
NSE7_EFW-6.4 Questions and Answers

Note! The following NSE7_EFW-6.4 exam is now retired. Please select the alternative replacement for your exam certification. The new exam code is NSE7_EFW-7.0.


Question # 6

What is the purpose of an internal segmentation firewall (ISFW)?

A. It inspects incoming traffic to protect services in the corporate DMZ.

B. It is the first line of defense at the network perimeter.

C. It splits the network into multiple security segments to minimize the impact of breaches.

D. It is an all-in-one security appliance that is placed at remote sites to extend the enterprise network.

Question # 7

The CLI command set intelligent-mode controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

A. Determines the optimal number of IPS engines required based on system load.

B. Downloads signatures on demand from FDS based on scanning requirements.

C. Determines when it is secure enough to stop scanning session traffic.

D. Choose a matching algorithm based on available memory and the type of inspection being performed.

Question # 8

A FortiGate is rebooting unexpectedly without any apparent reason. What troubleshooting tools could an administrator use to get more information about the problem? (Choose two.)

A. Firewall monitor.

B. Policy monitor.

C. Logs.

D. Crashlogs.

Question # 9

Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

A. Anti-replay is enabled.

B. DPD is disabled.

C. Remote gateway IP is 10.200.4.1.

D. Quick mode selectors are disabled.

Question # 10

Refer to the exhibit, which contains the output of a BGP debug command.

Which statement explains why the state of the 10.200.3.1 peer is Connect?

A. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfirm yet.

B. The TCP session to 10.200.3.1 has not completed the three-way handshake.

C. The local router is receiving the BGP keepalives from the peer, but it has not received a BGP prefix yet.

D. The local router has received the BGP prefixes from the remote peer.

Question # 11

An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit. The administrator decides to enable the setting link-failed-signal to fix the problem. Which statement is correct regarding this command?

A. Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.

B. Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.

C. Sends a link failed signal to all connected devices.

D. Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.

Question # 12

When using the SSL certificate inspection method to inspect HTTPS traffic, how does FortiGate filter web requests when the client browser does not provide the server name indication (SNI) extension?

A. FortiGate uses the requested URL from the user’s web browser.

B. FortiGate uses the CN information from the Subject field in the server certificate.

C. FortiGate blocks the request without any further inspection.

D. FortiGate switches to the full SSL inspection method to decrypt the data.

Question # 13

Refer to the exhibits, which contain the partial configurations of two VPNs on FortiGate.

An administrator has configured two VPNs for two different user groups. Users who are in the Users-2 group are not able to connect to the VPN. After running a diagnostics command, the administrator discovered that FortiGate is not matching the user-2 VPN for members of the Users-2 group.

Which two changes must the administrator make to fix the issue? (Choose two.)

A. Use different pre-shared keys on both VPNs.

B. Enable Mode Config on both VPNs.

C. Set up specific peer IDs on both VPNs.

D. Change to aggressive mode on both VPNs.

Question # 14

Four FortiGate devices configured for OSPF are connected to the same broadcast domain. The first unit is elected as the designated router. The second unit is elected as the backup designated router. Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

A. 1

B. 2

C. 3

D. 4

Question # 15

Refer to the exhibit, which shows the output of a debug command.

Which two statements about the output are true? (Choose two.)

A. The local FortiGate OSPF router ID is 0.0.0.4.

B. Port4 is connected to the OSPF backbone area.

C. In the network connected to port4, two OSPF routers are down.

D. The local FortiGate is the backup designated router.

Question # 16

View the exhibit, which contains the output of a debug command, and then answer the question below.

What statement is correct about this FortiGate?

A. It is currently in system conserve mode because of high CPU usage.

B. It is currently in FD conserve mode.

C. It is currently in kernel conserve mode because of high memory usage.

D. It is currently in system conserve mode because of high memory usage.

Question # 17

Examine the following traffic log; then answer the question below.

date=20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri=critical vd=root service=kernel status=failure msg="NAT port is exhausted."

What does the log mean?

A. There is not enough available memory in the system to create a new entry in the NAT port table.

B. The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.

C. FortiGate does not have any available NAT port for a new connection.

D. The limit for the maximum number of entries in the NAT port table has been reached.

Question # 18

View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Why didn’t the tunnel come up?

A. The pre-shared keys do not match.

B. The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.

C. The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration.

D. The remote gateway is using aggressive mode and the local gateway is configured to use main mode.
