Updated Free Fortinet NSE8_812 Test Engine Questions with 62 Q&As [Q19-Q42]

QUESTION 19
An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.
Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

OCSP checks will always go to the configured FortiAuthenticator

The OCSP check of the certificate can be combined with a certificate revocation list.

OCSP certificate responses are never cached by the FortiGate.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

QUESTION 20
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

* SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
* Public IP address (129.11.1.100) is assigned to portl
* Datacenter.acmecorp.com resolves to the public IP address assigned to portl The customer has a Let’s Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
A)

B)

C)

Option A

Option B

Option C

Option D

QUESTION 21
You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:

The devices and the administrator are all located in different time zones Daylight savings time (DST) is disabled
* The FortiGate is at GMT-1000.
* The FortiAnalyzer is at GMT-0800
* Your browser local time zone is at GMT-03.00
You want to review this log on FortiAnalyzer GUI, what time should you use as a filter?

20:37:08

10:37:08

17:37:08

12.37:08

QUESTION 22
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic.
Which action achieves the requirement in this scenario?

Add a switch between the FortiGate and FEX.

Enable CAPWAP connectivity between the FortiGate and the FortiExtender.

Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode

Add a VLAN under the FEX-WAN interface on the FortiGate.

QUESTION 23
Refer to the exhibits, which show a firewall policy configuration and a network topology.

An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages-Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?

FortiGate will fall-back to the default Fortinet_CA_SSL certificate.

FortiGate will reject the connection since no certificate is defined.

FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection,

FortiGate will use the first certificate in the server-cert list-the abc.com certificate

QUESTION 24
Refer to the exhibit.

You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.
How should the initial connection be made?

Connect the switch on any interface between ports 21 to 24

Connect the switch on any interface between ports 25 to 28

Connect the switch on any interface between ports 1 to 4

Connect the switch on any interface between ports 5 to 8.

QUESTION 25
Refer to the exhibit.

A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode.
Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)

You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode

Traffic on AccountVInk and SalesVInk will not be accelerated.

The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides.

Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.

OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk

QUESTION 26
Refer to the exhibits.

A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table-Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.
Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)

172.16.204.128/25

172.16.201.96/29

172,620,64,27

172.16.204.64/27

QUESTION 27
You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients’ mail What are two possible reasons for this problem? (Choose two.)

The FortiMail access control rule to relay from Office 365 servers FQDN is missing.

The FortiMail DKIM key was not set using the Auto Generation option.

The FortiMail access control rules to relay from Office 365 servers public IPs are missing.

A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.

QUESTION 28
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)

disable on ICL trunks

enable on ICL trunks

disable on the ISL and FortiLink trunks

enable on the ISL and FortiLink trunks

QUESTION 29
Review the VPN configuration shown in the exhibit.

What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?

1 redundant packet for every 10 base packets

3 redundant packet for every 5 base packets

2 redundant packet for every 8 base packets

3 redundant packet for every 9 base packets

QUESTION 30
Refer to the exhibits.

A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table-Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.
Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)

172.16.204.128/25

172.16.201.96/29

172,620,64,27

172.16.204.64/27

QUESTION 31
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)

Change the persistence rule to LB_PERSIS_SSL_SESSJD.

Add more web servers to the real server poof

Disable SSL between the FortiADC and the web servers

Add a connection-pool to the FortiADC virtual server

QUESTION 32
Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.
The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.
Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.) A)

B)

Option A

Option B

Option C

Option D

QUESTION 33
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic.
Which action achieves the requirement in this scenario?

Add a switch between the FortiGate and FEX.

Enable CAPWAP connectivity between the FortiGate and the FortiExtender.

Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode

Add a VLAN under the FEX-WAN interface on the FortiGate.

QUESTION 34
A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup. The following API call is being made with the ‘curl’ utility:

Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API? (Choose two.)

Only users with the “Full permission” role can access the REST API

This API call will fail because it requires that API version 2

If the REST API web service access key is lost, it cannot be retrieved and must be changed.

The syntax is incorrect because the API calls needs the get method.

QUESTION 35
Refer to the exhibits.

An administrator has configured a FortiGate and Forti Authenticator for two-factor authentication with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and authenticate but push notifications do not work Based on the information given in the exhibits, what must be done to fix this?

On FG-1 port1, the ftm access protocol must be enabled.

FAC-1 must have an internet routable IP address for push notifications.

On FG-1 CLI, the ftm-push server setting must point to 100.64.141.

On FAC-1, the FortiToken public IP setting must point to 100.64.1 41

QUESTION 36
You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?

The configuration of the MTA Adapter Local Interface is different than on port1.

The MTA adapter is only available in the primary node.

The MTA adapter mode is only detection mode.

The configuration is different than on a standalone device.

QUESTION 37
Refer to the exhibits.

The exhibits show a FortiGate network topology and the output of the status of high availability on the FortiGate.
Given this information, which statement is correct?

The ethertype values of the HA packets are 0x8890, 0x8891, and 0x8892

The cluster mode can support a maximum of four (4) FortiGate VMs

The cluster members are on the same network and the IP addresses were statically assigned.

FGVMEVLQOG33WM3D and FGVMEVGCJNHFYI4A share a virtual MAC address.

QUESTION 38
Wh.ch feature must you enable on the BGP neighbors to accomplish this goal?

Graceful-restart

Deterministic-med

Synchronization

Soft-reconfiguration

QUESTION 39
Refer to the exhibit.

FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)

The Jinja template will automatically map the interface with “WAN” role on the managed FortiGate.

The template will work if you change the variable format to $(WAN).

The template will work if you change the variable format to {{ WAN }}.

The administrator must first manually map the interface for each device with a meta field.

The template will fail because this configuration can only be applied with a CLI or TCL script.

QUESTION 40
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)

disable on ICL trunks

enable on ICL trunks

disable on the ISL and FortiLink trunks

enable on the ISL and FortiLink trunks

QUESTION 41
Refer to the exhibit.

The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.
Referring to the exhibit, which two actions will fix these errors? (Choose two.)

Verify that the CRL is accessible from the root FortiGate

Export and import the FortiClient EMS server certificate to the root FortiGate.

Install a new known CA on the Win2K16-EMS server.

Authorize the root FortiGate on the FortiClient EMS

QUESTION 42
Refer to the exhibit.

FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)

The Jinja template will automatically map the interface with “WAN” role on the managed FortiGate.

The template will work if you change the variable format to $(WAN).

The template will work if you change the variable format to {{ WAN }}.

The administrator must first manually map the interface for each device with a meta field.

The template will fail because this configuration can only be applied with a CLI or TCL script.

Leave a Reply Cancel reply