ExamGecko
Search Search Login
Home Home / Fortinet / NSE8_812

Fortinet NSE8_812 Practice Test - Questions Answers, Page 4

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

An HA topology is using the following configuration: Based on this configuration, how long will it take for a failover to be detected by the secondary cluster member?
Refer to the exhibit showing a firewall policy configuration. To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1. What change does the administrator need to make? A) B) C) D)
Refer to the exhibits. An administrator has configured a FortiGate and Forti Authenticator for two-factor authentication with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and authenticate but push notifications do not work Based on the information given in the exhibits, what must be done to fix this?
You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail What are two possible reasons for this problem? (Choose two.)
You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output: Given the information shown in the output, which two statements are true? (Choose two.)
You are creating the CLI script to be used on a new SD-WAN deployment You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch. The current configuration is: Which configuration do you use for the Performance SLA members?
Refer to the exhibits. The exhibits show a diagram of a requested topology and the base IPsec configuration. A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate. In this scenario, which feature should be implemented to achieve this requirement?
A customer is planning on moving their secondary data center to a cloud-based laaS. They want to place all the Oracle-based systems Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center. They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority. Which two design options are true based on these requirements? (Choose two.)
You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is not a factor. Which adapter type for the NICs will you recommend?
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high. You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work. What should you configure?

Question 31

Report
Export
Collapse

Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

A.
The FortiGuard VOS can be used only with proxy-base policy inspections.
A.
The FortiGuard VOS can be used only with proxy-base policy inspections.
Answers
B.
If third-party AV database returns a match the scanned file is deemed to be malicious.
B.
If third-party AV database returns a match the scanned file is deemed to be malicious.
Answers
C.
The antivirus database queries FortiGuard with the hash of a scanned file
C.
The antivirus database queries FortiGuard with the hash of a scanned file
Answers
D.
The AV engine scan must be enabled to use the FortiGuard VOS feature
D.
The AV engine scan must be enabled to use the FortiGuard VOS feature
Answers
E.
The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
E.
The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
Answers
Suggested answer: C, E

Explanation:

The FortiGuard Outbreak Prevention Service (VOS) is a feature that enhances the antivirus scanning capabilities of FortiGate by querying FortiGuard with the hash of a scanned file that is not found in the local antivirus database. If the hash matches a signature in the FortiGuard Global Threat Intelligence database, which contains information about known malware and zero-day threats, the file is deemed to be malicious and blocked by FortiGate. The VOS feature can be used with both proxy-based and flow-based policy inspections, and does not require the AV engine scan to be enabled. Reference:

https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/968606/outbreak-preventionservice

Question 32

Report
Export
Collapse

A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this traffic.

Which two statements are true regarding the requirements? (Choose two.)

A.
FortiGate can perform SSH access proxy host-key validation.
A.
FortiGate can perform SSH access proxy host-key validation.
Answers
B.
You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
B.
You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
Answers
C.
SSH traffic is tunneled between the client and the access proxy over HTTPS
C.
SSH traffic is tunneled between the client and the access proxy over HTTPS
Answers
D.
Traffic is discarded as ZTNA does not support SSH connection rules
D.
Traffic is discarded as ZTNA does not support SSH connection rules
Answers
Suggested answer: A, C

Explanation:

ZTNA supports SSH connection rules that allow remote workers to access SSH servers inside the network through an HTTPS tunnel between the client and the access proxy (FortiGate). The access proxy acts as an SSH client to connect to the real SSH server on behalf of the user, and performs hostkey validation to verify the identity of the server. The user can use any SSH client that supports HTTPS proxy settings, such as PuTTY or OpenSSH. Reference:

https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/899992/configuring-ztnarules-to-control-access

Question 33

Report
Export
Collapse

On a FortiGate Configured in Transparent mode, which configuration option allows you to control Multicast traffic passing through the?

A)

B)

C)

D)

A.
Option A
A.
Option A
Answers
B.
Option B
B.
Option B
Answers
C.
Option C
C.
Option C
Answers
D.
Option D
D.
Option D
Answers
Suggested answer: C

Explanation:

To control multicast traffic passing through a FortiGate configured in transparent mode, you can use multicast policies. Multicast policies allow you to filter multicast traffic based on source and destination addresses, protocols, and interfaces. You can also apply security profiles to scan multicast traffic for threats and violations. Reference:

https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/968606/configuring-multicastforwarding

Question 34

Report
Export
Collapse

Refer to the CLI configuration of an SSL inspection profile from a FortiGate device configured to protect a web server:

Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?

A.
FortiGate will reject all HTTP/2 ALPN headers.
A.
FortiGate will reject all HTTP/2 ALPN headers.
Answers
B.
FortiGate will strip the ALPN header and forward the traffic.
B.
FortiGate will strip the ALPN header and forward the traffic.
Answers
C.
FortiGate will rewrite the ALPN header to request HTTP/1.
C.
FortiGate will rewrite the ALPN header to request HTTP/1.
Answers
D.
FortiGate will forward the traffic without modifying the ALPN header.
D.
FortiGate will forward the traffic without modifying the ALPN header.
Answers
Suggested answer: B

Explanation:

When an HTTP/2 request comes in, FortiGate will strip the Application-Layer Protocol Negotiation (ALPN) header and forward the traffic as HTTP/1.1 to the real server. This is because FortiGate does not support HTTP/2 inspection, and therefore cannot process ALPN headers that indicate HTTP/2 support. Reference:

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssloffloaded-traffic

Question 35

Report
Export
Collapse

Refer to the exhibits.

The exhibits show a FortiGate network topology and the output of the status of high availability on the FortiGate.

Given this information, which statement is correct?

A.
The ethertype values of the HA packets are 0x8890, 0x8891, and 0x8892
A.
The ethertype values of the HA packets are 0x8890, 0x8891, and 0x8892
Answers
B.
The cluster mode can support a maximum of four (4) FortiGate VMs
B.
The cluster mode can support a maximum of four (4) FortiGate VMs
Answers
C.
The cluster members are on the same network and the IP addresses were statically assigned.
C.
The cluster members are on the same network and the IP addresses were statically assigned.
Answers
D.
FGVMEVLQOG33WM3D and FGVMEVGCJNHFYI4A share a virtual MAC address.
D.
FGVMEVLQOG33WM3D and FGVMEVGCJNHFYI4A share a virtual MAC address.
Answers
Suggested answer: D

Explanation:

The output of the status of high availability on the FortiGate shows that the cluster mode is activepassive, which means that only one FortiGate unit is active at a time, while the other unit is in standby mode. The active unit handles all traffic and also sends HA heartbeat packets to monitor the standby unit. The standby unit becomes active if it stops receiving heartbeat packets from the active unit, or if it receives a higher priority from another cluster unit. In active-passive mode, all cluster units share a virtual MAC address for each interface, which is used as the source MAC address for all packets forwarded by the cluster. Reference:

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103439/high-availability-with-twofortigates

Question 36

Report
Export
Collapse

Refer to the exhibit showing an SD-WAN configuration.

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?

A.
port16 and port1
A.
port16 and port1
Answers
B.
port1 and port1
B.
port1 and port1
Answers
C.
port16 and port15
C.
port16 and port15
Answers
D.
port1 and port15
D.
port1 and port15
Answers
Suggested answer: A

Explanation:

According to the exhibit, the SD-WAN configuration has two rules: one for traffic to 10.1.100.0/24 subnet, and one for traffic to 10.1.100.16/28 subnet. The first rule uses the best quality strategy, which selects the SD-WAN member with the best measured quality based on performance SLA metrics. The second rule uses the manual strategy, which specifies port1 as the SD-WAN member to select. Therefore, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, the outgoing interfaces will be port16 and port1 respectively, assuming that port16 has the best quality among the SD-WAN members. Reference:

https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/218559/configuring-the-sd-waninterface

Question 37

Report
Export
Collapse

A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.

Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

A.
Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.
A.
Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.
Answers
B.
Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters
B.
Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters
Answers
C.
Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
C.
Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
Answers
D.
Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster
D.
Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster
Answers
Suggested answer: A, D

Explanation:

To implement security for the traffic between two VPCs in AWS, while keeping separate management of each department's VPC, two possible actions are:

Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster. This option allows the cybersecurity department to manage the transit VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The VPC peering connections enable direct communication between the VPCs without using public IPs or gateways. The routing tables can be configured to direct all inter-VPC traffic to the transit VPC.

Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster. This option also allows the cybersecurity department to manage the security VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The Transit Gateway acts as a network hub that connects multiple VPCs and on-premises networks. The routing tables can be configured to direct all inter-VPC traffic to the security VPC. Reference:

https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administrationguide/ 506140/connecting-a-local-fortigate-to-an-aws-vpc-vpn

https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/sd-wan-architecture-forenterprise/ 166334/sd-wan-configuration

Question 38

Report
Export
Collapse

Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)

• Public IP address (129.11.1.100) is assigned to portl

• Datacenter.acmecorp.com resolves to the public IP address assigned to portl The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.

Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?

A)

B)

C)

D)

A.
Option A
A.
Option A
Answers
B.
Option B
B.
Option B
Answers
C.
Option C
C.
Option C
Answers
D.
Option D
D.
Option D
Answers
Suggested answer: C

Explanation:

To resolve the issue of failing to renew the Let's Encrypt certificate, the configuration change that is needed is to enable the HTTP-to-HTTPS redirect option in the SSL-VPN settings. This option allows the FortiGate to redirect HTTP requests to HTTPS port 443, which is required for Let's Encrypt to validate the domain ownership and issue a new certificate. By enabling this option, the FortiGate will be able to respond to the HTTP challenge from Let's Encrypt and renew the certificate successfully.

Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-sslinspection

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/applicationdetection-on-ssl-offloaded-traffic

Question 39

Report
Export
Collapse

Refer to the exhibit.

The exhibit shows the forensics analysis of an event detected by the FortiEDR core In this scenario, which statement is correct regarding the threat?

A.
This is an exfiltration attack and has been stopped by FortiEDR.
A.
This is an exfiltration attack and has been stopped by FortiEDR.
Answers
B.
This is an exfiltration attack and has not been stopped by FortiEDR
B.
This is an exfiltration attack and has not been stopped by FortiEDR
Answers
C.
This is a ransomware attack and has not been stopped by FortiEDR.
C.
This is a ransomware attack and has not been stopped by FortiEDR.
Answers
D.
This is a ransomware attack and has been stopped by FortiEDR
D.
This is a ransomware attack and has been stopped by FortiEDR
Answers
Suggested answer: D

Explanation:

The exhibit shows the forensics analysis of an event detected by the FortiEDR core. The event graph indicates that a process named svchost.exe was launched by a malicious file named 1.exe, which was downloaded from a suspicious URL. The process then attempted to encrypt files in various folders, such as Documents, Pictures, and Desktop, which are typical targets of ransomware attacks.

However, FortiEDR was able to stop the process and prevent any file encryption by applying its realtime post-execution prevention feature. Therefore, this is a ransomware attack and has been stopped by FortiEDR. Reference: https://docs.fortinet.com/document/fortiedr/6.0.0/administrationguide/ 733983/forensics https://www.fortinet.com/content/dam/fortinet/assets/datasheets/ fortiedr.pdf

Question 40

Report
Export
Collapse

An automation stitch was configured using an incoming webhook as the trigger named 'my_incoming_webhook'. The action is configured to execute the CLI Script shown:

A)

B)

C)

D)

A.
Option A
A.
Option A
Answers
B.
Option B
B.
Option B
Answers
C.
Option C
C.
Option C
Answers
D.
Option D
D.
Option D
Answers
Suggested answer: B

Explanation:

To execute the CLI script shown using an incoming webhook as the trigger, the correct syntax for the curl command is: curl -X POST -H "Content-Type: application/json" -d '{"trigger_name":"my_incoming_webhook"}' https://fortisoar.example.com/api/v1/trigger This command will send a POST request to the FortiSOAR API endpoint with the trigger name and the content type as JSON. The FortiSOAR API will then execute the automation stitch that matches the trigger name and run the CLI script on the FortiGate device. Reference:

https://docs.fortinet.com/document/fortisoar/7.0.0/administration-guide/103440/automationstitches

https://docs.fortinet.com/document/fortisoar/7.0.0/administrationguide/ 103441/incoming-webhook

Total 60 questions
Go to page: of 6
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms