Fortinet NSE8_812 Practice Test - Questions Answers, Page 3

Refer to the exhibits.

A customer wants to deploy 12 FortiAP 431F devices in a high-density conference center, but they do not currently have any PoE switches to connect them to. They want to be able to run them at full power while having network redundancy.

From the FortiSwitch models and sample retail prices shown in the exhibit, which bill of materials would have the lowest cost while fulfilling the customer's requirements?

A. 1x FortiSwitch 248EFPOE
B. 2x FortiSwitch 224E-POE
C. 2x FortiSwitch 248E-FPOE
D. 2x FortiSwitch 124E-FPOE
Suggested answer: C

Explanation:

The customer wants to deploy 12 FortiAP 431F devices in a high-density conference center but has no PoE switches to connect them to, and wants to run the APs at full power with network redundancy. PoE switches deliver both data and power to connected devices over Ethernet cables, eliminating the need for separate power adapters or outlets; they are useful for deploying wireless access points, IP cameras and VoIP phones in locations where power outlets are scarce or inconvenient.

The FortiAP 431F supports the PoE+ (IEEE 802.3at) standard, which can deliver up to 30W of power per port, and has a maximum power consumption of 25W when running at full power. Running 12 FortiAP 431F devices at full power therefore requires PoE switches with a total PoE power budget of at least 300W (25W x 12). Network redundancy additionally requires at least two PoE switches, so that the FortiAP devices stay connected if one switch fails or loses power.

From the FortiSwitch models and sample retail prices shown in the exhibit, the lowest-cost bill of materials that fulfils the customer's requirements is 2x FortiSwitch 248E-FPOE. The FortiSwitch 248E-FPOE is a PoE switch with 48 GE PoE+ ports and a total PoE power budget of 370W, plus 4x 10 GE SFP+ uplink ports for high-speed connectivity. Its sample retail price is $1,995, so two units cost $3,990, which is the lowest cost among the options that can meet the customer's requirements.

Option A is incorrect because the FortiSwitch 248EFPOE is a non-PoE switch with no PoE capability or power budget; it cannot provide power to the FortiAP devices over Ethernet cables. Option B is incorrect because the FortiSwitch 224E-POE is a PoE switch with only 24 GE PoE+ ports and a total PoE power budget of 185W, which is not enough ports or power to run 12 FortiAP devices at full power. Option D is incorrect because the FortiSwitch 124E-FPOE is likewise a PoE switch with only 24 GE PoE+ ports and a total PoE power budget of 185W, which cannot provide enough ports or power to run 12 FortiAP devices at full power.

Reference: https://www.fortinet.com/content/dam/fortinet/assets/datasheets/FortiSwitch_Secure_Access_Series.pdf

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiAP_400_Series.pdf

Refer to the exhibits.

A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.

Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)

A. FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.
B. Devices connected directly to ports 3 and 4 can perform 802.1X authentication.
C. Ports 3 and 4 can be part of different switch interfaces.
D. Client devices must have 802.1X authentication enabled.
Suggested answer: B, D

Explanation:

The customer wants to deploy a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E device. A hardware switch interface is an interface that combines multiple physical interfaces into one logical interface, allowing them to act as a single switch with one IP address and one set of security policies. The customer wants to use 802.1X authentication for this solution, which is a standard protocol for port-based network access control (PNAC) that authenticates clients based on their credentials before granting them access to network resources.

One condition that allows authentication of the client devices before an IP address is assigned is that devices connected directly to ports 3 and 4 can perform 802.1X authentication. Ports 3 and 4 are part of the hardware switch interface named "lan", which has the IP address 10.10.10.254/24 and an inbound SSL inspection profile named "ssl-inspection". The inbound SSL inspection profile lets the FortiGate device intercept and inspect SSL/TLS traffic from clients before forwarding it to servers, so that security policies and features such as antivirus, web filtering and application control can be applied. Before performing SSL inspection, however, the FortiGate device needs to authenticate the clients using 802.1X, which requires the clients to send their credentials (such as a username and password) to the FortiGate device over a secure EAP (Extensible Authentication Protocol) channel. The FortiGate device then verifies the credentials with an authentication server (such as RADIUS or LDAP) and grants or denies access based on the authentication result. Therefore, devices connected directly to ports 3 and 4 can perform 802.1X authentication before an IP address is assigned.

The other condition is that the client devices must have 802.1X authentication enabled. 802.1X authentication is a mutual process that requires both the client devices and the FortiGate device to support and enable it. The client devices must have 802.1X authentication enabled in their network settings, which allows them to initiate the authentication process when they connect to the hardware switch interface of the FortiGate device.

The client devices must also have 802.1X supplicant software installed, which is a program that runs on the client devices and handles the communication with the FortiGate device using EAP messages. They must also have a trusted certificate installed, which is used to verify the identity of the FortiGate device and establish a secure EAP channel. Therefore, client devices must have 802.1X authentication enabled before an IP address is assigned.

Reference:

https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/hardware-switchinterfaces

https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/802-1xauthentication

You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?

A. The configuration of the MTA Adapter Local Interface is different than on port1.
B. The MTA adapter is only available in the primary node.
C. The MTA adapter mode is only detection mode.
D. The configuration is different than on a standalone device.
Suggested answer: B

Explanation:

The MTA adapter feature on FortiSandbox allows FortiSandbox to act as a mail transfer agent (MTA) that can receive, inspect and forward email messages from external sources. It can be used to integrate FortiSandbox with third-party email security solutions that do not support direct integration with FortiSandbox, such as Microsoft Exchange Server or Cisco Email Security Appliance (ESA), and to add an additional layer of inspection and filtering before email messages are delivered to their final destination.

The MTA adapter feature can be enabled on FortiSandbox in an HA-Cluster, a configuration in which two FortiSandbox units synchronize their settings and data to provide high availability and load balancing for sandboxing services. The statement about this solution that is true is that the MTA adapter is only available in the primary node. Only one FortiSandbox unit in the HA-Cluster can act as an MTA and receive email messages from external sources, while the other unit acts as a backup node that can take over the MTA role if the primary node fails or loses connectivity. Consequently, external sources are configured to send email messages to a single IP address or FQDN for the FortiSandbox MTA: that of the primary node.

Reference:

https://docs.fortinet.com/document/fortisandbox/3.2.0/administration-guide/19662/mail-transferagent-mta

https://docs.fortinet.com/document/fortisandbox/3.2.0/administrationguide/19662/high-availability-ha

Refer to the exhibit showing the history logs from a FortiMail device.

Which FortiMail email security feature can an administrator enable to treat these emails as spam?

A. DKIM validation in a session profile
B. Sender domain validation in a session profile
C. Impersonation analysis in an antispam profile
D. Soft fail SPF validation in an antispam profile
Suggested answer: C

Explanation:

Impersonation analysis is a feature that detects emails that attempt to impersonate a trusted sender, such as a company executive or a well-known brand, by using spoofed or look-alike email addresses. This feature can help prevent phishing and business email compromise (BEC) attacks.

Impersonation analysis can be enabled in an antispam profile and applied to a firewall policy.

Reference: https://docs.fortinet.com/document/fortimail/6.4.0/administrationguide/103663/impersonation-analysis

Refer to the exhibits, which show a firewall policy configuration and a network topology.

An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages. Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?

A. FortiGate will fall back to the default Fortinet_CA_SSL certificate.
B. FortiGate will reject the connection since no certificate is defined.
C. FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection.
D. FortiGate will use the first certificate in the server-cert list—the abc.com certificate.
Suggested answer: A

Explanation:

When using inbound SSL inspection, FortiGate needs to present a certificate to the client that matches the requested domain name. If no matching certificate is found in the server-cert list, FortiGate falls back to the default Fortinet_CA_SSL certificate, which is self-signed and may trigger a warning in the client browser. Reference:

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection

Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.

The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.

Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)

A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Suggested answer: B, C

Explanation:

To enable application detection on plain-text traffic that has been decrypted by FortiADC, the administrator must perform two configuration tasks on CL-1:

• Enable SSL offloading in the firewall policy and select the SSL-Offload protocol options profile.

• Enable application control in the firewall policy and select the SSL-Offload-App-Detect application list.

Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/applicationdetection-on-ssl-offloaded-traffic

You are migrating the branches of a customer to FortiGate devices. They require independent routing tables on the LAN side of the network.

After reviewing the design, you notice the firewall will have many BGP sessions as you have two data centers (DC) and two ISPs per DC while each branch is using at least 10 internal segments.

Based on this scenario, what would you suggest as the more efficient solution, considering that in the future the number of internal segments, DCs or internet links per DC will increase?

A. No change in design is needed as even small FortiGate devices have a large memory capacity.
B. Acquire a FortiGate model with more capacity, considering the next 5 years' growth.
C. Implement network-id, neighbor-group and increase the advertisement-interval.
D. Redesign the SD-WAN deployment to only use a single VPN tunnel and segment traffic using VRFs on BGP.
Suggested answer: D

Explanation:

Using multiple VPN tunnels and BGP sessions for each internal segment is neither scalable nor efficient, especially when the number of segments, DCs or internet links per DC increases. A better solution is to use a single VPN tunnel per branch and segment traffic using virtual routing and forwarding (VRF) instances on BGP. This way, each VRF can have its own routing table and BGP session while sharing the same VPN tunnel. Reference:

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103439/sd-wan-with-vrf-and-bgp

You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:

The devices and the administrator are all located in different time zones. Daylight saving time (DST) is disabled.

• The FortiGate is at GMT-10:00.

• The FortiAnalyzer is at GMT-08:00.

• Your browser's local time zone is GMT-03:00.

You want to review this log in the FortiAnalyzer GUI. What time should you use as a filter?

A. 20:37:08
B. 10:37:08
C. 17:37:08
D. 12:37:08
Suggested answer: C

Explanation:

To review this log in the FortiAnalyzer GUI, the administrator should use a time filter that matches the local time zone of FortiAnalyzer, which is GMT-08:00. Since the log was generated at 20:37 UTC (GMT+00:00), the corresponding time in GMT-08:00 is 20:37 - 8 hours = 12:37. However, since DST is disabled on FortiAnalyzer, the administrator should add one hour to account for the daylight saving time difference, giving 12:37 + 1 hour = 13:37. Therefore, the time filter to use is 13:37:08.

Reference: https://docs.fortinet.com/document/fortianalyzer/6.4.0/administrationguide/103664/time-zone-and-daylight-saving-time

A customer is planning on moving their secondary data center to a cloud-based IaaS. They want to place all the Oracle-based systems on Oracle Cloud, while the other systems will be on Microsoft Azure with an ExpressRoute service to their main data center.

They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority.

Which two design options are true based on these requirements? (Choose two.)

A. Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.
B. Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.
C. Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.
D. Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge.
Suggested answer: B, D

Explanation:

To secure the traffic between Azure and the main data center, a FortiGate VM can be deployed in Azure and configured to use IPSEC over ExpressRoute, as traffic is not encrypted by Azure by default. This also allows the use of Fortinet security features such as antivirus, IPS, web filtering, and application control. To implement SD-WAN between Azure and the main data center, two ExpressRoute services are required to provide redundant paths and load balancing. A FortiGate device at the data center edge can be configured to use SD-WAN rules to select the best path based on performance, availability, and cost.

Reference:

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103440/ipsec-vpn-betweenfortigate-and-azure

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103441/sd-wanbetween-fortigate-and-azure

Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1).

Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?

A. FAC2 can only process requests when FAC1 fails.
B. FAC2 can have its HA interface on a different network than FAC1.
C. The FortiToken license will need to be installed on FAC2.
D. FSSO sessions from FAC1 will be synchronized to FAC2.
Suggested answer: D

Explanation:

When FortiAuthenticator operates in cluster mode, it provides active-passive failover and synchronization of all configuration and data, including FSSO sessions, between the cluster members. Therefore, if FAC1 is the active unit and FAC2 is the standby unit, any FSSO sessions from FAC1 will be synchronized to FAC2. If FAC1 fails, FAC2 will take over the active role and continue to process the FSSO sessions.

Reference:

https://docs.fortinet.com/document/fortiauthenticator/6.1.2/administration-guide/122076/highavailability
