Join Us Among the Stars

Sign Up & unlock 100% of Exam Questions

Log in / Sign up

No Strings Attached!

70Practice Questions

3Study Modes

Free

TopicSort

Question 1

System troubleshooting

Refer to the exhibit.
Partial output of FortiOS kernel slabs

Question Image

The partial output of FortiOS kernel slabs is shown.
Which statement about total slab size is true?

A The total slab size of the ip6_session slab is 1472 kB and is associated with the kernel.
B The total slab size of the ip_session slab is 14080 kB and is associated with the user space.
C The total slab size of the UDPv6 slab is 14080 kB and is associated with the user space.
D The total slab size of the tcp_session slab is 7500 kB and is associated with the kernel.

Question 2

System troubleshooting

Question 3

Routing

Question 4

System troubleshooting

Question 5

Security profiles

Question 6

VPN

Question 7

Security profiles

Question 8

System troubleshooting

Question 9

VPN

Question 10

System troubleshooting

Question 11

Authentication

Question 12

System troubleshooting

Question 13

VPN

Question 14

System troubleshooting

Question 15

System troubleshooting

Question 16

System troubleshooting

Question 17

VPN

Question 18

System troubleshooting

Question 19

Routing

Question 20

Routing

Question 21

System troubleshooting

Question 22

System troubleshooting

Question 23

Authentication

Question 24

VPN

Question 25

VPN

Page 1 of 3 • Questions 1-25 of 70

1 2 3

→

Know a question that should be here? Contribute to this exam

Refer to the exhibit.
The partial output of diagnose sys session stat command is shown.

Question Image

Which statement about the output shown in the exhibit is correct?

A 27 sessions have expired but are still in the session table in case any out-of-order packets arrive.
B 562 TCP sessions have their proto_state set to 01 if there is no inspection.
C There have been 131072 recorded ephemeral sessions but there are no current ones.
D 113 sessions have been dropped because of memory page exhaustion.

Refer to the exhibit.
The output of a BGP debug command is shown.

Question Image

Why has the local router at 172.16.23.58 been unable to establish adjacency with its only neighbor?

A The local router has not received an OPEN message from the neighbor.
B There is no active route to the BGP neighbor.
C The neighbor router has become unreachable, which is evident by the low ratio of messages received to messages sent.
D The local router has not received a SYN/ACK packet from the neighbor.

Refer to the exhibit.

Debug output -

Question Image

Which two statements about FortiGate behavior relating to this session are correct? (Choose two.)

A FortiGate either initiated the session or the session terminates at FortiGate.
B FortiGate redirected the client to the captive portal to authenticate so that a correct policy match could be made.
C FortiGate forwarded this session without any inspection.
D FortiGate is performing a security profile inspection using the CPU.

Which two protocol states indicate that traffic is bidirectional? (Choose two.)

A proto_state=05 for a TCP session.
B proto_state=01 for a TCP session.
C proto_state=01 for a UDP session.
D proto_state=00 for an ICMP session.

Question 6

VPN

Question 7

Security profiles

Question 8

System troubleshooting

Question 9

VPN

Question 10

System troubleshooting

Question 11

Authentication

Question 12

System troubleshooting

Question 13

VPN

Question 14

System troubleshooting

Question 15

System troubleshooting

Question 16

System troubleshooting

Question 17

VPN

Question 18

System troubleshooting

Question 19

Routing

Question 20

Routing

Question 21

System troubleshooting

Question 22

System troubleshooting

Question 23

Authentication

Question 24

VPN

Question 25

VPN

Refer to the exhibit.

VPN tunnel details -

Question Image

Partial output of the get vpn ipsec tunnel details command is shown.
Based on the output, which two statements are correct? (Choose two.)

A Anti-replay is enabled.
B The npu_flag for this tunnel is 03.
C The npu_flag for this tunnel is 02.
D Different SPI values are a result of auto-negotiation being disabled for phase2 selectors.

Which two statements about Security Fabric communications are true? (Choose two.)

A The default ports for FortiTelemetry and Neighbor Discovery can be modified.
B Security Fabric communication is enabled by default among all Fortinet devices.
C FortiTelemetry must be manually enabled on the FortiGate interface.
D By default, the downstream FortiGate establishes a connection with the upstream FortiGate using TCP port 8013.

Refer to the exhibit.
High Availability configuration status

Question Image

Which two statements about the output are true considering NGFW-1 and NGFW-2 have been up for a week? (Choose two.)

A If a configuration change is made to the secondary FortiGate, the Configuration Status will not change.
B If a configuration change is made to the primary FortiGate at this time, the secondary will initiate a synchronization reset.
C If FGVM...649 is rebooted, FGVM...650 will become the primary FortiGate and retain that role, even after FGVM...649 rejoins the cluster.
D If port7 becomes disconnected on the secondary FortiGate, both FortiGate devices will elect themselves as primary.

Refer to the exhibit.

Debug output -

Question Image

The output of the command diagnose vpn tunnel list is shown.
Reviewing the debug command, what is the current status of the traffic flowing through the tunnel?

A NP6 is handling the offloading.
B The inbound IPsec SA was copied to the NPU.
C The outbound IPsec SA was copied to the NPU.
D The inbound and outbound IPsec SAs were copied to the NPU.

Refer to the exhibit.

Question Image

Which three pieces of information does the diagnose sys top command provide? (Choose three.)

A The miglogd daemon is running on CPU core ID 0.
B The cmdbsvr process is occupying 2.4% of the total user memory space.
C The diagnose sys top command has been running for 18 minutes.
D If the newcli daemon continues to be in the R state, it will need to be manually restarted.
E The miglogd daemon would be on top of the list, if the administrator pressed m on the keyboard.

Refer to the exhibit.

Real-time OSPF debug output -

Question Image

Partial output of a real-time OSPF debug is shown.
Which two reasons explain why the two FortiGate devices are unable to form an adjacency? (Choose two.)

A The remote peer has either OSPF cleartext or MD5 authentication configured.
B The local FortiGate has either OSPF cleartext or MD5 authentication configured.
C There is an OSPF authentication configuration mismatch.
D The local FortiGate does not have OSPF authentication configured.

Refer to the exhibit.
Partial output of a diagnose command

Question Image

The partial output of a diagnose command is shown.
Which two conclusions can you draw from the output shown in the exhibit? (Choose two.)

A FortiGate will drop the expected traffic if it does not arrive within 23 seconds.
B The packets that belong to this session are checked against firewall policy ID 25.
C The TCP session is not established.
D This is a pinhole session to allow traffic for a TCP protocol that dynamically assigns TCP ports.

Refer to the exhibit.

Debug output -

Question Image

A partial output from an IKE real-time debug is shown.
The administrator does not have access to the remote gateway.
Based on the debug output, which two conclusions can you draw? (Choose two.)

A There is a Diffie-Hellman group mismatch.
B This is a phase1 negotiation.
C The remote peer is the initiating peer.
D This is a phase2 negotiation.

Refer to the exhibit.

Question Image

The exhibit shows a session entry.

Which statement about this TCP session is true?

A The session will expire in one second.
B The session is offloaded using NP7.
C Return traffic to the initiator is sent to 10.9.31.117.
D It is a TCP session from 10.9.31.117 to 10.1.0.3.

What are two reasons you might see iprope_in_check() check failed, drop when using the debug flow? (Choose two.)

A The packet was dropped because the trusted host list is misconfigured.
B The packet was dropped because it is not allowed by any firewall policy.
C The packet was dropped because the requested service is not enabled on FortiGate.
D The packet was dropped because there is no route to the source.

Refer to the exhibit.

Question Image

The administrator did not override the FortiGuard FQDN or IP address in the FortiGate configuration.

Which IP address did FortiGate get when resolving the service.fortiguard.net name?

A 64.26.151.37
B 209.22.147.36
C 208.91.112.194
D 96.45.33.65

Refer to the exhibits.

Question Image

Partial configurations of two VPNs on FortiGate are shown.

An administrator has configured two VPNs for two different user groups. Users who are in the Users-2 group are not able to connect to the VPN. After running a diagnostics command, the administrator discovers that FortiGate is not matching the user-2 VPN for members of the Users-2 group.

Which two changes must the administrator make to fix the issue? (Choose two.)

A Change to aggressive mode on both VPNs.
B Enable XAuth on both VPNs.
C Set up specific peer IDs on both VPNs.
D Use different pre-shared keys on both VPNs.

Refer to the exhibit.

Question Image

FortiGate is showing continuous high CPU usage. During a maintenance window, the CLI command diagnose sys top displays the output shown in the exhibit.

The CLI command diagnose test application ipsmonitor 5 was run, but the CPU usage by daemon ipsengine did not drop.

Which immediate action can you take to reduce the CPU usage effectively?

A Reduce the number of IPS signatures enabled on the active IPS profiles.
B Bypass all IPS engines.
C Execute diagnose test application ipsmonitor 2 instead.
D Disable IPS on all firewall policies.

Refer to the exhibit.
Network topology and a partial routing table

Question Image

Network topology and a partial routing table is shown.
FortiGate has already been configured with a firewall policy that allows all ICMP traffic to flow from port1 to port3.
Which two changes can the administrator perform to ensure the server at 10.4.0.1/24 receives the echo reply from the laptop at 10.1.0.1/24? (Choose two.)

A Modify the default gateway on the laptop from 10.1.0.2 to 10.1.0.254.
B Change the FortiGate configuration from strict RPF check mode to feasible RPF check mode.
C Enable asymmetric routing under config system settings.
D Add a default static route on FortiGate to forward all traffic to port3.

Refer to the exhibits.

Exhibit 1 -

Question Image

Exhibit 2 -

Question Image

The configuration on FortiGate and partial internet session information from a user on the internal network are shown.
An administrator would like to test session failover between the two service provider connections.
Which two changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)

A Modify the distance of the port1 route to 1.
B Change the priority of the port1 static route to 11.
C Configure set snat-route-change enable.
D Change the priority of the port2 static route to 5.

Which two troubleshooting steps should you perform if you encounter issues with intermittent web filter behavior? (Choose two.)

A Check that the correct port is mapped to HTTP in the Protocol Options.
B Check that the communication between FortiGate and FortiGuard is stable.
C Check that the inspection mode configured for the web filter profile matches that of the firewall policy where it is applied.
D Check that FortiGate is not entering conserve mode.

Refer to the exhibit.

Question Image

The output of diagnose sys session list command is shown.

If the HA ID for the primary device is 0, what happens if the primary falils and the secondary becomes the primary?

A The session is synchronized with the secondary device, however, because application control is applied, the session is marked dirty and has to be re-evaluated after failover.
B The session state is preserved but the kernel will re-evaluate the session because the routing information will be flushed.
C The session will be removed from the session table of the secondary device because the TCP session is not yet fully established.
D The session continues to permit traffic on the new primary device after failover, without requiring the client to restart the session with the server.

Refer to the exhibit.

Question Image

An administrator deployed FSSO in DC Agent mode but FSSO is failing on FortiGate. Pinging FortiGate from where the collector agent is deployed is successful. The administrator then produces the debug output shown in the exhibit.

Which two components could be causing this error message? (Choose two.)

A The collector agent preshared password is mismatched.
B FortiGate and the collector agent are using different TCP ports.
C The connection is blocked by the Windows firewall.
D TCP port 445 is blocked between FortiGate and the collector agent.

Refer to the exhibit.
The sniffer log on two FortiGate devices are shown.

Question Image

Based on the information in the log, which two factors explain the output on FortiGate FGT-02?

A The administrator configured the wrong remote peer IP address on FGT-01.
B The administrator set the wrong sniffer filter on FGT-02.
C The administrator has not yet configured the VPN tunnel on FGT-02.
D A third-party device is blocking protocol 50.

A VPN tunnel is up. To monitor traffic flow, the administrator enters the following CLI commands on an SSH session on FortiGate:

diagnose debug enable

diagnose sniffer packet any ’udp and port 500’ 4

However, the sniffer does not show any output.
Assuming default configuration values, what are two possible reasons there is no output? (Choose two.)

A The sniffer output will be ignored because running diagnose debug enable shows only application real-time debugs.
B NAT Traversal is enabled.
C The sniffer must be restricted to the remote peer IP address.
D The filter should be modified to also capture packets for TCP port 443 or TCP port 4500.

Join Us Among the Stars

FCSS-NST-SE-7-6Preview

About the FCSS-NST-SE-7-6 Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

diagnose debug enable

diagnose sniffer packet any ’udp and port 500’ 4