Special Summer Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

NSE8_812 Exam Dumps - Fortinet Network Security Expert Questions and Answers

Question # 14

Refer to the exhibit.

A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains & TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.

Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.

What are the two reasons for this behavior? (Choose two.)

Options:

A.

The private-data-encryption key entered on the primary did not match the value that the TPM expected.

B.

Configuration for TPM is not synchronized between FortiGate HA cluster members.

C.

The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.

D.

TPM functionality is not yet compatible with FortiGate HA.

E.

The administrator needs to manually enter the hex private data encryption key in FortiManager.

Buy Now
Question # 15

Refer to the exhibits.

The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.

You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.

All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must forward it to the third-party service, which will send the email back to FortiMail for final delivery, FortiMail must not scan the e-mail again.

Which three configuration tasks must be performed to meet these requirements? (Choose three.)

Options:

A.

Change the scan order in FML-GW to antispam-sandbox-content.

B.

Apply the Catch-Ail profile to the CFInbound profile and configure a content action profile to deliver to the srv. thirdparty. com FQDN

C.

Create an access receive rule with a Sender value of srv. thirdparcy.com, Recipient value of *@acme.com, and action value of Safe

D.

Apply the Catch-AII profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.

E.

Create an IP policy with a Source value of 100. 64 .0.72/32, enable precedence, and place the policy at the top of the list.

Buy Now
Question # 16

A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.

Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

Options:

A.

Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.

B.

Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters

C.

Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.

D.

Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster

Buy Now
Question # 17

A customer has FortiAP devices in three branch offices managed from a FortiGate in the HQ. Each FortiAP is connected to a dedicated management VLAN.

The customer wants the users connected to the FortiAP SSIDs to use the branch local internet connection, but each branch uses a different VLAN ID for the bridge. HQ users travel to different branches and connect to the same SSID.

Which configuration option will solve this requirement?

Options:

A.

Set each FortiAP to a wtp-group and use set vlan-pooling wtp-group on the VAP configuration with the corresponding VLAN ID configuration for each group.

B.

Set a FortiAuthenticator for 802.1x authentication with the Tunnel-Type attribute set to VLAN and use set dynamic-vlan enable on the VAP configuration.

C.

Use set vlan-pooling round-robin on the VAP configuration with the corresponding vlan-pool.

D.

Use set vlan-pooling hash on the VAP configuration with the corresponding vlan-pool.

Buy Now
Question # 18

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit C

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C Referring to the exhibits, which configuration will restore VPN connectivity?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Question # 19

Refer to the exhibit, which shows a VPN topology.

The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50

Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?

Options:

A.

All the session traffic will pass through the Hub

B.

The TCP port 21 must be allowed on the NAT Device2

C.

ADVPN is not supported when spokes are behind NAT

D.

Spoke1 will establish an ADVPN shortcut to Spoke2

Buy Now
Question # 20

Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.

The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.

Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Question # 21

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

Options:

A.

OCSP checks will always go to the configured FortiAuthenticator

B.

The OCSP check of the certificate can be combined with a certificate revocation list.

C.

OCSP certificate responses are never cached by the FortiGate.

D.

If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

Buy Now
Question # 22

Refer to the CLI configuration of an SSL inspection profile from a FortiGate device configured to protect a web server:

Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?

Options:

A.

FortiGate will reject all HTTP/2 ALPN headers.

B.

FortiGate will strip the ALPN header and forward the traffic.

C.

FortiGate will rewrite the ALPN header to request HTTP/1.

D.

FortiGate will forward the traffic without modifying the ALPN header.

Buy Now
Question # 23

You are designing a setup where the FortiGate device is connected to two upstream ISPs using BGP. Part of the requirement is that you must be able to refresh the route advertisements manually without disconnecting the BGP neighborships.

Which feature must you enable on the BGP neighbors to accomplish this goal?

Options:

A.

Synchronization

B.

Deterministic-med

C.

Graceful-restart

D.

Soft-reconfiguration

Buy Now
Exam Code: NSE8_812
Exam Name: Network Security Expert 8 Written Exam
Last Update: Apr 1, 2025
Questions: 105
NSE8_812 pdf

NSE8_812 PDF

$25.5  $84.99
NSE8_812 Engine

NSE8_812 Testing Engine

$28.5  $94.99
NSE8_812 PDF + Engine

NSE8_812 PDF + Testing Engine

$40.5  $134.99