Fortinet NSE7_EFW-7.2 Practice Test - Questions Answers, Page 4

Option B is correct because the routing table shows that the tunnel interfaces have a netmask of 255.255.255.255, which indicates that net-device is enabled in the phase 1 configuration.This option allows the FortiGate to use the tunnel interface as a next-hop for routing, without adding a route to the phase 2 destination1.

Option D is correct because the routing table does not show any routes to the phase 2 destination networks, which indicates that add-route is disabled in the phase 1 configuration.This option controls whether the FortiGate adds a static route to the phase 2 destination network using the tunnel interface as the gateway2.

Option A is incorrect because IPSec tunnel aggregation is a feature that allows multiple phase 2 selectors to share a single phase 1 tunnel, reducing the number of tunnels and improving performance3. This feature is not related to the routing table or the phase 1 configuration.

Option C is incorrect because OSPF is a dynamic routing protocol that can run over IPSec tunnels, but it requires additional configuration on the FortiGate and the peer device4. This option is not related to the routing table or the phase 1 configuration.Reference: =

1: Technical Tip: 'set net-device' new route-based IPsec logic2

2: Adding a static route5

3: IPSec VPN concepts6

4: Dynamic routing over IPsec VPN7

To reduce the number of BGP sessions in an IBGP network, you can use a route reflector, which acts as a focal point for IBGP sessions and readvertises the prefixes to all other peers. To configure a route reflector, you need to enable the route-reflector-client option on the neighbor-group settings of the hub device. This will make the hub device act as a route reflector server and the other devices as route reflector clients.Reference:=Route exchange | FortiGate / FortiOS 7.2.0 - Fortinet Documentation

Option A is correct because to allow SSH, you need to specify SSH in the Service field of the policy configuration.This is because the Service field determines which types of traffic are allowed by the policy1. By default, the Service field is set to App Default, which means that the policy will use the default ports defined by the applications.However, SSH is not one of the default applications, so you need to specify it manually or create a custom service for it2.

Option B is incorrect because configuring port 22 in the Protocol Options field is not enough to allow SSH.The Protocol Options field allows you to customize the protocol inspection and anomaly protection settings for the policy3. However, this field does not override the Service field, which still needs to match the traffic type.

Option C is incorrect because including SSH in the Application field is not enough to allow SSH.The Application field allows you to filter the traffic based on the application signatures and categories4. However, this field does not override the Service field, which still needs to match the traffic type.

Option D is incorrect because selecting an application control profile corresponding to SSH in the Security Profiles section is not enough to allow SSH. The Security Profiles section allows you to apply various security features to the traffic, such as antivirus, web filtering, IPS, etc. However, this section does not override the Service field, which still needs to match the traffic type.Reference: =

1: Firewall policies

2: Services

3: Protocol options profiles

4: Application control

Option D is the correct answer because it specifically blocks access to the website ''www.eicar.org'' using TCP protocol and HTTP service, which are commonly used for web browsing. The other options either use the wrong protocol (UDP), the wrong service (DNS or SSL), or the wrong pattern (''eicar'' instead of ''www.eicar.org'').Reference:=Configuring custom signatures | FortiGate / FortiOS 7.4.0 - Fortinet Document Library, section ''Signature to block access to example.com''.

In an ADVPN scenario, when traffic is initiated from a client behind one spoke to another spoke, the hub sends a shortcut query to the initiating spoke. This query is used to determine if there is a more direct path for the traffic, which can then trigger the establishment of a dynamic tunnel between the spokes.

The configuration line ''set dpd on-idle'' indicates that dead peer detection (DPD) is set to trigger only when the tunnel is idle, not actively disabled1.Reference:FortiGate IPSec VPN User Guide - Fortinet Document Library

From the given VPN configuration, dead peer detection (DPD) is set to 'on-idle', indicating that DPD is enabled and will be used to detect if the other end of the VPN tunnel is still alive when no traffic is detected. Hence, option C is incorrect. The configuration shows the tunnel set to type 'dynamic', which does not create separate virtual interfaces for each dial-up client (A), and it is not specified that dynamic routing will be used (B). Since this is a phase 1 configuration snippet, the routing table aspect (D) cannot be concluded from this alone.

Option A is correct because the address object on the tool FortiGate will not be synchronized with the downstream devices if it has fabric-object set to disable.This option controls whether the address object is shared with other FortiGate devices in the Security Fabric or not1.

Option C is correct because the downstream FortiGate will not receive the address object from the tool FortiGate if it has fabric-object-unification set to local.This option controls whether the downstream FortiGate uses the address objects from the root FortiGate or its own local address objects2.

Option B is incorrect because the root FortiGate has configuration-sync set to enable by default, which means that it will synchronize the address objects with the downstream devices unless they are disabled by the fabric-object option3.

Option D is incorrect because the downstream FortiGate has configuration-sync set to local by default, which means that it will receive the address objects from the root FortiGate unless they are overridden by the fabric-object-unification option4.Reference: =

1: Group address objects synchronized from FortiManager5

2: Security Fabric address object unification6

3: Configuration synchronization7

4: Configuration synchronization7

: Security Fabric - Fortinet Documentation

The commands that start with the # sign did not run because they are treated as comments in the CLI script. Incomplete commands can cause CLI scripts to fail because they are not recognized by the FortiGate device. The other options are incorrect because static routes can be added using CLI or GUI, and CLI scripts do not need to start with #!.Reference:=Configuring custom scripts | FortiManager 7.2.0 - Fortinet Documentation, section ''CLI script syntax''.

To use the VPN interfaces in a policy, you need to install the VPN community and gateway configuration on the FortiGate devices first. This will create the VPN interfaces on the FortiGate and sync them with FortiManager.Reference:

Creating IPsec VPN communities

VPN | FortiGate / FortiOS 7.2.0