
Fortinet NSE8_812 Practice Test - Questions Answers, Page 5

A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup.

The following API call is being made with the 'curl' utility:

Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API?

(Choose two.)

A. Only users with the "Full permission" role can access the REST API.
B. This API call will fail because it requires API version 2.
C. If the REST API web service access key is lost, it cannot be retrieved and must be changed.
D. The syntax is incorrect because the API call needs the GET method.

Suggested answer: B, D

Explanation:

To retrieve an SSO group called SalesGroup using the FortiAuthenticator REST API, the following issues need to be fixed in the API call:

The API version should be v2, not v1, as SSO groups are only supported in version 2 of the REST API.

The HTTP method should be GET, not POST, as GET is used to retrieve information from the server, while POST is used to create or update information on the server. Therefore, a correct API call would look like this:

curl -X GET -H "Authorization: Bearer <token>" https://fac.example.com/api/v2/sso/groups/SalesGroup

Reference:

https://docs.fortinet.com/document/fortiauthenticator/6.4.1/rest-api-solutionguide/927310/introduction

https://docs.fortinet.com/document/fortiauthenticator/6.4.1/rest-apisolution-guide/927311/sso-groups

Refer to the exhibit.

A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains a TPM chip.

The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.

Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.

What are the two reasons for this behavior? (Choose two.)

A. The private-data-encryption key entered on the primary did not match the value that the TPM expected.
B. Configuration for TPM is not synchronized between FortiGate HA cluster members.
C. The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.
D. TPM functionality is not yet compatible with FortiGate HA D The administrator needs to manually enter the hex private data encryption key in FortiManager

Suggested answer: A, B

Explanation:

The two reasons for the negative impact on the FortiGate HA status and FortiManager status after enabling TPM are:

The private-data-encryption key entered on the primary unit did not match the value that the TPM expected. This could happen if the TPM was previously enabled and then disabled, and the key was changed in between. The TPM will reject the new key and cause an error in the configuration synchronization.

Configuration for TPM is not synchronized between FortiGate HA cluster members. Each cluster member must have the same private-data-encryption key to form a valid HA cluster and synchronize their configurations. However, enabling TPM on one unit does not automatically enable it on the other units, and the key must be manually entered on each unit.

To resolve these issues, the administrator should disable TPM on all units, clear the TPM data, and then enable TPM again with the same private-data-encryption key on each unit.

Reference:

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection

https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssloffloaded-traffic

Refer to the exhibits.

The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.

You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.

All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the e-mail is clean, FortiMail must forward it to the third-party service, which will send the e-mail back to FortiMail for final delivery. FortiMail must not scan the e-mail again.

Which three configuration tasks must be performed to meet these requirements? (Choose three.)

A. Change the scan order in FML-GW to antispam-sandbox-content.
B. Apply the Catch-All profile to the CFInbound profile and configure a content action profile to deliver to the srv.thirdparty.com FQDN.
C. Create an access receive rule with a Sender value of srv.thirdparty.com, Recipient value of *@acme.com, and action value of Safe.
D. Apply the Catch-All profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.
E. Create an IP policy with a Source value of 100.64.0.72/32, enable precedence, and place the policy at the top of the list.

Suggested answer: B, C

Explanation:

To integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path, while ensuring that all inbound e-mails are scanned by FortiMail antispam and antivirus with FortiSandbox integration, and then forwarded to the third-party service and back to FortiMail for final delivery, the following configuration tasks must be performed:

Apply the Catch-All profile to the CFInbound profile and configure a content action profile to deliver to the srv.thirdparty.com FQDN. This will ensure that all inbound e-mails that pass the antispam and antivirus scanning are forwarded to the third-party service for further processing.

Create an access receive rule with a Sender value of srv.thirdparty.com, Recipient value of *@acme.com, and action value of Safe. This will ensure that all e-mails that are sent back from the third-party service to FortiMail are accepted without any further scanning or filtering.

Reference:

https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/921588/configuringcontent-profiles-and-content-action-profiles

https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/629994/configuringsession-profiles

Refer to the exhibit showing a FortiSOAR playbook.

You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.

What should be your next step?

A. Go to the Incident Response tasks dashboard and run the pending actions
B. Click on the notification icon on FortiSOAR GUI and run the pending input action
C. Run the Mark Drive by Download playbook action
D. Reply to the e-mail with the requested Playbook action

Suggested answer: B

Explanation:

To intervene in a suspicious e-mail alert on FortiSOAR, after reviewing the executed playbook, the next step is to click on the notification icon on FortiSOAR GUI and run the pending input action. The notification icon will show a badge with the number of pending input actions that require manual intervention from the user. The user can click on the notification icon and see a list of pending input actions, along with their details, such as playbook name, step name, record ID, and trigger time. The user can then click on the Run button to execute the pending input action and resume the playbook execution.

Reference:

https://docs.fortinet.com/document/fortisoar/7.0.0/administrationguide/103440/automation-stitches

https://docs.fortinet.com/document/fortisoar/7.0.0/administration-guide/103441/incomingwebhook

Review the following FortiGate-6000 configuration excerpt:

Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?

A. It dynamically distributes SNAT source ports to operating FPCs or FPMs.
B. It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.
C. It statically distributes SNAT source ports to operating FPCs or FPMs
D. It equally distributes SNAT source ports across chassis slots.

Suggested answer: C

Explanation:

Based on the configuration, the statement that is correct regarding SNAT source port partitioning behavior is that it statically distributes SNAT source ports to operating FPCs or FPMs. This is because the nat-source-port option is set to chassis-slots, which means that the FortiGate-6000 will allocate SNAT source ports to all FPCs or FPMs that are enabled when the command is entered. If an FPC or FPM is disabled from the CLI, the SNAT source ports assigned to that FPC or FPM will not be reallocated to the remaining FPCs or FPMs. This option preserves active sessions when an FPC or FPM goes down, but does not dynamically re-distribute SNAT source ports if an FPC or FPM is powered off.

Reference: https://docs.fortinet.com/document/fortigate/7.2.5/fortigate-6000-administrationguide/81276/controlling-snat-port-partitioning-behavior

Refer to the exhibit.

You have been tasked with replacing the managed switch FortiSwitch 2 shown in the topology.

Which two actions are correct regarding the replacement process? (Choose two.)

A. After replacing the FortiSwitch unit, the automatically created trunk name does not change
B. MCLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate
C. After replacing the FortiSwitch unit, the automatically created trunk name changes.
D. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.

Suggested answer: A, D

Explanation:

Based on the exhibit, the two correct actions regarding the replacement process are:

After replacing the FortiSwitch unit, the automatically created trunk name does not change. This is because the trunk name is based on the slot number and port number of the FortiGate unit that connects to the FortiSwitch unit, which remain the same after the replacement. If a different trunk name is desired, the trunk must be deleted and a new trunk will be created automatically with an updated name.

MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate. This is because the MCLAG-ICL configuration is stored on the FortiGate unit and applied to the FortiSwitch unit when it is authorized. The replacement FortiSwitch unit will inherit the MCLAG-ICL configuration of the failed FortiSwitch unit after it is replaced using the replace-device command in FortiOS.

Reference: https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-byfortios/173284/replacing-a-managed-fortiswitch-unit

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

A. Change the Adaptive Mode.
B. Create an HA setup with a second FortiDDoS 200F
C. Move the internet connection from the SFP interfaces to the LC interfaces
D. Replace with a FortiDDoS 1500F

Suggested answer: A, B

Explanation:

To prevent the situation where all the traffic was dropped by the FortiDDoS 200F even though there was no DoS attack, the following options can be considered:

Change the Adaptive Mode. The Adaptive Mode is a feature that allows the FortiDDoS 200F to automatically adjust its detection and prevention thresholds based on the traffic patterns and behavior. However, if the Adaptive Mode is not configured properly, it may cause false positives and drop legitimate traffic. Therefore, changing the Adaptive Mode settings or disabling it may help to avoid this situation.

Create an HA setup with a second FortiDDoS 200F. The HA setup is a feature that allows two FortiDDoS 200F devices to work together as a cluster and provide redundancy and load balancing. If one device fails or drops traffic, the other device can take over and continue to protect the network. Therefore, creating an HA setup with a second FortiDDoS 200F may help to avoid this situation.

Reference:

https://docs.fortinet.com/document/fortiddos-f/6.2.0/handbook/380639/understandingfortiddos-adaptive-mode

https://docs.fortinet.com/document/fortiddosf/6.2.0/handbook/380639/configuring-fortiddos-ha

Refer to the exhibit.

The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.

Referring to the exhibit, which two actions will fix these errors? (Choose two.)

A. Verify that the CRL is accessible from the root FortiGate
B. Export and import the FortiClient EMS server certificate to the root FortiGate.
C. Install a new known CA on the Win2K16-EMS server.
D. Authorize the root FortiGate on the FortiClient EMS

Suggested answer: B, D

Explanation:

Based on the exhibit, the two actions that will fix the errors when trying to configure a new connection to a FortiClient EMS server are:

Export and import the FortiClient EMS server certificate to the root FortiGate. This will resolve the error message that says "The server certificate is not trusted". The root FortiGate needs to have the FortiClient EMS server certificate in its trusted CA list in order to establish a secure connection with it. The administrator can export the server certificate from the FortiClient EMS web UI and import it to the root FortiGate using the CLI or GUI.

Authorize the root FortiGate on the FortiClient EMS. This will resolve the error message that says "The device is not authorized". The FortiClient EMS needs to have the root FortiGate in its authorized device list in order to allow it to connect and receive configuration information. The administrator can authorize the root FortiGate on the FortiClient EMS web UI by entering its serial number and IP address.

Reference:

https://docs.fortinet.com/document/fortigate/7.0.1/administrationguide/185333/forticlient-ems

https://docs.fortinet.com/document/forticlient/6.0.3/administrationguide/936332/fortigate-and-ems-integration

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

A. OCSP checks will always go to the configured FortiAuthenticator
B. The OCSP check of the certificate can be combined with a certificate revocation list.
C. OCSP certificate responses are never cached by the FortiGate.
D. If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Suggested answer: A, D

Explanation:

A is correct because the OCSP server is configured as the FortiAuthenticator in the config vpn certificate ocsp-server section. D is correct because the config vpn ssl settings section has set ocsp-option to allow. This means that if the OCSP server is unreachable, authentication will succeed if the certificate matches the CA. Reference:

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/ssl-vpnauthentication

https://docs.fortinet.com/document/fortigate/7.4.0/administrationguide/266506/ssl-vpn-with-certificate-authentication

Refer to the exhibit.

To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with configuring the FortiGate devices to support injecting of IKE routes on the ADVPN shortcut tunnels.

Which three commands must be added or changed in the FortiGate spoke config vpn ipsec phase1-interface options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)

A. set net-device disable
B. set mode-cfg enable
C. set ike-version 1
D. set add-route enable
E. set mode-cfg-allow-client-selector enable

Suggested answer: A, D, E

Explanation:

A is correct because net-device disable prevents the VPN interface from being added to the routing table as a connected route. This allows IKE routes to be injected instead. D is correct because add-route enable enables IKE route injection on the VPN interface. E is correct because mode-cfg-allow-client-selector enable allows the VPN interface to accept IKE routes from any peer that matches the phase 1 configuration. Reference:

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490352/advpn

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490352/advpnconfiguration

Total 60 questions