4/3/25, 0:04 NSE7_EFW-7.

2 Exam - Free Actual Q&As, Page 1 | ExamTopics

Topic 1 - Exam A

Question #1 Topic 1

Refer to the exhibit, which contains a TCL script configuration on FortiManager.

An administrator has configured the TCL script on FortiManager, but the TCL script failed to apply any changes to the managed device after being

run.

Why did the TCL script fail to make any changes to the managed device?

A. The TCL procedure run_cmd has not been created. Most Voted

B. The TCL script must start with #include.

C. There is no corresponding #! to signify the end of the script.

D. The TCL procedure lacks the required loop statements to iterate through the changes.

Correct Answer: A

Community vote distribution

A (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/ 1/3
4/3/25, 0:04 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #2 Topic 1

You want to improve reliability over a lossy IPSec tunnel.

Which combination of IPSec phase 1 parameters should you configure?

A. fec-ingress and fsc-egrsss Most Voted

B. dpd and dpd-retryinterval

C. fragmentation and fragmentation-mtu

D. keepalive and keylive

Correct Answer: A

Community vote distribution

A (100%)

Question #3 Topic 1

How are bulk configuration changes made using FortiManager CLI scripts? (Choose two.)

A. When run on the Device Database, changes are applied directly to the managed FortiGate device.

B. When run on the Remote FortiGate directly, administrators do not have the option to review the changes prior to installation. Most Voted

C. When run on the All FortiGate in ADOM, changes are automatically installed without the creation of a new revision history.

D. When run on the Policy Package, ADOM database, you must use the installation wizard to apply the changes to the managed FortiGate

device. Most Voted

Correct Answer: BD

Community vote distribution

BD (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/ 2/3
4/3/25, 0:04 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 1 | ExamTopics

Question #4 Topic 1

Refer to the exhibit, which contains a partial configuration of the global system.

What can you conclude from this output?

A. Only NPs are disabled

B. Only CPs are disabled

C. NPs and CPs are enabled Most Voted

D. NPs and CPs are disabled

Correct Answer: C

Community vote distribution

C (96%) 4%

Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 1 out of 19 pages.

Viewing questions 1-4 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/ 3/3
4/3/25, 0:05 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 2 | ExamTopics

Question #5 Topic 1

Refer to the exhibits, which show the configurations of two address objects from the same FortiGate.

Engineering address object -

Finance address object -

Why can you modify the Engineering address object, but not the Finance address object?

A. You have read-only access.

B. Another user is editing the Finance address object in workspace mode.

C. FortiGate joined the Security Fabric and the Finance address object was configured on the root FortiGate. Most Voted

D. FortiGate is registered on FortiManager.

Correct Answer: C

Community vote distribution

C (76%) B (20%) 5%

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/2/ 1/3
4/3/25, 0:05 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 2 | ExamTopics

Question #6 Topic 1

Which two statements about the neighbor-group command are true? (Choose two.)

A. It applies common settings in an OSPF area

B. You can apply it in Internal BGP (IBGP) and External BGP (EBGP) Most Voted

C. You can configure it on the GUI Most Voted

D. It is combined with the neighbor-range parameter

Correct Answer: BC

Community vote distribution

BC (73%) BD (27%)

Question #7 Topic 1

Refer to the exhibit, which contains information about an IPsec VPN tunnel.

What two conclusions can you draw from the command output? (Choose two.)

A. Dead peer detection is set to enable

B. The IKE version is 2 Most Voted

C. Both IPsec SAs are loaded on the kernel Most Voted

D. Forward error correction in phase 2 is set to enable

Correct Answer: BC

Community vote distribution

BC (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/2/ 2/3
4/3/25, 0:05 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 2 | ExamTopics

Question #8 Topic 1

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

A. Only some IKE version 2 packets are considered fragmentable Most Voted

B. The reassembly timeout default value is 30 seconds

C. It is performed at the IP layer Most Voted

D. The maximum number of IKE version 2 fragments is 128

Correct Answer: AC

Community vote distribution

AC (89%) 5%

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 2 out of 19 pages.

Viewing questions 5-8 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/2/ 3/3
4/3/25, 0:06 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 3 | ExamTopics

Question #9 Topic 1

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the

switches in the network continue to send traffic to the former primary device.

What can the administrator do to fix this problem?

A. Configure set link-failed-signal enable under config system ha on both cluster members Most Voted

B. Configure set send-garp-on-failover enable under config system ha on both cluster members.

C. Configure remote link monitoring to detect an issue in the forwarding path.

D. Verify that the speed and duplex settings match between the FortiGate interfaces and the connected switch ports.

Correct Answer: A

Community vote distribution

A (100%)

Question #10 Topic 1

Refer to the exhibit, which shows the output of a BGP summary.

What two conclusions can you draw from this BGP summary? (Choose two.)

A. The BGP session with peer 10.127.0.75 is established. Most Voted

B. External BGP (EBGP) exchanges routing information. Most Voted

C. The router 100.64.3.1 has the parameter bfd set to enable.

D. The neighbors displayed are linked to a local router with the neighbor-range set to a value of 4.

Correct Answer: AB

Community vote distribution

AB (91%) 9%

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/3/ 1/2
4/3/25, 0:06 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 3 | ExamTopics

Question #11 Topic 1

Refer to the exhibit, which shows a custom signature.

Which two modifications must you apply to the configuration of this custom signature so that you can save it on FortiGate? (Choose two.)

A. Ensure that the header syntax is F-SBID. Most Voted

B. Add severity.

C. Add attack_id.

D. Start options with --. Most Voted

Correct Answer: AD

Community vote distribution

AD (100%)

Question #12 Topic 1

What are two functions of automation stitches? (Choose two.)

A. Automation stitches can be created to run diagnostic commands and email the results when CPU or memory usage exceeds specified

thresholds. Most Voted

B. An automation stitch configured to execute actions in parallel can be set to insert a specific delay between actions.

C. Automation stitches can be configured on any FortiGate device in a Security Fabric environment.

D. An automation stitch configured to execute actions sequentially can take parameters from previous actions as input for the current action.

Most Voted

Correct Answer: AD

Community vote distribution

AD (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 3 out of 19 pages.

Viewing questions 9-12 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/3/ 2/2
4/3/25, 0:07 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 4 | ExamTopics

Question #13 Topic 1

Refer to the exhibit which shows config system central-management information.

Which setting must you configure for the web filtering feature to function?

A. Set update-server-location to automatic

B. Add server.fortiguard.net to the Server list

C. Configure securewf.fortiguard.net on the default servers

D. Configure server-type with the rating option Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #14 Topic 1

Which two statements about the Security Fabric are true? (Choose two.)

A. FortiGate uses the FortiTelemetry protocol to communicate with FortiAnalyzer

B. Only the root FortiGate sends logs to FortiAnalyzer

C. Only FortiGate devices with configuration-sync set to default receive and synchronize global CMDB objects that the root FortiGate sends

Most Voted

D. Only the root FortiGate collects network topology information and forwards it to FortiAnalyzer Most Voted

Correct Answer: CD

Community vote distribution

CD (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/4/ 1/3
4/3/25, 0:07 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 4 | ExamTopics

Question #15 Topic 1

Refer to the exhibit which shows two configured FortiGate devices and peering over

FGSP.

The main link directly connects the two FortiGate devices and is configured using the set session-syn-dev <interface> command.

What is the primary reason to configure the main link?

A. To have only configuration synchronization in layer 3

B. To load balance both sessions and configuration synchronization between layer 2 and 3

C. To have both sessions and configuration synchronization in layer 3

D. To have both sessions and configuration synchronization in layer 2 Most Voted

Correct Answer: D

Community vote distribution

D (79%) A (18%) 4%

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/4/ 2/3
4/3/25, 0:07 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 4 | ExamTopics

Question #16 Topic 1

Refer to the exhibit, which shows a network diagram.

Which protocol should you use to configure the FortiGate cluster?

A. FGCP in active-passive mode

B. FGCP in active-active mode

C. FGSP Most Voted

D. VRRP

Correct Answer: C

Community vote distribution

C (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 4 out of 19 pages.

Viewing questions 13-16 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/4/ 3/3
4/3/25, 0:08 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 5 | ExamTopics

Question #17 Topic 1

After enabling IPS, you receive feedback about traffic being dropped.

What could be the reason?

A. IPS is configured to monitor.

B. np-accel-node is set to enable.

C. fail-open is set to disable. Most Voted

D. traffic-submit is set to disable.

Correct Answer: C

Community vote distribution

C (100%)

Question #18 Topic 1

Refer to the exhibit which shows an ADVPN network.

Which VPN phase 1 parameters must you configure on the hub for the ADVPN feature to function? (Choose two.)

A. set auto-discovery-sender enable Most Voted

B. set auto-discovery-receiver enable

C. set add-route enable

D. set auto-discovery-forwarder enable Most Voted

Correct Answer: AD

Community vote distribution

AD (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/5/ 1/4
4/3/25, 0:08 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 5 | ExamTopics

Question #19 Topic 1

Which two statements about metadata variables are true? (Choose two.)

A. The metadata format is $<metadata_variable_name>. Most Voted

B. You create them on FortiGate.

C. They can be used as variables in scripts. Most Voted

D. They apply only to non-firewall objects.

Correct Answer: AC

Community vote distribution

AC (78%) C (22%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/5/ 2/4
4/3/25, 0:08 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 5 | ExamTopics

Question #20 Topic 1

Refer to the exhibits, which contain the network topology and BGP configuration for a hub.

Exhibit A.

Exhibit B.

An administrator is trying to configure ADVPN with a hub and spoke VPN setup using iBGP. All the VPNs are up and connected to the hub. The hub

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/5/ 3/4
4/3/25, 0:08 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 5 | ExamTopics

is receiving route information from both spokes over iBGP; however the spokes are not receiving route information from each other.

What change must the administrator make to the hub BGP configuration so that the routes learned from one spoke are forwarded to the other

spoke?

A. Configure the hub as a route reflector Most Voted

B. Configure auto-discovery-sender on the hub

C. Add a prefix list to the hub that permits routes to be shared between the spokes

D. Enable route redistribution under config router bgp

Correct Answer: A

Community vote distribution

A (92%) 8%

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 5 out of 19 pages.

Viewing questions 17-20 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/5/ 4/4
4/3/25, 0:08 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 6 | ExamTopics

Question #21 Topic 1

Refer to the exhibit, which contains a partial VPN configuration.

What can you conclude from this configuration?

A. FortiGate creates separate virtual interfaces for each dial-up client

B. The VPN should use the dynamic routing protocol to exchange routing information through the tunnels

C. Dead peer detection is disabled

D. The routing table shows a single IPSec virtual interface Most Voted

Correct Answer: D

Community vote distribution

D (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/6/ 1/3
4/3/25, 0:08 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 6 | ExamTopics

Question #22 Topic 1

Refer to the exhibit which shows information about an OSPF interface.

What two conclusions can you draw from this command output? (Choose two.)

A. The interfaces of the OSPF routers match the MTU value that is configured as 1500. Most Voted

B. NGFW-1 is the designated router.

C. The port3 network has more than one OSPF router. Most Voted

D. The OSPF routers are in the area ID of 0.0.0.1.

Correct Answer: AC

Community vote distribution

AC (100%)

Question #23 Topic 1

Which two statements about the BFD parameter in BGP are true? (Choose two.)

A. It detects only two-way failures.

B. The two routers must be connected to the same subnet.

C. It allows failure detection in less than one second. Most Voted

D. It is supported for neighbors over multiple hops. Most Voted

Correct Answer: CD

Community vote distribution

CD (73%) BC (27%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/6/ 2/3
4/3/25, 0:08 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 6 | ExamTopics

Question #24 Topic 1

You created a VPN community using VPN Manager on FortiManager. You also added gateways to the VPN community. Now you are trying to

create firewall policies to permit traffic over the tunnel; however, the VPN interfaces do not appear as available options.

What step must you take to resolve this issue?

A. Refresh the device status using the Device Manager so that FortiGate populates the IPSec interfaces.

B. Install the VPN community and gateway configuration on the FortiGate devices so that the VPN interfaces appear on the Policy Objects on

FortiManager. Most Voted

C. Configure the phase 1 settings in the VPN community that you didn’t initially configure. FortiGate automatically generates the interfaces

after you configure the required settings.

D. Create interface mappings for the IPsec VPN interfaces before you use them in a policy.

Correct Answer: B

Community vote distribution

B (60%) D (40%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 6 out of 19 pages.

Viewing questions 21-24 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/6/ 3/3
4/3/25, 0:14 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 7 | ExamTopics

Question #25 Topic 1

Refer to the exhibit, which shows a central management configuration.

Which server will FortiGate choose for web filter rating requests, if 10.0.1.240 is experiencing an outage?

A. 10.0.1.244 Most Voted

B. 10.0.1.242

C. Public FortiGuard servers

D. 10.0.1.243

Correct Answer: A

Community vote distribution

A (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/7/ 1/4
4/3/25, 0:14 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 7 | ExamTopics

Question #26 Topic 1

Which statement about the designated router (DR) and backup designated router (BDR) in an OSPF multi-access network is true?

A. Only the DR receives link state information from non-DR routers.

B. Non-DR and non-BDR routers form full adjacencies to DR only.

C. FortiGate first checks the OSPF ID to elect a DR.

D. Non-DR and non-BDR routers send link state updates and acknowledgements to 224.0.0.6. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/7/ 2/4
4/3/25, 0:14 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 7 | ExamTopics

Question #27 Topic 1

Refer to the exhibit, which contains a partial policy configuration.

Which setting must you configure to allow SSH?

A. Specify SSH in the Service field.

B. Select an application control profile corresponding to SSH in the Security Profiles section.

C. Include SSH in the Application field. Most Voted

D. Configure port 22 in the Protocol Options field.

Correct Answer: C

Community vote distribution

C (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/7/ 3/4
4/3/25, 0:14 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 7 | ExamTopics

Question #28 Topic 1

Refer to the exhibit, which shows an SSL certification inspection configuration.

Which action does FortiGate take if the server name indication (SNI) does not match either the common name (CN) or any of the subject

alternative names (SAN) in the server certificate?

A. FortiGate uses the first entry listed in the SAN field in the server certificate

B. FortiGate uses the CN information from the Subject field in the server certificate Most Voted

C. FortiGate uses the SNI from the user's web browser.

D. FortiGate closes the connection because this represents an invalid SSL/TLS configuration

Correct Answer: B

Community vote distribution

B (76%) D (24%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 7 out of 19 pages.

Viewing questions 25-28 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/7/ 4/4
4/3/25, 0:15 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 8 | ExamTopics

Question #29 Topic 1

Refer to the exhibit, which contains a partial OSPF configuration.

What can you conclude from this output?

A. Neighbors maintain communication with the restarting router.

B. The restarting router sends gratuitous ARP for 30 seconds.

C. FortiGate restarts if the topology changes.

D. The router sends grace LSAs before it restarts. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/8/ 1/3
4/3/25, 0:15 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 8 | ExamTopics

Question #30 Topic 1

Refer to the exhibit, which contains an ADVPN network diagram and a partial BGP configuration.

Network diagram -

Partial BGP configuration -

Which two parameters should you configure in config neighbor-range? (Choose two.)

A. set neighbor-group advpn Most Voted

B. set route-reflector-client enable

C. set prefix 10.1.0 255.255.254.0

D. set prefix 172.16.1.0 255.255.255.0 Most Voted

Correct Answer: AD

Community vote distribution

AD (90%) 10%

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/8/ 2/3
4/3/25, 0:15 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 8 | ExamTopics

Question #31 Topic 1

You want to have faster detection for OSPF.

Which parameter should you enable on both connected FortiGate devices?

A. distribute-list-in

B. rfc1583-compatible

C. restart-on-topology-change

D. bfd Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #32 Topic 1

Refer to the exhibit, which provides information on BGP neighbors.

What can you conclude from this command output?

A. You must change the AS number to match the remote peer.

B. BGP is attempting to establish a TCP connection with the BGP peer. Most Voted

C. The bfd configuration is set to enable.

D. The routers are in the same area ID of 0.0.0.0.

Correct Answer: B

Community vote distribution

B (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 8 out of 19 pages.

Viewing questions 29-32 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/8/ 3/3
4/3/25, 0:15 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 9 | ExamTopics

Question #33 Topic 1

Which two statements about ADVPN are true? (Choose two.)

A. The hub adds routes based on IKE negotiations.

B. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0. Most Voted

C. All FortiGate devices must be in the same autonomous system (AS).

D. You must disable add-route in the hub. Most Voted

Correct Answer: BD

Community vote distribution

BD (92%) 8%

Question #34 Topic 1

Which statement about network processor (NP) offloading is true?

A. The NP checks the session key or IPSec SA. Most Voted

B. The NP provides IPS signature matching.

C. You can disable the NP for each firewall policy using the command np-acceleration set to loose.

D. For TCP traffic, FortiGate CPU offloads the first packets of SYN/ACK and ACK of the three-way handshake to NP.

Correct Answer: A

Community vote distribution

A (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/9/ 1/3
4/3/25, 0:15 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 9 | ExamTopics

Question #35 Topic 1

Refer to the exhibit, which shows an error in system fortiguard configuration.

What is the reason you cannot set the protocol to udp in config system fortiguard?

A. udp is not a protocol option.

B. fortiguard-anycast is set to enable. Most Voted

C. You do not have the corresponding write access.

D. FortiManager provides FortiGuard.

Correct Answer: B

Community vote distribution

B (100%)

Question #36 Topic 1

Refer to the exhibit, which contains an active-active load balancing scenario.

During the traffic flow, the primary FortiGate forwards the SYN packet to the secondary FortiGate.

What is the destination MAC address or addresses when packets are forwarded from the primary FortiGate to the secondary FortiGate?

A. Secondary virtual MAC port1 then physical MAC port1

B. Secondary virtual MAC port1

C. Secondary physical MAC port1 Most Voted

D. Secondary physical MAC port1 then virtual MAC port2

Correct Answer: C

Community vote distribution

C (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/9/ 2/3
4/3/25, 0:15 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 9 | ExamTopics

Viewing page 9 out of 19 pages.

Viewing questions 33-36 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/9/ 3/3
4/3/25, 0:16 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 10 | ExamTopics

Question #37 Topic 1

Which configuration can be used to reduce the number of BGP sessions in an IBGP network?

A. route-reflector-peer enable

B. route-reflector-server enable

C. route-reflector-client enable Most Voted

D. route-reflector enable

Correct Answer: C

Community vote distribution

C (100%)

Question #38 Topic 1

In which two ways does FortiManager function when it is deployed as a local FDS? (Choose two.)

A. It can be configured as an update server, a rating server, or both. Most Voted

B. It caches available firmware updates for unmanaged devices.

C. It supports rating requests from non-FortiGate devices.

D. It provides VM license validation services. Most Voted

Correct Answer: AD

Community vote distribution

AD (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/10/ 1/3
4/3/25, 0:16 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 10 | ExamTopics

Question #39 Topic 1

Refer to the exhibit, which shows a partial web filter profile configuration.

What can you conclude from this configuration about access to www.facebook.com, which is categorized as Social Networking?

A. The access is blocked, based on the URL Filter configuration. Most Voted

B. The access is blocked, based on the Content Filter configuration.

C. The access is allowed, based on the FortiGuard Category Based Filter configuration.

D. The access is blocked if the local or the public FortiGuard server does not reply.

Correct Answer: A

Community vote distribution

A (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/10/ 2/3
4/3/25, 0:16 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 10 | ExamTopics

Question #40 Topic 1

Refer to the exhibit, which shows an ADVPN network.

The client behind Spoke-1 generates traffic to the device located behind Spoke-2.

Which first message does the hub send to Spoke-1 to bring up the dynamic tunnel?

A. Shortcut forward

B. Shortcut reply

C. Shortcut query

D. Shortcut offer Most Voted

Correct Answer: D

Community vote distribution

D (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 10 out of 19 pages.

Viewing questions 37-40 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/10/ 3/3
4/3/25, 0:17 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 11 | ExamTopics

Question #41 Topic 1

Which three conditions are required for two FortiGate devices to form an OSPF adjacency? (Choose three.)

A. OSPF interface network types match. Most Voted

B. OSPF interface priority settings are unique.

C. OSPF router IDs are unique. Most Voted

D. OSPF link costs match.

E. Authentication settings match. Most Voted

Correct Answer: ACE

Community vote distribution

ACE (100%)

Question #42 Topic 1

Refer to the exhibit, which shows a partial routing table.

What two conclusions can you draw from the corresponding FortiGate configuration? (Choose two.)

A. OSPF is configured to run over IPSec.

B. net-device is enabled in the tunnel IPSec phase 1 configuration. Most Voted

C. IPSec tunnel aggregation is configured.

D. add-route is disabled in the tunnel IPSec phase 1 configuration. Most Voted

Correct Answer: BD

Community vote distribution

BD (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/11/ 1/2
4/3/25, 0:17 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 11 | ExamTopics

Question #43 Topic 1

Which two statements about bfd are true? (Choose two.)

A. You must configure it globally only.

B. You can disable it at the protocol level. Most Voted

C. It can support neighbors only over the next hop in BGP.

D. It works for OSPF and BGP. Most Voted

Correct Answer: BD

Community vote distribution

BD (100%)

Question #44 Topic 1

Refer to the exhibit, which contains a partial BGP configuration.

You want to configure a loopback as the BGP source.

Which two parameters must you set in the BGP configuration? (Choose two.)

A. ebgp-enforce-multihop Most Voted

B. recursive-next-hop

C. ibgp-enforce-multihop

D. update-source Most Voted

Correct Answer: AD

Community vote distribution

AD (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 11 out of 19 pages.

Viewing questions 41-44 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/11/ 2/2
4/3/25, 0:18 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 12 | ExamTopics

Question #45 Topic 1

You want to configure faster failure detection for BGP.

Which parameter should you enable on both connected FortiGate devices?

A. graceful-restart

B. distribute-list-in

C. ebgp-enforce-multihop

D. bfd Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #46 Topic 1

You configured an address object on the root FortiGate in a Security Fabric. This object is not synchronized with a downstream device.

Which two reasons could be the cause? (Choose two.)

A. The downstream FortiGate has fabric-object-unification set to local.

B. The root FortiGate has configuration-sync set to enable.

C. The address object on the root FortiGate has fabric-object set to disable. Most Voted

D. The downstream FortiGate has configuration-sync set to local. Most Voted

Correct Answer: CD

Community vote distribution

CD (53%) AC (27%) AD (20%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/12/ 1/3
4/3/25, 0:18 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 12 | ExamTopics

Question #47 Topic 1

Refer to the exhibit, which contains a CLI script configuration on FortiManager. An administrator configured the CLI script on FortiManager, but the

script failed to apply any changes to the managed device after being executed.

What are two reasons why the script did not make any changes to the managed device? (Choose two.)

A. CLI scripts must start with #!.

B. Static routes can be added using only TCL scripts.

C. Incomplete commands can cause CLI scripts to fail. Most Voted

D. The commands that start with the # sign did not run. Most Voted

Correct Answer: CD

Community vote distribution

CD (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/12/ 2/3
4/3/25, 0:18 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 12 | ExamTopics

Question #48 Topic 1

Refer to the exhibit, which shows the output from the webfilter fortiguard cache dump and webfilter categories commands.

Using the output, how can an administrator determine the category of the training.fortinet.com website?

A. The administrator can look up the hex value of 34 in the second command output.

B. The administrator must convert the first two digits of the Domain hex value to a decimal value. Most Voted

C. The administrator must convert the first three digits of the IP hex value to binary.

D. The administrator must add both the Domain and IPhex values of 34 to get the category number.

Correct Answer: B

Community vote distribution

B (80%) A (20%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 12 out of 19 pages.

Viewing questions 45-48 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/12/ 3/3
4/3/25, 0:18 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 13 | ExamTopics

Question #49 Topic 1

Refer to the exhibit, which contains the partial ADVPN configuration of a spoke.

Which two parameters must you configure on the corresponding single hub? (Choose two.)

A. set auto-discovery-receiver enable

B. set auto-discovery-sender enable Most Voted

C. set ike-version 2 Most Voted

D. set auto-discovery-forwarder enable

Correct Answer: BC

Community vote distribution

BC (100%)

Question #50 Topic 1

You want to block access to the website www.eicar.org using a custom IPS signature.

Which custom IPS signature should you configure?

A. F-SBID ( --name “detect_eicar”; --protocol udp; --service ssl; --flow from_client; --pattern “www.eicar.org”; --no_case; --context host;)

B. F-SBID ( --name “eicar”; --protocol udp; --flow from_server; --pattern “eicar”; --context host;)

C. F-SBID ( --name “detect_eicar”; --protocol tcp; --service dns; --flow from_server; --pattern “eicar”; --no_case;)

D. F-SBID ( --name “eicar”; --protocol tcp; --service HTTP; --flow from_client; --pattern “www.eicar.org”; --no_case; --context host;) Most Voted

Correct Answer: D

Community vote distribution

D (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/13/ 1/2
4/3/25, 0:18 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 13 | ExamTopics

Question #51 Topic 1

Refer to the exhibit, which shows a network diagram.

Which IPSec phase 2 configuration should you implement so that only one remote site is connected at any time?

A. Set net-device to enable.

B. Set route-overlap to allow.

C. Set single-source to enable.

D. Set route-overlap to either use-new or use-old. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #52 Topic 1

Which ADVPN configuration must be configured using a script on FortiManager, when using VPN Manager to manage FortiGate VPN tunnels?

A. Enable AD-VPN in IPsec phase 1 Most Voted

B. Configure IP addresses on IPsec virtual interfaces

C. Set protected network to all

D. Disable add-route on hub

Correct Answer: A

Community vote distribution

A (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 13 out of 19 pages.

Viewing questions 49-52 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/13/ 2/2
4/3/25, 0:19 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 14 | ExamTopics

Question #53 Topic 1

Refer to the exhibit, which contains the partial interface configuration of two FortiGate devices.

Which two conclusions can you draw from this configuration? (Choose two.)

A. The VRRP domain uses the physical MAC address of the primary FortiGate.

B. On failover, new primary device uses the same MAC address as the old primary. Most Voted

C. 10.1.5.254 is the default gateway of the internal network. Most Voted

D. By default, FortiGate-B is the primary virtual router.

Correct Answer: BC

Community vote distribution

BC (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/14/ 1/3
4/3/25, 0:19 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 14 | ExamTopics

Question #54 Topic 1

Which two statements about IKE version 2 are true? (Choose two.)

A. It supports the XAuth protocol.

B. Phase 1 includes main mode.

C. It exchanges a minimum of four messages to establish a secure tunnel. Most Voted

D. It supports the extensible authentication protocol (EAP). Most Voted

Correct Answer: CD

Community vote distribution

CD (100%)

Question #55 Topic 1

Which FortiGate in a Security Fabric sends logs to FortiAnalyzer?

A. Only the root FortiGate.

B. Each FortiGate in the Security Fabric. Most Voted

C. The FortiGate devices performing network address translation (NAT) or unified threat management (UTM), if configured.

D. Only the last FortiGate that handled a session in the Security Fabric.

Correct Answer: B

Community vote distribution

B (78%) C (22%)

Question #56 Topic 1

Refer to the exhibit, which shows a routing table.

What two options can you configure in OSPF to block the advertisement of the 10.1.10.0 prefix? (Choose two.)

A. Configure a route-map-out.

B. Disable Redistribute Connected. Most Voted

C. Configure a distribute-list-out.

D. Remove the 10.1.10.0 prefix from the OSPF network. Most Voted

Correct Answer: BD

Community vote distribution

BD (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/14/ 2/3
4/3/25, 0:19 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 14 | ExamTopics

Viewing page 14 out of 19 pages.

Viewing questions 53-56 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/14/ 3/3
4/3/25, 0:19 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 15 | ExamTopics

Question #57 Topic 1

Which two statements about ADVPN are true? (Choose two.)

A. auto-discovery-receiver must be set to enable on the spokes. Most Voted

B. Spoke-to-spoke traffic never goes through the hub.

C. It supports NAT for on-demand tunnels. Most Voted

D. Routing is configured by enabling add-advpn-route.

Correct Answer: AC

Community vote distribution

AC (100%)

Question #58 Topic 1

Refer to the exhibit.

An administrator wants to expand the network by adding two additional FortiGate devices into AS 6500.

Which configuration is the most effective way to improve BGP convergence in this scenario?

A. Prefix list

B. Route reflector

C. BFD

D. Neighbor group

Correct Answer: B

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/15/ 1/3
4/3/25, 0:19 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 15 | ExamTopics

Question #59 Topic 1

Refer to the exhibit, which shows device registration on FortiManager.

What can you conclude about the Spoke-1 and Spoke-2 configurations with respect to the information cond: Modified (recent auto-updated)?

A. On both Spoke-1 and Spoke.2, the configuration was changed directly on the FortiGate device, and the changes were automatically

retrieved by the device database.

B. On NGFW-1, the configuration was changed and spokes are waiting for an autoupdate.

C. Spoke-1 and Spoke-2 are sharing the same security policy configuration and the same policy package.

D. Based on the policy configuration on NGFW-1, the configuration on both spokes is modified and automatically updated.

Correct Answer: A

Community vote distribution

A (50%) D (50%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/15/ 2/3
4/3/25, 0:19 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 15 | ExamTopics

Question #60 Topic 1

Which two configurations are mandatory for an auto-discovery VPN (ADVPN) implementation on a hub? (Choose two.)

A. The remote-ip must be on a different IP address from the overlay subnet.

B. set net-device must be disabled to avoid dynamic interface creation.

C. set add-route must be enabled to add routes.

D. An overlay IP address with a mask of /32 must be assigned to the IPsec virtual interface.

Correct Answer: CD

Community vote distribution

BD (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 15 out of 19 pages.

Viewing questions 57-60 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/15/ 3/3
4/3/25, 0:21 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 16 | ExamTopics

Question #61 Topic 1

Refer to the exhibit, which shows an OSPF network.

Which types of link-state advertisements (LSA) will NGFW-1 send, if it is a backup designated router (BDR)?

A. NGFW-1 will send type 1 and type 2 LSAs.

B. NGFW-1 will send type 1 and type 4 LSAs.

C. NGFW-1 will send type 1 and type 5 LSAs.

D. NGFW-1 will send type 1 and type 3 LSAs. Most Voted

Correct Answer: D

Community vote distribution

D (86%) 14%

Question #62 Topic 1

An administrator is configuring application control with FortiGate running in next-generation firewall (NGFW) policy-based mode.

Which two actions must the administrator take? (Choose two.)

A. Configure the action as quarantine, if an application requires feedback to prevent instability.

B. Configure central source network address translation (SNAT), if NAT is required.

C. Create an application control profile and apply the profile to a firewall policy.

D. Specify an SSLISSH inspection profile on a consolidated policy.

Correct Answer: CD

Community vote distribution

BD (67%) CD (33%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/16/ 1/2
4/3/25, 0:21 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 16 | ExamTopics

Question #63 Topic 1

Which statement about network processor (NP) offloading is true?

A. When NP acceleration is enabled, firewall sessions may not offload if proxy-based security profiles are included in the firewall policy.

Most Voted

B. You can disable the NP for each firewall policy using the command np-acceleration set to loose.

C. The FortiGate CPU offloads all firewall sessions that require FortiOS session helper to the network processing unit (NPU).

D. For UDP traffic, the FortiGate CPU offloads the first packet to identify it as fast-path traffic.

Correct Answer: A

Community vote distribution

A (100%)

Question #64 Topic 1

An administrator is configuring two FortiGate devices in an HA cluster. While configuring the devices, the administrator issues the following

commands on both HA cluster members:

config system ha

set link-failed-signal enable

In which two ways do these commands impact the HA cluster? (Choose two.)

A. They force the switches to update their MAC forwarding tables, when failover happens. Most Voted

B. They force the former primary to send gratuitous ARP packets when the failover happens to indicate that the virtual MAC address is now

using a different device.

C. They force both HA devices for remote link monitoring to detect an issue in the forwarding path.

D. They force the former primary to shut down all its interfaces for one second when failover happens, excluding the heartbeat and reserved

management interfaces. Most Voted

Correct Answer: AD

Community vote distribution

AD (86%) 14%

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 16 out of 19 pages.

Viewing questions 61-64 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/16/ 2/2
4/3/25, 0:21 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 17 | ExamTopics

Question #65 Topic 1

Refer to the exhibits.

Network topology -

Output from the command config system ha

A network diagram and the output from the command config system ha are shown.

The administrator has configured the cluster with the commands shown in the exhibit.

Why is the HA cluster not forming?

A. The administrator must reconfigure the monitor interface.

B. The administrator must reconfigure the cluster in active-active mode.

C. The administrator must reconfigure the cluster in FGSP mode.

D. The administrator must reconfigure the heartbeat interface.

Correct Answer: D

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/17/ 1/3
4/3/25, 0:21 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 17 | ExamTopics

Question #66 Topic 1

How would fec-ingress and fec-egress IPsec configuration affect an IPsec tunnel?

A. FortiGate will consider all IKEv2 packets as fragmentable.

B. When an FGSP member in FortiGate fails, FortiGate flushes the corresponding tunnels and sends out dead peer detection probes to find

unavailable remote peers.

C. If fragmentation occurs, FortiGate will allow the packets at the IKE layer.

D. FortiGate will add additional redundant information to reconstruct any lost or erratically received packets.

Correct Answer: D

Community vote distribution

D (100%)

Question #67 Topic 1

You want to know which content processor (CP) model FortiGate contains.

Which command should you enter?

A. get hardware status Most Voted

B. diagnose hardware deviceinfo

C. get hardware cp

D. diagnose hardware lspci | grep 4e36

Correct Answer: A

Community vote distribution

A (100%)

Question #68 Topic 1

An administrator must optimize the performance of real-time voice and video applications across a WAN link with high packet loss.

Which combination of IPSec phase 1 parameters must the administrator configure to reduce errors and boost application reliability?

A. fec-ingress and fsc-egrsss Most Voted

B. dpd and dpd-retryinterval

C. fragmentation and fragmentation-mtu

D. keepalive and keylive

Correct Answer: A

Community vote distribution

A (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/17/ 2/3
4/3/25, 0:21 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 17 | ExamTopics

Viewing page 17 out of 19 pages.

Viewing questions 65-68 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/17/ 3/3
4/3/25, 0:22 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 18 | ExamTopics

Question #69 Topic 1

An administrator must improve the resiliency of a link by minimizing data loss within the enterprise network that has full path redundancy.

What should the administrator enable on the FortiGate devices that use BGP as dynamic routing protocol between two separate autonomous

systems? (Choose two.)

A. graceful-restart Most Voted

B. ibgp-multipath

C. bfd Most Voted

D. route-reflector-client

Correct Answer: AC

Community vote distribution

AC (100%)

Question #70 Topic 1

While configuring the BGP protocol, an administrator applies the set network-import-check disable command under config network.

What will FortiGate do as a result of this command?

A. FortiGate will advertise only the corresponding prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table.

Most Voted

B. FortiGate will advertise all the prefixes in the BGP network table to its BGP neighbor, even if it is not in the routing table.

C. FortiGate will not advertise any imported routes received from one BGP neighbor to another.

D. FortiGate will not advertise the prefixes, if it is not in the routing table.

Correct Answer: A

Community vote distribution

A (67%) B (33%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/18/ 1/3
4/3/25, 0:22 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 18 | ExamTopics

Question #71 Topic 1

Which statement about meta fields is true?

A. Meta fields must be set to required.

B. Meta field changes are applied only at the ADOM level.

C. Meta fields are useful for creating multiple objects with the same logical name but different values. Most Voted

D. Meta fields can be used as variables in scripts or provisioning templates.

Correct Answer: C

Community vote distribution

C (100%)

Question #72 Topic 1

Refer to the exhibit, which shows an ADVPN network.

ADVPN Network topology -

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.

What must the administrator configure in the phase 1 VPN IPSEC configuration of the Hub2Hub tunnels?

A. set auto-discovery-receiver enable

B. set auto-discovery-sender enable

C. set auto-discovery-forwarder enable Most Voted

D. set add-route enable

Correct Answer: C

Community vote distribution

C (100%)

 Previous Questions Next Questions 

Browse atleast 50% to increase passing rate

Viewing page 18 out of 19 pages.

Viewing questions 69-72 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/18/ 2/3
4/3/25, 0:22 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 18 | ExamTopics

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/18/ 3/3
4/3/25, 0:23 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 19 | ExamTopics

Question #73 Topic 1

Refer to the exhibit, which shows information about an OSPF interface of hub router NGFW-1.

How would you change the interface state of NGFW.1 to a Designated router, if the spoke routers have the default OSPF parameters?

A. Change the network type to point-to-multipoint

B. Change the router ID to 0.0.0.65.

C. Change the router ID to 0.0.0.95

D. Change the router priority to 200. Most Voted

Correct Answer: D

Community vote distribution

D (100%)

Question #74 Topic 1

An administrator configured the following command on FortiGate.

config router ospf

set restart-mode graceful-restart

Which two statements correctly describe the result of the above command? (Choose two.)

A. In an HA cluster, FortiGate devices will keep the OSPF routes in their routing table to avoid traffic interruption during an HA failover.

Most Voted

B. The OSPF neighbor that receives the grace link-state advertisement (LSA) will enter into helper mode. Most Voted

C. After the default 40 seconds wait time, the OSPF neighbors will resume communication with the restarting router.

D. FortiGate is configured with graceful restart, and will exit graceful mode, if the network topology changes.

Correct Answer: AB

Community vote distribution

AB (100%)

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/19/ 1/2
4/3/25, 0:23 NSE7_EFW-7.2 Exam - Free Actual Q&As, Page 19 | ExamTopics

Question #75 Topic 1

Refer to the exhibit, which shows an SSL certification inspection configuration.

SSL certification inspection configuration

While testing, the administrator updated the ssl-ssh-profile configuration with the command set sni-server-cert-check strict.

The administrator found that the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative

names (SAN) in the server certificate.

With respect to the set sni-server-cert-check strict command, which action does FortiGate take?

A. FortiGate uses the first entry listed in the SAN field in the server certificate.

B. FortiGate closes the connection because this represents an invalid SSL/TLS header. Most Voted

C. FortiGate uses the CN information from the Subject field in the server certificate.

D. FortiGate uses the SNI from the user’s web browser.

Correct Answer: B

Community vote distribution

B (100%)

Question #76 Topic 1

Which two statements about IKE version 2 fragmentation are true? (Choose two.)

A. IKEv2 fragmentation is performed at IP layer.

B. The reassembly timeout default value is 30 seconds.

C. Only some IKE version 2 packets are considered fragmentable. Most Voted

D. The maximum number of IKE version 2 fragments are 64. Most Voted

Correct Answer: CD

Community vote distribution

CD (100%)

Browse atleast 50% to increase passing rate

 Previous Questions

Viewing page 19 out of 19 pages.

Viewing questions 73-76 out of 76 questions

https://www.examtopics.com/exams/fortinet/nse7-efw-7-2/view/19/ 2/2