Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

NSE7_EFW-7.0Free trial

By fortinet

Verified

25Q per page

Question 1

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)

A: OSPF interface network types match.
B: OSPF router IDs are unique.
C: OSPF interface priority settings are unique.
D: Authentication settings match.
E: OSPF link costs match.

—

Question 2

Refer to the exhibits, which contain the partial configurations of two VPNs on FortiGate.

An administrator has configured two VPNs for two different user groups. Users who are in the Users-2 group are not able to connect to the VPN. After running a diagnostics command, the administrator discovered that FortiGate is not matching the user-2 VPN for members of the Users-2 group.
Which two changes must the administrator make to fix the issue? (Choose two.)

A: Use different pre-shared keys on both VPNs.
B: Enable XAuth on both VPNs.
C: Set up specific peer IDs on both VPNs.
D: Change to aggressive mode on both VPNs.

—

Question 3

Refer to the exhibit, which shows partial outputs from two routing debug commands.

Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?

A: Set the priority of the static default route using port1 to 10.
B: Set the priority of the static default route using port2 to 1.
C: Set preserve-session-route to enable.
D: Set snat-route-change to enable.

—

Question 4

Refer to the exhibit, which shows a partial routing table.

Assuming all the appropriate firewall policies are configured, what two changes would an administrator need to make if they wanted to send traffic from a client directly connected to port3, to a server directly connected to port4? (Choose two.)

A: Configure route leaking between VRF 12 and VRF 21.
B: Disable auto-asic-offload as this is not supported between VRF instances.
C: Configure RIPv2 to exchange route information between the VRF instances.
D: Configure route leaking between port3 and port4.
E: Enable SNAT on the relevant firewall policies to prevent RPF check drops.

—

Question 5

What is the diagnose test application ipsmenitor 5 command used for?

A: To enable IPS bypass mode
B: To disable the IPS engine
C: To restart all IPS engines and monitors
D: To provide information regarding IPS sessions

—

Question 6

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.
What can the administrator do to fix this problem?

A: Configure remote link monitoring to detect an issue in the forwarding path.
B: Configure set send-garp-on-failover enable under config system ha on both cluster members.
C: Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.
D: Configure set link-failed-signal enable under config system ha on both cluster members.

—

Question 7

Which statement about IKE and IKE NAT-T is true?

A: IKE is used to encapsulate ESP traffic in some situations, and IKE NAT-T is used only when the local FortiGate is using NAT on the IPsec interface.
B: IKE is the standard implementation for IKEv1 and IKE NAT-T is an extension added in IKEv2.
C: They both use UDP as their transport protocol and the port number is configurable.
D: They each use their own IP protocol number.

—

Question 8

Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

A: The remote gateway has quick mode selectors containing a destination subnet of 10.1.2.0/24.
B: The remote gateway IP is 10.200.5.1.
C: DPD is disabled.
D: Anti-replay is enabled.

—

Question 9

Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?

A: Only the DR receives link state information from non-DR routers.
B: Non-DR and non-BDR routers form full adjacencies to DR only.
C: Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6.
D: FortiGate first checks the OSPF ID to elect a DR.

—

Question 10

An administrator has been assigned the task of creating a set of firewall policies which must be evaluated before any custom policies defined within the policy packages of managed FortiGate devices, across all 25 ADOMSs in FortiManager.
How should the administrator accomplish this task?

A: Create a footer policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this footer policy to all other ADOMs.
B: Create a header policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this header policy to all other ADOMs.
C: Move the FortiGate devices into a single globally scoped ADOM, and merge policy packages, inserting the new firewall policies at the top.
D: Use a CLI script from the root ADOM on FortiManager to push these new policies to all FortiGate devices, through the FGFM tunnel.

—

Question 11

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

A: route-reflector enable
B: route-reflector-server enable
C: route-reflector-client enable
D: route-reflector-peer enable

—

Question 12

Refer to the exhibit, which contains partial output from an IKE real-time debug.

The administrator does not have access to the remote gateway.
Based on the debug output, which configuration change can the administrator make to the local gateway to resolve the phase 1 negotiation error?

A: In the phase 1 network configuration, set the IKE version to 2.
B: In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.
C: In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.
D: In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.

—

That’s the end of your free questions

You’ve reached the preview limit for NSE7_EFW-7.0

Consider upgrading to gain full access!

Page 1 of 3 • Questions 1-25 of 60

1 2 3

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!