NSE8_811 Online Practice Questions and Answers

You are building a FortiGate cluster which is stretched over two locations. The HA connections for the cluster are terminated on the local switches in the data centers. Once the FortiGate devices have booted, they do not form a cluster. The network operators inform you that CRC errors are present on the switches where the FortiGate devices are connected.

What should you do to solve this problem?

A. Set the speed/duplex setting to 1 Gbps / Full Duplex.

B. Replace the cables where the CRC errors occur.

C. Place the HA interfaces in dedicated VLANs.

D. Change the ethertype for the HA packets.

Refer to the exhibit.

A FortiGate is configured for a dial-up IPsec VPN to allow multiple remote FortiGate devices to connect to it. However, FortiGate A and B have problems connecting to the VPN. Only one of them can be connected at a time. If site B tries to connect while site A is connected, site A is disconnected. The IKE real-time debug shows the output in the exhibit when site A is disconnected.

Referring to the exhibit, which configuration setting should be executed in the dial-up configuration to allow both VPNs to be connected at the same time?

A. set route-overlap allow

B. set single-source disable

C. set enforce-unique-id disable

D. set add-route enable

You cannot ping the FortiGate default gateway 10.10.10.1 from the FortiGate CLI. The FortiGate interface facing the default gateway is wan1 and its IP address is 10.10.10.254/24. During the initial troubleshooting tests, you confirm that you can ping other IP addresses in the 10.10.10.0/24 subnet from the FortiGate CLI without packets lost.

Which two CLI commands will help you to troubleshoot this problem? (Choose two.)

A. diagnose debug flow filter saddr 10.10.10.1 diagnose debug flow trace start 10

B. diagnose hardware deviceinfo nic wan1

C. diagnose ip arp list

D. diag sniffer packet wan1 'arp and host 10.10.10.1'

Refer to the exhibit.

You are trying to configure Link-Aggregation Group (LAG), but ports A and B do not appear on the list of member options.

Referring to the exhibit, which statement is correct in this situation?

A. The FortiGate interfaces are defective and require replacement.

B. The FortiGate model does not have an Integrated Switch Fabric (ISF).

C. The FortiGate model being used does not support LAG.

D. The FortiGate SFP+ slot does not have the correct module.

Refer to the exhibit.

A VPN IPsec is connecting the headquarters office (HQ) with a branch office (BO). OSPF is used to redistribute routes between the offices. After deployment, a server with IP address 10.10.10.35 located on the DMZ network of the BO FortiGate, was reported unreachable from hosts located on the LAN network of the same FortiGate.

Referring to the exhibit, which statement is true?

A. The ICMP packets are being blocked by an implicit deny policy.

B. A directly connected subnet is being partially superseded by an OSPF redistributed subnet.

C. Enabling NAT on the VPN firewall policy will solve the problem.

D. The incoming access list should have an accept action instead of a deny action to solve the problem.

Refer to the exhibit.

The FortiAP profile used by the FortiGate managed AP is shown in the exhibit. Which two statements in this scenario are correct? (Choose two.)

A. Interference will be prevented between FortiAP devices using this profile.

B. This profile will map specific SSIDs available to the FortiAP devices.

C. All FortiAP devices using this profile will have Radio 1 monitor wireless clients.

D. All FortiAP devices using this profile will have Radio 1 scan rogue access points.

Refer to the exhibit.

Referring to the firewall polices shown in exhibit, which two statements are true? (Choose two.)

A. The IPv4 policy is allowing security profile groups.

B. The IPv6 traffic for nse8user is filtered using the DNS profile.

C. The IPv4 traffic for nse8user is filtered using the DNS profile.

D. The Web traffic for nse8user is being filtered differently in IPv4 and IPv6.

Refer to the exhibit.

You log into FortiManager, access the Device Manager window and notice that one of the managed devices is not in normal status.

Referring to the exhibit, which two statements correctly describe the status and result of the affected device? (Choose two.)

A. The device configuration was changed on the local FortiGate side only; auto-update is disabled.

B. The changed configuration on the FortiGate will remain the next time that the device configuration is pushed from FortiManager.

C. The device configuration was changed on both the local FortiGate side and the FortiManager side; auto-update is disabled.

D. The changed configuration on the FortiGate will be overwritten in favor of what is on the FortiManager the next time that the device configuration is pushed.

A company has just deployed a new FortiMail in gateway mode. The administrator is asked to strengthen e-mail protection by applying the policies shown below.

E-mails can only be accepted if a valid e-mail account exists. Only authenticated users can send e-mails out.

Which two actions will satisfy the requirements? (Choose two.)

A. Configure recipient address verification.

B. Configure inbound recipient policies.

C. Configure outbound recipient policies.

D. Configure access control rules.

Refer to the exhibit.

The exhibit shows the configuration of a service protection profile (SPP) in a FortiDDoS device. Which two statements are true about the traffic matching being inspected by this SPP? (Choose two.)

A. Traffic that does not match any SPP policy will be inspected by this SPP.

B. FortiDDoS will not send a SYN/ACK if a SYN packet is coming from an IP address that is not in the legitimate IP (LIP) address table.

C. FortiDDoS will start dropping packets as soon as the traffic exceeds the configured minimum threshold.

D. SYN packets with payloads will be dropped.

FortiMail is configured with the protected domain "internal.lab".

Which two envelope addresses will need an access control rule to relay e-mail sent for unauthenticated users? (Choose two.)

A. MAIL FROM: [email protected]; RCPT TO: [email protected]

B. MAIL FROM: [email protected]; RCPT TO: [email protected]

C. MAIL FROM: [email protected]; RCPT TO: [email protected]

D. MAIL FROM: [email protected]; RCPT TO: [email protected]

Refer to the exhibit.

You have deployed several perimeter FortiGate devices with internal segmentation FortiGate devices behind them. All FortiGate devices are logging to FortiAnalyzer. When you search the logs in FortiAnalyzer for denied traffic, you see numerous log messages, as shown in the exhibit, on your perimeter FortiGate device only.

Which two actions will reduce the number of these log messages? (Choose two.)

A. Disable DNS events logging from FortiGate in the config log fortianalyzer filter section.

B. Apply an application control profile to the perimeter FortiGate devices that does not inspect DNS traffic to the outbound firewall policy.

C. Remove DNS signatures from the IPS profile applied to the outbound firewall policy.

D. Configure the internal FortiGate devices to communicate to FortiGuard using port 8888.

Refer to the exhibit.

Central NAT was configured on a FortiGate firewall. A sniffer shows ICMP packets out to a host on the Internet egresses with the port1 IP address instead of the virtual IP (VIP) that was configured

Referring to the exhibit, which configuration change will ensure that ICMP traffic is also translated?

A. Option A

B. Option B

C. Option C

D. Option D

A company has just rolled out new remote sites and now you need to deploy a single firewall policy to all of these sites to allow Internet access using FortiManager. For this particular firewall policy, the source address object is called LAN, but its value will change according to the site the policy is being installed.

Which statement about creating the object LAN is correct?

A. Create a new object called LAN and enable per-device mapping.

B. Create a new object called LAN and promote it to the global database.

C. Create a new object called LAN and use it as a variable on a TCL script.

D. Create a new object called LAN and set meta-fields per remote site.

Refer to the exhibit.

You are working on FortiGate 61E operating in flow-based inspection mode with various settings optimized for performance. The main Internet firewall policy is using the "default" antivirus profile. You found that some executable virus samples files downloaded over HTTP are not being blocked by the FortiGate.

Referring to the exhibit, how can this be fixed?

A. Change the set scan-mode configuration to full.

B. Disable the emulator feature.

C. Change the set default-db configuration to extreme.

D. Add set content-disarm enable to the configuration.