[March 14, 2024] The NSE7_EFW-7.2 PDF question bank gives you the essential NSE7_EFW-7.2 exam answers that lead you to a pass! [Q23-Q47]


NSE7_EFW-7.2 practice exam questions with PDF answers for a complete preview of the NSE7_EFW-7.2 exam


Fortinet NSE7_EFW-7.2 certification exam coverage:

Topic: exam coverage
Topic 1
  • Implementing Border Gateway Protocol (BGP) to route enterprise traffic
  • Configuring hardware acceleration
Topic 2
  • Implementing OSPF to route enterprise traffic
  • Configuring the different operating modes of an HA cluster
Topic 3
  • Configuring the Intrusion Prevention System (IPS) in an enterprise network
  • Implementing the Fortinet Security Fabric
Topic 4
  • Implementing Auto-Discovery VPN (ADVPN) to enable on-demand site-to-site VPN tunnels
  • Configuring application control
Topic 5
  • Implementing central management
  • Using FortiManager as a local FortiGuard server
  • Implementing IPsec VPN IKE version 2

Question # 23
Exhibit.

Refer to the exhibit, which shows a central management configuration.
Which server will FortiGate choose for web filter rating requests if 10.0.1.240 is experiencing an outage?

  • A. Public FortiGuard servers
  • B. 10.0.1.243
  • C. 10.0.1.244
  • D. 10.0.1.242

Correct answer: C

Explanation:
In the event of an outage at 10.0.1.240, FortiGate chooses the next server in the sequence for web filter rating requests, which is 10.0.1.244 according to the configuration shown in the exhibit. The server list is ordered by priority: the server with the lowest priority number is chosen first, and if it is unavailable, the server with the next lowest priority number is chosen, and so on. The public FortiGuard servers are used only if the include-default-servers option is enabled and all the custom servers are unavailable. Reference: Fortinet Enterprise Firewall Study Guide for FortiOS 7.2, page 132.


Question # 24
Which two statements about metadata variables are true? (Choose two.)

  • A. The metadata format is $<metadata_variable_name>.
  • B. They can be used as variables in scripts.
  • C. You create them on FortiGate.
  • D. They apply only to non-firewall objects.

Correct answer: B, D

Explanation:
Metadata variables are custom fields that you can create on FortiManager to store additional information about objects or devices. They can be used as variables in Jinja2 CLI templates or scripts to apply configurations to multiple devices or objects. They do not apply only to non-firewall objects; they also apply to firewall objects such as addresses, services, and policies. The metadata format is not $<metadata_variable_name> but @<metadata_variable_name>@. Reference: Using meta field variables; Metadata Variables are supported in Firewall Objects configuration; Technical Tip: New Meta Variables and their usage including Jinja Templates; Technical Tip: Firewall objects use as metadata variable.


Question # 25
Exhibit.

Refer to the exhibit, which provides information on BGP neighbors.
What can you conclude from this command output?

  • A. The bfd configuration is set to enable.
  • B. The router are in the number to match the remote peer.
  • C. You must change the AS number to match the remote peer.
  • D. BGP is attempting to establish a TCP connection with the BGP peer.

Correct answer: D

Explanation:
The BGP state is "Idle", indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet. If the TCP connection fails, the BGP state resets to either Active or Idle, depending on the configuration. Reference: you can find more information about BGP states and troubleshooting in the following Fortinet Enterprise Firewall 7.2 documents:
Troubleshooting BGP
How BGP works


Question # 26
Exhibit.

Refer to the exhibit, which shows a partial web filter profile configuration. What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?

  • A. The access is blocked based on the URL Filter configuration.
  • B. The access is allowed based on the FortiGuard Category Based Filter configuration.
  • C. The access is blocked based on the Content Filter configuration.
  • D. The access is blocked if the local or the public FortiGuard server does not reply.

Correct answer: A

Explanation:
Access to www.facebook.com is blocked based on the URL Filter configuration. The exhibit shows that the URL "www.facebook.com" is specifically set to "Block" under the URL Filter section. Reference: Fortigate: How to configure Web Filter function on Fortigate; Web filter | FortiGate / FortiOS 7.0.2 | Fortinet Document Library; FortiGate HTTPS web URL filtering ... - Fortinet ... - Fortinet Community


Question # 27
An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. What can the administrator do to fix this problem?

  • A. Configure remote link monitoring to detect an issue in the forwarding path.
  • B. Configure set send-garp-on-failover enable under config system ha on both cluster members.
  • C. Configure set link-failed-signal enable under config system ha on both cluster members.
  • D. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.

Correct answer: C

Explanation:
Virtual MAC Address and Failover
- The new primary broadcasts gratuitous ARP packets to notify the network that each virtual MAC is now reachable through a different switch port.
- Some high-end switches might not clear their MAC table correctly after a failover. Solution: force the former primary to shut down all its interfaces for one second when the failover happens (excluding heartbeat and reserved management interfaces):
config system ha
    set link-failed-signal enable
end
- This simulates a link failure that clears the related entries from the MAC tables of the switches.


Question # 28
Refer to the exhibit, which shows a custom signature.

Which two modifications must you apply to the configuration of this custom signature so that you can save it on FortiGate? (Choose two.)

  • A. Start options with --.
  • B. Add attack_id.
  • C. Ensure that the header syntax is F-SBID.
  • D. Add severity.

Correct answer: B, D

Explanation:
For a custom signature to be valid and savable on a FortiGate device, it must include certain mandatory fields.
Severity specifies the level of threat that the signature represents, and attack_id is a unique identifier for the signature. Without these, the signature is incomplete and cannot be used by the FortiGate Intrusion Prevention System (IPS).


Question # 29
Refer to the exhibit, which shows a network diagram.

Which IPsec phase 2 configuration should you implement so that only one remote site is connected at any time?

  • A. Set net-device to enable.
  • B. Set route-overlap to allow.
  • C. Set route-overlap to either use-new or use-old.
  • D. Set single-source to enable.

Correct answer: D

Explanation:
The "single-source" option ensures that only one remote site is connected at any time, which matches the requirement in the question. This option prevents multiple VPN tunnels from being established between the same source and destination networks, and allows only the most recent tunnel to be active. This is useful for scenarios where multiple remote sites have the same IP address range, as shown in the exhibit. Reference: Fortinet Enterprise Firewall Study Guide for FortiOS 7.2, page 142.


Question # 30
Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?

  • A. Configure IP addresses on IPsec virtual interfaces.
  • B. Disable add-route on the hub.
  • C. Enable AD-VPN in IPsec phase 1.
  • D. Set protected network to all.

Correct answer: C

Explanation:
To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This automatically adds the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager. Reference: ADVPN | FortiManager 7.2.0 - Fortinet Documentation


Question # 31
Which two statements about the BFD parameter in BGP are true? (Choose two.)

  • A. It allows failure detection in less than one second.
  • B. It detects only two-way failures.
  • C. It is supported for neighbors over multiple hops.
  • D. The two routers must be connected to the same subnet.

Correct answer: A, C

Explanation:
Bidirectional Forwarding Detection (BFD) is a rapid protocol for detecting failures in the forwarding path between two adjacent routers, including interfaces, data links, and forwarding planes. BFD is designed to detect forwarding path failures in a very short amount of time, often less than one second, which is significantly faster than traditional failure detection mechanisms such as hold-down timers in routing protocols.
Fortinet supports BFD for BGP, and it can be used over multiple hops, which allows the detection of failures even if the BGP peers are not directly connected. This functionality enhances the ability to maintain stable BGP sessions over a wider network topology and is documented in Fortinet's guides.


Question # 32
Exhibit.

Refer to the exhibit, which shows an ADVPN network.
The client behind Spoke-1 generates traffic to the device located behind Spoke-2.
Which first message does the hub send to Spoke-1 to bring up the dynamic tunnel?

  • A. Shortcut reply
  • B. Shortcut forward
  • C. Shortcut offer
  • D. Shortcut query

Correct answer: D

Explanation:
In an ADVPN scenario, when traffic is initiated from a client behind one spoke to another spoke, the hub sends a shortcut query to the initiating spoke. This query is used to determine whether there is a more direct path for the traffic, which can then trigger the establishment of a dynamic tunnel between the spokes.


Question # 33
Which two statements about the Security Fabric are true? (Choose two.)

  • A. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
  • B. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the root FortiGate sends.
  • C. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer.
  • D. Only the root FortiGate sends logs to FortiAnalyzer.

Correct answer: B, D

Explanation:
In the Security Fabric, only the root FortiGate sends logs to FortiAnalyzer (D). Additionally, only FortiGate devices with configuration-sync enabled receive and synchronize global Central Management Database (CMDB) objects that the root FortiGate sends (B). FortiGate uses the FortiTelemetry protocol to communicate with other FortiGates, not with FortiAnalyzer (C). Option A is incorrect because all FortiGates can collect and forward network topology information to FortiAnalyzer.
References:
* FortiOS Handbook - Security Fabric


Question # 34
Refer to the exhibit, which contains a partial BGP configuration.

You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)

  • A. ebgp-enforce-multihop
  • B. recursive-next-hop
  • C. ibgp-enforce-multihop
  • D. update-source

Correct answer: A, D

Explanation:
To configure a loopback as the BGP source, you need to set the "ebgp-enforce-multihop" and "update-source" parameters in the BGP configuration. "ebgp-enforce-multihop" allows EBGP connections to neighbor routers that are not directly connected, while "update-source" specifies the IP address that should be used for the BGP session. References: BGP on loopback; Loopback interface; Technical Tip: Configuring EBGP Multihop Load-Balancing; Technical Tip: BGP routes are not installed in routing table with loopback as update source


Question # 35
Which statement about network processor (NP) offloading is true?

  • A. For TCP traffic, the FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to the NP.
  • B. The NP checks the session key or IPsec SA.
  • C. The NP provides IPS signature matching.
  • D. You can disable the NP for each firewall policy using the command np-acceleration st to loose.

Correct answer: A

Explanation:
Option A is correct because the FortiGate CPU offloads the first packets of TCP sessions to the NP for faster connection establishment and reduced CPU load [1]. This feature is called TCP offloading and it is enabled by default on FortiGate models with NP6 or higher [2].
Option C is incorrect because the NP does not provide IPS signature matching. The NP handles only the packet forwarding and encryption/decryption functions, while IPS signature matching is performed by the content processor (CP) or the CPU [3].
Option D is incorrect because the command to disable the NP for each firewall policy is set np-acceleration disable, not np-acceleration st to loose [4]. This command can be used to prevent certain traffic types from being offloaded to the NP, such as multicast, broadcast, or non-IP packets [5].
Option B is incorrect because the NP does not check the session key or IPsec SA. The NP only offloads the IPsec encryption/decryption and tunneling functions, while the session key and IPsec SA are managed by the CPU.
References:
1: TCP offloading
2: Network processors (NP6, NP6XLite, NP6Lite, and NP4)
3: Content processors (CP9, CP9XLite, CP9Lite)
4: Disabling NP offloading for firewall policies
5: NP hardware acceleration alters packet flow
6: IPsec VPN concepts


Question # 36
Which two statements about the neighbor-group command are true? (Choose two.)

  • A. You can apply it in Internal BGP (IBGP) and External BGP (EBGP).
  • B. You can configure it on the GUI.
  • C. It is combined with the neighbor-range parameter.
  • D. It applies common settings in an OSPF area.

Correct answer: A, D

Explanation:
The neighbor-group command in FortiOS allows the application of common settings to a group of neighbors in OSPF, and it can also be used to simplify configuration by applying common settings to both IBGP and EBGP neighbors. This grouping functionality is part of the FortiOS CLI and is documented in the Fortinet CLI reference.


Question # 37
Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

  • A. Route-reflector-server enable
  • B. Route-reflector-client enable
  • C. Route-reflector-peer enable
  • D. Route-reflector enable

Correct answer: B

Explanation:
To reduce the number of BGP sessions in an IBGP network, you can use a route reflector, which acts as a focal point for IBGP sessions and re-advertises the prefixes to all other peers. To configure a route reflector, enable the route-reflector-client option in the neighbor-group settings of the hub device. This makes the hub device act as a route reflector server and the other devices as route reflector clients. References: Route exchange | FortiGate / FortiOS 7.2.0 - Fortinet Documentation


Question # 38
Refer to the exhibit, which contains a partial BGP configuration.

You want to configure a loopback as the BGP source.
Which two parameters must you set in the BGP configuration? (Choose two.)

  • A. ebgp-enforce-multihop
  • B. recursive-next-hop
  • C. ibgp-enforce-multihop
  • D. update-source

Correct answer: A, D

Explanation:
To configure a loopback as the BGP source, you need to set the "ebgp-enforce-multihop" and "update-source" parameters in the BGP configuration. "ebgp-enforce-multihop" allows EBGP connections to neighbor routers that are not directly connected, while "update-source" specifies the IP address that should be used for the BGP session. References: BGP on loopback; Loopback interface; Technical Tip: Configuring EBGP Multihop Load-Balancing; Technical Tip: BGP routes are not installed in routing table with loopback as update source


Question # 39
Exhibit.

Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices.
Which two conclusions can you draw from this configuration? (Choose two.)

  • A. The VRRP domain uses the physical MAC address of the primary FortiGate.
  • B. By default, FortiGate B is the primary virtual router.
  • C. On failover, the new primary device uses the same MAC address as the old primary.
  • D. 10.1.5.254 is the default gateway of the internal network.

Correct answer: C, D

Explanation:
The Virtual Router Redundancy Protocol (VRRP) configuration in the exhibit indicates that 10.1.5.254 is set as the virtual IP (VRIP), commonly serving as the default gateway for the internal network (D). With vrrp-virtual-mac enabled, both FortiGates use the same virtual MAC address, ensuring a seamless transition during failover (C). The VRRP domain does not use the physical MAC address (A), and the priority settings indicate that FortiGate-A is the primary router by default due to its higher priority, so B is incorrect.


Question # 40
You configured an address object on the root FortiGate in a Security Fabric. This object is not synchronized with a downstream device. Which two reasons could be the cause? (Choose two.)

  • A. The address object on the root FortiGate has fabric-object set to disable.
  • B. The root FortiGate has configuration-sync set to enable.
  • C. The downstream FortiGate has fabric-object-unification set to local.
  • D. The downstream FortiGate has configuration-sync set to local.

Correct answer: A, C

Explanation:
Option A is correct because the address object on the root FortiGate will not be synchronized with the downstream devices if it has fabric-object set to disable. This option controls whether the address object is shared with other FortiGate devices in the Security Fabric [1].
Option C is correct because the downstream FortiGate will not receive the address object from the root FortiGate if it has fabric-object-unification set to local. This option controls whether the downstream FortiGate uses the address objects from the root FortiGate or its own local address objects [2].
Option B is incorrect because the root FortiGate has configuration-sync set to enable by default, which means that it synchronizes the address objects with the downstream devices unless they are disabled by the fabric-object option [3].
Option D is incorrect because the downstream FortiGate has configuration-sync set to local by default, which means that it receives the address objects from the root FortiGate unless they are overridden by the fabric-object-unification option [4].
References:
1: Group address objects synchronized from FortiManager
2: Security Fabric address object unification
3: Configuration synchronization
4: Configuration synchronization
5: Security Fabric - Fortinet Documentation


Question # 41
You want to configure faster failure detection for BGP.
Which parameter should you enable on both connected FortiGate devices?

  • A. Distribute-list-in
  • B. Ebgp-enforce-multihop
  • C. bfd
  • D. Graceful-restart

Correct answer: C

Explanation:
BFD (Bidirectional Forwarding Detection) is a protocol that provides fast failure detection for BGP by sending periodic messages to verify the connectivity between two peers [1]. BFD can be enabled on both connected FortiGate devices by using the command set bfd enable under the BGP configuration [2].
References: Technical Tip: FortiGate BFD implementation and examples ...; Configure BGP | FortiGate / FortiOS 7.0.2 - Fortinet Documentation


Question # 42
Exhibit.

Refer to the exhibit, which contains an ADVPN network diagram and a partial BGP configuration. Which two parameters should you configure in config neighbor-range? (Choose two.)

  • A. set prefix 10.1.0 255.255.255.0
  • B. set neighbor-group advpn
  • C. set prefix 172.16.1.0 255.255.255.0
  • D. set route-reflector-client enable

Correct answer: B, C

Explanation:
In the ADVPN configuration for BGP, you should specify the prefix that the neighbors can advertise. Option C is correct because you configure the BGP network prefix that should be advertised to the neighbors, which matches the BGP network in the diagram. Option B is also correct because you should reference the neighbor group configured for the ADVPN setup within the BGP configuration.


Question # 43
Which two statements about the Security Fabric are true? (Choose two.)

  • A. Only the root FortiGate sends logs to FortiAnalyzer.
  • B. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer.
  • C. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer.
  • D. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the root FortiGate sends.

Correct answer: B, C

Explanation:
FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer and other Security Fabric devices to exchange information such as device status, network topology, and security events. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer, where it can be viewed and analyzed. References: Security Fabric - Fortinet Documentation; Fortinet Security Fabric for Securing Digital Innovations


Question # 44
Exhibit.

Refer to the exhibit, which shows the output from the webfilter fortiguard cache dump and webfilter categories commands.
Using the output, how can an administrator determine the category of the training.fortinet.com website?

  • A. The administrator must add both the Domain and IP hex values of 34 to get the category number.
  • B. The administrator must convert the first three digits of the IP hex value to binary.
  • C. The administrator must convert the first two digits of the Domain hex value to a decimal value.
  • D. The administrator can look up the hex value of 34 in the second command output.

Correct answer: D

Explanation:
* Option D is correct because the administrator can determine the category of the training.fortinet.com website by looking up the hex value of 34 in the second command output. The first command output shows that the domain and the IP of the website are both in category (Hex) 34, which corresponds to Information Technology in the second command output [1].
* Option B is incorrect because the administrator does not need to convert the first three digits of the IP hex value to binary. The IP hex value is already in the same format as the category hex value, so the administrator can simply compare them without any conversion [2].
* Option A is incorrect because the administrator does not need to add both the Domain and IP hex values of 34 to get the category number. The Domain and IP hex values are not related to the category number, but to the cache TTL and the database version respectively [3].
* Option C is incorrect because the administrator does not need to convert the first two digits of the Domain hex value to a decimal value. The Domain hex value is already in the same format as the category hex value, so the administrator can simply compare them without any conversion [2].
References:
* 1: Technical Tip: Verify the webfilter cache content
* 2: Hexadecimal to Decimal Converter
* 3: FortiGate - Fortinet Community
* Web filter | FortiGate / FortiOS 7.2.0 - Fortinet Documentation


Question # 45
Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?

  • A. Only the root FortiGate.
  • B. The FortiGate devices performing network address translation (NAT) or unified threat management (UTM), if configured.
  • C. Only the last FortiGate that handled a session in the Security Fabric.
  • D. Each FortiGate in the Security Fabric.

Correct answer: D

Explanation:
Option D is correct because each FortiGate in the Security Fabric can send logs to FortiAnalyzer for centralized logging and analysis [1][2]. This allows you to monitor and manage the entire Security Fabric from a single console and view aggregated reports and dashboards.
Option A is incorrect because the root FortiGate is not the only device that can send logs to FortiAnalyzer. The root FortiGate is the device that initiates the Security Fabric and acts as the central point of contact for other FortiGate devices [3]. However, it does not have to be the only log source for FortiAnalyzer.
Option B is incorrect because the FortiGate devices performing NAT or UTM are not the only devices that can send logs to FortiAnalyzer. These devices can perform additional security functions on the traffic that passes through them, such as firewall, antivirus, and web filtering [4]. However, they are not the only devices that generate logs in the Security Fabric.
Option C is incorrect because the last FortiGate that handled a session in the Security Fabric is not the only device that can send logs to FortiAnalyzer. The last FortiGate is the device that terminates the session and applies the final security policy [5]. However, it does not have to be the only device that reports the session information to FortiAnalyzer.
References:
1: Security Fabric - Fortinet Documentation
2: FortiAnalyzer Demo
3: Security Fabric topology
4: Security Fabric UTM features
5: Security Fabric session handling


Question # 46
Exhibit.

Refer to the exhibit, which shows information about an OSPF interface.
Which two conclusions can you draw from this command output? (Choose two.)

  • A. NGFW-1 is the designated router.
  • B. The interfaces of the OSPF routers match the MTU value that is configured as 1500.
  • C. The OSPF routers are in the area ID of 0.0.0.1.
  • D. The port3 network has more than one OSPF router.

Correct answer: B, D

Explanation:
From the OSPF interface command output, we can conclude that the port3 network has more than one OSPF router because the Neighbor Count is 2, indicating the presence of another OSPF router besides NGFW-1.
Additionally, we can deduce that the interfaces of the OSPF routers match the MTU value configured as 1500, which is necessary for OSPF neighbors to form adjacencies. An MTU mismatch would prevent OSPF from forming a neighbor relationship.
References:
* Fortinet FortiOS Handbook: OSPF Configuration


Question # 47
......

NSE7_EFW-7.2 real exam questions and accurate Fortinet NSE 7 - Enterprise Firewall 7.2 PDF answers: https://www.jpntest.com/shiken/NSE7_EFW-7.2-mondaishu

Contact us

We answer all inquiries within 12 hours.

Online support hours: (UTC+9) 9:00-24:00
Monday through Saturday

Support: contact us now