NSE8_811 Online Practice Questions and Answers

You are building a FortiGate cluster which is stretched over two locations. The HA connections for the cluster are terminated on the local switches in the data centers. Once the FortiGate devices have booted, they do not form a cluster. The network operators inform you that CRC errors are present on the switches where the FortiGate devices are connected.

What should you do to solve this problem?

A. Set the speed/duplex setting to 1 Gbps / Full Duplex.

B. Replace the cables where the CRC errors occur.

C. Place the HA interfaces in dedicated VLANs.

D. Change the ethertype for the HA packets.

Consider the following FortiGate configuration: Which command-line option for deep inspection SSL would have the FortiGate re-sign all untrusted self-signed certificates with the trusted Fortinet_CA_SSL certificate?

A. block

B. inspect

C. allow

D. ignore

You are administering the FortiGate 5000 and FortiGate 7000 series products. You want to access the HTTPS GUI of the blade located in logical slot 3 of the secondary chassis in a high-availability cluster.

Which URL will accomplish this task?

A. https://192.168.1.99:44322

B. https://192.168.1.99:44323

C. https://192.168.1.99:44313

D. https://192.168.1.99:44302

You cannot ping the FortiGate default gateway 10.10.10.1 from the FortiGate CLI. The FortiGate interface facing the default gateway is wan1 and its IP address is 10.10.10.254/24. During the initial troubleshooting tests, you confirm that you can ping other IP addresses in the 10.10.10.0/24 subnet from the FortiGate CLI without packets lost.

Which two CLI commands will help you to troubleshoot this problem? (Choose two.)

A. diagnose debug flow filter saddr 10.10.10.1 diagnose debug flow trace start 10

B. diagnose hardware deviceinfo nic wan1

C. diagnose ip arp list

D. diag sniffer packet wan1 'arp and host 10.10.10.1'

An administrator reports continuous high CPU utilization on a FortiGate device due to the IPS engine. Consider the global IPS configuration shown below.

Which two configuration actions will reduce the CPU usage? (Choose two.)

A. Reduce the number of packets being logged.

B. Increase engine-count to 2.

C. Enable intelligent mode.

D. Disable fail open.

A FortiGate with the default configuration shown below is deployed between two IP telephones. FortiGate receives the INVITE request shown in the exhibit from Phone A (internal) to Phone B (external).

NVITE sip:[email protected] SIP/2.0 Via: SIP/2.0/UDP 10.31.101.20:5060 From: PhoneA To: PhoneB Call-ID: [email protected] CSeq: 1 INVITE Contact: sip:[email protected] v=0 o=PhoneA 5462346 332134 IN IP4 10.31.101.20 c=IN IP4 10.31.101.20 m=audio 49170 RTP 0 3

Which two statements are correct after the FortiGate receives the packet? (Choose two.)

A. NAT takes place only in the SIP application layer.

B. A pinhole will be opened to accept traffic sent to the FortiGate WAN IP address.

C. NAT takes place at both the network and SIP application layers.

D. A pinhole is not required to accept traffic sent to the FortiGate WAN IP address.

Refer to the exhibit.

You have two data centers with a FortiGate 7000-series chassis connected by VPN. All traffic flows over an established generic routing encapsulation (GRE) tunnel between them. You are troubleshooting traffic that is traversing between Server VLAN A and Server VLAN B. The performance is lower than expected and you notice all traffic is only going through the FPM in slot 3 while nothing through the FPM in slot 4.

Referring to the exhibit, which statement is true?

A. Removing traffic shaping from the firewall policy allowing this traffic will allow for load-balancing to the other module.

B. Changing the algorithm to take source IP, destination IP and port into account will load balance this traffic to the other module.

C. There is no way to load-balance the traffic in this scenario.

D. Configuring a load-balance flow-rule in the CLI will load-balance this traffic.

FortiMail is configured with the protected domain "internal.lab".

Which two envelope addresses will need an access control rule to relay e-mail sent for unauthenticated users? (Choose two.)

A. MAIL FROM: [email protected]; RCPT TO: [email protected]

B. MAIL FROM: [email protected]; RCPT TO: [email protected]

C. MAIL FROM: [email protected]; RCPT TO: [email protected]

D. MAIL FROM: [email protected]; RCPT TO: [email protected]

Refer to the exhibit.

Central NAT was configured on a FortiGate firewall. A sniffer shows ICMP packets out to a host on the Internet egresses with the port1 IP address instead of the virtual IP (VIP) that was configured

Referring to the exhibit, which configuration change will ensure that ICMP traffic is also translated?

A. Option A

B. Option B

C. Option C

D. Option D

Refer to the exhibit.

An organization has a FortiGate cluster that is connected to two independent ISPs. You must configure the FortiGate failover for a single ISP failure to occur without disruption.

Referring to the exhibit, which two FortiGate BGP features are enabled to accomplish this task? (Choose two.)

A. EBGP multipath

B. Graceful restart

C. Synchronization

D. BFD