Fortinet Fortinet Certifications NSE8_812 Questions & Answers

• Question 11:

  Refer to the exhibit.

  

  You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.

  You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.

  How should the initial connection be made?

  A. Connect the switch on any interface between ports 21 to 24

  B. Connect the switch on any interface between ports 25 to 28

  C. Connect the switch on any interface between ports 1 to 4

  D. Connect the switch on any interface between ports 5 to 8.

  Correct Answer: C

  Explanation: The FortiGate 6000F has 24 1/10/25-Gbps SFP28 data network interfaces (1 to 24). These interfaces are divided into the following interface groups: 1 to 4, 5 to 8, 9 to 12, 13 to 16, 17 to 20, and 21 to 24. The ports 25 to 28 are

  40/100-Gbps QSFP28 data network interfaces.

  The initial connection should be made to any interface between ports 1 to 4. This is because the ports 21 to 24 are part of the same interface group, and changing the speed of one of these ports will affect the speeds of all of the ports in the

  group. The ports 5 to 8 are also part of the same interface group, so they should not be used for the initial connection. The new hardware module that will be installed in the switch will provide higher speed ports. When this module is installed,

  the speed of the ports 21 to 24 will be increased. However, this will not affect the ports 1 to 4, because they are not part of the same interface group.

  Therefore, the initial connection should be made to any interface between ports 1 to 4, in order to ensure that the FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port

  speed is defined.

  Reference:

  FortiGate 6000F Front Panel Interfaces: https://docs.fortinet.com/document/fortigate- 6000/hardware/fortigate-6000f-system-guide/827055/front-panel-interfaces

• Question 12:

  Refer to the exhibit.

  

  A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.

  How will the sessions be load balanced between server 1 and server 2 during normal operation?

  A. Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions

  B. Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions

  C. Server 1 will receive 33.3% of the sessions, Server 2 will receive 66 6% of the sessions

  D. Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions

  Correct Answer: A

  Explanation: The Server Pool in the exhibit is configured with a weight of 20 for server 1 and a weight of 60 for server 2. This means that server 1 will receive 20% of the sessions and server 2 will receive 75% of the sessions.

  The following formula is used to calculate the load balancing between servers in a Server Pool:

  weight_of_server_1 / (weight_of_server_1 + weight_of_server_2) In this case, the formula is:

  20 / (20 + 60) = 20 / 80 = 0.25 = 25%

  Therefore, server 1 will receive 25% of the sessions and server 2 will receive 75% of the sessions.

• Question 13:

  Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)

  A. Report

  B. FTP

  C. API D. SCP

  Correct Answer: AC

  Explanation: FortiSIEM supports two methods for importing user defined Lookup Table Data:

  Report: You can import lookup table data from a report. This is the most common method for importing lookup table data.

  API: You can also import lookup table data using the FortiSIEM API. This is a more advanced method that allows you to import lookup table data programmatically.

  FTP, SCP, and other file transfer protocols are not supported for importing lookup table data into FortiSIEM.

  Reference:https://help.fortinet.com/fsiem/6-7-4/Online- Help/HTML5_Help/importing_lookup_table_data.htm

• Question 14:

  Refer to the exhibit showing FortiGate configurations

  

  FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.

  The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A

  becomes primary.

  What change will correct HA functionality in this scenario?

  A. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.

  B. Make the monitored IP to match on both FortiManager devices.

  C. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.

  D. Change the priority of FMG-A to be numerically lower for higher preference

  Correct Answer: B

  Explanation: B is correct because the monitored IP must match on both FortiManager devices for HA to function properly. This is explained in the FortiManager Administration Guide under High Availability > Configuring HA options > Configuring HA options using the GUI. References: https://docs.fortinet.com/document/fortimanager/7.4.0/administration- guide/568591/highavailabilityhttps://docs.fortinet.com/document/fortimanager/7.4.0/administration- guide/568591/high-availability/568592/configuring-ha-options

• Question 15:

  Refer to the exhibit.

  

  A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.

  Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)

  A. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.

  B. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority

  C. You can only deploy initial installations to Windows clients.

  D. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express

  E. The Windows clients only require "File and Printer Sharing0 allowed and the rest is handled by Active Directory group policy

  Correct Answer: AE

  A is correct because if no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay. This is because the FortiClient EMS server will not force the installation on the client. E is correct

  because the Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy. This is because the Active Directory group policy will configure the Windows clients to automatically install

  FortiClient and the FortiClient EMS server will only need to push the initial configuration to the clients.

  The other options are incorrect. Option B is incorrect because a client can only be eligible for one enabled configuration on the EMS server. Option C is incorrect because you can deploy initial installations to both Windows and macOS clients.

  Option D is incorrect because you can use the included SQL Server Express to deploy FortiClient EMS.

  References:

  Deploying FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library Configuring FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library

  FortiClient EMS installation requirements | FortiClient / FortiOS 7.4.0 - Fortinet Document Library

• Question 16:

  A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

  A. Change the Adaptive Mode.

  B. Create an HA setup with a second FortiDDoS 200F

  C. Move the internet connection from the SFP interfaces to the LC interfaces

  D. Replace with a FortiDDoS 1500F

  Correct Answer: BD

  B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.

  D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F. This means that it will be less likely to drop traffic even under heavy load.

  The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC

  interfaces will not change the throughput capacity of the device.

  References:

  FortiDDoS 200F Datasheet | Fortinet Document Library FortiDDoS 1500F Datasheet | Fortinet Document Library High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library

• Question 17:

  Refer to the exhibit.

  

  To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with configuring the FortiGate devices to support injecting of IKE routes on the ADVPN shortcut tunnels. Which three commands must be added or changed to the FortiGate spoke config vpn ipsec phasei-interface options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)

  A. set net-device disable

  B. set mode-cfg enable

  C. set ike-version 1

  D. set add-route enable

  E. set mode-cfg-allow-client-selector enable

  Correct Answer: BDE

  B must be set to enable mode-cfg, which is required for injecting IKE routes on the ADVPN shortcut tunnels.

  D must be set to enable add-route, which is the command that actually injects the IKE routes.

  E must be set to enable mode-cfg-allow-client-selector, which allows custom phase 2 selectors to be configured.

  The other options are incorrect. Option A is incorrect because net-device disable is not required for injecting IKE routes on the ADVPN shortcut tunnels. Option C is incorrect because IKE version 1 is not supported for ADVPN.

  References:

  Phase 2 selectors and ADVPN shortcut tunnels | FortiGate / FortiOS 7.2.0 Configuring SD-WAN/ADVPN with FortiGate | FortiGate / FortiOS 7.2.0

• Question 18:

  Review the VPN configuration shown in the exhibit.

  

  What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?

  A. 1 redundant packet for every 10 base packets

  B. 3 redundant packet for every 5 base packets

  C. 2 redundant packet for every 8 base packets

  D. 3 redundant packet for every 9 base packets

  Correct Answer: C

  Explanation: The FEC configuration in the exhibit specifies that if the packet loss is greater than 10%, then the FEC mapping will be 8 base packets and 2 redundant packets. The download bandwidth of 500 Mbps is not greater than 950

  Mbps, so the FEC mapping is not overridden by the bandwidth setting. Therefore, the FEC behavior will be 2 redundant packets for every 8 base packets.

  Here is the explanation of the FEC mappings in the exhibit:

  Packet loss greater than 10%: 8 base packets and 2 redundant packets. Upload bandwidth greater than 950 Mbps: 9 base packets and 3 redundant packets.

  The mappings are matched from top to bottom, so the first mapping that matches the conditions will be used. In this case, the first mapping matches because the packet loss is greater than 10%. Therefore, the FEC behavior will be 2

  redundant packets for every 8 base packets.

  Reference: https://docs.fortinet.com/document/fortigate/7.0.0/new- features/169010/adaptive-forward-error-correction-7-0-2

• Question 19:

  Refer to the exhibits.

  

  The exhibits show a diagram of a requested topology and the base IPsec configuration.

  A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.

  In this scenario, which feature should be implemented to achieve this requirement?

  A. Use network-overlay id

  B. Change advpn2 to IKEv1

  C. Use local-id

  D. Use peer-id

  Correct Answer: A

  Explanation: A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. References: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration- guide/978793/advpn/978794/configuring-advpn

• Question 20:

  Refer to the exhibit showing the history logs from a FortiMail device.

  

  Which FortiMail email security feature can an administrator enable to treat these emails as spam?

  A. DKIM validation in a session profile

  B. Sender domain validation in a session profile

  C. Impersonation analysis in an antispam profile

  D. Soft fail SPF validation in an antispam profile

  Correct Answer: C

  Explanation: Impersonation analysis is a feature that detects emails that attempt to impersonate a trusted sender, such as a company executive or a well-known brand, by using spoofed or look-alike email addresses. This feature can help prevent phishing and business email compromise (BEC) attacks. Impersonation analysis can be enabled in an antispam profile and applied to a firewall policy. References:https://docs.fortinet.com/document/fortimail/6.4.0/administrationguide/103663/impersonation-analysis