ExamGecko
Fortinet NSE7_NST-7.2 Practice Test - Questions Answers, Page 2

Refer to the exhibits, which show the configuration on FortiGate and partial session information for internet traffic from a user on the internal network.

If the priority on route ID _ were changed from 10 to 0, what would happen to traffic matching that user session?

A. The session would be deleted, and the client would need to start a new session.
B. The session would remain in the session table, but its traffic would now egress from both port1 and port2.
C. The session would remain in the session table, and its traffic would egress from port2.
D. The session would remain in the session table, and its traffic would egress from port1.
Suggested answer: C

Explanation:

The exhibits show the configuration of static routes and a session table entry for an active session. The static routes are configured with different priorities:

Route through port1 with a gateway of 10.200.1.254 and priority 5.

Route through port2 with a gateway of 10.200.2.254 and priority 10.

If the priority of the route through port2 is changed from 10 to 0, this route will become more preferred than the route through port1 because lower priority values indicate higher preference. As a result, the traffic for the existing session will switch to using the more preferred route:

The session would remain active in the session table, as FortiGate does not immediately clear sessions upon route changes unless explicitly configured to do so.

The traffic for the session would then start egressing from port2, whose route is now preferred because of its lower priority value.

Fortinet Documentation on Routing Configuration

Fortinet Community on Session Handling
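The route-selection rule the explanation applies, as an added example in Python (not code from ExamGecko or Fortinet): it models lowest distance first, then lowest priority value, with routes that tie on both used together as ECMP, so it also covers the equal-priority case behind option B. The route IDs are assumed because the question elides them; the gateways and priorities come from the explanation.

```python
# Added example (not ExamGecko's, Fortinet's or FortiOS code): a model of the
# static-route selection the explanation relies on. Assumed order: lowest
# administrative distance wins; among equal-distance routes the lowest priority
# value is preferred; routes tying on both are used together (ECMP).
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class StaticRoute:
    route_id: int
    interface: str
    gateway: str
    distance: int = 10
    priority: int = 0  # lower value = more preferred


def select_egress(routes: list[StaticRoute]) -> list[str]:
    """Interface(s) a fresh route lookup would pick, sorted by name."""
    if not routes:
        return []
    best_distance = min(r.distance for r in routes)
    candidates = [r for r in routes if r.distance == best_distance]
    best_priority = min(r.priority for r in candidates)
    return sorted({r.interface for r in candidates if r.priority == best_priority})


def reprioritise(routes: list[StaticRoute], route_id: int,
                 new_priority: int) -> list[StaticRoute]:
    """Copy of the table with one route's priority changed."""
    if not any(r.route_id == route_id for r in routes):
        raise ValueError(f"no static route with id {route_id}")
    return [replace(r, priority=new_priority) if r.route_id == route_id else r
            for r in routes]


# Constructed table with the gateways and priorities from the explanation;
# the route IDs are made up because the question elides them.
ROUTING_TABLE = [
    StaticRoute(route_id=1, interface="port1", gateway="10.200.1.254", priority=5),
    StaticRoute(route_id=2, interface="port2", gateway="10.200.2.254", priority=10),
]


def egress_after_change(route_id: int, new_priority: int) -> list[str]:
    """Egress the existing session uses once FortiGate re-evaluates its route
    after the change; the session entry itself stays in the session table."""
    return select_egress(reprioritise(ROUTING_TABLE, route_id, new_priority))


if __name__ == "__main__":
    print("before change:", select_egress(ROUTING_TABLE))          # ['port1']
    print("port2 priority 10 -> 0:", egress_after_change(2, 0))   # ['port2']
    print("port2 priority 10 -> 5:", egress_after_change(2, 5))   # ['port1', 'port2']
```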

Refer to the exhibit, which shows one-way communication from the downstream FortiGate to the upstream FortiGate within a Security Fabric.

What three actions must you take to ensure successful communication? (Choose three.)

A. Ensure the port for Neighbor Discovery has been changed.
B. FortiGate must not be in NAT mode.
C. Ensure TCP port 8013 is not blocked along the way.
D. You must authorize the downstream FortiGate on the root FortiGate.
E. You must enable Security Fabric/FortiTelemetry on the receiving interface of the upstream FortiGate.
Suggested answer: C, D, E

Explanation:

The exhibit shows a sniffer capture where TCP port 8013 is being used for communication. The communication appears one-way, indicating potential issues with the upstream FortiGate receiving the necessary packets or being able to respond.

To ensure successful communication in a Security Fabric setup:

Ensure TCP port 8013 is not blocked along the way: Verify that no firewalls or network devices between the downstream and upstream FortiGates are blocking TCP port 8013. This port is crucial for Security Fabric communication.

Authorize the downstream FortiGate on the root FortiGate: In the Security Fabric, the root FortiGate must recognize and authorize the downstream FortiGate to allow proper communication and management.

Enable Security Fabric/FortiTelemetry on the receiving interface of the upstream FortiGate: The upstream FortiGate must have Security Fabric or FortiTelemetry enabled on the interface that receives the communication from the downstream FortiGate. This enables proper data exchange and monitoring within the Security Fabric.

Fortinet Documentation on Security Fabric Configuration

Fortinet Community Discussion on Port Requirements

Refer to the exhibit, which shows the output of a BGP debug command.

Which statement explains why the state of the 10.200.3.1 peer is Connect?

A. The local router initiated the BGP session to 10.200.3.1 but did not receive a response.
B. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfirm yet.
C. The router 10.200.3.1 has authentication configured for BGP and the local router does not.
D. The local router has a different AS number than the remote peer.
Suggested answer: A

Explanation:

The BGP summary output shows the state of the 10.200.3.1 peer as 'Connect.' This state indicates that the local router has attempted to initiate a BGP session with the peer, but the peer has not yet responded to the initial connection request.

State Explanation: The 'Connect' state in BGP indicates that the TCP connection has been initiated but is waiting for a response. If the peer does not respond within the configured timers, the session will transition to the 'Active' state and retry the connection.

Possible Causes: This can occur due to network issues preventing the peer from responding, a misconfiguration on the peer device, or issues like access control lists (ACLs) blocking the BGP traffic.

To troubleshoot, check the connectivity between the routers, ensure that the BGP configurations on both sides match, and verify that there are no firewalls or ACLs blocking the BGP packets.

Fortinet Documentation on BGP Troubleshooting

Fortinet Community Discussion on BGP State Issues

Refer to the exhibit, which shows two entries that were generated in the FSSO collector agent logs.

What three conclusions can you draw from these log entries? (Choose three.)

A. Remote registry is not running on the workstation.
B. The FortiGate firmware version is not compatible with that of the collector agent.
C. DNS resolution is unable to resolve the workstation name.
D. The user's status shows as 'not verified' in the collector agent.
E. A firewall is blocking traffic to port 139 and 445.
Suggested answer: A, C, E

Explanation:

The exhibit shows log entries from the FSSO (Fortinet Single Sign-On) collector agent logs. These logs provide insights into why there might be issues with the collector agent connecting to workstations or the registry.

Remote registry is not running on the workstation: The failure to connect to the workstation registry can occur if the remote registry service on the workstation is not running. This service needs to be active to allow the FSSO collector agent to query the workstation for user login information.

DNS resolution is unable to resolve the workstation name: The logs indicate a failure in connecting to a workstation by name, which can happen if the DNS server is unable to resolve the workstation's name to an IP address. This is a common issue when the DNS settings are incorrect or the workstation name is not properly registered in the DNS.

A firewall is blocking traffic to port 139 and 445: Communication issues to the workstation or registry are often caused by firewall rules blocking essential ports. Ports 139 (NetBIOS) and 445 (SMB) are critical for these operations. Ensure these ports are open on both the workstation and any intermediate firewalls.

Fortinet Community Documentation on FSSO Troubleshooting

Fortinet Community on FSSO Collector Agent Issues

Refer to the exhibit, which shows the output of a real-time debug.

Which statement about this output is true?

A. The server hostname was extracted from the SNI in the client request, or from the CN in the server certificate.
B. FortiGate found the requested URL in its local cache.
C. This web request was inspected using the rtgd-allow web filter profile.
D. The requested URL belongs to category ID 255.
Suggested answer: A

Explanation:

The exhibit displays the output of a real-time debug of the URL filtering process on a FortiGate device. The debug output includes various details about a web request being processed.

SNI (Server Name Indication): This is part of the SSL/TLS handshake where the client specifies the hostname it is trying to connect to. FortiGate can use this information to apply appropriate web filtering rules based on the server name.

CN (Common Name): This is a field in the server's SSL certificate that typically contains the server's hostname. FortiGate can extract this information to verify the identity of the server and apply security policies accordingly.

Given that the debug output includes the hostname 'training.fortinet.com,' it is likely derived from the SNI in the client's request or the CN in the server's certificate, indicating that FortiGate is using this information to process the web request.

Fortinet Community Documentation on Real-time Debugging

Exhibit.

Refer to the exhibit, which shows the output of get router info bgp neighbors 100.64.2.254.

What can you conclude from the output?

A. The BGP neighbor is advertising the 10.20.30.40/24 network to the local router.
B. The router ID of the neighbor is 100.64.2.254.
C. The BGP state of the two BGP participants is OpenConfirm.
D. The local router is advertising the 10.20.30.40/24 network to its BGP neighbor.
Suggested answer: D

Explanation:

BGP Advertisement: The output from the command get router info bgp neighbors 100.64.2.254 advertised-routes shows the routes that the local router is advertising to its BGP neighbor.

Output Analysis:

The Network column lists the networks being advertised.

The Next Hop column indicates the next-hop IP address for these routes.

The line *> 10.20.30.40/24 100.64.2.1 indicates that the 10.20.30.40/24 network is being advertised with a next-hop of 100.64.2.1.

Local Router's Role: Since the output lists the advertised routes, it means that the local router (with router ID 172.16.1.254) is advertising the 10.20.30.40/24 network to its neighbor 100.64.2.254.

This confirms that the local router is indeed advertising the specified network to its BGP neighbor.

Fortinet Documentation: Understanding BGP Route Advertisements (Fortinet Document Library).

Which three common FortiGate-to-collector-agent connectivity issues can you identify using the FSSO real-time debug? (Choose three.)

A. Refused connection. Potential mismatch of TCP port.
B. Mismatched pre-shared password.
C. Inability to reach IP address of the collector agent.
D. Log is full on the collector agent.
E. Incompatible collector agent software version.
Suggested answer: A, B, C

Explanation:

Refused Connection: A refused connection typically indicates a mismatch in the TCP port configuration between the FortiGate and the collector agent. Ensuring both are configured to use the same TCP port is crucial for proper connectivity.

Mismatched Pre-Shared Password: If the pre-shared password configured on the FortiGate does not match the one set on the collector agent, authentication will fail, leading to connectivity issues.

Inability to Reach IP Address: This can occur due to network issues such as incorrect routing, firewall rules blocking traffic, or the collector agent being down. Verifying network connectivity and the status of the collector agent is necessary to resolve this issue.

Fortinet Community: Troubleshooting FSSO Connectivity Issues.

Refer to the exhibit, which shows a partial output of the fssod daemon real-time debug command.

What two conclusions can you draw from the output? (Choose two.)

A. FSSO is using agentless polling mode to detect logon events.
B. The workstation with IP 10.124.2.90 will be polled frequently using TCP port 445 to see if the user is still logged on.
C. The logon event can be seen on the collector agent installed on Windows.
D. FSSO is using DC agent mode to detect logon events.
Suggested answer: C, D

Explanation:

Logon Event on Collector Agent: The debug output indicates that the logon event is recorded, showing that the collector agent on Windows is logging user activities and transmitting this data to the FortiGate.

DC Agent Mode: The presence of detailed logon events and their corresponding metadata, such as the domain and workstation information, suggests that the FortiGate is using DC agent mode. This mode involves an agent installed on the Domain Controller (DC) to capture and forward logon events.

Fortinet Community: How FSSO Works and Troubleshooting Steps; Fortinet GURU.

Consider the scenario where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate. Which action will FortiGate take when using the default settings for SSL certificate inspection?

A. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
B. FortiGate uses the information from the Subject field in the server certificate.
C. FortiGate uses the first entry listed in the SAN field in the server certificate.
D. FortiGate uses the SNI from the user's web browser.
Suggested answer: A

Explanation:

SNI and Certificate Mismatch: When the Server Name Indication (SNI) does not match either the Common Name (CN) or any of the Subject Alternative Names (SAN) in the server certificate, FortiGate's default behavior is to consider this as an invalid SSL/TLS configuration.

Default Action: FortiGate, under default settings for SSL certificate inspection, will close the connection to prevent potential security risks associated with mismatched certificates.

Fortinet Community: SSL Certificate Inspection Configuration and Behavior.
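For the SNI and CN discussion in the real-time debug question above and the mismatch rule in this question, an added example in Python (not code from ExamGecko, Fortinet or FortiOS): RFC 6125-style hostname matching followed by the default decision the explanation describes. The wildcard rule and the handling of a missing SNI are assumptions stated in the comments, and the certificate values are constructed.

```python
# Added example, not ExamGecko's or Fortinet's code: hostname matching in the
# style of RFC 6125 followed by the decision rule the explanation describes.
from typing import Iterable, Optional


def hostname_matches(presented: str, sni: str) -> bool:
    """Compare one CN/SAN value with the SNI: case-insensitive, trailing dot ignored.

    Assumption: a wildcard is accepted only as a single leading '*.' covering
    exactly one label, so '*.fortinet.com' matches 'training.fortinet.com' but
    neither 'fortinet.com' nor 'a.b.fortinet.com'.
    """
    presented = presented.strip().lower().rstrip(".")
    sni = sni.strip().lower().rstrip(".")
    if not presented or not sni:
        return False
    if presented == sni:
        return True
    if presented.startswith("*.") and "*" not in presented[2:]:
        labels = sni.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == presented[2:]
    return False


def sni_matches_certificate(sni: str, cn: Optional[str], sans: Iterable[str]) -> bool:
    """True when the SNI matches the CN or any DNS SAN entry."""
    return any(hostname_matches(name, sni) for name in [cn, *sans] if name)


def certificate_inspection_action(sni: Optional[str], cn: Optional[str],
                                  sans: Iterable[str]) -> str:
    """Default certificate-inspection outcome for one TLS connection.

    Assumption: with no SNI the hostname is taken from the certificate itself
    (as in the real-time debug question), so there is nothing to mismatch and
    the connection passes. SNI present but matching neither CN nor SAN: 'close'.
    """
    if not sni:
        return "allow"
    return "allow" if sni_matches_certificate(sni, cn, sans) else "close"


if __name__ == "__main__":
    # Constructed certificate fields; not taken from any real server.
    cn, sans = "www.example.com", ["www.example.com", "*.example.com"]
    print(certificate_inspection_action("www.example.com", cn, sans))        # allow
    print(certificate_inspection_action("mail.example.com", cn, sans))       # allow
    print(certificate_inspection_action("training.fortinet.com", cn, sans))  # close
```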

Exhibit.

Refer to the exhibit, which contains the partial output of the get vpn ipsec tunnel details command. Based on the output, which two statements are correct? (Choose two.)

A. Anti-replay is enabled.
B. The npu_flag for this tunnel is 03.
C. The npu_flag for this tunnel is 02.
D. Different SPI values are a result of auto-negotiation being disabled for phase 2 selectors.
Suggested answer: A, C

Explanation:

Anti-replay Enabled:

The exhibit shows replay: enabled, which confirms that anti-replay is enabled for this IPsec tunnel. Anti-replay protects the tunnel against replay attacks by rejecting packets whose sequence numbers have already been accepted.

NPU Acceleration:

The NPU acceleration: encryption (outbound) decryption (inbound) line indicates that Network Processing Unit (NPU) acceleration is used.

The npu_flag for this tunnel is 02. This indicates that encryption and decryption are handled by the NPU, improving the performance of the VPN tunnel.

Fortinet Community: Troubleshooting IPsec VPN Tunnels.

Fortinet Documentation: Verifying IPsec VPN Tunnels (Fortinet Docs).

Total 40 questions