[Apr 19, 2024] NSE8_812 Dumps Full Questions - Exam Study Guide
Fortinet Network Security Expert Free Certification Exam Material from ActualCollection with 62 Questions
Fortinet NSE8_812 (Fortinet NSE 8 - Written Exam) Certification Exam is designed for cybersecurity professionals who aim to enhance their knowledge and skills to keep up with the ever-evolving cybersecurity threats. Obtaining this certification demonstrates that the individual is capable of designing, deploying, and managing complex security solutions using Fortinet's latest products and technologies. NSE8_812 exam is challenging, but it is an excellent way to demonstrate a high level of cybersecurity expertise that can lead to better job opportunities and career growth.
The Fortinet NSE8_812 exam consists of 60 multiple-choice questions that are to be completed in 120 minutes. The questions are designed to test the candidate's understanding of advanced security concepts and their ability to apply this knowledge to real-world scenarios. NSE8_812 exam also includes scenario-based questions that require the candidate to analyze a given situation and provide the best course of action.
NEW QUESTION # 30
Refer to the exhibit, which shows a VPN topology.
The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50 Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?
- A. The TCP port 21 must be allowed on the NAT Device2
- B. All the session traffic will pass through the Hub
- C. Spoke1 will establish an ADVPN shortcut to Spoke2
- D. ADVPN is not supported when spokes are behind NAT
Answer: C
Explanation:
D is correct because Spoke1 will establish an ADVPN shortcut to Spoke2 when it detects that there is a demand for traffic between them. This is explained in the Fortinet Community article on Technical Tip: Fortinet Auto Discovery VPN (ADVPN) under Summary - ADVPN sequence of events. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195698
NEW QUESTION # 31
Refer to the exhibit showing FortiGate configurations
FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.
The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.
What change will correct HA functionality in this scenario?
- A. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
- B. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.
- C. Change the priority of FMG-A to be numerically lower for higher preference
- D. Make the monitored IP to match on both FortiManager devices.
Answer: D
Explanation:
B is correct because the monitored IP must match on both FortiManager devices for HA to function properly. This is explained in the FortiManager Administration Guide under High Availability > Configuring HA options > Configuring HA options using the GUI. Reference: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options
NEW QUESTION # 32
A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.
Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)
- A. Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.
- B. Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
- C. Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters
- D. Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster
Answer: A,D
Explanation:
To implement security for the traffic between two VPCs in AWS, while keeping separate management of each department's VPC, two possible actions are:
Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster. This option allows the cybersecurity department to manage the transit VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The VPC peering connections enable direct communication between the VPCs without using public IPs or gateways. The routing tables can be configured to direct all inter-VPC traffic to the transit VPC.
Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster. This option also allows the cybersecurity department to manage the security VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The Transit Gateway acts as a network hub that connects multiple VPCs and on-premises networks. The routing tables can be configured to direct all inter-VPC traffic to the security VPC. Reference: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/506140/connecting-a-local-fortigate-to-an-aws-vpc-vpn https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/sd-wan-architecture-for-enterprise/166334/sd-wan-configuration
NEW QUESTION # 33
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)
- A. disable on the ISL and FortiLink trunks
- B. disable on ICL trunks
- C. enable on ICL trunks
- D. enable on the ISL and FortiLink trunks
Answer: A,B
Explanation:
A is correct because disabling igmps-flood-traffic and igmps-flood-report on ICL trunks prevents unnecessary multicast traffic from being flooded across the MCLAG cluster members. C is correct because disabling igmps-flood-traffic and igmps-flood-report on the ISL and FortiLink trunks prevents unnecessary multicast traffic from being flooded to other switches or FortiGates that do not have multicast listeners. Reference: https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding/381058/configuring-multicast-forwarding
NEW QUESTION # 34
Refer to the exhibit.
You have been tasked with replacing the managed switch Forti Switch 2 shown in the topology.
Which two actions are correct regarding the replacement process? (Choose two.)
- A. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.
- B. After replacing the FortiSwitch unit, the automatically created trunk name changes.
- C. CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate
- D. After replacing the FortiSwitch unit, the automatically created trunk name does not change
Answer: C,D
Explanation:
A is correct because the automatically created trunk name is based on the MAC address of the FortiSwitch unit. When the FortiSwitch unit is replaced, the MAC address will change, but the trunk name will not change.
B is correct because CLAG-ICL is a manually configured link aggregation group. When the FortiSwitch unit is replaced, the CLAG-ICL configuration will need to be manually reconfigured on the new FortiSwitch unit.
The other options are incorrect. Option C is incorrect because the automatically created trunk name does not change when the FortiSwitch unit is replaced. Option D is incorrect because MCLAG-ICL is a manually configured link aggregation group and will not be automatically reconfigured when the FortiSwitch unit is replaced.
References:
Configuring link aggregation on FortiSwitches | FortiSwitch / FortiOS 7.0.4 - Fortinet Document Library Managing FortiLink | FortiGate / FortiOS 7.0.4 - Fortinet Document Library
NEW QUESTION # 35
On a FortiGate Configured in Transparent mode, which configuration option allows you to control Multicast traffic passing through the?
- A.

- B.

- C.

- D.

Answer: D
Explanation:
To control multicast traffic passing through a FortiGate configured in transparent mode, you can use multicast policies. Multicast policies allow you to filter multicast traffic based on source and destination addresses, protocols, and interfaces. You can also apply security profiles to scan multicast traffic for threats and violations. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/968606/configuring-multicast-forwarding
NEW QUESTION # 36
What is the benefit of using FortiGate NAC LAN Segments?
- A. It provides support for multiple DHCP servers within the same VLAN.
- B. It allows for assignment of dynamic address objects matching NAC policy.
- C. It provides physical isolation without changing the IP address of hosts.
- D. It provides support for IGMP snooping between hosts within the same VLAN
Answer: B
Explanation:
FortiGate NAC LAN Segments are a feature that allows users to assign different VLANs to different LAN segments without changing the IP address of hosts or bouncing the switch port. This provides physical isolation while maintaining firewall sessions and avoiding DHCP issues. One benefit of using FortiGate NAC LAN Segments is that it allows for assignment of dynamic address objects matching NAC policy. This means that users can create firewall policies based on dynamic address objects that match the NAC policy criteria, such as device type, OS type, MAC address, etc. This simplifies firewall policy management and enhances security by applying different security profiles to different types of devices. References: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/856212/nac-lan-segments-7-0-1
NEW QUESTION # 37
Refer to the exhibit showing a FortiSOAR playbook.
You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.
What should be your next step?
- A. Run the Mark Drive by Download playbook action
- B. Reply to the e-mail with the requested Playbook action
- C. Go to the Incident Response tasks dashboard and run the pending actions
- D. Click on the notification icon on FortiSOAR GUI and run the pending input action
Answer: C
Explanation:
The exhibited playbook requires intervention, which means that the playbook has reached a point where it needs a human operator to take action. The next step should be to go to the Incident Response tasks dashboard and run the pending actions. This will allow you to see the pending actions that need to be taken and to take those actions.
The other options are not correct. Option B will only show you the notification icon, but it will not allow you to run the pending input action. Option C will run the Mark Drive by Download playbook action, but this is not the correct action to take in this case. Option D is not a valid option.
Here are some additional details about pending actions in FortiSOAR:
Pending actions are actions that need to be taken by a human operator.
Pending actions are displayed in the Incident Response tasks dashboard.
Pending actions can be run by clicking on the action in the dashboard.
NEW QUESTION # 38
You are creating the CLI script to be used on a new SD-WAN deployment You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.
The current configuration is:
Which configuration do you use for the Performance SLA members?
- A. current configuration already fulfills the requirement
- B. set members any
- C. set members 0
- D. set members all
Answer: D
Explanation:
D is correct because using set members all allows you to apply the Performance SLA configuration to all available interfaces without specifying them individually. This way, you do not need to change the configuration in case more connections are added to the branch. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan/978795/configuring-sd-wan-performance-sla
NEW QUESTION # 39
Refer to the exhibit showing a firewall policy configuration.
To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1.
What change does the administrator need to make?
- A.

- B.

- C.

- D.

Answer: D
Explanation:
The firewall policy in the exhibit allows all traffic from the internal network to the cloud. To enforce authentication on this traffic, the administrator needs to add the auth-on-demand option to the policy. This option will force all users to authenticate before they are allowed to access the cloud.
The following is the correct configuration:
config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set service "all"
set action accept
set auth-on-demand enable
References:
Configuring firewall authentication | FortiGate / FortiOS 7.4.0 - Fortinet Document Library Firewall policy configuration | FortiGate / FortiOS 7.4.0 - Fortinet Document Library
NEW QUESTION # 40
Review the following FortiGate-6000 configuration excerpt:
Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?
- A. It statically distributes SNAT source ports to operating FPCs or FPMs
- B. It equally distributes SNAT source ports across chassis slots.
- C. It dynamically distributes SNAT source ports to operating FPCs or FPMs.
- D. It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.
Answer: A
Explanation:
Based on the configuration, the statement that is correct regarding SNAT source port partitioning behavior is that it statically distributes SNAT source ports to operating FPCs or FPMs. This is because the nat-source-port option is set to chassis-slots, which means that the FortiGate-6000 will allocate SNAT source ports to all FPCs or FPMs that are enabled when the command is entered. If an FPC or FPM is disabled from the CLI, the SNAT source ports assigned to that FPC or FPM will not be re-allocated to the remaining FPCs or FPMs. This option preserves active sessions when an FPC or FPM goes down, but does not dynamically re-distribute SNAT source ports if an FPC or FPM is powered off. Reference: https://docs.fortinet.com/document/fortigate/7.2.5/fortigate-6000-administration-guide/81276/controlling-snat-port-partitioning-behavior
NEW QUESTION # 41
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?
- A. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
- B. Configure two DNS servers and use DNS servers recommended by the two internet providers.
- C. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
- D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.
Answer: D
Explanation:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan
NEW QUESTION # 42
Refer to the exhibits.
The exhibits show a diagram of a requested topology and the base IPsec configuration.
A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.
In this scenario, which feature should be implemented to achieve this requirement?
- A. Use local-id
- B. Change advpn2 to IKEv1
- C. Use peer-id
- D. Use network-overlay id
Answer: D
Explanation:
A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. References: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn
NEW QUESTION # 43
Refer to the exhibit.
A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains & TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.
Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.
What are the two reasons for this behavior? (Choose two.)
- A. Configuration for TPM is not synchronized between FortiGate HA cluster members.
- B. The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.
- C. TPM functionality is not yet compatible with FortiGate HA D The administrator needs to manually enter the hex private data encryption key in FortiManager
- D. The private-data-encryption key entered on the primary did not match the value that the TPM expected.
Answer: A,D
Explanation:
The two reasons for the negative impact on the FortiGate HA status and FortiManager status after enabling TPM are:
The private-data-encryption key entered on the primary unit did not match the value that the TPM expected. This could happen if the TPM was previously enabled and then disabled, and the key was changed in between. The TPM will reject the new key and cause an error in the configuration synchronization.
Configuration for TPM is not synchronized between FortiGate HA cluster members. Each cluster member must have the same private-data-encryption key to form a valid HA cluster and synchronize their configurations. However, enabling TPM on one unit does not automatically enable it on the other units, and the key must be manually entered on each unit. To resolve these issues, the administrator should disable TPM on all units, clear the TPM data, and then enable TPM again with the same private-data-encryption key on each unit. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic
NEW QUESTION # 44
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:
* SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
* Public IP address (129.11.1.100) is assigned to portl
* Datacenter.acmecorp.com resolves to the public IP address assigned to portl The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
A)
B)
C)

- A. Option B
- B. Option D
- C. Option A
- D. Option C
Answer: D
Explanation:
To resolve the issue of failing to renew the Let's Encrypt certificate, the configuration change that is needed is to enable the HTTP-to-HTTPS redirect option in the SSL-VPN settings. This option allows the FortiGate to redirect HTTP requests to HTTPS port 443, which is required for Let's Encrypt to validate the domain ownership and issue a new certificate. By enabling this option, the FortiGate will be able to respond to the HTTP challenge from Let's Encrypt and renew the certificate successfully. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic
NEW QUESTION # 45
You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:
The devices and the administrator are all located in different time zones Daylight savings time (DST) is disabled
* The FortiGate is at GMT-1000.
* The FortiAnalyzer is at GMT-0800
* Your browser local time zone is at GMT-03.00
You want to review this log on FortiAnalyzer GUI, what time should you use as a filter?
- A. 12.37:08
- B. 10:37:08
- C. 17:37:08
- D. 20:37:08
Answer: C
Explanation:
To review this log on FortiAnalyzer GUI, the administrator should use the time filter that matches the local time zone of FortiAnalyzer, which is GMT-0800. Since the log was generated at 20:37 UTC (GMT+0000), the corresponding time in GMT-0800 is 20:37 - 8 hours = 12:37. However, since DST is disabled on FortiAnalyzer, the administrator should add one hour to account for daylight saving time difference, resulting in 12:37 + 1 hour = 13:37. Therefore, the time filter to use is 13:37:08. References: https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-guide/103664/time-zone-and-daylight-saving-time
NEW QUESTION # 46
Wh.ch feature must you enable on the BGP neighbors to accomplish this goal?
- A. Graceful-restart
- B. Soft-reconfiguration
- C. Deterministic-med
- D. Synchronization
Answer: A
Explanation:
Graceful-restart is a feature that allows BGP neighbors to maintain their routing information during a BGP restart or failover event, without disrupting traffic forwarding or causing route flaps. Graceful-restart works by allowing a BGP speaker (the restarting router) to notify its neighbors (the helper routers) that it is about to restart or failover, and request them to preserve their routing information and forwarding state for a certain period of time (the restart time). The helper routers then mark the routes learned from the restarting router as stale, but keep them in their routing table and continue forwarding traffic based on them until they receive an end-of-RIB marker from the restarting router or until the restart time expires. This way, graceful-restart can minimize traffic disruption and routing instability during a BGP restart or failover event. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/bgp-graceful-restart
NEW QUESTION # 47
Refer to the exhibit.
You have been tasked with replacing the managed switch Forti Switch 2 shown in the topology.
Which two actions are correct regarding the replacement process? (Choose two.)
- A. After replacing the FortiSwitch unit, the automatically created trunk name changes.
- B. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.
- C. After replacing the FortiSwitch unit, the automatically created trunk name does not change
- D. CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate
Answer: B,C
Explanation:
Based on the exhibit, the two correct actions regarding the replacement process are:
After replacing the FortiSwitch unit, the automatically created trunk name does not change. This is because the trunk name is based on the slot number and port number of the FortiGate unit that connects to the FortiSwitch unit, which remain the same after the replacement. If a different trunk name is desired, the trunk must be deleted and a new trunk will be created automatically with an updated name.
MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate. This is because the MCLAG-ICL configuration is stored on the FortiGate unit and applied to the FortiSwitch unit when it is authorized. The replacement FortiSwitch unit will inherit the MCLAG-ICL configuration of the failed FortiSwitch unit after it is replaced using the replace-device command in FortiOS. Reference: https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/173284/replacing-a-managed-fortiswitch-unit
NEW QUESTION # 48
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?
- A. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
- B. Configure two DNS servers and use DNS servers recommended by the two internet providers.
- C. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
- D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.
Answer: D
Explanation:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. References: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan
NEW QUESTION # 49
Refer to the exhibits, which show a firewall policy configuration and a network topology.
An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages-Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?
- A. FortiGate will fall-back to the default Fortinet_CA_SSL certificate.
- B. FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection,
- C. FortiGate will reject the connection since no certificate is defined.
- D. FortiGate will use the first certificate in the server-cert list-the abc.com certificate
Answer: A
Explanation:
When using inbound SSL inspection, FortiGate needs to present a certificate to the client that matches the requested domain name. If no matching certificate is found in the server-cert list, FortiGate will fall-back to the default Fortinet_CA_SSL certificate, which is self-signed and may trigger a warning on the client browser. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection
NEW QUESTION # 50
Refer to the exhibit.
A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.
How will the sessions be load balanced between server 1 and server 2 during normal operation?
- A. Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions
- B. Server 1 will receive 33.3% of the sessions, Server 2 will receive 66 6% of the sessions
- C. Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions
- D. Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions
Answer: A
Explanation:
The Server Pool in the exhibit is configured with a weight of 20 for server 1 and a weight of 60 for server 2. This means that server 1 will receive 20% of the sessions and server 2 will receive 75% of the sessions.
The following formula is used to calculate the load balancing between servers in a Server Pool:
weight_of_server_1 / (weight_of_server_1 + weight_of_server_2)
In this case, the formula is:
20 / (20 + 60) = 20 / 80 = 0.25 = 25%
Therefore, server 1 will receive 25% of the sessions and server 2 will receive 75% of the sessions.
NEW QUESTION # 51
Refer to the exhibit.
A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.
Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)
- A. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
- B. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express
- C. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority
- D. The Windows clients only require "File and Printer Sharing0 allowed and the rest is handled by Active Directory group policy
- E. You can only deploy initial installations to Windows clients.
Answer: A,D
Explanation:
A is correct because if no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay. This is because the FortiClient EMS server will not force the installation on the client.
E is correct because the Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy. This is because the Active Directory group policy will configure the Windows clients to automatically install FortiClient and the FortiClient EMS server will only need to push the initial configuration to the clients.
The other options are incorrect. Option B is incorrect because a client can only be eligible for one enabled configuration on the EMS server. Option C is incorrect because you can deploy initial installations to both Windows and macOS clients. Option D is incorrect because you can use the included SQL Server Express to deploy FortiClient EMS.
References:
Deploying FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library Configuring FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library FortiClient EMS installation requirements | FortiClient / FortiOS 7.4.0 - Fortinet Document Library
NEW QUESTION # 52
Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1).
Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?
- A. FSSO sessions from FAC1 will be synchronized to FAC2.
- B. The FortiToken license will need to be installed on the FAC2.
- C. FAC2 can have its HA interface on a different network than FAC1.
- D. FAC2 can only process requests when FAC1 fails.
Answer: A
Explanation:
When FortiAuthenticator operates in cluster mode, it provides active-passive failover and synchronization of all configuration and data, including FSSO sessions, between the cluster members. Therefore, if FAC1 is the active unit and FAC2 is the standby unit, any FSSO sessions from FAC1 will be synchronized to FAC2. If FAC1 fails, FAC2 will take over the active role and continue to process the FSSO sessions. References: https://docs.fortinet.com/document/fortiauthenticator/6.1.2/administration-guide/122076/high-availability
NEW QUESTION # 53
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)
- A. Add a connection-pool to the FortiADC virtual server
- B. Disable SSL between the FortiADC and the web servers
- C. Change the persistence rule to LB_PERSIS_SSL_SESSJD.
- D. Add more web servers to the real server poof
Answer: A,C
Explanation:
The FortiADC HA cluster is a load balancing solution that distributes traffic among multiple web servers in L7 Full NAT mode. L7 Full NAT mode means that FortiADC terminates both client and server SSL connections and performs full NAT for both source and destination IP addresses and ports. One possible reason for users not being able to access the website during a sale event is that the persistence rule is not configured properly. Persistence rule is a feature that ensures that subsequent requests from the same client are sent to the same web server, which is important for maintaining session continuity and avoiding errors or data loss. The default persistence rule for L7 Full NAT mode is LB_PERSIS_SRC_IP, which uses the source IP address of the client as the persistence key. However, this rule may not work well if there are many clients behind a proxy or NAT device that share the same source IP address, or if there are clients that change their source IP address frequently due to roaming or switching networks. Therefore, to resolve this situation, one option is to change the persistence rule to LB_PERSIS_SSL_SESSJD, which uses the SSL session ID of the client as the persistence key. This rule can provide more accurate and reliable persistence for SSL connections than LB_PERSIS_SRC_IP. Another possible reason for users not being able to access the website during a sale event is that there are too many TCP connections being established and terminated between FortiADC and the web servers, which consumes CPU resources and causes performance degradation. Therefore, to resolve this situation, another option is to add a connection-pool to the FortiADC virtual server. Connection-pool is a feature that allows FortiADC to reuse existing TCP connections between FortiADC and the web servers, instead of creating new ones for each request. This can reduce CPU overhead, improve response time, and increase throughput. Reference: https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/load-balancing-methods-and-persistence https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/connection-pool
NEW QUESTION # 54
......
The NSE8_812 exam is an eight-hour, open-book exam that consists of 60 multiple-choice questions. NSE8_812 exam covers a wide range of topics, including network design, security protocols, VPN technologies, firewall policies, and advanced threat protection. To pass the exam, candidates must score at least 70% on each section of the exam. In addition, candidates must have at least five years of experience in the network security field and hold the Fortinet NSE 7 certification.
Dumps Brief Outline Of The NSE8_812 Exam: https://www.actualcollection.com/NSE8_812-exam-questions.html
Use Real NSE8_812 - 100% Cover Real Exam Questions: https://drive.google.com/open?id=1TPkPr-O6OWJNHNOm5VTrpXZz6btstG21