Fortinet Fortinet Certifications NSE8_812 Questions & Answers

• Question 21:

  You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail What are two possible reasons for this problem? (Choose two.)

  A. The FortiMail access control rule to relay from Office 365 servers FQDN is missing.

  B. The FortiMail DKIM key was not set using the Auto Generation option.

  C. The FortiMail access control rules to relay from Office 365 servers public IPs are missing.

  D. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.

  Correct Answer: AD

  Explanation: A. The FortiMail access control rule to relay from Office 365 servers FQDN is missing.

  If the access control rule to relay from Office 365 servers FQDN is missing, then FortiMail will not be able to send emails to Office 365. This is because the access control rule specifies which IP addresses or domains are allowed to relay

  emails through FortiMail. D. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.

  If the Mail Flow connector from the Exchange Admin Center is not set properly to the FortiMail Cloud FQDN, then Office 365 will not be able to send emails to FortiMail. This is because the Mail Flow connector specifies which SMTP server is

  used to send emails to external recipients.

• Question 22:

  Refer to the exhibit, which shows a Branch1 configuration and routing table. In the SD-WAN implicit rule, you do not want the traffic load balance for the overlay interface when all members are available.

  

  In this scenario, which configuration change will meet this requirement?

  A. Change the load-balance-mode to source-ip-based.

  B. Create a new static route with the internet sdwan-zone only

  C. Configure the cost in each overlay member to 10.

  D. Configure the priority in each overlay member to 10.

  Correct Answer: D

  Explanation: The default load balancing mode for the SD-WAN implicit rule is source IP based. This means that traffic will be load balanced evenly between the overlay members, regardless of the member's priority. To prevent traffic from being load balanced, you can configure the priority of each overlay member to 10. This will make the member ineligible for load balancing. The other options are not correct. Changing the load balancing mode to source-IP based will still result in traffic being load balanced. Creating a new static route with the internet sdwan-zone only will not affect the load balancing of the overlay interface. Configuring the cost in each overlay member to 10 will also not affect the load balancing, as the cost is only used when the implicit rule cannot find a match for the destination IP address.

  

• Question 23:

  A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.

  CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.

  Which two options can resolve this situation? (Choose two.)

  A. Change the persistence rule to LB_PERSIS_SSL_SESSJD.

  B. Add more web servers to the real server poof

  C. Disable SSL between the FortiADC and the web servers

  D. Add a connection-pool to the FortiADC virtual server

  Correct Answer: BD

  Option B: Adding more web servers to the real server pool will increase the overall capacity of the load balancer, which should help to resolve the issue of users not being able to access the website.

  Option D: Adding a connection-pool to the FortiADC virtual server will allow the load balancer to cache connections to the web servers, which can help to improve performance and reduce the number of dropped connections. Option A:

  Changing the persistence rule to LB_PERSIS_SSL_SESSJD would only be necessary if the current persistence rule is not working properly. In this case, the CPU usage on the FortiADC and the web servers is low, so the persistence rule is

  likely not the issue.

  Option C: Disabling SSL between the FortiADC and the web servers would reduce the load on the FortiADC, but it would also make the website less secure. Since the bandwidth utilization is under 30%, it is unlikely that disabling SSL would

  resolve the issue. Reference: https://docs.fortinet.com/document/fortiadc/7.2.1/handbook/970956/configuring- virtual-servers

• Question 24:

  A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup. The following API call is being made with the 'curl' utility:

  

  Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API? (Choose two.)

  A. Only users with the "Full permission" role can access the REST API

  B. This API call will fail because it requires that API version 2

  C. If the REST API web service access key is lost, it cannot be retrieved and must be changed.

  D. The syntax is incorrect because the API calls needs the get method.

  Correct Answer: BD

  Explanation: To retrieve an SSO group called SalesGroup using the FortiAuthenticator REST API, the following issues need to be fixed in the API call:

  The API version should be v2, not v1, as SSO groups are only supported in version 2 of the REST API.

  The HTTP method should be GET, not POST, as GET is used to retrieve information from the server, while POST is used to create or update information on the server. Therefore, a correct API call would look like this: curl -X GET -H

  "Authorization: Bearer "

  https://fac.example.com/api/v2/sso/groups/SalesGroup References:https://docs.fortinet.com/document/fortiauthenticator/6.4.1/rest-api- solution-guide/927310/introduction

  https://docs.fortinet.com/document/fortiauthenticator/6.4.1/rest-api-solution- guide/927311/sso-groups

• Question 25:

  A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this traffic. Which two statements are true regarding the requirements? (Choose two.)

  A. FortiGate can perform SSH access proxy host-key validation.

  B. You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.

  C. SSH traffic is tunneled between the client and the access proxy over HTTPS

  D. Traffic is discarded as ZTNA does not support SSH connection rules

  Correct Answer: AC

  Explanation: ZTNA supports SSH connection rules that allow remote workers to access SSH servers inside the network through an HTTPS tunnel between the client and the access proxy (FortiGate). The access proxy acts as an SSH client to connect to the real SSH server on behalf of the user, and performs host-key validation to verify the identity of the server. The user can use any SSH client that supports HTTPS proxy settings, such as PuTTY or OpenSSH. References:https://docs.fortinet.com/document/fortigate/7.0.0/ztna- deployment/899992/configuring-ztna-rules-to-control-access

• Question 26:

  Refer to the exhibits.

  

  The exhibits show a FortiGate network topology and the output of the status of high availability on the FortiGate. Given this information, which statement is correct?

  A. The ethertype values of the HA packets are 0x8890, 0x8891, and 0x8892

  B. The cluster mode can support a maximum of four (4) FortiGate VMs

  C. The cluster members are on the same network and the IP addresses were statically assigned.

  D. FGVMEVLQOG33WM3D and FGVMEVGCJNHFYI4A share a virtual MAC address.

  Correct Answer: D

  Explanation: The output of the status of high availability on the FortiGate shows that the cluster mode is active-passive, which means that only one FortiGate unit is active at a time, while the other unit is in standby mode. The active unit handles all traffic and also sends HA heartbeat packets to monitor the standby unit. The standby unit becomes active if it stops receiving heartbeat packets from the active unit, or if it receives a higher priority from another cluster unit. In active-passive mode, all cluster units share a virtual MAC address for each interface, which is used as the source MAC address for all packets forwarded by the cluster. References:https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103439/high- availability-with-two-fortigates

• Question 27:

  Review the following FortiGate-6000 configuration excerpt:

  

  Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?

  A. It dynamically distributes SNAT source ports to operating FPCs or FPMs.

  B. It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.

  C. It statically distributes SNAT source ports to operating FPCs or FPMs

  D. It equally distributes SNAT source ports across chassis slots.

  Correct Answer: A

  Explanation: The configuration excerpt shows that the SNAT source port partitioning behavior is set to dynamic. This means that the FortiGate will dynamically distribute SNAT source ports to operating FPCs or FPMs. This ensures that active

  sessions are not interrupted if an FPC or FPM goes down.

  The other options are incorrect. Option B is incorrect because the default SNAT configuration is static. Option C is incorrect because the configuration excerpt does not specify that SNAT source ports are statically distributed. Option D is

  incorrect because the SNAT source ports are not evenly distributed across chassis slots. Here are some additional details about SNAT source port partitioning behavior:

  SNAT source port partitioning behavior can be set to dynamic or static.

  The default SNAT configuration is static.

  Dynamic SNAT source port partitioning ensures that active sessions are not interrupted if an FPC or FPM goes down.

  Static SNAT source port partitioning can improve performance by reducing the number of SNAT lookups.

• Question 28:

  You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?

  A. The configuration of the MTA Adapter Local Interface is different than on port1.

  B. The MTA adapter is only available in the primary node.

  C. The MTA adapter mode is only detection mode.

  D. The configuration is different than on a standalone device.

  Correct Answer: B

  Explanation: The MTA adapter feature on FortiSandbox is a feature that allows FortiSandbox to act as a mail transfer agent (MTA) that can receive, inspect, and forward email messages from externalsources. The MTA adapter feature can be used to integrate FortiSandbox with third-party email security solutions that do not support direct integration with FortiSandbox, such as Microsoft Exchange Server or Cisco Email Security Appliance (ESA). The MTA adapter feature can also be used to enhance email security by adding an additional layer of inspection and filtering before delivering email messages to the final destination. The MTA adapter feature can be enabled on FortiSandbox in an HA-Cluster, which is a configuration that allows two FortiSandbox units to synchronize their settings and data and provide high availability and load balancing for sandboxing services. However, one statement about this solution that is true is that the MTA adapter is only available in the primary node. This means that only one FortiSandbox unit in the HA- Cluster can act as an MTA and receive email messages from external sources, while the other unit acts as a backup node that can take over the MTA role if the primary node fails or loses connectivity. This also means that only one IP address or FQDN can be used to configure the external sources to send email messages to the FortiSandbox MTA, which is the IP address or FQDN of the primary node. References: https://docs.fortinet.com/document/fortisandbox/3.2.0/administration-guide/19662/mail- transfer-agent-mtahttps://docs.fortinet.com/document/fortisandbox/3.2.0/administration- guide/19662/high-availability-ha

• Question 29:

  Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

  A. The FortiGuard VOS can be used only with proxy-base policy inspections.

  B. If third-party AV database returns a match the scanned file is deemed to be malicious.

  C. The antivirus database queries FortiGuard with the hash of a scanned file

  D. The AV engine scan must be enabled to use the FortiGuard VOS feature

  E. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.

  Correct Answer: CE

  C. The antivirus database queries FortiGuard with the hash of a scanned file. This is how the FortiGuard VOS service works. The FortiGate queries FortiGuard with the hash of a scanned file, and FortiGuard returns a list of known malware signatures that match the hash.

  E. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database. This is where the FortiGuard VOS service gets its hash signatures from. The FortiGuard Global Threat Intelligence database is updated regularly with new malware signatures.

• Question 30:

  SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.

  You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work. What should you configure?

  A. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.

  B. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.

  C. Configure two DNS servers and use DNS servers recommended by the two internet providers.

  D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

  Correct Answer: D

  Explanation: SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD- WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. References: https://docs.fortinet.com/document/fortigate/7.0.0/sd- wan/19662/sd-wan