Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Fortinet
  5. NSE7_EFW-7.0

Fortinet NSE7_EFW-7.0 Exam Questions
Fortinet NSE 7 - Enterprise Firewall 7.0 (Page 5 )

Updated On: 21-Feb-2026
Page 5 of 34
PDF with 163 Questions

An administrator has been assigned the task of creating a set of firewall policies which must be evaluated before any custom policies defined within the policy packages of managed FortiGate devices, across all 25 ADOMSs in FortiManager.
How should the administrator accomplish this task?

  1. Create a footer policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this footer policy to all other ADOMs.
  2. Create a header policy in the Global ADOM containing the firewall policies that must be evaluated first, and then assign this header policy to all other ADOMs.
  3. Move the FortiGate devices into a single globally scoped ADOM, and merge policy packages, inserting the new firewall policies at the top.
  4. Use a CLI script from the root ADOM on FortiManager to push these new policies to all FortiGate devices, through the FGFM tunnel.

Answer(s): B

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 244



Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

  1. route-reflector enable
  2. route-reflector-server enable
  3. route-reflector-client enable
  4. route-reflector-peer enable

Answer(s): C

Explanation:

https://docs.fortinet.com/document/fortigate/7.0.11/cli-reference/572620/config-router-bgp set route-reflector-client [enable|disable]



Refer to the exhibit, which shows the output of a debug command.



What can be concluded from the debug command output?

  1. The OSPF router with the ID 0.0.0.69 has its OSPF priority set to 0.
  2. The local FortiGate has a different MTU value from the OSPF router with ID 0.0.0.2, based on the state information.
  3. There are more than two OSPF routers on the wan2 network.
  4. The interface ToRemote is a broadcast OSPF network.

Answer(s): C

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 296



Which two configuration commands change the default behavior for content-inspected traffic while FortiGate is in conserve mode? (Choose two.)

  1. set av-failopen off
  2. set av-failopen pass
  3. set fail-open enable
  4. set ips fail-open disable

Answer(s): A,C

Explanation:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/194558/conserve-mode



Refer to the exhibit, which shows the output of a diagnose command.



What can you conclude from the output shown in the exhibit? (Choose two.)

  1. This is a pinhole session created to allow traffic for a protocol that requires additional sessions to operate through FortiGate.
  2. This is an expected session created by the IPS engine.
  3. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.200.1.1.
  4. Traffic in the original direction (coming from the IP address 10.171.121.38) will be routed to the next-hop IP address 10.0.1.10.

Answer(s): A,D

Explanation:

Enterprise_Firewall_7.0_Study_Guide-Online.pdf p 110, 111, 115






Post your Comments and Discuss Fortinet NSE7_EFW-7.0 exam dumps with other Community members:

Join the NSE7_EFW-7.0 Discussion