
NSE8_812 Network Security Expert 8 Written Exam Questions and Answers

Questions 4

Refer to the exhibit.

A customer is trying to set up a Playbook automation using a FortiAnalyzer, FortiWeb and FortiGate. The intention is to have the FortiGate quarantine any source of SQL Injection detected by the FortiWeb. They got the automation stitch to trigger on the FortiGate when simulating an attack on their website, but the quarantine object was created with the IP 0.0.0.0. Referring to the configuration and logs in the exhibits, which two statements are true? (Choose two.)

Options:

A.

The Group By option in the handler should be different to src, so src can be used on the Playbook configuration.

B.

FortiSOC Playbooks combining FortiWeb and FortiGate are not supported.

C.

To diagnose this issue, you need to use the command diagnose test application oftpd 22.

D.

The FortiAnalyzer ADOM Type must be Fabric.

E.

To fix the issue the parameter for script on the Playbook configuration should be epip.

Questions 5

A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

Options:

A.

Change the Adaptive Mode.

B.

Create an HA setup with a second FortiDDoS 200F

C.

Move the internet connection from the SFP interfaces to the LC interfaces

D.

Replace with a FortiDDoS 1500F

Questions 6

Refer to the exhibit of a FortiNAC configuration.

In this scenario, which two statements are correct? (Choose two.)

Options:

A.

A device that is modeled in FortiNAC is connected on VLAN 4093.

B.

An unknown host is connected to port3.

C.

The IP address of the FortiSwitch is 10.12.240.2.

D.

Port8 is connected to a FortiGate in FortiLink mode.

Questions 7

A customer would like to improve the performance of a FortiGate VM running in an Azure D4s_v3 instance, but they already purchased a BYOL VM04 license.

Which two actions will improve performance the most without making a FortiGate license change? (Choose two.)

Options:

A.

Migrate the FortiGate to an Azure F4s_v2.

B.

Enable "Accelerated networking" on the Azure network interfaces.

C.

Enable SR-IOV on the FortiGate.

D.

Migrate the FortiGate to an Azure D8s_v3.

Questions 8

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit C

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in Exhibits A and B, and a baseline VPN configuration is shown in Exhibit C. Referring to the exhibits, which configuration will restore VPN connectivity?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Questions 9

Refer to the exhibit.

Given the exhibit, which two statements about FortiGate FGSP HA cluster behavior are correct? (Choose two.)

Options:

A.

You can run FortiGate Virtual Router Redundancy Protocol (VRRP) high availability in addition to FGSP simultaneously.

B.

Session synchronization occurs over Layer 3 by default, and if unavailable it will then try Layer 2.

C.

You can selectively synchronize only specific sessions between FGSP cluster members.

D.

Cluster members will upgrade one at a time and failover during firmware upgrades.

Questions 10

Refer to the exhibit, which shows a Branch1 configuration and routing table.

In the SD-WAN implicit rule, you do not want the traffic to be load balanced for the overlay interface when all members are available.

In this scenario, which configuration change will meet this requirement?

Options:

A.

Change the load-balance-mode to source-ip-based.

B.

Create a new static route with the internet sdwan-zone only

C.

Configure the cost in each overlay member to 10.

D.

Configure the priority in each overlay member to 10.

Questions 11

Refer to the exhibit, which shows a FortiGate configuration snippet.

A customer in Costa Rica has a FortiGate with SD-WAN configured to use a VPN connection to the United States to browse the internet using a public IP from that country. They would like to enable the SD-WAN rule using a webhook.

Which configuration must be added to the FortiGate, and which type of HTTP request must be used to accomplish this? (Choose two.)

Options:

A.

B.

C.

D.

Questions 12

Refer to the exhibit showing an SD-WAN configuration.

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?

Options:

A.

port16 and port1

B.

port1 and port1

C.

port16 and port15

D.

port1 and port15

Questions 13

Refer to the exhibit.

A customer needs to create a multi-tier MCLAG setup with the topology as shown in the exhibit.

A1/A2

B1/B2

C1/C2

Which command snippet should be applied to it, to allow active/active links in this topology?

Options:

A.

B.

C.

D.

Questions 14

Refer to the exhibit.

A customer wants to automate the creation and configuration of FortiGate VM instances in a VMware vCenter environment using Terraform. They have the creation part working with the code shown in the exhibit.

Which code snippet will allow Terraform to automatically connect to a newly deployed FortiGate if its IP was dynamically assigned by VMware NSX-T?

Options:

A.

B.

C.

D.

Questions 15

Refer to the exhibit.

A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains a TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.

Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.

What are the two reasons for this behavior? (Choose two.)

Options:

A.

The private-data-encryption key entered on the primary did not match the value that the TPM expected.

B.

Configuration for TPM is not synchronized between FortiGate HA cluster members.

C.

The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.

D.

TPM functionality is not yet compatible with FortiGate HA.

E.

The administrator needs to manually enter the hex private data encryption key in FortiManager.

Questions 16

You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?

Options:

A.

The configuration of the MTA Adapter Local Interface is different than on port1.

B.

The MTA adapter is only available in the primary node.

C.

The MTA adapter mode is only detection mode.

D.

The configuration is different than on a standalone device.

Questions 17

Which two statements about bounce address tagging and verification (BATV) on FortiMail are true? (Choose two.)

Options:

A.

You must publish the BATV public key as a DNS TXT record.

B.

Emails with an empty sender address will be subjected to bounce verification.

C.

FortiMail will insert the BATV tag to the sender address in the envelope.

D.

BATV will use symmetric keys to verify the bounce address tag.

Questions 18

On a FortiGate configured in Transparent mode, which configuration option allows you to control multicast traffic passing through the?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Questions 19

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

Options:

A.

OCSP checks will always go to the configured FortiAuthenticator

B.

The OCSP check of the certificate can be combined with a certificate revocation list.

C.

OCSP certificate responses are never cached by the FortiGate.

D.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Questions 20

Refer to the exhibit, which shows a multi-region SD-WAN architecture.

Given this scenario, which two statements are true? (Choose two.)

Options:

A.

If iBGP is used, cross-regional spoke-to-hub shortcuts can be established.

B.

If eBGP is used, ADVPN can be established for branch-to-branch traffic across regions.

C.

If eBGP is used, ADVPN can be established only for branch-to-branch traffic within each region.

D.

If iBGP is used, cross-regional spoke-to-hub shortcuts cannot be used.

Questions 21

A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.

Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

Options:

A.

Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.

B.

Create an IAM account for the cybersecurity department to manage both existing VPCs, create a FortiGate HA cluster on each VPC and an IPSEC VPN to force traffic between the VPCs through the FortiGate clusters.

C.

Migrate all the instances to the same VPC and create IAM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.

D.

Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster.

Questions 22

Which two types of interface have built-in active bypass in FortiDDoS devices? (Choose two.)

Options:

A.

SFP

B.

LC

C.

QSFP+

D.

Copper

E.

SFP+

Questions 23

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the OCSP server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which authentication scenario will FortiGate deny?

Options:

A.

The user certificate does not contain the OCSP URL.

B.

FortiAuthenticator responds to an OCSP request that the user certificate authority is untrusted.

C.

FortiAuthenticator responds to an OCSP request that the user certificate status is unknown.

Questions 24

Refer to the exhibits, which show a topology and diagnostic commands.

Which two statements about the path resolution are true? (Choose two.)

Options:

A.

Latency is the quality criteria.

B.

wan1 is currently used as an outgoing interface.

C.

wan2 is currently used as an outgoing interface.

D.

Packet-loss is the quality criteria.

Questions 25

A FortiGate running FortiOS 7.2.0 GA is configured in multi-vdom mode with a vdom set to vdom type Admin and another vdom set to vdom type Traffic.

Which two GUI sections are available on both VDOM types? (Choose two.)

Options:

A.

Interface configuration

B.

Packet capture

C.

Security Fabric topology and external connectors

D.

Certificates

E.

FortiClient configuration

Questions 26

You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.

Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.

In which two ways must you configure the igmps-flood-traffic and igmps-flood-report settings? (Choose two.)

Options:

A.

disable on ICL trunks

B.

enable on ICL trunks

C.

disable on the ISL and FortiLink trunks

D.

enable on the ISL and FortiLink trunks

Questions 27

Refer to the exhibit.

FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.

Which two statements correctly describe the expected behavior when running this template? (Choose two.)

Options:

A.

The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.

B.

The template will work if you change the variable format to $(WAN).

C.

The template will work if you change the variable format to {{ WAN }}.

D.

The administrator must first manually map the interface for each device with a meta field.

E.

The template will fail because this configuration can only be applied with a CLI or TCL script.

Questions 28

Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.

The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.

Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Questions 29

You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:

The devices and the administrator are all located in different time zones. Daylight saving time (DST) is disabled.

• The FortiGate is at GMT-1000.

• The FortiAnalyzer is at GMT-0800.

• Your browser local time zone is at GMT-03:00.

You want to review this log on the FortiAnalyzer GUI. What time should you use as a filter?

Options:

A.

20:37:08

B.

10:37:08

C.

17:37:08

D.

12:37:08

Questions 30

Refer to the exhibit showing the history logs from a FortiMail device.

Which FortiMail email security feature can an administrator enable to treat these emails as spam?

Options:

A.

DKIM validation in a session profile

B.

Sender domain validation in a session profile

C.

Impersonation analysis in an antispam profile

D.

Soft fail SPF validation in an antispam profile

Questions 31

You are performing a packet capture on a FortiGate 2600F with the hyperscale licensing installed. You need to display on screen all egress/ingress packets from the port16 interface that have been offloaded to the NP7.

Which three commands need to be run? (Choose three.)

Options:

A.

diagnose npu sniffer filter intf port16

B.

diagnose npu sniffer filter selector 0

C.

diagnose sniffer packet npudbg

D.

diagnose npu sniffer filter dir 2

E.

diagnose sniffer packet port16

Exam Code: NSE8_812
Exam Name: Network Security Expert 8 Written Exam
Last Update: Apr 2, 2025
Questions: 105