disabled
• D.NPs and CPs arc disabled

답을 확인하기

정답:
Explanation:
The configuration does not show any explicit disabling of NPs (Network Processors) or CPs (Content Processors). In Fortinet Enterprise Firewall, unless explicitly disabled, these processors are enabled by default to handle specific types of traffic efficiently12. Reference: = Hardware acceleration | FortiGate / FortiOS 7.2.2 - Fortinet Documentation, NSE 7 Network Security Architect - Fortinet

Question No : 5

In which two ways does fortiManager function when it is deployed as a local FDS? (Choose two)

• A.lt can be configured as an update server a rating server or both
• B.It provides VM license validation services
• C.It supports rating requests from non-FortiGate devices.
• D.It caches available firmware updates for unmanaged devices

답을 확인하기

정답:
Explanation:
The command output shows that the Neighbor Count is 2, indicating that there are more than one OSPF routers on the port3 network (Option A). NGFW-1 is also identified as the Designated Router (Option D). Reference: = OSPF | FortiGate / FortiOS 7.2.2 - Fortinet Documentation, OSPF configuration guide for ABR … - Fortinet … - Fortinet Community

Question No : 6

Exhibit.



Refer to the exhibit, which shows information about an OSPF interlace
What two conclusions can you draw from this command output? (Choose two.)

• A.The port3 network has more man one OSPF router
• B.The OSPF routers are in the area ID of 0.0.0.1.
• C.The interfaces of the OSPF routers match the MTU value that is configured as 1500.
• D.NGFW-1 is the designated router

답을 확인하기

정답:

Question No : 7

An administrator has configured two fortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.
What can the administrator do to fix this problem?

• A.Verity Mai the speed and duplex settings match between me FortiGate interfaces and the connected switch ports
• B.Configure set link -failed signal enable under-config system ha on both Cluster members
• C.Configure remote Iink monitoring to detect an issue in the forwarding path
• D.Configure set send-garp-on-failover enables under config system ha on both cluster members

답을 확인하기

정답:
Explanation:
Virtual MAC Address and Failover
- The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
#Config system ha
set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from MAC table of the switches.

Question No : 8

Exhibit.



Refer to the exhibit, which shows a partial web filter profile conjuration
What can you cone udo from this configuration about access to www.facebook, com, which is categorized as Social Networking?

• A.The access is blocked based on the Content Filter configuration
• B.The access is allowed based on the FortiGuard Category Based Filter configuration
• C.The access is blocked based on the URL Filter configuration
• D.The access is hocked if the local or the public FortiGuard server does not reply

답을 확인하기

정답:
Explanation:
The access to www.facebook.com is blocked based on the URL Filter configuration. In the exhibit, it shows that the URL “www.facebook.com” is specifically set to “Block” under the URL Filter section1. Reference: = Fortigate: How to configure Web Filter function on Fortigate, Web filter |
FortiGate / FortiOS 7.0.2 | Fortinet Document Library, FortiGate HTTPS web URL filtering … - Fortinet … - Fortinet Community

Question No : 9

Refer to the exhibit, which contains a partial BGP combination.



You want to configure a loopback as the OGP source.
Which two parameters must you set in the BGP configuration? (Choose two)

• A.ebgp-enforce-multihop
• B.recursive-next-hop
• C.ibgp-enfoce-multihop
• D.update-source

답을 확인하기

정답:
Explanation:
To configure a loopback as the BGP source, you need to set the “ebgp-enforce-multihop” and “update-source” parameters in the BGP configuration. The “ebgp-enforce-multihop” allows EBGP connections to neighbor routers that are not directly connected, while “update-source” specifies the IP address that should be used for the BGP session1.
Reference: = BGP on loopback, Loopback interface, Technical Tip: Configuring EBGP Multihop Load-Balancing, Technical Tip: BGP routes are not installed in routing table with loopback as update source

Question No : 10

Which two statements about metadata variables are true? (Choose two.)

• A.You create them on FortiGate
• B.They apply only to non-firewall objects.
• C.The metadata format is $<metadata_variabie_name>.
• D.They can be used as variables in scripts

답을 확인하기

정답:
Explanation:
Metadata variables are custom fields that you can create on FortiManager to store additional information about objects or devices. They can be used as variables in Jinja2 CLI templates or scripts to apply configurations to multiple devices or objects. They do not apply only to non-firewall objects, but also to firewall objects such as addresses, services, policies, etc. The metadata format is not $<metadata_variable_name>, but @<metadata_variable_name>@.
Reference: = Using meta field variables, Metadata Variables are supported in Firewall Objects configuration, Technical Tip: New Meta Variables and their usage including Jinja Templates, Technical Tip: Firewall objects use as metadata variable