Summer Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: ecus65

Fortinet NSE8_812 - Network Security Expert 8 Written Exam

Page: 3 / 4
Total 105 questions

A FortiGate deployment contains the following configuration:

What is the result of this configuration?

A.

Route-maps are not configurable in VDOM SERVICES

B.

Route-maps from the Root VDOM configuration are available in VDOM SERVICES

C.

Route-maps from VDOM SERVICES are available in all other VDOMs

D.

Route-maps for VDOM SERVICES are excluded from HA configuration synchronization

SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.

You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.

What should you configure?

A.

Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.

B.

Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.

C.

Configure two DNS servers and use DNS servers recommended by the two internet providers.

D.

Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)

• Public IP address (129.11.1.100) is assigned to portl

• Datacenter.acmecorp.com resolves to the public IP address assigned to portl

The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.

Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

A customer has FortiAP devices in three branch offices managed from a FortiGate in the HQ. Each FortiAP is connected to a dedicated management VLAN.

The customer wants the users connected to the FortiAP SSIDs to use the branch local internet connection, but each branch uses a different VLAN ID for the bridge. HQ users travel to different branches and connect to the same SSID.

Which configuration option will solve this requirement?

A.

Set each FortiAP to a wtp-group and use set vlan-pooling wtp-group on the VAP configuration with the corresponding VLAN ID configuration for each group.

B.

Set a FortiAuthenticator for 802.1x authentication with the Tunnel-Type attribute set to VLAN and use set dynamic-vlan enable on the VAP configuration.

C.

Use set vlan-pooling round-robin on the VAP configuration with the corresponding vlan-pool.

D.

Use set vlan-pooling hash on the VAP configuration with the corresponding vlan-pool.

Refer to The exhibit, which shows a topology diagram.

A customer wants to use SD-WAN for traffic generated from the data center towards Branches. SD-WAN on HUB should follow the underlay condition on each Branch and the solution should be scalable for hundreds of Branches.

Which SD WAN-Rules strategy should be used?

A.

Manual based on route-tags

B.

Lowest Cost SLA

C.

Auto based on link quality

D.

Best Quality based on route-tags

A customer is planning on moving their secondary data center to a cloud-based laaS. They want to place all the Oracle-based systems Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center.

They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority.

Which two design options are true based on these requirements? (Choose two.)

A.

Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.

B.

Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.

C.

Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.

D.

Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge

Refer to the exhibits, which show a topology and diagnostic commands.

Which two statements about the path resolution are true? (Choose two.)

A.

Latency is the quality criteria.

B.

wan1 is currently used as an outgoing interface.

C.

wan2 is currently used as an outgoing interface.

D.

Packet-loss is the quality criteria.

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

A.

OCSP checks will always go to the configured FortiAuthenticator

B.

The OCSP check of the certificate can be combined with a certificate revocation list.

C.

OCSP certificate responses are never cached by the FortiGate.

D.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.

CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.

Which two options can resolve this situation? (Choose two.)

A.

Change the persistence rule to LB_PERSIS_SSL_SESSJD.

B.

Add more web servers to the real server poof

C.

Disable SSL between the FortiADC and the web servers

D.

Add a connection-pool to the FortiADC virtual server

Refer to the exhibits.

The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.

You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.

All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must forward it to the third-party service, which will send the email back to FortiMail for final delivery, FortiMail must not scan the e-mail again.

Which three configuration tasks must be performed to meet these requirements? (Choose three.)

A.

Change the scan order in FML-GW to antispam-sandbox-content.

B.

Apply the Catch-Ail profile to the CFInbound profile and configure a content action profile to deliver to the srv. thirdparty. com FQDN

C.

Create an access receive rule with a Sender value of srv. thirdparcy.com, Recipient value of *@acme.com, and action value of Safe

D.

Apply the Catch-AII profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.

E.

Create an IP policy with a Source value of 100. 64 .0.72/32, enable precedence, and place the policy at the top of the list.