Question 1:
The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.
You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.
All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the e-mail is clean, FortiMail must forward it to the third-party service, which will send the e-mail back to FortiMail for final delivery; FortiMail must not scan the e-mail again.
Which three configuration tasks must be performed to meet these requirements? (Choose three.)
A. Change the scan order in FML-GW to antispam-sandbox-content.
B. Apply the Catch-All profile to the CFInbound profile and configure a content action profile to deliver to the srv.thirdparty.com FQDN
C. Create an access receive rule with a Sender value of srv.thirdparty.com, Recipient value of *@acme.com, and action value of Safe
D. Apply the Catch-All profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.
E. Create an IP policy with a Source value of 100.64.0.72/32, enable precedence, and place the policy at the top of the list.
Correct Answer: ABE
A is correct because the scan order must be changed to antispam-sandbox-content in order for FortiMail to scan the e-mail for spam and viruses before forwarding it to the third-party service.
B is correct because the Catch-All profile must be applied to the CFInbound profile in order for FortiMail to forward clean e-mails to the third-party service.
E is correct because an IP policy must be created with a Source value of 100.64.0.72/32 in order to allow e-mails from the third-party service to be delivered to FortiMail.
The other options are not necessary to meet the requirements. Option C is not necessary because the access receive rule will already allow e-mails from the third-party service to be received by FortiMail. Option D is not necessary because the Catch-All profile already allows e-mails to be delivered to any destination.
Here are some additional details about integrating a third-party service into the FortiMail e-mail processing path:
The third-party service must be able to receive emails from FortiMail and send them back to FortiMail.
The third-party service must be able to communicate with FortiMail using the SMTP protocol.
The third-party service must be able to authenticate with FortiMail using the SMTP AUTH protocol.
Once the third-party service is integrated into the FortiMail e-mail processing path, all inbound e-mails will be processed by FortiMail as usual. If the e-mail is clean, FortiMail will forward it to the third-party service. The third-party service will then send the e-mail back to FortiMail for final delivery. FortiMail will not scan the e-mail again.
Question 2:
Refer to the exhibit.
The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.
Referring to the exhibit, which two actions will fix these errors? (Choose two.)
A. Verify that the CRL is accessible from the root FortiGate
B. Export and import the FortiClient EMS server certificate to the root FortiGate.
C. Install a new known CA on the Win2K16-EMS server.
D. Authorize the root FortiGate on the FortiClient EMS
Correct Answer: AD
A is correct because the error message "The CRL is not accessible" indicates that the root FortiGate cannot access the CRL for the FortiClient EMS server. Verifying that the CRL is accessible will fix this error.
D is correct because the error message "The FortiClient EMS server is not authorized" indicates that the root FortiGate is not authorized to connect to the FortiClient EMS server. Authorizing the root FortiGate on the FortiClient EMS server will fix this error.
The other options are incorrect. Option B is incorrect because exporting and importing the FortiClient EMS server certificate to the root FortiGate will not fix the CRL error. Option C is incorrect because installing a new known CA on the Win2K16-EMS server will not fix the authorization error.
Question 3:
You have been tasked with replacing the managed switch FortiSwitch 2 shown in the topology. Which two actions are correct regarding the replacement process? (Choose two.)
A. After replacing the FortiSwitch unit, the automatically created trunk name does not change
B. CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate
C. After replacing the FortiSwitch unit, the automatically created trunk name changes.
D. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.
Correct Answer: AB
A is correct because the automatically created trunk name is based on the MAC address of the FortiSwitch unit. When the FortiSwitch unit is replaced, the MAC address will change, but the trunk name will not change.
B is correct because CLAG-ICL is a manually configured link aggregation group. When the FortiSwitch unit is replaced, the CLAG-ICL configuration will need to be manually reconfigured on the new FortiSwitch unit.
The other options are incorrect. Option C is incorrect because the automatically created trunk name does not change when the FortiSwitch unit is replaced. Option D is incorrect because MCLAG-ICL is a manually configured link aggregation group and will not be automatically reconfigured when the FortiSwitch unit is replaced.
References:
Configuring link aggregation on FortiSwitches | FortiSwitch / FortiOS 7.0.4 - Fortinet Document Library
Managing FortiLink | FortiGate / FortiOS 7.0.4 - Fortinet Document Library
Question 4:
You are creating the CLI script to be used on a new SD-WAN deployment. You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.
The current configuration is:
Which configuration do you use for the Performance SLA members?
A. set members any
B. set members 0
C. current configuration already fulfills the requirement
D. set members all
Correct Answer: A
Explanation: The set members any option will ensure that all of the SD-WAN interfaces are included in the Performance SLA. This is the best option if you want to be sure that the Performance SLA will be triggered even if more connections are added to the branch in the future.
The set members 0 option will exclude all of the SD-WAN interfaces from the Performance SLA. This is not a good option because it will prevent the Performance SLA from being triggered even if there is a problem with the network.
The current configuration already fulfills the requirement option is incorrect because it does not ensure that all of the SD-WAN interfaces will be included in the Performance SLA.
The set members all option will include all of the SD-WAN interfaces in the Performance SLA, but it is not the best option because it is not scalable. If you have a large number of SD-WAN interfaces, this option will cause the Performance SLA to be triggered too often.
References:
Performance SLA | FortiGate / FortiOS 7.4.0
Configuring Performance SLA | FortiGate / FortiOS 7.4.0
Question 5:
You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:
The devices and the administrator are all located in different time zones. Daylight saving time (DST) is disabled. The FortiGate is at GMT-1000. The FortiAnalyzer is at GMT-0800. Your browser local time zone is at GMT-0300.
You want to review this log in the FortiAnalyzer GUI. What time should you use as a filter?
A. 20:37:08
B. 10:37:08
C. 17:37:08
D. 12:37:08
Correct Answer: C
Explanation: To review this log in the FortiAnalyzer GUI, the administrator should use the time filter that matches the local time zone of FortiAnalyzer, which is GMT-0800. Since the log was generated at 20:37 UTC (GMT+0000), the corresponding time in GMT-0800 is 20:37 - 8 hours = 12:37. However, since DST is disabled on FortiAnalyzer, the administrator should add one hour to account for the daylight saving time difference, resulting in 12:37 + 1 hour = 13:37. Therefore, the time filter to use is 13:37:08.
References: https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-guide/103664/time-zone-and-daylight-saving-time
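As an added example that is not part of the page, a small Python helper that reads the tz= field of a FortiGate log line and shows the same event on the clocks of each zone named in the question. The log line is constructed (the exhibit is not reproduced here) and the zone offsets are the ones the question states, with DST disabled everywhere.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed FortiGate log line standing in for the page's exhibit: FortiGate
# stamps date/time in its own zone and records that zone in the tz= field.
SAMPLE_LOG = ('date=2023-10-12 time=10:37:08 logid="0000000013" type="traffic" '
              'subtype="forward" level="notice" tz="-1000" srcip=10.1.1.5 '
              'dstip=203.0.113.7 action="accept"')

# Offsets from the question, in hours from UTC (DST disabled)
ZONES = {"FortiGate": -10, "FortiAnalyzer": -8, "Browser": -3}


def parse_fgt_log(line):
    """Split a FortiGate key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def event_time_utc(fields):
    """Combine date/time/tz from the log into a timezone-aware UTC datetime."""
    tz = fields["tz"]                                   # e.g. "-1000"
    sign = -1 if tz.startswith("-") else 1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    local = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def display_time(event_utc, offset_hours):
    """Wall-clock HH:MM:SS of the event as seen from a zone at the given offset."""
    return event_utc.astimezone(timezone(timedelta(hours=offset_hours))).strftime("%H:%M:%S")


def event_by_zone(line):
    """Map each zone name from the question to the time the event shows there."""
    utc = event_time_utc(parse_fgt_log(line))
    out = {"UTC": utc.strftime("%H:%M:%S")}
    out.update({name: display_time(utc, off) for name, off in ZONES.items()})
    return out


if __name__ == "__main__":
    for zone, clock in event_by_zone(SAMPLE_LOG).items():
        print(f"{zone:14} {clock}")
```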
Question 6:
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-flood-traffic and igmps-flood-report settings? (Choose two.)
A. disable on ICL trunks
B. enable on ICL trunks
C. disable on the ISL and FortiLink trunks
D. enable on the ISL and FortiLink trunks
Correct Answer: AD
Explanation: To ensure that unnecessary multicast traffic is pruned from links that do not have a multicast listener, you must disable IGMP flood traffic on the ICL trunks and enable IGMP flood reports on the ISL and FortiLink trunks. Disabling IGMP flood traffic will prevent the FortiSwitch units from flooding multicast traffic to all ports on the ICL trunks. This will help to reduce unnecessary multicast traffic on the network.
Enabling IGMP flood reports will allow the FortiSwitch units to learn which ports are interested in receiving multicast traffic. This will help the FortiSwitch units to prune multicast traffic from links that do not have a multicast listener.
Question 7:
Refer to the exhibits.
A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table. Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.
Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)
A. 172.16.204.128/25
B. 172.16.201.96/29
C. 172,620,64,27
D. 172.16.204.64/27
Correct Answer: AD
Explanation: The prefix list in the exhibit is configured to match prefixes that are either in the 172.16.204.0/24 subnet or in the 172.62.0.0/16 subnet. The routes that match these prefixes will be active in the routing table on the HQ firewall. The routes that match the following prefixes will not be active in the routing table:
172.16.201.96/29
These routes do not match the criteria set by the prefix list.
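As an added example that is not part of the page, the prefix-list matching logic behind this answer in Python. The HQ prefix list itself is not reproduced in the exhibit, so the two permit entries below are assumed from the explanation (172.16.204.0/24 and 172.62.0.0/16, each with le 32 so that longer prefixes inside them also match); the ge/le window and the implicit deny follow the usual FortiOS/Cisco prefix-list convention.

```python
import ipaddress

# Assumed stand-in for the HQ prefix list in the exhibit (not reproduced on
# the page): (action, prefix, ge, le). ge/le bound the route length that may
# match; with neither set, the length must equal the entry's own length.
HQ_PREFIX_LIST = [
    ("permit", "172.16.204.0/24", None, 32),
    ("permit", "172.62.0.0/16", None, 32),
]


def entry_matches(route, prefix, ge=None, le=None):
    """True if route lies inside prefix and its length is within the ge/le window."""
    net = ipaddress.ip_network(route, strict=False)
    base = ipaddress.ip_network(prefix, strict=False)
    if net.version != base.version or not net.subnet_of(base):
        return False
    if ge is None and le is None:
        lo = hi = base.prefixlen            # no ge/le: exact length only
    else:
        lo = base.prefixlen if ge is None else ge
        hi = base.max_prefixlen if le is None else le
    return lo <= net.prefixlen <= hi


def evaluate(route, prefix_list=HQ_PREFIX_LIST):
    """First matching entry decides; a route matching nothing is implicitly denied."""
    for action, prefix, ge, le in prefix_list:
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"


def active_routes(received, prefix_list=HQ_PREFIX_LIST):
    """Routes that survive the prefix list and so can reach the HQ routing table."""
    return [r for r in received if evaluate(r, prefix_list) == "permit"]


if __name__ == "__main__":
    # Constructed set of routes received from ISP 2, taken from the answer options
    received = ["172.16.204.128/25", "172.16.201.96/29", "172.16.204.64/27"]
    for r in received:
        print(f"{r:20} {evaluate(r)}")
```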
Question 8:
A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains a TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.
Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.
What are the two reasons for this behavior? (Choose two.)
A. The private-data-encryption key entered on the primary did not match the value that the TPM expected.
B. Configuration for TPM is not synchronized between FortiGate HA cluster members.
C. The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.
D. TPM functionality is not yet compatible with FortiGate HA
E. The administrator needs to manually enter the hex private data encryption key in FortiManager
Correct Answer: AB
Explanation: The two reasons for the negative impact on the FortiGate HA status and FortiManager status after enabling TPM are:
The private-data-encryption key entered on the primary unit did not match the value that the TPM expected. This could happen if the TPM was previously enabled and then disabled, and the key was changed in between. The TPM will reject the new key and cause an error in the configuration synchronization.
Configuration for TPM is not synchronized between FortiGate HA cluster members. Each cluster member must have the same private-data-encryption key to form a valid HA cluster and synchronize their configurations. However, enabling TPM on one unit does not automatically enable it on the other units, and the key must be manually entered on each unit.
To resolve these issues, the administrator should disable TPM on all units, clear the TPM data, and then enable TPM again with the same private-data-encryption key on each unit.
References:
https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection
https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic
Question 9:
Refer to the exhibit.
A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode.
Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)
A. You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode
B. Traffic on AccountVInk and SalesVInk will not be accelerated.
C. The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides.
D. Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.
E. OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk
Correct Answer: AD
A. You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode. This is because VDOM links can be configured in either PPP or Ethernet mode, and OSPF routing can be configured on both types of links.
D. Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs. This is because the Root VDOM is the default VDOM, and it is used for management and internet access. VDOM 1 and VDOM 2 are traffic type VDOMs, which are used for segregating internal traffic.
The other options are not correct.
B. Traffic on AccountVInk and SalesVInk will not be accelerated. This is because VDOM links are not accelerated by default. However, you can configure acceleration on VDOM links if you want.
C. The VDOM links are in Ethernet mode because they have IP addresses assigned on both sides. This is not necessarily true. The VDOM links could be in PPP mode even if they have IP addresses assigned on both sides.
E. OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk. This is correct. OSPF routing can be configured between any two VDOMs, even if they are not directly connected. In this case, the OSPF routing would be configured on the AccountVInk link.
Question 10:
Refer to the exhibits.
A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1) and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.
The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.
Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: BC
Explanation: To enable application detection on plain-text traffic that has been decrypted by FortiADC, the administrator must perform two configuration tasks on CL-1:
Enable SSL offloading in the firewall policy and select the SSL-Offload protocol options profile.
Enable application control in the firewall policy and select the SSL-Offload-App-Detect application list.