Fortinet NSE8_812 Exam Practice Test Instant Access

Question 1

Refer to the exhibit.

An HTTPS access proxy is configured to demonstrate its function as a reverse proxy on behalf of the web server it is protecting. It verifies user identity, device identity, and trust context, before granting access to the protected source. It is assumed that the FortiGate EMS fabric connector has already been successfully connected.

You need to ensure that ZTNA access through the FortiGate will redirect users to the FortiAuthenticator to perform username/password and multifactor authentication to validate access prior to accessing resources behind the FortiGate.

In this scenario, which two further steps need to be taken on the FortiGate? (Choose two.)

ACreate a SAML user/server object referring to the FortiAuthenticator.

BCreate an authentication rule that sets the sso-auth-method to the FortiAuthenticator.

CCreate an authentication scheme with the 'method' as SAML.

DCreate a firewall rule that allows access from the remote endpoint to the resources behind the FortiGate.

Answer : A, C

Question 2

Refer to the exhibit showing a FortiView monitor screen.

After a Secure SD-WAN implementation a customer reports that in FortiAnalyzer under FortiView Secure SD-WAN Monitor there is No Device for selection.

What can cause this issue?

AUpload option from FortiGate to FortiAnalyzer is not set as a real time.

BExtended logging is not enabled on FortiGate.

CADOM 1 is set as a Fabric ADOM.

Dsla-fail-log-period and sla-pass-log-period on FortiGate health check is not set.

Answer : A

Question 3

Refer to the exhibit, which shows a FortiGate configuration snippet.

A customer in Costa Rica has a FortiGate with SD-WAN configured to use a VPN connection to the United States to browse the internet using a public IP from that country. They would like to enable the SD-WAN rule using a webhook.

Which configuration must be added to the FortiGate, and which type of HTTP request must be used to accomplish this? (Choose two.)

AOption A

BOption B

COption C

DOption D

Answer : A, B

Question 4

SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.

You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.

What should you configure?

AConfigure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.

BConfigure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.

CConfigure two DNS servers and use DNS servers recommended by the two internet providers.

DConfigure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

Answer : D

SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan

Question 5

An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the OCSP server.

Part of the FortiGate configuration is shown below:

Based on this configuration, which authentication scenario will FortiGate deny?

AThe user certificate does not contain the OCSP URL.

BFortiAuthenticator responds to an OCSP request that the user certificate authority is untrusted.

CFortiAuthenticator responds to an OCSP request that the user certificate status is unknown.

Answer : B

Question 6

Refer to The exhibit showing a FortiEDR configuration.

Based on the exhibit, which statement is correct?

AThe presence of a cryptolocker malware at rest on the filesystem will be detected by the Ransomware Prevention security policy.

BFortiEDR Collector will not collect OS Metadata.

CIf a malicious file is executed and attempts to establish a connection it will generate duplicate events.

DIf an unresolved file rule is triggered, by default the file is logged but not blocked.

Answer : D

Question 7

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit C

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C Referring to the exhibits, which configuration will restore VPN connectivity?

AOption A

BOption B

COption C

DOption D

Answer : C

The output in Exhibit A shows that the VPN tunnel is not established because the peer IP address is incorrect. The output in Exhibit B shows that the peer IP address is 192.168.1.100, but the baseline VPN configuration in Exhibit C shows that the peer IP address should be 192.168.1.101.

To restore VPN connectivity, you need to change the peer IP address in the VPN tunnel configuration to 192.168.1.101. The correct configuration is shown below:

config vpn ipsec phase1-interface

edit 'wan'

set peer-ip 192.168.1.101

set peer-id 192.168.1.101

set dhgrp 1

set auth-mode psk

set psk SECRET_PSK

end

Option A is incorrect because it does not change the peer IP address. Option B is incorrect because it changes the peer IP address to 192.168.1.100, which is the incorrect IP address. Option D is incorrect because it does not include the necessary configuration for the VPN tunnel.

Fortinet NSE8_812 Fortinet NSE 8 - Written Exam Practice Test