Examine the IPsec configuration shown in the exhibit; then answer the question below.
An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:

diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1
diagnose debug enable

The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being exchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output.
Why isn't there any output?
A. The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.
B. The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.
C. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
D. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.
Which of the following statements are true regarding the SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)
A. SIP session helper runs in the kernel; SIP ALG runs as a user space process.
B. SIP ALG supports SIP HA failover; SIP helper does not.
C. SIP ALG supports SIP over IPv6; SIP helper does not.
D. SIP ALG can create expected sessions for media traffic; SIP helper does not.
E. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.
An administrator has decreased all the TCP session timers to optimize the FortiGate memory usage. However, after the changes, one network application started to have problems. During the troubleshooting, the administrator noticed that the FortiGate deletes the sessions after the clients send the SYN packets, and before the arrival of the SYN/ACKs. When the SYN/ACK packets arrive at the FortiGate, the unit has already deleted the respective sessions. Which TCP session timer must be increased to fix this problem?
A. TCP half open.
B. TCP half close.
C. TCP time wait.
D. TCP session time to live.
The logs in an FSSO collector agent (CA) are showing the following error: failed to connect to registry: PIKA1026 (192.168.12.232)
What can be the reason for this error?
A. The CA cannot resolve the name of the workstation.
B. The FortiGate cannot resolve the name of the workstation.
C. The remote registry service is not running in the workstation 192.168.12.232.
D. The CA cannot reach the FortiGate with the IP address 192.168.12.232.
A FortiGate is rebooting unexpectedly without any apparent reason. What troubleshooting tools could an administrator use to get more information about the problem? (Choose two.)
A. Firewall monitor.
B. Policy monitor.
C. Logs.
D. Crashlogs.
Examine the output from the 'diagnose vpn tunnel list' command shown in the exhibit; then answer the question below.
Which command can be used to sniff the ESP traffic for the VPN DialUP_0?
A. diagnose sniffer packet any 'port 500'
B. diagnose sniffer packet any 'esp'
C. diagnose sniffer packet any 'host 10.0.10.10'
D. diagnose sniffer packet any 'port 4500'
View the central management configuration shown in the exhibit, and then answer the question below.
Which server will FortiGate choose for antivirus and IPS updates if 10.0.1.243 is experiencing an outage?
A. 10.0.1.240
B. One of the public FortiGuard distribution servers
C. 10.0.1.244
D. 10.0.1.242
An administrator wants to capture ESP traffic between two FortiGates using the built-in sniffer. If the administrator knows that there is no NAT device located between both FortiGates, what command should the administrator execute?
A. diagnose sniffer packet any 'udp port 500'
B. diagnose sniffer packet any 'udp port 4500'
C. diagnose sniffer packet any 'esp'
D. diagnose sniffer packet any 'udp port 500 or udp port 4500'
An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.
Why didn't the script make any changes to the managed device?
A. Commands that start with the # sign are not executed.
B. CLI scripts will add objects only if they are referenced by policies.
C. Incomplete commands are ignored in CLI scripts.
D. Static routes can only be added using TCL scripts.
View the exhibit, which contains the partial output of an IKE real time debug, and then answer the question below. The administrator does not have access to the remote gateway. Based on the debug output, what configuration changes can the administrator make to the local gateway to resolve the phase 1 negotiation error?
A. Change phase 1 encryption to AESCBC and authentication to SHA128.
B. Change phase 1 encryption to 3DES and authentication to CBC.
C. Change phase 1 encryption to AES128 and authentication to SHA512.
D. Change phase 1 encryption to 3DES and authentication to SHA256.
Refer to the exhibit, which contains the output of a BGP debug command.
Which statement explains why the state of the 10.200.3.1 peer is Connect?
A. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfirm yet.
B. The TCP session to 10.200.3.1 has not completed the 3-way handshake.
C. The local router is receiving the BGP keepalives from the peer, but it has not received a BGP prefix yet.
D. The local router has received the BGP prefixes from the remote peer.
View the exhibit, which contains the output of a debug command, and then answer the question below.
Which one of the following statements about this FortiGate is correct?
A. It is currently in system conserve mode because of high CPU usage.
B. It is currently in extreme conserve mode because of high memory usage.
C. It is currently in proxy conserve mode because of high memory usage.
D. It is currently in memory conserve mode because of high memory usage.
What is the diagnose test application ipsmonitor 99 command used for?
A. To enable IPS bypass mode
B. To provide information regarding IPS sessions
C. To disable the IPS engine
D. To restart all IPS engines and monitors
When using the SSL certificate inspection method to inspect HTTPS traffic, how does FortiGate filter web requests when the client browser does not provide the server name indication (SNI) extension?
A. FortiGate uses the requested URL from the user's web browser.
B. FortiGate uses the CN information from the Subject field in the server certificate.
C. FortiGate blocks the request without any further inspection.
D. FortiGate switches to the full SSL inspection method to decrypt the data.
Refer to the exhibit, which contains the output of get system ha status. Which two statements about the output are true? (Choose two.)
A. The slave configuration is synchronized with the master.
B. port7 is used as the HA heartbeat on all devices in the cluster.
C. Master is selected based on the priority configured under config system ha.
D. The HA management IP is 169.254.0.2.