NSE8_810 Online Practice Questions and Answers

Questions 4

You must create a high availability deployment with two FortiWebs in Amazon Web Services (AWS), each in a different Availability Zone (AZ) of the same region. At the same time, each FortiWeb should be able to deliver content from the Web servers of both of the AZs.

Which deployment would fulfill this requirement?

A. Configure the FortiWebs in Active-Active HA mode and use AWS Route 53 to load balance the internal Web servers.

B. Configure the FortiWebs in Active-Active HA mode and use AWS Elastic Load Balancer (ELB) for the internal Web servers.

C. Use AWS Route 53 to load balance FortiWebs in standalone mode and use AWS Virtual Private Cloud (VPC) peering to load balance the internal Web servers.

D. Use AWS Elastic Load Balancer (ELB) for both FortiWebs in standalone mode and the internal Web servers in an ELB sandwich.

Questions 5

You have a customer experiencing problems with a legacy L3/L4 firewall device and IPv6 SIP VoIP traffic. The device is dropping SIP packets; consequently, it cannot process SIP voice calls. Which solution would solve the customer's problem?

A. Deploy a FortiVoice and enable IPv6 SIP.

B. Replace their legacy device with a FortiGate and configure it to extract information from the body of the IPv6 packet.

C. Deploy a FortiVoice and enable an IPv6 SIP session helper.

D. Replace their legacy device with a FortiGate and deploy a FortiVoice to extract information from the body of the IPv6 SIP packet.

Questions 6

Click the Exhibit button.

You have deployed several perimeter FortiGates with internal segmentation FortiGates behind them. All FortiGate devices are logging to FortiAnalyzer. When you search the logs in FortiAnalyzer for denied traffic, you see numerous log messages, as shown in the exhibit, on your perimeter FortiGates only.

Which two actions would reduce the number of these log messages? (Choose two.)

A. Apply an application control profile to the perimeter FortiGates that does not inspect DNS traffic to the outbound firewall policy.

B. Configure the internal FortiGates to communicate to FortiGuard using port 8888.

C. Disable DNS events logging from FortiGate in the config log fortianalyzer filter section.

D. Remove DNS signature*

Questions 7

Click the Exhibit button.

The exhibit shows the configuration of a service protection profile (SPP) in a FortiDDoS device.

Which two statements are true about the traffic matching being inspected by this SPP? (Choose two.)

A. Traffic that does match any SPP policy will not be inspected by this SPP.

B. FortiDDoS will not send a SYN/ACK if a SYN packet is coming from an IP address that is not in the legitimate IP (LIP) address table.

C. FortiDDoS will start dropping packets as soon as the traffic exceeds the configured minimum threshold.

D. SYN packets with payloads will be dropped.

Questions 8

Click the exhibit.

An IPsec VPN is connecting the headquarters office (HQ) with a branch office (BO), and OSPF is used to redistribute routes between the offices. After deployment, a server with IP address 10.10.10.35, located on the DMZ network of the BO FortiGate, was reported unreachable from hosts located on the LAN network of the same FortiGate.

Referring to the exhibit, which statement is true?

A. The ICMP packets are being blocked by an implicit deny policy.

B. The incoming access list should have an accept action instead of a deny action to solve the problem.

C. A directly connected subnet is being partially superseded by an OSPF redistributed subnet.

D. Enabling NAT on the VPN firewall policy will solve the problem.

Questions 9

Click the Exhibit button.

Your customer is using dynamic routing to exchange the default route between two FortiGates using OSPFv2. The output of the get router info ospf neighbor command shows that the neighbor is up, but the default route does not appear in the routing neighbor shown below:

According to the exhibit, what is causing the problem?

A. A prefix for the default route is missing.

B. OSPF requires the redistribution of connected networks.

C. There is an OSPF interface network-type mismatch.

D. FG2 is within the wrong OSPF area.

Questions 10

A FortiOS device is used for termination of VPNs for a number of remote spoke VPN units (designated Group A spokes) using a phase 1 main mode dial-up tunnel using pre-shared keys. Your company recently acquired another organization. You are asked to establish VPN connectivity for the newly acquired organization's sites, for which new devices will be provisioned (designated Group B spokes). Both existing (Group A) and new (Group B) spoke units are dynamically addressed. You are asked to ensure that spokes from the acquired organization (Group B) have different access permissions than your existing VPN spokes (Group A).

Which two solutions meet the requirements for the new spoke group? (Choose two.)

A. Implement a new phase 1 dial-up mode tunnel with pre-shared keys and XAuth. Use identity to filter traffic.

B. Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the Group A spokes. Use standard policies to filter for the new dial-up tunnel.

C. Implement a new phase 1 dial-up main mode tunnel with certificate authentication. Use standard policies to filter for the dial-up tunnel.

D. Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer ID. Use standard policies to filter traffic for the new dial-up tunnel.

Questions 11

Click the exhibit button.

A FortiGate device is configured to authenticate SSL VPN users using digital certificates. Part of the FortiGate configuration is shown in the exhibit.

Which two statements are true in this scenario? (Choose two.)

A. The authentication will fail if the OCSP server is down.

B. OCSP is used to verify that the user-signed certificate has not expired.

C. The authentication will fail if the certificate does not contain user principal name (UPN) information.

D. The authentication will fail if the user certificate does not contain the CA_Cert string in the Failed.

Questions 12

Click the Exhibit button.

A FortiGate is configured for a dial-up IPsec VPN to allow multiple remote FortiGates to connect to it.

However, FortiGates A and B have problems connecting to the VPN. Only one of them can be connected at a time. If site B tries to connect while site A is connected, site A is disconnected. The IKE real-time debug shows the output in the exhibit when site A is disconnected.

Which configuration setting should be executed in the dial-up configuration to allow both VPNs to be connected at the same time?

A. set enforce-unique-id disable

B. set add-route enable

C. set single-source disable

D. set route-overlap allow

Questions 13

Click the Exhibit button.

Only users authenticated in FortiGate-B can reach the server. A customer wants to deploy a single sign-on solution for IPsec VPN users. Once a user is connected and authenticated to the VPN in FortiGate-A, the user does not need to authenticate again in FortiGate-B to reach the server.

Which two actions satisfy this requirement? (Choose two.)

A. Use Kerberos authentication.

B. FortiGate-A must generate RADIUS accounting packets.

C. Use FortiAuthenticator.

D. Use the Collector Agent.

Exam Code: NSE8_810
Exam Name: Fortinet Network Security Expert 8 Written Exam (810)
Last Update: Apr 12, 2024
Questions: 60