Pass the Fortinet Network Security Expert NSE8_812 Questions and Answers with CertsForce

Viewing page 2 out of 4 pages
Viewing questions 11-20 out of questions
Questions # 11:

Refer to the exhibit, which shows diagnostic output.

A customer reports that the ICMP traffic flow from 192.168.1.11 to 93.190.134.171 does not correspond to the SD-WAN setup.

What is the problem in this scenario?

Options:

A. SD-WAN Rule is matching only DNS traffic.
B. Port1 is used because it has more available bandwidth.
C. Traffic is matched by policy route.
D. Route for the destination IP is missing in the routing table.


Questions # 12:

Refer to the exhibit, which shows a Branch1 configuration and routing table.

In the SD-WAN implicit rule, you do not want the traffic to be load balanced for the overlay interface when all members are available.

In this scenario, which configuration change will meet this requirement?

Options:

A. Change the load-balance-mode to source-ip-based.
B. Create a new static route with the internet sdwan-zone only.
C. Configure the cost in each overlay member to 10.
D. Configure the priority in each overlay member to 10.


Questions # 13:

A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this traffic.

Which two statements are true regarding the requirements? (Choose two.)

Options:

A. FortiGate can perform SSH access proxy host-key validation.
B. You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
C. SSH traffic is tunneled between the client and the access proxy over HTTPS.
D. Traffic is discarded as ZTNA does not support SSH connection rules.


Questions # 14:

Refer to the exhibit, which shows a VPN topology.

The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50.

Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?

Options:

A. All the session traffic will pass through the Hub.
B. The TCP port 21 must be allowed on the NAT Device2.
C. ADVPN is not supported when spokes are behind NAT.
D. Spoke1 will establish an ADVPN shortcut to Spoke2.


Questions # 15:

A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup. The following API call is being made with the 'curl' utility:

Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API? (Choose two.)

Options:

A. Only users with the "Full permission" role can access the REST API.
B. This API call will fail because it requires API version 2.
C. If the REST API web service access key is lost, it cannot be retrieved and must be changed.
D. The syntax is incorrect because the API call needs the GET method.


Questions # 16:

Refer to the exhibit.

You need to create a base SD-WAN configuration that includes SD-WAN rules and Performance SLAs for spoke sites with various connectivity types. It needs to be done in a way that can be easily applied to new sites with a minimum amount of change. How should you create the SD-WAN zones?

Options:

A. With members and assign overlay interfaces.
B. With members without interface assignments.
C. With no members configured.
D. With members and assign interfaces but do not specify a gateway.


Questions # 17:

Refer to the exhibit that shows VPN debugging output.

The VPN tunnel between headquarters and the branch office is not being established.

What is causing the problem?

Options:

A. The Phase-1 encryption algorithms are not matching.
B. There is no matching Diffie-Hellman Group.
C. HQ is using IKE v1 and the branch office is using IKE v2.
D. There is a mismatch in the ISAKMP SA lifetime.


Questions # 18:

Refer to the exhibit showing FortiGate configurations.

FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.

The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI. The managed devices never show online when FMG-B becomes primary, but they will show online whenever FMG-A becomes primary.

What change will correct HA functionality in this scenario?

Options:

A. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.
B. Make the monitored IP to match on both FortiManager devices.
C. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
D. Change the priority of FMG-A to be numerically lower for higher preference.


Questions # 19:

Which two statements about bounce address tagging and verification (BATV) on FortiMail are true? (Choose two.)

Options:

A. You must publish the BATV public key as a DNS TXT record.
B. Emails with an empty sender address will be subjected to bounce verification.
C. FortiMail will insert the BATV tag to the sender address in the envelope.
D. BATV will use symmetric keys to verify the bounce address tag.


Questions # 20:

A customer is operating a FortiWeb cluster in a high volume active-active HA group consisting of eight FortiWeb appliances. One of the secondary members is handling traffic for one specific VIP.

What will happen with the traffic if that secondary FortiWeb appliance fails?

Options:

A. Traffic will be redirected to the next appliance in the same traffic group.
B. Traffic will be redistributed by the primary appliance to the remaining secondary appliances.
C. Traffic will be redistributed by the primary appliance to the remaining secondary appliances that are configured to handle traffic for that specific VIP.
D. Traffic will be redirected to the secondary member with the least number of sessions.

