最新的NSE 7 Network Security Architect認證 NSE7_EFW-6.2考試題庫

問題1

An administrator has decreased all the TCP session timers to optimize the FortiGate memory usage. However, after the changes, one network application started to have problems. During the troubleshooting, the administrator noticed that the FortiGate deletes the sessions after the clients send the SYN packets, and before the arrival of the SYN/ACKs. When the SYN/ACK packets arrive to the FortiGate, the unit has already deleted the respective sessions. Which TCP session timer must be increased to fix this problem?

A. TCP time wait.

B. TCP session time to live.

C. TCP half close.

D. TCP half open.

正確答案: D

說明：（僅 VCESoft 成員可見）

問題2

View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

A. FortiGate will block the connection based on the URL Filter configuration.

B. FortiGate will allow the connection based on the FortiGuard category based filter configuration.

C. FortiGate will block the connection as an invalid URL.

D. FortiGate will exempt the connection based on the Web Content Filter configuration.

正確答案: A

說明：（僅 VCESoft 成員可見）

問題3

Examine the partial output from the IKE real time debug shown in the exhibit; then answer the question below.

Why didn't the tunnel come up?

A. The remote gateway's Phase-2 configuration does not match the local gateway's phase-2 configuration.

B. IKE mode configuration is not enabled in the remote IPsec gateway.

C. The remote gateway's Phase-1 configuration does not match the local gateway's phase-1 configuration.

D. One IPsec gateway is using main mode, while the other IPsec gateway is using aggressive mode.

正確答案: C

問題4

An administrator has configured two FortiGate devices for an HA cluster. While testing the HA failover, the administrator noticed that some of the switches in the network continue to send traffic to the former primary unit. The administrator decides to enable the setting link-failed-signal to fix the problem. Which statement is correct regarding this command?

A. Sends a link failed signal to all connected devices.

B. Forces the former primary device to shut down all its non-heartbeat interfaces for one second while the failover occurs.

C. Disables all the non-heartbeat interfaces in all the HA members for two seconds after a failover.

D. Sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.

正確答案: B

問題5

View the exhibit, which contains the output of a BGP debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

A. The local router's BGP state is Established with the 10.125.0.60 peer.

B. Since the counters were last reset; the 10.200.3.1 peer has never been down.

C. The local router has not established a TCP session with 100.64.3.1.

D. The local router has received a total of three BGP prefixes from all peers.

正確答案: A,C

問題6

An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.

Why didn't the script make any changes to the managed device?

A. Static routes can only be added using TCL scripts.

B. CLI scripts will add objects only if they are referenced by policies.

C. Incomplete commands are ignored in CLI scripts.

D. Commands that start with the # sign are not executed.

正確答案: D

說明：（僅 VCESoft 成員可見）

問題7

An administrator added the following Ipsec VPN to a FortiGate configuration:
configvpn ipsec phasel -interface
edit "RemoteSite"
set type dynamic
set interface "portl"
set mode main
set psksecret ENC LCVkCiK2E2PhVUzZe
next
end
config vpn ipsec phase2-interface
edit "RemoteSite"
set phasel name "RemoteSite"
set proposal 3des-sha256
next
end
However, the phase 1 negotiation is failing. The administrator executed the IKF real time debug while attempting the Ipsec connection. The output is shown in the exhibit.

What is causing the IPsec problem in the phase 1 ?

A. The pre-shared key is wrong

B. The incoming IPsec connection is matching the wrong VPN configuration

C. NAT-T settings do not match

D. The phrase-1 mode must be changed to aggressive

正確答案: A

問題8

Examine the IPsec configuration shown in the exhibit; then answer the question below.

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:
diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1
diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?

A. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.

B. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.

C. The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.

D. The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.

正確答案: D

問題9

Which two statements about FortiManager is true when it is deployed as a local FDS? (Choose two.)

A. It provides VM license validation services.

B. It can be configured as an update server, or a rating server, but not both.

C. It supports rating requests from both managed and unmanaged devices.

D. It caches available firmware updates for unmanaged devices.

正確答案: A,D

問題10

Which of the following statements is true regarding a FortiGate configured as an explicit web proxy?

A. FortiGate limits the total number of simultaneous explicit web proxy users.

B. FortiGate limits the number of workstations that authenticate using the same web proxy user credentials. This limit CANNOT be modified by the administrator.
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-WAN-opt-52/web_proxy.htm#Explicit2 The explicit proxy does not limit the number of active sessions for each user. As a result the actual explicit proxy session count is usually much higher than the number of explicit web proxy users. If an excessive number of explicit web proxy sessions is compromising system performance you can limit the amount of users if the FortiGate unit is operating with multiple VDOMs.

C. FortiGate limits the number of simultaneous sessions per explicit web proxy user. This limit CANNOT be modified by the administrator.

D. FortiGate limits the number of simultaneous sessions per explicit web proxy user The limit CAN be modified by the administrator

正確答案: A

最新的Fortinet NSE 7 - Enterprise Firewall 6.2 - NSE7_EFW-6.2免費考試真題

最新更新

站內鏈接

聯系我們