Fortinet NSE8_812 Exam Questions Instant Access

Question 1

An administrator discovers that CPU utilization of a FortiGate-200F is high and determines that no traffic is being accelerated by hardware.

Why is no traffic being accelerated by hardware?

AOper-session-accounting is enabled under np6xlite config.

Bstrict-dirty-session-check is enabled in global config.

Ccheck-protocol-header is set to strict in the global config.

Ddelay-tcp-npu-session is enabled under the firewall policy.

Answer : C

Question 2

You deployed a fully loaded FG-7121F in the data center and enabled sslvpn-load-balance. Based on the behavior of this feature which statement is correct?

AYou can use src-ip or dst-ip-dport on dp-load-distribution-method to make SSL VPN load balancing work as expected.

BIf an FPM goes down, SSL VPN IP pool IP addresses will be re-allocated to the remaining FPMs.

CTo have better traffic distribution you should use IP pools that increment in multiples of 12.

DEnabling SSL VPN load balancing will clear the session table.

Answer : A

Question 3

Refer to the exhibits, which show a network topology and VPN configuration.

A network administrator has been tasked with modifying the existing dial-up IPsec VPN infrastructure to detect the path quality to the remote endpoints.

After applying the configuration shown in the configuration exhibit, the VPN clients can still connect and access the protected 172.16.205.0/24 network, but no SLA information shows up for the client tunnels when issuing the diagnose sys link-monitor tunnel all command on the FortiGate CLI.

What is wrong with the configuration?

ASLA link monitoring does not work with the net-device setting.

BThe admin needs to disable the mode-cfg setting.

CIPsec Phase1 Interface has to be configured in IPsec main mode.

DIt is necessary to use the IKEv2 protocol in this situation.

Answer : A

Question 4

You are performing a packet capture on a FortiGate 2600F with the hyperscale licensing installed. You need to display on screen all egress/ingress packets from the port16 interface that have been offloaded to the NP7.

Which three commands need to be run? (Choose three.)

Adiagnose npu sniffer filter intf port16

Bdiagnose npu sniffer filter selector 0

Cdiagnose sniffer packet npudbg

Ddiagnose npu sniffer filter dir 2

Ediagnose sniffer packet port16

Answer : A, C, D

Question 5

Refer to the exhibit.

The exhibit shows the topology a customer wants to implement using a flexible authentication scheme. Users connecting from trusted remote locations are authenticated using only their username/password when connecting to the SSLVPN FortiGate in the data center.

When connecting from the Untrusted Clients, users must authenticate using 2-factor authentication.

In this scenario, which RADIUS attribute can be used as a RADIUS policy selector on the FortiAuthenticator to accomplish this goal?

ACalling-Station-Id

BFramed-IP-Address

CTunnel-Client-Auth-Id

DLogin-IP-Host

Answer : C

Question 6

Refer to the exhibit.

You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration:

FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?

AObjects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.

BObjects from the root FortiGate will only be synchronized to FGT__2.

CObjects from the root FortiGate will not be synchronized to any downstream FortiGate.

DObjects from the root FortiGate will only be synchronized to FGT_3.

Answer : D

https://docs.fortinet.com/document/fortigate/6.4.0/new-features/520820/improvements-to-synchronizing-objects-across-the-security-fabric-6-4-4

Question 7

Refer to the exhibit, which shows diagnostic output.

A customer reports that ICMP traffic flow from 192.168.1.11 to 93.190.134.171 is not corresponding to the SD-WAN setup.

What is the problem in this scenario?

ASD-WAN Rule is matching only DNS traffic.

BPort1 is used because it has more available bandwidth.

CTraffic is matched by policy route.

DRoute for the destination IP is missing in the routing table.

Answer : C

Fortinet NSE 8 - Written NSE8_812 Exam Questions