[2024年03月07日] 検証済みのNSE8_812問題集と62格別な問題
NSE8_812問題集合格保証付きの合格できるNSE8_812試験2024年更新
質問 # 30
Refer to the exhibits.

A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.
Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)
- A. Ports 3 and 4 can be part of different switch interfaces.
- B. Client devices must have 802 1X authentication enabled
- C. Devices connected directly to ports 3 and 4 can perform 802 1X authentication.
- D. FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.
正解:B、C
解説:
The customer wants to deploy a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E device. A hardware switch interface is an interface that combines multiple physical interfaces into one logical interface, allowing them to act as a single switch with one IP address and one set of security policies. The customer wants to use 802.1X authentication for this solution, which is a standard protocol for port-based network access control (PNAC) that authenticates clients based on their credentials before granting them access to network resources. One condition that allows authentication to the client devices before assigning an IP address is that devices connected directly to ports 3 and 4 can perform 802.1X authentication. This is because ports 3 and 4 are part of the hardware switch interface named "lan", which has an IP address of 10.10.10.254/24 and an inbound SSL inspection profile named "ssl-inspection". The inbound SSL inspection profile enables the FortiGate device to intercept and inspect SSL/TLS traffic from clients before forwarding it to servers, which allows it to apply security policies and features such as antivirus, web filtering, application control, etc. However, before performing SSL inspection, the FortiGate device needs to authenticate the clients using 802.1X authentication, which requires the clients to send their credentials (such as username and password) to the FortiGate device over a secure EAP (Extensible Authentication Protocol) channel. The FortiGate device then verifies the credentials with an authentication server (such as RADIUS or LDAP) and grants or denies access to the clients based on the authentication result. Therefore, devices connected directly to ports 3 and 4 can perform 802.1X authentication before assigning an IP address. Another condition that allows authentication to the client devices before assigning an IP address is that client devices must have 802.1X authentication enabled. This is because 802.1X authentication is a mutual process that requires both the client devices and the FortiGate device to support and enable it. The client devices must have 802.1X authentication enabled in their network settings, which allows them to initiate the authentication process when they connect to the hardware switch interface of the FortiGate device. The client devices must also have an 802.1X supplicant software installed, which is a program that runs on the client devices and handles the communication with the FortiGate device using EAP messages. The client devices must also have a trusted certificate installed, which is used to verify the identity of the FortiGate device and establish a secure EAP channel. Therefore, client devices must have 802.1X authentication enabled before assigning an IP address. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/hardware-switch-interfaces https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/802-1x-authentication
質問 # 31
Refer to the exhibit.
You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration:
FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?
- A. Objects from the root FortiGate will only be synchronized to FGT_3.
- B. Objects from the root FortiGate will only be synchronized to FGT__2.
- C. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.
- D. Objects from the root FortiGate will not be synchronized to any downstream FortiGate.
正解:C
解説:
The security fabric shown in the exhibit consists of three FortiGate devices connected in a hierarchical topology, where FGT_1 is the root device, FGT_2 is a downstream device, and FGT_3 is a downstream device of FGT_2. FGT_2 has a configuration setting that enables fabric-object synchronization for all objects except firewall policies and firewall policy packages (set sync-fabric-objects enable). Fabric-object synchronization is a feature that allows downstream devices to synchronize their objects (such as addresses, services, schedules, etc.) with their upstream devices in a security fabric. This simplifies object management and ensures consistency across devices. Therefore, in this case, objects from FGT_2 will be synchronized to FGT_1 (the upstream device), but not to FGT_3 (the downstream device). Objects from FGT_1 will not be synchronized to any downstream device because the default setting for fabric-object synchronization is disabled. Objects from FGT_3 will not be synchronized to any device because it does not have fabric-object synchronization enabled. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/fabric-object-synchronization
質問 # 32
Review the VPN configuration shown in the exhibit.
What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?
- A. 3 redundant packet for every 9 base packets
- B. 3 redundant packet for every 5 base packets
- C. 2 redundant packet for every 8 base packets
- D. 1 redundant packet for every 10 base packets
正解:C
解説:
The FEC configuration in the exhibit specifies that if the packet loss is greater than 10%, then the FEC mapping will be 8 base packets and 2 redundant packets. The download bandwidth of 500 Mbps is not greater than 950 Mbps, so the FEC mapping is not overridden by the bandwidth setting. Therefore, the FEC behavior will be 2 redundant packets for every 8 base packets.
Here is the explanation of the FEC mappings in the exhibit:
Packet loss greater than 10%: 8 base packets and 2 redundant packets.
Upload bandwidth greater than 950 Mbps: 9 base packets and 3 redundant packets.
The mappings are matched from top to bottom, so the first mapping that matches the conditions will be used. In this case, the first mapping matches because the packet loss is greater than 10%. Therefore, the FEC behavior will be 2 redundant packets for every 8 base packets.
質問 # 33
Refer to the exhibit showing a FortiSOAR playbook.
You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.
What should be your next step?
- A. Click on the notification icon on FortiSOAR GUI and run the pending input action
- B. Run the Mark Drive by Download playbook action
- C. Reply to the e-mail with the requested Playbook action
- D. Go to the Incident Response tasks dashboard and run the pending actions
正解:A
解説:
To intervene in a suspicious e-mail alert on FortiSOAR, after reviewing the executed playbook, the next step is to click on the notification icon on FortiSOAR GUI and run the pending input action. The notification icon will show a badge with the number of pending input actions that require manual intervention from the user. The user can click on the notification icon and see a list of pending input actions, along with their details, such as playbook name, step name, record ID, and trigger time. The user can then click on the Run button to execute the pending input action and resume the playbook execution. Reference: https://docs.fortinet.com/document/fortisoar/7.0.0/administration-guide/103440/automation-stitches https://docs.fortinet.com/document/fortisoar/7.0.0/administration-guide/103441/incoming-webhook
質問 # 34
Refer to the exhibit showing FortiGate configurations
FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.
The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.
What change will correct HA functionality in this scenario?
- A. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
- B. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.
- C. Change the priority of FMG-A to be numerically lower for higher preference
- D. Make the monitored IP to match on both FortiManager devices.
正解:D
解説:
B is correct because the monitored IP must match on both FortiManager devices for HA to function properly. This is explained in the FortiManager Administration Guide under High Availability > Configuring HA options > Configuring HA options using the GUI. References: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options
質問 # 35
Refer to the exhibit.
A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.
Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)
- A. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority
- B. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
- C. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express
- D. You can only deploy initial installations to Windows clients.
- E. The Windows clients only require "File and Printer Sharing0 allowed and the rest is handled by Active Directory group policy
正解:A、D
解説:
B is correct because a client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority. This is explained in the FortiClient EMS Administration Guide under Deployment & Installers > Manage Deployment > Managing deployment configuration priority levels. C is correct because you can only deploy initial installations to Windows clients using FortiClient EMS. This is also explained in the FortiClient EMS Administration Guide under Deployment & Installers > Deploying FortiClient software to endpoints. Reference: https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide/278884/deployment-installers https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide/374506/deploying-forticlient-software-to-endpoints
質問 # 36
Refer to the exhibits.
The exhibits show a diagram of a requested topology and the base IPsec configuration.
A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.
In this scenario, which feature should be implemented to achieve this requirement?
- A. Use local-id
- B. Change advpn2 to IKEv1
- C. Use peer-id
- D. Use network-overlay id
正解:D
解説:
A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. References: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn
質問 # 37
You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:
Given the information shown in the output, which two statements are true? (Choose two.)
- A. There are packet drops at the XAUI.
- B. The output is showing a packet descriptor queue accumulated counter
- C. Host-shortcut mode is enabled.
- D. Enabling bandwidth control between the ISF and the NP will change the output
- E. Enable HPE shaper for the NP6 will change the output
正解:A、B
解説:
The diagnose command shown in the output is used to display information about NP6 packet descriptor queues. The output shows that there are 16 NP6 units in total, and each unit has four XAUI ports (XA0-XA3). The output also shows that there are some non-zero values in the columns PDQ ACCU (packet descriptor queue accumulated counter) and PDQ DROP (packet descriptor queue drop counter). These values indicate that there are some packet descriptor queues that have reached their maximum capacity and have dropped some packets at the XAUI ports. This could be caused by congestion or misconfiguration of the XAUI ports or the ISF (Internal Switch Fabric). References: https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/19662/diagnose-np6-pdq The output is showing a packet descriptor queue accumulated counter, which is a measure of the number of packets that have been dropped by the NP6 due to congestion. The counter will increase if there are more packets than the NP6 can handle, which can happen if the bandwidth between the ISF and the NP is not sufficient or if the HPE shaper is enabled.
The output also shows that there are packet drops at the XAUI, which is the interface between the NP6 and the FortiGate's backplane. This means that the NP6 is not able to keep up with the traffic and is dropping packets.
The other statements are not true. Host-shortcut mode is not enabled, and enabling bandwidth control between the ISF and the NP will not change the output. HPE shaper is a feature that can be enabled to improve performance, but it will not change the output of the diagnose command.
質問 # 38
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)
- A. API
- B. SCP
- C. FTP
- D. Report
正解:A、D
解説:
FortiSIEM supports two methods for importing user defined Lookup Table Data:
Report: You can import lookup table data from a report. This is the most common method for importing lookup table data.
API: You can also import lookup table data using the FortiSIEM API. This is a more advanced method that allows you to import lookup table data programmatically.
FTP, SCP, and other file transfer protocols are not supported for importing lookup table data into FortiSIEM.
質問 # 39
You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:
Given the information shown in the output, which two statements are true? (Choose two.)
- A. There are packet drops at the XAUI.
- B. The output is showing a packet descriptor queue accumulated counter
- C. Host-shortcut mode is enabled.
- D. Enabling bandwidth control between the ISF and the NP will change the output
- E. Enable HPE shaper for the NP6 will change the output
正解:A、B
解説:
The diagnose command shown in the output is used to display information about NP6 packet descriptor queues. The output shows that there are 16 NP6 units in total, and each unit has four XAUI ports (XA0-XA3). The output also shows that there are some non-zero values in the columns PDQ ACCU (packet descriptor queue accumulated counter) and PDQ DROP (packet descriptor queue drop counter). These values indicate that there are some packet descriptor queues that have reached their maximum capacity and have dropped some packets at the XAUI ports. This could be caused by congestion or misconfiguration of the XAUI ports or the ISF (Internal Switch Fabric). Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/19662/diagnose-np6-pdq
質問 # 40
Refer to the exhibit, which shows a VPN topology.
The device IP 10.1.100.40 downloads a file from the FTP server IP 192.168.4.50 Referring to the exhibit, what will be the traffic flow behavior if ADVPN is configured in this environment?
- A. The TCP port 21 must be allowed on the NAT Device2
- B. All the session traffic will pass through the Hub
- C. Spoke1 will establish an ADVPN shortcut to Spoke2
- D. ADVPN is not supported when spokes are behind NAT
正解:C
解説:
D is correct because Spoke1 will establish an ADVPN shortcut to Spoke2 when it detects that there is a demand for traffic between them. This is explained in the Fortinet Community article on Technical Tip: Fortinet Auto Discovery VPN (ADVPN) under Summary - ADVPN sequence of events. References: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Fortinet-Auto-Discovery-VPN-ADVPN/ta-p/195698
質問 # 41
Refer to the exhibit.
A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.
Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)
- A. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
- B. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express
- C. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority
- D. The Windows clients only require "File and Printer Sharing0 allowed and the rest is handled by Active Directory group policy
- E. You can only deploy initial installations to Windows clients.
正解:A、D
解説:
A is correct because if no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay. This is because the FortiClient EMS server will not force the installation on the client.
E is correct because the Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy. This is because the Active Directory group policy will configure the Windows clients to automatically install FortiClient and the FortiClient EMS server will only need to push the initial configuration to the clients.
The other options are incorrect. Option B is incorrect because a client can only be eligible for one enabled configuration on the EMS server. Option C is incorrect because you can deploy initial installations to both Windows and macOS clients. Option D is incorrect because you can use the included SQL Server Express to deploy FortiClient EMS.
References:
Deploying FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library Configuring FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library FortiClient EMS installation requirements | FortiClient / FortiOS 7.4.0 - Fortinet Document Library
質問 # 42
A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)
- A. Change the Adaptive Mode.
- B. Replace with a FortiDDoS 1500F
- C. Create an HA setup with a second FortiDDoS 200F
- D. Move the internet connection from the SFP interfaces to the LC interfaces
正解:B、C
解説:
B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.
D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F. This means that it will be less likely to drop traffic even under heavy load.
The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC interfaces will not change the throughput capacity of the device.
References:
FortiDDoS 200F Datasheet | Fortinet Document Library
FortiDDoS 1500F Datasheet | Fortinet Document Library
High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library
質問 # 43
A remote IT Team is in the process of deploying a FortiGate in their lab. The closed environment has been configured to support zero-touch provisioning from the FortiManager, on the same network, via DHCP options. After waiting 15 minutes, they are reporting that the FortiGate received an IP address, but the zero-touch process failed.
The exhibit below shows what the IT Team provided while troubleshooting this issue:
Which statement explains why the FortiGate did not install its configuration from the FortiManager?
- A. The DHCP server used the incorrect option type for the FortiManager IP address.
- B. The FortiGate was not configured with the correct pre-shared key to connect to the FortiManager
- C. The configuration was modified on the FortiGate prior to connecting to the FortiManager
- D. The DHCP server was not configured with the FQDN of the FortiManager
正解:A
解説:
C is correct because the DHCP server used the incorrect option type for the FortiManager IP address. The option type should be 43 instead of 15, as shown in the FortiManager Administration Guide under Zero-Touch Provisioning > Configuring DHCP options for ZTP. Reference: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options
質問 # 44
Refer to the exhibit.
You have been tasked with replacing the managed switch Forti Switch 2 shown in the topology.
Which two actions are correct regarding the replacement process? (Choose two.)
- A. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.
- B. After replacing the FortiSwitch unit, the automatically created trunk name changes.
- C. CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate
- D. After replacing the FortiSwitch unit, the automatically created trunk name does not change
正解:C、D
解説:
A is correct because the automatically created trunk name is based on the MAC address of the FortiSwitch unit. When the FortiSwitch unit is replaced, the MAC address will change, but the trunk name will not change.
B is correct because CLAG-ICL is a manually configured link aggregation group. When the FortiSwitch unit is replaced, the CLAG-ICL configuration will need to be manually reconfigured on the new FortiSwitch unit.
The other options are incorrect. Option C is incorrect because the automatically created trunk name does not change when the FortiSwitch unit is replaced. Option D is incorrect because MCLAG-ICL is a manually configured link aggregation group and will not be automatically reconfigured when the FortiSwitch unit is replaced.
References:
Configuring link aggregation on FortiSwitches | FortiSwitch / FortiOS 7.0.4 - Fortinet Document Library Managing FortiLink | FortiGate / FortiOS 7.0.4 - Fortinet Document Library
質問 # 45
A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)
- A. Create an HA setup with a second FortiDDoS 200F
- B. Change the Adaptive Mode.
- C. Replace with a FortiDDoS 1500F
- D. Move the internet connection from the SFP interfaces to the LC interfaces
正解:A、B
解説:
To prevent the situation where all the traffic was dropped by the FortiDDoS 200F even though there was no DoS attack, the following options can be considered:
Change the Adaptive Mode. The Adaptive Mode is a feature that allows the FortiDDoS 200F to automatically adjust its detection and prevention thresholds based on the traffic patterns and behavior. However, if the Adaptive Mode is not configured properly, it may cause false positives and drop legitimate traffic. Therefore, changing the Adaptive Mode settings or disabling it may help to avoid this situation.
Create an HA setup with a second FortiDDoS 200F. The HA setup is a feature that allows two FortiDDoS 200F devices to work together as a cluster and provide redundancy and load balancing. If one device fails or drops traffic, the other device can take over and continue to protect the network. Therefore, creating an HA setup with a second FortiDDoS 200F may help to avoid this situation. Reference: https://docs.fortinet.com/document/fortiddos-f/6.2.0/handbook/380639/understanding-fortiddos-adaptive-mode https://docs.fortinet.com/document/fortiddos-f/6.2.0/handbook/380639/configuring-fortiddos-ha
質問 # 46
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)
- A. disable on the ISL and FortiLink trunks
- B. disable on ICL trunks
- C. enable on ICL trunks
- D. enable on the ISL and FortiLink trunks
正解:A、B
解説:
A is correct because disabling igmps-flood-traffic and igmps-flood-report on ICL trunks prevents unnecessary multicast traffic from being flooded across the MCLAG cluster members. C is correct because disabling igmps-flood-traffic and igmps-flood-report on the ISL and FortiLink trunks prevents unnecessary multicast traffic from being flooded to other switches or FortiGates that do not have multicast listeners. Reference: https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding/381058/configuring-multicast-forwarding
質問 # 47
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)
- A. FTP
- B. API
- C. SCP
- D. Report
正解:A、B
解説:
User defined Lookup Table Data (LTD) is a feature that allows users to import custom data into FortiSIEM for correlation, reporting, and analysis purposes. Users can create LTD files in CSV format and import them into FortiSIEM using two methods: FTP or API. FTP is a file transfer protocol that allows users to upload LTD files to a designated folder on the FortiSIEM server. API is an application programming interface that allows users to send HTTP requests to upload LTD files to FortiSIEM using RESTful web services. Reference: https://docs.fortinet.com/document/fortisiem/6.4.0/administration-guide/19662/user-defined-lookup-table-data
質問 # 48
Refer to the exhibits, which show a firewall policy configuration and a network topology.
An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages-Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?
- A. FortiGate will fall-back to the default Fortinet_CA_SSL certificate.
- B. FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection,
- C. FortiGate will reject the connection since no certificate is defined.
- D. FortiGate will use the first certificate in the server-cert list-the abc.com certificate
正解:A
解説:
When using inbound SSL inspection, FortiGate needs to present a certificate to the client that matches the requested domain name. If no matching certificate is found in the server-cert list, FortiGate will fall-back to the default Fortinet_CA_SSL certificate, which is self-signed and may trigger a warning on the client browser. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection
質問 # 49
Refer to the exhibit.
You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.
How should the initial connection be made?
- A. Connect the switch on any interface between ports 5 to 8.
- B. Connect the switch on any interface between ports 21 to 24
- C. Connect the switch on any interface between ports 25 to 28
- D. Connect the switch on any interface between ports 1 to 4
正解:D
解説:
The FortiGate 6000F has 24 1/10/25-Gbps SFP28 data network interfaces (1 to 24). These interfaces are divided into the following interface groups: 1 to 4, 5 to 8, 9 to 12, 13 to 16, 17 to 20, and 21 to 24. The ports 25 to 28 are 40/100-Gbps QSFP28 data network interfaces.
The initial connection should be made to any interface between ports 1 to 4. This is because the ports 21 to 24 are part of the same interface group, and changing the speed of one of these ports will affect the speeds of all of the ports in the group. The ports 5 to 8 are also part of the same interface group, so they should not be used for the initial connection.
The new hardware module that will be installed in the switch will provide higher speed ports. When this module is installed, the speed of the ports 21 to 24 will be increased. However, this will not affect the ports 1 to 4, because they are not part of the same interface group.
Therefore, the initial connection should be made to any interface between ports 1 to 4, in order to ensure that the FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.
Reference:
FortiGate 6000F Front Panel Interfaces: https://docs.fortinet.com/document/fortigate-6000/hardware/fortigate-6000f-system-guide/827055/front-panel-interfaces
質問 # 50
Refer to the exhibit.
A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode.
Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)
- A. You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode
- B. Traffic on AccountVInk and SalesVInk will not be accelerated.
- C. OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk
- D. The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides.
- E. Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.
正解:A、E
解説:
a) You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode. This is because VDOM links can be configured in either PPP or Ethernet mode, and OSPF routing can be configured on both types of links.
d) Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs. This is because the Root VDOM is the default VDOM, and it is used for management and internet access. VDOM 1 and VDOM 2 are traffic type VDOMs, which are used for segregating internal traffic.
The other options are not correct.
b) Traffic on AccountVInk and SalesVInk will not be accelerated. This is because VDOM links are not accelerated by default. However, you can configure acceleration on VDOM links if you want.
c) The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides. This is not necessarily true. The VDOM links could be in PPP mode even if they have IP addresses assigned on both sides.
e) OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk. This is correct. OSPF routing can be configured between any two VDOMs, even if they are not directly connected. In this case, the OSPF routing would be configured on the AccountVInk link.
質問 # 51
Refer to the CLI configuration of an SSL inspection profile from a FortiGate device configured to protect a web server:
Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?
- A. FortiGate will reject all HTTP/2 ALPN headers.
- B. FortiGate will forward the traffic without modifying the ALPN header.
- C. FortiGate will strip the ALPN header and forward the traffic.
- D. FortiGate will rewrite the ALPN header to request HTTP/1.
正解:C
解説:
When an HTTP/2 request comes in, FortiGate will strip the Application-Layer Protocol Negotiation (ALPN) header and forward the traffic as HTTP/1.1 to the real server. This is because FortiGate does not support HTTP/2 inspection, and therefore cannot process ALPN headers that indicate HTTP/2 support. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic
質問 # 52
Refer to the CLI output:
Given the information shown in the output, which two statements are correct? (Choose two.)
- A. The IP Reputation feature has been manually updated
- B. An IP address that was previously used by an attacker will always be blocked
- C. Geographical IP policies are enabled and evaluated after local techniques.
- D. Attackers can be blocked before they target the servers behind the FortiWeb.
- E. Reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored
正解:D、E
解説:
The CLI output shown in the exhibit indicates that FortiWeb has enabled IP Reputation feature with local techniques enabled and geographical IP policies enabled after local techniques (set geoip-policy-order after-local). IP Reputation feature is a feature that allows FortiWeb to block or allow traffic based on the reputation score of IP addresses, which reflects their past malicious activities or behaviors. Local techniques are methods that FortiWeb uses to dynamically update its own blacklist based on its own detection of attacks or violations from IP addresses (such as signature matches, rate limiting, etc.). Geographical IP policies are rules that FortiWeb uses to block or allow traffic based on the geographical location of IP addresses (such as country, region, city, etc.). Therefore, based on the output, one correct statement is that attackers can be blocked before they target the servers behind the FortiWeb. This is because FortiWeb can use IP Reputation feature to block traffic from IP addresses that have a low reputation score or belong to a blacklisted location, which prevents them from reaching the servers and launching attacks. Another correct statement is that reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored. This is because FortiWeb can use local techniques to remove IP addresses from its own blacklist if they stop sending malicious traffic for a certain period of time (set local-techniques-expire-time), which allows them to regain their reputation and access the servers. This is useful for IP addresses that are dynamically assigned by DHCP or PPPoE and may change frequently. Reference: https://docs.fortinet.com/document/fortiweb/6.4.0/administration-guide/19662/ip-reputation https://docs.fortinet.com/document/fortiweb/6.4.0/administration-guide/19662/geographical-ip-policies
質問 # 53
......
Fortinet NSE8_812試験は、ネットワークセキュリティの専門知識をテストするための筆記試験です。この試験は、Fortinet Network Security Expert(NSE)プログラムの一部であり、複雑なネットワークセキュリティソリューションを設計、構成、管理するために必要な知識とスキルを個人に提供するマルチレベル認定プログラムです。
Fortinet NSE8_812試験は、ネットワークセキュリティの専門家のスキルと専門知識を検証するために設計された上級レベルの認定試験です。この試験は、複雑なネットワークセキュリティソリューションの設計、実装、管理に豊富な経験を持つ人々を対象としています。Fortinet NSE8_812認定試験は、高度なルーティングとスイッチング、ダイナミックルーティングプロトコル、安全なVPN、高度なファイアウォールポリシー、高度な脅威保護など、多岐にわたるトピックをカバーしています。試験は、ネットワークセキュリティのプロフェッショナルが日常の業務で直面する可能性のある実践的なシナリオと現実世界の課題に基づいています。
最新100%合格率保証付きの素晴らしいNSE8_812試験問題PDF:https://jp.fast2test.com/NSE8_812-premium-file.html
NSE8_812試験問題集を試そう!ベストNSE8_812試験問題:https://drive.google.com/open?id=1lITfvWS2qnBXsCox6p9zVCmHMnD7xAKR