Verified NSE8_812 dumps Q&As 100% Pass in First Attempt Guaranteed Updated Dump from VCEEngine [Q12-Q32]


Pass Fortinet Network Security Expert NSE8_812 Exam With 62 Questions


The Fortinet NSE8_812 (Fortinet NSE 8 - Written Exam) certification exam is designed for cybersecurity professionals who aim to enhance their knowledge and skills to keep up with ever-evolving cybersecurity threats. Obtaining this certification demonstrates that the individual is capable of designing, deploying, and managing complex security solutions using Fortinet's latest products and technologies. The NSE8_812 exam is challenging, but it is an excellent way to demonstrate a high level of cybersecurity expertise that can lead to better job opportunities and career growth.


The Fortinet NSE8_812 certification exam has a time limit of 120 minutes. It is an online exam, and candidates must have a reliable and stable internet connection to take it. The NSE8_812 exam fee is $400, and the certification is valid for two years. The Fortinet NSE 8 - Written Exam (NSE8_812) certification demonstrates that the certified individual possesses a high level of expertise in using Fortinet's latest products, technologies, and best practices to secure a network.


NEW QUESTION # 12
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-flood-traffic and igmps-flood-report settings? (Choose two.)

  • A. disable on ICL trunks
  • B. disable on the ISL and FortiLink trunks
  • C. enable on the ISL and FortiLink trunks
  • D. enable on ICL trunks

Answer: A,C

Explanation:
To ensure that unnecessary multicast traffic is pruned from links that do not have a multicast listener, you must disable IGMP flood traffic on the ICL trunks and enable IGMP flood reports on the ISL and FortiLink trunks.
Disabling IGMP flood traffic will prevent the FortiSwitch units from flooding multicast traffic to all ports on the ICL trunks. This will help to reduce unnecessary multicast traffic on the network.
Enabling IGMP flood reports will allow the FortiSwitch units to learn which ports are interested in receiving multicast traffic. This will help the FortiSwitch units to prune multicast traffic from links that do not have a multicast listener.


NEW QUESTION # 13
An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.
Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

  • A. OCSP checks will always go to the configured FortiAuthenticator
  • B. The OCSP check of the certificate can be combined with a certificate revocation list.
  • C. If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.
  • D. OCSP certificate responses are never cached by the FortiGate.

Answer: A,C

Explanation:
A is correct because the OCSP server is configured as the FortiAuthenticator in the config vpn certificate ocsp-server section. D is correct because the config vpn ssl settings section has set ocsp-option to allow. This means that if the OCSP server is unreachable, authentication will succeed if the certificate matches the CA. Reference: https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/ssl-vpn-authentication https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/266506/ssl-vpn-with-certificate-authentication


NEW QUESTION # 14
Refer to the exhibits.

An administrator has configured a FortiGate and FortiAuthenticator for two-factor authentication with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and authenticate, but push notifications do not work. Based on the information given in the exhibits, what must be done to fix this?

  • A. FAC-1 must have an internet routable IP address for push notifications.
  • B. On FG-1 CLI, the ftm-push server setting must point to 100.64.141.
  • C. On FG-1 port1, the ftm access protocol must be enabled.
  • D. On FAC-1, the FortiToken public IP setting must point to 100.64.1 41

Answer: A

Explanation:
FortiToken push notifications require that the FortiAuthenticator has an internet routable IP address. This is because the FortiAuthenticator uses this IP address to send push notifications to the FortiGate.
The other options are not correct. Enabling the ftm access protocol on FG-1 port1 is not necessary for push notifications to work. The ftm-push server setting on FG-1 CLI should already point to the FortiAuthenticator's IP address. The FortiToken public IP setting on FAC-1 is not relevant to push notifications.
Here is a table that summarizes the different options:


NEW QUESTION # 15
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic.
Which action achieves the requirement in this scenario?

  • A. Add a VLAN under the FEX-WAN interface on the FortiGate.
  • B. Add a switch between the FortiGate and FEX.
  • C. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
  • D. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode

Answer: C

Explanation:
The FortiExtender (FEX) is a device that provides wireless WAN connectivity for FortiGate devices by using 3G/4G/LTE cellular networks. The FEX can be managed by the FortiGate device that it connects to, or by a FortiManager device in a centralized management scenario.
The FEX can use either Ethernet or CAPWAP connectivity to communicate with the FortiGate device. Ethernet connectivity means that the FEX uses a standard Ethernet connection to send and receive data packets from the FortiGate device. CAPWAP connectivity means that the FEX uses a Control And Provisioning of Wireless Access Points (CAPWAP) tunnel to encapsulate data packets and send them over an IP network to the FortiGate device.
If the requirement is to minimize the overhead on the device for WAN traffic, one option is to enable CAPWAP connectivity between the FortiGate and the FEX. This option can reduce the overhead on the device by offloading some of the processing tasks from the CPU to the NP6 processor, which can handle CAPWAP traffic more efficiently than Ethernet traffic. This option can also provide more flexibility and scalability for WAN traffic by allowing multiple FEX devices to connect to a single FortiGate device over an IP network.
Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/configuring-fortigate-with-fortiextender https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/capwap-connectivity


NEW QUESTION # 16
Refer to the exhibit, which shows a VPN topology.

The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50. Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?

  • A. ADVPN is not supported when spokes are behind NAT
  • B. The TCP port 21 must be allowed on the NAT Device2
  • C. All the session traffic will pass through the Hub
  • D. Spoke1 will establish an ADVPN shortcut to Spoke2

Answer: D

Explanation:
D is correct because Spoke1 will establish an ADVPN shortcut to Spoke2 when it detects that there is a demand for traffic between them. This is explained in the Fortinet Community article on Technical Tip: Fortinet Auto Discovery VPN (ADVPN) under Summary - ADVPN sequence of events. References: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195698


NEW QUESTION # 17
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)

  • A. Change the persistence rule to LB_PERSIS_SSL_SESS_ID.
  • B. Add a connection-pool to the FortiADC virtual server
  • C. Add more web servers to the real server pool
  • D. Disable SSL between the FortiADC and the web servers

Answer: A,B

Explanation:
The FortiADC HA cluster is a load balancing solution that distributes traffic among multiple web servers in L7 Full NAT mode. L7 Full NAT mode means that FortiADC terminates both client and server SSL connections and performs full NAT for both source and destination IP addresses and ports.
One possible reason for users not being able to access the website during a sale event is that the persistence rule is not configured properly. A persistence rule is a feature that ensures that subsequent requests from the same client are sent to the same web server, which is important for maintaining session continuity and avoiding errors or data loss. The default persistence rule for L7 Full NAT mode is LB_PERSIS_SRC_IP, which uses the source IP address of the client as the persistence key. However, this rule may not work well if there are many clients behind a proxy or NAT device that share the same source IP address, or if there are clients that change their source IP address frequently due to roaming or switching networks. Therefore, to resolve this situation, one option is to change the persistence rule to LB_PERSIS_SSL_SESS_ID, which uses the SSL session ID of the client as the persistence key. This rule can provide more accurate and reliable persistence for SSL connections than LB_PERSIS_SRC_IP.
Another possible reason for users not being able to access the website during a sale event is that there are too many TCP connections being established and terminated between FortiADC and the web servers, which consumes CPU resources and causes performance degradation. Therefore, to resolve this situation, another option is to add a connection-pool to the FortiADC virtual server. Connection-pool is a feature that allows FortiADC to reuse existing TCP connections between FortiADC and the web servers, instead of creating new ones for each request. This can reduce CPU overhead, improve response time, and increase throughput.
Reference: https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/load-balancing-methods-and-persistence https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/connection-pool


NEW QUESTION # 18
Refer to the exhibits.

A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table. Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.
Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)

  • A. 172.62.0.64/27
  • B. 172.16.204.128/25
  • C. 172.16.204.64/27
  • D. 172.16.201.96/29

Answer: B,C

Explanation:
The prefix list in the exhibit is configured to match prefixes that are either in the 172.16.204.0/24 subnet or in the 172.62.0.0/16 subnet. The routes that match these prefixes will be active in the routing table on the HQ firewall.
The routes that match the following prefixes will not be active in the routing table:
172.16.201.96/29
172.62.0.64/27
These routes do not match the criteria set by the prefix list.
References:
Prefix lists | FortiGate / FortiOS 7.4.0 - Fortinet Document Library
Configuring BGP | FortiGate / FortiOS 7.4.0 - Fortinet Document Library


NEW QUESTION # 19
Refer to the exhibit showing a firewall policy configuration.

To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1.
What change does the administrator need to make?

  • A.
  • B.
  • C.
  • D.

Answer: C

Explanation:
The firewall policy in the exhibit allows all traffic from the internal network to the cloud. To enforce authentication on this traffic, the administrator needs to add the auth-on-demand option to the policy. This option will force all users to authenticate before they are allowed to access the cloud.
The following is the correct configuration:
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "all"
        set action accept
        set auth-on-demand enable
    next
end
References:
Configuring firewall authentication | FortiGate / FortiOS 7.4.0 - Fortinet Document Library
Firewall policy configuration | FortiGate / FortiOS 7.4.0 - Fortinet Document Library


NEW QUESTION # 20
You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is not a factor. Which adapter type for the NICs will you recommend?

  • A. Virtual Function (VF) PCI Passthrough
  • B. Physical Function (PF) PCI Passthrough
  • C. Native ESXi Networking with VMXNET3
  • D. Native ESXi Networking with E1000

Answer: C

Explanation:
The FortiGate VM is a virtual firewall appliance that can run on various hypervisors, such as ESXi, Hyper-V, KVM, etc. The adapter type for NICs on a FortiGate VM determines the performance and compatibility of the network interface cards with the hypervisor and the physical network. There are different adapter types available for NICs on a FortiGate VM, such as E1000, VMXNET3, SR-IOV, etc.
If performance is the main concern and cost is not a factor, one option is to use native ESXi networking with the VMXNET3 adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor. VMXNET3 is a paravirtualized network interface card that is optimized for performance in virtual machines and supports features such as multiqueue support, Receive Side Scaling (RSS), Large Receive Offload (LRO), IPv6 offloads, and MSI/MSI-X interrupt delivery. Native ESXi networking means that the FortiGate VM uses the standard virtual switch (vSwitch) or distributed virtual switch (dvSwitch) provided by the ESXi hypervisor to connect to the physical network. This option can provide high performance and compatibility for NICs on a FortiGate VM without requiring additional hardware or software components.
Reference: https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/installing-fortigate-vm-on-vmware-esxi https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/networking


NEW QUESTION # 21
You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail. What are two possible reasons for this problem? (Choose two.)

  • A. The FortiMail access control rules to relay from Office 365 servers public IPs are missing.
  • B. The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
  • C. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.
  • D. The FortiMail DKIM key was not set using the Auto Generation option.

Answer: A,C

Explanation:
FortiMail Cloud service is a cloud-based email security solution that integrates with Office 365 to provide protection against spam, malware, phishing, data loss, etc. To use FortiMail Cloud service with Office 365, users need to configure both FortiMail Cloud settings and Office 365 settings properly.
One possible reason for outgoing emails not reaching the recipients' mailboxes is that the FortiMail access control rules to relay from Office 365 servers' public IPs are missing. This means that FortiMail Cloud service does not recognize the Office 365 servers as authorized senders and rejects the outgoing emails. Users need to add the Office 365 servers' public IPs to the FortiMail access control rules to allow relaying.
Another possible reason for outgoing emails not reaching the recipients' mailboxes is that a Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN. This means that Office 365 does not route the outgoing emails to the FortiMail Cloud service for scanning and delivery. Users need to create a Mail Flow connector from the Exchange Admin Center and specify the FortiMail Cloud FQDN as the smart host.
Reference: https://docs.fortinet.com/document/fortimail-cloud/6.4.0/administration-guide/19662/integrating-fortimail-cloud-with-office-365


NEW QUESTION # 22
Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.
The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.
Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)

A)

B)

  • A. Option B
  • B. Option D
  • C. Option C
  • D. Option A

Answer: A,C

Explanation:
To enable application detection on plain-text traffic that has been decrypted by FortiADC, the administrator must perform two configuration tasks on CL-1:
Enable SSL offloading in the firewall policy and select the SSL-Offload protocol options profile.
Enable application control in the firewall policy and select the SSL-Offload-App-Detect application list. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic


NEW QUESTION # 23
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic.
Which action achieves the requirement in this scenario?

  • A. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode
  • B. Add a VLAN under the FEX-WAN interface on the FortiGate.
  • C. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
  • D. Add a switch between the FortiGate and FEX.

Answer: A

Explanation:
VLAN Mode is a more efficient way to connect a FortiExtender to a FortiGate than CAPWAP Mode. This is because VLAN Mode does not require the FortiExtender to send additional control traffic to the FortiGate.
The other options are not correct.
a) Add a switch between the FortiGate and FEX. This will add overhead to the network, as the switch will need to process the traffic.
b) Enable CAPWAP connectivity between the FortiGate and the FortiExtender. This will increase the overhead on the FortiGate, as it will need to process additional control traffic.
d) Add a VLAN under the FEX-WAN interface on the FortiGate. This will not affect the overhead on the FortiGate.


NEW QUESTION # 24
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-flood-traffic and igmps-flood-report settings? (Choose two.)

  • A. disable on ICL trunks
  • B. disable on the ISL and FortiLink trunks
  • C. enable on the ISL and FortiLink trunks
  • D. enable on ICL trunks

Answer: A,B

Explanation:
A is correct because disabling igmps-flood-traffic and igmps-flood-report on ICL trunks prevents unnecessary multicast traffic from being flooded across the MCLAG cluster members. C is correct because disabling igmps-flood-traffic and igmps-flood-report on the ISL and FortiLink trunks prevents unnecessary multicast traffic from being flooded to other switches or FortiGates that do not have multicast listeners. Reference: https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding/381058/configuring-multicast-forwarding


NEW QUESTION # 25
Review the following FortiGate-6000 configuration excerpt:

Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?

  • A. It statically distributes SNAT source ports to operating FPCs or FPMs
  • B. It equally distributes SNAT source ports across chassis slots.
  • C. It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.
  • D. It dynamically distributes SNAT source ports to operating FPCs or FPMs.

Answer: A

Explanation:
Based on the configuration, the statement that is correct regarding SNAT source port partitioning behavior is that it statically distributes SNAT source ports to operating FPCs or FPMs. This is because the nat-source-port option is set to chassis-slots, which means that the FortiGate-6000 will allocate SNAT source ports to all FPCs or FPMs that are enabled when the command is entered. If an FPC or FPM is disabled from the CLI, the SNAT source ports assigned to that FPC or FPM will not be re-allocated to the remaining FPCs or FPMs. This option preserves active sessions when an FPC or FPM goes down, but does not dynamically re-distribute SNAT source ports if an FPC or FPM is powered off. Reference: https://docs.fortinet.com/document/fortigate/7.2.5/fortigate-6000-administration-guide/81276/controlling-snat-port-partitioning-behavior


NEW QUESTION # 26
You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail. What are two possible reasons for this problem? (Choose two.)

  • A. The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
  • B. The FortiMail access control rules to relay from Office 365 servers public IPs are missing.
  • C. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.
  • D. The FortiMail DKIM key was not set using the Auto Generation option.

Answer: A,C

Explanation:
a) The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
If the access control rule to relay from Office 365 servers FQDN is missing, then FortiMail will not be able to send emails to Office 365. This is because the access control rule specifies which IP addresses or domains are allowed to relay emails through FortiMail.
b) A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.
If the Mail Flow connector from the Exchange Admin Center is not set properly to the FortiMail Cloud FQDN, then Office 365 will not be able to send emails to FortiMail. This is because the Mail Flow connector specifies which SMTP server is used to send emails to external recipients.


NEW QUESTION # 27
What is the benefit of using FortiGate NAC LAN Segments?

  • A. It provides support for IGMP snooping between hosts within the same VLAN
  • B. It provides physical isolation without changing the IP address of hosts.
  • C. It provides support for multiple DHCP servers within the same VLAN.
  • D. It allows for assignment of dynamic address objects matching NAC policy.

Answer: D

Explanation:
FortiGate NAC LAN Segments are a feature that allows users to assign different VLANs to different LAN segments without changing the IP address of hosts or bouncing the switch port. This provides physical isolation while maintaining firewall sessions and avoiding DHCP issues. One benefit of using FortiGate NAC LAN Segments is that it allows for assignment of dynamic address objects matching NAC policy. This means that users can create firewall policies based on dynamic address objects that match the NAC policy criteria, such as device type, OS type, MAC address, etc. This simplifies firewall policy management and enhances security by applying different security profiles to different types of devices. References: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/856212/nac-lan-segments-7-0-1


NEW QUESTION # 28
Refer to the exhibits.


A customer wants to deploy 12 FortiAP 431F devices in a high-density conference center, but they do not currently have any PoE switches to connect them to. They want to be able to run them at full power while having network redundancy. From the FortiSwitch models and sample retail prices shown in the exhibit, which bill of materials would have the lowest cost while fulfilling the customer's requirements?

  • A. 2x FortiSwitch 124E-FPOE
  • B. 1x FortiSwitch 248EFPOE
  • C. 2x FortiSwitch 248E-FPOE
  • D. 2x FortiSwitch 224E-POE

Answer: C

Explanation:
The customer wants to deploy 12 FortiAP 431F devices in a high-density conference center, but they do not have any PoE switches to connect them to. They want to be able to run them at full power while having network redundancy.
PoE switches are switches that can provide both data and power to connected devices over Ethernet cables, eliminating the need for separate power adapters or outlets. PoE switches are useful for deploying devices such as wireless access points, IP cameras, and VoIP phones in locations where power outlets are scarce or inconvenient. The FortiAP 431F is a wireless access point that supports the PoE+ (IEEE 802.3at) standard, which can deliver up to 30W of power per port. The FortiAP 431F has a maximum power consumption of 25W when running at full power. Therefore, to run 12 FortiAP 431F devices at full power, the customer needs PoE switches that can provide at least 300W of total PoE power budget (25W x 12). The customer also needs network redundancy, which means that they need at least two PoE switches to connect the FortiAP devices in case one switch fails or loses power.
From the FortiSwitch models and sample retail prices shown in the exhibit, the bill of materials that has the lowest cost while fulfilling the customer's requirements is 2x FortiSwitch 248E-FPOE. The FortiSwitch 248E-FPOE is a PoE switch that has 48 GE ports with PoE+ capability and a total PoE power budget of 370W. It also has 4x 10 GE SFP+ uplink ports for high-speed connectivity. The sample retail price of the FortiSwitch 248E-FPOE is $1,995, which means that two units will cost $3,990. This is the lowest cost among the options that can meet the customer's requirements.
Option A is incorrect because the FortiSwitch 248EFPOE is a non-PoE switch that has no PoE capability or power budget. It cannot provide power to the FortiAP devices over Ethernet cables.
Option B is incorrect because the FortiSwitch 224E-POE is a PoE switch that has only 24 GE ports with PoE+ capability and a total PoE power budget of 185W. It cannot provide enough ports or power to run 12 FortiAP devices at full power.
Option D is incorrect because the FortiSwitch 124E-FPOE is a PoE switch that has only 24 GE ports with PoE+ capability and a total PoE power budget of 185W. It cannot provide enough ports or power to run 12 FortiAP devices at full power.
Reference: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiAP_400_Series.pdf


NEW QUESTION # 29
Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1).

Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?

  • A. The FortiToken license will need to be installed on the FAC2.
  • B. FAC2 can only process requests when FAC1 fails.
  • C. FAC2 can have its HA interface on a different network than FAC1.
  • D. FSSO sessions from FAC1 will be synchronized to FAC2.

Answer: D

Explanation:
When FortiAuthenticator operates in cluster mode, it provides active-passive failover and synchronization of all configuration and data, including FSSO sessions, between the cluster members. Therefore, if FAC1 is the active unit and FAC2 is the standby unit, any FSSO sessions from FAC1 will be synchronized to FAC2. If FAC1 fails, FAC2 will take over the active role and continue to process the FSSO sessions. References: https://docs.fortinet.com/document/fortiauthenticator/6.1.2/administration-guide/122076/high-availability


NEW QUESTION # 30
A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after the device was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two.)

  • A. Move the internet connection from the SFP interfaces to the LC interfaces
  • B. Change the Adaptive Mode.
  • C. Create an HA setup with a second FortiDDoS 200F
  • D. Replace with a FortiDDoS 1500F

Answer: C,D

Explanation:
B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.
D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F. This means that it will be less likely to drop traffic even under heavy load.
The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC interfaces will not change the throughput capacity of the device.
References:
FortiDDoS 200F Datasheet | Fortinet Document Library
FortiDDoS 1500F Datasheet | Fortinet Document Library
High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library


NEW QUESTION # 31
A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.
Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

  • A. Migrate all the instances to the same VPC and create IAM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
  • B. Create an IAM account for the cybersecurity department to manage both existing VPCs, create a FortiGate HA cluster on each VPC and an IPsec VPN to force traffic between the VPCs through the FortiGate clusters.
  • C. Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster.
  • D. Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.

Answer: C,D

Explanation:
To implement security for the traffic between two VPCs in AWS, while keeping separate management of each department's VPC, two possible actions are:
Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster. This option allows the cybersecurity department to manage the transit VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The VPC peering connections enable direct communication between the VPCs without using public IPs or gateways. The routing tables can be configured to direct all inter-VPC traffic to the transit VPC.
Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster. This option also allows the cybersecurity department to manage the security VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The Transit Gateway acts as a network hub that connects multiple VPCs and on-premises networks. The routing tables can be configured to direct all inter-VPC traffic to the security VPC. Reference: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/506140/connecting-a-local-fortigate-to-an-aws-vpc-vpn https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/sd-wan-architecture-for-enterprise/166334/sd-wan-configuration

