
Fortinet NSE8_812 Practice Test - Questions Answers, Page 6


Refer to the exhibit showing a firewall policy configuration.

To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1.

What change does the administrator need to make?

A. Option A
B. Option B
C. Option C
D. Option D
Suggested answer: B

Explanation:

B is correct because it adds an identity-based policy with SSL-VPN as the source interface and requires authentication using a user group. This will enforce authentication on firewall policy ID 1 for SSL-VPN users. Reference:

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/ssl-vpn-authentication

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/configuring-sslvpn-access-for-local-users

Refer to the exhibit.

A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.

Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)

A. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
B. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority.
C. You can only deploy initial installations to Windows clients.
D. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express.
E. The Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy.
Suggested answer: B, C

Explanation:

B is correct because a client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority. This is explained in the FortiClient EMS Administration Guide under Deployment & Installers > Manage Deployment > Managing deployment configuration priority levels. C is correct because you can only deploy initial installations to Windows clients using FortiClient EMS. This is also explained in the FortiClient EMS Administration Guide under Deployment & Installers > Deploying FortiClient software to endpoints. Reference:

https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide/278884/deployment-installers

https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide/374506/deploying-forticlient-software-to-endpoints

Refer to the exhibit showing FortiGate configurations.

FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.

The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI. The managed devices never show online when FMG-B becomes primary, but they will show online whenever FMG-A becomes primary.

What change will correct HA functionality in this scenario?

A. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.
B. Make the monitored IP to match on both FortiManager devices.
C. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
D. Change the priority of FMG-A to be numerically lower for higher preference.
Suggested answer: B

Explanation:

B is correct because the monitored IP must match on both FortiManager devices for HA to function properly. This is explained in the FortiManager Administration Guide under High Availability > Configuring HA options > Configuring HA options using the GUI. Reference:

https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability

https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options

A remote IT Team is in the process of deploying a FortiGate in their lab. The closed environment has been configured to support zero-touch provisioning from the FortiManager, on the same network, via DHCP options. After waiting 15 minutes, they are reporting that the FortiGate received an IP address, but the zero-touch process failed.

The exhibit below shows what the IT Team provided while troubleshooting this issue:

Which statement explains why the FortiGate did not install its configuration from the FortiManager?

A. The FortiGate was not configured with the correct pre-shared key to connect to the FortiManager.
B. The DHCP server was not configured with the FQDN of the FortiManager.
C. The DHCP server used the incorrect option type for the FortiManager IP address.
D. The configuration was modified on the FortiGate prior to connecting to the FortiManager.
Suggested answer: C

Explanation:

C is correct because the DHCP server used the incorrect option type for the FortiManager IP address. The option type should be 43 instead of 15, as shown in the FortiManager Administration Guide under Zero-Touch Provisioning > Configuring DHCP options for ZTP. Reference:

https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability

https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options

Refer to the exhibit.

A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.

How will the sessions be load balanced between server 1 and server 2 during normal operation?

A. Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions.
B. Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions.
C. Server 1 will receive 33.3% of the sessions, Server 2 will receive 66.6% of the sessions.
D. Server 1 will receive 0% of the sessions, Server 2 will receive 100% of the sessions.
Suggested answer: D

Explanation:

D is correct because server 1 has a weight of 0, which means it will not receive any sessions from the load balancer. Server 2 has a weight of 100, which means it will receive all sessions from the load balancer. This is explained in the FortiWeb Administration Guide under Server Load Balancing > Server pools > Weighted round robin. Reference:

https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/381057/server-load-balancing

https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/381057/server-load-balancing/381058/server-pools

Refer to the exhibit, which shows a VPN topology.

The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50.

Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?

A. All the session traffic will pass through the Hub.
B. The TCP port 21 must be allowed on the NAT Device2.
C. ADVPN is not supported when spokes are behind NAT.
D. Spoke1 will establish an ADVPN shortcut to Spoke2.
Suggested answer: D

Explanation:

D is correct because Spoke1 will establish an ADVPN shortcut to Spoke2 when it detects that there is a demand for traffic between them. This is explained in the Fortinet Community article on Technical Tip: Fortinet Auto Discovery VPN (ADVPN) under Summary - ADVPN sequence of events. Reference:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195698

Refer to the exhibits.

A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table. Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.

Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)

A. 172.16.204.128/25
B. 172.16.201.96/29
C. 172,620,64,27
D. 172.16.204.64/27
Suggested answer: A, C

Explanation:

A is correct because 172.16.204.128/25 matches the prefix list entry 172.16.204.0/24 ge 25 le 25. C is correct because 172.16.204.64/27 matches the prefix list entry 172.16.204.0/24 ge 27 le 27.

Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/bgp

Refer to the exhibits.

The exhibits show a diagram of a requested topology and the base IPsec configuration.

A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.

In this scenario, which feature should be implemented to achieve this requirement?

A. Use network-overlay id
B. Change advpn2 to IKEv1
C. Use local-id
D. Use peer-id
Suggested answer: A

Explanation:

A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub.

Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn

You are creating the CLI script to be used on a new SD-WAN deployment. You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.

The current configuration is:

Which configuration do you use for the Performance SLA members?

A. set members any
B. set members 0
C. current configuration already fulfills the requirement
D. set members all
Suggested answer: D

Explanation:

D is correct because using set members all allows you to apply the Performance SLA configuration to all available interfaces without specifying them individually. This way, you do not need to change the configuration in case more connections are added to the branch. Reference:

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan/978795/configuring-sd-wan-performance-sla

You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.

Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.

In which two ways must you configure the igmps-flood-traffic and igmps-flood-report settings? (Choose two.)

A. disable on ICL trunks
B. enable on ICL trunks
C. disable on the ISL and FortiLink trunks
D. enable on the ISL and FortiLink trunks
Suggested answer: A, C

Explanation:

A is correct because disabling igmps-flood-traffic and igmps-flood-report on ICL trunks prevents unnecessary multicast traffic from being flooded across the MCLAG cluster members. C is correct because disabling igmps-flood-traffic and igmps-flood-report on the ISL and FortiLink trunks prevents unnecessary multicast traffic from being flooded to other switches or FortiGates that do not have multicast listeners. Reference:

https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding

https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding/381058/configuring-multicast-forwarding


Total 60 questions