Big Cyber Monday Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Certensure Logo
  1. Home
  2. Fortinet
  3. Fortinet Network Security Expert
  4. NSE8_812 - Network Security Expert 8 Written Exam

Fortinet NSE8_812 Network Security Expert 8 Written Exam Exam Practice Test

Demo: 31 questions
Total 105 questions
Get NSE8_812 Full Access Download NSE8_812 PDF

Network Security Expert 8 Written Exam Questions and Answers

Question 1

Refer to the exhibit.

You are operating an internal network with multiple OSPF routers on the same LAN segment. FGT_3 needs to be added to the OSPF network and has the configuration shown in the exhibit. FGT_3 is not establishing any OSPF connection.

What needs to be changed to the configuration to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 2

On a FortiGate Configured in Transparent mode, which configuration option allows you to control Multicast traffic passing through the?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 3

Review the VPN configuration shown in the exhibit.

What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?

Options:

A.

1 redundant packet for every 10 base packets

B.

3 redundant packet for every 5 base packets

C.

2 redundant packet for every 8 base packets

D.

3 redundant packet for every 9 base packets

Question 4

Refer to The exhibit showing a FortiEDR configuration.

Based on the exhibit, which statement is correct?

Options:

A.

The presence of a cryptolocker malware at rest on the filesystem will be detected by the Ransomware Prevention security policy.

B.

FortiEDR Collector will not collect OS Metadata.

C.

If a malicious file is executed and attempts to establish a connection it will generate duplicate events.

D.

If an unresolved file rule is triggered, by default the file is logged but not blocked.

Question 5

You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail What are two possible reasons for this problem? (Choose two.)

Options:

A.

The FortiMail access control rule to relay from Office 365 servers FQDN is missing.

B.

The FortiMail DKIM key was not set using the Auto Generation option.

C.

The FortiMail access control rules to relay from Office 365 servers public IPs are missing.

D.

A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.

Question 6

Refer to the exhibit.

You need to create a base SD-WAN configuration that includes SD-WAN rules and Performance SLAs for spoke sites with various connectivity types. It needs to be done in a way that can be easily applied to new sites with a minimum amount of change. How should you create the SD-WAN zones?

Options:

A.

With members and assign overlay interfaces

B.

With members without interface assignments

C.

With no members configured

D.

With members and assign interfaces but do not specify a gateway

Question 7

Which two types of interface have built-in active bypass in FortiDDoS devices? (Choose two.)

Options:

A.

SFP

B.

LC

C.

QSFP+

D.

Copper

E.

SFP+

Question 8

Refer to the exhibit showing the history logs from a FortiMail device.

Which FortiMail email security feature can an administrator enable to treat these emails as spam?

Options:

A.

DKIM validation in a session profile

B.

Sender domain validation in a session profile

C.

Impersonation analysis in an antispam profile

D.

Soft fail SPF validation in an antispam profile

Question 9

Refer to the exhibit.

To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with configuring the FortiGate devices to support injecting of IKE routes on the ADVPN shortcut tunnels.

Which three commands must be added or changed to the FortiGate spoke config vpn ipsec phasei-interface options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)

Options:

A.

set net-device disable

B.

set mode-cfg enable

C.

set ike-version 1

D.

set add-route enable

E.

set mode-cfg-allow-client-selector enable

Question 10

Refer to the exhibit showing FortiGate configurations

FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.

The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.

What change will correct HA functionality in this scenario?

Options:

A.

Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.

B.

Make the monitored IP to match on both FortiManager devices.

C.

Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.

D.

Change the priority of FMG-A to be numerically lower for higher preference

Question 11

You deployed a fully loaded FG-7121F in the data center and enabled sslvpn-load-balance. Based on the behavior of this feature which statement is correct?

Options:

A.

You can use src-ip or dst-ip-dport on dp-load-distribution-method to make SSL VPN load balancing work as expected.

B.

If an FPM goes down, SSL VPN IP pool IP addresses will be re-allocated to the remaining FPMs.

C.

To have better traffic distribution you should use IP pools that increment in multiples of 12.

D.

Enabling SSL VPN load balancing will clear the session table.

Question 12

Refer to the exhibits.

A customer is trying to restore a VPN connection configured on a FortiGate. Exhibits show output during a troubleshooting session when the VPN was working and the current baseline VPN configuration.

Which configuration parameters will restore VPN connectivity based on the diagnostic output?

Options:

A.

B.

C.

D.

Question 13

A FortiGate is configured to perform outbound firewall authentication with Azure AD as a SAML IdP.

What are two valid interactions that occur when the client attempts to access the internet? (Choose two.)

Options:

A.

FortiGate SP sends a SAML request to the IdP.

B.

The Microsoft SAML IdP sends the SAML response to the FortiGate SP.

C.

The client browser forwards the SAML response received from Microsoft SAML IdP to the FortiGate SP.

D.

FortiGate SP redirects the client browser to the local captive portal and then redirects to the Microsoft SAML IdP.

Question 14

Refer to the exhibit showing an SD-WAN configuration.

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?

Options:

A.

port16 and port1

B.

port1 and port1

C.

port16 and port15

D.

port1 and port15

Question 15

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

Options:

A.

Change the Adaptive Mode.

B.

Create an HA setup with a second FortiDDoS 200F

C.

Move the internet connection from the SFP interfaces to the LC interfaces

D.

Replace with a FortiDDoS 1500F

Question 16

What is the benefit of using FortiGate NAC LAN Segments?

Options:

A.

It provides support for multiple DHCP servers within the same VLAN.

B.

It provides physical isolation without changing the IP address of hosts.

C.

It provides support for IGMP snooping between hosts within the same VLAN

D.

It allows for assignment of dynamic address objects matching NAC policy.

Question 17

A customer is planning on moving their secondary data center to a cloud-based laaS. They want to place all the Oracle-based systems Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center.

They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority.

Which two design options are true based on these requirements? (Choose two.)

Options:

A.

Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.

B.

Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.

C.

Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.

D.

Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge

Question 18

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the OCSP server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which authentication scenario will FortiGate deny?

Options:

A.

The user certificate does not contain the OCSP URL.

B.

FortiAuthenticator responds to an OCSP request that the user certificate authority is untrusted.

C.

FortiAuthenticator responds to an OCSP request that the user certificate status is unknown.

Question 19

Refer to the exhibit.

A customer wants to automate the creation and configuration of FortiGate VM instances in a VMware vCenter environment using Terraform. They have the creation part working with the code shown in the exhibit.

Which code snippet will allow Terraform to automatically connect to a newly deployed FortiGate if its IP was dynamically assigned by VMware NSX-T?

Options:

A.

B.

C.

D.

Question 20

Refer to the exhibits.

The exhibits show the configuration and debug output from a FortiGate Public SDN Connector.

What is a possible reason for this dynamic address object to be empty?

Options:

A.

The Application ID is incorrect.

B.

The Client secret is incorrect.

C.

The App registration does not have a role with necessary read permissions on the resource group.

D.

The resource group NSE8-Lab does not exist.

Question 21

Refer to the exhibit.

A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains & TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.

Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.

What are the two reasons for this behavior? (Choose two.)

Options:

A.

The private-data-encryption key entered on the primary did not match the value that the TPM expected.

B.

Configuration for TPM is not synchronized between FortiGate HA cluster members.

C.

The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.

D.

TPM functionality is not yet compatible with FortiGate HA.

E.

The administrator needs to manually enter the hex private data encryption key in FortiManager.

Question 22

A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.

Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

Options:

A.

Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.

B.

Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters

C.

Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.

D.

Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster

Question 23

You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is not a factor. Which adapter type for the NICs will you recommend?

Options:

A.

Native ESXi Networking with E1000

B.

Virtual Function (VF) PCI Passthrough

C.

Native ESXi Networking with VMXNET3

D.

Physical Function (PF) PCI Passthrough

Question 24

Refer to the exhibit.

You are managing a FortiSwitch 3032E that is managed by FortiLink on a FortiGate 3960E. The 3032E is heavily utilized and there is only one port free.

The requirement is to add an additional three FortiSwitch 448E devices with 10Gbps SFP+ connectivity directly to the 3032E. The plan is to use split port (phy-mode) with QSFP28 mode to connect the new 448E switches.

In this scenario, which statement about the switch deployment is correct?

Options:

A.

Additional ports on Switch 1 can be split for a maximum of 128 interfaces.

B.

The port most of Switch 1 must be changed to QSFP.

C.

After enabling split ports and rebooting Switch 1, the new ports can be configured from the FortiGate.

D.

Switches 2-4 will connect successfully with Switch 1 split port in QSFP28 mode.

Question 25

You are performing a packet capture on a FortiGate 2600F with the hyperscale licensing installed. You need to display on screen all egress/ingress packets from the port16 interface that have been offloaded to the NP7.

Which three commands need to be run? (Choose three.)

Options:

A.

diagnose npu sniffer filter intf port16

B.

diagnose npu sniffer filter selector 0

C.

diagnose sniffer packet npudbg

D.

diagnose npu sniffer filter dir 2

E.

diagnose sniffer packet port16

Question 26

Refer to the exhibit.

A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.

How will the sessions be load balanced between server 1 and server 2 during normal operation?

Options:

A.

Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions

B.

Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions

C.

Server 1 will receive 33.3% of the sessions, Server 2 will receive 66 6% of the sessions

D.

Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions

Question 27

A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this traffic.

Which two statements are true regarding the requirements? (Choose two.)

Options:

A.

FortiGate can perform SSH access proxy host-key validation.

B.

You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.

C.

SSH traffic is tunneled between the client and the access proxy over HTTPS

D.

Traffic is discarded as ZTNA does not support SSH connection rules

Question 28

Refer to the exhibit showing a FortiSOAR playbook.

You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.

What should be your next step?

Options:

A.

Go to the Incident Response tasks dashboard and run the pending actions

B.

Click on the notification icon on FortiSOAR GUI and run the pending input action

C.

Run the Mark Drive by Download playbook action

D.

Reply to the e-mail with the requested Playbook action

Question 29

Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

Options:

A.

The FortiGuard VOS can be used only with proxy-base policy inspections.

B.

If third-party AV database returns a match the scanned file is deemed to be malicious.

C.

The antivirus database queries FortiGuard with the hash of a scanned file

D.

The AV engine scan must be enabled to use the FortiGuard VOS feature

E.

The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.

Question 30

Refer to the exhibit.

A customer reports that they are not able to reach subnet 10.10.10.0/24 from their FortiGate device.

Based on the exhibit, what should you do to correct the situation?

Options:

A.

Enable iBGP multipath

B.

Enable recursive resolution for BGP routes

C.

Enable next-hop-self feature

D.

Enable additional-path feature

Question 31

Refer to the exhibits.

You are configuring a Let's Encrypt certificate to enable SSL protection to your website. When FortiWeb tries to retrieve the certificate, you receive a certificate status failed, as shown below.

Based on the Server Policy settings shown in the exhibit, which two configuration changes will resolve this issue? (Choose two.)

Options:

A.

Disable Redirect HTTP to HTTPS in the Server Policy.

B.

Remove the Web Protection Profile from this Server Policy.

C.

Enable HTTP service in the Server Policy.

D.

Configure a TXT record of the domain and point to the IP address of the Virtual Server.

Load More NSE8_812 Questions
Demo: 31 questions
Total 105 questions
Get NSE8_812 Full Access Download NSE8_812 PDF