Prepare Top Fortinet NSE8_812 Exam Study Guide Practice Questions Edition [Q34-Q58]


NEW QUESTION # 34
Refer to the exhibit.

You have been tasked with replacing the managed switch FortiSwitch 2 shown in the topology.
Which two actions are correct regarding the replacement process? (Choose two.)

  • A. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.
  • B. MCLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate.
  • C. After replacing the FortiSwitch unit, the automatically created trunk name does not change.
  • D. After replacing the FortiSwitch unit, the automatically created trunk name changes.

Answer: A,C

Explanation:
Based on the exhibit, the two correct actions regarding the replacement process are:
After replacing the FortiSwitch unit, the automatically created trunk name does not change. This is because the trunk name is based on the slot number and port number of the FortiGate unit that connects to the FortiSwitch unit, which remain the same after the replacement. If a different trunk name is desired, the trunk must be deleted and a new trunk will be created automatically with an updated name.
MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate. This is because the MCLAG-ICL configuration is stored on the FortiGate unit and applied to the FortiSwitch unit when it is authorized. The replacement FortiSwitch unit will inherit the MCLAG-ICL configuration of the failed FortiSwitch unit after it is replaced using the replace-device command in FortiOS. Reference: https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/173284/replacing-a-managed-fortiswitch-unit


NEW QUESTION # 35
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)

  • A. FTP
  • B. SCP
  • C. API
  • D. Report

Answer: A,C

Explanation:
User defined Lookup Table Data (LTD) is a feature that allows users to import custom data into FortiSIEM for correlation, reporting, and analysis purposes. Users can create LTD files in CSV format and import them into FortiSIEM using two methods: FTP or API. FTP is a file transfer protocol that allows users to upload LTD files to a designated folder on the FortiSIEM server. API is an application programming interface that allows users to send HTTP requests to upload LTD files to FortiSIEM using RESTful web services. Reference: https://docs.fortinet.com/document/fortisiem/6.4.0/administration-guide/19662/user-defined-lookup-table-data


NEW QUESTION # 36
An HA topology is using the following configuration:

Based on this configuration, how long will it take for a failover to be detected by the secondary cluster member?

  • A. 300ms
  • B. 600ms
  • C. 200ms
  • D. 100ms

Answer: A

Explanation:
The HA topology shown in the exhibit is using link monitoring with two heartbeat interfaces (port3 and port5) and a heartbeat interval of 100ms. Link monitoring is a feature that allows HA failover to occur when one or more monitored interfaces fail or become disconnected. The heartbeat interval is the time between each heartbeat packet sent by an HA cluster unit to other cluster units through heartbeat interfaces. The failover time is determined by multiplying the heartbeat interval by three (the default deadtime value). Therefore, in this case, the failover time is 100ms x 3 = 300ms. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/647723/link-monitoring-and-ha-failover-time


NEW QUESTION # 37
Refer to the exhibit.

You are operating an internal network with multiple OSPF routers on the same LAN segment. FGT_3 needs to be added to the OSPF network and has the configuration shown in the exhibit. FGT_3 is not establishing any OSPF connection.
What needs to be changed to the configuration to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election?

  • A.
  • B.
  • C.
  • D.

Answer: C

Explanation:
The OSPF configuration shown in the exhibit is using the default priority value of 1 for the interface port1. This means that FGT_3 will participate in the DR/BDR election process with the other OSPF routers on the same LAN segment. However, this is not desirable because FGT_3 is a new device that needs to be added to the OSPF network without affecting the existing DR/BDR election. Therefore, to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election, the priority value of the interface port1 should be changed to 0. This will prevent FGT_3 from becoming a DR or BDR and allow it to form OSPF adjacencies with the current DR and BDR. Option B shows the correct configuration that changes the priority value to 0. Option A is incorrect because it does not change the priority value. Option C is incorrect because it changes the network type to point-to-point, which is not suitable for a LAN segment with multiple OSPF routers. Option D is incorrect because it changes the area ID to 0.0.0.1, which does not match the area ID of the other OSPF routers on the same LAN segment. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/358640/basic-ospf-example


NEW QUESTION # 38
Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.
The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.
Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.)

A)

B)

  • A. Option C
  • B. Option A
  • C. Option D
  • D. Option B

Answer: A,D

Explanation:
To enable application detection on plain-text traffic that has been decrypted by FortiADC, the administrator must perform two configuration tasks on CL-1:
Enable SSL offloading in the firewall policy and select the SSL-Offload protocol options profile.
Enable application control in the firewall policy and select the SSL-Offload-App-Detect application list. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic


NEW QUESTION # 39
Refer to the exhibits, which show a firewall policy configuration and a network topology.

An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages. Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?

  • A. FortiGate will use the first certificate in the server-cert list, the abc.com certificate.
  • B. FortiGate will fall back to the default Fortinet_CA_SSL certificate.
  • C. FortiGate will reject the connection since no certificate is defined.
  • D. FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection.

Answer: B

Explanation:
When using inbound SSL inspection, FortiGate needs to present a certificate to the client that matches the requested domain name. If no matching certificate is found in the server-cert list, FortiGate will fall back to the default Fortinet_CA_SSL certificate, which is self-signed and may trigger a warning on the client browser. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection


NEW QUESTION # 40
A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this traffic.
Which two statements are true regarding the requirements? (Choose two.)

  • A. FortiGate can perform SSH access proxy host-key validation.
  • B. You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
  • C. SSH traffic is tunneled between the client and the access proxy over HTTPS.
  • D. Traffic is discarded as ZTNA does not support SSH connection rules.

Answer: A,C

Explanation:
ZTNA supports SSH connection rules that allow remote workers to access SSH servers inside the network through an HTTPS tunnel between the client and the access proxy (FortiGate). The access proxy acts as an SSH client to connect to the real SSH server on behalf of the user, and performs host-key validation to verify the identity of the server. The user can use any SSH client that supports HTTPS proxy settings, such as PuTTY or OpenSSH. References: https://docs.fortinet.com/document/fortigate/7.0.0/ztna-deployment/899992/configuring-ztna-rules-to-control-access


NEW QUESTION # 41
Refer to the exhibit.

A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.
How will the sessions be load balanced between server 1 and server 2 during normal operation?

  • A. Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions.
  • B. Server 1 will receive 33.3% of the sessions, Server 2 will receive 66.6% of the sessions.
  • C. Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions.
  • D. Server 1 will receive 0% of the sessions, Server 2 will receive 100% of the sessions.

Answer: A

Explanation:
The Server Pool in the exhibit is configured with a weight of 20 for server 1 and a weight of 60 for server 2. This means that server 1 will receive 20% of the sessions and server 2 will receive 75% of the sessions.
The following formula is used to calculate the load balancing between servers in a Server Pool:
weight_of_server_1 / (weight_of_server_1 + weight_of_server_2)
In this case, the formula is:
20 / (20 + 60) = 20 / 80 = 0.25 = 25%
Therefore, server 1 will receive 25% of the sessions and server 2 will receive 75% of the sessions.


NEW QUESTION # 42
You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster. Which statement about this solution is true?

  • A. The configuration is different than on a standalone device.
  • B. The MTA adapter is only available in the primary node.
  • C. The MTA adapter mode is only detection mode.
  • D. The configuration of the MTA Adapter Local Interface is different than on port1.

Answer: B

Explanation:
The MTA adapter feature on FortiSandbox is a feature that allows FortiSandbox to act as a mail transfer agent (MTA) that can receive, inspect, and forward email messages from external sources. The MTA adapter feature can be used to integrate FortiSandbox with third-party email security solutions that do not support direct integration with FortiSandbox, such as Microsoft Exchange Server or Cisco Email Security Appliance (ESA). The MTA adapter feature can also be used to enhance email security by adding an additional layer of inspection and filtering before delivering email messages to the final destination. The MTA adapter feature can be enabled on FortiSandbox in an HA-Cluster, which is a configuration that allows two FortiSandbox units to synchronize their settings and data and provide high availability and load balancing for sandboxing services. However, one statement about this solution that is true is that the MTA adapter is only available in the primary node. This means that only one FortiSandbox unit in the HA-Cluster can act as an MTA and receive email messages from external sources, while the other unit acts as a backup node that can take over the MTA role if the primary node fails or loses connectivity. This also means that only one IP address or FQDN can be used to configure the external sources to send email messages to the FortiSandbox MTA, which is the IP address or FQDN of the primary node. References: https://docs.fortinet.com/document/fortisandbox/3.2.0/administration-guide/19662/mail-transfer-agent-mta https://docs.fortinet.com/document/fortisandbox/3.2.0/administration-guide/19662/high-availability-ha


NEW QUESTION # 43
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)

  • A. Add more web servers to the real server pool.
  • B. Add a connection-pool to the FortiADC virtual server.
  • C. Change the persistence rule to LB_PERSIS_SSL_SESS_ID.
  • D. Disable SSL between the FortiADC and the web servers.

Answer: B,C

Explanation:
The FortiADC HA cluster is a load balancing solution that distributes traffic among multiple web servers in L7 Full NAT mode. L7 Full NAT mode means that FortiADC terminates both client and server SSL connections and performs full NAT for both source and destination IP addresses and ports. One possible reason for users not being able to access the website during a sale event is that the persistence rule is not configured properly. A persistence rule is a feature that ensures that subsequent requests from the same client are sent to the same web server, which is important for maintaining session continuity and avoiding errors or data loss. The default persistence rule for L7 Full NAT mode is LB_PERSIS_SRC_IP, which uses the source IP address of the client as the persistence key. However, this rule may not work well if there are many clients behind a proxy or NAT device that share the same source IP address, or if there are clients that change their source IP address frequently due to roaming or switching networks. Therefore, to resolve this situation, one option is to change the persistence rule to LB_PERSIS_SSL_SESS_ID, which uses the SSL session ID of the client as the persistence key. This rule can provide more accurate and reliable persistence for SSL connections than LB_PERSIS_SRC_IP. Another possible reason for users not being able to access the website during a sale event is that there are too many TCP connections being established and terminated between FortiADC and the web servers, which consumes CPU resources and causes performance degradation. Therefore, to resolve this situation, another option is to add a connection-pool to the FortiADC virtual server. Connection-pool is a feature that allows FortiADC to reuse existing TCP connections between FortiADC and the web servers, instead of creating new ones for each request. This can reduce CPU overhead, improve response time, and increase throughput.
Reference: https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/load-balancing-methods-and-persistence https://docs.fortinet.com/document/fortiadc/6.4.0/administration-guide/19662/connection-pool


NEW QUESTION # 44
Refer to the exhibits.

An administrator has configured a FortiGate and FortiAuthenticator for two-factor authentication with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and authenticate, but push notifications do not work. Based on the information given in the exhibits, what must be done to fix this?

  • A. On FG-1 port1, the ftm access protocol must be enabled.
  • B. On FAC-1, the FortiToken public IP setting must point to 100.64.1.41.
  • C. FAC-1 must have an internet routable IP address for push notifications.
  • D. On FG-1 CLI, the ftm-push server setting must point to 100.64.1.41.

Answer: D

Explanation:
The FortiGate and FortiAuthenticator configuration shown in the exhibits is using two-factor authentication with FortiToken push notifications for SSL VPN login. FortiToken push notifications are a feature that allows users to receive a notification on their mobile devices when they attempt to log in to a FortiGate or FortiAuthenticator service, and approve or deny the login request with a single tap. However, push notifications do not work in this scenario, even though users can manually type in their two-factor code and authenticate. One possible reason for this issue is that the FortiGate does not know how to reach the FortiAuthenticator server for push notifications. Therefore, to fix this issue, one option is to configure the ftm-push server setting on the FG-1 CLI, which specifies the IP address or FQDN of the FortiAuthenticator server that handles push notifications. In this case, since FAC-1 has an IP address of 100.64.1.41, the ftm-push server setting on the FG-1 CLI must point to 100.64.1.41 as well. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/19662/fortitoken-mobile-push-notifications


NEW QUESTION # 45
Refer to the exhibits.
The exhibits show a diagram of a requested topology and the base IPsec configuration.
A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.
In this scenario, which feature should be implemented to achieve this requirement?

  • A. Use local-id
  • B. Use network-overlay id
  • C. Change advpn2 to IKEv1
  • D. Use peer-id

Answer: B

Explanation:
A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn


NEW QUESTION # 46
A remote IT Team is in the process of deploying a FortiGate in their lab. The closed environment has been configured to support zero-touch provisioning from the FortiManager, on the same network, via DHCP options. After waiting 15 minutes, they are reporting that the FortiGate received an IP address, but the zero-touch process failed.
The exhibit below shows what the IT Team provided while troubleshooting this issue:

Which statement explains why the FortiGate did not install its configuration from the FortiManager?

  • A. The DHCP server used the incorrect option type for the FortiManager IP address.
  • B. The FortiGate was not configured with the correct pre-shared key to connect to the FortiManager
  • C. The configuration was modified on the FortiGate prior to connecting to the FortiManager
  • D. The DHCP server was not configured with the FQDN of the FortiManager

Answer: A

Explanation:
C is correct because the DHCP server used the incorrect option type for the FortiManager IP address. The option type should be 43 instead of 15, as shown in the FortiManager Administration Guide under Zero-Touch Provisioning > Configuring DHCP options for ZTP. References: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options


NEW QUESTION # 47
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

  • A. The FortiGuard VOS can be used only with proxy-based policy inspections.
  • B. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
  • C. The antivirus database queries FortiGuard with the hash of a scanned file.
  • D. The AV engine scan must be enabled to use the FortiGuard VOS feature.
  • E. If the third-party AV database returns a match, the scanned file is deemed to be malicious.

Answer: B,C

Explanation:
c) The antivirus database queries FortiGuard with the hash of a scanned file. This is how the FortiGuard VOS service works. The FortiGate queries FortiGuard with the hash of a scanned file, and FortiGuard returns a list of known malware signatures that match the hash.
e) The hash signatures are obtained from the FortiGuard Global Threat Intelligence database. This is where the FortiGuard VOS service gets its hash signatures from. The FortiGuard Global Threat Intelligence database is updated regularly with new malware signatures.


NEW QUESTION # 48
Refer to the CLI configuration of an SSL inspection profile from a FortiGate device configured to protect a web server:

Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?

  • A. FortiGate will reject all HTTP/2 ALPN headers.
  • B. FortiGate will strip the ALPN header and forward the traffic.
  • C. FortiGate will rewrite the ALPN header to request HTTP/1.
  • D. FortiGate will forward the traffic without modifying the ALPN header.

Answer: B

Explanation:
When an HTTP/2 request comes in, FortiGate will strip the Application-Layer Protocol Negotiation (ALPN) header and forward the traffic as HTTP/1.1 to the real server. This is because FortiGate does not support HTTP/2 inspection, and therefore cannot process ALPN headers that indicate HTTP/2 support. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic


NEW QUESTION # 49
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency, the time to resolve names using DNS from the FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?

  • A. Configure two DNS servers and use DNS servers recommended by the two internet providers.
  • B. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
  • C. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
  • D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.

Answer: D

Explanation:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. References: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan


NEW QUESTION # 50
Which feature must you enable on the BGP neighbors to accomplish this goal?

  • A. Deterministic-med
  • B. Soft-reconfiguration
  • C. Graceful-restart
  • D. Synchronization

Answer: C

Explanation:
Graceful-restart is a feature that allows BGP neighbors to maintain their routing information during a BGP restart or failover event, without disrupting traffic forwarding or causing route flaps. Graceful-restart works by allowing a BGP speaker (the restarting router) to notify its neighbors (the helper routers) that it is about to restart or failover, and request them to preserve their routing information and forwarding state for a certain period of time (the restart time). The helper routers then mark the routes learned from the restarting router as stale, but keep them in their routing table and continue forwarding traffic based on them until they receive an end-of-RIB marker from the restarting router or until the restart time expires. This way, graceful-restart can minimize traffic disruption and routing instability during a BGP restart or failover event. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/bgp-graceful-restart


NEW QUESTION # 51
You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:

The devices and the administrator are all located in different time zones. Daylight saving time (DST) is disabled.
* The FortiGate is at GMT-1000.
* The FortiAnalyzer is at GMT-0800.
* Your browser local time zone is at GMT-0300.
You want to review this log in the FortiAnalyzer GUI. What time should you use as a filter?

  • A. 12:37:08
  • B. 20:37:08
  • C. 10:37:08
  • D. 17:37:08

Answer: D

Explanation:
To review this log on FortiAnalyzer GUI, the administrator should use the time filter that matches the local time zone of FortiAnalyzer, which is GMT-0800. Since the log was generated at 20:37 UTC (GMT+0000), the corresponding time in GMT-0800 is 20:37 - 8 hours = 12:37. However, since DST is disabled on FortiAnalyzer, the administrator should add one hour to account for daylight saving time difference, resulting in 12:37 + 1 hour = 13:37. Therefore, the time filter to use is 13:37:08. Reference: https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-guide/103664/time-zone-and-daylight-saving-time


NEW QUESTION # 52
Refer to the exhibits.
Exhibit A

Exhibit B

Exhibit C

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in Exhibits A and B, and a baseline VPN configuration is shown in Exhibit C. Referring to the exhibits, which configuration will restore VPN connectivity?

  • A.
  • B.
  • C.
  • D.

Answer: A

Explanation:
The VPN configuration shown in Exhibit C is a baseline VPN configuration that uses IKEv2 with pre-shared keys and AES256 encryption for both IKE and ESP phases. However, this configuration does not match the output shown in Exhibit A and B, which indicate that IKEv1 is used with RSA signatures and AES128 encryption for both IKE and ESP phases. Therefore, to restore VPN connectivity, the configuration needs to be modified to match these parameters. Option B shows the correct configuration that matches these parameters. Option A is incorrect because it still uses IKEv2 instead of IKEv1. Option C is incorrect because it still uses pre-shared keys instead of RSA signatures. Option D is incorrect because it still uses AES256 encryption instead of AES128 encryption. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/ipsec-vpn-with-forticlient


NEW QUESTION # 54
Refer to the exhibit showing a firewall policy configuration.

To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1.
What change does the administrator need to make?

  • A.
  • B.
  • C.
  • D.

Answer: A

Explanation:
B is correct because it adds an identity-based policy with SSL-VPN as the source interface and requires authentication using a user group. This will enforce authentication on firewall policy ID 1 for SSL-VPN users. Reference: https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/ssl-vpn-authentication https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/configuring-ssl-vpn-access-for-local-users


NEW QUESTION # 55
An automation stitch was configured using an incoming webhook as the trigger named 'my_incoming_webhook'. The action is configured to execute the CLI Script shown:

  • A.
  • B.
  • C.
  • D.

Answer: B

Explanation:
To execute the CLI script shown using an incoming webhook as the trigger, the correct syntax for the curl command is:
curl -X POST -H "Content-Type: application/json" -d '{"trigger_name":"my_incoming_webhook"}' https://fortisoar.example.com/api/v1/trigger
This command will send a POST request to the FortiSOAR API endpoint with the trigger name and the content type as JSON. The FortiSOAR API will then execute the automation stitch that matches the trigger name and run the CLI script on the FortiGate device. Reference: https://docs.fortinet.com/document/fortisoar/7.0.0/administration-guide/103440/automation-stitches https://docs.fortinet.com/document/fortisoar/7.0.0/administration-guide/103441/incoming-webhook


NEW QUESTION # 56
Refer to the exhibit.

A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains a TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.
Following these actions, the administrator immediately notices that both the FortiGate high availability (HA) status and the FortiManager status for the FortiGate are negatively impacted.
What are the two reasons for this behavior? (Choose two.)

  • A. Configuration for TPM is not synchronized between FortiGate HA cluster members.
  • B. The private-data-encryption key entered on the primary did not match the value that the TPM expected.
  • C. TPM functionality is not yet compatible with FortiGate HA.
  • D. The administrator needs to manually enter the hex private data encryption key in FortiManager.
  • E. The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.

Answer: A,B

Explanation:
The two reasons for the negative impact on the FortiGate HA status and FortiManager status after enabling TPM are:
The private-data-encryption key entered on the primary unit did not match the value that the TPM expected. This could happen if the TPM was previously enabled and then disabled, and the key was changed in between. The TPM will reject the new key and cause an error in the configuration synchronization.
Configuration for TPM is not synchronized between FortiGate HA cluster members. Each cluster member must have the same private-data-encryption key to form a valid HA cluster and synchronize their configurations. However, enabling TPM on one unit does not automatically enable it on the other units, and the key must be manually entered on each unit. To resolve these issues, the administrator should disable TPM on all units, clear the TPM data, and then enable TPM again with the same private-data-encryption key on each unit. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic


NEW QUESTION # 57
Refer to the exhibit.

FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)

  • A. The template will work if you change the variable format to $(WAN).
  • B. The administrator must first manually map the interface for each device with a meta field.
  • C. The template will work if you change the variable format to {{ WAN }}.
  • D. The template will fail because this configuration can only be applied with a CLI or TCL script.
  • E. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.

Answer: B,D

Explanation:
The Jinja template in the exhibit is trying to configure the interface role on the managed FortiGate. This type of configuration can only be applied with a CLI or TCL script. The Jinja template will fail because it is not a valid CLI or TCL script.
d) The administrator must first manually map the interface for each device with a meta field. The Jinja template in the exhibit is expecting a meta field called WAN to be set on the managed FortiGate. This meta field will specify which interface on the FortiGate should be assigned the "WAN" role. If the meta field is not set, then the template will fail.


NEW QUESTION # 58
......
