Certleader offers a free demo for the NSE8_810 exam. "Fortinet Network Security Expert 8 Written Exam (810)", also known as the NSE8_810 exam, is a Fortinet certification. This set of posts, Passing the Fortinet NSE8_810 exam, will help you answer those questions. The NSE8_810 Questions & Answers cover all the knowledge points of the real exam. 100% real Fortinet NSE8_810 exams, revised by experts!

Free demo questions for Fortinet NSE8_810 Exam Dumps Below:

NEW QUESTION 1
Exhibit
NSE8_810 dumps exhibit
A customer has just finished their Azure deployment to secure a Web application behind a FortiWeb. Now they want to add components to protect against advanced threats (zero-day attacks), centrally manage the entire environment, and centrally monitor Fortinet and non-Fortinet products.
Which Fortinet solution will satisfy these requirements?

  • A. Use FortiAnalyzer for monitoring in Azure, FortiSIEM for management, and FortiSandbox for zero-day attacks on their local network.
  • B. Use FortiAnalyzer for monitoring in Azure, FortiSIEM for management, and FortiGate for zero-day attacks on their local network.
  • C. Use FortiManager for management in Azure, FortiSIEM for monitoring, and FortiSandbox for zero-day attacks on their local network.
  • D. Use FortiSIEM for management in Azure, FortiManager for management, and FortiGate for zero-day attacks on their local network.

Answer: A

NEW QUESTION 2
Exhibit
NSE8_810 dumps exhibit
You configured an IPsec tunnel to a branch office. Now you want to make sure that the encryption of the tunnel is offloaded to hardware. Referring to the exhibit, which statement is true?

  • A. Incoming and outgoing traffic is offloaded
  • B. Outgoing traffic is offloaded, you cannot determine if incoming traffic is offloaded at this time.
  • C. Traffic is not offloaded.
  • D. Outgoing traffic is offloaded; incoming traffic is not offloaded.

Answer: D

NEW QUESTION 3
FortiMail is configured with the protected domain "internal.lab".
Which two envelope addresses will need an access control rule to relay e-mail sent for unauthenticated users? (Choose two.)

  • A. MAIL FROM: training@fortinet.com; RCPT TO: student@fortinet.com
  • B. MAIL FROM: student@fortinet.com; RCPT TO: student@internal.lab
  • C. MAIL FROM: training@internal.lab; RCPT TO: student@internal.lab
  • D. MAIL FROM: student@internal.lab; RCPT TO: student@fortinet.com

Answer: C

NEW QUESTION 4
Exhibit
NSE8_810 dumps exhibit
The exhibit shows the configuration of a service protection profile (SPP) in a FortiDDoS device. Which two statements are true about the traffic matching being inspected by this SPP? (Choose two.)

  • A. Traffic that does match any SPP policy will not be inspected by this SPP.
  • B. FortiDDoS will not send a SYN/ACK if a SYN packet is coming from an IP address that is not in the legitimate IP (LIP) address table.
  • C. FortiDDoS will start dropping packets as soon as the traffic exceeds the configured minimum threshold.
  • D. SYN packets with payloads will be dropped.

Answer: AB

NEW QUESTION 5
Exhibit
NSE8_810 dumps exhibit
The exhibit shows a full-mesh topology between FortiGates and FortiSwitches. To deploy this configuration, two requirements must be met:
-- 20 Gbps full duplex connectivity is available between each FortiGate and the FortiSwitches.
-- The FortiGate HA must be in AP mode.
Referring to the exhibit, what are two actions that will fulfill the requirements?

  • A. Configure both FortiSwitches as peers with ICL over cable E, create one MCLAG on ports connected to cables A and C, and create another MCLAG on ports connected to cables B and D.
  • B. Configure the master FortiGate with one LAG and FortiLink split interface disabled on ports connected to cables A and C and make sure the same ports are used for cables B and D.
  • C. Configure both FortiSwitches as peers with ISL over cable E, create one MCLAG on ports connected to cables A and C, and create another MCLAG on ports connected to cables B and D.
  • D. Configure the master FortiGate with one LAG and FortiLink split interface enabled on ports connected to cables A and C and make sure the ports are used for cables B and D on the slave.

Answer: C

NEW QUESTION 6
Exhibit
NSE8_810 dumps exhibit
You log into FortiManager, look at the Device Manager window and notice that one of your managed devices is not in normal status.
Referring to the exhibit, which two statements correctly describe the affected device's status and result? (Choose two.)

  • A. The device configuration was changed on the local FortiGate side only.
  • B. auto-update is disabled.
  • C. The device configuration was changed on both the local FortiGate side and the FortiManager side, auto-update is disabled.
  • D. The changed configuration on the FortiGate will remain the next time that the device configuration is pushed from FortiManager.
  • E. The changed configuration on the FortiGate will be overwritten in favor of what is on the FortiManager the next time that the device configuration is pushed.

Answer: BD

NEW QUESTION 7
A FortiOS device is used for termination of VPNs for a number of remote spoke VPN units (designated Group A spokes) using a phase 1 main mode dial-up tunnel using pre-shared keys. Your company recently acquired another organization. You are asked to establish VPN connectivity for the newly acquired organization's sites, for which new devices will be provisioned (designated Group B spokes). Both existing (Group A) and new (Group B) spoke units are dynamically addressed. You are asked to ensure that spokes from the acquired organization (Group B) have different access permissions than your existing VPN spokes (Group A).
Which two solutions meet the requirements for the new spoke group? (Choose two.)

  • A. Implement a new phase 1 dial-up mode tunnel with pre-shared keys and XAuth.
  • B. Use identity to filter traffic.
  • C. Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the Group A spokes.
  • D. Use standard policies to filter for the new dial-up tunnel.
  • E. Implement a new phase 1 dial-up main mode tunnel with certificate authentication.
  • F. Use standard policies to filter for the dial-up tunnel.
  • G. Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer ID.
  • H. Use standard policies to filter traffic for the new dial-up tunnel.

Answer: AB

NEW QUESTION 8
A customer wants to enable SYN flood mitigation in a FortiDDoS device. The FortiDDoS must reply with one SYN/ACK packet per SYN packet from a new source IP address. Which SYN flood mitigation mode must the customer use?

  • A. SYN cookie
  • B. SYN/ACK cookie
  • C. ACK cookie
  • D. SYN retransmission

Answer: A

NEW QUESTION 9
Exhibit
NSE8_810 dumps exhibit
The exhibit shows a topology where a FortiGate has two VDOMs, root and vd-lan. The root VDOM provides SSL-VPN access, where the users are authenticated by a FortiAuthenticator.
The vd-lan VDOM provides internal access to a Web server. For the remote users to access the internal Web server, there are a few requirements, which are shown below.
-- All traffic must come from the SSL-VPN.
-- The vd-lan VDOM only allows authenticated traffic to the Web server.
-- Users must only authenticate once, using the SSL-VPN portal.
-- SSL-VPN uses RADIUS-based authentication.
Referring to the exhibit, and the requirements described above, which two statements are true? (Choose two.)

  • A. vd-lan authentication messages from root using FSSO.
  • B. vd-lan connects to FortiAuthenticator as a regular FSSO client.
  • C. root is configured for FSSO while vd-lan is configured for RSSO.
  • D. root sends "RADIUS Accounting Messages" to FortiAuthenticator.

Answer: AC

NEW QUESTION 10
Exhibit
NSE8_810 dumps exhibit
You need to apply the security features below to the network shown in the exhibit.
-- high grade DDoS protection
-- Web security and load balancing for Server 1 and Server
-- Solution must be PCI DSS compliant
-- enhanced security to DNS 1 and DNS 2
What are three solutions for the scenario?

  • A. FortiWeb for VDOM-A
  • B. FortiDDoS between FG1 and FG2 and the Internet
  • C. FortiADC for VDOM-A
  • D. FortiADC for VDOM-B
  • E. FortiDDoS between FG1 and FG2 and VDOMs

Answer: D

NEW QUESTION 11
You are asked to add a FortiDDoS to the network to combat detected slow connection attacks such as Slowloris. Which prevention mode on FortiDDoS will protect you against this specific type of attack?

  • A. aggressive aging mode
  • B. rate limiting mode
  • C. blocking mode
  • D. asymmetric mode

Answer: A

NEW QUESTION 12
Exhibit
NSE8_810 dumps exhibit
Your organization has a FortiGate cluster that is connected to two independent ISPs. You must configure the FortiGate failover for a single ISP failure to occur without disruption.
Referring to the exhibit, which two FortiGate BGP features would be used to accomplish this task? (Choose two.)

  • A. Enable BFD
  • B. Enable EBGP multipath
  • C. Enable graceful restart
  • D. Enable synchronization

Answer: BC

NEW QUESTION 13
Exhibit
NSE8_810 dumps exhibit
You have configured an HA cluster with two FortiGates. You want to make sure that you are able to manage the individual cluster members using port3.
Referring to the exhibit, what are two ways to accomplish this task? (Choose two.)

  • A. Disable the sync feature on port3; then configure specific IPs for port3 on both cluster members.
  • B. Configure port3 to be a dedicated HA management interface, then configure specific IPs for port3 on both cluster members.
  • C. Create a management VDOM and disable the HA synchronization for this VDOM, assign port3 to this VDOM, then configure specific IPs for port3 on both cluster members.
  • D. Allow administrative access in the HA heartbeat interface.

Answer: BC

NEW QUESTION 14
You have a customer with a SCADA environmental control device that is triggering a false-positive IPS alert whenever the device's Web GUI is accessed. You cannot seem to create a functional custom IPS filter to exempt this behavior, and it appears that the device is so old that it does not have HTTPS support. You need to prevent the false-positive IPS alert from occurring. In this scenario, which two actions would accomplish this task? (Choose two.)

  • A. Create a very granular firewall policy for that device's IP address which does not perform IPS scanning.
  • B. Reconfigure the FortiGate to operate in proxy-based inspection mode instead of flow-based.
  • C. Create a URL filter with the exempt action for that device's IP address.
  • D. Change the relevant firewall policies to use SSL certificate-inspection instead of SSL deep-inspection.

Answer: BC

NEW QUESTION 15
Exhibit
NSE8_810 dumps exhibit
The exhibit shows the steps for creating a URL rewrite policy on a FortiWeb. Which statement represents the purpose of this policy?

  • A. The policy redirects all HTTP URLs to HTTPS.
  • B. The policy redirects all HTTPS URLs to HTTP.
  • C. The policy redirects only HTTPS URLs containing the ^/(.*)$ string to HTTP.
  • D. The policy redirects only HTTP URLs containing the ^/(.*)$ string to HTTP.

Answer: A

NEW QUESTION 16
You are asked to implement a single FortiGate 5000 chassis using Session-aware Load Balance Cluster (SLBC) with Active-Passive FortiControllers. The FortiControllers have the configuration shown below, with the rest of the configuration set to the default values.
NSE8_810 dumps exhibit
Both FortiControllers show Master status. What is the problem in this scenario?

  • A. The management interface of both FortiControllers was connected on the same network.
  • B. The priority should be set higher for FortiControllers on slot-1.
  • C. The b1 interfaces of the two FortiControllers do not see each other.
  • D. The chassis ID settings on FortiControllers on slot 2 should be set to 2.

Answer: A

NEW QUESTION 17
An organization has one central site and three remote sites. A FortiSIEM has been deployed on the central site and now all devices across the remote sites need to be monitored by the FortiSIEM.
Which action would reduce the WAN usage by the monitoring system?

  • A. Deploy a single Supervisor on the central site and enable WAN optimization on the WAN gateways.
  • B. Install a local Collector on each remote site.
  • C. Disable monitoring on the remote sites during the day.
  • D. Install a Supervisor and a Collector for each remote site.

Answer: C

NEW QUESTION 18
Exhibit
NSE8_810 dumps exhibit
Referring to the exhibit, a FortiADC is load balancing IPv4 traffic between next-hop routers. The FortiADC does not know the IP addresses of the servers. Also, the FortiADC is doing Layer 7 content inspection and modification.
In this scenario, which application delivery control is configured in the FortiADC?

  • A. Layer 2
  • B. Layer 3
  • C. Layer 4
  • D. Layer 7

Answer: D

NEW QUESTION 19
Exhibit
[MISSING]
You configure AV and Web filtering for your outgoing internet connection.
You later notice that not all Web sessions are being inspected and you start troubleshooting the problem. Referring to the exhibit, what would cause this problem?

  • A. The Web session is using QUIC, which is not inspected by the FortiGate.
  • B. There are problems with the connection to the Web filter servers, therefore the Web session cannot be categorized.
  • C. The SSL inspection options are not set to inspection.
  • D. Web filtering is not licensed, therefore no inspection occurs.

Answer: A

NEW QUESTION 20
You want to manage a FortiCloud service. The FortiGate shows up in your list of devices on the FortiCloud Web site, but all management functions are either missing or grayed out.
Which statement is correct in this scenario?

  • A. The managed FortiGate is running a version of FortiOS that is either too new or too old for FortiCloud.
  • B. The managed FortiGate requires that a FortiCloud management license be purchased and applied.
  • C. You must manually configure system central-management on the FortiGate CLI and set the management type to fortiguard.
  • D. The management tunnel mode on the managed FortiGate must be changed to normal.

Answer: C

NEW QUESTION 21
You must create a High Availability deployment with two FortiWebs in Amazon Web Services (AWS), each on different Availability Zones (AZ) from the same region. At the same time, each FortiWeb should be able to deliver content from the Web servers of both of the AZs. Which deployment would fulfill this requirement?

  • A. Configure the FortiWebs in Active-Active HA mode and use AWS Route 53 to load balance the internal Web servers.
  • B. Configure the FortiWebs in Active-Active HA mode and use AWS Elastic Load Balancer (ELB) for the internal Web servers.
  • C. Use AWS Route 53 to load balance FortiWebs in standalone mode and use AWS Virtual Private Cloud (VPC) peering to load balance the internal Web servers.
  • D. Use AWS Elastic Load Balancer (ELB) for both FortiWebs in standalone mode and the internal Web servers in an ELB sandwich.

Answer: C

NEW QUESTION 22
Exhibit
NSE8_810 dumps exhibit
You have deployed several perimeter FortiGates with internal segmentation FortiGates behind them. All FortiGate devices are logging to FortiAnalyzer. When you search the logs in FortiAnalyzer for denied traffic, you see numerous log messages, as shown in the exhibit, on your perimeter FortiGates only. Which two actions would reduce the number of these log messages? (Choose two.)

  • A. Apply an application control profile to the perimeter FortiGates that does not inspect DNS traffic to the outbound firewall policy.
  • B. Configure the internal FortiGates to communicate to FortiGuard using port 8888.
  • C. Disable DNS events logging from FortiGate in the config log fortianalyzer filter section.
  • D. Remove DNS signatures from the IPS profile applied to the outbound firewall policy.

Answer: BC

NEW QUESTION 23
......
