あなたのNSE8_812試験100%合格問題集はここFast2testで一発合格
突破上級者がシミュレーションされたNSE8_812試験問題集PDF
Fortinet NSE8_812の認定試験は、Fortinetのセキュリティソリューションに関する専門知識を証明し、認定されたFortinet Network Security Expert(NSE)になりたい個人を対象としています。この認定試験は、Fortinetのセキュリティ製品を使用して高度なセキュリティソリューションを設計、実装、管理するために必要なスキルと知識を検証します。
質問 # 13
Refer to the exhibit showing a firewall policy configuration.
To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1.
What change does the administrator need to make?
- A.

- B.

- C.

- D.

正解:D
解説:
B is correct because it adds an identity-based policy with SSL-VPN as the source interface and requires authentication using a user group. This will enforce authentication on firewall policy ID 1 for SSL-VPN users. Reference: https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/ssl-vpn-authentication https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/configuring-ssl-vpn-access-for-local-users
質問 # 14
You are creating the CLI script to be used on a new SD-WAN deployment You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.
The current configuration is:
Which configuration do you use for the Performance SLA members?
- A. set members all
- B. set members any
- C. current configuration already fulfills the requirement
- D. set members 0
正解:A
解説:
D is correct because using set members all allows you to apply the Performance SLA configuration to all available interfaces without specifying them individually. This way, you do not need to change the configuration in case more connections are added to the branch. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan/978795/configuring-sd-wan-performance-sla
質問 # 15
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)
- A. The antivirus database queries FortiGuard with the hash of a scanned file
- B. The FortiGuard VOS can be used only with proxy-base policy inspections.
- C. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
- D. If third-party AV database returns a match the scanned file is deemed to be malicious.
- E. The AV engine scan must be enabled to use the FortiGuard VOS feature
正解:A、C
解説:
c) The antivirus database queries FortiGuard with the hash of a scanned file. This is how the FortiGuard VOS service works. The FortiGate queries FortiGuard with the hash of a scanned file, and FortiGuard returns a list of known malware signatures that match the hash.
e) The hash signatures are obtained from the FortiGuard Global Threat Intelligence database. This is where the FortiGuard VOS service gets its hash signatures from. The FortiGuard Global Threat Intelligence database is updated regularly with new malware signatures.
質問 # 16
Refer to the exhibit.
You are operating an internal network with multiple OSPF routers on the same LAN segment. FGT_3 needs to be added to the OSPF network and has the configuration shown in the exhibit. FGT_3 is not establishing any OSPF connection.
What needs to be changed to the configuration to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election?
- A.

- B.

- C.

- D.

正解:A
解説:
The OSPF configuration shown in the exhibit is using the default priority value of 1 for the interface port1. This means that FGT_3 will participate in the DR/BDR election process with the other OSPF routers on the same LAN segment. However, this is not desirable because FGT_3 is a new device that needs to be added to the OSPF network without affecting the existing DR/BDR election. Therefore, to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election, the priority value of the interface port1 should be changed to 0. This will prevent FGT_3 from becoming a DR or BDR and allow it to form OSPF adjacencies with the current DR and BDR. Option B shows the correct configuration that changes the priority value to 0. Option A is incorrect because it does not change the priority value. Option C is incorrect because it changes the network type to point-to-point, which is not suitable for a LAN segment with multiple OSPF routers. Option D is incorrect because it changes the area ID to 0.0.0.1, which does not match the area ID of the other OSPF routers on the same LAN segment. References: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/358640/basic-ospf-example
質問 # 17
SD-WAN is configured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you configure?
- A. Configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server.
- B. Configure two DNS servers and use DNS servers recommended by the two internet providers.
- C. Configure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.
- D. Configure local out traffic to use the outgoing interface based on SD-WAN rules with a manual defined IP associated to a loopback interface and configure an SD-WAN rule from the loopback to the DNS server.
正解:A
解説:
SD-WAN is a feature that allows users to optimize network performance and reliability by using multiple WAN links and applying rules based on various criteria, such as latency, jitter, packet loss, etc. One way to ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work is to configure local out traffic to use the outgoing interface based on SD-WAN rules with the interface IP and configure an SD-WAN rule to the DNS server. This means that the FortiGate will use the best WAN link available to send DNS queries to the DNS server according to the SD-WAN rule, and use its own interface IP as the source address. This avoids NAT issues and ensures optimal DNS performance. References: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/sd-wan
質問 # 18
Refer to the exhibit.
The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to configure a new connection to a FortiClient EMS Server.
Referring to the exhibit, which two actions will fix these errors? (Choose two.)
- A. Authorize the root FortiGate on the FortiClient EMS
- B. Export and import the FortiClient EMS server certificate to the root FortiGate.
- C. Verify that the CRL is accessible from the root FortiGate
- D. Install a new known CA on the Win2K16-EMS server.
正解:A、C
解説:
A is correct because the error message "The CRL is not accessible" indicates that the root FortiGate cannot access the CRL for the FortiClient EMS server. Verifying that the CRL is accessible will fix this error.
D is correct because the error message "The FortiClient EMS server is not authorized" indicates that the root FortiGate is not authorized to connect to the FortiClient EMS server. Authorizing the root FortiGate on the FortiClient EMS server will fix this error.
The other options are incorrect. Option B is incorrect because exporting and importing the FortiClient EMS server certificate to the root FortiGate will not fix the CRL error. Option C is incorrect because installing a new known CA on the Win2K16-EMS server will not fix the authorization error.
References:
Troubleshooting FortiClient EMS connectivity | FortiClient / FortiOS 7.0.0 - Fortinet Document Library Authorizing FortiGates with FortiClient EMS | FortiClient / FortiOS 6.4.8 - Fortinet Document Library
質問 # 19
Refer to the exhibits.
The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.
You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.
All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must forward it to the third-party service, which will send the email back to FortiMail for final delivery, FortiMail must not scan the e-mail again.
Which three configuration tasks must be performed to meet these requirements? (Choose three.)
- A. Apply the Catch-Ail profile to the CFInbound profile and configure a content action profile to deliver to the srv. thirdparty. com FQDN
- B. Create an access receive rule with a Sender value of srv. thirdparcy.com, Recipient value of *@acme.com, and action value of Safe
- C. Change the scan order in FML-GW to antispam-sandbox-content.
- D. Create an IP policy with a Source value of 100. 64 .0.72/32, enable precedence, and place the policy at the top of the list.
- E. Apply the Catch-AII profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.
正解:A、C、D
解説:
A is correct because the scan order must be changed to antispam-sandbox-content in order for FortiMail to scan the email for spam and viruses before forwarding it to the third-party service.
B is correct because the Catch-All profile must be applied to the CFInbound profile in order for FortiMail to forward clean emails to the third-party service.
E is correct because an IP policy must be created with a Source value of 100.64.0.72/32 in order to allow emails from the third-party service to be delivered to FortiMail.
The other options are not necessary to meet the requirements. Option C is not necessary because the access receive rule will already allow emails from the third-party service to be received by FortiMail. Option D is not necessary because the Catch-All profile already allows emails to be delivered to any destination.
Here are some additional details about integrating a third-party service into the FortiMail email processing path:
The third-party service must be able to receive emails from FortiMail and send them back to FortiMail.
The third-party service must be able to communicate with FortiMail using the SMTP protocol.
The third-party service must be able to authenticate with FortiMail using the SMTP AUTH protocol.
Once the third-party service is integrated into the FortiMail email processing path, all inbound emails will be processed by FortiMail as usual. If the email is clean, FortiMail will forward it to the third-party service. The third-party service will then send the email back to FortiMail for final delivery. FortiMail will not scan the email again.
質問 # 20
You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:
Given the information shown in the output, which two statements are true? (Choose two.)
- A. Enabling bandwidth control between the ISF and the NP will change the output
- B. Enable HPE shaper for the NP6 will change the output
- C. Host-shortcut mode is enabled.
- D. The output is showing a packet descriptor queue accumulated counter
- E. There are packet drops at the XAUI.
正解:D、E
解説:
The diagnose command shown in the output is used to display information about NP6 packet descriptor queues. The output shows that there are 16 NP6 units in total, and each unit has four XAUI ports (XA0-XA3). The output also shows that there are some non-zero values in the columns PDQ ACCU (packet descriptor queue accumulated counter) and PDQ DROP (packet descriptor queue drop counter). These values indicate that there are some packet descriptor queues that have reached their maximum capacity and have dropped some packets at the XAUI ports. This could be caused by congestion or misconfiguration of the XAUI ports or the ISF (Internal Switch Fabric). Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/19662/diagnose-np6-pdq
質問 # 21
Refer to the exhibit.
You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration:
FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?
- A. Objects from the root FortiGate will not be synchronized to any downstream FortiGate.
- B. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.
- C. Objects from the root FortiGate will only be synchronized to FGT_3.
- D. Objects from the root FortiGate will only be synchronized to FGT__2.
正解:A
解説:
The fabric-object-unification setting on FGT_2 is set to local, which means that objects will not be synchronized to any other FortiGate devices in the security fabric. The default setting for fabric-object-unification is default, which means that objects will be synchronized from the root FortiGate to all downstream FortiGate devices.
Since FGT_2 is not the root FortiGate and the fabric-object-unification setting is set to local, objects from the root FortiGate will not be synchronized to FGT_2.
Reference:
Synchronizing objects across the Security Fabric: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/880913/synchronizing-objects-across-the-security-fabric
質問 # 22
You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:
The devices and the administrator are all located in different time zones Daylight savings time (DST) is disabled
* The FortiGate is at GMT-1000.
* The FortiAnalyzer is at GMT-0800
* Your browser local time zone is at GMT-03.00
You want to review this log on FortiAnalyzer GUI, what time should you use as a filter?
- A. 10:37:08
- B. 17:37:08
- C. 20:37:08
- D. 12.37:08
正解:B
解説:
To review this log on FortiAnalyzer GUI, the administrator should use the time filter that matches the local time zone of FortiAnalyzer, which is GMT-0800. Since the log was generated at 20:37 UTC (GMT+0000), the corresponding time in GMT-0800 is 20:37 - 8 hours = 12:37. However, since DST is disabled on FortiAnalyzer, the administrator should add one hour to account for daylight saving time difference, resulting in 12:37 + 1 hour = 13:37. Therefore, the time filter to use is 13:37:08. References: https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-guide/103664/time-zone-and-daylight-saving-time
質問 # 23
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)
- A. API
- B. SCP
- C. FTP
- D. Report
正解:A、D
解説:
FortiSIEM supports two methods for importing user defined Lookup Table Data:
Report: You can import lookup table data from a report. This is the most common method for importing lookup table data.
API: You can also import lookup table data using the FortiSIEM API. This is a more advanced method that allows you to import lookup table data programmatically.
FTP, SCP, and other file transfer protocols are not supported for importing lookup table data into FortiSIEM.
質問 # 24
Refer to the exhibit showing an SD-WAN configuration.
According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?
- A. port16 and port1
- B. port1 and port1
- C. port1 and port15
- D. port16 and port15
正解:A
解説:
According to the exhibit, the SD-WAN configuration has two rules: one for traffic to 10.1.100.0/24 subnet, and one for traffic to 10.1.100.16/28 subnet. The first rule uses the best quality strategy, which selects the SD-WAN member with the best measured quality based on performance SLA metrics. The second rule uses the manual strategy, which specifies port1 as the SD-WAN member to select. Therefore, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, the outgoing interfaces will be port16 and port1 respectively, assuming that port16 has the best quality among the SD-WAN members. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/218559/configuring-the-sd-wan-interface
質問 # 25
Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1).
Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?
- A. FAC2 can only process requests when FAC1 fails.
- B. FSSO sessions from FAC1 will be synchronized to FAC2.
- C. The FortiToken license will need to be installed on the FAC2.
- D. FAC2 can have its HA interface on a different network than FAC1.
正解:B
解説:
When FortiAuthenticator operates in cluster mode, it provides active-passive failover and synchronization of all configuration and data, including FSSO sessions, between the cluster members. Therefore, if FAC1 is the active unit and FAC2 is the standby unit, any FSSO sessions from FAC1 will be synchronized to FAC2. If FAC1 fails, FAC2 will take over the active role and continue to process the FSSO sessions. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.1.2/administration-guide/122076/high-availability
質問 # 26
You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:
The devices and the administrator are all located in different time zones Daylight savings time (DST) is disabled
* The FortiGate is at GMT-1000.
* The FortiAnalyzer is at GMT-0800
* Your browser local time zone is at GMT-03.00
You want to review this log on FortiAnalyzer GUI, what time should you use as a filter?
- A. 10:37:08
- B. 17:37:08
- C. 20:37:08
- D. 12.37:08
正解:B
解説:
To review this log on FortiAnalyzer GUI, the administrator should use the time filter that matches the local time zone of FortiAnalyzer, which is GMT-0800. Since the log was generated at 20:37 UTC (GMT+0000), the corresponding time in GMT-0800 is 20:37 - 8 hours = 12:37. However, since DST is disabled on FortiAnalyzer, the administrator should add one hour to account for daylight saving time difference, resulting in 12:37 + 1 hour = 13:37. Therefore, the time filter to use is 13:37:08. Reference: https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration-guide/103664/time-zone-and-daylight-saving-time
質問 # 27
Refer to the exhibits.
Exhibit A
Exhibit B
Exhibit C
A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C Referring to the exhibits, which configuration will restore VPN connectivity?
- A.

- B.

- C.

- D.

正解:C
解説:
The VPN configuration shown in Exhibit C is a baseline VPN configuration that uses IKEv2 with pre-shared keys and AES256 encryption for both IKE and ESP phases. However, this configuration does not match the output shown in Exhibit A and B, which indicate that IKEv1 is used with RSA signatures and AES128 encryption for both IKE and ESP phases. Therefore, to restore VPN connectivity, the configuration needs to be modified to match these parameters. Option B shows the correct configuration that matches these parameters. Option A is incorrect because it still uses IKEv2 instead of IKEv1. Option C is incorrect because it still uses pre-shared keys instead of RSA signatures. Option D is incorrect because it still uses AES256 encryption instead of AES128 encryption. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/ipsec-vpn-with-forticlient
質問 # 28
Refer to the exhibit.
A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.
Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)
- A. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express
- B. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
- C. You can only deploy initial installations to Windows clients.
- D. The Windows clients only require "File and Printer Sharing0 allowed and the rest is handled by Active Directory group policy
- E. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority
正解:C、E
解説:
B is correct because a client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority. This is explained in the FortiClient EMS Administration Guide under Deployment & Installers > Manage Deployment > Managing deployment configuration priority levels. C is correct because you can only deploy initial installations to Windows clients using FortiClient EMS. This is also explained in the FortiClient EMS Administration Guide under Deployment & Installers > Deploying FortiClient software to endpoints. Reference: https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide/278884/deployment-installers https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide/374506/deploying-forticlient-software-to-endpoints
質問 # 29
A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)
- A. Replace with a FortiDDoS 1500F
- B. Create an HA setup with a second FortiDDoS 200F
- C. Change the Adaptive Mode.
- D. Move the internet connection from the SFP interfaces to the LC interfaces
正解:A、B
解説:
B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.
D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F. This means that it will be less likely to drop traffic even under heavy load.
The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC interfaces will not change the throughput capacity of the device.
References:
FortiDDoS 200F Datasheet | Fortinet Document Library
FortiDDoS 1500F Datasheet | Fortinet Document Library
High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library
質問 # 30
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)
- A. The antivirus database queries FortiGuard with the hash of a scanned file
- B. The FortiGuard VOS can be used only with proxy-base policy inspections.
- C. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
- D. If third-party AV database returns a match the scanned file is deemed to be malicious.
- E. The AV engine scan must be enabled to use the FortiGuard VOS feature
正解:A、C
解説:
The FortiGuard Outbreak Prevention Service (VOS) is a feature that enhances the antivirus scanning capabilities of FortiGate by querying FortiGuard with the hash of a scanned file that is not found in the local antivirus database. If the hash matches a signature in the FortiGuard Global Threat Intelligence database, which contains information about known malware and zero-day threats, the file is deemed to be malicious and blocked by FortiGate. The VOS feature can be used with both proxy-based and flow-based policy inspections, and does not require the AV engine scan to be enabled. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/968606/outbreak-prevention-service
質問 # 31
Refer to the exhibit.
FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)
- A. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
- B. The template will work if you change the variable format to {{ WAN }}.
- C. The template will work if you change the variable format to $(WAN).
- D. The template will fail because this configuration can only be applied with a CLI or TCL script.
- E. The administrator must first manually map the interface for each device with a meta field.
正解:B、E
解説:
The Jinja template will not automatically map the interface with "WAN" role on the managed FortiGate. The administrator must first manually map the interface for each device with a meta field.
The template will work if you change the variable format to {{ WAN }}. The {{ }} syntax is used to define a variable in a Jinja template.
質問 # 32
......
NSE8_812問題集トレーニングコース完全版:https://jp.fast2test.com/NSE8_812-premium-file.html
お客様を合格させる試験学習材料Fortinet NSE 8 - Written Exam (NSE8_812):https://drive.google.com/open?id=1lITfvWS2qnBXsCox6p9zVCmHMnD7xAKR