
nse7_efw-70 Exam - Question 5


Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network.

An administrator would like to test session failover between the two service provider connections.

What changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)

Correct Answer: ABC

To force the existing session to immediately start using the other interface, the administrator needs to enable the 'snat-route-change' setting and change the priority of the static routes. Enabling 'snat-route-change' ensures that routing information is flushed from existing SNAT sessions after a routing change, enabling these sessions to use the new best route. Additionally, changing the priority of the port1 static route to a higher value will force the failover by making port2 the preferred route. Therefore, the correct options are to configure 'set snat-route-change enable' and to change the priority of the port1 static route to 11.

Discussion

17 comments
Comatose - Options: AC
Jan 5, 2023

It's A & C. B would just create an equal cost solution and not a failover scenario.

Agent1994 - Options: AC
May 1, 2023

A, C: snat-route-change needs to be changed to enabled (default: disabled) to make this test, and then change the priority to force traffic to go through port2. B: nope, both ports would have the same priority. D: default is disabled, and we need to enable it. Ref: Enterprise_Firewall_7.0_Study_Guide-Online 147

pcbbj - Options: AC
Jan 4, 2023

A and C

Seph1 - Options: AC
Jan 28, 2023

A - to change the route when failover happens
C - to force the failover

mastheooo - Options: AC
Jan 5, 2023

A & C for answer, snat-route for force existing traffic (may_dirty flag)

stalker1ua - Options: AC
Feb 7, 2023

vote A & C

ducduc95 - Options: AC
Feb 20, 2023

vote A & C

Beluga123 - Options: AC
Mar 1, 2023

A - When 'snat-route-change' is enabled, after a routing change, routing information is flushed from existing SNAT sessions; so, the existing SNAT sessions can use the new best route.
C - same distance, different priority: The routing table contains the two static routes but only the one with the lowest priority is used for routing traffic.

zanssanz - Options: AB
Mar 9, 2023

I agree with answer A and B, the question is asking for the straight solution; I read it as either or instead of step 1 step 2, I wonder which one is the correct answer. Depending on how we read it can be A and B or A and C.

Quetchup - Options: AC
Mar 24, 2023

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 148-149

certifi46 - Options: AC
May 10, 2023

A and C

caleidoscopio - Options: AC
May 21, 2023

Correct answer: A C

pete79 - Options: AC
Jul 23, 2023

vote A & C

cedigger - Options: AC
Jul 29, 2023

A and C

Malasxd - Options: AC
Oct 13, 2023

A and C

ronia - Options: AC
Dec 8, 2023

A and C

cbu_ch - Options: AC
Feb 1, 2024

A and C