Fortinet NSE8_812 Practice Test - Questions Answers, Page 5
Question 41

A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup. The following API call is being made with the 'curl' utility:
Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API? (Choose two.)
A. Only users with the 'Full permission' role can access the REST API.
B. This API call will fail because it requires API version 2.
C. If the REST API web service access key is lost, it cannot be retrieved and must be changed.
D. The syntax is incorrect because the API call needs the GET method.
To retrieve an SSO group called SalesGroup using the FortiAuthenticator REST API, the following issues need to be fixed in the API call:
The API version should be v2, not v1, as SSO groups are only supported in version 2 of the REST API.
The HTTP method should be GET, not POST, as GET is used to retrieve information from the server, while POST is used to create or update information on the server. Therefore, a correct API call would look like this: curl -X GET -H "Authorization: Bearer <token>" https://fac.example.com/api/v2/sso/groups/SalesGroup
Reference:
https://docs.fortinet.com/document/fortiauthenticator/6.4.1/rest-api-solution-guide/927310/introduction
https://docs.fortinet.com/document/fortiauthenticator/6.4.1/rest-api-solution-guide/927311/sso-groups
Question 42

Refer to the exhibit.
A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains a TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.
Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.
What are the two reasons for this behavior? (Choose two.)
A. The private-data-encryption key entered on the primary did not match the value that the TPM expected.
B. Configuration for TPM is not synchronized between FortiGate HA cluster members.
C. The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.
D. TPM functionality is not yet compatible with FortiGate HA.
E. The administrator needs to manually enter the hex private data encryption key in FortiManager.
https://docs.fortinet.com/document/fortimanager/7.4.2/administration-guide/30332/verifying-devices-with-private-data-encryption-enabled
Question 43

Refer to the exhibits.
The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.
You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.
All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the e-mail is clean, FortiMail must forward it to the third-party service, which will send the e-mail back to FortiMail for final delivery; FortiMail must not scan the e-mail again.
Which three configuration tasks must be performed to meet these requirements? (Choose three.)
A. Change the scan order in FML-GW to antispam-sandbox-content.
B. Apply the Catch-All profile to the CFInbound profile and configure a content action profile to deliver to the srv.thirdparty.com FQDN.
C. Create an access receive rule with a Sender value of srv.thirdparty.com, Recipient value of *@acme.com, and action value of Safe.
D. Apply the Catch-All profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.
E. Create an IP policy with a Source value of 100.64.0.72/32, enable precedence, and place the policy at the top of the list.
A is correct because the scan order must be changed to antispam-sandbox-content in order for FortiMail to scan the email for spam and viruses before forwarding it to the third-party service.
B is correct because the Catch-All profile must be applied to the CFInbound profile in order for FortiMail to forward clean emails to the third-party service.
E is correct because an IP policy must be created with a Source value of 100.64.0.72/32 in order to allow emails from the third-party service to be delivered to FortiMail.
The other options are not necessary to meet the requirements. Option C is not necessary because the access receive rule will already allow emails from the third-party service to be received by FortiMail. Option D is not necessary because the Catch-All profile already allows emails to be delivered to any destination.
Here are some additional details about integrating a third-party service into the FortiMail email processing path:
The third-party service must be able to receive emails from FortiMail and send them back to FortiMail.
The third-party service must be able to communicate with FortiMail using the SMTP protocol.
The third-party service must be able to authenticate with FortiMail using the SMTP AUTH protocol.
Once the third-party service is integrated into the FortiMail email processing path, all inbound emails will be processed by FortiMail as usual. If the email is clean, FortiMail will forward it to the third-party service. The third-party service will then send the email back to FortiMail for final delivery. FortiMail will not scan the email again.
Question 44

Refer to the exhibit showing a FortiSOAR playbook.
You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.
What should be your next step?
A. Go to the Incident Response tasks dashboard and run the pending actions.
B. Click on the notification icon on the FortiSOAR GUI and run the pending input action.
C. Run the Mark Drive by Download playbook action.
D. Reply to the e-mail with the requested playbook action.
The exhibited playbook requires intervention, which means that the playbook has reached a point where it needs a human operator to take action. The next step should be to go to the Incident Response tasks dashboard and run the pending actions. This will allow you to see the pending actions that need to be taken and to take those actions.
The other options are not correct. Option B will only show you the notification icon, but it will not allow you to run the pending input action. Option C will run the Mark Drive by Download playbook action, but this is not the correct action to take in this case. Option D is not a valid option.
Here are some additional details about pending actions in FortiSOAR:
Pending actions are actions that need to be taken by a human operator.
Pending actions are displayed in the Incident Response tasks dashboard.
Pending actions can be run by clicking on the action in the dashboard.
Question 45

Review the following FortiGate-6000 configuration excerpt:
Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?
A. It dynamically distributes SNAT source ports to operating FPCs or FPMs.
B. It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.
C. It statically distributes SNAT source ports to operating FPCs or FPMs.
D. It equally distributes SNAT source ports across chassis slots.
https://docs.fortinet.com/document/fortigate/7.4.1/fortigate-6000-administration-guide/81276/controlling-snat-port-partitioning-behavior
'chassis-slots: this option statically allocates SNAT source ports to all FPCs that are enabled when you enter the command. If you disable an FPC from the CLI, the SNAT source ports assigned to that FPC will not be re-allocated to the remaining FPCs. All FPCs that are still operating will maintain the same SNAT source port allocation, and active sessions being processed by the still-operating FPCs will not be affected.'
Question 46

Refer to the exhibit.
You have been tasked with replacing the managed switch FortiSwitch 2 shown in the topology.
Which two actions are correct regarding the replacement process? (Choose two.)
A. After replacing the FortiSwitch unit, the automatically created trunk name does not change.
B. MCLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate.
C. After replacing the FortiSwitch unit, the automatically created trunk name changes.
D. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.
A is correct because the automatically created trunk name is based on the MAC address of the FortiSwitch unit. When the FortiSwitch unit is replaced, the MAC address will change, but the trunk name will not change.
B is correct because MCLAG-ICL is a manually configured link aggregation group. When the FortiSwitch unit is replaced, the MCLAG-ICL configuration will need to be manually reconfigured on the new FortiSwitch unit.
The other options are incorrect. Option C is incorrect because the automatically created trunk name does not change when the FortiSwitch unit is replaced. Option D is incorrect because MCLAG-ICL is a manually configured link aggregation group and will not be automatically reconfigured when the FortiSwitch unit is replaced.
Configuring link aggregation on FortiSwitches | FortiSwitch / FortiOS 7.0.4 - Fortinet Document Library
Managing FortiLink | FortiGate / FortiOS 7.0.4 - Fortinet Document Library
https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/173284/replacing-a-managed-fortiswitch-unit
Question 47

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after the device was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two.)
A. Change the Adaptive Mode.
B. Create an HA setup with a second FortiDDoS 200F.
C. Move the internet connection from the SFP interfaces to the LC interfaces.
D. Replace with a FortiDDoS 1500F.
B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.
D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F. This means that it will be less likely to drop traffic even under heavy load.
The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC interfaces will not change the throughput capacity of the device.
FortiDDoS 200F Datasheet | Fortinet Document Library
FortiDDoS 1500F Datasheet | Fortinet Document Library
High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library
Question 48

Refer to the exhibit.
The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.
Referring to the exhibit, which two actions will fix these errors? (Choose two.)
A. Verify that the CRL is accessible from the root FortiGate.
B. Export and import the FortiClient EMS server certificate to the root FortiGate.
C. Install a new known CA on the Win2K16-EMS server.
D. Authorize the root FortiGate on the FortiClient EMS.
A is correct because the error message 'The CRL is not accessible' indicates that the root FortiGate cannot access the CRL for the FortiClient EMS server. Verifying that the CRL is accessible will fix this error.
D is correct because the error message 'The FortiClient EMS server is not authorized' indicates that the root FortiGate is not authorized to connect to the FortiClient EMS server. Authorizing the root FortiGate on the FortiClient EMS server will fix this error.
The other options are incorrect. Option B is incorrect because exporting and importing the FortiClient EMS server certificate to the root FortiGate will not fix the CRL error. Option C is incorrect because installing a new known CA on the Win2K16-EMS server will not fix the authorization error.
Troubleshooting FortiClient EMS connectivity | FortiClient / FortiOS 7.0.0 - Fortinet Document Library
Authorizing FortiGates with FortiClient EMS | FortiClient / FortiOS 6.4.8 - Fortinet Document Library
https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/185333/forticlient-ems
Question 49

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.
Part of the FortiGate configuration is shown below:
Based on this configuration, which two statements are true? (Choose two.)
A. OCSP checks will always go to the configured FortiAuthenticator.
B. The OCSP check of the certificate can be combined with a certificate revocation list.
C. OCSP certificate responses are never cached by the FortiGate.
D. If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.
Configuring SSL VPN authentication using digital certificates | FortiGate / FortiOS 7.2.0 - Fortinet Document Library
Online Certificate Status Protocol (OCSP) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library
Certificate Revocation Lists (CRLs) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library
Question 50

Refer to the exhibit.
To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with configuring the FortiGate devices to support injecting of IKE routes on the ADVPN shortcut tunnels.
Which three commands must be added or changed to the FortiGate spoke config vpn ipsec phase1-interface options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)
A. set net-device disable
B. set mode-cfg enable
C. set ike-version 1
D. set add-route enable
E. set mode-cfg-allow-client-selector enable
B must be set to enable mode-cfg, which is required for injecting IKE routes on the ADVPN shortcut tunnels.
D must be set to enable add-route, which is the command that actually injects the IKE routes.
E must be set to enable mode-cfg-allow-client-selector, which allows custom phase 2 selectors to be configured.
The other options are incorrect. Option A is incorrect because net-device disable is not required for injecting IKE routes on the ADVPN shortcut tunnels. Option C is incorrect because IKE version 1 is not supported for ADVPN.
Phase 2 selectors and ADVPN shortcut tunnels | FortiGate / FortiOS 7.2.0
Configuring SD-WAN/ADVPN with FortiGate | FortiGate / FortiOS 7.2.0