Fortinet nse8-812 practice test
Fortinet NSE 8 Written Exam
Question 1
Refer to the exhibit containing the configuration snippets from the FortiGate.
Customer requirements:
SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
Public IP address (129.11.1.100) is assigned to port1
Datacenter.acmecorp.com resolves to the public IP address assigned to port1
The customer has a Lets Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
- D. None
Answer:
d
Question 2
Refer to the exhibit showing FortiGate configurations.
FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.
The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI. The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.
What change will correct HA functionality in this scenario?
- A. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.
- B. Make the monitored IP to match on both FortiManager devices.
- C. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
- D. Change the priority of FMG-A to be numerically lower for higher preference.
Answer:
d
Question 3
Refer to the exhibit, which shows a VPN topology.
The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50.
Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?
- A. All the session traffic will pass through the Hub
- B. The TCP port 21 must be allowed on the NAT Device2
- C. ADVPN is not supported when spokes are behind NAT
- D. Spoke1 will establish an ADVPN shortcut to Spoke2
Answer:
a
Question 4
Refer to the exhibit.
You have deployed a security fabric with three FortiGate devices as shown in the exhibit.
FGT_2 has the following configuration:
FGT_1 and FGT_3 are configured with the default setting.
Which statement is true for the synchronization of fabric-objects?
- A. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate
- B. Objects from the root FortiGate will only be synchronized to FGT_2
- C. Objects from the root FortiGate will not be synchronized to any downstream FortiGate
- D. Objects from the root FortiGate will only be synchronized to FGT_3
Answer:
a
Question 5
You are creating the CLI script to be used on a new SD-WAN deployment. You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.
The current configuration is:
Which configuration do you use for the Performance SLA members?
- A. set members any
- B. set members 0
- C. current configuration already fulfills the requirement
- D. set members all
Answer:
c
Question 6
You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:
Given the information shown in the output, which two statements are true? (Choose two.)
- A. Enabling bandwidth control between the ISF and the NP will change the output
- B. The output is showing a packet descriptor queue accumulated counter
- C. Enable HPE shaper for the NP6 will change the output
- D. Host-shortcut mode is enabled
- E. There are packet drops at the XAUI
Answer:
b
Question 7
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-flood-traffic and igmps-flood-report settings? (Choose two.)
- A. disable on ICL trunks
- B. enable on ICL trunks
- C. disable on the ISL and FortiLink trunks
- D. enable on the ISL and FortiLink trunks
Answer:
ac -
Question 8
Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1).
GUI Access 
Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?
- A. FAC2 can only process requests when FAC1 fails.
- B. FAC2 can have its HA interface on a different network than FAC1
- C. The FortiToken license will need to be installed on the FAC2
- D. FSSO sessions from FAC1 will be synchronized to FAC2
Answer:
b
Question 9
A customer is planning on moving their secondary data center to a cloud-based IaaS. They want to place all the Oracle-based systems on Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center.
They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy, and performance as a priority.
Which two design options are true based on these requirements? (Choose two.)
- A. Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.
- B. Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.
- C. Branch FortiGate devices must be configured as VPN clients for the branches internal network to be able to access Oracle services without using public IPs.
- D. Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge.
Answer:
ac
Question 10
Refer to the exhibit, which shows a Branch1 configuration and routing table.
In the SD-WAN implicit rule, you do not want the traffic load balance for the overlay interface when all members are available.
In this scenario, which configuration change will meet this requirement?
- A. Change the load-balance-mode to source-ip-based.
- B. Create a new static route with the internet sdwan-zone only.
- C. Configure the cost in each overlay member to 10.
- D. Configure the priority in each overlay member to 10.
Answer:
d