[2024年08月] 最新のFortinet NSE7_EFW-7.2テスト問題集とオンライン試験エンジン [Q11-Q26]

Share

[2024年08月] 最新のFortinet NSE7_EFW-7.2テスト問題集とオンライン試験エンジン

Fortinet NSE7_EFW-7.2問題を提供していますNSE 7 Network Security Architect問題集と完璧な解答付き


Fortinet NSE7_EFW-7.2 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • 集中管理: 集中管理のトピックでは、集中管理の実装について説明します。
トピック 2
  • VPN: このトピックでは、IPsec VPN IKE バージョン 2 の実装について説明します。さらに、サイト間のオンデマンド VPN トンネルを可能にする自動検出 VPN (ADVPN) の実装についても詳しく説明します。
トピック 3
  • セキュリティ プロファイル: このトピックでは、FortiManager をローカル FortiGuard サーバーとして使用する方法について説明します。さらに、企業ネットワークにおける Web フィルタリング、アプリケーション制御、侵入防御システム (IPS) の構成についても詳しく説明します。
トピック 4
  • システム構成: このトピックでは、フォーティネット セキュリティ ファブリックとハードウェア アクセラレーションについて説明します。さらに、HA クラスターのさまざまな動作モードの構成についても詳しく説明します。
トピック 5
  • ルーティング: エンタープライズ トラフィックをルーティングするための OSPF と、エンタープライズ トラフィックをルーティングするためのボーダー ゲートウェイ プロトコル (BGP) の実装について説明します。

 

質問 # 11
Refer to the exhibit, which shows a network diagram.

Which IPsec phase 2 configuration should you impalement so that only one remote site is connected at any time?

  • A. Set single-source to enable
  • B. Set net-device to enable
  • C. Set route-overlap to either use-new or use-old
  • D. Set route-overlap to allow.

正解:A

解説:
The "single-source" option ensures that only one remote site is connected at any time, which aligns with the requirement in the question. This option prevents multiple VPN tunnels from being established between the same source and destination networks, and allows only the most recent tunnel to be active. This can be useful for scenarios where multiple remote sites have the same IP address range, as shown in the exhibit. Reference := Fortinet Enterprise Firewall Study Guide for FortiOS 7.2, page 142.


質問 # 12
Which FortiGate in a Security I auric sends togs to FortiAnalyzer?

  • A. Only the last FortiGate that handled a session in the Security Fabric
  • B. The FortiGate devices performing network address translation (NAT) or unified threat management (UTM). if configured.
  • C. Only the root FortiGate.
  • D. Each FortiGate in the Security fabric.

正解:D

解説:
Option B is correct because each FortiGate in the Security Fabric can send logs to FortiAnalyzer for centralized logging and analysis12. This allows you to monitor and manage the entire Security Fabric from a single console and view aggregated reports and dashboards.
Option A is incorrect because the root FortiGate is not the only device that can send logs to FortiAnalyzer. The root FortiGate is the device that initiates the Security Fabric and acts as the central point of contact for other FortiGate devices3. However, it does not have to be the only log source for FortiAnalyzer.
Option C is incorrect because the FortiGate devices performing NAT or UTM are not the only devices that can send logs to FortiAnalyzer. These devices can perform additional security functions on the traffic that passes through them, such as firewall, antivirus, web filtering, etc4. However, they are not the only devices that generate logs in the Security Fabric.
Option D is incorrect because the last FortiGate that handled a session in the Security Fabric is not the only device that can send logs to FortiAnalyzer. The last FortiGate is the device that terminates the session and applies the final security policy5. However, it does not have to be the only device that reports the session information to FortiAnalyzer. Reference: =
1: Security Fabric - Fortinet Documentation1
2: FortiAnalyzer Demo6
3: Security Fabric topology
4: Security Fabric UTM features
5: Security Fabric session handling


質問 # 13
Which two statements about the BFD parameter in BGP are true? (Choose two.)

  • A. It allows failure detection in less than one second.
  • B. It is supported for neighbors over multiple hops.
  • C. It detects only two-way failures.
  • D. The two routers must be connected to the same subnet.

正解:A、B

解説:
Bidirectional Forwarding Detection (BFD) is a rapid protocol for detecting failures in the forwarding path between two adjacent routers, including interfaces, data links, and forwarding planes. BFD is designed to detect forwarding path failures in a very short amount of time, often less than one second, which is significantly faster than traditional failure detection mechanisms like hold-down timers in routing protocols.
Fortinet supports BFD for BGP, and it can be used over multiple hops, which allows the detection of failures even if the BGP peers are not directly connected. This functionality enhances the ability to maintain stable BGP sessions over a wider network topology and is documented in Fortinet's guides.


質問 # 14
You contoured an address object on the tool fortiGate in a Security Fabric. This object is not synchronized with a downstream device. Which two reasons could be the cause? (Choose two)

  • A. The downstream FortiGate has configuration-sync set to local
  • B. The root FortiGate has configuration-sync set to enable
  • C. The downstream TortiGate has fabric-object-unification set to local
  • D. The address object on the tool FortiGate has fabric-object set to disable

正解:C、D

解説:
Option A is correct because the address object on the tool FortiGate will not be synchronized with the downstream devices if it has fabric-object set to disable. This option controls whether the address object is shared with other FortiGate devices in the Security Fabric or not1.
Option C is correct because the downstream FortiGate will not receive the address object from the tool FortiGate if it has fabric-object-unification set to local. This option controls whether the downstream FortiGate uses the address objects from the root FortiGate or its own local address objects2.
Option B is incorrect because the root FortiGate has configuration-sync set to enable by default, which means that it will synchronize the address objects with the downstream devices unless they are disabled by the fabric-object option3.
Option D is incorrect because the downstream FortiGate has configuration-sync set to local by default, which means that it will receive the address objects from the root FortiGate unless they are overridden by the fabric-object-unification option4. Reference: =
1: Group address objects synchronized from FortiManager5
2: Security Fabric address object unification6
3: Configuration synchronization7
4: Configuration synchronization7
5: Security Fabric - Fortinet Documentation


質問 # 15
Which, three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)

  • A. Authentication settings match
  • B. OSPF link costs match
  • C. OSPF interface priority settings are unique
  • D. OSPF router IDs are unique
  • E. OSPF interface network types match

正解:A、D、E

解説:
* Option A is correct because the OSPF interface network types determine how the routers form adjacencies and exchange LSAs on a network segment. The network types must match for the routers to become neighbors1.
* Option B is correct because the OSPF router IDs are used to identify each router in the OSPF domain and to establish adjacencies. The router IDs must be unique for the routers to become neighbors2.
* Option E is correct because the authentication settings control how the routers authenticate each other before exchanging OSPF packets. The authentication settings must match for the routers to become neighbors3.
* Option C is incorrect because the OSPF interface priority settings are used to elect the designated router (DR) and the backup designated router (BDR) on a broadcast or non-broadcast multi-access network. The priority settings do not have to be unique for the routers to become neighbors, but they affect the DR/BDR election process4.
* Option D is incorrect because the OSPF link costs are used to calculate the shortest path to a destination network based on the bandwidth of the links. The link costs do not have to match for the routers to become neighbors, but they affect the routing decisions5. References: =
* 1: OSPF network types
* 2: OSPF router ID
* 3: OSPF authentication
* 4: OSPF interface priority
* 5: OSPF link cost


質問 # 16
After enabling IPS you receive feedback about traffic being dropped.
What could be the reason?

  • A. IPS is configured to monitor
  • B. Traffic-submit is set to disable
  • C. Np-accel-mode is set to enable
  • D. Fail-open is set to disable

正解:D

解説:
Fail-open is a feature that allows traffic to pass through the IPS sensor without inspection when the sensor fails or is overloaded. If fail-open is set to disable, traffic will be dropped in such scenarios1. Reference: = IPS | FortiGate / FortiOS 7.2.3 - Fortinet Documentation


質問 # 17
You want to block access to the website ww.eicar.org using a custom IPS signature.
Which custom IPS signature should you configure?

  • A.
  • B.
  • C.
  • D.

正解:B

解説:
Option D is the correct answer because it specifically blocks access to the website "www.eicar.org" using TCP protocol and HTTP service, which are commonly used for web browsing. The other options either use the wrong protocol (UDP), the wrong service (DNS or SSL), or the wrong pattern ("eicar" instead of "www.eicar.org"). Reference := Configuring custom signatures | FortiGate / FortiOS 7.4.0 - Fortinet Document Library, section "Signature to block access to example.com".


質問 # 18
You want to configure faster failure detection for BGP.
Which parameter should you enable on both connected FortiGate devices?

  • A. Graceful-restart
  • B. Distribute-list-in
  • C. bfd
  • D. Ebgp-enforce-multihop

正解:C

解説:
BFD (Bidirectional Forwarding Detection) is a protocol that provides fast failure detection for BGP by sending periodic messages to verify the connectivity between two peers1. BFD can be enabled on both connected FortiGate devices by using the command set bfd enable under the BGP configuration2. References:
= Technical Tip : FortiGate BFD implementation and examples ..., Configure BGP | FortiGate / FortiOS 7.0.2
- Fortinet Documentation


質問 # 19
Winch two statements about ADVPN are true? (Choose two)

  • A. lt supports NAI for on-demand tunnels
  • B. Spoke to-spoke traffic never goes through the hub
  • C. Routing is configured by enabling add-advpn-route
  • D. auto-discovery receiver must be set to enable on the Spokes.

正解:A、D

解説:
ADVPN (Auto Discovery VPN) is a feature that allows to dynamically establish direct tunnels (called shortcuts) between the spokes of a traditional Hub and Spoke architecture. The auto-discovery receiver must be set to enable on the spokes to allow them to receive NHRP messages from the hub and other spokes. NHRP (Next Hop Resolution Protocol) is used for on-demand tunnels, which are established when there is traffic between spokes. Routing is configured by enabling add-nhrp-route, not add-advpn-route. Reference := ADVPN | FortiGate / FortiOS 7.2.0 | Fortinet Document Library, Technical Tip: Fortinet Auto Discovery VPN (ADVPN)


質問 # 20
Exhibit.

Refer to the exhibit, which shows the output from the webfilter fortiguard cache dump and webfilter categories commands.
Using the output, how can an administrator determine the category of the training.fortinet.com am website?

  • A. The administrator must convert the first two digits of the Domain hex value to a decimal value
  • B. The administrator must add both the Pima in and Iphex values of 34 to get the category number
  • C. The administrator must convert the first three digits of the IP hex value to binary
  • D. The administrator can look up the hex value of 34 in the second command output.

正解:D

解説:
Option B is correct because the administrator can determine the category of the training.fortinet.com website by looking up the hex value of 34 in the second command output. This is because the first command output shows that the domain and the IP of the website are both in category (Hex) 34, which corresponds to Information Technology in the second command output1.
Option A is incorrect because the administrator does not need to convert the first three digits of the IP hex value to binary. The IP hex value is already in the same format as the category hex value, so the administrator can simply compare them without any conversion2.
Option C is incorrect because the administrator does not need to add both the Pima in and Iphex values of 34 to get the category number. The Pima in and Iphex values are not related to the category number, but to the cache TTL and the database version respectively3.
Option D is incorrect because the administrator does not need to convert the first two digits of the Domain hex value to a decimal value. The Domain hex value is already in the same format as the category hex value, so the administrator can simply compare them without any conversion2. Reference: =
1: Technical Tip: Verify the webfilter cache content4
2: Hexadecimal to Decimal Converter5
3: FortiGate - Fortinet Community6
4: Web filter | FortiGate / FortiOS 7.2.0 - Fortinet Documentation7


質問 # 21
Exhibit.

Refer to the exhibit, which contains a partial VPN configuration.
What can you conclude from this configuration1?

  • A. The routing table shows a single IPSec virtual interface.
  • B. FortiGate creates separate virtual interfaces for each dial up client.
  • C. The VPN should use the dynamic routing protocol to exchange routing information Through the tunnels.
  • D. Dead peer detection s disabled.

正解:D

解説:
The configuration line "set dpd on-idle" indicates that dead peer detection (DPD) is set to trigger only when the tunnel is idle, not actively disabled1. Reference: FortiGate IPSec VPN User Guide - Fortinet Document Library


質問 # 22
Exhibit.

Refer to the exhibit, which shows the output from the webfilter fortiguard cache dump and webfilter categories commands.
Using the output, how can an administrator determine the category of the training.fortinet.comam website?

  • A. The administrator must convert the first two digits of the Domain hex value to a decimal value
  • B. The administrator must add both the Pima in and Iphex values of 34 to get the category number
  • C. The administrator must convert the first three digits of the IP hex value to binary
  • D. The administrator can look up the hex value of 34 in the second command output.

正解:D

解説:
* Option B is correct because the administrator can determine the category of the training.fortinet.com website by looking up the hex value of 34 in the second command output. This is because the first command output shows that the domain and the IP of the website are both in category (Hex) 34, which corresponds to Information Technology in the second command output1.
* Option A is incorrect because the administrator does not need to convert the first three digits of the IP hex value to binary. The IP hex value is already in the same format as the category hex value, so the administrator can simply compare them without any conversion2.
* Option C is incorrect because the administrator does not need to add both the Pima in and Iphex values of 34 to get the category number. The Pima in and Iphex values are not related to the category number, but to the cache TTL and the database version respectively3.
* Option D is incorrect because the administrator does not need to convert the first two digits of the Domain hex value to a decimal value. The Domain hex value is already in the same format as the category hex value, so the administrator can simply compare them without any conversion2. References:
=
* 1: Technical Tip: Verify the webfilter cache content4
* 2: Hexadecimal to Decimal Converter5
* 3: FortiGate - Fortinet Community6
* : Web filter | FortiGate / FortiOS 7.2.0 - Fortinet Documentation7


質問 # 23
Refer to the exhibit, which shows two configured FortiGate devices and peering over FGSP.

The main link directly connects the two FortiGate devices and is configured using the set session-syn-dev <interface> command.
What is the primary reason to configure the main link?

  • A. To have only configuration synchronization in layer 3
  • B. To load balance both sessions and configuration synchronization between layer 2 and 3
  • C. To have both sessions and configuration synchronization in layer 3
  • D. To have both sessions and configuration synchronization in layer 2

正解:C

解説:
The primary purpose of configuring a main link between the devices is to synchronize session information so that if one unit fails, the other can continue processing traffic without dropping active sessions.
A).To have both sessions and configuration synchronization in layer 2.This is incorrect because FGSP is used for session synchronization, not configuration synchronization.
B).To load balance both sessions and configuration synchronization between layer 2 and 3.FGSP does not perform load balancing and is not used for configuration synchronization.
C).To have only configuration synchronization in layer 3.The main link is not used solely for configuration synchronization.
D).To have both sessions and configuration synchronization in layer 3.The main link in an FGSP setup is indeed used to synchronize session information across the devices, and it operates at layer 3 since it uses IP addresses to establish the peering.


質問 # 24
Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.
Which can you conclude from this command output?

  • A. The router are in the number to match the remote peer.
  • B. You must change the AS number to match the remote peer.
  • C. The bfd configuration to set to enable.
  • D. BGP is attempting to establish a TCP connection with the BGP peer.

正解:D

解説:
The BGP state is "Idle", indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet. If the TCP connection fails, the BGP state will reset to either active or idle, depending on the configuration. References: You can find more information about BGP states and troubleshooting in the following Fortinet Enterprise Firewall 7.2 documents:
* Troubleshooting BGP
* How BGP works


質問 # 25
Which two statements about the neighbor-group command are true? (Choose two.)

  • A. It applies common settings in an OSPF area.
  • B. It is combined with the neighbor-range parameter.
  • C. You can configure it on the GUI.
  • D. You can apply it in Internal BGP (IBGP) and External BGP (EBGP).

正解:A、D

解説:
The neighbor-group command in FortiOS allows for the application of common settings to a group of neighbors in OSPF, and can also be used to simplify configuration by applyingcommon settings to both IBGP and EBGP neighbors. This grouping functionality is a part of the FortiOS CLI and is documented in the Fortinet CLI reference.


質問 # 26
......

2024年最新のNSE7_EFW-7.2テスト解説(更新されたのは50問があります):https://jp.fast2test.com/NSE7_EFW-7.2-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어