NSE8 Premium Bundle

Fortinet Network Security Expert 8 Written Exam (801) Certification Exam

Last update: November 21, 2024

Fortinet NSE8 Free Practice Questions

Q1. Which VPN protocol is supported by FortiGate units?

A. E-LAN

B. PPTP

C. DMVPN

D. OpenVPN

Answer: B,C

Q2. There is an interface-mode IPsec tunnel configured between FortiGate1 and FortiGate2. You want to run OSPF over the IPsec tunnel. On both FortiGates, the IPsec tunnel is based on physical interface port1. Port1 has the default MTU setting on both FortiGate units.

Which statement is true about this scenario?

A. A multicast firewall policy must be added on FortiGate1 and FortiGate2 to allow protocol 89.

B. The MTU must be set manually in the OSPF interface configuration.

C. The MTU must be set manually on the IPsec interface.

D. An IP address must be assigned to the IPsec interface on FortiGate1 and FortiGate2.

Answer: B

Explanation:

If the MTU doesn’t match, the neighborship gets stuck in the exchange state.

Q3. Given the following error message:

FortiManager fails to import policy ID 1. What is the problem?

A. FortiManager already has address LAN, which has interface mapping set to “internal”, in its database; this conflicts with the STUDENT-2 FortiGate device, which has address LAN mapped to “any”.

B. FortiManager already has address LAN, which has interface mapping set to “any”, in its database; this conflicts with the STUDENT-2 FortiGate device, which has address “LAN” mapped to “internal”.

C. Policy ID 1 for this managed FortiGate device already exists on the FortiManager policy package named STUDENT-2.

D. Policy ID 1 does not have interface mapping on FortiManager.

Answer: D

Explanation:

References: http://kb.fortinet.com/kb/documentLink.do?externalID=FD38544

Q4. Which Fortinet product is used for antispam protection?

A. FortiSwitch

B. FortiGate

C. FortiWeb

D. FortiDB

Answer: B

Q5. An administrator wants to assign static IP addresses to users connecting to tunnel-mode SSL VPN. Each SSL VPN user must always get the same unique IP address, which is never assigned to any other user.

Which solution accomplishes this task?

A. TACACS+ authentication with an attribute-value (AV) pair containing each user’s IP address.

B. RADIUS authentication with each user’s IP address stored in a Vendor Specific Attribute (VSA).

C. LDAP authentication with an LDAP attribute containing each user’s IP address.

D. FSSO authentication with an LDAP attribute containing each user’s IP address.

Answer: D

Q6. A customer wants to implement a RADIUS Single Sign On (RSSO) solution for multiple FortiGate devices. The customer’s network already includes a RADIUS server that can generate the logon and logoff accounting records. However, the RADIUS server can send those records to only one destination.

What should the customer do to overcome this limitation?

A. Send the RADIUS records to an LDAP server and add the LDAP server to the FortiGate configuration.

B. Send the RADIUS records to an RSSO Collector Agent.

C. Send the RADIUS records to one of the FortiGate devices, which can replicate them to the other FortiGate units.

D. Use the RADIUS accounting proxy feature available in FortiAuthenticator devices.

Answer: B

Explanation:

References:

http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf

Q7. A customer wants to implement a RADIUS Single Sign On (RSSO) solution for multiple FortiGate devices. The customer’s network already includes a RADIUS server that can generate the logon and logoff accounting records. However, the RADIUS server can send those records to only one destination.

What should the customer do to overcome this limitation?

A. Send the RADIUS records to an LDAP server and add the LDAP server to the FortiGate configuration.

B. Send the RADIUS records to an RSSO Collector Agent.

C. Send the RADIUS records to one of the FortiGate devices, which can replicate them to the other FortiGate units.

D. Use the RADIUS accounting proxy feature available in FortiAuthenticator devices.

Answer: B

Explanation:

References:

http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf

Q8. Referring to the exhibit, you want to know if aggregating port7 and port22 will work. Which statement is correct?

 

A. Yes, LACP is supported on all ports regardless of whether they are connected to the same NP6.

B. No, LACP is not supported on NP6 platforms.

C. No, LACP is only supported on ports connected to the same NP6.

D. Yes, LACP is supported on ports that are linked together with integrated Switch Fabric.

Answer: C

Explanation:

References:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/NP6.htm

Q9. You verified that application control is working from previously configured categories. You just added Skype to the blocked signatures. However, after applying the profile to your firewall policy, clients running Skype can still connect and use the application.

What are two causes of this problem? (Choose two.)

A. The application control database is not updated.

B. SSL inspection is not enabled.

C. A client on the network was already connected to the Skype network and serves as a relay prior to configuration changes to block Skype.

D. The FakeSkype.botnet signature is included on your application control sensor.

Answer: A,B

Q10. There is an interface-mode IPsec tunnel configured between FortiGate1 and FortiGate2. You want to run OSPF over the IPsec tunnel. On both FortiGates, the IPsec tunnel is based on physical interface port1. Port1 has the default MTU setting on both FortiGate units.

Which statement is true about this scenario?

A. A multicast firewall policy must be added on FortiGate1 and FortiGate2 to allow protocol 89.

B. The MTU must be set manually in the OSPF interface configuration.

C. The MTU must be set manually on the IPsec interface.

D. An IP address must be assigned to the IPsec interface on FortiGate1 and FortiGate2.

Answer: B

Explanation:

If the MTU doesn’t match, the neighborship gets stuck in the exchange state.

Q11. Referring to the exhibit, users are reporting that their FortiFones ring, but when they pick up, they cannot hear each other. The FortiFones use SIP to communicate with the SIP Proxy Server and RTP between the phones.

 

Which configuration change will resolve the problem?

A.  

B.  

C.  

D.  

Answer: C

Explanation:

References: http://docs.fortinet.com/uploaded/files/2813/fortigate-sip-54.pdf

Q12. You implemented FortiGate in transparent mode with 10 different VLAN interfaces in the same forwarding domain. You have defined a policy to allow traffic from any interface to any interface.

Which statement about your implementation is true?

A. FortiGate populates the MAC address table based on destination addresses of frames received from all 10 VLANs.

B. There will be no impact on the STP protocol.

C. All 10 VLANs will become a single broadcast domain for the ARP request.

D. The ARP request will not be forwarded across the different VLAN domains.

Answer: C

Explanation:

References: http://kb.fortinet.com/kb/viewAttachment.do?attachID=Fortigate_Transparent_Mode_Technical_Guide_FortiOS_4_0_version1.2.pdf&documentID=FD33113

Q13. You notice that your FortiGate’s memory usage is very high and that the unit’s performance is adversely affected. You want to reduce memory usage.

Which three commands would meet this requirement? (Choose three.)

A.  

B.  

C.  

D.  

E.  

Answer: A,D,E

Q14. An administrator wants to assign static IP addresses to users connecting to tunnel-mode SSL VPN. Each SSL VPN user must always get the same unique IP address, which is never assigned to any other user.

Which solution accomplishes this task?

A. TACACS+ authentication with an attribute-value (AV) pair containing each user’s IP address.

B. RADIUS authentication with each user’s IP address stored in a Vendor Specific Attribute (VSA).

C. LDAP authentication with an LDAP attribute containing each user’s IP address.

D. FSSO authentication with an LDAP attribute containing each user’s IP address.

Answer: D

Q15. Your NOC contacts the security team due to a problem with a new application flow. You are instructed to disable hardware acceleration for the policy shown in the exhibit for troubleshooting purposes.

 

Which command will disable hardware acceleration for the new application policy?

A.  

B.  

C.  

D.  

Answer: D

Explanation:

References:

http://docs.fortinet.com/uploaded/files/1607/fortigate-hardware-accel-50.pdf

Q16. The SECOPS team in your company has started a new project to store all logging data in a disaster recovery center. All FortiGates will log to a secondary FortiAnalyzer and establish a TCP session to send logs to the syslog server.

Which two configurations will achieve this goal? (Choose two.)

A.  

B.  

C.  

D.  

Answer: A,C

Explanation:

https://forum.fortinet.com/tm.aspx?m=122848
