Down To Date Fortinet Network Security Expert 8 Written Exam (810) NSE8_810 Exam Prep

NEW QUESTION 1
Exhibit

Only users authenticated in FortiGate-B reach the server. A customer wants to deploy a single sing-on solution for VPN users. Once a user’s is connected and authenticated to the VPN in FortiGate-A, the user does not need to authenticate again in FortiGate-B to reach the server.
Which two actions satisfy this requirement? (Choose two.)

• A. Use Kerberos authentication.
• B. FortiGate-A must generate a RADUIS accounting packets.
• C. Use FortiAuthenticator.
• D. Use the Collector Agen

Answer: CD

NEW QUESTION 2
In a FortiGate 5000 series, two FortiControllers are working as an SLBC cluster in a-p mode. The configuration shown below is applied.

When statement is true on how new TCP sessions are handled by the Distributor Processor (DP).
The new session added the DP session table is automatically deleted, if the traffic is denied by the processing worker.

• A. No new session is added is the DP session table until the processing worker accepts the traffic.
• B. A new session added m the DP session table remains in the table remain in the traffic is denied by the procession worker.
• C. A new session added in the OP session table remains is the table only if traffic is traffic is accepted by the processing worker.

Answer: C

NEW QUESTION 3
Exhibit

The exhibit shows the steps for creating a URL rewrite policy on a FortWet-Which statement represents the purpose of this policy?

• A. The policy redirects all HTTP URLs to HTTPS.
• B. The policy redirects all HTTPS URLs to HTTP.
• C. The policy redirects only HTTPS URLs containing the ˆ/ (. *) S string to HTTP.
• D. The pokey redirects only HTTP URLs containing theˆ/ ( .*)S string to HTTP

Answer: A

NEW QUESTION 4
An organization has one central site And three remote sites. A FotiSIEM has been drafted on the central site and now all devices across the remote sites need to be monitored by the FortiSlEM.
When action would reduce the WAN usage by the monitoring system?

• A. Deploy a single Supervisor on the central site and enable WAN optimize on the WAN gateways.
• B. Install local Collection remote site.
• C. Disable monitoring on the remote sites during the day.
• D. install a Supervisor and a Collector for each remote sit

Answer: C

NEW QUESTION 5
You want to access the JSON API on FortiManager to retrieve information on an object. In this scenario, which two methods will satisfy the requirement? (Choose two.)

• A. Make a call with the Web browser on your workstation.
• B. Make a call with the SoapUl API tool on your workstation.
• C. Download the WSDL file from FortiManager administration GUI.
• D. Make a call with the curl utility on your workstation

Answer: AC

NEW QUESTION 6
Exhibit

Referring to the exhibit, which command-line option for deep inspection SSL would have the FortiGAte re=sign all untrusted self-signed certificates with the trusted Fortinet_CA_SSl certificate?

• A. allow
• B. block
• C. ignore
• D. inspect

Answer: D

NEW QUESTION 7
Exhibit

The FortiAP profile used by the FortiGate managed AP is shown in the exhibit. Which two statements are correct n this scenario? (Choose two.)

• A. All FortiAPs using thre profile will nave Radio 1 scan rogue access points.
• B. Map this profile to SSlDs that you want to be available on the FortiAPs using this profile.
• C. All FortiAPs using this profile will have Radio 1 monitor wireless clients.
• D. Interference will be prevented between FortiAPs using this profile.

Answer: BC

NEW QUESTION 8
Exhibit

The exhibit shows a full-mesh topology between Fortigates FortiSwitches. To deploy configuration, two requirements must be met:
-- 20 Gbps full duplex connectivity is available between each FortiGate and the FortiSwitches.
--the FortiGate HA must be in AP mode.
Referring to the exhibit, what are two actions that wil fulfill the requirements?

• A. Configure both FortiSwitch as pears with ICL over cable E, create one MCLAG on ports connected to cables A and C, and create another MCLAG on ports connected to cables B and D.
• B. Configure the master FortiGate with one and FortiLink split interface disable on ports connected to cables A and C and make sure the same ports are used for to cables B and D.
• C. Configure both FortiSwitches as peers ISL over cable on create one MCLAG on ports connected cables A and C, and ceate another MCLAG on ports connected to cables B and D.
• D. Configure the master FortiGate with one LAG and FortiLink split interface enables on ports connected to cable A and C make sure the ports are used for cables B and D on the slave.

Answer: C

NEW QUESTION 9
You deploy a FortiGate device in a remote office based on the requirements shown below.
-- Due to company's security policy, management IP of your FortiGate is not allowed to access the Internet.
-- Apply Web Filtering, Antivirus, IPS and Application control to the protected subnet.
-- Be managed by a central FortiManager in the head office. Which action will help to achieve the requirements?

• A. Configure a default route and make sure that the FortiGate device can pmg to service fortiguard net.
• B. Configure the FortiGuard override server and use the IP address of the FortiManager
• C. Configure the FortiGuard override server and use the IP address of service, fortiguard net.
• D. Configure FortiGate to use FortiGuard Filtering Port 8888.

Answer: B

NEW QUESTION 10
Exhibit

You need to run a script in FortiManager against several managed FortiGale devices in your organization to install a configuration for a new static route.
Which two scripts will successfully configure the static route on the managed device? (Choose two)

• A. Script 1
• B. Script 2
• C. Script 3
• D. Script 4

Answer: BC

NEW QUESTION 11
Exhibit

A FortiGate with the default configuration is deployed between two IP phones. FortiGate receives the INVITE request shown in the exhibit from Phone A (internal) to Phone b (exltrnal).
Which two actions are taken by the FortiGate after the packet is received? (Choose two.)

• A. A pinhole will be opened to accept traffic sent to FortiGate's WAN IP address and ports 49169 and 49170.
• B. a pinhole will be opened to accept traffic sent to FortiGate's WAN IP address and ports 49l70 and 49171.
• C. The phone A IP address will be translated lo the WAN IP address in all INVITE header fields and the m: field of the SDP statement.
• D. The phone A IP address will be translated for the WAN IP address in all INVITE header fields and the SDP statement remains intact.

Answer: BC

NEW QUESTION 12
You want to manage a FortiCloud service. The FortiGate shows up in your list devices on the FortiCloud Web site, but all management functions are either missing or grayed out.
Which statement a correct in this scenario?

• A. The managed FcrtGate a running a version of ForflOS that is either too new or too for FortCloud.
• B. The managed FortiGate requires that a FortiCloud management license be purchased and applied.
• C. You must manually configure system control-management on the FortiGate CLI and set the management type to fortiguard.
• D. The management tunnel mode on the managed FortiGate must be changed to norma

Answer: C

NEW QUESTION 13
Exhibit

You configured an IPsec tunnel to a branch office. Now you want to make sure that the encryption of the tunnel is offloaded to hardware referring to the exhibit, which statement is true?

• A. Incoming and outgoing traffic is offloaded
• B. Outgoing traffic is offloaded, you cannot determine if incoming traffic is offloaded at this time.
• C. Traffic is not offloaded.
• D. Outgoing traffic is offloaded: incoming traffic not offloade

Answer: D

NEW QUESTION 14
You have deployed a FortiGate In NAT/Route mode as a secure as a web gateway with a few P-base authentication firewall policies. Your customer reports that some users now have different browsing permission =s from what is expected. All these users are browsing using internet Explorer through Desktop Connection to a Terminal Server. When you took at the Fortigate logs the username for the Terminal Server IP is not consistent.
Which action will correct this problem?

• A. Make sure Terminal Service is using the correct DNS ever.
• B. Configure FSSO Advanced with LDAP integration
• C. Change the FSSO polling mode to windows NetAPI
• D. Install the TSCitrix on the terminal server

Answer: C

NEW QUESTION 15
You configure an outgoing firewall policy with a web filter for accessing the internet. The access to URL https// itacm.co and web belonging to the same category should be blocked. You notice that the Web server presents a certificate with CN=www acme.com. The www.it.acme site is as '' information Technology and the www.acme.com site is categorized as ''Business".
Which statements is correct in this scenario?

• A. Category "information Technology" needs to blocked, the FortiGate is able to inspection the URL with HTTPS sessions.
• B. Category "Business" need a to be block: the certificate name takes precedence over the SNI.
• C. SSL inspection must be configured to deep-inspection: the category "information Technology "needs to be blocked.
• D. Category :information Technology" needs to be blocked, the SNI takes precedence over the certificate nam

Answer: A

NEW QUESTION 16
You cannot the FortiGales default gateway 10.10.10 .1 from the FortiGate CLI. The FortiGate interface facing the default gateway is wan 1 and its IP address 10.10 .10 K74 During the troubleshooting, tests, you confirmed that you can plug other IP addresses in the 10.10.10. 0/24 subnet from the FortiGAte CLI without packets lost.
Which two CLI commands will help you to troubleshoot this problem? (Choose two.)

• A. diagnose ip arp list
• B. diag aniffer packet wan1 'arp and host 10.10.1O.1'
• C. diagnose hardware deviceinfo nice wan1
• D. diagnose debug flow filter addt 10.10.10.1
• E. diagnose debug flow trace trace 10

Answer: AD

NEW QUESTION 17
Exhibit

You log into FortiManager, look at the Device Manager window and notice that one of you managed devices is not in normal status.
Referring to the exhibit, which two statements correctly describe the affected device's status and result? (Choose two.)

• A. The device configuration was changed on the local FoitiGate side onl
• B. auto-update is disabled.
• C. The device configuration was changed on both the local FortiGate side and the FortiManager side, auto-update is disabled.
• D. The changed configuration on the FortiGate wrt remain the next time that the device configuration is pushed from ForbManager.
• E. The changed configuration on the FortiGate will be overwritten in favor of what is on the FortiMAnager the next time that the device configuration is pushed.

Answer: BD

NEW QUESTION 18
Your client wants to use a central RADIUS server for management authentication when connecting to the FortiGate GUL and provide different levels of access for different types of employees.
Which three actions required providing the requested functionality? (Choose three.)

• A. Enable radius-vdom-override in the CLI.
• B. Create a wildcard administrator on the FortGate
• C. Enable occprofile-override in the CLI.
• D. Set the RADIUS authencation type to MS-CHApV2.
• E. Create multiple administrator profiles with matching RADIUS VSA

Answer: CDE

NEW QUESTION 19
Exhibit

You created a custom health-check for your FortiWeb deployment. Referring to the output shown in the exhibit, which statement is true?

• A. The FortiWeb must receive an RST packet from the server.
• B. The FortiWeb must receive an HTTP 200 response code from the server.
• C. The FortiWeb must receive an ICMP Echo Request from the server.
• D. The FortiWeb must match the hash value of the page index htm

Answer: B

NEW QUESTION 20
Exhibit

You have to data center with a FortiGate 7000-series chassis connected by VPN, and all traffic flows over an established generic routing encapsulation (GRE) tunnel between them. You are troubleshooting traffic that is traversing between Server VLAN A and Server VLAN B. The performance is lower than expected and all traffic is only on the FPM module in slot 3.
Referring to the exhibit, which action will correct the problem?

• A. Remove traffic shaping from the firewall policy allowing the traffic.
• B. NO course of action enables load balancing in this scenario.
• C. Change the algorithm so it takes IP source IP, destination IP, and port no account.
• D. Configuration a local-balance flow-rule in the CLI to enable load balancin

Answer: A

NEW QUESTION 21
Exhibit

You need to apply the security feature below to the network shown in the exhibit.
-- high grade DDoS protection
-- Web security and load balacng for Server 1 and Server
-- Solution must be PCI DSS compliant'
-- enhanced security to DNS 1 and DNS 2 What are three solutio for the scenario?

• A. FortiWeb forVDOM-A
• B. FortDDoS between FG1 and FG2 and the Internet
• C. FortiADC for VDOM-A
• D. FortADC for VDoM-B
• E. FortiDDoS between FG1 and FG2 and VDOMs

Answer: D

NEW QUESTION 22
......