Special Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Fortinet NSE8_812 Network Security Expert 8 Written Exam Exam Practice Test

Demo: 31 questions
Total 105 questions

Network Security Expert 8 Written Exam Questions and Answers

Question 1

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

Options:

A.

Change the Adaptive Mode.

B.

Create an HA setup with a second FortiDDoS 200F

C.

Move the internet connection from the SFP interfaces to the LC interfaces

D.

Replace with a FortiDDoS 1500F

Question 2

Refer to the exhibit, which shows an SD-WAN configuration.

You configured the SD-WAN from Branch1 to the HUB and enabled packet duplication. You later notice that the traffic is not being duplicated. In this scenario, what is causing this problem?

Options:

A.

There is a mismatch in the FortiOS version between Branch1 and HUB.

B.

Traffic cannot be duplicated over multiple zones.

C.

Packet duplication is not enabled on the HUB side.

D.

Packet duplication did not occur because an interface is out of SLA.

Question 3

Refer to the exhibits, which show a network topology and VPN configuration.

A network administrator has been tasked with modifying the existing dial-up IPsec VPN infrastructure to detect the path quality to the remote endpoints.

After applying the configuration shown in the configuration exhibit, the VPN clients can still connect and access the protected 172.16.205.0/24 network, but no SLA information shows up for the client tunnels when issuing the diagnose sys link-monitor tunnel all command on the FortiGate CLI.

What is wrong with the configuration?

Options:

A.

SLA link monitoring does not work with the net-device setting.

B.

The admin needs to disable the mode-cfg setting.

C.

IPsec Phase1 Interface has to be configured in IPsec main mode.

D.

It is necessary to use the IKEv2 protocol in this situation.

Question 4

Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.

The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.

Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 5

Refer to the exhibit.

A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode.

Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)

Options:

A.

You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode

B.

Traffic on AccountVInk and SalesVInk will not be accelerated.

C.

The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides.

D.

Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.

E.

OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk

Question 6

Refer to the exhibit.

You need to create a base SD-WAN configuration that includes SD-WAN rules and Performance SLAs for spoke sites with various connectivity types. It needs to be done in a way that can be easily applied to new sites with a minimum amount of change. How should you create the SD-WAN zones?

Options:

A.

With members and assign overlay interfaces

B.

With members without interface assignments

C.

With no members configured

D.

With members and assign interfaces but do not specify a gateway

Question 7

Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)

• Public IP address (129.11.1.100) is assigned to portl

• Datacenter.acmecorp.com resolves to the public IP address assigned to portl

The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.

Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 8

An automation stitch was configured using an incoming webhook as the trigger named 'my_incoming_webhook'. The action is configured to execute the CLI Script shown:

Options:

A.

data: ‘{ “hostname”: “bad_host_1”, “ip”: [“1.1.1.1”]}’

url: http://192.168.226.129/api/v2/monitor/system/automation-stitch/webhook/my_incoming_webhook

B.

data: ‘{ “hostname”: “bad_host_1”, “ip”: “1.1.1.1”}’

url: http://192.168.226.129/api/v2/monitor/system/automation-stitch/webhook/my_incoming_webhook

C.

data: ‘{ “hostname”: “bad_host_1”, “ip”: [“1.1.1.1”]}’

url: http://192.168.226.129/api/v2/cmdb/system/automation-stitch/webhook/my_incoming_webhook

D.

data: ‘{ “hostname”: “bad_host_1”, “ip”: “1.1.1.1”}’

url:http://192.168.226.129/api/v2/cmdb/system/automation-stitch/webhook/my_incoming_webhook

Question 9

Refer to the exhibits.

You must integrate a FortiMail and FortiSandbox Enhanced Cloud solution for a customer who is concerned about the e-mails being delayed for too long.

According to the configuration shown in the exhibits, which would be an expected behavior?

Options:

A.

FortiMail will relay valid e-mails to the mail server as soon as it is done with other local inspections.

B.

If an attachment is sent to the FortiSandbox while the job queue is full, the e-mail might be delayed for up to 30 minutes, then e-mail will be relayed to the mail server.

C.

FortiMail will not wait for results but only for attachments that have been already submitted to the FortiSandbox in the last 60 minutes.

D.

FortiMail will ignore the timeout value if content disarm and reconstruction (CDR) is enabled.

Question 10

Refer to the exhibit.

The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.

Referring to the exhibit, which two actions will fix these errors? (Choose two.)

Options:

A.

Verify that the CRL is accessible from the root FortiGate

B.

Export and import the FortiClient EMS server certificate to the root FortiGate.

C.

Install a new known CA on the Win2K16-EMS server.

D.

Authorize the root FortiGate on the FortiClient EMS

Question 11

Refer to the exhibits.

The exhibits show a diagram of a requested topology and the base IPsec configuration.

A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.

In this scenario, which feature should be implemented to achieve this requirement?

Options:

A.

Use network-overlay id

B.

Change advpn2 to IKEv1

C.

Use local-id

D.

Use peer-id

Question 12

You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:

Given the information shown in the output, which two statements are true? (Choose two.)

Options:

A.

Enabling bandwidth control between the ISF and the NP will change the output

B.

The output is showing a packet descriptor queue accumulated counter

C.

Enable HPE shaper for the NP6 will change the output

D.

Host-shortcut mode is enabled.

E.

There are packet drops at the XAUI.

Question 13

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

Options:

A.

OCSP checks will always go to the configured FortiAuthenticator

B.

The OCSP check of the certificate can be combined with a certificate revocation list.

C.

OCSP certificate responses are never cached by the FortiGate.

D.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Question 14

Refer to the exhibit.

A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains & TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.

Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.

What are the two reasons for this behavior? (Choose two.)

Options:

A.

The private-data-encryption key entered on the primary did not match the value that the TPM expected.

B.

Configuration for TPM is not synchronized between FortiGate HA cluster members.

C.

The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.

D.

TPM functionality is not yet compatible with FortiGate HA.

E.

The administrator needs to manually enter the hex private data encryption key in FortiManager.

Question 15

You have configured a Site-to-Site IPsec VPN tunnel between a FortiGate and a third-party device but notice that one of the error counters on the tunnel interface keeps increasing.

Which two configuration options can resolve this problem? (Choose two.)

Options:

A.

Enable Forward Error Correction (FEC) on the VPN interface for egress traffic.

B.

Adjust the MTU of the physical interface to which the IPsec tunnel is bound.

C.

Enable DF-bit honoring in the global settings.

D.

Adjust the MTU of the IPsec interface.

Question 16

Refer to the exhibit showing a firewall policy configuration.

To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1.

What change does the administrator need to make?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 17

Refer to the exhibits.

A customer is trying to restore a VPN connection configured on a FortiGate. Exhibits show output during a troubleshooting session when the VPN was working and the current baseline VPN configuration.

Which configuration parameters will restore VPN connectivity based on the diagnostic output?

Options:

A.

B.

C.

D.

Question 18

Refer to the exhibit.

FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.

Which two statements correctly describe the expected behavior when running this template? (Choose two.)

Options:

A.

The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.

B.

The template will work if you change the variable format to $(WAN).

C.

The template will work if you change the variable format to {{ WAN }}.

D.

The administrator must first manually map the interface for each device with a meta field.

E.

The template will fail because this configuration can only be applied with a CLI or TCL script.

Question 19

Which feature must you enable on the BGP neighbors to accomplish this goal?

Options:

A.

Graceful-restart

B.

Deterministic-med

C.

Synchronization

D.

Soft-reconfiguration

Question 20

Refer to the exhibit.

The exhibit shows the topology a customer wants to implement using a flexible authentication scheme. Users connecting from trusted remote locations are authenticated using only their username/password when connecting to the SSLVPN FortiGate in the data center.

When connecting from the Untrusted Clients, users must authenticate using 2-factor authentication.

In this scenario, which RADIUS attribute can be used as a RADIUS policy selector on the FortiAuthenticator to accomplish this goal?

Options:

A.

Calling-Station-Id

B.

Framed-IP-Address

C.

Tunnel-Client-Auth-Id

D.

Login-IP-Host

Question 21

Refer to The exhibit showing a FortiEDR configuration.

Based on the exhibit, which statement is correct?

Options:

A.

The presence of a cryptolocker malware at rest on the filesystem will be detected by the Ransomware Prevention security policy.

B.

FortiEDR Collector will not collect OS Metadata.

C.

If a malicious file is executed and attempts to establish a connection it will generate duplicate events.

D.

If an unresolved file rule is triggered, by default the file is logged but not blocked.

Question 22

Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1).

Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?

Options:

A.

FAC2 can only process requests when FAC1 fails.

B.

FAC2 can have its HA interface on a different network than FAC1.

C.

The FortiToken license will need to be installed on the FAC2.

D.

FSSO sessions from FAC1 will be synchronized to FAC2.

Question 23

Refer to the exhibit.

What is happening in this scenario?

Options:

A.

The user status changed at FortiClient EMS to off-net.

B.

The user is authenticating against a FortiGate Captive Portal.

C The user is authenticating against an IdP.

C.

The user has not authenticated on their external browser.

Question 24

You are creating the CLI script to be used on a new SD-WAN deployment You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.

The current configuration is:

Which configuration do you use for the Performance SLA members?

Options:

A.

set members any

B.

set members 0

C.

current configuration already fulfills the requirement

D.

set members all

Question 25

Refer to the exhibit.

You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.

You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.

How should the initial connection be made?

Options:

A.

Connect the switch on any interface between ports 21 to 24

B.

Connect the switch on any interface between ports 25 to 28

C.

Connect the switch on any interface between ports 1 to 4

D.

Connect the switch on any interface between ports 5 to 8.

Question 26

Refer to the exhibits.

You are configuring a Let's Encrypt certificate to enable SSL protection to your website. When FortiWeb tries to retrieve the certificate, you receive a certificate status failed, as shown below.

Based on the Server Policy settings shown in the exhibit, which two configuration changes will resolve this issue? (Choose two.)

Options:

A.

Disable Redirect HTTP to HTTPS in the Server Policy.

B.

Remove the Web Protection Profile from this Server Policy.

C.

Enable HTTP service in the Server Policy.

D.

Configure a TXT record of the domain and point to the IP address of the Virtual Server.

Question 27

Refer to the exhibits.

During the implementation of a Fortinet Security Fabric configuration, CLI commands were issued in the order shown in the exhibit. On the next day, the local admin for FGTC issues the following command:

FGTC # config system csf

set configuration-sync default

end

In this scenario, which outcome is true regarding the "subnet_1" firewall address object on FGTC?

Options:

A.

The object will only be automatically created on FGTC if it is modified on FGTA-1.

B.

The object needs to be recreated on FGTA-1 before it is automatically created on FGTC.

C.

The object is not automatically created.

D.

The object is automatically created.

Question 28

Refer to the exhibit.

You are operating an internal network with multiple OSPF routers on the same LAN segment. FGT_3 needs to be added to the OSPF network and has the configuration shown in the exhibit. FGT_3 is not establishing any OSPF connection.

What needs to be changed to the configuration to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 29

You deployed a fully loaded FG-7121F in the data center and enabled sslvpn-load-balance. Based on the behavior of this feature which statement is correct?

Options:

A.

You can use src-ip or dst-ip-dport on dp-load-distribution-method to make SSL VPN load balancing work as expected.

B.

If an FPM goes down, SSL VPN IP pool IP addresses will be re-allocated to the remaining FPMs.

C.

To have better traffic distribution you should use IP pools that increment in multiples of 12.

D.

Enabling SSL VPN load balancing will clear the session table.

Question 30

A customer would like to improve the performance of a FortiGate VM running in an Azure D4s_v3 instance, but they already purchased a BYOL VM04 license.

Which two actions will improve performance the most without making a FortiGate license change? (Choose two.)

Options:

A.

Migrate the FortiGate to an Azure F4s_v2.

B.

Enable "Accelerated networking" on the Azure network interfaces.

C.

Enable SR-IOV on the FortiGate.

D.

Migrate the FortiGate to an Azure D8s_v3.

Question 31

Refer to the exhibit.

A customer needs to create a multi-tier MCLAG set up with the topology as shown in the exhibit.

A1/A2

B1/B2

C1/C2

Which command snippet should be applied to it, to allow active/active links in this topology?

Options:

A.

B.

C.

D.

Demo: 31 questions
Total 105 questions