[2023年10月] を試そう!リアルNSE8_812問題集で100%無料NSE8_812試験問題集 [Q18-Q42]

Share

[2023年10月] を試そう!リアルNSE8_812問題集で100%無料NSE8_812試験問題集

NSE8_812のPDF問題集試験問題 有効なNSE8_812問題集

質問 # 18
Refer to the exhibits.
The exhibits show a diagram of a requested topology and the base IPsec configuration.
A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.
In this scenario, which feature should be implemented to achieve this requirement?

  • A. Change advpn2 to IKEv1
  • B. Use peer-id
  • C. Use network-overlay id
  • D. Use local-id

正解:C

解説:
A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. References: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn


質問 # 19
Refer to the exhibits.
The exhibits show a diagram of a requested topology and the base IPsec configuration.
A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.
In this scenario, which feature should be implemented to achieve this requirement?

  • A. Change advpn2 to IKEv1
  • B. Use peer-id
  • C. Use network-overlay id
  • D. Use local-id

正解:C

解説:
A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn


質問 # 20
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)

  • A. FTP
  • B. SCP
  • C. API
  • D. Report

正解:C、D

解説:
FortiSIEM supports two methods for importing user defined Lookup Table Data:
Report: You can import lookup table data from a report. This is the most common method for importing lookup table data.
API: You can also import lookup table data using the FortiSIEM API. This is a more advanced method that allows you to import lookup table data programmatically.
FTP, SCP, and other file transfer protocols are not supported for importing lookup table data into FortiSIEM.


質問 # 21
Refer to the exhibits, which show a firewall policy configuration and a network topology.

An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages-Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?

  • A. FortiGate will fall-back to the default Fortinet_CA_SSL certificate.
  • B. FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection,
  • C. FortiGate will use the first certificate in the server-cert list-the abc.com certificate
  • D. FortiGate will reject the connection since no certificate is defined.

正解:A

解説:
When using inbound SSL inspection, FortiGate needs to present a certificate to the client that matches the requested domain name. If no matching certificate is found in the server-cert list, FortiGate will fall-back to the default Fortinet_CA_SSL certificate, which is self-signed and may trigger a warning on the client browser. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection


質問 # 22
Refer to the exhibits, which show a firewall policy configuration and a network topology.

An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages-Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?

  • A. FortiGate will fall-back to the default Fortinet_CA_SSL certificate.
  • B. FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection,
  • C. FortiGate will use the first certificate in the server-cert list-the abc.com certificate
  • D. FortiGate will reject the connection since no certificate is defined.

正解:A

解説:
When using inbound SSL inspection, FortiGate needs to present a certificate to the client that matches the requested domain name. If no matching certificate is found in the server-cert list, FortiGate will fall-back to the default Fortinet_CA_SSL certificate, which is self-signed and may trigger a warning on the client browser. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection


質問 # 23
Refer to the exhibit.

A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode.
Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)

  • A. Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.
  • B. You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode
  • C. OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk
  • D. The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides.
  • E. Traffic on AccountVInk and SalesVInk will not be accelerated.

正解:A、B

解説:
a) You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode. This is because VDOM links can be configured in either PPP or Ethernet mode, and OSPF routing can be configured on both types of links.
d) Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs. This is because the Root VDOM is the default VDOM, and it is used for management and internet access. VDOM 1 and VDOM 2 are traffic type VDOMs, which are used for segregating internal traffic.
The other options are not correct.
b) Traffic on AccountVInk and SalesVInk will not be accelerated. This is because VDOM links are not accelerated by default. However, you can configure acceleration on VDOM links if you want.
c) The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides. This is not necessarily true. The VDOM links could be in PPP mode even if they have IP addresses assigned on both sides.
e) OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk. This is correct. OSPF routing can be configured between any two VDOMs, even if they are not directly connected. In this case, the OSPF routing would be configured on the AccountVInk link.


質問 # 24
Refer to the exhibits.
Exhibit A

Exhibit B

Exhibit C

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C Referring to the exhibits, which configuration will restore VPN connectivity?

  • A.
  • B.
  • C.
  • D.

正解:B

解説:
The VPN configuration shown in Exhibit C is a baseline VPN configuration that uses IKEv2 with pre-shared keys and AES256 encryption for both IKE and ESP phases. However, this configuration does not match the output shown in Exhibit A and B, which indicate that IKEv1 is used with RSA signatures and AES128 encryption for both IKE and ESP phases. Therefore, to restore VPN connectivity, the configuration needs to be modified to match these parameters. Option B shows the correct configuration that matches these parameters. Option A is incorrect because it still uses IKEv2 instead of IKEv1. Option C is incorrect because it still uses pre-shared keys instead of RSA signatures. Option D is incorrect because it still uses AES256 encryption instead of AES128 encryption. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/ipsec-vpn-with-forticlient


質問 # 25
Refer to the exhibit, which shows a VPN topology.

The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50 Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?

  • A. All the session traffic will pass through the Hub
  • B. Spoke1 will establish an ADVPN shortcut to Spoke2
  • C. ADVPN is not supported when spokes are behind NAT
  • D. The TCP port 21 must be allowed on the NAT Device2

正解:B

解説:
D is correct because Spoke1 will establish an ADVPN shortcut to Spoke2 when it detects that there is a demand for traffic between them. This is explained in the Fortinet Community article on Technical Tip: Fortinet Auto Discovery VPN (ADVPN) under Summary - ADVPN sequence of events. References: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195698


質問 # 26
Refer to the exhibits.
Exhibit A

Exhibit B

Exhibit C

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the configuration. Output during a troubleshooting session is shown in the exhibits A and B and a baseline VPN configuration is shown in Exhibit C Referring to the exhibits, which configuration will restore VPN connectivity?

  • A.
  • B.
  • C.
  • D.

正解:B

解説:
The output in Exhibit A shows that the VPN tunnel is not established because the peer IP address is incorrect. The output in Exhibit B shows that the peer IP address is 192.168.1.100, but the baseline VPN configuration in Exhibit C shows that the peer IP address should be 192.168.1.101.
To restore VPN connectivity, you need to change the peer IP address in the VPN tunnel configuration to 192.168.1.101. The correct configuration is shown below:
config vpn ipsec phase1-interface
edit "wan"
set peer-ip 192.168.1.101
set peer-id 192.168.1.101
set dhgrp 1
set auth-mode psk
set psk SECRET_PSK
next
end
Option A is incorrect because it does not change the peer IP address. Option B is incorrect because it changes the peer IP address to 192.168.1.100, which is the incorrect IP address. Option D is incorrect because it does not include the necessary configuration for the VPN tunnel.


質問 # 27
Refer to the exhibit showing FortiGate configurations

FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.
The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.
What change will correct HA functionality in this scenario?

  • A. Change the priority of FMG-A to be numerically lower for higher preference
  • B. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
  • C. Make the monitored IP to match on both FortiManager devices.
  • D. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.

正解:C

解説:
B is correct because the monitored IP must match on both FortiManager devices for HA to function properly. This is explained in the FortiManager Administration Guide under High Availability > Configuring HA options > Configuring HA options using the GUI. References: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options


質問 # 28
Refer to the exhibit showing FortiGate configurations

FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.
The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.
What change will correct HA functionality in this scenario?

  • A. Change the priority of FMG-A to be numerically lower for higher preference
  • B. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
  • C. Make the monitored IP to match on both FortiManager devices.
  • D. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.

正解:C

解説:
B is correct because the monitored IP must match on both FortiManager devices for HA to function properly. This is explained in the FortiManager Administration Guide under High Availability > Configuring HA options > Configuring HA options using the GUI. Reference: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options


質問 # 29
Refer to the exhibit.

A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.
Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)

  • A. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
  • B. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express
  • C. The Windows clients only require "File and Printer Sharing0 allowed and the rest is handled by Active Directory group policy
  • D. You can only deploy initial installations to Windows clients.
  • E. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority

正解:A、C

解説:
A is correct because if no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay. This is because the FortiClient EMS server will not force the installation on the client.
E is correct because the Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy. This is because the Active Directory group policy will configure the Windows clients to automatically install FortiClient and the FortiClient EMS server will only need to push the initial configuration to the clients.
The other options are incorrect. Option B is incorrect because a client can only be eligible for one enabled configuration on the EMS server. Option C is incorrect because you can deploy initial installations to both Windows and macOS clients. Option D is incorrect because you can use the included SQL Server Express to deploy FortiClient EMS.
References:
Deploying FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library Configuring FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library FortiClient EMS installation requirements | FortiClient / FortiOS 7.4.0 - Fortinet Document Library


質問 # 30
Refer to the exhibits.

The exhibits show a FortiGate network topology and the output of the status of high availability on the FortiGate.
Given this information, which statement is correct?

  • A. The cluster members are on the same network and the IP addresses were statically assigned.
  • B. FGVMEVLQOG33WM3D and FGVMEVGCJNHFYI4A share a virtual MAC address.
  • C. The ethertype values of the HA packets are 0x8890, 0x8891, and 0x8892
  • D. The cluster mode can support a maximum of four (4) FortiGate VMs

正解:B

解説:
The output of the status of high availability on the FortiGate shows that the cluster mode is active-passive, which means that only one FortiGate unit is active at a time, while the other unit is in standby mode. The active unit handles all traffic and also sends HA heartbeat packets to monitor the standby unit. The standby unit becomes active if it stops receiving heartbeat packets from the active unit, or if it receives a higher priority from another cluster unit. In active-passive mode, all cluster units share a virtual MAC address for each interface, which is used as the source MAC address for all packets forwarded by the cluster. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103439/high-availability-with-two-fortigates


質問 # 31
Refer to the exhibit showing an SD-WAN configuration.

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?

  • A. port1 and port15
  • B. port1 and port1
  • C. port16 and port15
  • D. port16 and port1

正解:D

解説:
According to the exhibit, the SD-WAN configuration has two rules: one for traffic to 10.1.100.0/24 subnet, and one for traffic to 10.1.100.16/28 subnet. The first rule uses the best quality strategy, which selects the SD-WAN member with the best measured quality based on performance SLA metrics. The second rule uses the manual strategy, which specifies port1 as the SD-WAN member to select. Therefore, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, the outgoing interfaces will be port16 and port1 respectively, assuming that port16 has the best quality among the SD-WAN members. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/218559/configuring-the-sd-wan-interface


質問 # 32
Refer to the exhibit.

The exhibit shows the forensics analysis of an event detected by the FortiEDR core In this scenario, which statement is correct regarding the threat?

  • A. This is a ransomware attack and has been stopped by FortiEDR
  • B. This is an exfiltration attack and has not been stopped by FortiEDR
  • C. This is an exfiltration attack and has been stopped by FortiEDR.
  • D. This is a ransomware attack and has not been stopped by FortiEDR.

正解:B

解説:
The exhibit shows that the FortiEDR core has detected an exfiltration attack. The attack is attempting to copy files from the device to an external location. The FortiEDR core has blocked the attack, and the files have not been exfiltrated.
The exhibit also shows that the attack is using the Cobalt Strike beacon. Cobalt Strike is a penetration testing tool that can be used for both legitimate and malicious purposes. In this case, the Cobalt Strike beacon is being used to exfiltrate files from the device.
The other options are incorrect. Option A is incorrect because the attack has not been stopped. Option C is incorrect because the attack is not a ransomware attack. Option D is incorrect because the FortiEDR core has not stopped the attack.
References:
FortiEDR Forensics: https://docs.fortinet.com/document/fortiedr/6.0.0/administration-guide/733983/forensics Cobalt Strike: https://www.cobaltstrike.com/


質問 # 33
Refer to the exhibits.

The exhibits show a FortiMail network topology, Inbound configuration settings, and a Dictionary Profile.
You are required to integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path.
All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must forward it to the third-party service, which will send the email back to FortiMail for final delivery, FortiMail must not scan the e-mail again.
Which three configuration tasks must be performed to meet these requirements? (Choose three.)

  • A. Apply the Catch-Ail profile to the CFInbound profile and configure a content action profile to deliver to the srv. thirdparty. com FQDN
  • B. Create an access receive rule with a Sender value of srv. thirdparcy.com, Recipient value of *@acme.com, and action value of Safe
  • C. Apply the Catch-AII profile to the ASinbound profile and configure an access delivery rule to deliver to the 100.64.0.72 host.
  • D. Change the scan order in FML-GW to antispam-sandbox-content.
  • E. Create an IP policy with a Source value of 100. 64 .0.72/32, enable precedence, and place the policy at the top of the list.

正解:A、B

解説:
To integrate a third-party's host service (srv.thirdparty.com) into the e-mail processing path, while ensuring that all inbound e-mails are scanned by FortiMail antispam and antivirus with FortiSandbox integration, and then forwarded to the third-party service and back to FortiMail for final delivery, the following configuration tasks must be performed:
Apply the Catch-All profile to the CFInbound profile and configure a content action profile to deliver to the srv.thirdparty.com FQDN. This will ensure that all inbound e-mails that pass the antispam and antivirus scanning are forwarded to the third-party service for further processing.
Create an access receive rule with a Sender value of srv.thirdparty.com, Recipient value of *@acme.com, and action value of Safe. This will ensure that all e-mails that are sent back from the third-party service to FortiMail are accepted without any further scanning or filtering. Reference: https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/921588/configuring-content-profiles-and-content-action-profiles https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/629994/configuring-session-profiles


質問 # 34
You are migrating the branches of a customer to FortiGate devices. They require independent routing tables on the LAN side of the network.
After reviewing the design, you notice the firewall will have many BGP sessions as you have two data centers (DC) and two ISPs per DC while each branch is using at least 10 internal segments.
Based on this scenario, what would you suggest as the more efficient solution, considering that in the future the number of internal segments, DCs or internet links per DC will increase?

  • A. Acquire a FortiGate model with more capacity, considering the next 5 years growth.
  • B. Implement network-id, neighbor-group and increase the advertisement-interval
  • C. No change in design is needed as even small FortiGate devices have a large memory capacity.
  • D. Redesign the SD-WAN deployment to only use a single VPN tunnel and segment traffic using VRFs on BGP

正解:D

解説:
Using multiple VPN tunnels and BGP sessions for each internal segment is not scalable and efficient, especially when the number of segments, DCs or internet links per DC increases. A better solution is to use a single VPN tunnel per branch and segment traffic using virtual routing and forwarding (VRF) instances on BGP. This way, each VRF can have its own routing table and BGP session, while sharing the same VPN tunnel. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103439/sd-wan-with-vrf-and-bgp


質問 # 35
Refer to the exhibit.

A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.
How will the sessions be load balanced between server 1 and server 2 during normal operation?

  • A. Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions
  • B. Server 1 will receive 33.3% of the sessions, Server 2 will receive 66 6% of the sessions
  • C. Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions
  • D. Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions

正解:D

解説:
D is correct because server 1 has a weight of 0, which means it will not receive any sessions from the load balancer. Server 2 has a weight of 100, which means it will receive all sessions from the load balancer. This is explained in the FortiWeb Administration Guide under Server Load Balancing > Server pools > Weighted round robin. Reference: https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/381057/server-load-balancing https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/381057/server-load-balancing/381058/server-pools


質問 # 36
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)

  • A. FTP
  • B. SCP
  • C. API
  • D. Report

正解:C、D

解説:
FortiSIEM supports two methods for importing user defined Lookup Table Data:
Report: You can import lookup table data from a report. This is the most common method for importing lookup table data.
API: You can also import lookup table data using the FortiSIEM API. This is a more advanced method that allows you to import lookup table data programmatically.
FTP, SCP, and other file transfer protocols are not supported for importing lookup table data into FortiSIEM.


質問 # 37
Refer to the exhibit showing the history logs from a FortiMail device.

Which FortiMail email security feature can an administrator enable to treat these emails as spam?

  • A. DKIM validation in a session profile
  • B. Impersonation analysis in an antispam profile
  • C. Sender domain validation in a session profile
  • D. Soft fail SPF validation in an antispam profile

正解:B

解説:
Impersonation analysis is a feature that detects emails that attempt to impersonate a trusted sender, such as a company executive or a well-known brand, by using spoofed or look-alike email addresses. This feature can help prevent phishing and business email compromise (BEC) attacks. Impersonation analysis can be enabled in an antispam profile and applied to a firewall policy. References: https://docs.fortinet.com/document/fortimail/6.4.0/administration-guide/103663/impersonation-analysis


質問 # 38
You are migrating the branches of a customer to FortiGate devices. They require independent routing tables on the LAN side of the network.
After reviewing the design, you notice the firewall will have many BGP sessions as you have two data centers (DC) and two ISPs per DC while each branch is using at least 10 internal segments.
Based on this scenario, what would you suggest as the more efficient solution, considering that in the future the number of internal segments, DCs or internet links per DC will increase?

  • A. Acquire a FortiGate model with more capacity, considering the next 5 years growth.
  • B. Implement network-id, neighbor-group and increase the advertisement-interval
  • C. No change in design is needed as even small FortiGate devices have a large memory capacity.
  • D. Redesign the SD-WAN deployment to only use a single VPN tunnel and segment traffic using VRFs on BGP

正解:D

解説:
Using multiple VPN tunnels and BGP sessions for each internal segment is not scalable and efficient, especially when the number of segments, DCs or internet links per DC increases. A better solution is to use a single VPN tunnel per branch and segment traffic using virtual routing and forwarding (VRF) instances on BGP. This way, each VRF can have its own routing table and BGP session, while sharing the same VPN tunnel. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103439/sd-wan-with-vrf-and-bgp


質問 # 39
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

  • A. The FortiGuard VOS can be used only with proxy-base policy inspections.
  • B. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
  • C. The AV engine scan must be enabled to use the FortiGuard VOS feature
  • D. The antivirus database queries FortiGuard with the hash of a scanned file
  • E. If third-party AV database returns a match the scanned file is deemed to be malicious.

正解:B、D

解説:
The FortiGuard Outbreak Prevention Service (VOS) is a feature that enhances the antivirus scanning capabilities of FortiGate by querying FortiGuard with the hash of a scanned file that is not found in the local antivirus database. If the hash matches a signature in the FortiGuard Global Threat Intelligence database, which contains information about known malware and zero-day threats, the file is deemed to be malicious and blocked by FortiGate. The VOS feature can be used with both proxy-based and flow-based policy inspections, and does not require the AV engine scan to be enabled. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/968606/outbreak-prevention-service


質問 # 40
Refer to the exhibits.

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.
The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.
Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.) A)

B)


  • A. Option D
  • B. Option A
  • C. Option B
  • D. Option C

正解:C、D

解説:
To enable application detection on plain-text traffic that has been decrypted by FortiADC, the administrator must perform two configuration tasks on CL-1:
Enable SSL offloading in the firewall policy and select the SSL-Offload protocol options profile.
Enable application control in the firewall policy and select the SSL-Offload-App-Detect application list. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic


質問 # 41
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)

  • A. enable on ICL trunks
  • B. enable on the ISL and FortiLink trunks
  • C. disable on ICL trunks
  • D. disable on the ISL and FortiLink trunks

正解:B、C

解説:
To ensure that unnecessary multicast traffic is pruned from links that do not have a multicast listener, you must disable IGMP flood traffic on the ICL trunks and enable IGMP flood reports on the ISL and FortiLink trunks.
Disabling IGMP flood traffic will prevent the FortiSwitch units from flooding multicast traffic to all ports on the ICL trunks. This will help to reduce unnecessary multicast traffic on the network.
Enabling IGMP flood reports will allow the FortiSwitch units to learn which ports are interested in receiving multicast traffic. This will help the FortiSwitch units to prune multicast traffic from links that do not have a multicast listener.


質問 # 42
......


フォーティネットNSE8_812認定試験は、ネットワークセキュリティに関する高いレベルの知識と専門知識が必要な、厳しい試験です。受験者は、初回の合格に向けて十分に準備する必要があります。トレーニングコースに参加したり、学習教材を読んだり、サンプル問題やシミュレーションで練習したりすることで、試験の準備ができます。

 

究極のNSE8_812無料準備ガイド最新のFortinet練習テスト問題集:https://jp.fast2test.com/NSE8_812-premium-file.html

今すぐゲットせよ!高評価Fortinet NSE8_812試験問題集:https://drive.google.com/open?id=1lITfvWS2qnBXsCox6p9zVCmHMnD7xAKR


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어