Question No. 1

Examine the IPsec configuration shown in the exhibit; then answer the question below.

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:

diagnose vpn ike log-filter src-addr4 10.0.10.1

diagnose debug application ike -1

diagnose debug enable

The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?

AThe IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.

BThe log-filter setting is set incorrectly. The VPN's traffic does not match this filter.

CThe IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.

DThe IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.

Show Answer

Correct Answer: B

Question No. 2

What is the diagnose test application ipsmonitor 99 command used for?

ATo enable IPS bypass mode

BTo provide information regarding IPS sessions

CTo disable the IPS engine

DTo restart all IPS engines and monitors

Show Answer

Correct Answer: D

Question No. 3

View the exhibit, which contains a partial web filter profile configuration, and then answer the question below.

Which action will FortiGate take if a user attempts to access www.dropbox.com, which is categorized as File Sharing and Storage?

AFortiGate will exempt the connection based on the Web Content Filter configuration.

BFortiGate will block the connection based on the URL Filter configuration.

CFortiGate will allow the connection based on the FortiGuard category based filter configuration.

DFortiGate will block the connection as an invalid URL.

Show Answer

Correct Answer: B

fortigate does it in order Static URL -> FortiGuard -- > Content -> Advanced (java, cookie removal..) so block it in first step

Question No. 4

View the exhibit, which contains the output of a BGP debug command, and then answer the question below.

Which of the following statements about the exhibit are true? (Choose two.)

AThe local router's BGP state is Established with the 10.125.0.60 peer.

BSince the counters were last reset; the 10.200.3.1 peer has never been down.

CThe local router has received a total of three BGP prefixes from all peers.

DThe local router has not established a TCP session with 100.64.3.1.

Show Answer

Correct Answer: A, D

Question No. 5

An administrator has configured a dial-up IPsec VPN with one phase 2, extended authentication (XAuth) and IKE mode configuration. The administrator has also enabled the IKE real time debug:

diagnose debug application ike-1

diagnose debug enable

In which order is each step and phase displayed in the debug output each time a new dial-up user is connecting to the VPN?

APhase1; IKE mode configuration; XAuth; phase 2.

BPhase1; XAuth; IKE mode configuration; phase2.

CPhase1; XAuth; phase 2; IKE mode configuration.

DPhase1; IKE mode configuration; phase 2; XAuth.

Show Answer

Correct Answer: B

https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/IPsec_VPN_Concepts/IKE_Packet_Processing.htm

Free Fortinet NSE7_EFW-6.4 Exam Actual Questions

The questions for NSE7_EFW-6.4 were last updated On Nov 19, 2024