• Home
  • Articles
  • NSE7_EFW-6.4 PDF Pass Leader, NSE7_EFW-6.4 Latest Real Test [Q58-Q83]

NSE7_EFW-6.4 PDF Pass Leader, NSE7_EFW-6.4 Latest Real Test [Q58-Q83]

Share

NSE7_EFW-6.4 PDF Pass Leader, NSE7_EFW-6.4 Latest Real Test

Valid NSE7_EFW-6.4 Test Answers & NSE7_EFW-6.4 Exam PDF

NEW QUESTION 58
An administrator cannot connect to the GIU of a FortiGate unit with the IP address 10.0.1.254. The administrator runs the debug flow while attempting the connection using HTTP. The output of the debug flow is shown in the exhibit:

Based on the error displayed by the debug flow, which are valid reasons for this problem? (Choose two.)

  • A. HTTP administrative access is configured with a port number different than 80.
  • B. The packet is denied because of reverse path forwarding check.
  • C. Redirection of HTTP to HTTPS administrative access is disabled.
  • D. HTTP administrative access is disabled in the FortiGate interface with the IP address 10.0.1.254.

Answer: A,D

 

NEW QUESTION 59
Refer to the exhibit, which contains the partial output of a diagnose command.

Based on the output, which two statements are correct? (Choose two.)

  • A. Anti-replay is enabled
  • B. Quick mode selectors are disabled.
  • C. DPD is disabled.
  • D. The remote gateway IP is 10.200.4.1.

Answer: A,D

 

NEW QUESTION 60
Examine the output of the 'diagnose debug rating' command shown in the exhibit; then answer the question below.

Which statement are true regarding the output in the exhibit? (Choose two.)

  • A. There are three FortiGuard servers that are not responding to the queries sent by the FortiGate.
  • B. A server's round trip delay (RTT) is not used to calculate its weight.
  • C. FortiGate will send the FortiGuard queries to the server with highest weight.
  • D. The TZ value represents the delta between each FortiGuard server's time zone and the FortiGate's time zone.

Answer: C,D

 

NEW QUESTION 61
Examine the output of the 'get router info bgp summary' command shown in the exhibit; then answer the question below.

Which statement can explain why the state of the remote BGP peer 10.200.3.1 is Connect?

  • A. The local peer has received the BGP prefixed from the remote peer.
  • B. The TCP session for the BGP connection to 10.200.3.1 is down.
  • C. The local peer is receiving the BGP keepalives from the remote peer but it has not received the OpenConfirm yet.
  • D. The local peer is receiving the BGP keepalives from the remote peer but it has not received any BGP prefix yet.

Answer: B

Explanation:
http://www.ciscopress.com/articles/article.asp?p=2756480&seqNum=4

 

NEW QUESTION 62
What configuration changes can reduce the memory utilization in a FortiGate? (Choose two.)

  • A. Reduce the session time to live.
  • B. Increase the FortiGuard cache time to live.
  • C. Increase the TCP session timers.
  • D. Reduce the maximum file size to inspect.

Answer: A,D

 

NEW QUESTION 63
What global configuration setting changes the behavior for content-inspected traffic while FortiGate is in system conserve mode?

  • A. mem-failopen
  • B. utm-failopen
  • C. av-failopen
  • D. ips-failopen

Answer: C

Explanation:
Explanation
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/Other_Profile_Consideration

 

NEW QUESTION 64
View the exhibit, which contains a session entry, and then answer the question below.

Which statement is correct regarding this session?

  • A. It is a TCP session in ESTABLISHED state from 10.1.10.10 to 10.200.5.1.
  • B. It is a TCP session in CLOSE_WAIT state from 10.1.10.10 to 10.200.1.1.
  • C. It is an ICMP session from 10.1.10.10 to 10.200.1.1.
  • D. It is an ICMP session from 10.1.10.10 to 10.200.5.1.

Answer: D

 

NEW QUESTION 65
View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

However, the IKE real time debug does not show any output. Why?

  • A. The log-filter setting was set incorrectly. The VPN's traffic does not match this filter.
  • B. The debug output shows phases 1 and 2 negotiations only. Once the tunnel is up, it does not show any more output.
  • C. The debug output shows phase 1 negotiation only. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.
  • D. The debug shows only error messages. If there is no output, then the tunnel is operating normally.

Answer: A

 

NEW QUESTION 66
View the exhibit, which contains the partial output of an IKE real-time debug, and then answer the question below.

Why didn't the tunnel come up?

  • A. The remote gateway's phase 2 configuration does not match the local gateway's phase 2 configuration.
  • B. The pre-shared keys do not match.
  • C. The remote gateway is using aggressive mode and the local gateway is configured to use man mode.
  • D. The remote gateway's phase 1 configuration does not match the local gateway's phase 1 configuration.

Answer: D

 

NEW QUESTION 67
Which of the following conditions must be met fora static route to be active in the routing table? (Choose three.)

  • A. There is no other route, to the same destination, with a higher distance.
  • B. The next-hop IP address is up.
  • C. The outgoing interface is up.
  • D. The link health monitor (if configured) is up.
  • E. The next-hop IP address belongs to one of the outgoing interface subnets.

Answer: C,D,E

Explanation:
Explanation
A configured static route only goes to routing table from routing database when all the following are met :
* The outgoing interface is up
* There isno other matching route with a lower distance
* The link health monitor (if configured) is successful
* The next-hop IP address belongs to one of the outgoing interface subnets

 

NEW QUESTION 68
An administrator has configured the following CLIscript on FortiManager, which failed to apply any changes to the managed device after being executed.

Why didn't the script make any changes to the managed device?

  • A. Static routes can only be added using TCL scripts.
  • B. CLI scripts will add objectsonly if they are referenced by policies.
  • C. Incomplete commands are ignored in CLI scripts.
  • D. Commands that start with the # sign are not executed.

Answer: D

Explanation:
Explanation
https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FortiManager_Admin_Guide/1000_Device%20Manager/2400_Scr A sequence of FortiGate CLI commands, as you would type them at the command line. A comment line starts with the number sign (#). A comment line will not be executed.

 

NEW QUESTION 69
Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)

  • A. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.
  • B. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.
  • C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.
  • D. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

Answer: A,D

Explanation:
Explanation
CLI scripts can be run in three different ways:Device Database: By default, a script is executed on the device database. It is recommend you run the changes on the device database (default setting), as this allows you to check what configuration changes you will send to the managed device. Once scripts are run on the device database, you can install these changes to a managed device using the installation wizard.
Policy Package, ADOM database: If a script contains changes related to ADOM level objects and policies, you can change the default selection to run on Policy Package, ADOM database and can then be installed using the installation wizard.
Remote FortiGate directly (through CLI): A script can be executed directly on the device and you don't need to install these changes using the installation wizard. As the changes are directly installed on the managed device, no option is provided to verify and check the configuration changes through FortiManager prior to executing it.

 

NEW QUESTION 70
View the global IPS configuration, and then answer the question below.

Which of the following statements is true regarding this configuration?

  • A. IPS will scan every byte in every session.
  • B. IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.
  • C. FortiGate will spawn IPS engine instances based on the system load.
  • D. New packets will be passed through without inspection if the IPS socket buffer runs out of memory.

Answer: A

 

NEW QUESTION 71
Which of the following statements are true regardingthe SIP session helper and the SIP application layer gateway (ALG)? (Choose three.)

  • A. SIP ALG supports SIP HA failover; SIP helper does not.
  • B. SIP ALG supports SIP over IPv6; SIP helper does not.
  • C. SIP session helper runs in the kernel; SIP ALG runs as a user space process.
  • D. SIP helper supports SIP over TCP and UDP; SIP ALG supports only SIP over UDP.
  • E. SIP ALG can create expected sessions for media traffic; SIP helper does not.

Answer: A,B,E

 

NEW QUESTION 72
Viewthe exhibit, which contains the output of a real-time debug, and then answer the question below.

Which of the following statements is true regarding this output? (Choose two.)

  • A. The requested URL belongs to category ID 52.
  • B. This web request was inspected using the root web filter profile.
  • C. The web request was allowed by FortiGate.
  • D. FortiGate found the requested URL in its local cache.

Answer: A,D

 

NEW QUESTION 73
The CLI command set intelligent-mode <enable | disable> controls the IPS engine's adaptivescanning behavior. Which of the following statements describes IPS adaptive scanning?

  • A. Determines when it is secure enough to stop scanning session traffic.
  • B. Downloads signatures on demand from FDS based on scanning requirements.
  • C. Choose a matching algorithm based on available memory and the type of inspection being performed.
  • D. Determines the optimal number of IPS engines required based on system load.

Answer: A

Explanation:
Explanation
Configuring IPS intelligenceStarting with FortiOS 5.2,intelligent-mode is a new adaptive detection method. This command is enabled the default and it means that the IPS engine will perform adaptive scanning so that, for some traffic, the FortiGate can quickly finish scanning and offload the traffic to NPU orkernel. It is a balanced method which could cover all known exploits. When disabled, the IPS engine scans every single byte.
config ips globalset intelligent-mode {enable|disable}

 

NEW QUESTION 74
Which two statements about an auxiliary session are true? (Choose two.)

  • A. With the auxiliary session setting enabled, two sessions will be created in case of routing change.
  • B. With the auxiliary session setting enabled, ECMP traffic is accelerated to the NP6 processor.
  • C. With the auxiliary session disabled, only auxiliary sessions will be offloaded.
  • D. With the auxiliary session setting disabled, for each traffic path, FortiGate will use the same auxiliary session.

Answer: C,D

 

NEW QUESTION 75
Refer to exhibit, which contains the output of a BGP debug command.

Which statement explains why the state of the 10.200.3.1 peer is Connect?

  • A. The local router has received the BGP prefixes from the remote peer.
  • B. The local router is receiving the BGP keepalives from the peer, but it has not received a BGP prefix yet.
  • C. The TCP session to 10.200.3.1 has not completed the 3-way handshake.
  • D. The local router is receiving BGP keepalives from the remote peer, but the local peer has not received the OpenConfirm yet.

Answer: C

Explanation:
BGP neighbor states and how they change: * Idle: Initial state * Connect: Waiting for a successful three-way TCP connection * Active: Unable to establish the TCP session * OpenSent: Waiting for an OPEN message from the peer * OpenConfirm: Waiting for the keepalive message from the peer * Established: Peers have successfully exchanged OPEN and keepalive messages

 

NEW QUESTION 76
Examine the following traffic log; then answer the question below.
date-20xx-02-01 time=19:52:01 devname=master device_id="xxxxxxx" log_id=0100020007 type=event subtype=system pri critical vd=root service=kemel status=failure msg="NAT port is exhausted." What does the log mean?

  • A. The limit for the maximum number of entries in the NAT port table has been reached.
  • B. The limit for the maximum number of simultaneous sessions sharing the same NAT port has been reached.
  • C. FortiGate does not have any available NAT port for a new connection.
  • D. There is not enough available memory in the system to create a new entry inthe NAT port table.

Answer: B

 

NEW QUESTION 77
An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration. The administrator has also enabled the IKE real time debug:
diagnose debug application ike-1
diagnose debug enable
In which order is each step and phase displayed in the debug output each time a new dial-up user is connecting to the VPN?

  • A. Phase1; XAuth; phase 2; IKE mode configuration.
  • B. Phase1; XAuth; IKE mode configuration; phase2.
  • C. Phase1; IKE mode configuration; phase 2; XAuth.
  • D. Phase1; IKE mode configuration; XAuth; phase 2.

Answer: B

Explanation:
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/IPsec_VPN_Concepts/IKE_Packet_Processing.htm

 

NEW QUESTION 78
A FortiGate has two default routes:

All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:

What would happen with the traffic matching the above session if the priority on the first default route (IDd1) were changed from 5 to 20?

  • A. Session would remain in the session table and its traffic would start using port2 as the outgoing interface.
  • B. Session would be deleted, so the client would need to start a new session.
  • C. Session would remain in the session table and its traffic would keep using port1 as the outgoing interface.
  • D. Session would remain in the session table and its traffic would be shared between port1 and port2.

Answer: C

 

NEW QUESTION 79
In which two states is a given session categorized as ephemeral? (Choose two.)

  • A. A TCP session waiting for FIN ACK.
  • B. A UDP session with only one packet received.
  • C. A UDP session with packets sent and received.
  • D. A TCP session waiting to complete the three-way handshake.

Answer: A,C

 

NEW QUESTION 80
A FortiGate has two default routes:

All Internet traffic is currently using port1. The exhibit shows partial information for one sample session of Internet traffic from an internal user:

What would happen with the traffic matching the above session if the priority on the firstdefault route (IDd1) were changed from 5 to 20?

  • A. Session would remain in the session table and its traffic would start using port2 as the outgoing interface.
  • B. Session would be deleted, so the client would need to start a new session.
  • C. Session would remain in the session table and its traffic would keep using port1 as the outgoing interface.
  • D. Session would remain in the session table and its traffic would be shared between port1 and port2.

Answer: C

 

NEW QUESTION 81
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. The administrator decides to enable the setting link-failed-signal to fix the problem.
Which statement about this setting is true?

  • A. It disabled all the non-heartbeat interfaces in all HA members for two seconds after a failover.
  • B. It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the failover occurs.
  • C. It sends a link failed signal to all connected devices.
  • D. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.

Answer: B

 

NEW QUESTION 82
View the exhibit, which contains the output of a debug command, and then answer the question below.

What statement is correct about this FortiGate?

  • A. It is currently in kernel conserve mode because of high memory usage.
  • B. It is currently in FD conserve mode.
  • C. It iscurrently in system conserve mode because of high CPU usage.
  • D. It is currently in system conserve mode because of high memory usage.

Answer: D

 

NEW QUESTION 83
......

NSE7_EFW-6.4 Dumps Ensure Your Passing: https://www.ipassleader.com/Fortinet/NSE7_EFW-6.4-practice-exam-dumps.html

NSE7_EFW-6.4 exam dumps and online Test Engine: https://drive.google.com/open?id=1doAxe9Y-HWAktSQaU290Vm_L_1samFzE

Related Articles

more
Fortinet NSE7_EFW-6.4 Certification Practice Exam