New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

NSE8_812 Network Security Expert 8 Written Exam Questions and Answers

Questions 4

Refer to the exhibits.

A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table-Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.

Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)

Options:

A.

172.16.204.128/25

B.

172.16.201.96/29

C.

172,620,64,27

D.

172.16.204.64/27

Buy Now
Questions 5

You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?

Options:

A.

The configuration of the MTA Adapter Local Interface is different than on port1.

B.

The MTA adapter is only available in the primary node.

C.

The MTA adapter mode is only detection mode.

D.

The configuration is different than on a standalone device.

Buy Now
Questions 6

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

Options:

A.

OCSP checks will always go to the configured FortiAuthenticator

B.

The OCSP check of the certificate can be combined with a certificate revocation list.

C.

OCSP certificate responses are never cached by the FortiGate.

D.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Buy Now
Questions 7

You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is not a factor. Which adapter type for the NICs will you recommend?

Options:

A.

Native ESXi Networking with E1000

B.

Virtual Function (VF) PCI Passthrough

C.

Native ESXi Networking with VMXNET3

D.

Physical Function (PF) PCI Passthrough

Buy Now
Questions 8

Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

Options:

A.

The FortiGuard VOS can be used only with proxy-base policy inspections.

B.

If third-party AV database returns a match the scanned file is deemed to be malicious.

C.

The antivirus database queries FortiGuard with the hash of a scanned file

D.

The AV engine scan must be enabled to use the FortiGuard VOS feature

E.

The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.

Buy Now
Questions 9

Refer to the exhibit showing the history logs from a FortiMail device.

Which FortiMail email security feature can an administrator enable to treat these emails as spam?

Options:

A.

DKIM validation in a session profile

B.

Sender domain validation in a session profile

C.

Impersonation analysis in an antispam profile

D.

Soft fail SPF validation in an antispam profile

Buy Now
Questions 10

You are migrating the branches of a customer to FortiGate devices. They require independent routing tables on the LAN side of the network.

After reviewing the design, you notice the firewall will have many BGP sessions as you have two data centers (DC) and two ISPs per DC while each branch is using at least 10 internal segments.

Based on this scenario, what would you suggest as the more efficient solution, considering that in the future the number of internal segments, DCs or internet links per DC will increase?

Options:

A.

No change in design is needed as even small FortiGate devices have a large memory capacity.

B.

Acquire a FortiGate model with more capacity, considering the next 5 years growth.

C.

Implement network-id, neighbor-group and increase the advertisement-interval

D.

Redesign the SD-WAN deployment to only use a single VPN tunnel and segment traffic using VRFs on BGP

Buy Now
Questions 11

Refer to the exhibit.

You have been tasked with replacing the managed switch Forti Switch 2 shown in the topology.

Which two actions are correct regarding the replacement process? (Choose two.)

Options:

A.

After replacing the FortiSwitch unit, the automatically created trunk name does not change

B.

CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate

C.

After replacing the FortiSwitch unit, the automatically created trunk name changes.

D.

MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.

Buy Now
Questions 12

You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.

Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.

In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)

Options:

A.

disable on ICL trunks

B.

enable on ICL trunks

C.

disable on the ISL and FortiLink trunks

D.

enable on the ISL and FortiLink trunks

Buy Now
Questions 13

On a FortiGate Configured in Transparent mode, which configuration option allows you to control Multicast traffic passing through the?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 14

Refer to the exhibit.

You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.

You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.

How should the initial connection be made?

Options:

A.

Connect the switch on any interface between ports 21 to 24

B.

Connect the switch on any interface between ports 25 to 28

C.

Connect the switch on any interface between ports 1 to 4

D.

Connect the switch on any interface between ports 5 to 8.

Buy Now
Questions 15

Refer to the exhibits.

The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.

You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.

All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must forward it to the third-party service, which will send the email back to FortiMail for final delivery, FortiMail must not scan the e-mail again.

Which three configuration tasks must be performed to meet these requirements? (Choose three.)

Options:

A.

Change the scan order in FML-GW to antispam-sandbox-content.

B.

Apply the Catch-Ail profile to the CFInbound profile and configure a content action profile to deliver to the srv. thirdparty. com FQDN

C.

Create an access receive rule with a Sender value of srv. thirdparcy.com, Recipient value of *@acme.com, and action value of Safe

D.

Apply the Catch-AII profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.

E.

Create an IP policy with a Source value of 100. 64 .0.72/32, enable precedence, and place the policy at the top of the list.

Buy Now
Questions 16

Refer to the exhibit.

A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains & TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.

Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.

What are the two reasons for this behavior? (Choose two.)

Options:

A.

The private-data-encryption key entered on the primary did not match the value that the TPM expected.

B.

Configuration for TPM is not synchronized between FortiGate HA cluster members.

C.

The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.

D.

TPM functionality is not yet compatible with FortiGate HA D The administrator needs to manually enter the hex private data encryption key in FortiManager

Buy Now
Questions 17

A customer is planning on moving their secondary data center to a cloud-based laaS. They want to place all the Oracle-based systems Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center.

They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority.

Which two design options are true based on these requirements? (Choose two.)

Options:

A.

Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.

B.

Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.

C.

Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.

D.

Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge

Buy Now
Questions 18

Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)

• Public IP address (129.11.1.100) is assigned to portl

• Datacenter.acmecorp.com resolves to the public IP address assigned to portl

The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.

Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Exam Code: NSE8_812
Exam Name: Network Security Expert 8 Written Exam
Last Update: Dec 22, 2024
Questions: 60
NSE8_812 pdf

NSE8_812 PDF

$25.5  $84.99
NSE8_812 Engine

NSE8_812 Testing Engine

$30  $99.99
NSE8_812 PDF + Engine

NSE8_812 PDF + Testing Engine

$40.5  $134.99