Fortinet NSE 7 - Enterprise Firewall 6.4

Here you have the best Fortinet NSE7_EFW-6.4 practice exam questions

You have 35 total questions to study from
Each page has 5 questions, making a total of 7 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on November 11, 2024

Question 1 of 35

Which two tasks are automated using the Install Wizard on FortiManager? (Choose two.)

Installing configuration changes to managed devices

Importing interface mappings from managed devices

Adding devices to FortiManager

Previewing pending configuration changes for managed devices

Correct Answer: A, D

Reference:

https://docs.fortinet.com/document/fortimanager/6.2.0/administration-guide/668612/using-the-install-wizard-to-install-device-settings-only

Question 2 of 35

Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command.

Based on the output, which two statements are correct? (Choose two.)

Phase 2 authentication is set to sha1 on both sides.

Anti-replay is disabled.

Hub2Spoke1 is a policy-based VPN.

Hub2Spoke1 is configured on interface wan2.

Correct Answer: A, D

Based on the provided output of the get vpn ipsec tunnel details command, the following two statements are correct: Phase 2 authentication is set to sha1 on both sides, indicated by 'auth: sha1' for both inbound and outbound settings. Hub2Spoke1 is configured on interface wan2, as mentioned in the 'interface' line showing 'wan2' (6).

Question 3 of 35

Refer to the exhibit, which shows the output of a debug command.

Which two statements about the output are true? (Choose two.)

The local FortiGate OSPF router ID is 0.0.0.4.

Port4 is connected to the OSPF backbone area.

In the network connected to port4, two OSPF routers are down.

The local FortiGate is the backup designated router.

Correct Answer: A, D

The local FortiGate OSPF router ID is indeed 0.0.0.4, as indicated in the output. The output also shows that the Backup Designated Router (BDR) has an ID of 0.0.0.1 and is at the interface address 172.20.121.239, different from the local router. Therefore, the local FortiGate is the Designated Router (DR) since it matches the router ID of 172.20.140.2. The local FortiGate being DR contradicts option D, which would have been misleading if we assume it's a redundant statement. Hence correct choices are A.

Question 4 of 35

Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

Anti-replay is enabled

The remote gateway IP is 10.200.4.1.

DPD is disabled.

Quick mode selectors are disabled.

Correct Answer: A, B

Anti-replay is enabled, as indicated by the presence of a replay window and the replay window size (replaywin=2048). The remote gateway IP address is 10.200.4.1, as specified in the bound_if and proxyid sections.

Question 5 of 35

Refer to the exhibit, which contains partial output from an IKE real-time debug.

Which two statements about this debug output are correct? (Choose two.)

The remote gateway IP address is 10.0.0.1.

The initiator provided remote as its IPsec peer ID.

It shows a phase 1 negotiation.

The negotiation is using AES128 encryption with CBC hash.

Correct Answer: B, C

This debug output contains details from an IKE real-time debug. One of the key indicators for this being a phase 1 negotiation is the reference to 'VID' lines, which are vendor ID payloads used in IKE phase 1. The line indicating PSK (Pre-Shared Key) authentication and the subsequent success confirms it is part of phase 1. For the option regarding the remote peer ID, the debug log displays 'received peer identifier FQDN 'remote', indicating that the initiator provided 'remote' as its IPsec peer ID. Therefore, the correct statements are that it is a phase 1 negotiation, and the initiator provided 'remote' as its IPsec peer ID.