Q1. You are investigating a problem related to FTP active mode. You use a test PC with IP address 10.100.60.5 to connect to the FTP server at 172.16.133.50 and transfer a large file. The FortiGate translates the source address (SNAT) of network 10.100.60.0/24 to the IP address 172.16.133.1.
Which two groups of CLI commands allow you to see information related to this FTP connection? (Choose two.)
A.
B.
C.
D.
Answer: A,D
Explanation:
FTP active mode uses port 21 and passive mode uses port 20.
Q2. A customer is authenticating users using a FortiGate and an external LDAP server. The LDAP user, John Smith, cannot authenticate. The administrator runs the debug command diagnose debug application fnbamd 255 while John Smith attempts the authentication:
Based on the output shown in the exhibit, what is causing the problem?
A. The LDAP administrator password in the FortiGate configuration is incorrect.
B. The user, John Smith, does have an account in the LDAP server.
C. The user, John Smith, does not belong to any allowed user group.
D. The user, John Smith, is using an incorrect password.
Answer: A
Explanation:
The FortiGate cannot bind to the LDAP server because the bind authentication failed.
Q3. The output shown in the exhibit from FortiManager is displayed during an import of the device configuration.
Which statement describes the correct action taken for these duplicate objects?
A. The import fails because of the duplicate entries detected which exist in the ADOM database.
B. FortiManager installs these duplicate objects to the managed device from the ADOM database.
C. FortiManager does not import these duplicate entries into the ADOM database because they already exist in the ADOM database.
D. FortiManager creates indexed duplicate entries for these objects in the ADOM database.
Answer: B
Explanation:
References:
http://docs.fortinet.com/uploaded/files/2905/FortiManager-5.4.0-Administration-Guide.pdf
Q4. Given the following FortiOS 5.2 commands:
Which vulnerability is being addressed when managing FortiGate through an encrypted management protocol?
A. Remote Exploit Vulnerability in Bash (ShellShock)
B. Information Disclosure Vulnerability in OpenSSL (Heartbleed)
C. SSL v3 POODLE Vulnerability
D. SSL/TLS MITM vulnerability (CVE-2014-0224)
Answer: C
Explanation:
References: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36913
Q5. You are asked to implement a wireless network for a conference center and need to provision a high number of access points to support a large number of wireless client connections.
Which statement describes a valid solution for this requirement?
A. Use a captive portal for guest access. Use both 2.4 GHz and 5 GHz bands. Enable frequency and access point hand-off. Use more channels, thereby supporting more clients.
B. Use an open wireless network with no portal. Use both 2.4 GHz and 5 GHz bands. Use 802.11ac capable access points and configure channel bonding to support greater throughput for wireless clients.
C. Use a pre-shared key only for wireless client security. Use the 5 GHz band only for greater security. Use 802.11ac capable access points and configure channel bonding to support greater throughput for wireless clients.
D. Use a captive portal for guest access. Use both the 2.4 GHz and 5 GHz bands, and configure frequency steering. Configure rogue access point detection in order to automatically control the transmit power of each AP.
Answer: D
Q6. Referring to the diagram shown in the exhibit, you deployed VRRP load balancing using two FortiGate units and two VRRP groups, with a VRRP virtual MAC address enabled on the port2 interface of both FortiGates. During normal operation, both FortiGate units are processing traffic and the VRRP groups are used to load balance the traffic between the two FortiGate units.
If FortiGate unit A fails, what would happen?
A. The FortiGate Unit B port2 interface sends gratuitous ARPs to associate the VRRP virtual router IP address with its own MAC address, and all traffic fails over to it.
B. The FortiGate Unit B port2 interface will use virtual MAC addresses of 00-00-5e-00-01-05 and 00-00-5e-00-01-0a, and all traffic fails over to it.
C. The FortiGate Unit B port2 interface will use virtual MAC addresses of 00-a0-5e-00-01-05 and 00-a0-5e-00-01-0a, and all traffic fails over to it.
D. The FortiGate Unit B port2 interface will use the physical MAC addresses of the FortiGate Unit A port2 interface, and all traffic fails over to it.
Answer: B
Explanation:
If the primary unit fails, the secondary device uses the virtual MAC address to forward traffic.
Q7. Which command detects where a routing path is broken?
A. exec traceroute <destination>
B. exec route ping <destination>
C. diag route null
D. diag debug route <destination>
Answer: A
Q8. You want to enable traffic between 2001:db8:1::/64 and 2001:db8:2::/64 over the public IPv4 Internet.
Given the CLI configuration shown in the exhibit, which two additional settings are required on this device to implement tunneling for the IPv6 transition? (Choose two.)
A. IPv4 firewall policies to allow traffic between the local and remote IPv6 subnets.
B. IPv6 static route to the phase2 destination subnet.
C. IPv4 static route to the phase2 destination subnet.
D. IPv6 firewall policies to allow traffic between the local and remote IPv6 subnets.
Answer: B,D
Explanation:
References: http://docs.fortinet.com/uploaded/files/1969/IPv6%20Handbook%20for%20FortiOS%205.2.pdf
Q9. Given the following error message:
FortiManager fails to import policy ID 1. What is the problem?
A. FortiManager already has address LAN with interface mapping set to “internal” in its database; this conflicts with the STUDENT-2 FortiGate device, which has address LAN mapped to “any”.
B. FortiManager already has address LAN with interface mapping set to “any” in its database; this conflicts with the STUDENT-2 FortiGate device, which has address “LAN” mapped to “internal”.
C. Policy ID 1 for this managed FortiGate device already exists on the FortiManager policy package named STUDENT-2.
D. Policy ID 1 does not have interface mapping on FortiManager.
Answer: D
Explanation:
References: http://kb.fortinet.com/kb/documentLink.do?externalID=FD38544
Q10. Which command syntax would you use to configure the serial number of a FortiGate as its host name?
A.
B.
C.
D.
Answer: A,B
Explanation:
References:
http://defadhil.blogspot.in/2014/04/how-to-protect-fortigate-from.html
Q11. Your company uses a cluster of two FortiGate 3600C units in active-passive mode to protect the corporate network. The FortiGate cluster sends its logs to a FortiAnalyzer and you have configured scheduled weekly reports for the Internet bandwidth usage of each corporate VLAN. During a scheduled maintenance window, you make a series of configuration changes. When the next FortiAnalyzer weekly report is generated, you notice that Internet bandwidth usage reported by the FortiAnalyzer is far less than expected.
What is the reason for this discrepancy?
A. You applied an antivirus profile on some of the policies, and no traffic can be accelerated.
B. You disabled all security profiles on some of the firewall policies, and the traffic matching those policies is now accelerated.
C. You enabled HA session-pickup, which in turn disabled session accounting.
D. You changed from active-passive to active-active, causing the session traffic counters to become inaccurate.
Answer: D
Explanation:
With the change to active-active, traffic is split between the two units, which reduces the bandwidth utilization reported for the cluster.
Q12. Referring to the exhibit, you want to know if aggregating port7 and port22 will work. Which statement is correct?
A. Yes, LACP is supported on all ports regardless of whether they are connected to the same NP6.
B. No, LACP is not supported on NP6 platforms.
C. No, LACP is only supported on ports connected to the same NP6.
D. Yes, LACP is supported on ports that are linked together with integrated Switch Fabric.
Answer: C
Explanation:
References:
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/NP6.htm
Q13. A café offers free Wi-Fi. Customers’ portable electronic devices often do not have antivirus software installed and may be hosting worms without their knowledge. You must protect all customers from any other customers’ infected devices that join the same SSID.
Which step meets the requirement?
A. Enable deep SSH inspection with antivirus and IPS.
B. Use a captive portal to redirect unsecured connections such as HTTP and SMTP to their secured equivalents, preventing worms on infected clients from tampering with other customer traffic.
C. Use WPA2 encryption and configure a policy on FortiGate to block all traffic between clients.
D. Use WPA2 encryption, and enable “Block Intra-SSID Traffic”.
Answer: B
Q16. You are installing a new FortiAP as shown in the exhibit; however, the FortiAP cannot discover the FortiGate. The FortiAP obtained an IP address from the DHCP server and is reachable.
Which two configurations will resolve the problem? (Choose two.)
A.
B.
C.
D.
Answer: B,D
Explanation:
https://forum.fortinet.com/tm.aspx?m=112739