NSE7 Enterprise Firewall - FortiOS 5.4

Here you have the best Fortinet NSE7 practice exam questions

You have 86 total questions to study from
Each page has 5 questions, making a total of 18 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on October 23, 2025
This site is not affiliated with or endorsed by Fortinet.

Question 1 of 86

Examine the IPsec configuration shown in the exhibit; then answer the question below.
Exam NSE7: Question 1 - Image 1

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands: diagnose vpn ike log-filter src-addr4 10.0.10.1 diagnose debug application ike -1 diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?

The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.

The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.

The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.

The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.

Correct Answer: A

The IKE real-time debug primarily shows the Phase 1 and Phase 2 negotiations. Therefore, if the tunnel is already up and running, there would be no further output displayed for regular traffic or keepalive messages as these would not trigger Phase 1 or Phase 2 negotiations. The lack of output simply indicates that there are no active negotiations occurring since the VPN tunnel is already established, which aligns with the expected behavior when the tunnel is up and stable.

Question 2 of 86

Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)

SIP session helper runs in the kernel; SIP ALG runs as a user space process.

SIP ALG supports SIP HA failover; SIP helper does not.

SIP ALG supports SIP over IPv6; SIP helper does not.

SIP ALG can create expected sessions for media traffic; SIP helper does not.

SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.

Correct Answer: A, B, C

The SIP session helper runs in the kernel, while the SIP ALG runs as a user space process. The SIP ALG supports SIP over IPv6, which the SIP helper does not. Additionally, the SIP ALG supports SIP HA failover, while the SIP session helper does not.

Question 3 of 86

Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?

FortiGate limits the number of simultaneous sessions per explicit web proxy user. This limit CANNOT be modified by the administrator.

FortiGate limits the total number of simultaneous explicit web proxy users.

FortiGate limits the number of simultaneous sessions per explicit web proxy user. The limit CAN be modified by the administrator.

FortiGate limits the number of workstations that authenticate using the same web proxy user credentials. This limit CANNOT be modified by the administrator.

Correct Answer: B

FortiGate limits the total number of simultaneous explicit web proxy users. This limit varies depending on the FortiGate model, and it includes both explicit FTP proxy and explicit web proxy users. This total limit cannot be modified by the administrator.

Question 4 of 86

A corporate network allows Internet Access to FSSO users only. The FSSO user student does not have Internet access after successfully logged into the
Windows AD network. The output of the "˜diagnose debug authd fsso list' command does not show student as an active FSSO user. Other FSSO users can access the Internet without problems. What should the administrator check? (Choose two.)

The user student must not be listed in the CA's ignore user list.

The user student must belong to one or more of the monitored user groups.

The student workstation's IP subnet must be listed in the CA's trusted list.

At least one of the student's user groups must be allowed by a FortiGate firewall policy.

Correct Answer: A, B

The user student must not be listed in the CA's ignore user list, as being on this list would prevent the user from appearing in the FSSO monitored users list. Additionally, the user student must belong to one or more of the monitored user groups, since only users in monitored groups are tracked and allowed access. These two checks ensure that the user is recognized and authorized by the FortiGate system to access the internet.

Question 5 of 86

An administrator has decreased all the TCP session timers to optimize the FortiGate memory usage. However, after the changes, one network application started to have problems. During the troubleshooting, the administrator noticed that the FortiGate deletes the sessions after the clients send the SYN packets, and before the arrival of the SYN/ACKs. When the SYN/ACK packets arrive to the FortiGate, the unit has already deleted the respective sessions. Which TCP session timer must be increased to fix this problem?

TCP half open.

TCP half close.

TCP time wait.

TCP session time to live.

Correct Answer: A

The issue described involves the FortiGate deleting sessions after clients send SYN packets but before receiving the SYN/ACK packets. This indicates a problem with how long half-open TCP sessions (sessions where the handshake is not yet complete) are kept alive. To fix this, increasing the TCP half open session timer would allow more time for the SYN/ACK packets to arrive and complete the handshake before the session is terminated.