Fortinet NSE7_NST-7.2 Exam Dumps & Practice Test Questions
Question 1
Which statements are true about making bulk configuration changes using FortiManager CLI scripts? (Select two.)
A. Changes made in the Policy Package ADOM database are applied instantly to FortiGate devices.
B. Changes in the Device Database require the use of the Install Wizard to apply them to FortiGate devices.
C. Applying changes to all FortiGates in an ADOM triggers an automatic install without creating a new revision.
D. Changes made directly on a remote FortiGate cannot be reviewed before they are implemented.
Answer: B, D
Explanation:
When making bulk configuration changes through FortiManager, understanding how these changes are applied and reviewed is crucial to maintaining network integrity and avoiding unwanted configurations. Here’s how the options break down:
Option A is incorrect. Changes made in the Policy Package ADOM database are not applied instantly to the FortiGate devices. They must first be staged, reviewed, and then pushed to the devices. FortiManager uses a revision-based system, where configuration changes are tested and reviewed before being installed.
Option B is correct. Changes made in the Device Database on FortiManager do require the use of the Install Wizard to apply them to FortiGate devices. The Install Wizard is an essential tool in FortiManager that ensures the changes are installed correctly by guiding administrators through the installation process, allowing for proper configuration deployment to managed devices.
Option C is incorrect. Applying changes to all FortiGates in an ADOM does not trigger an automatic install without creating a new revision. FortiManager is designed to track and maintain configuration changes via revisions, so whenever changes are applied to multiple devices, a new revision is created for review and tracking purposes.
Option D is correct. Changes made directly on a remote FortiGate device, particularly when they are pushed or made without using FortiManager, cannot be reviewed beforehand. This creates the risk of misconfiguration, which is why FortiManager is often used to enforce a more controlled approach to device configuration management.
In conclusion, the correct answers are B and D, as they accurately describe how changes are applied and reviewed using FortiManager CLI scripts.
Question 2
Which of the following tasks are performed automatically by the Install Wizard in FortiManager? (Select two.)
A. Display a preview of pending configuration changes for managed devices.
B. Add new FortiGate devices to the FortiManager.
C. Retrieve policy packages from existing FortiGate devices.
D. Deploy configuration updates to managed FortiGate units.
E. Sync interface mappings from FortiGate devices to FortiManager.
Answer: A, D
Explanation:
The Install Wizard in FortiManager is a powerful tool that automates certain tasks in the configuration deployment process, helping administrators efficiently manage and deploy settings across their FortiGate devices. Here’s an overview of the tasks performed by the Install Wizard:
Option A is correct. The Install Wizard does indeed display a preview of pending configuration changes before they are applied to managed devices. This preview is essential for ensuring that all changes are reviewed and approved before they are implemented. This functionality reduces the chances of errors and misconfigurations in the network.
Option B is incorrect. Adding new FortiGate devices to FortiManager is not a task automatically performed by the Install Wizard. While the Install Wizard helps in configuring and deploying changes to managed devices, adding new devices to the FortiManager requires separate processes, typically through device registration or importation into the device database.
Option C is incorrect. The Install Wizard does not automatically retrieve policy packages from existing FortiGate devices. This task is usually performed manually through other configuration management tools in FortiManager or during device setup.
Option D is correct. The Install Wizard automatically deploys configuration updates to managed FortiGate units. After reviewing and confirming the changes, the Install Wizard handles the deployment process, ensuring that the correct configurations are applied to the selected devices.
Option E is incorrect. While syncing interface mappings from FortiGate devices to FortiManager can be done, it is not a task that the Install Wizard performs automatically. Interface mapping typically happens during the device setup or through configuration synchronization tools, but not as part of the Install Wizard's functionality.
In conclusion, the correct answers are A and D, as they reflect the primary tasks that the Install Wizard automates: displaying pending configuration changes and deploying them to managed FortiGate units.
Question 3
An administrator needs to capture ESP packets between two FortiGate units with no NAT devices between them. Which command should be used?
A. diagnose sniffer packet any "udp port 500"
B. diagnose sniffer packet any "udp port 4500"
C. diagnose sniffer packet any "esp"
D. diagnose sniffer packet any "udp port 500 or udp port 4500"
Answer: C
Explanation:
ESP (Encapsulating Security Payload) is the protocol used in IPsec VPNs to provide encryption and integrity for the data being transmitted between two devices. To capture ESP traffic, the correct filter would be based on the ESP protocol itself, which operates on IP protocol number 50.
Option A is incorrect. UDP port 500 is used for the IKE (Internet Key Exchange) phase of an IPsec VPN connection, which is used for key negotiation, not for carrying the encrypted data. ESP traffic, which is the actual encrypted data traffic, does not use UDP port 500.
Option B is incorrect. UDP port 4500 is used for IPsec NAT-Traversal (NAT-T), which allows IPsec traffic to pass through NAT devices by encapsulating the ESP traffic in UDP. However, if there are no NAT devices between the FortiGate units, capturing traffic on UDP port 4500 is unnecessary for the ESP traffic itself.
Option C is correct. ESP is the correct protocol to capture when the goal is to monitor the actual encrypted data traffic between two FortiGate devices. Using the filter diagnose sniffer packet any "esp" allows you to capture the ESP packets directly.
Option D is incorrect. The command udp port 500 or udp port 4500 would only capture IKE and NAT-T related traffic, not the ESP packets. Since no NAT devices exist between the FortiGate units in this scenario, filtering on these UDP ports does not help capture the actual encrypted data packets.
Thus, the correct command to capture ESP traffic is C — diagnose sniffer packet any "esp".
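To make concrete what each of the four sniffer filters above would actually match, here is an added Python classifier (not from the original page or from Fortinet) that builds constructed IPv4 packets and applies the same distinctions: native ESP is IP protocol 50, IKE is UDP 500, and UDP 4500 carries NAT-T. It goes one step past the question by also separating IKE-over-4500 (4-byte non-ESP marker) from UDP-encapsulated ESP, which is why the "udp port" filters still miss native ESP when no NAT is present.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Protocol numbers and ports discussed in the question.
ESP_PROTO = 50
UDP_PROTO = 17
IKE_PORT = 500
NATT_PORT = 4500


@dataclass
class PacketInfo:
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    kind: str  # "esp", "ike", "natt-ike", "natt-esp" or "other"


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options); checksum left zero, the parser ignores it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP header; checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt: bytes) -> PacketInfo:
    """Decide whether a raw IPv4 packet is native ESP, IKE, NAT-T IKE or NAT-T ESP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == ESP_PROTO:
        return PacketInfo(proto, None, None, "esp")
    if proto == UDP_PROTO and len(body) >= 8:
        sport, dport, _, _ = struct.unpack("!HHHH", body[:8])
        data = body[8:]
        if IKE_PORT in (sport, dport):
            return PacketInfo(proto, sport, dport, "ike")
        if NATT_PORT in (sport, dport):
            # RFC 3948: IKE on 4500 is prefixed with a 4-byte zero non-ESP marker;
            # UDP-encapsulated ESP starts directly with the (non-zero) ESP SPI.
            kind = "natt-ike" if data[:4] == b"\x00\x00\x00\x00" else "natt-esp"
            return PacketInfo(proto, sport, dport, kind)
        return PacketInfo(proto, sport, dport, "other")
    return PacketInfo(proto, None, None, "other")


# The four answer options, expressed as predicates over the classified packet.
FILTERS = {
    "udp port 500": lambda i: i.proto == UDP_PROTO and IKE_PORT in (i.sport, i.dport),
    "udp port 4500": lambda i: i.proto == UDP_PROTO and NATT_PORT in (i.sport, i.dport),
    "esp": lambda i: i.proto == ESP_PROTO,
    "udp port 500 or udp port 4500": lambda i: i.proto == UDP_PROTO
    and (IKE_PORT in (i.sport, i.dport) or NATT_PORT in (i.sport, i.dport)),
}


def matching_filters(pkt: bytes) -> list:
    """Return the sorted names of the sniffer filters that would capture this packet."""
    info = classify(pkt)
    return sorted(name for name, pred in FILTERS.items() if pred(info))


def sample_packets() -> dict:
    """Constructed sample traffic (not real captures): SPI, sequence number, dummy ciphertext."""
    esp_payload = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
    return {
        "native_esp": build_ipv4(ESP_PROTO, esp_payload),
        "ike": build_ipv4(UDP_PROTO, build_udp(IKE_PORT, IKE_PORT, b"\x11" * 28)),
        "natt_esp": build_ipv4(UDP_PROTO, build_udp(NATT_PORT, NATT_PORT, esp_payload)),
        "natt_ike": build_ipv4(UDP_PROTO, build_udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + b"\x11" * 28)),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:11s} -> {classify(pkt).kind:9s} matched by {matching_filters(pkt)}")
```

Running it shows that only the "esp" filter captures the native ESP packet, while the two UDP-port filters see IKE and NAT-T traffic only.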
Question 4
What are the requirements for a static route to be considered active in the FortiGate routing table? (Select three.)
A. The next-hop IP must be reachable and working.
B. No alternative route exists with a lower administrative distance.
C. If configured, the link health check must pass.
D. The next-hop IP address must be within the outgoing interface's subnet.
E. The outgoing interface must be up and operational.
Answer: A, B, E
Explanation:
For a static route to become active in the FortiGate routing table, several conditions must be met to ensure that the route is both valid and optimal. Below is the breakdown of each requirement:
Option A is correct. For a static route to be considered active, the next-hop IP must be reachable. This means that the FortiGate device needs to be able to successfully communicate with the next-hop IP address. If the next-hop IP is not reachable (for example, if there is a network issue or the next-hop device is down), the route will not be considered valid and will not be added to the routing table.
Option B is correct. If there are multiple routes to the same destination, the administrative distance is a key factor in determining which route is chosen. A static route will only be active if no alternative route exists with a lower administrative distance. Routes with lower administrative distance are preferred over those with higher values. For example, dynamic routing protocols like OSPF or RIP typically have lower administrative distances than static routes.
Option C is incorrect. The link health check is optional and only relevant if configured. When it is configured, it verifies that the link to the next-hop is operational and healthy, and if the check fails the static route is considered inactive. Because it is optional, it is a necessary condition only when link health checks are enabled, not a strict requirement for all static routes to become active.
Option D is incorrect. The next-hop IP address does not necessarily need to be within the same subnet as the outgoing interface. As long as the route points to a reachable next-hop and the correct routing path exists, the route can still be active. The outgoing interface is responsible for directing traffic to the correct next-hop, but the next-hop IP can be outside of the local subnet of the interface.
Option E is correct. The outgoing interface must be up and operational for a static route to be considered active. If the interface is down, even if the route points to a reachable next-hop IP, the static route will not be valid, and traffic will not be routed through that interface.
In summary, the three main requirements for a static route to be considered active are A (next-hop reachability), B (administrative distance), and E (outgoing interface status).
Question 5
While testing HA failover between two FortiGates, the admin sees traffic still being sent to the old primary device. What does enabling the link-failed-signal setting do?
A. Causes the previous primary to shut down all non-heartbeat ports for one second during failover.
B. Broadcasts an ARP message telling network devices that the virtual MAC now belongs to the new master.
C. Sends a "link failure" alert to all connected switches and routers.
D. Temporarily disables non-heartbeat interfaces on all HA members for two seconds after failover.
Answer: B
Explanation:
The link-failed-signal setting is a feature in FortiGate HA clusters designed to address issues where traffic continues to flow to the old primary unit after a failover. This setting helps ensure that the network traffic is properly directed to the new primary unit by informing other network devices about the change in the virtual MAC address.
Option A is incorrect. This statement is related to non-heartbeat ports, but the action of shutting them down for one second is not the purpose of enabling the link-failed-signal setting. The link-failed-signal setting is specifically related to broadcasting an ARP message to inform the network about the virtual MAC address change, not shutting down ports.
Option B is correct. When link-failed-signal is enabled, FortiGate devices in the HA cluster broadcast an ARP message to notify other devices in the network that the virtual MAC address, which is used for traffic forwarding, is now associated with the new primary unit. This ensures that traffic is routed to the new primary device, preventing traffic from continuing to be sent to the old unit.
Option C is incorrect. While a "link failure" alert may be useful for monitoring purposes, it does not solve the issue of traffic being sent to the old primary device. The link-failed-signal setting specifically targets informing other devices about the MAC address change via ARP.
Option D is incorrect. Disabling interfaces for two seconds after failover would not address the issue of traffic being directed to the old primary. The link-failed-signal setting is focused on ensuring the proper MAC address is communicated to the network, not disabling interfaces.
In summary, B is the correct answer because enabling link-failed-signal broadcasts an ARP message to ensure that the network devices are aware of the virtual MAC address now belonging to the new master FortiGate unit.
Question 6
You are investigating intermittent traffic loss through an FGCP active-passive HA pair running FortiOS 7.2. Which two diagnostic commands most quickly reveal synchronization gaps in session tables between the nodes? (Choose 2.)
A. diagnose sys session list | grep dirty
B. diagnose sys ha dump-by vcluster
C. diagnose sys ha checksum cluster
D. diagnose sys ha status
E. execute ha manage <slave-id> "diag sys session stat"
Answer: A, C
Explanation:
In an FGCP (FortiGate Cluster Protocol) active-passive HA configuration, session synchronization between the active and passive nodes is crucial for maintaining continuous traffic flow, especially during failover scenarios. If there is a synchronization issue or a gap in session tables between the two nodes, it can cause traffic loss or disruptions.
Option A is correct. The command diagnose sys session list | grep dirty helps identify sessions that have not been properly synchronized between the active and passive nodes. Sessions marked as dirty are those that have not been replicated to the passive unit, and these can cause traffic disruptions when the passive unit becomes active. This command provides a quick view of session synchronization issues.
Option B is incorrect. The command diagnose sys ha dump-by vcluster is used to dump cluster-related information based on the virtual cluster, but it does not specifically focus on session synchronization gaps. It's more relevant for general cluster status than for troubleshooting session synchronization issues.
Option C is correct. The command diagnose sys ha checksum cluster checks the consistency of session data between the nodes. It can reveal if there are discrepancies or synchronization gaps between the session tables of the active and passive nodes. This is an important diagnostic step to identify any session synchronization issues.
Option D is incorrect. The diagnose sys ha status command provides the overall status of the HA cluster, such as which unit is the primary and which is the secondary, and the state of the HA synchronization. While useful for general HA health, it does not directly indicate session synchronization gaps between the nodes.
Option E is incorrect. The execute ha manage <slave-id> "diag sys session stat" command allows you to manage a specific HA node (typically the slave) and run diagnostics on it, but it does not specifically reveal synchronization issues between the session tables of the active and passive units.
In conclusion, the most useful commands for identifying session synchronization issues between nodes in an FGCP HA setup are A (diagnose sys session list | grep dirty) and C (diagnose sys ha checksum cluster). These commands provide direct insights into session data gaps between the nodes.
Question 7
A site-to-site IPsec VPN breaks after a remote peer upgrades to IKEv2 with multiple subnets behind each side. Which two FortiGate CLI settings should you verify first to restore Phase 2 negotiation? (Choose 2.)
A. set keylife-type both under the phase2-interface
B. set proposal aes256-sha256 under phase1-interface
C. set src-subnet / dst-subnet wildcarding with 0.0.0.0/0
D. set auto-nego enable and set protocol 17
E. set phase1-name <name> linkage inside the corresponding phase2
Answer: B, E
Explanation:
When a VPN connection fails after an upgrade to IKEv2, there are several possible causes related to the Phase 1 and Phase 2 settings. In this case, the FortiGate needs to ensure compatibility with the remote peer's new configuration.
Option B is correct. The proposal in Phase 1, which defines the encryption and hashing algorithms used during the key exchange, must match between both peers. If the remote peer upgraded to IKEv2 and changed its encryption proposal, you need to verify that the proposal in the phase1-interface matches the one used by the remote peer. Setting the proposal to aes256-sha256 is a common and secure setting for IKEv2 VPNs. This setting ensures that both peers are using the same encryption and hashing algorithms.
Option E is correct. The phase1-name setting links the Phase 2 configuration to the corresponding Phase 1 configuration. If the remote peer upgraded and changed its Phase 1 settings (including its name or linkage), ensuring the Phase 1 name is correctly referenced in the Phase 2 configuration will restore the negotiation. The linkage should match the peer's Phase 1 settings to allow the Phase 2 negotiation to succeed.
Option A is incorrect. The keylife-type setting defines how the key lifetime is handled (either per-peer or global), but it is unlikely to be the cause of a Phase 2 negotiation failure related to IKEv2 upgrades. While important for other aspects of VPN security, it is not the first setting to check in this scenario.
Option C is incorrect. Wildcarding 0.0.0.0/0 in the source and destination subnets in the Phase 2 configuration would allow any source or destination address to be used, which might make the VPN more flexible but is not directly related to resolving Phase 2 negotiation issues after an IKEv2 upgrade. The subnets should be correctly specified to match the ones used by the peer.
Option D is incorrect. The auto-nego enable and protocol 17 settings are used for certain types of automatic negotiation and are unrelated to the Phase 2 negotiation process for an IPsec VPN. They are more relevant to other protocol-specific aspects of the tunnel configuration than to restoring Phase 2 negotiation after an IKEv2 upgrade.
In conclusion, the correct options are B and E, which ensure the Phase 1 settings match the remote peer and the Phase 2 configuration is linked correctly to the Phase 1 configuration.
Question 8
Users report slow web browsing after enabling SSL deep inspection. CPU usage on the NP6XLite is low. Which two FortiGate subsystems are likeliest bottlenecks and should be inspected next? (Choose 2.)
A. ipsengine processes in proxy-based inspection mode
B. Content Processor (CP8) – check diag sys cpusage
C. wad workers handling full SSL proxy handshakes
D. npu interface counters for packet-requeue events
E. Hardware crypto engine (NPU) offload statistics in npu-stat tls
Answer: C, B
Explanation:
When SSL deep inspection is enabled, web traffic can be significantly slowed down due to the additional processing required to decrypt and inspect the SSL traffic. If the CPU usage on the NP6XLite (the network processor) is low, then the bottleneck may lie elsewhere in the system. The following subsystems are likely candidates for inspection:
Option C is correct. The WAD (Web Application Delivery) workers are responsible for handling the SSL proxy handshakes when SSL deep inspection is enabled. This includes the initial decryption and re-encryption of SSL traffic. If there is a high volume of traffic or a large number of SSL handshakes, these workers can become overwhelmed, leading to slow web browsing. Inspecting WAD workers and ensuring they are functioning optimally is a key step in troubleshooting SSL inspection performance issues.
Option B is correct. The Content Processor (CP8) handles the deep inspection of traffic, including SSL traffic. When SSL deep inspection is enabled, the CP8 is responsible for processing the decrypted traffic for content filtering, intrusion prevention, antivirus scanning, etc. If the CP8 is overloaded or not performing efficiently, it can create a bottleneck in the system, resulting in slow web browsing. Checking the diagnostics for CP8 usage (diag sys cpusage) will provide insight into whether the Content Processor is the limiting factor.
Option A is incorrect. While the IPS engine (Intrusion Prevention System) can impact performance when running in proxy-based inspection mode, it is more commonly associated with inspecting traffic for threats rather than SSL traffic handling itself. If the issue is primarily slow browsing due to SSL inspection, the bottleneck is likely in the decryption and re-encryption process, not in IPS detection.
Option D is incorrect. NPU interface counters for packet-requeue events are useful for identifying packet drops or retransmissions, but they are not directly related to the SSL deep inspection bottleneck. The NP6XLite is responsible for packet forwarding and offloading network processing tasks, but SSL inspection involves other components, such as WAD workers and the Content Processor.
Option E is incorrect. The Hardware crypto engine (NPU) offload statistics show the usage of hardware-accelerated cryptographic operations, which are relevant for offloading SSL operations. However, if the NP6XLite is not being heavily utilized, this is less likely to be the primary cause of slow browsing in this scenario. The focus should be on the WAD workers and CP8, as these are directly involved in SSL decryption and inspection.
In summary, C (WAD workers handling SSL proxy handshakes) and B (Content Processor) are the most likely bottlenecks in this scenario and should be inspected for performance issues.
Question 9
After importing a large address list from FortiManager, policies referencing that object fail to match traffic. Which two FortiGate troubleshooting steps pinpoint object-database corruption? (Choose 2.)
A. Run diagnose sys top to look for persistent cmdbsrv high CPU utilization
B. Execute diagnose test application cmdb 3 to validate checksum integrity
C. Review diag debug config-error-log read for unknown attribute errors
D. Perform diag debug cli 8 while re-installing policy from FortiManager
E. Issue diagnose pm2 logls to inspect process-manager restarts
Answer: B, C
Explanation:
When troubleshooting issues related to object-database corruption, such as the failure of policies referencing an imported address list, there are specific diagnostic steps to identify potential database corruption:
Option B is correct. The diagnose test application cmdb 3 command validates the checksum integrity of the configuration database. If there is corruption in the object database, this test can help reveal errors by verifying the integrity of the database objects.
Option C is correct. The diag debug config-error-log read command helps you identify configuration errors in the system. If there is corruption in the object database, you may find errors related to the corrupted objects in the config-error-log. These errors often contain references to issues with object integrity, which is crucial for identifying database corruption.
Option A is incorrect. diagnose sys top can provide information about resource utilization, but it does not specifically target object database corruption. It could show high CPU utilization by the cmdbsrv process, but this is not directly related to identifying object corruption in the database.
Option D is incorrect. diag debug cli 8 is a debug command that shows detailed debug information during policy reinstallation, but it is unlikely to directly pinpoint object database corruption. It is more useful for analyzing traffic flow or policy application issues, not database corruption.
Option E is incorrect. diagnose pm2 logls helps in inspecting process manager logs for restarts of specific processes. While restarts could indicate issues, this command is not directly related to diagnosing object-database corruption, which is more focused on configuration and object integrity.
In conclusion, B and C are the best troubleshooting steps to diagnose potential object-database corruption, as they directly address database integrity and configuration errors.
Question 10
You must trace packet drops on a FortiGate in NAT mode without disrupting production traffic. Which two tools or commands allow targeted, low-impact capture and drop analysis? (Choose 2.)
A. diagnose sniffer packet any "host <ip> and port 443" 4 0 a
B. Flow trace using diagnose debug flow filter addr + diag debug flow with level 5
C. NP6 packet capture via diagnose npu np6lite-sess-capture
D. tcpdump executed in the underlying shell (maintainer access)
E. GUI Packet Capture widget with “Stage = Drop” filter enabled
Answer: A, B
Explanation:
To trace packet drops in NAT mode on a FortiGate without disrupting production traffic, there are several tools and commands that can be used for low-impact capture and analysis:
Option A is correct. Using diagnose sniffer packet any "host <ip> and port 443" 4 0 a is a low-impact sniffer command that allows you to capture specific traffic (in this case, traffic to/from a specific IP and port) without affecting the entire network. The packet capture will focus on the traffic of interest and won't interfere with production traffic.
Option B is correct. The Flow trace using diagnose debug flow filter addr combined with diag debug flow with level 5 allows you to trace packets that are being processed through the FortiGate in NAT mode. It’s a detailed method that lets you focus on particular flows and can provide insights into why packets are being dropped (e.g., due to misconfigurations or incorrect firewall policies). This method is low-impact as it doesn’t involve interrupting traffic flow and helps pinpoint drop causes without disruptions.
Option C is incorrect. NP6 packet capture (via diagnose npu np6lite-sess-capture) is more suitable for capturing traffic offloaded to the NPU (Network Processing Unit). While this is useful for certain types of traffic, it may not directly apply to tracing packet drops in NAT mode, and its use could potentially introduce some overhead.
Option D is incorrect. tcpdump executed from the underlying shell can provide packet-level capture, but it requires maintainer access and could introduce risks if improperly used. Also, it can be more invasive and might interfere with the production traffic, so it’s not ideal for low-impact analysis.
Option E is incorrect. The GUI Packet Capture widget with the “Stage = Drop” filter is helpful for analyzing dropped packets, but it relies on the GUI interface. While it can give a useful overview of dropped packets, using the CLI-based diagnostic tools like sniffer and debug flow (as in options A and B) is often more efficient and flexible for detailed analysis without disrupting traffic.
In summary, A (sniffer packet capture) and B (debug flow trace) are the most effective and low-impact methods for tracing packet drops without disrupting production traffic on the FortiGate device.