Exam Details

  • Exam Code: NSE8_811
  • Exam Name: Fortinet NSE 8 Written Exam (NSE8_811)
  • Certification: Fortinet Certifications
  • Vendor: Fortinet
  • Total Questions: 60 Q&As
  • Last Updated: Dec 30, 2024

Fortinet Fortinet Certifications NSE8_811 Questions & Answers

  • Question 51:

    Refer to the exhibit.

    A FortiGate device is configured to authenticate SSL VPN users using digital certificates. A partial FortiGate configuration is shown in the exhibit.

    Referring to the exhibit, which two statements about this configuration are true? (Choose two.)

    A. The authentication will fail if the user certificate does not contain the user principal name (UPN) information.

    B. The authentication will fail if the user certificate does not contain the CA_Cert string in the CA field.

    C. The authentication will fail if the OCSP server is down.

    D. OCSP is used to verify that the user-signed certificate has not expired.

  • Question 52:

    Consider the following FortiGate configuration: Which command-line option for deep inspection SSL would have the FortiGate re-sign all untrusted self-signed certificates with the trusted Fortinet_CA_SSL certificate?

    A. block

    B. inspect

    C. allow

    D. ignore

  • Question 53:

    Refer to the exhibit.

    A FortiGate is configured for a dial-up IPsec VPN to allow multiple remote FortiGate devices to connect to it. However, FortiGate A and B have problems connecting to the VPN. Only one of them can be connected at a time. If site B tries to connect while site A is connected, site A is disconnected. The IKE real-time debug shows the output in the exhibit when site A is disconnected.

    Referring to the exhibit, which configuration setting should be executed in the dial-up configuration to allow both VPNs to be connected at the same time?

    A. set route-overlap allow

    B. set single-source disable

    C. set enforce-unique-id disable

    D. set add-route enable

  • Question 54:

    A customer wants to enable SYN flood mitigation in a FortiDDoS device. The FortiDDoS must reply with one SYN/ACK packet per SYN packet from a new source IP address. Which SYN flood mitigation mode must the customer use?

    A. SYN retransmission

    B. SYN/ACK cookie

    C. SYN cookie

    D. ACK cookie

  • Question 55:

    Refer to the exhibit.

    You configured AV and Web filtering for your outgoing Internet connections. You later notice that not all Web sessions are being inspected and you start troubleshooting the problem.

    Referring to the exhibit, what can be causing this problem?

    A. The Web session is using QUIC which is not inspected by the FortiGate.

    B. There are problems with the connection to the Web filter servers, therefore the Web session cannot be categorized.

    C. The SSL inspection options are not set to deep inspection.

    D. Web filtering is not licensed; therefore, no inspection occurs.

  • Question 56:

    You are asked to add a FortiDDoS to the network to combat detected slow connection attacks such as Slowloris.

    Which prevention mode on FortiDDoS will protect you against this specific type of attack?

    A. asymmetric mode

    B. aggressive aging mode

    C. rate limiting mode

    D. blocking mode

  • Question 57:

    You are building a FortiGate cluster which is stretched over two locations. The HA connections for the cluster are terminated on the local switches in the data centers. Once the FortiGate devices have booted, they do not form a cluster. The network operators inform you that CRC errors are present on the switches where the FortiGate devices are connected.

    What should you do to solve this problem?

    A. Set the speed/duplex setting to 1 Gbps / Full Duplex.

    B. Replace the cables where the CRC errors occur.

    C. Place the HA interfaces in dedicated VLANs.

    D. Change the ethertype for the HA packets.

  • Question 58:

    Refer to the exhibit.

    The exhibit shows the steps for creating a URL rewrite policy on a FortiWeb. Which statement represents the purpose of this policy?

    A. The policy redirects all HTTPS URLs to HTTP.

    B. The policy redirects all HTTP URLs to HTTPS.

    C. The policy redirects only HTTP URLs containing the ^/(.*)$ string to HTTPS.

    D. The policy redirects only HTTPS URLs containing the ^/(.*)$ string to HTTP.

  • Question 59:

    You want to manage a FortiGate with the FortiCloud service. The FortiGate shows up in your list of devices on the FortiCloud Web site, but all management functions are either missing or grayed out.

    Which statement is correct in this scenario?

    A. The management tunnel mode on the managed FortiGate must be changed to normal.

    B. The managed FortiGate is running a version of FortiOS that is either too new or too old for FortiCloud.

    C. The managed FortiGate requires that a FortiCloud management license be purchased and applied.

    D. You must manually configure system central-management on the FortiGate CLI and set the management type to fortiguard.

  • Question 60:

    Refer to the exhibit.

    The exhibit shows a full-mesh topology between FortiGate and FortiSwitch devices. To deploy this configuration, two requirements must be met:

      • 20 Gbps full duplex connectivity is available between each FortiGate and the FortiSwitch devices.
      • The FortiGate HA must be in AP mode.

    Referring to the exhibit, what are two actions that will fulfill the requirements? (Choose two.)

    A. Configure the master FortiGate with one LAG and FortiLink split interface disabled on ports connected to cables A and C and make sure the same ports are used for cables B and D on the slave.

    B. Configure the master FortiGate with one LAG and FortiLink split interface enabled on ports connected to cables A and C and make sure the same ports are used for cables B and D on the slave.

    C. Configure both FortiSwitch devices as peers with ICL over cable E, create one MCLAG on ports connected to cables A and C, and create another MCLAG on ports connected to cables B and D.

    D. Configure both FortiSwitch devices as peers with ISL over cable E, create one MCLAG on ports connected to cables A and C, and create another MCLAG on ports connected to cables B and D.
