Special Summer Sale Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

Fortinet NSE8_812 Dumps

Page: 1 / 11
Total 105 questions

Network Security Expert 8 Written Exam Questions and Answers

Question 1

Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

as

• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)

• Public IP address (129.11.1.100) is assigned to portl

• Datacenter.acmecorp.com resolves to the public IP address assigned to portl

The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.

Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?

A)

as

B)

as

C)

as

D)

as

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 2

A customer has FortiAP devices in three branch offices managed from a FortiGate in the HQ. Each FortiAP is connected to a dedicated management VLAN.

The customer wants the users connected to the FortiAP SSIDs to use the branch local internet connection, but each branch uses a different VLAN ID for the bridge. HQ users travel to different branches and connect to the same SSID.

Which configuration option will solve this requirement?

Options:

A.

Set each FortiAP to a wtp-group and use set vlan-pooling wtp-group on the VAP configuration with the corresponding VLAN ID configuration for each group.

B.

Set a FortiAuthenticator for 802.1x authentication with the Tunnel-Type attribute set to VLAN and use set dynamic-vlan enable on the VAP configuration.

C.

Use set vlan-pooling round-robin on the VAP configuration with the corresponding vlan-pool.

D.

Use set vlan-pooling hash on the VAP configuration with the corresponding vlan-pool.

Question 3

Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

Options:

A.

The FortiGuard VOS can be used only with proxy-base policy inspections.

B.

If third-party AV database returns a match the scanned file is deemed to be malicious.

C.

The antivirus database queries FortiGuard with the hash of a scanned file

D.

The AV engine scan must be enabled to use the FortiGuard VOS feature

E.

The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.

Question 4

You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:

as

Given the information shown in the output, which two statements are true? (Choose two.)

Options:

A.

Enabling bandwidth control between the ISF and the NP will change the output

B.

The output is showing a packet descriptor queue accumulated counter

C.

Enable HPE shaper for the NP6 will change the output

D.

Host-shortcut mode is enabled.

E.

There are packet drops at the XAUI.

Question 5

Which feature must you enable on the BGP neighbors to accomplish this goal?

Options:

A.

Graceful-restart

B.

Deterministic-med

C.

Synchronization

D.

Soft-reconfiguration

Question 6

You are migrating the branches of a customer to FortiGate devices. They require independent routing tables on the LAN side of the network.

After reviewing the design, you notice the firewall will have many BGP sessions as you have two data centers (DC) and two ISPs per DC while each branch is using at least 10 internal segments.

Based on this scenario, what would you suggest as the more efficient solution, considering that in the future the number of internal segments, DCs or internet links per DC will increase?

Options:

A.

No change in design is needed as even small FortiGate devices have a large memory capacity.

B.

Acquire a FortiGate model with more capacity, considering the next 5 years growth.

C.

Implement network-id, neighbor-group and increase the advertisement-interval

D.

Redesign the SD-WAN deployment to only use a single VPN tunnel and segment traffic using VRFs on BGP

Question 7

Refer to the exhibit.

as

You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration:

as

FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?

Options:

A.

Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.

B.

Objects from the root FortiGate will only be synchronized to FGT__2.

C.

Objects from the root FortiGate will not be synchronized to any downstream FortiGate.

D.

Objects from the root FortiGate will only be synchronized to FGT_3.

Question 8

Refer to the exhibit.

as

You are operating an internal network with multiple OSPF routers on the same LAN segment. FGT_3 needs to be added to the OSPF network and has the configuration shown in the exhibit. FGT_3 is not establishing any OSPF connection.

What needs to be changed to the configuration to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election?

A)

as

B)

as

C)

as

D)

as

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 9

What is the benefit of using FortiGate NAC LAN Segments?

Options:

A.

It provides support for multiple DHCP servers within the same VLAN.

B.

It provides physical isolation without changing the IP address of hosts.

C.

It provides support for IGMP snooping between hosts within the same VLAN

D.

It allows for assignment of dynamic address objects matching NAC policy.

Question 10

Review the VPN configuration shown in the exhibit.

as

What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?

Options:

A.

1 redundant packet for every 10 base packets

B.

3 redundant packet for every 5 base packets

C.

2 redundant packet for every 8 base packets

D.

3 redundant packet for every 9 base packets

Question 11

You deployed a fully loaded FG-7121F in the data center and enabled sslvpn-load-balance. Based on the behavior of this feature which statement is correct?

Options:

A.

You can use src-ip or dst-ip-dport on dp-load-distribution-method to make SSL VPN load balancing work as expected.

B.

If an FPM goes down, SSL VPN IP pool IP addresses will be re-allocated to the remaining FPMs.

C.

To have better traffic distribution you should use IP pools that increment in multiples of 12.

D.

Enabling SSL VPN load balancing will clear the session table.

Question 12

A FortiGate must be configured to accept VoIP traffic which will include session initiation protocol (SIP) traffic. Which statement about the VoIP configuration options is correct?

Options:

A.

Restricting SIP requests is only possible when using the SIP Session Helper.

B.

Rate tracking of SIP requests is only possible when the application layer gateway (ALG) is set to Flow mode.

C.

FortiOS cannot accept SIP traffic if both the SIP Session Helper and the application layer gateway (ALG) are disabled.

D.

By default, VoIP traffic will be processed using the SIP Session Helper.

Question 13

Refer to the exhibits.

as

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.

The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.

Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)

A)

as

B)

as

C)

as

D)

as

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 14

A customer would like to improve the performance of a FortiGate VM running in an Azure D4s_v3 instance, but they already purchased a BYOL VM04 license.

Which two actions will improve performance the most without making a FortiGate license change? (Choose two.)

Options:

A.

Migrate the FortiGate to an Azure F4s_v2.

B.

Enable "Accelerated networking" on the Azure network interfaces.

C.

Enable SR-IOV on the FortiGate.

D.

Migrate the FortiGate to an Azure D8s_v3.

Question 15

Refer to the exhibit showing a FortiSOAR playbook.

as

You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.

What should be your next step?

Options:

A.

Go to the Incident Response tasks dashboard and run the pending actions

B.

Click on the notification icon on FortiSOAR GUI and run the pending input action

C.

Run the Mark Drive by Download playbook action

D.

Reply to the e-mail with the requested Playbook action

Question 16

Refer to The exhibit, which shows a topology diagram.

as

A customer wants to use SD-WAN for traffic generated from the data center towards Branches. SD-WAN on HUB should follow the underlay condition on each Branch and the solution should be scalable for hundreds of Branches.

Which SD WAN-Rules strategy should be used?

Options:

A.

Manual based on route-tags

B.

Lowest Cost SLA

C.

Auto based on link quality

D.

Best Quality based on route-tags

Question 17

Refer to the exhibit.

as

A customer reports that they are not able to reach subnet 10.10.10.0/24 from their FortiGate device.

Based on the exhibit, what should you do to correct the situation?

Options:

A.

Enable iBGP multipath

B.

Enable recursive resolution for BGP routes

C.

Enable next-hop-self feature

D.

Enable additional-path feature

Question 18

Refer to the exhibit.

as

The Company Corp administrator has enabled Workflow mode in FortiManager and has assigned approval roles to the current administrators. However, workflow approval does not function as expected. The CTO is currently unable to approve submitted changes.

Given the exhibit, which two possible solutions will resolve the workflow approval problems with the Workflow_72 ADOM? (Choose two.)

Options:

A.

The CTO must have a defined email address for their admin user account.

B.

The CTO and CISO need to swap Approval Groups so that the highest authority is in Group #1.

C.

The CTO must have Standard access level or higher for FortiManager.

D.

The CISO must have a higher access level than "Read_Only_User" in FortiManager.

E.

The CTO needs to be added to "Email Notification" in the Workflow_72 ADOM.

Question 19

Refer to the exhibit.

as

You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.

You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.

How should the initial connection be made?

Options:

A.

Connect the switch on any interface between ports 21 to 24

B.

Connect the switch on any interface between ports 25 to 28

C.

Connect the switch on any interface between ports 1 to 4

D.

Connect the switch on any interface between ports 5 to 8.

Question 20

Which two types of interface have built-in active bypass in FortiDDoS devices? (Choose two.)

Options:

A.

SFP

B.

LC

C.

QSFP+

D.

Copper

E.

SFP+

Question 21

Refer to the exhibit.

as

A customer wants to automate the creation and configuration of FortiGate VM instances in a VMware vCenter environment using Terraform. They have the creation part working with the code shown in the exhibit.

Which code snippet will allow Terraform to automatically connect to a newly deployed FortiGate if its IP was dynamically assigned by VMware NSX-T?

Options:

A.

B.

C.

D.

Question 22

A FortiGate is configured to perform outbound firewall authentication with Azure AD as a SAML IdP.

What are two valid interactions that occur when the client attempts to access the internet? (Choose two.)

Options:

A.

FortiGate SP sends a SAML request to the IdP.

B.

The Microsoft SAML IdP sends the SAML response to the FortiGate SP.

C.

The client browser forwards the SAML response received from Microsoft SAML IdP to the FortiGate SP.

D.

FortiGate SP redirects the client browser to the local captive portal and then redirects to the Microsoft SAML IdP.

Question 23

You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is not a factor. Which adapter type for the NICs will you recommend?

Options:

A.

Native ESXi Networking with E1000

B.

Virtual Function (VF) PCI Passthrough

C.

Native ESXi Networking with VMXNET3

D.

Physical Function (PF) PCI Passthrough

Question 24

Refer to the exhibit.

as

A customer is trying to setup a Playbook automation using a FortiAnalyzer, FortiWeb and FortiGate. The intention is to have the FortiGate quarantine any source of SQL Injection detected by the FortiWeb. They got the automation stitch to trigger on the FortiGate when simulating an attack to their website, but the quarantine object was created with the IP 0.0.0.0. Referring to the configuration and logs in the exhibits, which two statements are true? (Choose two.)

Options:

A.

The Group By option in the handler should be different to src, so src can be used on the Playbook configuration.

B.

FortiSOC Playbooks combining FortiWeb and FortiGate are not supported.

C.

To diagnose this issue, you need to use the commanddiagnose test application oftpd 22.

D.

The FortiAnalyzer ADOM Type must be Fabric.

E.

To fix the issue the parameter for script on the Playbook configuration should be epip.

Question 25

Refer to the exhibits.

as

You are configuring a Let's Encrypt certificate to enable SSL protection to your website. When FortiWeb tries to retrieve the certificate, you receive a certificate status failed, as shown below.

as

Based on the Server Policy settings shown in the exhibit, which two configuration changes will resolve this issue? (Choose two.)

Options:

A.

Disable Redirect HTTP to HTTPS in the Server Policy.

B.

Remove the Web Protection Profile from this Server Policy.

C.

Enable HTTP service in the Server Policy.

D.

Configure a TXT record of the domain and point to the IP address of the Virtual Server.

Question 26

A FortiGate running FortiOS 7.2.0 GA is configured in multi-vdom mode with a vdom set to vdom type Admin and another vdom set to vdom type Traffic.

Which two GUI sections are available on both VDOM types? (Choose two.)

Options:

A.

Interface configuration

B.

Packet capture

C.

Security Fabric topology and external connectors

D.

Certificates

E.

FortiClient configuration

Question 27

Refer to the exhibit of a FortiNAC configuration.

as

In this scenario, which two statements are correct? (Choose two.)

Options:

A.

A device that is modeled in FortiNAC is connected on VLAN 4093.

B.

An unknown host is connected to port3.

C.

The IP address of the FortiSwitch is 10.12.240.2.

D.

Port8 is connected to a FortiGate in FortiLink mode.

Question 28

Review the Application Control log.

as

Which configuration caused the IPS engine to generate this log?

Options:

A.

B.

C.

D.

Question 29

Refer to the exhibit, which shows diagnostic output.

as

A customer reports that ICMP traffic flow from 192.168.1.11 to 93.190.134.171 is not corresponding to the SD-WAN setup.

What is the problem in this scenario?

Options:

A.

SD-WAN Rule is matching only DNS traffic.

B.

Port1 is used because it has more available bandwidth.

C.

Traffic is matched by policy route.

D.

Route for the destination IP is missing in the routing table.

Question 30

Refer to the exhibits, which show a topology and diagnostic commands.

as

Which two statements about the path resolution are true? (Choose two.)

Options:

A.

Latency is the quality criteria.

B.

wan1 is currently used as an outgoing interface.

C.

wan2 is currently used as an outgoing interface.

D.

Packet-loss is the quality criteria.

Question 31

Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)

Options:

A.

Report

B.

FTP

C.

API

D.

SCP

Page: 1 / 11
Total 105 questions