Refer to the exhibit. A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains & TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.What are the two reasons for this behavior? (Choose two.)

Configuration for TPM is not synchronized between FortiGate HA cluster members.

The administrator needs to manually enter the hex private data encryption key in FortiManager.

The private-data-encryption key entered on the primary did not match the value that the TPM expected.

Configuration for TPM is not synchronized between FortiGate HA cluster members.

The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.

TPM functionality is not yet compatible with FortiGate HA.

The administrator needs to manually enter the hex private data encryption key in FortiManager.

Refer to the exhibits. The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must forward it to the third-party service, which will send the email back to FortiMail for final delivery, FortiMail must not scan the e-mail again.Which three configuration tasks must be performed to meet these requirements? (Choose three.)

Change the scan order in FML-GW to antispam-sandbox-content.

Apply the Catch-Ail profile to the CFInbound profile and configure a content action profile to deliver to the srv. thirdparty. com FQDN

Create an IP policy with a Source value of 100. 64 .0.72/32, enable precedence, and place the policy at the top of the list.

Change the scan order in FML-GW to antispam-sandbox-content.

Apply the Catch-Ail profile to the CFInbound profile and configure a content action profile to deliver to the srv. thirdparty. com FQDN

Create an access receive rule with a Sender value of srv. thirdparcy.com, Recipient value of *@acme.com, and action value of Safe

Apply the Catch-AII profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.

Create an IP policy with a Source value of 100. 64 .0.72/32, enable precedence, and place the policy at the top of the list.

Refer to the exhibit showing a FortiSOAR playbook. You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.What should be your next step?

Go to the Incident Response tasks dashboard and run the pending actions

Click on the notification icon on FortiSOAR GUI and run the pending input action

Run the Mark Drive by Download playbook action

Reply to the e-mail with the requested Playbook action

Review the following FortiGate-6000 configuration excerpt: Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?

It statically distributes SNAT source ports to operating FPCs or FPMs

It dynamically distributes SNAT source ports to operating FPCs or FPMs.

It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.

It statically distributes SNAT source ports to operating FPCs or FPMs

It equally distributes SNAT source ports across chassis slots.

Refer to the exhibit. You have been tasked with replacing the managed switch Forti Switch 2 shown in the topology.Which two actions are correct regarding the replacement process? (Choose two.)

After replacing the FortiSwitch unit, the automatically created trunk name does not change

CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate

After replacing the FortiSwitch unit, the automatically created trunk name does not change

CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate

After replacing the FortiSwitch unit, the automatically created trunk name changes.

MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

Create an HA setup with a second FortiDDoS 200F

Move the internet connection from the SFP interfaces to the LC interfaces

Refer to the exhibit. The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.Referring to the exhibit, which two actions will fix these errors? (Choose two.)

Export and import the FortiClient EMS server certificate to the root FortiGate.

Authorize the root FortiGate on the FortiClient EMS

Verify that the CRL is accessible from the root FortiGate

Export and import the FortiClient EMS server certificate to the root FortiGate.

Install a new known CA on the Win2K16-EMS server.

Authorize the root FortiGate on the FortiClient EMS

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.Part of the FortiGate configuration is shown below: Based on this configuration, which two statements are true? (Choose two.)

OCSP checks will always go to the configured FortiAuthenticator

The OCSP check of the certificate can be combined with a certificate revocation list.

OCSP checks will always go to the configured FortiAuthenticator

The OCSP check of the certificate can be combined with a certificate revocation list.

OCSP certificate responses are never cached by the FortiGate.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Refer to the exhibit. To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with configuring the FortiGate devices to support injecting of IKE routes on the ADVPN shortcut tunnels.Which three commands must be added or changed to the FortiGate spoke config vpn ipsec phasei-interface options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)

set mode-cfg-allow-client-selector enable

Refer to the exhibit. A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)

A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority

You can only deploy initial installations to Windows clients.

If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.

A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority

You can only deploy initial installations to Windows clients.

You must use Standard or Enterprise SQL Server rather than the included SQL Server Express

The Windows clients only require 'File and Printer Sharing0 allowed and the rest is handled by Active Directory group policy

Refer to the exhibit showing FortiGate configurations FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.What change will correct HA functionality in this scenario?

Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.

Make the monitored IP to match on both FortiManager devices.

Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.

Change the priority of FMG-A to be numerically lower for higher preference

A remote IT Team is in the process of deploying a FortiGate in their lab. The closed environment has been configured to support zero-touch provisioning from the FortiManager, on the same network, via DHCP options. After waiting 15 minutes, they are reporting that the FortiGate received an IP address, but the zero-touch process failed.The exhibit below shows what the IT Team provided while troubleshooting this issue: Which statement explains why the FortiGate did not install its configuration from the FortiManager?

The configuration was modified on the FortiGate prior to connecting to the FortiManager

The FortiGate was not configured with the correct pre-shared key to connect to the FortiManager

The DHCP server was not configured with the FQDN of the FortiManager

The DHCP server used the incorrect option type for the FortiManager IP address.

The configuration was modified on the FortiGate prior to connecting to the FortiManager

Refer to the exhibit. A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.How will the sessions be load balanced between server 1 and server 2 during normal operation?

Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions

Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions

Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions

Server 1 will receive 33.3% of the sessions, Server 2 will receive 66 6% of the sessions

Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions

Refer to the exhibit, which shows a VPN topology. The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?

Spoke1 will establish an ADVPN shortcut to Spoke2

All the session traffic will pass through the Hub

The TCP port 21 must be allowed on the NAT Device2

ADVPN is not supported when spokes are behind NAT

Spoke1 will establish an ADVPN shortcut to Spoke2

You are creating the CLI script to be used on a new SD-WAN deployment You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.The current configuration is: Which configuration do you use for the Performance SLA members?

current configuration already fulfills the requirement

You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)

disable on the ISL and FortiLink trunks

enable on the ISL and FortiLink trunks

Refer to the exhibit. Given the exhibit, which two statements about FortiGate FGSP HA cluster behavior are correct? (Choose two.)

You can run FortiGate Virtual Router Redundancy Protocol (VRRP) high availability in addition to FGSP simultaneously.

Session synchronization occurs over Layer 3 by default, and if unavailable it will then try Layer 2.

You can run FortiGate Virtual Router Redundancy Protocol (VRRP) high availability in addition to FGSP simultaneously.

Session synchronization occurs over Layer 3 by default, and if unavailable it will then try Layer 2.

You can selectively synchronize only specific sessions between FGSP cluster members.

Cluster members will upgrade one at a time and failover during firmware upgrades.

Refer to the exhibit showing a FortiView monitor screen. After a Secure SD-WAN implementation a customer reports that in FortiAnalyzer under FortiView Secure SD-WAN Monitor there is No Device for selection.What can cause this issue?

Upload option from FortiGate to FortiAnalyzer is not set as a real time.

Extended logging is not enabled on FortiGate.

ADOM 1 is set as a Fabric ADOM.

sla-fail-log-period and sla-pass-log-period on FortiGate health check is not set.

Refer to the exhibit. You are managing a FortiSwitch 3032E that is managed by FortiLink on a FortiGate 3960E. The 3032E is heavily utilized and there is only one port free.The requirement is to add an additional three FortiSwitch 448E devices with 10Gbps SFP+ connectivity directly to the 3032E. The plan is to use split port (phy-mode) with QSFP28 mode to connect the new 448E switches.In this scenario, which statement about the switch deployment is correct?

The port most of Switch 1 must be changed to QSFP.

Additional ports on Switch 1 can be split for a maximum of 128 interfaces.

The port most of Switch 1 must be changed to QSFP.

After enabling split ports and rebooting Switch 1, the new ports can be configured from the FortiGate.

Switches 2-4 will connect successfully with Switch 1 split port in QSFP28 mode.

A customer has FortiAP devices in three branch offices managed from a FortiGate in the HQ. Each FortiAP is connected to a dedicated management VLAN.The customer wants the users connected to the FortiAP SSIDs to use the branch local internet connection, but each branch uses a different VLAN ID for the bridge. HQ users travel to different branches and connect to the same SSID.Which configuration option will solve this requirement?

Set a FortiAuthenticator for 802.1x authentication with the Tunnel-Type attribute set to VLAN and use set dynamic-vlan enable on the VAP configuration.

Set each FortiAP to a wtp-group and use set vlan-pooling wtp-group on the VAP configuration with the corresponding VLAN ID configuration for each group.

Set a FortiAuthenticator for 802.1x authentication with the Tunnel-Type attribute set to VLAN and use set dynamic-vlan enable on the VAP configuration.

Use set vlan-pooling round-robin on the VAP configuration with the corresponding vlan-pool.

Use set vlan-pooling hash on the VAP configuration with the corresponding vlan-pool.

Refer to The exhibit showing a FortiEDR configuration. Based on the exhibit, which statement is correct?

If an unresolved file rule is triggered, by default the file is logged but not blocked.

The presence of a cryptolocker malware at rest on the filesystem will be detected by the Ransomware Prevention security policy.

FortiEDR Collector will not collect OS Metadata.

If a malicious file is executed and attempts to establish a connection it will generate duplicate events.

If an unresolved file rule is triggered, by default the file is logged but not blocked.

You are performing a packet capture on a FortiGate 2600F with the hyperscale licensing installed. You need to display on screen all egress/ingress packets from the port16 interface that have been offloaded to the NP7.Which three commands need to be run? (Choose three.)

diagnose npu sniffer filter intf port16

diagnose npu sniffer filter dir 2

diagnose npu sniffer filter intf port16

diagnose npu sniffer filter selector 0

diagnose npu sniffer filter dir 2

Refer to the exhibits. The exhibits show the configuration and debug output from a FortiGate Public SDN Connector.What is a possible reason for this dynamic address object to be empty?

The App registration does not have a role with necessary read permissions on the resource group.

The Application ID is incorrect.

The Client secret is incorrect.

The App registration does not have a role with necessary read permissions on the resource group.

The resource group NSE8-Lab does not exist.

You deployed a fully loaded FG-7121F in the data center and enabled sslvpn-load-balance. Based on the behavior of this feature which statement is correct?

You can use src-ip or dst-ip-dport on dp-load-distribution-method to make SSL VPN load balancing work as expected.

If an FPM goes down, SSL VPN IP pool IP addresses will be re-allocated to the remaining FPMs.

To have better traffic distribution you should use IP pools that increment in multiples of 12.

Enabling SSL VPN load balancing will clear the session table.

A customer is operating a FortiWeb cluster in a high volume active-active HA group consisting of eight FortiWeb appliances. One of the secondary members is handling traffic for one specific VIP.What will happen with the traffic if that secondary FortiWeb appliance fails?

Traffic will be redirected to the next appliance in the same traffic group.

Traffic will be redistributed by the primary appliance to the remaining secondary appliances.

Traffic will be redistributed by the primary appliance to the remaining secondary appliances that are configured to handle traffic for that specific VIP.

Traffic will be redirected to the secondary member with the least number of sessions.

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the OCSP server.Part of the FortiGate configuration is shown below: Based on this configuration, which authentication scenario will FortiGate deny?

FortiAuthenticator responds to an OCSP request that the user certificate authority is untrusted.

The user certificate does not contain the OCSP URL.

FortiAuthenticator responds to an OCSP request that the user certificate authority is untrusted.

FortiAuthenticator responds to an OCSP request that the user certificate status is unknown.

An administrator discovers that CPU utilization of a FortiGate-200F is high and determines that no traffic is being accelerated by hardware.Why is no traffic being accelerated by hardware?

check-protocol-header is set to strict in the global config.

Oper-session-accounting is enabled under np6xlite config.

strict-dirty-session-check is enabled in global config.

check-protocol-header is set to strict in the global config.

delay-tcp-npu-session is enabled under the firewall policy.

A customer would like to improve the performance of a FortiGate VM running in an Azure D4s_v3 instance, but they already purchased a BYOL VM04 license.Which two actions will improve performance the most without making a FortiGate license change? (Choose two.)

Migrate the FortiGate to an Azure F4s_v2.

Enable 'Accelerated networking' on the Azure network interfaces.

Migrate the FortiGate to an Azure F4s_v2.

Enable 'Accelerated networking' on the Azure network interfaces.

Enable SR-IOV on the FortiGate.

Migrate the FortiGate to an Azure D8s_v3.

Refer to the exhibit. An HTTPS access proxy is configured to demonstrate its function as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context, before granting access to the protected source. It is assumed that the FortiGate EMS fabric connector has already been successfully connected.You need to ensure that ZTNA access through the FortiGate will redirect users to the FortiAuthenticator to perform username/password and multifactor authentication to validate access prior to accessing resources behind the FortiGate.In this scenario, which two further steps need to be taken on the FortiGate? (Choose two.)

Create a SAML user/server object referring to the FortiAuthenticator.

Create an authentication scheme with the 'method' as SAML.

Create a SAML user/server object referring to the FortiAuthenticator.

Create an authentication rule that sets the sso-auth-method to the FortiAuthenticator.

Create an authentication scheme with the 'method' as SAML.

Create a firewall rule that allows access from the remote endpoint to the resources behind the FortiGate.

Refer to the exhibits. You are configuring a Let's Encrypt certificate to enable SSL protection to your website. When FortiWeb tries to retrieve the certificate, you receive a certificate status failed, as shown below. Based on the Server Policy settings shown in the exhibit, which two configuration changes will resolve this issue? (Choose two.)

Disable Redirect HTTP to HTTPS in the Server Policy.

Remove the Web Protection Profile from this Server Policy.

Disable Redirect HTTP to HTTPS in the Server Policy.

Remove the Web Protection Profile from this Server Policy.

Enable HTTP service in the Server Policy.

Configure a TXT record of the domain and point to the IP address of the Virtual Server.

Refer to the exhibit that shows VPN debugging output. The VPN tunnel between headquarters and the branch office is not being established.What is causing the problem?

The Phase-1 encryption algorithms are not matching.

There is no matching Diffie-Hellman Group.

HQ is using IKE v1 and the branch office is using with IKE v2.

There is a mismatch in the ISAKMP SA lifetime.

Fortinet NSE8_812 Practice Test 2 - Free Online Exam Prep & Questions

Question 1 / 40

A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup. The following API call is being made with the 'curl' utility:

Fortinet NSE8_812 image Question 11 63877670141628566235946

Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API? (Choose two.)

Only users with the 'Full permission' role can access the REST API

This API call will fail because it requires that API version 2

If the REST API web service access key is lost, it cannot be retrieved and must be changed.

The syntax is incorrect because the API calls needs the get method.

Comment (0)

Fortinet NSE8_812 Practice Test 2

Question

Fortinet NSE8_812 Practice Tests

Practice Tests