Professional Documents
Culture Documents
NSE7 _ EFW -6 .0 Ex am
Fortinet NSE 7- Enterprise Firewall 6.0 Exam
Version:8.0
Question:1
ExaminetheIPsecconfigurationshownintheexhibit;thenanswerthequestionbelow.
diagnosevpnikelog-filtersrc-addr410.0.10.1
diagnosedebugapplicationike-1
diagnosedebugenable
TheVPNis currentlyup, thereis notrafficcrossingthetunnel andDPDpackets arebeing
interchangedbetweenbothIPsecgateways.However,theIKEreal timedebugdoesNOTshowany
output.Whyisn’tthereanyoutput?
A.TheIKErealtimeshowsthephases1and2negotiationsonly.Itdoesnotshowanymoreoutput
oncethetunnelisup.
B.Thelog-filtersettingissetincorrectly.TheVPN’strafficdoesnotmatchthisfilter.
C. TheIKEreal timedebugshowsthephase1negotiationonly. Forinformationafterthat, the
administratormustusetheIPsecrealtimedebuginstead:diagnosedebugapplicationipsec-1.
D.TheIKErealtimedebugshowserrormessagesonly.Ifitdoesnotprovideanyoutput,itindicates
thatthetunnelisoperatingnormally.
Answer:B
Question:2
WhichofthefollowingstatementsaretrueregardingtheSIPsessionhelperandtheSIPapplication
layergateway(ALG)?(Choosethree.)
A.SIPsessionhelperrunsinthekernel;SIPALGrunsasauserspaceprocess.
B.SIPALGsupportsSIPHAfailover;SIPhelperdoesnot.
C.SIPALGsupportsSIPoverIPv6;SIPhelperdoesnot.
D.SIPALGcancreateexpectedsessionsformediatraffic;SIPhelperdoesnot.
E.SIPhelpersupportsSIPoverTCPandUDP;SIPALGsupportsonlySIPoverUDP.
Answer:B,C,D
Question:3
AFortiGatedevicehasthefollowingLDAPconfiguration:
Page4
Theadministratorexecutedthe‘dsquery’commandintheWindowsLDApserver10.0.1.10,andgot
thefollowingoutput:
>dsqueryuser–samidadministrator
“CN=Administrator,CN=Users,DC=trainingAD,DC=training,DC=lab”
Basedontheoutput,whatFortiGateLDAPsettingisconfiguredincorrectly?
A.cnid.
B.username.
C.password.
D.dn.
Answer:B
Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD37516
Question:4
AcorporatenetworkallowsInternetAccesstoFSSOusersonly.TheFSSOuserstudentdoesnothave
InternetaccessaftersuccessfullyloggedintotheWindowsADnetwork.Theoutputofthe‘diagnose
debugauthdfssolist’commanddoesnotshowstudentasanactiveFSSOuser.OtherFSSOuserscan
accesstheInternetwithoutproblems.Whatshouldtheadministratorcheck?(Choosetwo.)
A.TheuserstudentmustnotbelistedintheCA’signoreuserlist.
B.Theuserstudentmustbelongtooneormoreofthemonitoredusergroups.
C.Thestudentworkstation’sIPsubnetmustbelistedintheCA’strustedlist.
D.Atleastoneofthestudent’susergroupsmustbeallowedbyaFortiGatefirewallpolicy.
Answer:A,D
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD38828
Question:5
Page5
AnadministratorhasdecreasedalltheTCPsessiontimerstooptimizetheFortiGatememoryusage.
However, after thechanges, onenetwork applicationstartedtohaveproblems. Duringthe
troubleshooting,theadministratornoticedthattheFortiGatedeletesthesessionsaftertheclients
sendtheSYNpackets,andbeforethearrivaloftheSYN/ACKs.WhentheSYN/ACKpacketsarriveto
theFortiGate,theunithasalreadydeletedtherespectivesessions.WhichTCPsessiontimermustbe
increasedtofixthisproblem?
A.TCPhalfopen.
B.TCPhalfclose.
C.TCPtimewait.
D.TCPsessiontimetolive.
Answer:A
Explanation:
http://docs-
legacy.fortinet.com/fos40hlp/43prev/wwhelp/wwhimpl/common/html/wwhelp.htm?context=fgt&fil
e=CLI_get_Commands.58.25.html
Thetcp-halfopen-timer controlsfor howlong, after aSYNpacket, asessionwithout SYN/ACK
remainsinthetable.
Thetcp-halfclose-timer controls for howlong, after aFINpacket, asessionwithout FIN/ACK
remainsinthetable.
Thetcp-timewait-timercontrolsforhowlong, afteraFIN/ACKpacket, asessionremainsinthe
table. Aclosedsessionremainsinthesessiontableforafewsecondsmoretoallowanyout-of-
sequencepacket.
Question:6
AnadministratorisrunningthefollowingsnifferinaFortiGate:
diagnosesnifferpacketany“host10.0.2.10”2
Whatinformationisincludedintheoutputofthesniffer?(Choosetwo.)
A.Ethernetheaders.
B.IPpayload.
C.IPheaders.
D.Portnames.
Answer:B,C
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=11186
Question:7
Examinethepartialoutputfromtwowebfilterdebugcommands;thenanswerthequestionbelow:
Page6
A.Financeandbanking
B.Generalorganization.
C.Business.
D.Informationtechnology.
Answer:C
Question:8
Whichstatementsaretrueregardingtheaboveoutput?(Choosetwo.)
A.Theport4interfaceisconnectedtotheOSPFbackbonearea.
B.ThelocalFortiGatehasbeenelectedastheOSPFbackupdesignatedrouter.
C.Thereareatleast5OSPFroutersconnectedtotheport4network.
D.TwoOSPFroutersaredownintheport4network.
Answer:A,C
Explanation:
onBROADCASTnetworkthereare4neighbors, amongwhich1*DR+1*BDR. Soour FGhas4
neighbors,butcreateadjacencyonlywith2(withDRandBDR).2neighborsDRother(notdown).