A Review Of High Quality NSE7_EFW-6.4 Exam Dumps

NEW QUESTION 1
Examine the output of the ‘get router info bgp summary’ command shown in the exhibit; then answer the question below.

Which statements are true regarding the output in the exhibit? (Choose two.)

• A. BGP state of the peer 10.125.0.60 is Established.
• B. BGP peer 10.200.3.1 has never been down since the BGP counters were cleared.
• C. Local BGP peer has not received an OpenConfirm from 10.200.3.1.
• D. The local BGP peer has received a total of 3 BGP prefixes.

Answer: AC

NEW QUESTION 2
View the exhibit, which contains a screenshot of some phase-1 settings, and then answer the question below.

The VPN is up, and DPD packets are being exchanged between both IPsec gateways; however, traffic cannot pass through the tunnel. To diagnose, the administrator enters these CLI commands:

However, the IKE real time debug does not show any output. Why?

• A. The debug output shows phases 1 and 2 negotiations onl
• B. Once the tunnel is up, it does not show any more output.
• C. The log-filter setting was set incorrectl
• D. The VPN’s traffic does not match this filter.
• E. The debug shows only error message
• F. If there is no output, then the tunnel is operating normally.
• G. The debug output shows phase 1 negotiation onl
• H. After that, the administrator must enable the following real time debug: diagnose debug application ipsec -1.

Answer: B

NEW QUESTION 3
The CLI command set intelligent-mode <enable | disable> controls the IPS engine’s adaptive scanning behavior. Which of the following statements describes IPS adaptive scanning?

• A. Determines the optimal number of IPS engines required based on system load.
• B. Downloads signatures on demand from FDS based on scanning requirements.
• C. Determines when it is secure enough to stop scanning session traffic.
• D. Choose a matching algorithm based on available memory and the type of inspection being performed.

Answer: C

Explanation:
Configuring IPS intelligenceStarting with FortiOS 5.2, intelligent-mode is a new adaptive detection method. This command is enabled the default and it means that the IPS engine will perform adaptive scanning so that, for some traffic, the FortiGate can quickly finish scanning and offload the traffic to NPU or kernel. It is a balanced method which could cover all known exploits. When disabled, the IPS engine scans every single byte. config ips globalset intelligent-mode {enable|disable}end

NEW QUESTION 4
When using the SSL certificate inspection method for HTTPS traffic, how does FortiGate filter web requests when the browser client does not provide the server name indication (SNI) extension?

• A. FortiGate uses CN information from the Subject field in the server’s certificate.
• B. FortiGate switches to the full SSL inspection method to decrypt the data.
• C. FortiGate blocks the request without any further inspection.
• D. FortiGate uses the requested URL from the user’s web browser.

Answer: A

NEW QUESTION 5
View the exhibit, which contains the output of a debug command, and then answer the question below.

What statement is correct about this FortiGate?

• A. It is currently in system conserve mode because of high CPU usage.
• B. It is currently in FD conserve mode.
• C. It is currently in kernel conserve mode because of high memory usage.
• D. It is currently in system conserve mode because of high memory usage.

Answer: D

NEW QUESTION 6
View the exhibit, which contains the output of diagnose sys session list, and then answer the question below.

If the HA ID for the primary unit is zero (0), which statement is correct regarding the output?

• A. This session is for HA heartbeat traffic.
• B. This session is synced with the slave unit.
• C. The inspection of this session has been offloaded to the slave unit.
• D. This session cannot be synced with the slave unit.

Answer: B

NEW QUESTION 7
Which two statements about an auxiliary session are true? (Choose two.)

• A. With the auxiliary session setting enabled, ECMP traffic is accelerated to the NP6 processor.
• B. With the auxiliary session setting enabled, two sessions will be created in case of routing change.
• C. With the auxiliary session setting disabled, for each traffic path, FortiGate will use the same auxiliary session.
• D. With the auxiliary session disabled, only auxiliary sessions will be offloaded.

Answer: CD

NEW QUESTION 8
A FortiGate device has the following LDAP configuration:

The LDAP user student cannot authenticate. The exhibit shows the output of the authentication real time debug while testing the student account:

Based on the above output, what FortiGate LDAP settings must the administer check? (Choose two.)

• A. cnid.
• B. username.
• C. password.
• D. dn.

Answer: BC

Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=13141

NEW QUESTION 9
Which statements about bulk configuration changes using FortiManager CLI scripts are correct? (Choose two.)

• A. When executed on the Policy Package, ADOM database, changes are applied directly to the managed FortiGate.
• B. When executed on the Device Database, you must use the installation wizard to apply the changes to the managed FortiGate.
• C. When executed on the All FortiGate in ADOM, changes are automatically installed without creating a new revision history.
• D. When executed on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation.

Answer: BD

Explanation:
CLI scripts can be run in three different ways:Device Database: By default, a script is executed on the device database. It is recommend you run the changes on the device database (default setting), as this allows you to check what configuration changes you will send to the managed device. Once scripts are run on the device database, you can install these changes to a managed device using the installation wizard.
Policy Package, ADOM database: If a script contains changes related to ADOM level objects and policies, you can change the default selection to run on Policy Package, ADOM database and can then be installed using the installation wizard.
Remote FortiGate directly (through CLI): A script can be executed directly on the device and you don’t need to install these changes using the installation wizard. As the changes are directly installed on the managed device, no option is provided to verify and check the configuration changes through FortiManager prior to executing it.

NEW QUESTION 10
Which real time debug should an administrator enable to troubleshoot RADIUS authentication problems?

• A. Diagnose debug application radius -1.
• B. Diagnose debug application fnbamd -1.
• C. Diagnose authd console –log enable.
• D. Diagnose radius console –log enable.

Answer: B

Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD32838

NEW QUESTION 11
An administrator has configured the following CLI script on FortiManager, which failed to apply any changes to the managed device after being executed.

Why didn’t the script make any changes to the managed device?

• A. Commands that start with the # sign are not executed.
• B. CLI scripts will add objects only if they are referenced by policies.
• C. Incomplete commands are ignored in CLI scripts.
• D. Static routes can only be added using TCL scripts.

Answer: A

Explanation:
https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FortiManager_Admin_Guide/1000_Device%20Manager/2400_Sc
A sequence of FortiGate CLI commands, as you would type them at the command line. A comment line starts with the number sign (#). A comment line will not be executed.

NEW QUESTION 12
View the exhibit, which contains the output of a diagnose command, and then answer the question below.

What statements are correct regarding the output? (Choose two.)

• A. This is an expected session created by a session helper.
• B. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.0.1.10.
• C. Traffic in the original direction (coming from the IP address 10.171.122.38) will be routed to the next-hop IP address 10.200.1.1.
• D. This is an expected session created by an application control profile.

Answer: AC

NEW QUESTION 13
Examine the partial output from two web filter debug commands; then answer the question below:

Based on the above outputs, which is the FortiGuard web filter category for the web site www.fgt99.com?

• A. Finance and banking
• B. General organization.
• C. Business.
• D. Information technology.

Answer: C

NEW QUESTION 14
A FortiGate device has the following LDAP configuration:

The administrator executed the ‘dsquery’ command in the Windows LDAp server 10.0.1.10, and got the following output:
>dsquery user –samid administrator
“CN=Administrator, CN=Users, DC=trainingAD, DC=training, DC=lab” Based on the output, what FortiGate LDAP setting is configured incorrectly?

• A. cnid.
• B. username.
• C. password.
• D. dn.

Answer: B

Explanation:
https://kb.fortinet.com/kb/viewContent.do?externalId=FD37516

NEW QUESTION 15
View the exhibit, which contains a partial output of an IKE real-time debug, and then answer the question below.

Based on the debug output, which phase-1 setting is enabled in the configuration of this VPN?

• A. auto-discovery-sender
• B. auto-discovery-forwarder
• C. auto-discovery-shortcut
• D. auto-discovery-receiver

Answer: B

NEW QUESTION 16
View the global IPS configuration, and then answer the question below.

Which of the following statements is true regarding this configuration?

• A. IPS will scan every byte in every session.
• B. FortiGate will spawn IPS engine instances based on the system load.
• C. New packets will be passed through without inspection if the IPS socket buffer runs out of memory.
• D. IPS will use the faster matching algorithm which is only available for units with more than 4 GB memory.

Answer: A

NEW QUESTION 17
Refer to the exhibit, which contains the output of get system ha status.

Which two statements about the output are true? (Choose two.)

• A. The slave configuration is synchronized with the master.
• B. port7 is used as the HA heartbeat on all devices in the cluster.
• C. Master is selected based on the priority configured under config system ha.
• D. The HA management IP is 169.254.0.2.

Answer: BC

NEW QUESTION 18
......