[2023年10月最新リリース]NSE8_812問題集でFortinet Network Security Expert認証 [Q28-Q48]

[2023年10月最新リリース]NSE8_812問題集でFortinet Network Security Expert認証

最新の完璧なNSE8_812問題集問題と解答で100%パスさせます

質問 # 28
Refer to the CLI configuration of an SSL inspection profile from a FortiGate device configured to protect a web server:

Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?

• A. FortiGate will forward the traffic without modifying the ALPN header.
• B. FortiGate will reject all HTTP/2 ALPN headers.
• C. FortiGate will rewrite the ALPN header to request HTTP/1.
• D. FortiGate will strip the ALPN header and forward the traffic.

正解：D

解説：
When an HTTP/2 request comes in, FortiGate will strip the Application-Layer Protocol Negotiation (ALPN) header and forward the traffic as HTTP/1.1 to the real server. This is because FortiGate does not support HTTP/2 inspection, and therefore cannot process ALPN headers that indicate HTTP/2 support. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic

質問 # 29
You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is not a factor. Which adapter type for the NICs will you recommend?

• A. Native ESXi Networking with VMXNET3
• B. Physical Function (PF) PCI Passthrough
• C. Native ESXi Networking with E1000
• D. Virtual Function (VF) PCI Passthrough

正解：A

解説：
The FortiGate VM is a virtual firewall appliance that can run on various hypervisors, such as ESXi, Hyper-V, KVM, etc. The adapter type for NICs on a FortiGate VM determines the performance and compatibility of the network interface cards with the hypervisor and the physical network. There are different adapter types available for NICs on a FortiGate VM, such as E1000, VMXNET3, SR-IOV, etc. If performance is the main concern and cost is not a factor, one option is to use native ESXi networking with VMXNET3 adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor. VMXNET3 is a paravirtualized network interface card that is optimized for performance in virtual machines and supports features such as multiqueue support, Receive Side Scaling (RSS), Large Receive Offload (LRO), IPv6 offloads, and MSI/MSI-X interrupt delivery. Native ESXi networking means that the FortiGate VM uses the standard virtual switch (vSwitch) or distributed virtual switch (dvSwitch) provided by the ESXi hypervisor to connect to the physical network. This option can provide high performance and compatibility for NICs on a FortiGate VM without requiring additional hardware or software components. References: https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/installing-fortigate-vm-on-vmware-esxi https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/networking

質問 # 30
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)

• A. Change the persistence rule to LB_PERSIS_SSL_SESSJD.
• B. Add a connection-pool to the FortiADC virtual server
• C. Disable SSL between the FortiADC and the web servers
• D. Add more web servers to the real server poof

正解：A、B

解説：
The FortiADC HA cluster is a load balancing solution that distributes traffic among multiple web servers in L7 Full NAT mode. L7 Full NAT mode means that FortiADC terminates both client and server SSL connections and performs full NAT for both source and destination IP addresses and ports. One possible reason for users not being able to access the website during a sale event is that the persistence rule is not configured properly. Persistence rule is a feature that ensures that subsequent requests from the same client are sent to the same web server, which is important for maintaining session continuity and avoiding errors or data loss. The default persistence rule for L7 Full NAT mode is LB_PERSIS_SRC_IP, which uses the source IP address of the client as the persistence key. However, this rule may not work well if there are many clients behind a proxy or NAT device that share the same source IP address, or if there are clients that change their source IP address frequently due to roaming or switching networks. Therefore, to resolve this situation, one option is to change the persistence rule to LB_PERSIS_SSL_SESSJD, which uses the SSL session ID of the client as the persistence key. This rule can provide more accurate and reliable persistence for SSL connections than LB_PERSIS_SRC_IP. Another possible reason for users not being able to access the website during a sale event is that there are too many TCP connections being established and terminated between FortiADC and the web servers, which consumes CPU resources and causes performance degradation. Therefore, to resolve this situation, another option is to add a connection-pool to the FortiADC virtual server. Connection-pool is a feature that allows FortiADC to reuse existing TCP connections between FortiADC and the web servers, instead of creating new ones for each request. This can reduce CPU overhead, improve response time, and increase throughput. Reference: https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/load-balancing-methods-and-persistence https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/connection-pool

質問 # 31
Refer to the exhibit.

A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.
How will the sessions be load balanced between server 1 and server 2 during normal operation?

• A. Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions
• B. Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions
• C. Server 1 will receive 33.3% of the sessions, Server 2 will receive 66 6% of the sessions
• D. Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions

正解：D

解説：
The Server Pool in the exhibit is configured with a weight of 20 for server 1 and a weight of 60 for server 2. This means that server 1 will receive 20% of the sessions and server 2 will receive 75% of the sessions.
The following formula is used to calculate the load balancing between servers in a Server Pool:
weight_of_server_1 / (weight_of_server_1 + weight_of_server_2)
In this case, the formula is:
20 / (20 + 60) = 20 / 80 = 0.25 = 25%
Therefore, server 1 will receive 25% of the sessions and server 2 will receive 75% of the sessions.

質問 # 32
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)

• A. SCP
• B. Report
• C. FTP
• D. API

正解：B、D

解説：
FortiSIEM supports two methods for importing user defined Lookup Table Data:
Report: You can import lookup table data from a report. This is the most common method for importing lookup table data.
API: You can also import lookup table data using the FortiSIEM API. This is a more advanced method that allows you to import lookup table data programmatically.
FTP, SCP, and other file transfer protocols are not supported for importing lookup table data into FortiSIEM.

質問 # 33
Review the following FortiGate-6000 configuration excerpt:

Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?

• A. It statically distributes SNAT source ports to operating FPCs or FPMs
• B. It dynamically distributes SNAT source ports to operating FPCs or FPMs.
• C. It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.
• D. It equally distributes SNAT source ports across chassis slots.

正解：A

解説：
Based on the configuration, the statement that is correct regarding SNAT source port partitioning behavior is that it statically distributes SNAT source ports to operating FPCs or FPMs. This is because the nat-source-port option is set to chassis-slots, which means that the FortiGate-6000 will allocate SNAT source ports to all FPCs or FPMs that are enabled when the command is entered. If an FPC or FPM is disabled from the CLI, the SNAT source ports assigned to that FPC or FPM will not be re-allocated to the remaining FPCs or FPMs. This option preserves active sessions when an FPC or FPM goes down, but does not dynamically re-distribute SNAT source ports if an FPC or FPM is powered off. Reference: https://docs.fortinet.com/document/fortigate/7.2.5/fortigate-6000-administration-guide/81276/controlling-snat-port-partitioning-behavior

質問 # 34
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

• A. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
• B. The FortiGuard VOS can be used only with proxy-base policy inspections.
• C. If third-party AV database returns a match the scanned file is deemed to be malicious.
• D. The AV engine scan must be enabled to use the FortiGuard VOS feature
• E. The antivirus database queries FortiGuard with the hash of a scanned file

正解：A、E

解説：
c) The antivirus database queries FortiGuard with the hash of a scanned file. This is how the FortiGuard VOS service works. The FortiGate queries FortiGuard with the hash of a scanned file, and FortiGuard returns a list of known malware signatures that match the hash.
e) The hash signatures are obtained from the FortiGuard Global Threat Intelligence database. This is where the FortiGuard VOS service gets its hash signatures from. The FortiGuard Global Threat Intelligence database is updated regularly with new malware signatures.

質問 # 35
A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.
Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

• A. Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster
• B. Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters
• C. Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
• D. Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.

正解：A、D

解説：
To implement security for the traffic between two VPCs in AWS, while keeping separate management of each department's VPC, two possible actions are:
Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster. This option allows the cybersecurity department to manage the transit VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The VPC peering connections enable direct communication between the VPCs without using public IPs or gateways. The routing tables can be configured to direct all inter-VPC traffic to the transit VPC.
Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster. This option also allows the cybersecurity department to manage the security VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The Transit Gateway acts as a network hub that connects multiple VPCs and on-premises networks. The routing tables can be configured to direct all inter-VPC traffic to the security VPC. References: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/506140/connecting-a-local-fortigate-to-an-aws-vpc-vpn https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/sd-wan-architecture-for-enterprise/166334/sd-wan-configuration

質問 # 36
Refer to the exhibits.
Exhibit A

Exhibit B

Exhibit C

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C Referring to the exhibits, which configuration will restore VPN connectivity?

• A.
• B.
• C.
• D.

正解：A

解説：
The VPN configuration shown in Exhibit C is a baseline VPN configuration that uses IKEv2 with pre-shared keys and AES256 encryption for both IKE and ESP phases. However, this configuration does not match the output shown in Exhibit A and B, which indicate that IKEv1 is used with RSA signatures and AES128 encryption for both IKE and ESP phases. Therefore, to restore VPN connectivity, the configuration needs to be modified to match these parameters. Option B shows the correct configuration that matches these parameters. Option A is incorrect because it still uses IKEv2 instead of IKEv1. Option C is incorrect because it still uses pre-shared keys instead of RSA signatures. Option D is incorrect because it still uses AES256 encryption instead of AES128 encryption. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/ipsec-vpn-with-forticlient

質問 # 37
Refer to the exhibits.


A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.
Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)

• A. Ports 3 and 4 can be part of different switch interfaces.
• B. Devices connected directly to ports 3 and 4 can perform 802 1X authentication.
• C. Client devices must have 802 1X authentication enabled
• D. FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.

正解：B、C

解説：
The customer wants to deploy a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E device. A hardware switch interface is an interface that combines multiple physical interfaces into one logical interface, allowing them to act as a single switch with one IP address and one set of security policies. The customer wants to use 802.1X authentication for this solution, which is a standard protocol for port-based network access control (PNAC) that authenticates clients based on their credentials before granting them access to network resources. One condition that allows authentication to the client devices before assigning an IP address is that devices connected directly to ports 3 and 4 can perform 802.1X authentication. This is because ports 3 and 4 are part of the hardware switch interface named "lan", which has an IP address of 10.10.10.254/24 and an inbound SSL inspection profile named "ssl-inspection". The inbound SSL inspection profile enables the FortiGate device to intercept and inspect SSL/TLS traffic from clients before forwarding it to servers, which allows it to apply security policies and features such as antivirus, web filtering, application control, etc. However, before performing SSL inspection, the FortiGate device needs to authenticate the clients using 802.1X authentication, which requires the clients to send their credentials (such as username and password) to the FortiGate device over a secure EAP (Extensible Authentication Protocol) channel. The FortiGate device then verifies the credentials with an authentication server (such as RADIUS or LDAP) and grants or denies access to the clients based on the authentication result. Therefore, devices connected directly to ports 3 and 4 can perform 802.1X authentication before assigning an IP address. Another condition that allows authentication to the client devices before assigning an IP address is that client devices must have 802.1X authentication enabled. This is because 802.1X authentication is a mutual process that requires both the client devices and the FortiGate device to support and enable it. The client devices must have 802.1X authentication enabled in their network settings, which allows them to initiate the authentication process when they connect to the hardware switch interface of the FortiGate device. The client devices must also have an 802.1X supplicant software installed, which is a program that runs on the client devices and handles the communication with the FortiGate device using EAP messages. The client devices must also have a trusted certificate installed, which is used to verify the identity of the FortiGate device and establish a secure EAP channel. Therefore, client devices must have 802.1X authentication enabled before assigning an IP address. References: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/hardware-switch-interfaces https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/802-1x-authentication

質問 # 38
You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor. Your recommendation must consider performance as the main concern, cost is not a factor. Which adapter type for the NICs will you recommend?

• A. Native ESXi Networking with VMXNET3
• B. Physical Function (PF) PCI Passthrough
• C. Native ESXi Networking with E1000
• D. Virtual Function (VF) PCI Passthrough

正解：A

解説：
The FortiGate VM is a virtual firewall appliance that can run on various hypervisors, such as ESXi, Hyper-V, KVM, etc. The adapter type for NICs on a FortiGate VM determines the performance and compatibility of the network interface cards with the hypervisor and the physical network. There are different adapter types available for NICs on a FortiGate VM, such as E1000, VMXNET3, SR-IOV, etc. If performance is the main concern and cost is not a factor, one option is to use native ESXi networking with VMXNET3 adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor. VMXNET3 is a paravirtualized network interface card that is optimized for performance in virtual machines and supports features such as multiqueue support, Receive Side Scaling (RSS), Large Receive Offload (LRO), IPv6 offloads, and MSI/MSI-X interrupt delivery. Native ESXi networking means that the FortiGate VM uses the standard virtual switch (vSwitch) or distributed virtual switch (dvSwitch) provided by the ESXi hypervisor to connect to the physical network. This option can provide high performance and compatibility for NICs on a FortiGate VM without requiring additional hardware or software components. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/installing-fortigate-vm-on-vmware-esxi https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/networking

質問 # 39
Refer to the exhibits.


A customer wants to deploy 12 FortiAP 431F devices on high density conference center, but they do not currently have any PoE switches to connect them to. They want to be able to run them at full power while having network redundancy From the FortiSwitch models and sample retail prices shown in the exhibit, which build of materials would have the lowest cost, while fulfilling the customer's requirements?

• A. 2x FortiSwitch 124E-FPOE
• B. 2x FortiSwitch 248E-FPOE
• C. 2x FortiSwitch 224E-POE
• D. 1x FortiSwitch 248EFPOE

正解：B

解説：
The customer wants to deploy 12 FortiAP 431F devices on a high density conference center, but they do not have any PoE switches to connect them to. They want to be able to run them at full power while having network redundancy. PoE switches are switches that can provide both data and power to connected devices over Ethernet cables, eliminating the need for separate power adapters or outlets. PoE switches are useful for deploying devices such as wireless access points, IP cameras, and VoIP phones in locations where power outlets are scarce or inconvenient. The FortiAP 431F is a wireless access point that supports PoE+ (IEEE 802.3at) standard, which can deliver up to 30W of power per port. The FortiAP 431F has a maximum power consumption of 25W when running at full power. Therefore, to run 12 FortiAP 431F devices at full power, the customer needs PoE switches that can provide at least 300W of total PoE power budget (25W x 12). The customer also needs network redundancy, which means that they need at least two PoE switches to connect the FortiAP devices in case one switch fails or loses power. From the FortiSwitch models and sample retail prices shown in the exhibit, the build of materials that has the lowest cost while fulfilling the customer's requirements is 2x FortiSwitch 248E-FPOE. The FortiSwitch 248E-FPOE is a PoE switch that has 48 GE ports with PoE+ capability and a total PoE power budget of 370W. It also has 4x 10 GE SFP+ uplink ports for high-speed connectivity. The sample retail price of the FortiSwitch 248E-FPOE is $1,995, which means that two units will cost $3,990. This is the lowest cost among the other options that can meet the customer's requirements. Option A is incorrect because the FortiSwitch 248EFPOE is a non-PoE switch that has no PoE capability or power budget. It cannot provide power to the FortiAP devices over Ethernet cables. Option B is incorrect because the FortiSwitch 224E-POE is a PoE switch that has only 24 GE ports with PoE+ capability and a total PoE power budget of 185W. It cannot provide enough ports or power to run 12 FortiAP devices at full power. Option D is incorrect because the FortiSwitch 124E-FPOE is a PoE switch that has only 24 GE ports with PoE+ capability and a total PoE power budget of 185W. It cannot provide enough ports or power to run 12 FortiAP devices at full power. Reference: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiAP_400_Series.pdf

質問 # 40
Refer to the exhibit showing an SD-WAN configuration.

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?

• A. port1 and port15
• B. port1 and port1
• C. port16 and port1
• D. port16 and port15

正解：C

解説：
According to the exhibit, the SD-WAN configuration has two rules: one for traffic to 10.1.100.0/24 subnet, and one for traffic to 10.1.100.16/28 subnet. The first rule uses the best quality strategy, which selects the SD-WAN member with the best measured quality based on performance SLA metrics. The second rule uses the manual strategy, which specifies port1 as the SD-WAN member to select. Therefore, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, the outgoing interfaces will be port16 and port1 respectively, assuming that port16 has the best quality among the SD-WAN members. References: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/218559/configuring-the-sd-wan-interface

質問 # 41
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic.
Which action achieves the requirement in this scenario?

• A. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode
• B. Add a VLAN under the FEX-WAN interface on the FortiGate.
• C. Add a switch between the FortiGate and FEX.
• D. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.

正解：A

解説：
VLAN Mode is a more efficient way to connect a FortiExtender to a FortiGate than CAPWAP Mode. This is because VLAN Mode does not require the FortiExtender to send additional control traffic to the FortiGate.
The other options are not correct.
a) Add a switch between the FortiGate and FEX. This will add overhead to the network, as the switch will need to process the traffic.
b) Enable CAPWAP connectivity between the FortiGate and the FortiExtender. This will increase the overhead on the FortiGate, as it will need to process additional control traffic.
d) Add a VLAN under the FEX-WAN interface on the FortiGate. This will not affect the overhead on the FortiGate.

質問 # 42
Review the VPN configuration shown in the exhibit.

What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?

• A. 2 redundant packet for every 8 base packets
• B. 3 redundant packet for every 9 base packets
• C. 1 redundant packet for every 10 base packets
• D. 3 redundant packet for every 5 base packets

正解：A

解説：
The FEC configuration in the exhibit specifies that if the packet loss is greater than 10%, then the FEC mapping will be 8 base packets and 2 redundant packets. The download bandwidth of 500 Mbps is not greater than 950 Mbps, so the FEC mapping is not overridden by the bandwidth setting. Therefore, the FEC behavior will be 2 redundant packets for every 8 base packets.
Here is the explanation of the FEC mappings in the exhibit:
Packet loss greater than 10%: 8 base packets and 2 redundant packets.
Upload bandwidth greater than 950 Mbps: 9 base packets and 3 redundant packets.
The mappings are matched from top to bottom, so the first mapping that matches the conditions will be used. In this case, the first mapping matches because the packet loss is greater than 10%. Therefore, the FEC behavior will be 2 redundant packets for every 8 base packets.

質問 # 43
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

* SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
* Public IP address (129.11.1.100) is assigned to portl
* Datacenter.acmecorp.com resolves to the public IP address assigned to portl The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
A)

B)

C)

• A. Option B
• B. Option C
• C. Option D
• D. Option A

正解：A

解説：
The customer's SSLVPN Portal is currently configured to use a self-signed certificate. This means that the certificate is not trusted by any browsers, and users will have to accept a security warning before they can connect to the portal.
To resolve this issue, the customer needs to configure the FortiGate to use a Let's Encrypt certificate. Let's Encrypt is a free certificate authority that provides trusted certificates for websites and other applications.
The configuration change in option B will configure the FortiGate to use a Let's Encrypt certificate for the SSLVPN Portal. This will allow users to connect to the portal without having to accept a security warning.
The other configuration changes are not necessary to resolve the issue. Option A will configure the FortiGate to use a different port for the SSLVPN Portal, but this will not resolve the issue with the self-signed certificate. Option C will configure the FortiGate to use a different DNS name for the SSLVPN Portal, but this will also not resolve the issue with the self-signed certificate. Option D will configure the FortiGate to use a different certificate authority for the SSLVPN Portal, but this will also not resolve the issue because the customer still needs to use a trusted certificate.
References:
Configuring SSLVPN with Let's Encrypt: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/822087/acme-certificate-support Let's Encrypt: https://letsencrypt.org/

質問 # 44
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)

• A. enable on ICL trunks
• B. enable on the ISL and FortiLink trunks
• C. disable on the ISL and FortiLink trunks
• D. disable on ICL trunks

正解：B、D

解説：
To ensure that unnecessary multicast traffic is pruned from links that do not have a multicast listener, you must disable IGMP flood traffic on the ICL trunks and enable IGMP flood reports on the ISL and FortiLink trunks.
Disabling IGMP flood traffic will prevent the FortiSwitch units from flooding multicast traffic to all ports on the ICL trunks. This will help to reduce unnecessary multicast traffic on the network.
Enabling IGMP flood reports will allow the FortiSwitch units to learn which ports are interested in receiving multicast traffic. This will help the FortiSwitch units to prune multicast traffic from links that do not have a multicast listener.

質問 # 45
Refer to the exhibit, which shows a Branch1 configuration and routing table.

In the SD-WAN implicit rule, you do not want the traffic load balance for the overlay interface when all members are available.
In this scenario, which configuration change will meet this requirement?

• A. Configure the cost in each overlay member to 10.
• B. Configure the priority in each overlay member to 10.
• C. Create a new static route with the internet sdwan-zone only
• D. Change the load-balance-mode to source-ip-based.

正解：A

解説：
The SD-WAN implicit rule is a default rule that applies to all traffic that does not match any explicit SD-WAN rule. The SD-WAN implicit rule uses the best quality strategy, which selects the SD-WAN member with the best measured quality based on the performance SLA metrics. This means that the traffic load balance for the overlay interface will depend on the quality of each overlay member, which may vary over time. However, if the requirement is to minimize the overhead on the device for WAN traffic and avoid load balancing for the overlay interface when all members are available, one option is to configure the cost in each overlay member to 10. The cost is a parameter that can be used to influence the selection of an SD-WAN member by adding a penalty value to its quality score. By configuring the same cost value for all overlay members, the quality score of each member will be reduced by the same amount, which will make them less preferable than the underlay members. This way, the SD-WAN implicit rule will select the underlay members first, unless they are unavailable or out of SLA, and only use the overlay members as a backup option. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan-rules

質問 # 46
Refer to the exhibits.

The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.
You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.
All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must forward it to the third-party service, which will send the email back to FortiMail for final delivery, FortiMail must not scan the e-mail again.
Which three configuration tasks must be performed to meet these requirements? (Choose three.)

• A. Create an access receive rule with a Sender value of srv. thirdparcy.com, Recipient value of *@acme.com, and action value of Safe
• B. Change the scan order in FML-GW to antispam-sandbox-content.
• C. Apply the Catch-AII profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.
• D. Apply the Catch-Ail profile to the CFInbound profile and configure a content action profile to deliver to the srv. thirdparty. com FQDN
• E. Create an IP policy with a Source value of 100. 64 .0.72/32, enable precedence, and place the policy at the top of the list.

正解：A、D

解説：
To integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path, while ensuring that all inbound e-mails are scanned by FortiMail antispam and antivirus with FortiSandbox integration, and then forwarded to the third-party service and back to FortiMail for final delivery, the following configuration tasks must be performed:
Apply the Catch-All profile to the CFInbound profile and configure a content action profile to deliver to the srv.thirdparty.com FQDN. This will ensure that all inbound e-mails that pass the antispam and antivirus scanning are forwarded to the third-party service for further processing.
Create an access receive rule with a Sender value of srv.thirdparty.com, Recipient value of *@acme.com, and action value of Safe. This will ensure that all e-mails that are sent back from the third-party service to FortiMail are accepted without any further scanning or filtering. Reference: https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/921588/configuring-content-profiles-and-content-action-profiles https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/629994/configuring-session-profiles

質問 # 47
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?

• A. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
• B. Configure two DNS servers and use DNS servers recommended by the two internet providers.
• C. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.
• D. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.

正解：C

解説：
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. References: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan

質問 # 48
......

最新のNSE8_812試験問題集でFortinet試験トレーニング：https://www.goshiken.com/Fortinet/NSE8_812-mondaishu.html

2023年最新のの問題NSE8_812問題集で最新のFortinet試験を使おう：https://drive.google.com/open?id=1Rpm9sC4HGweP9Eto43NS0Q33VEhoZiUo