Exam2pass
0 items Sign In or Register
  • Home
  • IT Exams
  • Guarantee
  • FAQs
  • Reviews
  • Contact Us
  • Demo
Exam2pass > Fortinet > Fortinet Certifications > NSE7_EFW-7.2 > NSE7_EFW-7.2 Online Practice Questions and Answers

NSE7_EFW-7.2 Online Practice Questions and Answers

Questions 4

Refer to the exhibit, which shows a network diagram.

Which protocol should you use to configure the FortiGate cluster?

A. FGCP in active-passive mode

B. OFGSP

C. VRRP

D. FGCP in active-active mode

Buy Now

Correct Answer: A

Given the network diagram and the presence of two FortiGate devices, the Fortinet Gate Clustering Protocol (FGCP) in active-passive mode is the most appropriate for setting up a FortiGate cluster. FGCP supports high availability configurations and is designed to allow one FortiGate to seamlessly take over if the other fails, providing continuous network availability. This is supported by Fortinet documentation for high availability configurations using FGCP.

Questions 5

Which two statements about the neighbor-group command are true? (Choose two.)

A. You can configure it on the GUI.

B. It applies common settings in an OSPF area.

C. It is combined with the neighbor-range parameter.

D. You can apply it in Internal BGP (IBGP) and External BGP (EBGP).

Buy Now

Correct Answer: BD

The neighbor-group command in FortiOS allows for the application of common settings to a group of neighbors in OSPF, and can also be used to simplify configuration by applyingcommon settings to both IBGP and EBGP neighbors. This grouping functionality is a part of the FortiOS CLI and is documented in the Fortinet CLI reference.

Questions 6

Which two statements about the Security fabric are true? (Choose two.)

A. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnatyzer.

B. Only the root FortiGate sends logs to FortiAnalyzer

C. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the toot FortiGate sends

D. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer

Buy Now

Correct Answer: BC

In the Security Fabric, only the root FortiGate sends logs to FortiAnalyzer (B). Additionally, only FortiGate devices withconfiguration-syncenabled receive and synchronize global Central Management Database (CMDB) objects that the root FortiGate sends (C). FortiGate uses the FortiTelemetry protocol to communicate with other FortiGates, not FortiAnalyzer (A). The last option (D) is incorrect as all FortiGates can collect and forward network topology information to FortiAnalyzer. References: FortiOS Handbook - Security Fabric

Questions 7

Exhibit.

Refer to the exhibit, which shows a partial web filter profile conjuration

What can you cone udo from this configuration about access towww.facebook, com, which is categorized as Social Networking?

A. The access is blocked based on the Content Filter configuration

B. The access is allowed based on the FortiGuard Category Based Filter configuration

C. The access is blocked based on the URL Filter configuration

D. The access is hocked if the local or the public FortiGuard server does not reply

Buy Now

Correct Answer: C

The access to www.facebook.com is blocked based on the URL Filter configuration. In the exhibit, it shows that the URL "www.facebook.com" is specifically set to "Block" under the URL Filter section1. References := Fortigate: How to configure Web Filter function on Fortigate, Web filter | FortiGate / FortiOS 7.0.2 | Fortinet Document Library, FortiGate HTTPS web URL filtering ... - Fortinet ... - Fortinet Community

Questions 8

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

A. FortiManager provides FortiGuard.

B. fortiguard-anycast is set to enable.

C. You do not have the corresponding write access.

D. udp is not a protocol option.

Buy Now

Correct Answer: D

The reason for the command failure when trying to set the protocol to UDP in theconfig system fortiguardis likely that UDP is not a protocol option in this context. The command syntax might be incorrect or the option to set a protocol for FortiGuard updates might not exist in this manner. So the correct answer is D. udp is not a protocol option.

Questions 9

Exhibit.

Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices.

Which two conclusions can you draw from this con figuration? (Choose two)

A. 10.1.5.254 is the default gateway of the internal network

B. On failover new primary device uses the same MAC address as the old primary

C. The VRRP domain uses the physical MAC address of the primary FortiGate

D. By default FortiGate B is the primary virtual router

Buy Now

Correct Answer: AB

The Virtual Router Redundancy Protocol (VRRP) configuration in the exhibit indicates that 10.1.5.254 is set as the virtual IP (VRIP), commonly serving as the default gateway for the internal network (A). Withvrrp-virtual-macenabled, both FortiGates would use the same virtual MAC address, ensuring a seamless transition during failover (B). The VRRP domain does not use the physical MAC address (C), and the priority settings indicate that FortiGate-A would be the primary router by default due to its higher priority (D).

Questions 10

Exhibit.

Refer to the exhibit, which provides information on BGP neighbors. Which can you conclude from this command output?

A. The router are in the number to match the remote peer.

B. You must change the AS number to match the remote peer.

C. BGP is attempting to establish a TCP connection with the BGP peer.

D. The bfd configuration to set to enable.

Buy Now

Correct Answer: C

The BGP state is "Idle", indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet. If the TCP connection fails, the BGP state will reset to either active or idle, depending on the configuration. References: You can find more information about BGP states and troubleshooting in the following Fortinet Enterprise Firewall 7.2 documents: Troubleshooting BGP How BGP works

Questions 11

Which ADVPN configuration must be configured using a script on fortiManager, when using VPN Manager to manage fortiGate VPN tunnels?

A. Enable AD-VPN in IPsec phase 1

B. Disable add-route on hub

C. Configure IP addresses on IPsec virtual interlaces

D. Set protected network to all

Buy Now

Correct Answer: A

To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager. References := ADVPN | FortiManager 7.2.0 - Fortinet Documentation

Questions 12

Exhibit.

Refer to the exhibit, which shows an ADVPN network.

The client behind Spoke-1 generates traffic to the device located behind Spoke-2.

Which first message floes the hub send to Spoke-110 bring up the dynamic tunnel?

A. Shortcut query

B. Shortcut reply

C. Shortcut offer

D. Shortcut forward

Buy Now

Correct Answer: A

In an ADVPN scenario, when traffic is initiated from a client behind one spoke to another spoke, the hub sends a shortcut query to the initiating spoke. This query is used to determine if there is a more direct path for the traffic, which can then trigger the establishment of a dynamic tunnel between the spokes.

Questions 13

Exhibit.

Refer to the exhibit, which contains a partial policy configuration.

Which setting must you configure to allow SSH?

A. Specify SSH in the Service field

B. Configure pot 22 in the Protocol Options field.

C. Include SSH in the Application field

D. Select an application control profile corresponding to SSH in the Security Profiles section

Buy Now

Correct Answer: A

Option A is correct because to allow SSH, you need to specify SSH in the Service field of the policy configuration. This is because the Service field determines which types of traffic are allowed by the policy1. By default, the Service field is set to App Default, which means that the policy will use the default ports defined by the applications. However, SSH is not one of the default applications, so you need to specify it manually or create a custom service for it2. Option B is incorrect because configuring port 22 in the Protocol Options field is not enough to allow SSH. The Protocol Options field allows you to customize the protocol inspection and anomaly protection settings for the policy3. However, this field does not override the Service field, which still needs to match the traffic type. Option C is incorrect because including SSH in the Application field is not enough to allow SSH. The Application field allows you to filter the traffic based on the application signatures and categories4. However, this field does not override the Service field, which still needs to match the traffic type. Option D is incorrect because selecting an application control profile corresponding to SSH in the Security Profiles section is not enough to allow SSH. The Security Profiles section allows you to apply various security features to the traffic, such as antivirus, web filtering, IPS, etc. However, this section does not override the Service field, which still needs to match the traffic type. References: =

1: Firewall policies

2: Services

3: Protocol options profiles

4: Application control

Exam Code: NSE7_EFW-7.2
Exam Name: Fortinet NSE 7 - Enterprise Firewall 7.2
Last Update: Jul 05, 2026
Questions: 80

PDF (Q&A)

$45.99
ADD TO CART

VCE

$49.99
ADD TO CART

PDF + VCE

$59.99
ADD TO CART

Exam2Pass----The Most Reliable Exam Preparation Assistance

There are tens of thousands of certification exam dumps provided on the internet. And how to choose the most reliable one among them is the first problem one certification candidate should face. Exam2Pass provide a shot cut to pass the exam and get the certification. If you need help on any questions or any Exam2Pass exam PDF and VCE simulators, customer support team is ready to help at any time when required.

Home | Guarantee & Policy |  Privacy & Policy |  Terms & Conditions |  How to buy |  FAQs |  About Us |  Contact Us |  Demo |  Reviews

2026 Copyright @ exam2pass.com All trademarks are the property of their respective vendors. We are not associated with any of them.