Refer to the exhibit, which contains a TCL script configuration on FortiManager.
An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any changes to the managed device after being run.
Why did the TCL script fail to make any changes to the managed device?
A. The TCL procedure run_cmd has not been created.
B. The TCL script must start with #include.
C. There is no corresponding #! to signify the end of the script.
D. The TCL procedure lacks the required loop statements to iterate through the changes.
How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)
A. When run on the Device Database, changes are applied directly to the managed FortiGate device.
B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.
C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.
D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate device.
Which two statements about the neighbor-group command are true? (Choose two.)
A. It applies common settings in an OSPF area
B. You can apply it in Internal BGP (IBGP) and External BGP (EBGP)
C. You can configure it on the GUI
D. It is combined with the neighbor-range parameter
Refer to the exhibit, which contains a partial configuration of the global system.
What can you conclude from this output?
A. Only NPs are disabled
B. Only CPs are disabled
C. NPs and CPs are enabled
D. NPs and CPs are disabled
Which two statements about IKE version 2 fragmentation are true? (Choose two.)
A. Only some IKE version 2 packets are considered fragmentable
B. The reassembly timeout default value is 30 seconds
C. It is performed at the IP layer
D. The maximum number of IKE version 2 fragments is 128
Refer to the exhibits, which show the configurations of two address objects from the same FortiGate.
Engineering address object -
Finance address object -
Why can you modify the Engineering address object, but not the Finance address object?
A. You have read-only access.
B. Another user is editing the Finance address object in workspace mode.
C. FortiGate joined the Security Fabric and the Finance address object was configured on the root FortiGate.
D. FortiGate is registered on FortiManager.
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.
What can the administrator do to fix this problem?
A. Configure set link-failed-signal enable under config system ha on both cluster members
B. Configure set send-garp-on-failover enable under config system ha on both cluster members.
C. Configure remote link monitoring to detect an issue in the forwarding path.
D. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.
Refer to the exhibit, which contains information about an IPsec VPN tunnel.
What two conclusions can you draw from the command output? (Choose two.)
A. Dead peer detection is set to enable
B. The IKE version is 2
C. Both IPsec SAs are loaded on the kernel
D. Forward error correction in phase 2 is set to enable
Refer to the exhibit, which shows the output of a BGP summary.
What two conclusions can you draw from this BGP summary? (Choose two.)
A. The BGP session with peer 10.127.0.75 is established.
C. The router 100.64.3.1 has the parameter bfd set to enable.
D. The neighbors displayed are linked to a local router with the neighbor-range set to a value of 4.
What are two functions of automation stitches? (Choose two.)
A. Automation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.
B. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.
C. Automation stitches can be configured on any FortiGate device in a Security Fabric environment.
D. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.
Refer to the exhibit, which shows a custom signature.
Which two modifications must you apply to the configuration of this custom signature so that you can save it on FortiGate? (Choose two.)
A. Ensure that the header syntax is F-SBID.
B. Add severity.
C. Add attack_id.
D. Start options with --.
Refer to the exhibit, which shows config system central-management information.
Which setting must you configure for the web filtering feature to function?
A. Set update-server-location to automatic
B. Add server.fortiguard.net to the Server list
C. Configure securewf.fortiguard.net on the default servers
D. Configure server-type with the rating option
Refer to the exhibit, which shows two configured FortiGate devices and peering over FGSP.
The main link directly connects the two FortiGate devices and is configured using the set session-sync-dev <interface> command.
What is the primary reason to configure the main link?
A. To have only configuration synchronization in layer 3
B. To load balance both sessions and configuration synchronization between layer 2 and 3
C. To have both sessions and configuration synchronization in layer 3
D. To have both sessions and configuration synchronization in layer 2
Refer to the exhibit, which shows a network diagram.
Which protocol should you use to configure the FortiGate cluster?
A. FGCP in active-passive mode
B. FGCP in active-active mode
C. FGSP
D. VRRP
Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?
A. Only the DR receives link state information from non-DR routers.
B. Non-DR and non-BDR routers form full adjacencies to DR only.
C. FortiGate first checks the OSPF ID to elect a DR.
D. Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6.
Refer to the exhibit, which shows an SSL certificate inspection configuration.
Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate?
A. FortiGate uses the first entry listed in the SAN field in the server certificate
B. FortiGate uses the CN information from the Subject field in the server certificate
C. FortiGate uses the SNI from the user's web browser.
D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration
Refer to the exhibit, which contains a partial OSPF configuration.
What can you conclude from this output?
A. Neighbors maintain communication with the restarting router.
B. The restarting router sends gratuitous ARP for 30 seconds.
C. FortiGate restarts if the topology changes.
D. The router sends grace LSAs before it restarts.
Refer to the exhibit, which contains an ADVPN network diagram and a partial BGP configuration.
Network diagram -
Partial BGP configuration -
Which two parameters should you configure in config neighbor-range? (Choose two.)
A. set neighbor-group advpn
B. set route-reflector-client enable
C. set prefix 10.1.0 255.255.254.0
D. set prefix 172.16.1.0 255.255.255.0
Which two statements about ADVPN are true? (Choose two.)
A. The hub adds routes based on IKE negotiations.
B. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0.
C. All FortiGate devices must be in the same autonomous system (AS).
D. You must disable add-route in the hub.
Which statement about network processor (NP) offloading is true?
A. The NP checks the session key or IPSec SA.
B. The NP provides IPS signature matching.
C. You can disable the NP for each firewall policy using the command np-acceleration set to loose.
D. For TCP traffic, FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to NP.
Refer to the exhibits, which contain the network topology and BGP configuration for a hub.
Exhibit A.
Exhibit B.
An administrator is trying to configure ADVPN with a hub-and-spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub is receiving route information from both spokes over iBGP; however, the spokes are not receiving route information from each other.
What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other spoke?
A. Configure the hub as a route reflector
B. Configure auto-discovery-sender on the hub
C. Add a prefix list to the hub that permits routes to be shared between the spokes
D. Enable route redistribution under config router bgp
Refer to the exhibit, which shows an error in system fortiguard configuration.
What is the reason you cannot set the protocol to udp in config system fortiguard?
A. udp is not a protocol option.
B. fortiguard-anycast is set to enable.
C. You do not have the corresponding write access.
D. FortiManager provides FortiGuard.
After enabling IPS, you receive feedback about traffic being dropped.
What could be the reason?
A. IPS is configured to monitor.
B. np-accel-node is set to enable.
C. fail-open is set to disable.
D. traffic-submit is set to disable.
Refer to the exhibit, which shows an ADVPN network.
Which VPN phase 1 parameters must you configure on the hub for the ADVPN feature to function? (Choose two.)