Actual Fortinet NSE7_EFW-6.4 Practice Test Online

NEW QUESTION 1
What global configuration setting changes the behavior for content-inspected traffic while FortiGate is in system conserve mode?

• A. av-failopen
• B. mem-failopen
• C. utm-failopen
• D. ips-failopen

Answer: A

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Other_Profile_Consideratio

NEW QUESTION 2
Examine the output of the ‘diagnose ips anomaly list’ command shown in the exhibit; then answer the question below.

Which IP addresses are included in the output of this command?

• A. Those whose traffic matches a DoS policy.
• B. Those whose traffic matches an IPS sensor.
• C. Those whose traffic exceeded a threshold of a matching DoS policy.
• D. Those whose traffic was detected as an anomaly by an IPS sensor.

Answer: A

NEW QUESTION 3
View the central management configuration shown in the exhibit, and then answer the question below.

Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?

• A. 10.0.1.240
• B. One of the public FortiGuard distribution servers
• C. 10.0.1.244
• D. 10.0.1.242

Answer: B

NEW QUESTION 4
Which two conditions must be met for a statistic route to be active in the routing table? (Choose two.)

• A. The link health monitor (if configured) is up.
• B. There is no other route, to the same destination, with a higher distance.
• C. The outgoing interface is up.
• D. The next-hop IP address is up.

Answer: AC

NEW QUESTION 5
View the exhibit, which contains the output of a diagnose command, and then answer the question below.

What statements are correct regarding the output? (Choose two.)

• A. This is an expected session created by a session helper.
• B. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.
• C. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.
• D. This is an expected session created by an application control profile.

Answer: AC

NEW QUESTION 6
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Why didn’t the tunnel come up?

• A. The pre-shared keys do not match.
• B. The remote gateway’s phase 2 configuration does not match the local gateway’s phase 2 configuration.
• C. The remote gateway’s phase 1 configuration does not match the local gateway’s phase 1 configuration.
• D. The remote gateway is using aggressive mode and the local gateway is configured to use man mode.

Answer: C

NEW QUESTION 7
Refer to the exhibit, which contains partial outputs from two routing debug commands.

Why is the port2 default route not in the second command's output?

• A. It has a higher priority value than the default route using port1.
• B. It is disabled in the FortiGate configuration.
• C. It has a lower priority value than the default route using port1.
• D. It has a higher distance than the default route using port1.

Answer: D

NEW QUESTION 8
Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)

• A. SIP session helper runs in the kernel; SIP ALG runs as a user space process.
• B. SIP ALG supports SIP HA failover; SIP helper does not.
• C. SIP ALG supports SIP over IPv6; SIP helper does not.
• D. SIP ALG can create expected sessions for media traffic; SIP helper does not.
• E. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.

Answer: BCD

NEW QUESTION 9
A FortiGate is configured as an explicit web proxy. Clients using this web proxy are reposting DNS errors when accessing any website. The administrator executes the following debug commands and observes that the n-dns-timeout counter is increasing:

What should the administrator check to fix the problem?

• A. The connectivity between the FortiGate unit and the DNS server.
• B. The connectivity between the client workstations and the DNS server.
• C. That DNS traffic from client workstations is allowed by the explicit web proxy policies.
• D. That DNS service is enabled in the explicit web proxy interface.

Answer: A

NEW QUESTION 10
Examine the following traffic log; then answer the question below.
date-20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri critical vd=root service=kemel status=failure msg="NAT port is exhausted."
What does the log mean?

• A. There is not enough available memory in the system to create a new entry in the NAT port table.
• B. The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.
• C. FortiGate does not have any available NAT port for a new connection.
• D. The limit for the maximum number of entries in the NAT port table has been reached.

Answer: B

NEW QUESTION 11
Which real time debug should an administrator enable to troubleshoot RADIUS authentication problems?

• A. Diagnose debug application radius -1.
• B. Diagnose debug application fnbamd -1.
• C. Diagnose authd console –log enable.
• D. Diagnose radius console –log enable.

Answer: B

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD32838

NEW QUESTION 12
Which statement about memory conserve mode is true?

• A. A FortiGate exits conserve mode when the configured memory use threshold reaches yellow.
• B. A FortiGate starts dropping all the new and old sessions when the configured memory use threshold reaches extreme.
• C. A FortiGate starts dropping new sessions when the configured memory use threshold reaches red
• D. A FortiGate enters conserve mode when the configured memory use threshold reaches red

Answer: C

NEW QUESTION 13
Refer to the exhibit, which contains the debug output of diagnose dvm device list.

Which two statements about the output shown in the exhibit are correct? (Choose two.)

• A. ADOMs are disabled on the FortiManager
• B. The FortiGate configuration is in sync with latest running revision history.
• C. There are pending device-level changes yet to be installed on Local-FortiGate.
• D. The policy package has been modified for Local-FortiGate.

Answer: BC

NEW QUESTION 14
Four FortiGate devices configured for OSPF connected to the same broadcast domain. The first unit is elected as the designated router The second unit is elected as the backup designated router Under normal operation, how many OSPF full adjacencies are formed to each of the other two units?

• A. 1
• B. 2
• C. 3
• D. 4

Answer: B

NEW QUESTION 15
Examine the partial output from the IKE real time debug shown in the exhibit; then answer the question below.

Why didn’t the tunnel come up?

• A. IKE mode configuration is not enabled in the remote IPsec gateway.
• B. The remote gateway’s Phase-2 configuration does not match the local gateway’s phase-2 configuration.
• C. The remote gateway’s Phase-1 configuration does not match the local gateway’s phase-1 configuration.
• D. One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.

Answer: C

NEW QUESTION 16
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

• A. Neighbor range
• B. Route reflector
• C. Next-hop-self
• D. Neighbor group

Answer: B

Explanation:
Route reflectors help to reduce the number of IBGP sessions inside an AS. A route reflector forwards the routers learned from one peer to the other peers. If you configure route reflectors, you dont’ need to create a full mesh IBGP network. All clients in a cluster only talck to route reflector to get sync routing updates. Route reflectors pass the routing updates to other route reflectors and border routers within the AS.

NEW QUESTION 17
Refer to the exhibit, which shows the output of a debug command.

Which two statements about the output are true? (Choose two.)

• A. The local FortiGate OSPF router ID is 0.0.0.4.
• B. Port4 is connected to the OSPF backbone area.
• C. In the network connected to port4, two OSPF routers are down.
• D. The local FortiGate is the backup designated router.

Answer: AB

Explanation:
Area 0.0.0.0 is the backbone area.

NEW QUESTION 18
View the exhibit, which contains the output of a diagnose command, and the answer the question below.

Which statements are true regarding the Weight value?

• A. Its initial value is calculated based on the round trip delay (RTT).
• B. Its initial value is statically set to 10.
• C. Its value is incremented with each packet lost.
• D. It determines which FortiGuard server is used for license validation.

Answer: C

NEW QUESTION 19
......