Fortinet NSE7_EFW-7.2 Practice Questions

Total 64 Questions


Last Updated On : 26-Nov-2025



What are two functions of automation stitches? (Choose two.)



A. Automation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.


B. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.


C. Automation stitches can be configured on any FortiGate device in a Security Fabric environment.


D. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.





A.
  Automation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified thresholds.

D.
  An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Which ADVPN configuration must be configured using a script on FortiManager when using VPN Manager to manage FortiGate VPN tunnels?



A. Enable AD-VPN in IPsec phase 1


B. Disable add-route on hub


C. Configure IP addresses on IPsec virtual interfaces


D. Set protected network to all





A.
  Enable AD-VPN in IPsec phase 1

Explanation:

To enable AD-VPN, you need to edit an SD-WAN overlay template and enable the Auto-Discovery VPN toggle. This will automatically add the required settings to the IPsec template and the BGP template. You cannot enable AD-VPN directly in the IPsec phase 1 settings using VPN Manager.

References: ADVPN | FortiManager 7.2.0 - Fortinet Documentation

Which two statements about IKE version 2 are true? (Choose two.)



A. Phase 1 includes main mode


B. It supports the extensible authentication protocol (EAP)


C. It supports the XAuth protocol.


D. It exchanges a minimum of four messages to establish a secure tunnel





B.
  It supports the extensible authentication protocol (EAP)

D.
  It exchanges a minimum of four messages to establish a secure tunnel

Explanation:

IKE version 2 supports the extensible authentication protocol (EAP), which allows for more flexible and secure authentication methods. IKE version 2 also exchanges a minimum of four messages to establish a secure tunnel, which is more efficient than IKE version 1.

References: IKE settings | FortiClient 7.2.2 - Fortinet Documentation, Technical Tip: How to configure IKE version 1 or 2 … - Fortinet Community

You want to improve reliability over a lossy IPSec tunnel. Which combination of IPSec phase 1 parameters should you configure?



A. fec-ingress and fec-egress


B. dpd and dpd-retryinterval


C. fragmentation and fragmentation-mtu


D. keepalive and keylife





C.
  fragmentation and fragmentation-mtu

Explanation:

For improving reliability over a lossy IPSec tunnel, the fragmentation and fragmentation-mtu parameters should be configured. In scenarios where there might be issues with packet size or an unreliable network, setting the IPsec phase 1 to allow for fragmentation will enable large packets to be broken down, preventing them from being dropped due to size or poor network quality. The fragmentation-mtu specifies the size of the fragments. This is aligned with Fortinet's recommendations for handling IPsec VPN over networks with potential packet loss or size limitations.

Which two statements about the Security Fabric are true? (Choose two.)



A. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer.


B. Only the root FortiGate sends logs to FortiAnalyzer


C. Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the root FortiGate sends


D. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer





B.
  Only the root FortiGate sends logs to FortiAnalyzer

C.
  Only FortiGate devices with configuration-sync receive and synchronize global CMDB objects that the root FortiGate sends

Explanation:

In the Security Fabric, only the root FortiGate sends logs to FortiAnalyzer (B). Additionally, only FortiGate devices with configuration-sync enabled receive and synchronize global Central Management Database (CMDB) objects that the root FortiGate sends (C). FortiGate uses the FortiTelemetry protocol to communicate with other FortiGates, not FortiAnalyzer (A). The last option (D) is incorrect as all FortiGates can collect and forward network topology information to FortiAnalyzer.
References:

FortiOS Handbook - Security Fabric

Which two statements about metadata variables are true? (Choose two.)



A. You create them on FortiGate


B. They apply only to non-firewall objects.


C. The metadata format is $.


D. They can be used as variables in scripts





A.
  You create them on FortiGate

D.
  They can be used as variables in scripts

Explanation:

Metadata variables in FortiGate are created to store metadata associated with different FortiGate features. These variables can be used in various configurations and scripts to dynamically replace the variable with its actual value during processing. A: You create metadata variables on FortiGate. They are used to store metadata for FortiGate features and can be called upon in different configurations. D: They can be used as variables in scripts. Metadata variables are utilized within the scripts to dynamically insert values as per the context when the script runs.

Fortinet FortiOS Handbook: CLI Reference

You want to configure faster failure detection for BGP. Which parameter should you enable on both connected FortiGate devices?



A. Ebgp-enforce-multihop


B. bfd


C. Distribute-list-in


D. Graceful-restart





B.
  bfd

Explanation:

BFD (Bidirectional Forwarding Detection) is a protocol that provides fast failure detection for BGP by sending periodic messages to verify the connectivity between two peers. BFD can be enabled on both connected FortiGate devices by using the command set bfd enable under the BGP configuration.

References: Technical Tip : FortiGate BFD implementation and examples …, Configure BGP | FortiGate / FortiOS 7.0.2 - Fortinet Documentation
