最新的Fortinet NSE 8認證 NSE8_813考試題庫

問題1

Which command syntax would you use to configure the serial number of a FortiGate as its host name?

A.

B.

C.

D.

正確答案: C

說明：（僅 VCESoft 成員可見）

問題2

Referring to the diagram shown on the exhibit, you deployed VRRP load balancing using two FortiGate units and two VRRP groups with a VRRP virtual MAC address enabled on both FortiGate's port2 interface. During normal operation, both FortiGate units are processing traffic and the VRRP groups are used to load balance the traffic between the two FortiGate units.
If FortiGate unit A fails, what would happen?

A. The FortiGate Unit B port2 interface will use virtual MAC addresses of 00-00-5e-00-01-05 and 00-
00-5e-00-01-0a, and all traffic fails over to it.

B. The FortiGate Unit B port2 interface will use virtual MAC addresses of 00-a0-5e-00-01-05 and 00- a0- 5e-00-01-0a, and all traffic fails over to it.

C. The FortiGate Unit B port2 interface will use the physical MAC addresses of the FortiGate Unit A port2 interface, and all traffic fails over to it.

D. The FortiGate Unit B port2 interface sends gratuitous ARPs to associate the VRRP virtual router IP address with its own MAC address, and all traffic fails over to it.

正確答案: A

問題3

A FortiGate must be configured to accept VoIP traffic which will include session initiation protocol (SIP) traffic.
Which statement about the VoIP configuration options is correct?

A. By default, VoIP traffic will be processed using the SIP Session Helper.

B. Restricting SIP requests is only possible when using the SIP Session Helper.

C. FortiOS cannot accept SIP traffic if both the SIP Session Helper and the application layer gateway (ALG) are disabled.

D. Rate tracking of SIP requests is only possible when the application layer gateway (ALG) is set to Flow mode.

正確答案: C

問題4

A customer wants to install a FortiSandbox device to identify suspicious files received by an e- mail server. All the incoming e-mail traffic to the e-mail server uses the SMTPS protocol.
Which three solutions would be implemented? (Choose three.)

A. FortiGate device in transparent mode sending the suspicious files to the FortiSandbox

B. FortiGate device in NAT mode sending the suspicious files to the FortiSandbox

C. FortiMail device in gateway mode using the built-in MTA and sending the suspicious files to the FortiSandbox

D. FortiSandbox in sniffer input mode

E. FortiMail device in transparent mode acting as an SMTP proxy sending the suspicious files to the FortiSandbox

正確答案: B,C,D

問題5

Refer to the exhibits, which show a network topology and VPN configuration.

A network administrator has been tasked with modifying the existing dial-up IPsec VPN infrastructure to detect the path quality to the remote endpoints.
After applying the configuration shown in the configuration exhibit, the VPN clients can still connect and access the protected 172.16.205.0/24network, but no SLA information shows up for the client tunnels when issuing the diagnose sys link-monitor tunnel all command on the FortiGate CLI.
What is wrong with the configuration?

A. It is necessary to use the IKEv2 protocol in this situation.

B. SLA link monitoring does not work with the net-device setting.

C. The admin needs to disable the mode-cfg setting.

D. IPsec Phase1 Interface has to be configured in IPsec main mode.

正確答案: B

說明：（僅 VCESoft 成員可見）

問題6

A FortiGate deployment contains the following configuration:

What is the result of this configuration?

A. Route-maps from the Root VDOM configuration are available in VDOM SERVICES

B. Route-maps for VDOM SERVICES are excluded from HA configuration synchronization

C. Route-maps are not configurable in VDOM SERVICES

D. Route-maps from VDOM SERVICES are available in all other VDOMs

正確答案: B

問題7

Consider the following FortiGate configuration:

Which command-line option for deep inspection SSL would have the FortiGate re-sign all untrusted self- signed certificates with the trusted Fortinet_CA_SSL certificate?

A. ignore

B. allow

C. block

D. inspect

正確答案: A

問題8

In a FortiGate 5000 series, two FortiControllers are working as an SLBC cluster in a-p mode. The configuration shown below is applied.

Which statement is true on how new TCP sessions are handled by the Distributor Processor (DP)?

A. A new session added in the DP session table remains in the table even if the traffic is denied by the processing worker.

B. A new session added in the DP session table remains in the table only if traffic is accepted by the processing worker.

C. No new session is added in the DP session table until the processing worker accepts the traffic.

D. The new session added in the DP session table is automatically deleted, if the traffic is denied by the processing worker.

正確答案: A

問題9

Refer to the exhibit.

The Company Corp administrator has enabled Workflow mode in FortiManager and has assigned approval roles to the current administrators. However, workflow approval does not function as expected. The CTO is currently unable to approve submitted changes. Given the exhibit, which two possible solutions will resolve the workflow approval problems with the Workflow_72 ADOM?
(Choose two.)

A. The CTO and CISO need to swap Approval Groups so that the highest authority is in Group #1.

B. The CTO needs to be added to "Email Notification" in the Workflow_72 ADOM.

C. The CTO must have a defined email address for their admin user account.

D. The CTO must have Standard access level or higher for FortiManager.

E. The CISO must have a higher access level than "Read_Only_User" in FortiManager.

正確答案: C,D

說明：（僅 VCESoft 成員可見）

問題10

Refer to the exhibit, which shows a Branch1 configuration and routing table.

In the SD-WAN implicit rule, you do not want the traffic load balance for the overlay interface when all members are available.
In this scenario, which configuration change will meet this requirement?

A. Create a new static route with the internet sdwan-zone only.

B. Change the load-balance-mode to source-ip-based.

C. Configure the cost in each overlay member to 10.

D. Configure the priority in each overlay member to 10.

正確答案: D

說明：（僅 VCESoft 成員可見）

問題11

What is the benefit of using FortiGate NAC LAN Segments?

A. It provides physical isolation without changing the IP address of hosts

B. It provides support for IGMP snooping between hosts within the same VLAN

C. It provides support for multiple DHCP servers within the same VLAN

D. It allows for assignment of dynamic address objects matching NAC policy

正確答案: A

說明：（僅 VCESoft 成員可見）

問題12

Refer to the exhibit.

You are trying to configure Link-Aggregation Group (LAG), but ports A and B do not appear on the list of member options.
Referring to the exhibit, which statement is correct in this situation?

A. The FortiGate SFP+ slot does not have the correct module.

B. The FortiGate model does not have an Integrated Switch Fabric (ISF).

C. The FortiGate interfaces are defective and require replacement.

D. The FortiGate model being used does not support LAG.

正確答案: B

問題13

Refer to the exhibit.

The exhibit shows a topology where a FortiGate is split into two VDOMs, rootand vd-lan. The rootVDOM provides external SSL-VPN access, where the users are authenticated by a FortiAuthenticator. The vd-lanVDOM provides internal access to a Web server.
For the remote users to access the internal Web server, there are a few requirements as follows:
* All traffic must come from the SSL-VPN.
* The vd-lanVDOM only allows authenticated traffic to the Web server.
* Users must only authenticate once, using the SSL-VPN portal.
* SSL-VPN uses RADIUS-based authentication.
Given these requirements and the topology shown in the exhibit, which two statements are true?
(Choose two.)

A. vd-lan receives authentication messages from root using FSSO.

B. root sends "RADIUS Accounting Messages" to FortiAuthenticator

C. root is configured for FSSO while vd-lan is configured for RSSO.

D. vd-lan connects to FortiAuthenticator as a regular FSSO client.

正確答案: B,D

最新的Fortinet NSE 8 - Recertification - NSE8_813免費考試真題

最新更新

站內鏈接

聯系我們