Fortinet NSE 8 - Written Exam (NSE8_812) Practice Tests 2024 | Pass NSE8_812 with confidence!
Practice Fortinet Network Security Expert NSE8_812 exam. Online Exam Practice Tests with detailed explanations!
Fortinet NSE8_812 exam is the highest-level certification exam offered by Fortinet. It is designed to evaluate the skills and knowledge of cybersecurity professionals in advanced areas, such as cloud security, data center security, network security, and application security. NSE8_812 exam consists of approximately 60 multiple-choice and multiple-select questions that are designed to test the knowledge and experience of the candidate.
NEW QUESTION # 32
You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is not a factor. Which adapter type for the NICs will you recommend?
- A. Native ESXi Networking with VMXNET3
- B. Native ESXi Networking with E1000
- C. Physical Function (PF) PCI Passthrough
- D. Virtual Function (VF) PCI Passthrough
Answer: A
Explanation:
The FortiGate VM is a virtual firewall appliance that can run on various hypervisors, such as ESXi, Hyper-V, KVM, etc. The adapter type for NICs on a FortiGate VM determines the performance and compatibility of the network interface cards with the hypervisor and the physical network. There are different adapter types available for NICs on a FortiGate VM, such as E1000, VMXNET3, SR-IOV, etc. If performance is the main concern and cost is not a factor, one option is to use native ESXi networking with VMXNET3 adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor. VMXNET3 is a paravirtualized network interface card that is optimized for performance in virtual machines and supports features such as multiqueue support, Receive Side Scaling (RSS), Large Receive Offload (LRO), IPv6 offloads, and MSI/MSI-X interrupt delivery. Native ESXi networking means that the FortiGate VM uses the standard virtual switch (vSwitch) or distributed virtual switch (dvSwitch) provided by the ESXi hypervisor to connect to the physical network. This option can provide high performance and compatibility for NICs on a FortiGate VM without requiring additional hardware or software components. References: https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/installing-fortigate-vm-on-vmware-esxi https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/networking
NEW QUESTION # 33
Refer to the exhibits.
An administrator has configured a FortiGate and Forti Authenticator for two-factor authentication with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and authenticate but push notifications do not work Based on the information given in the exhibits, what must be done to fix this?
- A. On FG-1 port1, the ftm access protocol must be enabled.
- B. On FG-1 CLI, the ftm-push server setting must point to 100.64.141.
- C. On FAC-1, the FortiToken public IP setting must point to 100.64.1 41
- D. FAC-1 must have an internet routable IP address for push notifications.
Answer: D
Explanation:
FortiToken push notifications require that the FortiAuthenticator has an internet routable IP address. This is because the FortiAuthenticator uses this IP address to send push notifications to the FortiGate.
The other options are not correct. Enabling the ftm access protocol on FG-1 port1 is not necessary for push notifications to work. The ftm-push server setting on FG-1 CLI should already point to the FortiAuthenticator's IP address. The FortiToken public IP setting on FAC-1 is not relevant to push notifications.
Here is a table that summarizes the different options:
NEW QUESTION # 34
Refer to the exhibit.
A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode.
Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)
- A. Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.
- B. You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode
- C. OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk
- D. Traffic on AccountVInk and SalesVInk will not be accelerated.
- E. The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides.
Answer: A,D
Explanation:
The FortiGate configuration shown in the exhibit is using virtual domains (VDOMs) enabled in multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode. One correct statement about VDOM behavior is that traffic on AccountVInk and SalesVInk will not be accelerated. This is because standard VDOM links do not support hardware acceleration features such as NP6 or CP9 offloading, which can improve performance and throughput for traffic between VDOMs. To enable hardware acceleration for inter-VDOM traffic, non-standard VDOM links such as NP6 or CP9 interfaces should be used instead of standard VDOM links. Another correct statement about VDOM behavior is that Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs. This is because Admin type VDOMs are special VDOMs that can only be used for management purposes and cannot process any traffic other than management traffic (such as SSH, HTTPS, SNMP, etc.). Traffic type VDOMs are normal VDOMs that can process any kind of traffic (such as firewall policies, VPN tunnels, routing protocols, etc.). By default, Root VDOM is an Admin type VDOM that can manage other Traffic type VDOMs, unless it is converted to a Traffic type VDOM by using the set vdom-admin enable command. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/virtual-domains https://docs.fortinet.com/document/fortigate/7.0.0/hardware-acceleration-guide/19662/vdom-links
NEW QUESTION # 35
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)
- A. The AV engine scan must be enabled to use the FortiGuard VOS feature
- B. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
- C. The antivirus database queries FortiGuard with the hash of a scanned file
- D. The FortiGuard VOS can be used only with proxy-base policy inspections.
- E. If third-party AV database returns a match the scanned file is deemed to be malicious.
Answer: B,C
Explanation:
The FortiGuard Outbreak Prevention Service (VOS) is a feature that enhances the antivirus scanning capabilities of FortiGate by querying FortiGuard with the hash of a scanned file that is not found in the local antivirus database. If the hash matches a signature in the FortiGuard Global Threat Intelligence database, which contains information about known malware and zero-day threats, the file is deemed to be malicious and blocked by FortiGate. The VOS feature can be used with both proxy-based and flow-based policy inspections, and does not require the AV engine scan to be enabled. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/968606/outbreak-prevention-service
NEW QUESTION # 36
Review the following FortiGate-6000 configuration excerpt:
Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?
- A. It statically distributes SNAT source ports to operating FPCs or FPMs
- B. It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.
- C. It equally distributes SNAT source ports across chassis slots.
- D. It dynamically distributes SNAT source ports to operating FPCs or FPMs.
Answer: D
Explanation:
The configuration excerpt shows that the SNAT source port partitioning behavior is set to dynamic. This means that the FortiGate will dynamically distribute SNAT source ports to operating FPCs or FPMs. This ensures that active sessions are not interrupted if an FPC or FPM goes down.
The other options are incorrect. Option B is incorrect because the default SNAT configuration is static. Option C is incorrect because the configuration excerpt does not specify that SNAT source ports are statically distributed. Option D is incorrect because the SNAT source ports are not evenly distributed across chassis slots.
Here are some additional details about SNAT source port partitioning behavior:
SNAT source port partitioning behavior can be set to dynamic or static.
The default SNAT configuration is static.
Dynamic SNAT source port partitioning ensures that active sessions are not interrupted if an FPC or FPM goes down.
Static SNAT source port partitioning can improve performance by reducing the number of SNAT lookups.
NEW QUESTION # 37
You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail What are two possible reasons for this problem? (Choose two.)
- A. The FortiMail DKIM key was not set using the Auto Generation option.
- B. The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
- C. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.
- D. The FortiMail access control rules to relay from Office 365 servers public IPs are missing.
Answer: C,D
Explanation:
FortiMail Cloud service is a cloud-based email security solution that integrates with Office 365 to provide protection against spam, malware, phishing, data loss, etc. To use FortiMail Cloud service with Office 365, users need to configure both FortiMail Cloud settings and Office 365 settings properly. One possible reason for outgoing emails not reaching the recipients' mailboxes is that the FortiMail access control rules to relay from Office 365 servers public IPs are missing. This means that FortiMail Cloud service does not recognize the Office 365 servers as authorized senders and rejects the outgoing emails. Users need to add the Office 365 servers public IPs to the FortiMail access control rules to allow relaying. Another possible reason for outgoing emails not reaching the recipients' mailboxes is that a Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN. This means that Office 365 does not route the outgoing emails to the FortiMail Cloud service for scanning and delivery. Users need to create a Mail Flow connector from the Exchange Admin Center and specify the FortiMail Cloud FQDN as the smart host. Reference: https://docs.fortinet.com/document/fortimail-cloud/6.4.0/administration-guide/19662/integrating-fortimail-cloud-with-office-365
NEW QUESTION # 38
Refer to the exhibits.

A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.
Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)
- A. Ports 3 and 4 can be part of different switch interfaces.
- B. Client devices must have 802 1X authentication enabled
- C. FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.
- D. Devices connected directly to ports 3 and 4 can perform 802 1X authentication.
Answer: B,D
Explanation:
The customer wants to deploy a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E device. A hardware switch interface is an interface that combines multiple physical interfaces into one logical interface, allowing them to act as a single switch with one IP address and one set of security policies. The customer wants to use 802.1X authentication for this solution, which is a standard protocol for port-based network access control (PNAC) that authenticates clients based on their credentials before granting them access to network resources. One condition that allows authentication to the client devices before assigning an IP address is that devices connected directly to ports 3 and 4 can perform 802.1X authentication. This is because ports 3 and 4 are part of the hardware switch interface named "lan", which has an IP address of 10.10.10.254/24 and an inbound SSL inspection profile named "ssl-inspection". The inbound SSL inspection profile enables the FortiGate device to intercept and inspect SSL/TLS traffic from clients before forwarding it to servers, which allows it to apply security policies and features such as antivirus, web filtering, application control, etc. However, before performing SSL inspection, the FortiGate device needs to authenticate the clients using 802.1X authentication, which requires the clients to send their credentials (such as username and password) to the FortiGate device over a secure EAP (Extensible Authentication Protocol) channel. The FortiGate device then verifies the credentials with an authentication server (such as RADIUS or LDAP) and grants or denies access to the clients based on the authentication result. Therefore, devices connected directly to ports 3 and 4 can perform 802.1X authentication before assigning an IP address. Another condition that allows authentication to the client devices before assigning an IP address is that client devices must have 802.1X authentication enabled. This is because 802.1X authentication is a mutual process that requires both the client devices and the FortiGate device to support and enable it. The client devices must have 802.1X authentication enabled in their network settings, which allows them to initiate the authentication process when they connect to the hardware switch interface of the FortiGate device. The client devices must also have an 802.1X supplicant software installed, which is a program that runs on the client devices and handles the communication with the FortiGate device using EAP messages. The client devices must also have a trusted certificate installed, which is used to verify the identity of the FortiGate device and establish a secure EAP channel. Therefore, client devices must have 802.1X authentication enabled before assigning an IP address. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/hardware-switch-interfaces https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/802-1x-authentication
NEW QUESTION # 39
A customer is planning on moving their secondary data center to a cloud-based laaS. They want to place all the Oracle-based systems Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center.
They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority.
Which two design options are true based on these requirements? (Choose two.)
- A. Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.
- B. Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.
- C. Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge
- D. Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.
Answer: B,C
Explanation:
To secure the traffic between Azure and the main data center, a FortiGate VM can be deployed in Azure and configured to use IPSEC over ExpressRoute, as traffic is not encrypted by Azure by default. This also allows the use of Fortinet security features such as antivirus, IPS, web filtering, and application control. To implement SD-WAN between Azure and the main data center, two ExpressRoute services are required to provide redundant paths and load balancing. A FortiGate device at the data center edge can be configured to use SD-WAN rules to select the best path based on performance, availability, and cost. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103440/ipsec-vpn-between-fortigate-and-azure https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103441/sd-wan-between-fortigate-and-azure
NEW QUESTION # 40
You are creating the CLI script to be used on a new SD-WAN deployment You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.
The current configuration is:
Which configuration do you use for the Performance SLA members?
- A. set members any
- B. set members all
- C. set members 0
- D. current configuration already fulfills the requirement
Answer: B
Explanation:
D is correct because using set members all allows you to apply the Performance SLA configuration to all available interfaces without specifying them individually. This way, you do not need to change the configuration in case more connections are added to the branch. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan/978795/configuring-sd-wan-performance-sla
NEW QUESTION # 41
An automation stitch was configured using an incoming webhook as the trigger named 'my_incoming_webhook'. The action is configured to execute the CLI Script shown:
- A.

- B.

- C.

- D.

Answer: B
Explanation:
The CLI script in option A will send the log message to the webhook server. The webhook server can then be configured to take any desired action, such as storing the log message in a database or sending an email notification.
The other options are incorrect. Option B will not send the log message to the webhook server because it does not contain the curl command. Option C will send the log message to the webhook server, but it will also include the FortiGate's IP address and MAC address. This information is not necessary, and it could be used by an attacker to identify the FortiGate. Option D will not send the log message to the webhook server because it does not contain the webhook action.
References:
Automation webhook stitches: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/989735/webhook-action Webhooks: https://en.wikipedia.org/wiki/Webhook
NEW QUESTION # 42
Refer to the exhibit, which shows a VPN topology.
The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50 Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?
- A. The TCP port 21 must be allowed on the NAT Device2
- B. ADVPN is not supported when spokes are behind NAT
- C. Spoke1 will establish an ADVPN shortcut to Spoke2
- D. All the session traffic will pass through the Hub
Answer: C
Explanation:
D is correct because Spoke1 will establish an ADVPN shortcut to Spoke2 when it detects that there is a demand for traffic between them. This is explained in the Fortinet Community article on Technical Tip: Fortinet Auto Discovery VPN (ADVPN) under Summary - ADVPN sequence of events. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195698
NEW QUESTION # 43
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?
- A. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
- B. Configure two DNS servers and use DNS servers recommended by the two internet providers.
- C. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
- D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.
Answer: D
Explanation:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan
NEW QUESTION # 44
Refer to the exhibit.
A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains & TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.
Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.
What are the two reasons for this behavior? (Choose two.)
- A. TPM functionality is not yet compatible with FortiGate HA D The administrator needs to manually enter the hex private data encryption key in FortiManager
- B. The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.
- C. Configuration for TPM is not synchronized between FortiGate HA cluster members.
- D. The private-data-encryption key entered on the primary did not match the value that the TPM expected.
Answer: C,D
Explanation:
The two reasons for the negative impact on the FortiGate HA status and FortiManager status after enabling TPM are:
The private-data-encryption key entered on the primary unit did not match the value that the TPM expected. This could happen if the TPM was previously enabled and then disabled, and the key was changed in between. The TPM will reject the new key and cause an error in the configuration synchronization.
Configuration for TPM is not synchronized between FortiGate HA cluster members. Each cluster member must have the same private-data-encryption key to form a valid HA cluster and synchronize their configurations. However, enabling TPM on one unit does not automatically enable it on the other units, and the key must be manually entered on each unit. To resolve these issues, the administrator should disable TPM on all units, clear the TPM data, and then enable TPM again with the same private-data-encryption key on each unit. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic
NEW QUESTION # 45
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)
- A. Disable SSL between the FortiADC and the web servers
- B. Change the persistence rule to LB_PERSIS_SSL_SESSJD.
- C. Add a connection-pool to the FortiADC virtual server
- D. Add more web servers to the real server poof
Answer: C,D
Explanation:
Option B: Adding more web servers to the real server pool will increase the overall capacity of the load balancer, which should help to resolve the issue of users not being able to access the website.
Option D: Adding a connection-pool to the FortiADC virtual server will allow the load balancer to cache connections to the web servers, which can help to improve performance and reduce the number of dropped connections.
Option A: Changing the persistence rule to LB_PERSIS_SSL_SESSJD would only be necessary if the current persistence rule is not working properly. In this case, the CPU usage on the FortiADC and the web servers is low, so the persistence rule is likely not the issue.
Option C: Disabling SSL between the FortiADC and the web servers would reduce the load on the FortiADC, but it would also make the website less secure. Since the bandwidth utilization is under 30%, it is unlikely that disabling SSL would resolve the issue.
NEW QUESTION # 46
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)
- A. disable on ICL trunks
- B. enable on ICL trunks
- C. disable on the ISL and FortiLink trunks
- D. enable on the ISL and FortiLink trunks
Answer: A,C
Explanation:
A is correct because disabling igmps-flood-traffic and igmps-flood-report on ICL trunks prevents unnecessary multicast traffic from being flooded across the MCLAG cluster members. C is correct because disabling igmps-flood-traffic and igmps-flood-report on the ISL and FortiLink trunks prevents unnecessary multicast traffic from being flooded to other switches or FortiGates that do not have multicast listeners. Reference: https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding/381058/configuring-multicast-forwarding
NEW QUESTION # 47
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)
- A. Change the persistence rule to LB_PERSIS_SSL_SESSJD.
- B. Disable SSL between the FortiADC and the web servers
- C. Add a connection-pool to the FortiADC virtual server
- D. Add more web servers to the real server poof
Answer: A,C
Explanation:
The FortiADC HA cluster is a load balancing solution that distributes traffic among multiple web servers in L7 Full NAT mode. L7 Full NAT mode means that FortiADC terminates both client and server SSL connections and performs full NAT for both source and destination IP addresses and ports. One possible reason for users not being able to access the website during a sale event is that the persistence rule is not configured properly. Persistence rule is a feature that ensures that subsequent requests from the same client are sent to the same web server, which is important for maintaining session continuity and avoiding errors or data loss. The default persistence rule for L7 Full NAT mode is LB_PERSIS_SRC_IP, which uses the source IP address of the client as the persistence key. However, this rule may not work well if there are many clients behind a proxy or NAT device that share the same source IP address, or if there are clients that change their source IP address frequently due to roaming or switching networks. Therefore, to resolve this situation, one option is to change the persistence rule to LB_PERSIS_SSL_SESSJD, which uses the SSL session ID of the client as the persistence key. This rule can provide more accurate and reliable persistence for SSL connections than LB_PERSIS_SRC_IP. Another possible reason for users not being able to access the website during a sale event is that there are too many TCP connections being established and terminated between FortiADC and the web servers, which consumes CPU resources and causes performance degradation. Therefore, to resolve this situation, another option is to add a connection-pool to the FortiADC virtual server. Connection-pool is a feature that allows FortiADC to reuse existing TCP connections between FortiADC and the web servers, instead of creating new ones for each request. This can reduce CPU overhead, improve response time, and increase throughput. Reference: https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/load-balancing-methods-and-persistence https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/connection-pool
NEW QUESTION # 48
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)
- A. disable on ICL trunks
- B. enable on ICL trunks
- C. disable on the ISL and FortiLink trunks
- D. enable on the ISL and FortiLink trunks
Answer: A,C
Explanation:
A is correct because disabling igmps-flood-traffic and igmps-flood-report on ICL trunks prevents unnecessary multicast traffic from being flooded across the MCLAG cluster members. C is correct because disabling igmps-flood-traffic and igmps-flood-report on the ISL and FortiLink trunks prevents unnecessary multicast traffic from being flooded to other switches or FortiGates that do not have multicast listeners. Reference: https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding/381058/configuring-multicast-forwarding
NEW QUESTION # 49
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic.
Which action achieves the requirement in this scenario?
- A. Add a switch between the FortiGate and FEX.
- B. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
- C. Add a VLAN under the FEX-WAN interface on the FortiGate.
- D. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode
Answer: B
Explanation:
The FortiExtender (FEX) is a device that provides wireless WAN connectivity for FortiGate devices by using 3G/4G/LTE cellular networks. The FEX can be managed by the FortiGate device that it connects to, or by a FortiManager device in a centralized management scenario. The FEX can use either Ethernet or CAPWAP connectivity to communicate with the FortiGate device. Ethernet connectivity means that the FEX uses a standard Ethernet connection to send and receive data packets from the FortiGate device. CAPWAP connectivity means that the FEX uses a Control And Provisioning of Wireless Access Points (CAPWAP) tunnel to encapsulate data packets and send them over an IP network to the FortiGate device. If the requirement is to minimize the overhead on the device for WAN traffic, one option is to enable CAPWAP connectivity between the FortiGate and the FEX. This option can reduce the overhead on the device by offloading some of the processing tasks from the CPU to the NP6 processor, which can handle CAPWAP traffic more efficiently than Ethernet traffic. This option can also provide more flexibility and scalability for WAN traffic by allowing multiple FEX devices to connect to a single FortiGate device over an IP network. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/configuring-fortigate-with-fortiextender https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/capwap-connectivity
NEW QUESTION # 50
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?
- A. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
- B. Configure two DNS servers and use DNS servers recommended by the two internet providers.
- C. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
- D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.
Answer: D
Explanation:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. References: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan
NEW QUESTION # 51
Refer to the exhibit.
The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.
Referring to the exhibit, which two actions will fix these errors? (Choose two.)
- A. Install a new known CA on the Win2K16-EMS server.
- B. Authorize the root FortiGate on the FortiClient EMS
- C. Verify that the CRL is accessible from the root FortiGate
- D. Export and import the FortiClient EMS server certificate to the root FortiGate.
Answer: B,C
Explanation:
A is correct because the error message "The CRL is not accessible" indicates that the root FortiGate cannot access the CRL for the FortiClient EMS server. Verifying that the CRL is accessible will fix this error.
D is correct because the error message "The FortiClient EMS server is not authorized" indicates that the root FortiGate is not authorized to connect to the FortiClient EMS server. Authorizing the root FortiGate on the FortiClient EMS server will fix this error.
The other options are incorrect. Option B is incorrect because exporting and importing the FortiClient EMS server certificate to the root FortiGate will not fix the CRL error. Option C is incorrect because installing a new known CA on the Win2K16-EMS server will not fix the authorization error.
References:
Troubleshooting FortiClient EMS connectivity | FortiClient / FortiOS 7.0.0 - Fortinet Document Library Authorizing FortiGates with FortiClient EMS | FortiClient / FortiOS 6.4.8 - Fortinet Document Library
NEW QUESTION # 52
A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this traffic.
Which two statements are true regarding the requirements? (Choose two.)
- A. SSH traffic is tunneled between the client and the access proxy over HTTPS
- B. Traffic is discarded as ZTNA does not support SSH connection rules
- C. You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
- D. FortiGate can perform SSH access proxy host-key validation.
Answer: A,D
Explanation:
ZTNA supports SSH connection rules that allow remote workers to access SSH servers inside the network through an HTTPS tunnel between the client and the access proxy (FortiGate). The access proxy acts as an SSH client to connect to the real SSH server on behalf of the user, and performs host-key validation to verify the identity of the server. The user can use any SSH client that supports HTTPS proxy settings, such as PuTTY or OpenSSH. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/899992/configuring-ztna-rules-to-control-access
NEW QUESTION # 53
Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1).
Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?
- A. The FortiToken license will need to be installed on the FAC2.
- B. FAC2 can have its HA interface on a different network than FAC1.
- C. FAC2 can only process requests when FAC1 fails.
- D. FSSO sessions from FAC1 will be synchronized to FAC2.
Answer: D
Explanation:
When FortiAuthenticator operates in cluster mode, it provides active-passive failover and synchronization of all configuration and data, including FSSO sessions, between the cluster members. Therefore, if FAC1 is the active unit and FAC2 is the standby unit, any FSSO sessions from FAC1 will be synchronized to FAC2. If FAC1 fails, FAC2 will take over the active role and continue to process the FSSO sessions. References: https://docs.fortinet.com/document/fortiauthenticator/6.1.2/administration-guide/122076/high-availability
NEW QUESTION # 54
Refer to the exhibit showing FortiGate configurations
FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.
The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.
What change will correct HA functionality in this scenario?
- A. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
- B. Make the monitored IP to match on both FortiManager devices.
- C. Change the priority of FMG-A to be numerically lower for higher preference
- D. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.
Answer: B
Explanation:
B is correct because the monitored IP must match on both FortiManager devices for HA to function properly. This is explained in the FortiManager Administration Guide under High Availability > Configuring HA options > Configuring HA options using the GUI. References: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options
NEW QUESTION # 55
Refer to the exhibits.
The exhibits show a diagram of a requested topology and the base IPsec configuration.
A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.
In this scenario, which feature should be implemented to achieve this requirement?
- A. Use network-overlay id
- B. Use peer-id
- C. Use local-id
- D. Change advpn2 to IKEv1
Answer: A
Explanation:
A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. References: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn
NEW QUESTION # 56
......
Fortinet NSE8_812, also known as the Fortinet NSE 8 - Written Exam, is a certification exam designed to test the knowledge and skills of experienced network security professionals. NSE8_812 exam is intended for individuals who have a deep understanding of Fortinet's security solutions and are looking to become certified experts in the field. The Fortinet NSE8_812 exam is a rigorous, comprehensive test that covers a wide range of topics related to network security, including advanced threat protection, network design, and security policies.
Get instant access to NSE8_812 practice exam questions: https://drive.google.com/open?id=1S-uD62IdRe3JPs54LJDpMKI-65xdolGy
The best NSE8_812 exam study material and preparation tool is here: https://www.troytecdumps.com/NSE8_812-troytec-exam-dumps.html