Fortinet NSE8_812 Network Security Expert 8 Written Exam Practice Test

Page: 1 / 11
Total 105 questions

Network Security Expert 8 Written Exam Questions and Answers

Question 1

Refer to the exhibit.

To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with configuring the FortiGate devices to support the injection of IKE routes on the ADVPN shortcut tunnels.

Which three commands must be added or changed in the FortiGate spoke config vpn ipsec phase1-interface options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)

Options:

A.

set net-device disable

B.

set mode-cfg enable

C.

set ike-version 1

D.

set add-route enable

E.

set mode-cfg-allow-client-selector enable

Question 2

Which two types of interface have built-in active bypass in FortiDDoS devices? (Choose two.)

Options:

A.

SFP

B.

LC

C.

QSFP+

D.

Copper

E.

SFP+

Question 3

Refer to the exhibit.

The exhibit shows the forensics analysis of an event detected by the FortiEDR core.

In this scenario, which statement is correct regarding the threat?

Options:

A.

This is an exfiltration attack and has been stopped by FortiEDR.

B.

This is an exfiltration attack and has not been stopped by FortiEDR

C.

This is a ransomware attack and has not been stopped by FortiEDR.

D.

This is a ransomware attack and has been stopped by FortiEDR

Question 4

A FortiGate running FortiOS 7.2.0 GA is configured in multi-vdom mode with a vdom set to vdom type Admin and another vdom set to vdom type Traffic.

Which two GUI sections are available on both VDOM types? (Choose two.)

Options:

A.

Interface configuration

B.

Packet capture

C.

Security Fabric topology and external connectors

D.

Certificates

E.

FortiClient configuration

Question 5

Refer to the exhibits, which show a topology and diagnostic commands.

Which two statements about the path resolution are true? (Choose two.)

Options:

A.

Latency is the quality criteria.

B.

wan1 is currently used as an outgoing interface.

C.

wan2 is currently used as an outgoing interface.

D.

Packet-loss is the quality criteria.

Question 6

An HA topology is using the following configuration:

Based on this configuration, how long will it take for a failover to be detected by the secondary cluster member?

Options:

A.

600ms

B.

200ms

C.

300ms

D.

100ms

Question 7

Refer to the exhibits.

The exhibits show a diagram of a requested topology and the base IPsec configuration.

A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.

In this scenario, which feature should be implemented to achieve this requirement?

Options:

A.

Use network-overlay id

B.

Change advpn2 to IKEv1

C.

Use local-id

D.

Use peer-id

Question 8

You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor. Your recommendation must consider performance as the main concern; cost is not a factor. Which adapter type for the NICs will you recommend?

Options:

A.

Native ESXi Networking with E1000

B.

Virtual Function (VF) PCI Passthrough

C.

Native ESXi Networking with VMXNET3

D.

Physical Function (PF) PCI Passthrough

Question 9

An automation stitch was configured using an incoming webhook as the trigger named 'my_incoming_webhook'. The action is configured to execute the CLI Script shown:

Options:

A.

data: '{ "hostname": "bad_host_1", "ip": ["1.1.1.1"]}'

url: http://192.168.226.129/api/v2/monitor/system/automation-stitch/webhook/my_incoming_webhook

B.

data: '{ "hostname": "bad_host_1", "ip": "1.1.1.1"}'

url: http://192.168.226.129/api/v2/monitor/system/automation-stitch/webhook/my_incoming_webhook

C.

data: '{ "hostname": "bad_host_1", "ip": ["1.1.1.1"]}'

url: http://192.168.226.129/api/v2/cmdb/system/automation-stitch/webhook/my_incoming_webhook

D.

data: '{ "hostname": "bad_host_1", "ip": "1.1.1.1"}'

url: http://192.168.226.129/api/v2/cmdb/system/automation-stitch/webhook/my_incoming_webhook

Question 10

Refer to the exhibit showing a FortiEDR configuration.

Based on the exhibit, which statement is correct?

Options:

A.

The presence of a cryptolocker malware at rest on the filesystem will be detected by the Ransomware Prevention security policy.

B.

FortiEDR Collector will not collect OS Metadata.

C.

If a malicious file is executed and attempts to establish a connection it will generate duplicate events.

D.

If an unresolved file rule is triggered, by default the file is logged but not blocked.

Question 11

Refer to the exhibits.

An administrator has configured a FortiGate and FortiAuthenticator for two-factor authentication with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and authenticate, but push notifications do not work.

Based on the information given in the exhibits, what must be done to fix this?

Options:

A.

On FG-1 port1, the ftm access protocol must be enabled.

B.

FAC-1 must have an internet routable IP address for push notifications.

C.

On FG-1 CLI, the ftm-push server setting must point to 100.64.141.

D.

On FAC-1, the FortiToken public IP setting must point to 100.64.1.41

Question 12

A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.

CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.

Which two options can resolve this situation? (Choose two.)

Options:

A.

Change the persistence rule to LB_PERSIS_SSL_SESS_ID.

B.

Add more web servers to the real server pool

C.

Disable SSL between the FortiADC and the web servers

D.

Add a connection-pool to the FortiADC virtual server

Question 13

SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.

You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.

What should you configure?

Options:

A.

Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.

B.

Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.

C.

Configure two DNS servers and use DNS servers recommended by the two internet providers.

D.

Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

Question 14

Refer to the exhibits.

The exhibits show a FortiGate network topology and the output of the status of high availability on the FortiGate.

Given this information, which statement is correct?

Options:

A.

The ethertype values of the HA packets are 0x8890, 0x8891, and 0x8892

B.

The cluster mode can support a maximum of four (4) FortiGate VMs

C.

The cluster members are on the same network and the IP addresses were statically assigned.

D.

FGVMEVLQOG33WM3D and FGVMEVGCJNHFYI4A share a virtual MAC address.

Question 15

Review the Application Control log.

Which configuration caused the IPS engine to generate this log?

Options:

A.

Option A15

B.

Option B15

C.

Option C15

D.

Option D15

Question 16

Refer to the exhibits, which show a network topology and VPN configuration.

A network administrator has been tasked with modifying the existing dial-up IPsec VPN infrastructure to detect the path quality to the remote endpoints.

After applying the configuration shown in the configuration exhibit, the VPN clients can still connect and access the protected 172.16.205.0/24 network, but no SLA information shows up for the client tunnels when issuing the diagnose sys link-monitor tunnel all command on the FortiGate CLI.

What is wrong with the configuration?

Options:

A.

SLA link monitoring does not work with the net-device setting.

B.

The admin needs to disable the mode-cfg setting.

C.

IPsec Phase1 Interface has to be configured in IPsec main mode.

D.

It is necessary to use the IKEv2 protocol in this situation.

Question 17

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

Options:

A.

OCSP checks will always go to the configured FortiAuthenticator

B.

The OCSP check of the certificate can be combined with a certificate revocation list.

C.

OCSP certificate responses are never cached by the FortiGate.

D.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Question 18

You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?

Options:

A.

The configuration of the MTA Adapter Local Interface is different than on port1.

B.

The MTA adapter is only available in the primary node.

C.

The MTA adapter mode is only detection mode.

D.

The configuration is different than on a standalone device.

Question 19

Refer to the exhibit, which shows a VPN topology.

The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50.

Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?

Options:

A.

All the session traffic will pass through the Hub

B.

The TCP port 21 must be allowed on the NAT Device2

C.

ADVPN is not supported when spokes are behind NAT

D.

Spoke1 will establish an ADVPN shortcut to Spoke2

Question 20

Refer to the exhibit of a FortiNAC configuration.

In this scenario, which two statements are correct? (Choose two.)

Options:

A.

A device that is modeled in FortiNAC is connected on VLAN 4093.

B.

An unknown host is connected to port3.

C.

The IP address of the FortiSwitch is 10.12.240.2.

D.

Port8 is connected to a FortiGate in FortiLink mode.

Question 21

A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.

Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

Options:

A.

Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.

B.

Create an IAM account for the cybersecurity department to manage both existing VPCs, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters

C.

Migrate all the instances to the same VPC and create IAM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.

D.

Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster

Question 22

Refer to the exhibit.

The exhibit shows the topology a customer wants to implement using a flexible authentication scheme. Users connecting from trusted remote locations are authenticated using only their username/password when connecting to the SSLVPN FortiGate in the data center.

When connecting from the Untrusted Clients, users must authenticate using 2-factor authentication.

In this scenario, which RADIUS attribute can be used as a RADIUS policy selector on the FortiAuthenticator to accomplish this goal?

Options:

A.

Calling-Station-Id

B.

Framed-IP-Address

C.

Tunnel-Client-Auth-Id

D.

Login-IP-Host

Question 23

Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)

• Public IP address (129.11.1.100) is assigned to port1

• Datacenter.acmecorp.com resolves to the public IP address assigned to port1

The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.

Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 24

Refer to the exhibit.

A customer wants to automate the creation and configuration of FortiGate VM instances in a VMware vCenter environment using Terraform. They have the creation part working with the code shown in the exhibit.

Which code snippet will allow Terraform to automatically connect to a newly deployed FortiGate if its IP was dynamically assigned by VMware NSX-T?

Options:

A.

Option A24

B.

Option B24

C.

Option C24

D.

Option D24

Question 25

A FortiGate must be configured to accept VoIP traffic which will include session initiation protocol (SIP) traffic. Which statement about the VoIP configuration options is correct?

Options:

A.

Restricting SIP requests is only possible when using the SIP Session Helper.

B.

Rate tracking of SIP requests is only possible when the application layer gateway (ALG) is set to Flow mode.

C.

FortiOS cannot accept SIP traffic if both the SIP Session Helper and the application layer gateway (ALG) are disabled.

D.

By default, VoIP traffic will be processed using the SIP Session Helper.

Question 26

Refer to the exhibits.

A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.

Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)

Options:

A.

FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.

B.

Devices connected directly to ports 3 and 4 can perform 802.1X authentication.

C.

Ports 3 and 4 can be part of different switch interfaces.

D.

Client devices must have 802.1X authentication enabled

Question 27

Refer to the exhibit, which shows diagnostic output.

A customer reports that ICMP traffic flow from 192.168.1.11 to 93.190.134.171 is not corresponding to the SD-WAN setup.

What is the problem in this scenario?

Options:

A.

SD-WAN Rule is matching only DNS traffic.

B.

Port1 is used because it has more available bandwidth.

C.

Traffic is matched by policy route.

D.

Route for the destination IP is missing in the routing table.

Question 28

A customer would like to improve the performance of a FortiGate VM running in an Azure D4s_v3 instance, but they already purchased a BYOL VM04 license.

Which two actions will improve performance the most without making a FortiGate license change? (Choose two.)

Options:

A.

Migrate the FortiGate to an Azure F4s_v2.

B.

Enable "Accelerated networking" on the Azure network interfaces.

C.

Enable SR-IOV on the FortiGate.

D.

Migrate the FortiGate to an Azure D8s_v3.

Question 29

Refer to the exhibits.

A customer is trying to restore a VPN connection configured on a FortiGate. Exhibits show output during a troubleshooting session when the VPN was working and the current baseline VPN configuration.

Which configuration parameters will restore VPN connectivity based on the diagnostic output?

Options:

A.

Option A29

B.

Option B29

C.

Option C29

D.

Option D29

Question 30

Refer to the exhibit showing a firewall policy configuration.

To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1.

What change does the administrator need to make?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 31

Refer to the exhibit showing an SD-WAN configuration.

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?

Options:

A.

port16 and port1

B.

port1 and port1

C.

port16 and port15

D.

port1 and port15
