Free NSE7_EFW-7.0 Exam Braindumps (page: 17)

Page 4 of 42

Refer to the exhibit, which shows partial outputs from two routing debug commands.



Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?

  1. Set the priority of the static default route using port1 to 10. Most Voted
  2. Set the priority of the static default route using port2 to 1.
  3. Set preserve-session-route to enable.
  4. Set snat-route-change to enable.

Answer(s): A

Explanation:

ECMP pre-requisite is "routes must have the same destination and costs. In the case of static routes, costs include distance and priority". In this case traffic is routed through port 1 because of the lower priority. If we raise priority on port 1 to the value of 10 the traffic should be routed through both ports 1 and 2.
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/25967/equal-cost-multi- path



Refer to the exhibit, which shows a partial routing table.



Assuming all the appropriate firewall policies are configured, what two changes would an administrator need to make if they wanted to send traffic from a client directly connected to port3, to a server directly connected to port4? (Choose two.)

  1. Configure route leaking between VRF 12 and VRF 21.
  2. Disable auto-asic-offload as this is not supported between VRF instances.
  3. Configure RIPv2 to exchange route information between the VRF instances.
  4. Configure route leaking between port3 and port4.
  5. Enable SNAT on the relevant firewall policies to prevent RPF check drops.

Answer(s): A,E

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 148, 159



What is the diagnose test application ipsmenitor 5 command used for?

  1. To enable IPS bypass mode
  2. To disable the IPS engine
  3. To restart all IPS engines and monitors
  4. To provide information regarding IPS sessions

Answer(s): A

Explanation:

# diagnose test application ipsmonitor
5: Toggle bypass status
13: IPS session list
98: Stop all IPS engines
99: Restart all IPS engines and monitor



An administrator has configured two FortiGate devices for an HA cluster.
While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device.
What can the administrator do to fix this problem?

  1. Configure remote link monitoring to detect an issue in the forwarding path.
  2. Configure set send-garp-on-failover enable under config system ha on both cluster members.
  3. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.
  4. Configure set link-failed-signal enable under config system ha on both cluster members.

Answer(s): D

Explanation:

Virtual MAC Address and Failover - The new primary broadcasts Gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port. - Some high-end switches might not clear their MAC table correctly after a failover - Solution: Force former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces): #Config system ha set link-failed-signal enable end - This simulates a link failure that clears the related entries from MAC table of the switches.






Post your Comments and Discuss Fortinet NSE7_EFW-7.0 exam with other Community members:

NSE7_EFW-7.0 Exam Discussions & Posts