Scribd
Upload
17 views63 pages

Vce PDF

Uploaded by

jclavrador
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
17 views63 pages

Vce PDF

Uploaded by

jclavrador
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 63

NSE7-EFW_7.

2-DUMP3-EXAMTOPICS
Exam A

QUESTION 1
Refer to the exhibit, which contains a TCL script configuration on FortiManager.

An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any changes to the managed device after
being run. Why did the TCL script fail to make any changes to the managed device?
Select one:

A. The TCL procedure run_cmd has not been created.


B. The TCL script must start with #include.
C. There is no corresponding #! To signify the end of the script.
D. The TCL procedure lacks the required loop statements to iterate through the changes.

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
A is correct Study Guide 7.2 - Page 145

QUESTION 2
You want to improve reliability over a lossy IPsec tunnel.
Which combination of IPsec phase 1 parameters should you configure?
Select one:
A. fec-ingress and fec-egress
B. dpd and dpd-retryinterval
C. fragmentation and fragmentation-mtu
D. keepalive an keylife.

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
A is correct Study Guide 7.2 - Page 317

QUESTION 3
How are bulk configuration changes made using FortiManager CLI scripts? (choose two)
Select one or more:

A. When run on the Device Database, changes are applied to the managed FortiGate device.
B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
D. When run on the Policy Package, ADOM database, you must user the installation wizard to apply the changes to the managed FortiGate
device.

Correct Answer: BD
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 - Page 140 141

QUESTION 4
Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?


Select one:

A. Only NPs are disabled.


B. Only CPs are disabled.
C. NPs and CPs are enabled.
D. NPs and CPs are disabled.

Correct Answer: C
Explanation

Explanation/Reference:
Study guide pg 53
QUESTION 5
Refer to the exhibit, which show the configurations of two address objects from the same FortiGate.
Why can modify the Engineering address object, but no the Finance address object?
Select one:

A. You have read-only access.


B. Another user is editing the Finance address object in workspace mode.
C. FortiGate joined the Security Fabric and the Finance address object was configured on the root FortiGate.
D. FortiGate is registered on FortiManager.

Correct Answer: B
Explanation

Explanation/Reference:
Reference:
Study Guide Pag. 25

QUESTION 6
Which two statements about the neighbor-group command are true? (choose two)
Select one or more:

A. It applies common settings in an OSPF area.


B. You can apply it in Internal BGP (iBGP) and External BGP (eBGP)
C. You can configure it on the GUI
D. It is combined with the neighbor-range parameter

Correct Answer: BD
Explanation

Explanation/Reference:
Study guide p. 208/209

QUESTION 7
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (choose two)
Select one or more:

A. Dead peer detection is set to enable.


B. The IKE version is 2
C. Both IPsec Sas are loaded on the kernel
D. Forward error connection in phase 2 is set to enable

Correct Answer: BC
Explanation

Explanation/Reference:
Reference:
ver=2 is IKEv2
dpd: mode=off (dead peer detection is disabled)
fec: egreess=0 ingress=0 (forward error correction is disabled) (also FEC is phase1 not 2)
npu_flag=00 means that both IPsec SA are loaded in the kernel
Study guide page 321

QUESTION 8
Which two statements about IKE version 2 fragmentation are true? (choose two)
Select one or more:

A. Only some IKE version 2 packets are considered fragmentable.


B. The reassembly timeout default value is 30 seconds.
C. It is performed at the IP layer
D. The maximum number of IKE version 2 fragments is 128

Correct Answer: AC
Explanation

Explanation/Reference:
Study Guide Pag. 299

QUESTION 9
An administrator has configured two FortiGate devices for an HA cluster.
While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former
primary device.

What can the administrator do to fix this problem?


Select one:

A. Configure se link-failed-signal enable under config system ha on both cluster members


B. Configure set send-garp-on-failover enable under config system ha on both cluster members
C. Configure remote link monitoring to detect an issue in the forwarding path
D. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
Study_Guide 7.2, page 98

QUESTION 10
Refer to the exhibit, which shows the output of a BGP summary.
What two conclusions can you draw from BGP summary? (choose two)
Select one or more:

A. The BGP session with peer 10.127.0.75 is established


B. External BGP (eBGP) exchanges routing information
C. The router 100.64.3.1 has the parameter bfd set to enable.
D. The neighbors displayed are linked to a local router with the neighbor-range se to a value of 4

Correct Answer: AB
Explanation

Explanation/Reference:
Reference:
Study guide pag 210

QUESTION 11
Refer to the exhibit, which shows a custom signature.
Which two modifications must you apply to the configuration of this custom signature so that you can save it on FortiGate? (choose two)
Select one or more:

A. Ensure that the header syntax is F-SBID


B. Add severity
C. Add attack_id
D. Start options with --.

Correct Answer: AD
Explanation

Explanation/Reference:
Reference:
study guide p. 274

QUESTION 12
What are two functions of automation stitches? (choose two)
Select one or more:

A. Automation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified
thresholds.
B. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.
C. Automation stitches can be configured on any FortiGate device in Security Fabric environment.
D. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input the current action.

Correct Answer: AD
Explanation

Explanation/Reference:
Reference:
Pages 73 to 77 in the Study Guide

QUESTION 13
Refer to the exhibit, which shows config system central-management information.
Which setting must you configure for the web filtering feature to function?
Select one:

A. Set update-server-location to automatic


B. Add server.fortiguard.net to the Server list
C. Configure securewf.fortiguard.net on the default servers
D. Configure server-type with rating option

Correct Answer: D
Explanation

Explanation/Reference:
Reference:
Page 223 in the Study Guide

QUESTION 14
Which two statements about the Security Fabric are true? (choose two)
Select one or more:

A. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer


B. Only the root FortiGate sends logs to FortiAnalyzer
C. Only FortiGate devices with configuration-sync set to default receive and synchronize global CMDB objects that the root FortiGate sends.
D. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer

Correct Answer: CD
Explanation

Explanation/Reference:
Reference:
Page 223 in the Study Guide

QUESTION 15
Refer to the exhibit, which shows two configured FortiGate devices and peering over FGSP

The Main link directly connects the two FortiGate devices and is configured using the set session-syn-dev <interface> command.
What is the primary reason to configure the main link?
Select one:
A. To have only configuration synchronization in layer 3
B. To load balance both sessions and configuration synchronization between layer 2 and 3.
C. To have both sessions and configuration synchronization in layer 3
D. To have both sessions and configuration synchronization in layer 2

Correct Answer: D
Explanation

Explanation/Reference:
Reference:
Refer to study guide page 113

QUESTION 16
Refer to the exhibit, which shows a network diagram.
Which protocol should you use to configure the FortiGate cluster?
Select one:

A. FGCP in active-passive mode


B. FGCP in active-active mode
C. FGSP
D. VRRP

Correct Answer: C
Explanation

Explanation/Reference:
Reference:
Refer to study guide page 111
QUESTION 17
After enabling IPS, you receive feedback about traffic being dropped.
What could be reason?
Select one:

A. IPS is configured to monitor


B. np-accel-node is set to enable
C. fail-open is set to disable
D. traffic-submit is set to disable

Correct Answer: C
Explanation

Explanation/Reference:
Reference:
Refer to study guide page 271
QUESTION 18
Refer to exhibit, which shows an ADVPN network.
Which VPN phase 1 parameters must you configure on the hub for the ADVPN feature to function? (choose two)
Select one or more:

A. set auto-discovery-sender enable


B. set auto-discovery-receiver enable
C. set add-route enable
D. set auto-discovery-forwarder enable

Correct Answer: AD
Explanation

Explanation/Reference:
Reference:
Refer to study guide page 332

QUESTION 19
Which two statements about metadata variables are true? (choose two)

Select one or more:

A. The metadata format is $<metadata_variable_name>


B. You create them on FortiGate
C. They can be used as variables in scripts
D. They apply only to non-firewall objects

Correct Answer: AC
Explanation

Explanation/Reference:
Reference:

Study Guide Pg. 158

https://docs.fortinet.com/document/fortimanager/7.2.0/new-features/218740/metadata-variables-are-supported-in-firewall-objects-
configuration

QUESTION 20
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub.
The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each
other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other
spoke?

Select one:

A. Configure the hub as a route reflector


B. Configure auto-discovery-sender on the hub
C. Add prefix list to the hub that permits routes to be shared between the spokes
D. Enable route redistribution under config router bgp

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
page 338 Study Guide

QUESTION 21
Refer to the exhibit, which contains a partial VPN configuration.
What can you conclude from this configuration?

Select one:

A. FortiGate creates separate virtual interfaces for each dial-up client.


B. The VPN should use the Dynamic routing protocol to exchange routing information through the tunnels.
C. Dead peer detection is disabled.
D. The routing table shows a single IPsec virtual interface

Correct Answer: D
Explanation

Explanation/Reference:
Reference:

Study Guide Pag. 311-312

QUESTION 22
Refer to the exhibit, which shows information about on OSPF interface.
What two conclusions can you draw from this command output? (choose two)
Select one or more:

A. The interfaces of the OSPF routers match the MTU value is configured as 1500.
B. NGFW-1 is the designed router
C. The port3 network has more than one OSPF router.
D. The OSPF routers are in the area ID of 0.0.0.1

Correct Answer: AC
Explanation

Explanation/Reference:
Reference:
Study Guide Page 180
QUESTION 23
Which two statements about the BFD parameter in BGP are true? (choose two)
Select one or more:

A. It detects only two-way failures.


B. The two routers must be connected to the same subnet.
C. It allows failure detection in less than one second
D. It is supported for neighbors over multiple hosps.

Correct Answer: CD
Explanation

Explanation/Reference:
Reference:
study guide page 204
QUESTION 24
You created a VPN community using VPN Manager on FortiManager. You also added gateways to the VPN community. Now you are trying to create
firewall policies to permit traffic over the tunnel; however, the VPN interfaces do not appear as available options.
What step must you take to resolve this issue?
Select one:

A. Refresh the device status using the Device Manager so that FortiGate populates the IPsec interfaces.
B. Install the VPN community and gateway configuration on the FortiGate devices so that the VPN interfaces appear on the Policy Objects on
FortiManager.
C. Configure the phase 1 settings in the VPN community that you didn`t initially configure. FortiGate automatically generates the
interfaces after you configure the required settings.
D. Create interface mappings for the IPsec VPN interfaces before you use them in a policy.

Correct Answer: B
Explanation

Explanation/Reference:
Reference:
study guide page 304-307

QUESTION 25
Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?
Select one:

A. 10.0.1.244
B. 10.0.1.242
C. Public FortiGuard servers
D. 10.0.1.243

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
Page 223 Study Guide
QUESTION 26
Which statement about the designated router (DR) and backup router (BDR) in an OSPF multi-access network is true?
Select one:

A. Only the DR receives link state information from non-DR routers.


B. Non-DR and Non-BDR routers form full adjacencies to DR only.
C. FortiGate first checks the OSPF ID to elect a DR.
D. Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6

Correct Answer: D
Explanation

Explanation/Reference:
Reference:
Page 365 Study Guide

QUESTION 27
Refer to the exhibit, which contains a partial policy configuration.
Which setting must you configure to allow SSH?
Select one:

A. Specify SSH int the Service field.


B. Select an application control profile corresponding to SSH in the Security Profiles section.
C. Include SSH in the Application
D. Configure port 22 in the Protocol Options field.

Correct Answer: C
Explanation

Explanation/Reference:
Reference:
Study Guide Page 250 - 252

QUESTION 28
Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject
alternative name (SAN) in the server certificate?
Select one:

A. FortiGate uses the first entry listed in the SAN field in the server certificate.
B. FortiGate uses the CN information from the Subject field in the in the server certificate
C. FortiGate uses the SNI from user’s web browser.
D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration

Correct Answer: B
Explanation

Explanation/Reference:
Reference:
Study Guide P. 238

QUESTION 29
Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?


Select one:

A. Neighbors maintain communication with the restarting router.


B. The restarting router sends gratuitous ARP for 30 seconds.
C. FortiGate restarts if the topology changes
D. The router sends grace LSAs before it restarts.

Correct Answer: D
Explanation

Explanation/Reference:
Reference:
Study Guide p. 176

QUESTION 30
Refer to the exhibit, which contains an ADVPN network diagram and a partial BGP configuration.
Network diagram
Select one or more:

A. set neighbor-group adpvn


B. set route-reflector-client enable
C. set prefix 10.1.0 255.255.254.0
D. set prefix 172.16.1.0 255.255.255.0

Correct Answer: AD
Explanation

Explanation/Reference:
Reference:
Study guide p. 338

QUESTION 31
You want to have faster detection for OSPF.
Which parameter should you enable on both connected FortiGate devices?
Select one:

A. distribute-list-in
B. rfc1583-compatible
C. restart-on-topology-change
D. bfd
Correct Answer: D
Explanation

Explanation/Reference:
Reference:
study guide p. 177

QUESTION 32
Refer to the exhibit, which provides information on BGP neighbors.

Which can you conclude from this command output?


Select one:

A. You must change the AS number to match the remote peer.


B. BGP is attempting to establish a TCP connection with the BGP peer.
C. The bfd configuration is set to enable.
D. The routers are in the same area ID of 0.0.0.0

Correct Answer: B
Explanation

Explanation/Reference:
Reference:

Study Guide Page 211

https://community.fortinet.com/t5/FortiGate/Technical-Tip-BGP-Neighbor-Adjacency-States/ta-p/208989

QUESTION 33
Which two statements about ADPVN are true (choose two)
Select one or more:

A. The hub adds routes based on IKE negotiations


B. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0
C. All FortiGate devices must be in the same autonomous system (AS)
D. You must disable add-route in the hub.

Correct Answer: BD
Explanation

Explanation/Reference:
Reference:
study guide p. 336

QUESTION 34
Which statement about network processor (NP) offloading is true?
Select one:

A. The NP checks the session key or IPsec SA


B. The NP provides IPS signature matching
C. You can disable the NP for each firewall policy using command np-acceleration set to loose.
D. For TCP traffic, FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to NP.

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
study guide 7.2, page 44

QUESTION 35
Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?
Select one:

A. udp is not a protocol option


B. fortiguard-anycast is set to enable
C. You do not have the corresponding write access
D. FortiManager provides FortiGuard.

Correct Answer: B
Explanation

Explanation/Reference:
Reference:
study guide page 245

QUESTION 36
Refer to the exhibit, which contains an active-active load balancing scenario.

What is the destination MAC address or address when packets are forwarded from the primary FortiGate to the secondary FortiGate?
Select one:

A. Secondary virtual MAC port1 then physical MAC port1


B. Secondary virtual MAC port1
C. Secondary physical MAC port1
D. Secondary physical MAC port1 then virtual MAC port2

Correct Answer: C
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 100
QUESTION 37
Which configuration can be used to reduce the number of BGP sessions in an iBGP network?
Select one:

A. route-reflector-peer enable
B. route-reflector-server enable
C. route-reflector-client enable
D. route-reflector enable

Correct Answer: C
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 203

QUESTION 38
In which two ways does FortiManger function when it is deployed as a local FDS? (choose two)
Select one or more:
A. It can be configured as an update server, a rating server, or both.
B. It caches available firmware updates for unmanaged devices.
C. It supports rating requests from non-FortiGate devices.
D. It provides VM license validation services.

Correct Answer: AD
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 222, 224

QUESTION 39
Refer to the exhibit, which shows a partial web filter profile configuration.
What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?
Select one:

A. The access is blocked, based on the URL Filter configuration


B. The access is blocked, based on the Content Filter configuration.
C. The access is allowed, based on the FortiGuard Category Based Filter configuration.
D. The access is blocked if the local or the local or the public FortiGuard server does not reply.

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 235

QUESTION 40
Refer to the exhibit, which shows an ADVPN network.
The client behind Spoke-1 generates traffic to the device located behind Spoke-2
Which first message does the hub send to Spoke-1 to bring up the dynamic tunnel?
Select one:

A. Shortcut forward.
B. Shortcut reply.
C. Shortcut query.
D. Shortcut offer

Correct Answer: D
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 333
QUESTION 41
Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (choose three)
Select one or more:

A. OSPF interface network types match.


B. OSPF interface priority settings are unique.
C. OSPF router IDs are unique.
D. OSPF link costs match.
E. Authentication settings match.

Correct Answer: ACE


Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 364
QUESTION 42
Refer to the exhibit, which shows a partial routing enable.

What two conclusions can you draw from the corresponding FortiGate configuration? (choose two)
Select one or more:

A. OSPF is configured to run over IPsec


B. net-device is enabled in the tunnel IPsec phase 1 configuration.
C. IPsec tunnel aggregation is configured.
D. add-route is disabled in the tunnel IPsec phase 1 configuration.

Correct Answer: BD
Explanation
Explanation/Reference:
Reference:
Study Guide P. 311-313

QUESTION 43
Which two statements about bfd are true? (choose two)
Select one or more:

A. You must configure it globally only


B. You can disable it at the protocol level.
C. It can support neighbors only over the next hop in BGP.
D. It works for OSPF and BGP.

Correct Answer: BD
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 177 and 202

QUESTION 44
Refer to the exhibit, which contains a partial BGP configuration.

You want to configure a loopback as the BGP source.


Which two parameters must you set in the BGP configuration? (choose two)
Select one or more:

A. ebgp-enforce-multihop.
B. recursive-next-hop
C. ibgp-enforce-multihop
D. update-source

Correct Answer: AD
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 207
QUESTION 45
You want to configure faster failure detection for BGP.
Which parameter should you enable on both connected FortiGate devices?
Select one:

A. graceful-restart
B. distribute-list-in
C. ebgp-enforce-multihop
D. bfd

Correct Answer: D
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 202

QUESTION 46
You configured an address object on the root FortiGate in a Security Fabric. This object is not synchronized with a downstream device.
Which two reasons could be the cause? (choose two)
Select one or more:
A. The downstream FortiGate has fabric-object-unification set to local.
B. The root FortiGate has configuration-sync set to enable.
C. The address object on the root FortiGate has fabric-object set to disable.
D. The downstream FortiGate has configuration-sync set to local.

Correct Answer: CD
Explanation

Explanation/Reference:
Reference:
Study Guide P. 67

QUESTION 47
Refer to the exhibit, which contains a CLI script configuration on FortiManager. An administrator configured the CLI script on
FortiManager, but the script failed to apply any changes to the managed device after being executed.
Select one:

What are two reasons why the script did not make any changes to the managed device? (choose two)
Select one or more:

A. CLI scripts must start with #!


B. Static routes can be added using only TCL scripts
C. Incomplete commands can cause CLI scripts to fail
D. The commands that start with the # sign did not run

Correct Answer: CD
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 147
QUESTION 48
Refer to the exhibit, which shows the output from the webfilter fortiguard cache and webfilter categories commands.

Select one:

A. The administrator can look up the hex value 34 in the second command output.
B. The administrator must convert the first two digits of the Domain hex value to a decimal value.
C. The administrator must convert the first three digits of the IP hex value to binary
D. The administrator must add both the Domain and IPhex values of 34 to get category number.

Correct Answer: B
Explanation
Explanation/Reference:
Reference:
Study Guide P. 246

QUESTION 49
Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.

Which two parameters must you configure on the corresponding single hub? (choose two)
Select one or more:

A. set auto-discovery-receiver enable


B. set auto-discovery-sender enable
C. set ike-version 2
D. set auto-discovery-forwarder enable

Correct Answer: BC
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 336
QUESTION 50
You want to block access to the website www.eicar.org using a custom IPS signature.
Which custom IPS signature should you configure?
Select one:

A. F-SBID ( --name “detect_eicar”; --protocol udp; --service ssl; --flow from_client; --pattern “www.eicar.org”; --no_case; --context
host;)
B. F-SBID ( --name “eicar”; --protocol udp; --flow from_server; --pattern “eicar”; --context host;)
C. F-SBID ( --name “detect_eicar”; --protocol tcp; --service dns; --flow from_server; --pattern “eicar”; --no_case;)
D. F-SBID ( --name “eicar”; --protocol tcp; --service HTTP; --flow from_client; --pattern “www.eicar.org”; --no_case; --context host;)

Correct Answer: D
Explanation

Explanation/Reference:
Reference:

Study Guide Pag. 277-280

QUESTION 51
Refer to the exhibit, which shows a network diagram.

Which IPsec phase 2 configuration should you implement so that only one remote site is connected at any time?
Select one:

A. Set net-device to enable


B. Set route-overlap to allow
C. Set single-source to enable
D. Set route-ouverlap to either use-new or use-old.
Correct Answer: D
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 315

QUESTION 52
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?
Select one:

A. Enable ADVPN in IPsec phase 1


B. Configure IP address on IPsec virtual interfaces
C. Set protected network to all
D. Disable add-route on hub

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 340

QUESTION 53
Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices.
Which two conclusions can you draw from this configuration? (choose two)
select one or more:

A. The VRRP domain uses the physical MAC address of the primary FortiGate.
B. On failover, new primary device uses the same MAC address as the old primary.
C. 10.1.5.254 is the default gateway of the internal network.
D. By default, FortiGate-B is the primary virtual router.

Correct Answer: BC
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 124-125
QUESTION 54
Which two statements about IKE version 2 are true? (choose two)
Select one or more:

A. It supports the XAuth protocol


B. Phase 1 includes main mode.
C. It exchanges a minimum of four messages to establish a secure tunnel.
D. It supports the extensible authentication protocol (EAP)

Correct Answer: CD
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 294-295

QUESTION 55
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?
Select one:

A. Only the root FortiGate


B. Each FortiGate in the Security Fabric
C. The FortiGate devices performing network address translation (NAT) or unified threat management (UTM), if configured.
D. Only the last FortiGate that handled a session in the Security Fabric.

Correct Answer: B
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 64-68

Page 68

QUESTION 56
Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two)
Select one or more:

A. Configure a route-map-out
B. Disable Redistribute Connected
C. Configure a distribute-list-out
D. Remove the 10.1.10.0 prefix from the OSPF network.

Correct Answer: BD
Explanation

Explanation/Reference:
Reference:
study guide p.170-171
QUESTION 57
Which two statements about ADVPN are true? (choose two)
Select one or more:

A. auto-discovery-receiver must be set to enable on the spokes


B. Spoke-to-spoke traffic never goes through the hub
C. It supports NAT for on-demand tunnels
D. Routing is configured by enabling add-advpn-route

Correct Answer: AC
Explanation

Explanation/Reference:
Reference:
Study Guide 7.2 Page 331 and 337

You might also like