Exam NSE7 topic 1 question 1 discussion

Actual exam question from Fortinet's NSE7
Question #: 1
Topic #: 1

Examine the IPsec configuration shown in the exhibit; then answer the question below.

An administrator wants to monitor the VPN by enabling the IKE real time debug using these commands:
diagnose vpn ike log-filter src-addr4 10.0.10.1
diagnose debug application ike -1
diagnose debug enable
The VPN is currently up, there is no traffic crossing the tunnel and DPD packets are being interchanged between both IPsec gateways. However, the IKE real time debug does NOT show any output. Why isn't there any output?

  • A. The IKE real time shows the phases 1 and 2 negotiations only. It does not show any more output once the tunnel is up.
  • B. The log-filter setting is set incorrectly. The VPN's traffic does not match this filter.
  • C. The IKE real time debug shows the phase 1 negotiation only. For information after that, the administrator must use the IPsec real time debug instead: diagnose debug application ipsec -1.
  • D. The IKE real time debug shows error messages only. If it does not provide any output, it indicates that the tunnel is operating normally.
Suggested Answer: B

Comments

dsticht
1 year, 6 months ago
The questions on this are almost completely absent from the current NSE7 test being given. Fortinet's own training doesn't cover the material. Heavy focus on ADVPN/Community VPN, OSPF/BGP and central management.
upvoted 1 times
...
Power_Shell
1 year, 6 months ago
Tested in my lab, this is A
upvoted 1 times
...
akukaracia
2 years, 2 months ago
A correct dst-addr4 usually is used because if you have one phase1-int with many phase2, you will get a lot of spam in the output, but it is a good filter for p2p connection. In this case "Remote" is just a name, it is a "local" device and it has the correct IP for the src filter.
upvoted 2 times
...
ni
2 years, 11 months ago
B correct
upvoted 2 times
...
FortiSherlock
3 years, 8 months ago
I also say it is probably B) according to 6.4 Study Guide p435. dst-addr4 is used in combination with the remote gateway to filter. If we use the src-addr4 option, we should use the local value instead.
upvoted 2 times
...
simobell
3 years, 8 months ago
B correct.
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other