• ホーム
  • ブログ
  • 更新された2024年01月合格させるNSE8_812試験リアル練習テスト問題 [Q20-Q45]

更新された2024年01月合格させるNSE8_812試験リアル練習テスト問題 [Q20-Q45]

Share

更新された2024年01月合格させるNSE8_812試験リアル練習テスト問題

無料ダウンロードFortinet NSE8_812リアル試験問題


NSE8_812認定試験の対象となるには、有効なNSE7認定とネットワークセキュリティの少なくとも2年間の経験が必要です。また、Fortigate、Fortianalyzer、Fortimanager、FortisandboxなどのFortinet製品とサービスに関する幅広い知識も必要です。

 

質問 # 20
Refer to the exhibit.

The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.
Referring to the exhibit, which two actions will fix these errors? (Choose two.)

  • A. Verify that the CRL is accessible from the root FortiGate
  • B. Install a new known CA on the Win2K16-EMS server.
  • C. Authorize the root FortiGate on the FortiClient EMS
  • D. Export and import the FortiClient EMS server certificate to the root FortiGate.

正解:C、D

解説:
Based on the exhibit, the two actions that will fix the errors when trying to configure a new connection to a FortiClient EMS server are:
Export and import the FortiClient EMS server certificate to the root FortiGate. This will resolve the error message that says "The server certificate is not trusted". The root FortiGate needs to have the FortiClient EMS server certificate in its trusted CA list in order to establish a secure connection with it. The administrator can export the server certificate from the FortiClient EMS web UI and import it to the root FortiGate using the CLI or GUI.
Authorize the root FortiGate on the FortiClient EMS. This will resolve the error message that says "The device is not authorized". The FortiClient EMS needs to have the root FortiGate in its authorized device list in order to allow it to connect and receive configuration information. The administrator can authorize the root FortiGate on the FortiClient EMS web UI by entering its serial number and IP address. Reference: https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/185333/forticlient-ems https://docs.fortinet.com/document/forticlient/6.0.3/administration-guide/936332/fortigate-and-ems-integration


質問 # 21
Review the VPN configuration shown in the exhibit.

What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?

  • A. 3 redundant packet for every 5 base packets
  • B. 3 redundant packet for every 9 base packets
  • C. 2 redundant packet for every 8 base packets
  • D. 1 redundant packet for every 10 base packets

正解:C

解説:
The FEC configuration in the exhibit specifies that if the packet loss is greater than 10%, then the FEC mapping will be 8 base packets and 2 redundant packets. The download bandwidth of 500 Mbps is not greater than 950 Mbps, so the FEC mapping is not overridden by the bandwidth setting. Therefore, the FEC behavior will be 2 redundant packets for every 8 base packets.
Here is the explanation of the FEC mappings in the exhibit:
Packet loss greater than 10%: 8 base packets and 2 redundant packets.
Upload bandwidth greater than 950 Mbps: 9 base packets and 3 redundant packets.
The mappings are matched from top to bottom, so the first mapping that matches the conditions will be used. In this case, the first mapping matches because the packet loss is greater than 10%. Therefore, the FEC behavior will be 2 redundant packets for every 8 base packets.


質問 # 22
A remote IT Team is in the process of deploying a FortiGate in their lab. The closed environment has been configured to support zero-touch provisioning from the FortiManager, on the same network, via DHCP options. After waiting 15 minutes, they are reporting that the FortiGate received an IP address, but the zero-touch process failed.
The exhibit below shows what the IT Team provided while troubleshooting this issue:

Which statement explains why the FortiGate did not install its configuration from the FortiManager?

  • A. The DHCP server was not configured with the FQDN of the FortiManager
  • B. The configuration was modified on the FortiGate prior to connecting to the FortiManager
  • C. The FortiGate was not configured with the correct pre-shared key to connect to the FortiManager
  • D. The DHCP server used the incorrect option type for the FortiManager IP address.

正解:D

解説:
C is correct because the DHCP server used the incorrect option type for the FortiManager IP address. The option type should be 43 instead of 15, as shown in the FortiManager Administration Guide under Zero-Touch Provisioning > Configuring DHCP options for ZTP. Reference: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options


質問 # 23
Refer to the exhibit showing an SD-WAN configuration.

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?

  • A. port16 and port15
  • B. port1 and port15
  • C. port16 and port1
  • D. port1 and port1

正解:C

解説:
According to the exhibit, the SD-WAN configuration has two rules: one for traffic to 10.1.100.0/24 subnet, and one for traffic to 10.1.100.16/28 subnet. The first rule uses the best quality strategy, which selects the SD-WAN member with the best measured quality based on performance SLA metrics. The second rule uses the manual strategy, which specifies port1 as the SD-WAN member to select. Therefore, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, the outgoing interfaces will be port16 and port1 respectively, assuming that port16 has the best quality among the SD-WAN members. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/218559/configuring-the-sd-wan-interface


質問 # 24
Refer to the exhibit.

You have been tasked with replacing the managed switch Forti Switch 2 shown in the topology.
Which two actions are correct regarding the replacement process? (Choose two.)

  • A. CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate
  • B. After replacing the FortiSwitch unit, the automatically created trunk name changes.
  • C. After replacing the FortiSwitch unit, the automatically created trunk name does not change
  • D. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.

正解:A、C

解説:
A is correct because the automatically created trunk name is based on the MAC address of the FortiSwitch unit. When the FortiSwitch unit is replaced, the MAC address will change, but the trunk name will not change.
B is correct because CLAG-ICL is a manually configured link aggregation group. When the FortiSwitch unit is replaced, the CLAG-ICL configuration will need to be manually reconfigured on the new FortiSwitch unit.
The other options are incorrect. Option C is incorrect because the automatically created trunk name does not change when the FortiSwitch unit is replaced. Option D is incorrect because MCLAG-ICL is a manually configured link aggregation group and will not be automatically reconfigured when the FortiSwitch unit is replaced.
References:
Configuring link aggregation on FortiSwitches | FortiSwitch / FortiOS 7.0.4 - Fortinet Document Library Managing FortiLink | FortiGate / FortiOS 7.0.4 - Fortinet Document Library


質問 # 25
Refer to the exhibits.
The exhibits show a diagram of a requested topology and the base IPsec configuration.
A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.
In this scenario, which feature should be implemented to achieve this requirement?

  • A. Use peer-id
  • B. Change advpn2 to IKEv1
  • C. Use local-id
  • D. Use network-overlay id

正解:D

解説:
A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn


質問 # 26
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

  • A. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
  • B. The antivirus database queries FortiGuard with the hash of a scanned file
  • C. The FortiGuard VOS can be used only with proxy-base policy inspections.
  • D. If third-party AV database returns a match the scanned file is deemed to be malicious.
  • E. The AV engine scan must be enabled to use the FortiGuard VOS feature

正解:A、B

解説:
c) The antivirus database queries FortiGuard with the hash of a scanned file. This is how the FortiGuard VOS service works. The FortiGate queries FortiGuard with the hash of a scanned file, and FortiGuard returns a list of known malware signatures that match the hash.
e) The hash signatures are obtained from the FortiGuard Global Threat Intelligence database. This is where the FortiGuard VOS service gets its hash signatures from. The FortiGuard Global Threat Intelligence database is updated regularly with new malware signatures.


質問 # 27
You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail What are two possible reasons for this problem? (Choose two.)

  • A. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.
  • B. The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
  • C. The FortiMail access control rules to relay from Office 365 servers public IPs are missing.
  • D. The FortiMail DKIM key was not set using the Auto Generation option.

正解:A、C

解説:
FortiMail Cloud service is a cloud-based email security solution that integrates with Office 365 to provide protection against spam, malware, phishing, data loss, etc. To use FortiMail Cloud service with Office 365, users need to configure both FortiMail Cloud settings and Office 365 settings properly. One possible reason for outgoing emails not reaching the recipients' mailboxes is that the FortiMail access control rules to relay from Office 365 servers public IPs are missing. This means that FortiMail Cloud service does not recognize the Office 365 servers as authorized senders and rejects the outgoing emails. Users need to add the Office 365 servers public IPs to the FortiMail access control rules to allow relaying. Another possible reason for outgoing emails not reaching the recipients' mailboxes is that a Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN. This means that Office 365 does not route the outgoing emails to the FortiMail Cloud service for scanning and delivery. Users need to create a Mail Flow connector from the Exchange Admin Center and specify the FortiMail Cloud FQDN as the smart host. Reference: https://docs.fortinet.com/document/fortimail-cloud/6.4.0/administration-guide/19662/integrating-fortimail-cloud-with-office-365


質問 # 28
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

  • A. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
  • B. The antivirus database queries FortiGuard with the hash of a scanned file
  • C. The FortiGuard VOS can be used only with proxy-base policy inspections.
  • D. If third-party AV database returns a match the scanned file is deemed to be malicious.
  • E. The AV engine scan must be enabled to use the FortiGuard VOS feature

正解:A、B

解説:
The FortiGuard Outbreak Prevention Service (VOS) is a feature that enhances the antivirus scanning capabilities of FortiGate by querying FortiGuard with the hash of a scanned file that is not found in the local antivirus database. If the hash matches a signature in the FortiGuard Global Threat Intelligence database, which contains information about known malware and zero-day threats, the file is deemed to be malicious and blocked by FortiGate. The VOS feature can be used with both proxy-based and flow-based policy inspections, and does not require the AV engine scan to be enabled. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/968606/outbreak-prevention-service


質問 # 29
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)

  • A. Add more web servers to the real server poof
  • B. Disable SSL between the FortiADC and the web servers
  • C. Change the persistence rule to LB_PERSIS_SSL_SESSJD.
  • D. Add a connection-pool to the FortiADC virtual server

正解:A、D

解説:
Option B: Adding more web servers to the real server pool will increase the overall capacity of the load balancer, which should help to resolve the issue of users not being able to access the website.
Option D: Adding a connection-pool to the FortiADC virtual server will allow the load balancer to cache connections to the web servers, which can help to improve performance and reduce the number of dropped connections.
Option A: Changing the persistence rule to LB_PERSIS_SSL_SESSJD would only be necessary if the current persistence rule is not working properly. In this case, the CPU usage on the FortiADC and the web servers is low, so the persistence rule is likely not the issue.
Option C: Disabling SSL between the FortiADC and the web servers would reduce the load on the FortiADC, but it would also make the website less secure. Since the bandwidth utilization is under 30%, it is unlikely that disabling SSL would resolve the issue.


質問 # 30
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

* SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
* Public IP address (129.11.1.100) is assigned to portl
* Datacenter.acmecorp.com resolves to the public IP address assigned to portl The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
A)

B)

C)

  • A. Option A
  • B. Option C
  • C. Option D
  • D. Option B

正解:B

解説:
To resolve the issue of failing to renew the Let's Encrypt certificate, the configuration change that is needed is to enable the HTTP-to-HTTPS redirect option in the SSL-VPN settings. This option allows the FortiGate to redirect HTTP requests to HTTPS port 443, which is required for Let's Encrypt to validate the domain ownership and issue a new certificate. By enabling this option, the FortiGate will be able to respond to the HTTP challenge from Let's Encrypt and renew the certificate successfully. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic


質問 # 31
Refer to the exhibit.

You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.
How should the initial connection be made?

  • A. Connect the switch on any interface between ports 25 to 28
  • B. Connect the switch on any interface between ports 1 to 4
  • C. Connect the switch on any interface between ports 21 to 24
  • D. Connect the switch on any interface between ports 5 to 8.

正解:C

解説:
The FortiGate 6000F is a high-performance firewall appliance that has 28 network interfaces with different speeds and types. The device should be directly connected to a switch that will have a new hardware module providing higher speed in the future. The connection to the FortiGate must be moved to this higher-speed port without affecting any other port. Therefore, the initial connection should be made on any interface between ports 21 to 24, which are 10G SFP+ interfaces. These interfaces are independent from each other and do not share bandwidth with any other interface. This means that moving the connection to a higher-speed port in the future will not affect any other port on the FortiGate. Option A shows the correct answer. Option B is incorrect because ports 25 to 28 are 40G QSFP+ interfaces, which share bandwidth with ports 21 to 24. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Option C is incorrect because ports 1 to 4 are 100G QSFP28 interfaces, which share bandwidth with ports 5 to 8 and ports 9 to 12. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Option D is incorrect because ports 5 to 8 are 25G SFP28 interfaces, which share bandwidth with ports 1 to 4 and ports 9 to 12. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/hardware-acceleration-guide/19662/fortigate-6000f


質問 # 32
Refer to the exhibits, which show a firewall policy configuration and a network topology.

An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages-Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?

  • A. FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection,
  • B. FortiGate will use the first certificate in the server-cert list-the abc.com certificate
  • C. FortiGate will reject the connection since no certificate is defined.
  • D. FortiGate will fall-back to the default Fortinet_CA_SSL certificate.

正解:D

解説:
When using inbound SSL inspection, FortiGate needs to present a certificate to the client that matches the requested domain name. If no matching certificate is found in the server-cert list, FortiGate will fall-back to the default Fortinet_CA_SSL certificate, which is self-signed and may trigger a warning on the client browser. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection


質問 # 33
A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

  • A. Change the Adaptive Mode.
  • B. Replace with a FortiDDoS 1500F
  • C. Move the internet connection from the SFP interfaces to the LC interfaces
  • D. Create an HA setup with a second FortiDDoS 200F

正解:B、D

解説:
B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.
D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F. This means that it will be less likely to drop traffic even under heavy load.
The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC interfaces will not change the throughput capacity of the device.
References:
FortiDDoS 200F Datasheet | Fortinet Document Library
FortiDDoS 1500F Datasheet | Fortinet Document Library
High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library


質問 # 34
You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:

Given the information shown in the output, which two statements are true? (Choose two.)

  • A. Enable HPE shaper for the NP6 will change the output
  • B. The output is showing a packet descriptor queue accumulated counter
  • C. Host-shortcut mode is enabled.
  • D. There are packet drops at the XAUI.
  • E. Enabling bandwidth control between the ISF and the NP will change the output

正解:B、D

解説:
The diagnose command shown in the output is used to display information about NP6 packet descriptor queues. The output shows that there are 16 NP6 units in total, and each unit has four XAUI ports (XA0-XA3). The output also shows that there are some non-zero values in the columns PDQ ACCU (packet descriptor queue accumulated counter) and PDQ DROP (packet descriptor queue drop counter). These values indicate that there are some packet descriptor queues that have reached their maximum capacity and have dropped some packets at the XAUI ports. This could be caused by congestion or misconfiguration of the XAUI ports or the ISF (Internal Switch Fabric). References: https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/19662/diagnose-np6-pdq The output is showing a packet descriptor queue accumulated counter, which is a measure of the number of packets that have been dropped by the NP6 due to congestion. The counter will increase if there are more packets than the NP6 can handle, which can happen if the bandwidth between the ISF and the NP is not sufficient or if the HPE shaper is enabled.
The output also shows that there are packet drops at the XAUI, which is the interface between the NP6 and the FortiGate's backplane. This means that the NP6 is not able to keep up with the traffic and is dropping packets.
The other statements are not true. Host-shortcut mode is not enabled, and enabling bandwidth control between the ISF and the NP will not change the output. HPE shaper is a feature that can be enabled to improve performance, but it will not change the output of the diagnose command.


質問 # 35
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?

  • A. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
  • B. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
  • C. Configure two DNS servers and use DNS servers recommended by the two internet providers.
  • D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

正解:D

解説:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. References: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan


質問 # 36
A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)

  • A. Replace with a FortiDDoS 1500F
  • B. Move the internet connection from the SFP interfaces to the LC interfaces
  • C. Change the Adaptive Mode.
  • D. Create an HA setup with a second FortiDDoS 200F

正解:C、D

解説:
To prevent the situation where all the traffic was dropped by the FortiDDoS 200F even though there was no DoS attack, the following options can be considered:
Change the Adaptive Mode. The Adaptive Mode is a feature that allows the FortiDDoS 200F to automatically adjust its detection and prevention thresholds based on the traffic patterns and behavior. However, if the Adaptive Mode is not configured properly, it may cause false positives and drop legitimate traffic. Therefore, changing the Adaptive Mode settings or disabling it may help to avoid this situation.
Create an HA setup with a second FortiDDoS 200F. The HA setup is a feature that allows two FortiDDoS 200F devices to work together as a cluster and provide redundancy and load balancing. If one device fails or drops traffic, the other device can take over and continue to protect the network. Therefore, creating an HA setup with a second FortiDDoS 200F may help to avoid this situation. Reference: https://docs.fortinet.com/document/fortiddos-f/6.2.0/handbook/380639/understanding-fortiddos-adaptive-mode https://docs.fortinet.com/document/fortiddos-f/6.2.0/handbook/380639/configuring-fortiddos-ha


質問 # 37
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?

  • A. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
  • B. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
  • C. Configure two DNS servers and use DNS servers recommended by the two internet providers.
  • D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

正解:D

解説:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan


質問 # 38
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?

  • A. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
  • B. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
  • C. Configure two DNS servers and use DNS servers recommended by the two internet providers.
  • D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

正解:D

解説:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. References: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan


質問 # 39
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)

  • A. SCP
  • B. Report
  • C. FTP
  • D. API

正解:B、D

解説:
FortiSIEM supports two methods for importing user defined Lookup Table Data:
Report: You can import lookup table data from a report. This is the most common method for importing lookup table data.
API: You can also import lookup table data using the FortiSIEM API. This is a more advanced method that allows you to import lookup table data programmatically.
FTP, SCP, and other file transfer protocols are not supported for importing lookup table data into FortiSIEM.


質問 # 40
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

* SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
* Public IP address (129.11.1.100) is assigned to portl
* Datacenter.acmecorp.com resolves to the public IP address assigned to portl The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
A)

B)

C)

  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D

正解:B

解説:
The customer's SSLVPN Portal is currently configured to use a self-signed certificate. This means that the certificate is not trusted by any browsers, and users will have to accept a security warning before they can connect to the portal.
To resolve this issue, the customer needs to configure the FortiGate to use a Let's Encrypt certificate. Let's Encrypt is a free certificate authority that provides trusted certificates for websites and other applications.
The configuration change in option B will configure the FortiGate to use a Let's Encrypt certificate for the SSLVPN Portal. This will allow users to connect to the portal without having to accept a security warning.
The other configuration changes are not necessary to resolve the issue. Option A will configure the FortiGate to use a different port for the SSLVPN Portal, but this will not resolve the issue with the self-signed certificate. Option C will configure the FortiGate to use a different DNS name for the SSLVPN Portal, but this will also not resolve the issue with the self-signed certificate. Option D will configure the FortiGate to use a different certificate authority for the SSLVPN Portal, but this will also not resolve the issue because the customer still needs to use a trusted certificate.
References:
Configuring SSLVPN with Let's Encrypt: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/822087/acme-certificate-support Let's Encrypt: https://letsencrypt.org/


質問 # 41
Review the VPN configuration shown in the exhibit.

What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?

  • A. 3 redundant packet for every 5 base packets
  • B. 3 redundant packet for every 9 base packets
  • C. 1 redundant packet for every 10 base packets
  • D. 2 redundant packet for every 8 base packets

正解:A

解説:
Forward Error Correction (FEC) is a feature that can improve the quality of SD-WAN network traffic by adding redundant packets to the original packets. The ratio of redundant packets to base packets is determined by the FEC mode, which can be set to low, medium, or high. In low mode, the ratio is 1:10, in medium mode, the ratio is 2:8, and in high mode, the ratio is 3:5. The FEC mode can be configured manually or automatically based on the bandwidth and packet loss of the network. In this case, since the download bandwidth is 500 Mbps and the packet loss is 8%, the FEC mode is automatically set to high, which means that 3 redundant packets are added for every 5 base packets. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/forward-error-correction-fec


質問 # 42
You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:

The devices and the administrator are all located in different time zones Daylight savings time (DST) is disabled
* The FortiGate is at GMT-1000.
* The FortiAnalyzer is at GMT-0800
* Your browser local time zone is at GMT-03.00
You want to review this log on FortiAnalyzer GUI, what time should you use as a filter?

  • A. 17:37:08
  • B. 10:37:08
  • C. 20:37:08
  • D. 12.37:08

正解:A

解説:
To review this log on FortiAnalyzer GUI, the administrator should use the time filter that matches the local time zone of FortiAnalyzer, which is GMT-0800. Since the log was generated at 20:37 UTC (GMT+0000), the corresponding time in GMT-0800 is 20:37 - 8 hours = 12:37. However, since DST is disabled on FortiAnalyzer, the administrator should add one hour to account for daylight saving time difference, resulting in 12:37 + 1 hour = 13:37. Therefore, the time filter to use is 13:37:08. Reference: https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-guide/103664/time-zone-and-daylight-saving-time


質問 # 43
A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this traffic.
Which two statements are true regarding the requirements? (Choose two.)

  • A. You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
  • B. SSH traffic is tunneled between the client and the access proxy over HTTPS
  • C. FortiGate can perform SSH access proxy host-key validation.
  • D. Traffic is discarded as ZTNA does not support SSH connection rules

正解:B、C

解説:
ZTNA supports SSH connection rules that allow remote workers to access SSH servers inside the network through an HTTPS tunnel between the client and the access proxy (FortiGate). The access proxy acts as an SSH client to connect to the real SSH server on behalf of the user, and performs host-key validation to verify the identity of the server. The user can use any SSH client that supports HTTPS proxy settings, such as PuTTY or OpenSSH. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/899992/configuring-ztna-rules-to-control-access


質問 # 44
Refer to the exhibits.

A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table-Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.
Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)

  • A. 172.16.204.128/25
  • B. 172.16.201.96/29
  • C. 172,620,64,27
  • D. 172.16.204.64/27

正解:A、C

解説:
A is correct because 172.16.204.128/25 matches the prefix list entry 172.16.204.0/24 ge 25 le 25. C is correct because 172.16.204.64/27 matches the prefix list entry 172.16.204.0/24 ge 27 le 27. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/bgp


質問 # 45
......


Fortinet NSE8_812(Fortinet NSE 8 - Written Exam とも呼ばれます)は、経験豊富なネットワークセキュリティ専門家の知識とスキルをテストするために設計された認定試験です。この試験は、Fortinet のセキュリティソリューションに深い理解を持ち、その分野で認定された専門家になりたい個人を対象としています。Fortinet NSE8_812 試験は、高度な脅威保護、ネットワーク設計、セキュリティポリシーなど、ネットワークセキュリティに関連する幅広いトピックをカバーする厳格で包括的なテストです。

 

NSE8_812問題集100パー合格保証には最新のサンプル:https://www.goshiken.com/Fortinet/NSE8_812-mondaishu.html

あなたを合格させる試験には100%確認済みNSE8_812試験問題:https://drive.google.com/open?id=1-Zxjc9cZI5rRddIWLftgFt9F8DjJznFg

関するブログ

もっと
NSE8_812無料問題集