1. Home
  2. Fortinet
  3. NSE8_811

Fortinet NSE 8 Written Exam (NSE8_811)

Exam Details

  • Exam Code
    :NSE8_811
  • Exam Name
    :Fortinet NSE 8 Written Exam (NSE8_811)
  • Certification
    :Fortinet Certifications
  • Vendor
    :Fortinet
  • Total Questions
    :60 Q&As
  • Last Updated
    :Dec 30, 2024

Fortinet Fortinet Certifications NSE8_811 Questions & Answers

  • Question 1:

    Refer to the exhibit.

    An administrator wants to implement a multi-chassis link aggregation (MCLAG) solution using two FortiSwitch 448D devices and one FortiGate 3700D. As described in the network topology shown in the exhibit, two links are already connected from the FortiGate to each FortiSwitch.

    What is required to implement this solution? (Choose two.)

    A. Replace the FortiGate as this one does not have an ISF.

    B. Create two separate link aggregated (LAG) interfaces on the FortiGate side for each FortiSwitch.

    C. Add set fortilink-split-interface disable on the FortiLink interface.

    D. An ICL link between both FortiSwitch devices needs to be added.

  • Question 2:

    Refer to the exhibit.

    Only users authenticated in FortiGate-B can reach the server. A customer wants to deploy a single sign-on solution for IPsec VPN users. Once a user is connected and authenticated to the VPN in FortiGate-A, the user does not need to authenticate again in FortiGate-B to reach the server.

    Referring to the exhibit, which two actions satisfy this requirement? (Choose two.)

    A. Use Kerberos authentication.

    B. Use the Collector Agent.

    C. Use FortiAuthenticator.

    D. FortiGate-A must generate a RADIUS accounting packet.

  • Question 3:

    A FortiGate is used as a VPN hub for a number of remote spoke VPN units (Group A) spokes using a phase 1 main mode dial-up tunnel and pre-shared keys. You are asked to establish VPN connectivity for a newly acquired organization's sites for which new devices will be provisioned Group B spokes.

    Both existing Group A and new Group B spoke units are dynamically addressed through a single public IP Address on the hub. You are asked to ensure that spokes from Group B have different access permissions than the existing VPN spokes units Group A.

    Which two solutions meet the requirements for the new spoke group? (Choose two.)

    A. Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the Group A spokes.

    B. Implement a new phase 1 dial-up main mode tunnel with certificate authentication.

    C. Implement a new phase 1 dial-up main mode tunnel with pre-shared keys and XAuth.

    D. Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer ID.

  • Question 4:

    You configured a firewall policy with only a Web filter profile for accessing the Internet. Access to websites belonging to the "Information Technology" category are blocked and to the "Business" category are allowed. SSL deep inspection is not enabled on this policy.

    A user wants to access the website https://www.it-acme.com which presents a certificate with CN=www.acme.com. The it-acme.com domain is categorized as "Information Technology" and the acme.com domain is categorized as "Business".

    Which statement regarding this scenario is correct?

    A. The FortiGate is able to read the URL within HTTPS sessions when using SSL certificate inspection so the website will be blocked by the "Information Technology".

    B. The website will be blocked by category "Information Technology" as the SNI takes precedence over the certificate name.

    C. The website will be allowed by category "Business" as the certificate name takes precedence over the URL.

    D. Only with SSL deep inspection enabled will the FortiGate be able to categorized this website.

  • Question 5:

    Refer to the exhibit.

    Central NAT was configured on a FortiGate firewall. A sniffer shows ICMP packets out to a host on the Internet egresses with the port1 IP address instead of the virtual IP (VIP) that was configured

    Referring to the exhibit, which configuration change will ensure that ICMP traffic is also translated?

    A. Option A

    B. Option B

    C. Option C

    D. Option D

  • Question 6:

    A company has just rolled out new remote sites and now you need to deploy a single firewall policy to all of these sites to allow Internet access using FortiManager. For this particular firewall policy, the source address object is called LAN, but its value will change according to the site the policy is being installed.

    Which statement about creating the object LAN is correct?

    A. Create a new object called LAN and enable per-device mapping.

    B. Create a new object called LAN and promote it to the global database.

    C. Create a new object called LAN and use it as a variable on a TCL script.

    D. Create a new object called LAN and set meta-fields per remote site.

  • Question 7:

    Refer to the exhibit.

    You are working on FortiGate 61E operating in flow-based inspection mode with various settings optimized for performance. The main Internet firewall policy is using the "default" antivirus profile. You found that some executable virus samples files downloaded over HTTP are not being blocked by the FortiGate.

    Referring to the exhibit, how can this be fixed?

    A. Change the set scan-mode configuration to full.

    B. Disable the emulator feature.

    C. Change the set default-db configuration to extreme.

    D. Add set content-disarm enable to the configuration.

  • Question 8:

    Refer to the exhibit.

    An organization has a FortiGate cluster that is connected to two independent ISPs. You must configure the FortiGate failover for a single ISP failure to occur without disruption.

    Referring to the exhibit, which two FortiGate BGP features are enabled to accomplish this task? (Choose two.)

    A. EBGP multipath

    B. Graceful restart

    C. Synchronization

    D. BFD

  • Question 9:

    A legacy router has been replaced by a FortiGate device. The FortiGate has inherited the management IP address of the router and now the network administrator needs to remove the router from the FortiSIEM configuration.

    Which two statements about this operation are true? (Choose two.)

    A. FortiSIEM will move the router device into the Decommission folder.

    B. The router will be completely deleted from the FortiSIEM database.

    C. By default, FortiSIEM can only parser event logs for FortiGate devices.

    D. FortiSIEM will discover a new device for the FortiGate with the same IP.

  • Question 10:

    You have configured an HA cluster with two FortiGate devices. You want to make sure that you are able to manage the individual cluster members directly using port3.

    Referring to the configuration shown, in which two ways can you accomplish this task? (Choose two.)

    A. Create a management VDOM and disable the HA synchronization for this VDOM, assign port3 to this VDOM, then configure specific IPs for port3 on both cluster members.

    B. Configure port3 to be a dedicated HA management interface; then configure specific IPs for port3 on both cluster members.

    C. Allow administrative access in the HA heartbeat interfaces.

    D. Disable the sync feature on port3; then configure specific IPs for port3 on both cluster members.

Related Exams:

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Fortinet exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your NSE8_811 exam preparations and Fortinet certification application, do not hesitate to visit our Vcedump.com to find your solutions here.