Fortinet NSE8_810 Free Practice Questions

NEW QUESTION 1
Exhibit

Referring to the exhibit, a FortiADC is load balancing IPV4 traffic between next-hop routers. The FortiADC does not know the IP addresses of the servers, Also the FortiADC is doing Layer 7 content inspection and modification.
In this scenario, which application delivery control is configured in the FortiADC?

• A. Layer 2
• B. Layer 3
• C. Laye.4
• D. Layer 7

Answer: D

NEW QUESTION 2
A FortOS devices is used for termination of VPNs for number of remote spoke VPN units (designated group A spokes) using a phase 1 main mode dial-up tunnel using pre-shared. Your company recently acquired another organization. You are asked establish VPN correctively for the newly acquired organization's sites which new devices will be provisioned (designated Group B spokes). Both exiting (Group A) and new (Group B) spoke units are dynamically addressed. You are asked to ensure that spokes from the acquired organization (Group B) have different access permission than your existing VPN spokes (Group A).
Which two solutions meet the represents for the new spoke group? (Choose two.)

• A. implements a new phase 1 dial-up mode tunnel with preshared keys and XAut
• B. Use identity to filter traffic.
• C. Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the Group A spoke
• D. Use standard policies to filter for the new dial-up tunnel
• E. Implement a new phase 1 dial-up main mode tunnel with certificate authenticatio
• F. Use standard policies to filter for the dial-up tunnel.
• G. Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer I
• H. Use standard policies to filter traffic for the new dial-up tunnel.

Answer: AB

NEW QUESTION 3
Exhibit

You have deployed several perimeter FortiGates wilh terminal segmentation FortiGates befwid them All ForbGale devices are logging to Fortianaluzer. When you search the logs in FortiAnatyzer (or denied traffic,
you see numerous log messages, as shown in the exhibit, on your perimeter FortiGates only. Which two actions would reduce the number pt these log message? (Choose two)

• A. Apply an application control profile lo the perimeter FortiGates that does not inspect DNS traffic to the outbound firewall policy.
• B. Configure the internal ForbGates to communicate to ForpGuard using port 8888.
• C. Disable DNS events logging horn ForirGate In the config log fortianalyser filter section.
• D. Remove DNS signature* <rom the IPS protte appfced to the outbound firewall polic

Answer: BC

NEW QUESTION 4
You want to access the JSON API on FortiManager to retrieve information on an object. In this scenario, which two methods will satisfy the requirement? (Choose two.)

• A. Make a call with the Web browser on your workstation.
• B. Make a call with the SoapUl API tool on your workstation.
• C. Download the WSDL file from FortiManager administration GUI.
• D. Make a call with the curl utility on your workstation

Answer: AC

NEW QUESTION 5
You are asked implement a single FortiGate 5000 chassis using Session-aware Load Balance Cluster (SLBC) with Active-passive for Controllers have the configuration shown below, with the rest of the configuration set to the default values.

Both FotiController show Master status. What is the problem in this scenario?

• A. The management interface of both FotiControllers was connected on the some network.
• B. The priority should be set higher for ForControllers on slot-1.
• C. The b1 interface the two FortiConrollers do not see each other.
• D. The chassis ID settings on FotiControllers on slot 2 should be set to 2.

Answer: A

NEW QUESTION 6
Exhibit

A FortiGate with the default configuration is deployed between two IP phones. FortiGate receives the INVITE request shown in the exhibit from Phone A (internal) to Phone b (exltrnal).
Which two actions are taken by the FortiGate after the packet is received? (Choose two.)

• A. A pinhole will be opened to accept traffic sent to FortiGate's WAN IP address and ports 49169 and 49170.
• B. a pinhole will be opened to accept traffic sent to FortiGate's WAN IP address and ports 49l70 and 49171.
• C. The phone A IP address will be translated lo the WAN IP address in all INVITE header fields and the m: field of the SDP statement.
• D. The phone A IP address will be translated for the WAN IP address in all INVITE header fields and the SDP statement remains intact.

Answer: BC

NEW QUESTION 7
You are administrating the FortiGate 5000 and FortiGate 7000 series products. You want to access the HTTPS GU of the blade located n logical slot of the secondary chassis in a high-availability cluster.
Which URL will accomplish this task?

• A. https//192.168.1.99.44302
• B. https//192.168.1.99.44313
• C. https//192.168.1.99.44322
• D. https//192.168.1.99.44323

Answer: A

NEW QUESTION 8
A company has just deployed a new FortiMail in gateway mode. The administrator is asked to strengthen e-mail protection by applying the policies shown below.
- E-mails can only be accepted if a valid e-mail account exists.
- Only authenticated users can send e-mails out
Which two actions will satisfy the requirements? (Choose two. )

• A. Configure recipient address verification.
• B. Configure inbound recipient policies.
• C. Configure outbound recipient policies.
• D. Configure access control rule

Answer: AC

NEW QUESTION 9
Exhibit

Referring to the exhibit, which command-line option for deep inspection SSL would have the FortiGAte re=sign all untrusted self-signed certificates with the trusted Fortinet_CA_SSl certificate?

• A. allow
• B. block
• C. ignore
• D. inspect

Answer: D

NEW QUESTION 10
An organization has one central site And three remote sites. A FotiSIEM has been drafted on the central site and now all devices across the remote sites need to be monitored by the FortiSlEM.
When action would reduce the WAN usage by the monitoring system?

• A. Deploy a single Supervisor on the central site and enable WAN optimize on the WAN gateways.
• B. Install local Collection remote site.
• C. Disable monitoring on the remote sites during the day.
• D. install a Supervisor and a Collector for each remote sit

Answer: C

NEW QUESTION 11
A customer wants to enable SYN Rood mitigation in a FortiDDoS device. The FortiDDoS must reply with one SYN/ACK packet per SYN packet ftom a new source IP address. Which SYN packet from a new source IP address. Which SYN flood mitigation mode must the customer use?

• A. SYN cookie
• B. SYN/ACK cookie
• C. ACK cookie
• D. SYN retransmission

Answer: A

NEW QUESTION 12
You want to manage a FortiCloud service. The FortiGate shows up in your list devices on the FortiCloud Web site, but all management functions are either missing or grayed out.
Which statement a correct in this scenario?

• A. The managed FcrtGate a running a version of ForflOS that is either too new or too for FortCloud.
• B. The managed FortiGate requires that a FortiCloud management license be purchased and applied.
• C. You must manually configure system control-management on the FortiGate CLI and set the management type to fortiguard.
• D. The management tunnel mode on the managed FortiGate must be changed to norma

Answer: C

NEW QUESTION 13
Exhibit

Referring to the exhibit, which two statements are true? (Choose two.)

• A. port13 and port14 on FS448D-A should be connected to port13 and port14 on FS448D-B.
• B. LAG-1 and LAG 2 should be connected to a single 4-port 802 3ad interface on the FortiGate-A.
• C. LAG-3 on switches on FS448D-A and FS448D-B may be connected to a single 802 3ad trunk on another device.
• D. LAG-1 and LAG-2 should be connected to a 4-port single 802 3ad trunk on another devic

Answer: CD

NEW QUESTION 14
In a FortiGate 5000 series, two FortiControllers are working as an SLBC cluster in a-p mode. The configuration shown below is applied.

When statement is true on how new TCP sessions are handled by the Distributor Processor (DP).
The new session added the DP session table is automatically deleted, if the traffic is denied by the processing worker.

• A. No new session is added is the DP session table until the processing worker accepts the traffic.
• B. A new session added m the DP session table remains in the table remain in the traffic is denied by the procession worker.
• C. A new session added in the OP session table remains is the table only if traffic is traffic is accepted by the processing worker.

Answer: C

NEW QUESTION 15
Exhibit

You have configured an HA cluster with Two FortiGates You want to make sore that you are able to manage the individual duster members using ports3.
Referring to the exhibit, what are two ways to accomplish this task? (Choose two.)

• A. Disable the sync feature on porl3: then configure specific IPs for ports on both cluster members.
• B. Configure port3 to be a dedicated HA management interface, then configure specific IPs for port3 on both cluster members.
• C. Create a management VDOM and Disable the HA synchronization for this VDOM, assign ports to this VDOM, then configure specific IPs for ports on both cluster member.
• D. Allow administrative access in the HA heartbeat interface

Answer: BC

NEW QUESTION 16
Exhibit

The exhibit shows a topology where a FortiGate is two VDOMS, root and vd-vlasn. The root VDCM provides SSL-VPN access, where the users authenticated by a FortiAuthenticatator.
The vd-lan VDOM provids internal access to a Web server. For the remote users to access the internal web server, there are a few requirements, which are shown below.
--At traffic must come from the SSI-VPN
--The vd-lan VDOM only allows authenticated traffic to the Web server.
-- Users must only authenticate once, using the SSL-VPN portal.
-- SSL-VPN uses RADIUS-based authentication.
referring to the exhibit, and the requirement describe above, which two statements are true? (Choose two.)

• A. vd-lan authentication messages from root using FSSO.
• B. vd-lan connects to Fort authenticator as a regular FSSO client.
• C. root is configured for FSSO while vd-lan is configuration for RSSO.
• D. root sends “RADIUS Accounting Messages" to FortiAuthenticato

Answer: AC

NEW QUESTION 17
An old router has been replaced by a FortiWan device. The routers management IP address and now the network administrator to remove the old router from the FortiSIEM configuration.
Which two statements are true about this oper atjon? (Choose two)

• A. FortiSIEM will discover a new device for the FortiWAN with the same IP.
• B. The old router will be completely deleted from FortiSIEM's CMDB.
• C. FotiSEIM needs a special syslog for FortiWAN.
• D. FortiSIM will move the old router device into the Decommission folde

Answer: CD

NEW QUESTION 18
Exhibit

A customer gas just finished their Azure deployment to ensure a Web application behind a FortiWeb. Now they want to add components to protect against advance threats (zero day attacks), centrally the entire environment, and centrally monitor Fortinet and non-Fortinet products.
Which Fortinet will standby these requirements?

• A. Use FotiAnalyzer lor monitor in Azure, FortiSlEM for managemnet, and FortiSandbox for zero day attacks on their local network.
• B. Use Fortianalyzer for monitor Azure, FortiSiEM for management, and FortiGate has zero day attacks on their local network.
• C. Use FortiManager for management in Azure, FortSIEM for monitoring and FcrtiSandbox for zero day attacks on their local network.
• D. Use FortiSIEM for management Azure, FortiManager for management, and FortrGate for zero day attacks on their local network.

Answer: A

NEW QUESTION 19
Exhibit

An administrator implements a multi-chassis Link aggregation (MCLAG) solution using two FortiSwitch 448Ds and one FortiGate 3700D.
As described in the topology shown in the exhibit. two Inks are connected to each FortiSwitch. what is required to implement this solution? (Choose two )

• A. a FortiGate with a hardware or a software switch
• B. an ICL link between both FortiSwitches
• C. a disabled FortiLink, split interface
• D. two Link aggregated (LAG) interfaces on the FortiGate side

Answer: AD

NEW QUESTION 20
Exhibit

You log into FortiManager, look at the Device Manager window and notice that one of you managed devices is not in normal status.
Referring to the exhibit, which two statements correctly describe the affected device's status and result? (Choose two.)

• A. The device configuration was changed on the local FoitiGate side onl
• B. auto-update is disabled.
• C. The device configuration was changed on both the local FortiGate side and the FortiManager side, auto-update is disabled.
• D. The changed configuration on the FortiGate wrt remain the next time that the device configuration is pushed from ForbManager.
• E. The changed configuration on the FortiGate will be overwritten in favor of what is on the FortiMAnager the next time that the device configuration is pushed.

Answer: BD

NEW QUESTION 21
Exhibit

The exhibit shows the configuration of a service protection profile (SPP) in a FortiDDoS device. Which two statements are true about the traffic matching being inspection by this SPP? (Choose two.)

• A. Traffic that does match any spp policy will not be inspection by this spp.
• B. FortiDDos will not send a SYNACK if a SYN packet is coming from an IP address that is not the legtimate IP (LIP) address table.
• C. FortiDooS will start dropping packets as soon as the traffic executed the configured maintain threshold.
• D. SYN packets with payloads will be droope

Answer: AB

NEW QUESTION 22
Exhibit

You need to run a script in FortiManager against several managed FortiGale devices in your organization to install a configuration for a new static route.
Which two scripts will successfully configure the static route on the managed device? (Choose two)

• A. Script 1
• B. Script 2
• C. Script 3
• D. Script 4

Answer: BC

NEW QUESTION 23
You have a customer experiencing problem with a legacy L3L4 firewall device and IPV6 SIP VoIP traffic. They devices is dropping SIP packets, consequently, it process SIP voice calls. Which solution would solve the customer's problem?

• A. Deploy a FortiVoice and enable IPv6 SIP.
• B. Replace their legacy device with a FortiGate and configure it to extract information from the body of the IPv6 packet.
• C. Deploy a FotiVoice and enable an IPv6 SIP session helper.
• D. Replace their legacy device with a FortiGate and deploy a FortiVoice to extract information from the body of the IPv6 SIP packet

Answer: A

NEW QUESTION 24
You have deployed a FortiGate In NAT/Route mode as a secure as a web gateway with a few P-base authentication firewall policies. Your customer reports that some users now have different browsing permission =s from what is expected. All these users are browsing using internet Explorer through Desktop Connection to a Terminal Server. When you took at the Fortigate logs the username for the Terminal Server IP is not consistent.
Which action will correct this problem?

• A. Make sure Terminal Service is using the correct DNS ever.
• B. Configure FSSO Advanced with LDAP integration
• C. Change the FSSO polling mode to windows NetAPI
• D. Install the TSCitrix on the terminal server

Answer: C

NEW QUESTION 25
......