Refer to the CLI configuration of an SSL inspection profile from a FortiGate device configured to protect a web server:
Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?
A. FortiGate will reject all HTTP/2 ALPN headers.
B. FortiGate will strip the ALPN header and forward the traffic.
C. FortiGate will rewrite the ALPN header to request HTTP/1.
D. FortiGate will forward the traffic without modifying the ALPN header.
Correct Answer: A
Explanation: The supported-alpn parameter is set to http1.1 in the SSL inspection profile. This means the FortiGate accepts only HTTP/1.1 in the ALPN extension of the client's TLS ClientHello; a client that offers HTTP/2 (ALPN identifier h2) is rejected.
The following is the relevant documentation from Fortinet:
The supported-alpn parameter specifies the list of ALPN protocols that the FortiGate will accept. If the client requests a protocol that is not in this list, the FortiGate rejects the connection.
The default value for the supported-alpn parameter is all, which accepts any ALPN protocol the client requests. To reject all HTTP/2 traffic, set the supported-alpn parameter to http1.1. Source: https://
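The ALPN mechanism behind this setting, as an added example that is not from the original page or from Fortinet: a small Python parser that pulls the ALPN extension (RFC 7301, extension type 16) out of a TLS ClientHello record and applies a simplified model of the four supported-alpn values (all, http1-1, http2, none). The value names follow the FortiOS CLI; the reject-on-any-disallowed-protocol rule is my reading of the documented behaviour, not FortiOS code. The build_client_hello helper constructs the sample handshake offline, so the script runs without a network.

```python
import struct
from typing import List, Optional

# Simplified model of the FortiOS supported-alpn values: the set of ALPN
# protocol IDs a client may offer. None means "accept anything".
# (Value names follow the FortiOS CLI; the decision rule is an assumption.)
SUPPORTED_ALPN = {
    "all": None,
    "http1-1": {b"http/1.1"},
    "http2": {b"h2"},
    "none": set(),            # any ALPN extension at all is rejected
}

ALPN_EXTENSION_TYPE = 16      # application_layer_protocol_negotiation, RFC 7301


def parse_client_hello_alpn(record: bytes) -> Optional[List[bytes]]:
    """Return the protocol list from the ALPN extension of a TLS ClientHello
    record, or None if the ClientHello carries no ALPN extension."""
    if len(record) < 5 or record[0] != 0x16:         # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                       # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    pos = 2 + 32                                      # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                 # cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                                 # compression_methods
    if pos >= len(body):
        return None                                   # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == ALPN_EXTENSION_TYPE:
            list_len = struct.unpack("!H", data[:2])[0]
            protos, p = [], 2
            while p < 2 + list_len:                   # each entry: 1-byte length + name
                n = data[p]
                protos.append(data[p + 1:p + 1 + n])
                p += 1 + n
            return protos
    return None


def alpn_decision(offered: Optional[List[bytes]], setting: str) -> str:
    """Apply the supported-alpn policy to the client's ALPN offer."""
    allowed = SUPPORTED_ALPN[setting]
    if offered is None:
        return "accept"        # nothing to filter: the client did not use ALPN
    if allowed is None:
        return "accept"        # 'all'
    if any(p not in allowed for p in offered):
        return "reject"        # e.g. h2 offered while only http/1.1 is supported
    return "accept"


def build_client_hello(alpn: Optional[List[bytes]]) -> bytes:
    """Construct a minimal ClientHello record (constructed sample, not a capture):
    one cipher suite, no session ID, optional ALPN extension."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
    body += b"\x01\x00"                               # compression: null only
    if alpn is not None:
        lst = b"".join(bytes([len(p)]) + p for p in alpn)
        alpn_data = struct.pack("!H", len(lst)) + lst
        ext = struct.pack("!HH", ALPN_EXTENSION_TYPE, len(alpn_data)) + alpn_data
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for offer in ([b"h2", b"http/1.1"], [b"http/1.1"], None):
        rec = build_client_hello(offer)
        print(offer, "->", alpn_decision(parse_client_hello_alpn(rec), "http1-1"))
```

With the profile set to http1-1, a browser that offers both h2 and http/1.1 is rejected under this model, while a client that offers only http/1.1, or no ALPN at all, is accepted; the same parser can be pointed at a captured ClientHello to confirm what a client actually offers before blaming the profile.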
A remote IT Team is in the process of deploying a FortiGate in their lab. The closed environment has been configured to support zero-touch provisioning from the FortiManager, on the same network, via DHCP options. After waiting 15 minutes, they are reporting that the FortiGate received an IP address, but the zero-touch process failed.
The exhibit below shows what the IT Team provided while troubleshooting this issue:
Which statement explains why the FortiGate did not install its configuration from the FortiManager?
A. The FortiGate was not configured with the correct pre-shared key to connect to the FortiManager
B. The DHCP server was not configured with the FQDN of the FortiManager
C. The DHCP server used the incorrect option type for the FortiManager IP address.
D. The configuration was modified on the FortiGate prior to connecting to the FortiManager
Correct Answer: C
Explanation: C is correct. With DHCP-based zero-touch provisioning the FortiGate reads the FortiManager address only from the DHCP option Fortinet documents for ZTP (option 240). If the DHCP server places the address in a different option type, such as option 15 (domain name) or option 43 (vendor-specific), the FortiGate still receives its lease but never learns where the FortiManager is, and the ZTP process times out; the exhibit shows the address was sent with the wrong option type. See the FortiManager Administration Guide under Zero-Touch Provisioning > Configuring DHCP options for ZTP. References: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options
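The DHCP side of the same failure, as an added example that is not from the original page or from Fortinet: a Python encoder and decoder for DHCP options in the RFC 2132 TLV layout, showing why the option number matters. The FortiManager address is looked up only in option 240, the option Fortinet's ZTP documentation uses; the value format (a bare IPv4 address string), the helper names and the sample leases are my assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

DHCP_OPT_DOMAIN_NAME = 15       # RFC 2132: the client's domain name, a free-form string
DHCP_OPT_VENDOR_SPECIFIC = 43   # RFC 2132: opaque vendor-specific information
DHCP_OPT_FORTIMANAGER = 240     # option Fortinet documents for the FortiManager address (ZTP)
DHCP_OPT_END = 255


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (code, value) pairs as DHCP option TLVs, ending with the END option."""
    out = bytearray()
    for code, value in options:
        if not 1 <= code <= 254 or len(value) > 255:
            raise ValueError(f"option {code} not encodable")
        out += bytes([code, len(value)]) + value
    out.append(DHCP_OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse DHCP option TLVs; stops at END, skips PAD, rejects truncated input."""
    opts, pos = {}, 0
    while pos < len(blob):
        code = blob[pos]
        if code == DHCP_OPT_END:
            return opts
        if code == 0:                    # PAD option has no length byte
            pos += 1
            continue
        if pos + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        pos += 2 + length
    raise ValueError("options not terminated by END")


def fortimanager_from_options(blob: bytes) -> Optional[str]:
    """Return the FortiManager IPv4 address a FortiGate would learn from the lease,
    or None when option 240 is absent or does not hold a valid address.
    (The bare-address value format is an assumption of this example.)"""
    raw = decode_options(blob).get(DHCP_OPT_FORTIMANAGER)
    if raw is None:
        return None
    try:
        return str(ipaddress.IPv4Address(raw.decode("ascii")))
    except (UnicodeDecodeError, ipaddress.AddressValueError):
        return None


# Constructed sample leases for the lab in the question (addresses are made up).
LEASE_WRONG_OPTION = encode_options([
    (1, bytes([255, 255, 255, 0])),              # subnet mask
    (DHCP_OPT_DOMAIN_NAME, b"10.10.10.5"),       # FortiManager IP put in option 15
])
LEASE_CORRECT_OPTION = encode_options([
    (1, bytes([255, 255, 255, 0])),
    (DHCP_OPT_FORTIMANAGER, b"10.10.10.5"),      # same address, in option 240
])

if __name__ == "__main__":
    print("wrong option :", fortimanager_from_options(LEASE_WRONG_OPTION))
    print("option 240   :", fortimanager_from_options(LEASE_CORRECT_OPTION))
```

The first lease carries the right address in the wrong option, so the lookup returns nothing, which is exactly the symptom in the question: the FortiGate gets an IP address and then waits. Feeding the options field of a captured DHCPOFFER to decode_options is a quick way to confirm which option a lab DHCP server really sent.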
Question 33:
Refer to the exhibits.
A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.
Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)
A. FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.
B. Devices connected directly to ports 3 and 4 can perform 802.1X authentication.
C. Ports 3 and 4 can be part of different switch interfaces.
D. Client devices must have 802.1X authentication enabled
Correct Answer: BD
Explanation: A hardware switch interface groups several physical ports of the FortiGate into one logical Layer 2 switch with a single IP address and a single set of firewall policies. 802.1X is the IEEE standard for port-based network access control: the client (supplicant) sends its credentials in EAP messages to the switch port (authenticator), the FortiGate relays them to a RADIUS server, and the port is opened for normal traffic only after a successful authentication, so the client is authenticated before it can even request a DHCP lease. In the exhibits, ports 3 and 4 are members of the hardware switch interface "lan" (10.10.10.254/24), and FortiGate supports 802.1X authentication on the member ports of a hardware switch, so devices connected directly to ports 3 and 4 can be authenticated (B).
The second condition is on the client side: the device must run an 802.1X supplicant and have it enabled on its network interface so that it answers the EAP-Request/Identity sent on the port; a host without a supplicant never starts the exchange and stays blocked (D). A trusted CA certificate is needed on the client only when the chosen EAP method validates the authentication server, for example PEAP or EAP-TLS. Option A contradicts the configuration shown, which is supported; option C describes no authentication condition at all, since whether ports 3 and 4 could belong to different switch interfaces has no bearing on 802.1X, and here both are members of "lan". References: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/hardware-switch-interfaces https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/802-1x-authentication
Question 34:
An automation stitch was configured using an incoming webhook as the trigger named 'my_incoming_webhook'. The action is configured to execute the CLI Script shown:
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: A
Explanation: The CLI script in option A sends the log message to the webhook server, which can then take any desired action, such as storing the message in a database or sending an e-mail notification.
The other options are incorrect. Option B does not send the log message to the webhook server because it does not contain the curl command. Option C sends the log message but also includes the FortiGate's IP address and MAC address; that information is not needed and could help an attacker identify the FortiGate. Option D does not send the log message to the webhook server because it does not contain the webhook action.
What is the benefit of using FortiGate NAC LAN Segments?
A. It provides support for multiple DHCP servers within the same VLAN.
B. It provides physical isolation without changing the IP address of hosts.
C. It provides support for IGMP snooping between hosts within the same VLAN
D. It allows for assignment of dynamic address objects matching NAC policy.
Correct Answer: D
Explanation: NAC LAN segments let the FortiGate move a host to a different LAN segment (VLAN) according to the NAC policy it matches, without changing the host's IP address and without bouncing the switch port, so existing firewall sessions survive and no new DHCP lease is needed. The benefit the question asks for is D: a NAC policy can populate a dynamic address object with the devices that match it (by device type, OS, MAC address and so on), and firewall policies can reference that object. This keeps policy management simple and lets different security profiles be applied to different classes of device as they are identified. References: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/856212/nac-lan-segments-7-0-1
Question 36:
A customer is planning on moving their secondary data center to a cloud-based IaaS. They want to place all the Oracle-based systems in Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center.
They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority.
Which two design options are true based on these requirements? (Choose two.)
A. Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.
B. Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.
C. Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.
D. Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge
Correct Answer: AC
Explanation:
A. Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud. In this design the only private path between the two clouds is the ExpressRoute circuit to the main data center; no direct Azure-to-Oracle connection is part of the requirements, so Azure-to-Oracle traffic is routed through the data center FortiGates.
C. Branch FortiGate devices must be configured as VPN clients (dial-up IPsec) for the branches' internal networks to reach Oracle services without public IPs. The branches have only internet links and private addressing, so an IPsec tunnel from each branch FortiGate to the FortiGate protecting the Oracle environment, or to the data center hub, is what carries the private branch subnets over the internet.
The other options are not correct.
B. ExpressRoute is a private circuit that bypasses the public internet, but Azure does not encrypt the traffic on it by default; running IPsec between a FortiGate VM in Azure and the data center edge is an optional hardening step rather than a requirement of this design, so this statement is not one of the two that must be true.
D. Two ExpressRoute services are not required. SD-WAN between the FortiGate VM in Azure and the FortiGate at the data center edge can be built over a single ExpressRoute circuit, with an internet IPsec tunnel as a second SD-WAN member where redundancy is wanted.
Question 37:
Refer to the exhibit.
You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration:
FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?
A. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.
B. Objects from the root FortiGate will only be synchronized to FGT_2.
C. Objects from the root FortiGate will not be synchronized to any downstream FortiGate.
D. Objects from the root FortiGate will only be synchronized to FGT_3.
Correct Answer: C
Explanation: The fabric-object-unification setting on FGT_2 is set to local, which means FGT_2 does not take part in object synchronization: it keeps its own local objects and does not accept synchronized objects from the fabric. The default value, default, means objects are synchronized from the root FortiGate to the downstream FortiGate devices. Since FGT_2 is not the root FortiGate and its fabric-object-unification setting is local, objects from the root FortiGate will not be
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic.
Which action achieves the requirement in this scenario?
A. Add a switch between the FortiGate and FEX.
B. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
C. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode
D. Add a VLAN under the FEX-WAN interface on the FortiGate.
Correct Answer: C
Explanation: A FortiGate-managed FortiExtender can connect in IP mode or in VLAN mode. In IP (CAPWAP) mode the FEX terminates the WAN link and tunnels the data traffic to the FortiGate inside CAPWAP, so every WAN packet is encapsulated and decapsulated by the FortiGate. In VLAN mode the FEX bridges the WAN connection onto a VLAN toward the FortiGate, the FortiGate terminates the WAN on its FEX-WAN interface, and the data traffic is forwarded as ordinary interface traffic without CAPWAP encapsulation, which is the lower-overhead choice under high utilization (C). The other options are not correct.
A. Adding a switch between the FortiGate and the FEX changes nothing about how the FEX traffic is encapsulated; it only adds a device. B. CAPWAP connectivity is the higher-overhead option, since the FortiGate must handle the tunnel and its control traffic for all WAN data.
D. Adding a VLAN under the FEX-WAN interface does not change the connectivity mode and therefore does not reduce the overhead on the FortiGate.
Question 39:
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:
SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
Public IP address (129.11.1.100) is assigned to port1
Datacenter.acmecorp.com resolves to the public IP address assigned to port1
The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
A. Option A
B. Option B
C. Option C
D. Option D
Correct Answer: B
Explanation: The exhibit shows the SSL VPN portal still bound to a self-signed certificate, which no browser trusts, so users must accept a security warning before they can connect. The customer wants the portal to use its Let's Encrypt certificate instead; Let's Encrypt is a free certificate authority whose certificates browsers trust, and the FortiGate obtains and renews them with its built-in ACME client. The configuration change in option B makes the FortiGate serve the Let's Encrypt certificate on the SSL VPN portal, so users connect without a warning.
A practical check when renewal fails, as reported here: the FortiGate's ACME client proves control of datacenter.acmecorp.com with the HTTP-01 challenge, so Let's Encrypt must be able to reach 129.11.1.100 on TCP/80 on port1; if port 80 is not reachable from the internet, renewal fails even though the portal on TCP/443 works.
The other configuration changes are not necessary to resolve the issue. Option A moves the SSL VPN portal to a different port, which violates the TCP/443 requirement and does not fix the certificate. Option C changes the DNS name used for the portal, which does not fix the certificate either. Option D points the FortiGate at a different certificate authority, which does not help because the customer still needs a certificate that browsers trust.
An HA topology is using the following configuration:
Based on this configuration, how long will it take for a failover to be detected by the secondary cluster member?
A. 600ms
B. 200ms
C. 300ms
D. 100ms
Correct Answer: B
Explanation: The configured HA heartbeat interval is 100 ms (hb-interval is set in units of 100 ms, so a value of 1 means 100 ms), and the lost-heartbeat threshold (hb-lost-threshold) is 2. The secondary declares the primary failed after 2 consecutive missed heartbeats, so detection takes 2 * 100 ms = 200 ms.