Fortinet NSE8_812リアルに2024年最新のブレーン問題集で模擬試験問題集
NSE8_812試験問題 リアルなNSE8_812練習問題集
Fortinet NSE8_812試験は、Fortinet製品を使用した複雑なセキュリティソリューションの設計、実装、管理における候補者の知識とスキルを測定する認定試験です。これは、Fortinetが提供する最高レベルの認定であり、この試験に合格することはFortinet Network Security Expert(NSE)8になるための要件です。
質問 # 26
You are migrating the branches of a customer to FortiGate devices. They require independent routing tables on the LAN side of the network.
After reviewing the design, you notice the firewall will have many BGP sessions as you have two data centers (DC) and two ISPs per DC while each branch is using at least 10 internal segments.
Based on this scenario, what would you suggest as the more efficient solution, considering that in the future the number of internal segments, DCs or internet links per DC will increase?
- A. Implement network-id, neighbor-group and increase the advertisement-interval
- B. Acquire a FortiGate model with more capacity, considering the next 5 years growth.
- C. No change in design is needed as even small FortiGate devices have a large memory capacity.
- D. Redesign the SD-WAN deployment to only use a single VPN tunnel and segment traffic using VRFs on BGP
正解:D
解説:
Using multiple VPN tunnels and BGP sessions for each internal segment is not scalable and efficient, especially when the number of segments, DCs or internet links per DC increases. A better solution is to use a single VPN tunnel per branch and segment traffic using virtual routing and forwarding (VRF) instances on BGP. This way, each VRF can have its own routing table and BGP session, while sharing the same VPN tunnel. Reference: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103439/sd-wan-with-vrf-and-bgp
質問 # 27
Refer to the exhibits.
A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already configured for SSL decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted traffic from FAD-1, perform application detection on the plain-text traffic, and forward the inspected traffic to FAD-2.
The SSL-Offload-App-Detect application list and SSL-Offload protocol options profile are applied to the firewall policy handling the web application traffic on CL-1.
Given this scenario, which two configuration tasks must the administrator perform on CL-1? (Choose two.) A)
B)


- A. Option A
- B. Option B
- C. Option D
- D. Option C
正解:B、D
解説:
To enable application detection on plain-text traffic that has been decrypted by FortiADC, the administrator must perform two configuration tasks on CL-1:
Enable SSL offloading in the firewall policy and select the SSL-Offload protocol options profile.
Enable application control in the firewall policy and select the SSL-Offload-App-Detect application list. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic
質問 # 28
Refer to the exhibit.
You have been tasked with replacing the managed switch Forti Switch 2 shown in the topology.
Which two actions are correct regarding the replacement process? (Choose two.)
- A. CLAG-ICL needs to be manually reconfigured once the new switch is connected to the FortiGate
- B. After replacing the FortiSwitch unit, the automatically created trunk name changes.
- C. MCLAG-ICL will be automatically reconfigured once the new switch is connected to the FortiGate.
- D. After replacing the FortiSwitch unit, the automatically created trunk name does not change
正解:A、D
解説:
A is correct because the automatically created trunk name is based on the MAC address of the FortiSwitch unit. When the FortiSwitch unit is replaced, the MAC address will change, but the trunk name will not change.
B is correct because CLAG-ICL is a manually configured link aggregation group. When the FortiSwitch unit is replaced, the CLAG-ICL configuration will need to be manually reconfigured on the new FortiSwitch unit.
The other options are incorrect. Option C is incorrect because the automatically created trunk name does not change when the FortiSwitch unit is replaced. Option D is incorrect because MCLAG-ICL is a manually configured link aggregation group and will not be automatically reconfigured when the FortiSwitch unit is replaced.
References:
Configuring link aggregation on FortiSwitches | FortiSwitch / FortiOS 7.0.4 - Fortinet Document Library Managing FortiLink | FortiGate / FortiOS 7.0.4 - Fortinet Document Library
質問 # 29
A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two)
- A. Replace with a FortiDDoS 1500F
- B. Move the internet connection from the SFP interfaces to the LC interfaces
- C. Create an HA setup with a second FortiDDoS 200F
- D. Change the Adaptive Mode.
正解:A、C
解説:
B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.
D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F. This means that it will be less likely to drop traffic even under heavy load.
The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC interfaces will not change the throughput capacity of the device.
References:
FortiDDoS 200F Datasheet | Fortinet Document Library
FortiDDoS 1500F Datasheet | Fortinet Document Library
High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library
質問 # 30
You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail What are two possible reasons for this problem? (Choose two.)
- A. The FortiMail DKIM key was not set using the Auto Generation option.
- B. The FortiMail access control rules to relay from Office 365 servers public IPs are missing.
- C. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.
- D. The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
正解:B、C
解説:
FortiMail Cloud service is a cloud-based email security solution that integrates with Office 365 to provide protection against spam, malware, phishing, data loss, etc. To use FortiMail Cloud service with Office 365, users need to configure both FortiMail Cloud settings and Office 365 settings properly. One possible reason for outgoing emails not reaching the recipients' mailboxes is that the FortiMail access control rules to relay from Office 365 servers public IPs are missing. This means that FortiMail Cloud service does not recognize the Office 365 servers as authorized senders and rejects the outgoing emails. Users need to add the Office 365 servers public IPs to the FortiMail access control rules to allow relaying. Another possible reason for outgoing emails not reaching the recipients' mailboxes is that a Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN. This means that Office 365 does not route the outgoing emails to the FortiMail Cloud service for scanning and delivery. Users need to create a Mail Flow connector from the Exchange Admin Center and specify the FortiMail Cloud FQDN as the smart host. Reference: https://docs.fortinet.com/document/fortimail-cloud/6.4.0/administration-guide/19662/integrating-fortimail-cloud-with-office-365
質問 # 31
Review the VPN configuration shown in the exhibit.
What is the Forward Error Correction behavior if the SD-WAN network traffic download is 500 Mbps and has 8% of packet loss in the environment?
- A. 3 redundant packet for every 5 base packets
- B. 3 redundant packet for every 9 base packets
- C. 1 redundant packet for every 10 base packets
- D. 2 redundant packet for every 8 base packets
正解:A
解説:
Forward Error Correction (FEC) is a feature that can improve the quality of SD-WAN network traffic by adding redundant packets to the original packets. The ratio of redundant packets to base packets is determined by the FEC mode, which can be set to low, medium, or high. In low mode, the ratio is 1:10, in medium mode, the ratio is 2:8, and in high mode, the ratio is 3:5. The FEC mode can be configured manually or automatically based on the bandwidth and packet loss of the network. In this case, since the download bandwidth is 500 Mbps and the packet loss is 8%, the FEC mode is automatically set to high, which means that 3 redundant packets are added for every 5 base packets. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan/19662/forward-error-correction-fec
質問 # 32
Refer to the exhibit.
FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)
- A. The template will fail because this configuration can only be applied with a CLI or TCL script.
- B. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
- C. The administrator must first manually map the interface for each device with a meta field.
- D. The template will work if you change the variable format to {{ WAN }}.
- E. The template will work if you change the variable format to $(WAN).
正解:C、D
解説:
The Jinja template will not automatically map the interface with "WAN" role on the managed FortiGate. The administrator must first manually map the interface for each device with a meta field.
The template will work if you change the variable format to {{ WAN }}. The {{ }} syntax is used to define a variable in a Jinja template.
質問 # 33
Which two methods are supported for importing user defined Lookup Table Data into the FortiSIEM? (Choose two.)
- A. FTP
- B. SCP
- C. Report
- D. API
正解:A、D
解説:
User defined Lookup Table Data (LTD) is a feature that allows users to import custom data into FortiSIEM for correlation, reporting, and analysis purposes. Users can create LTD files in CSV format and import them into FortiSIEM using two methods: FTP or API. FTP is a file transfer protocol that allows users to upload LTD files to a designated folder on the FortiSIEM server. API is an application programming interface that allows users to send HTTP requests to upload LTD files to FortiSIEM using RESTful web services. Reference: https://docs.fortinet.com/document/fortisiem/6.4.0/administration-guide/19662/user-defined-lookup-table-data
質問 # 34
You must configure an environment with dual-homed servers connected to a pair of FortiSwitch units using an MCLAG.
Multicast traffic is expected in this environment, and you should ensure unnecessary traffic is pruned from links that do not have a multicast listener.
In which two ways must you configure the igmps-f lood-traffic and igmps-flood-report settings? (Choose two.)
- A. disable on the ISL and FortiLink trunks
- B. enable on ICL trunks
- C. enable on the ISL and FortiLink trunks
- D. disable on ICL trunks
正解:A、D
解説:
A is correct because disabling igmps-flood-traffic and igmps-flood-report on ICL trunks prevents unnecessary multicast traffic from being flooded across the MCLAG cluster members. C is correct because disabling igmps-flood-traffic and igmps-flood-report on the ISL and FortiLink trunks prevents unnecessary multicast traffic from being flooded to other switches or FortiGates that do not have multicast listeners. Reference: https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding https://docs.fortinet.com/document/fortiswitches/6.4.0/administration-guide/381057/multicast-forwarding/381058/configuring-multicast-forwarding
質問 # 35
Refer to the exhibit.
FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)
- A. The template will fail because this configuration can only be applied with a CLI or TCL script.
- B. The template will work if you change the variable format to {{ WAN }}.
- C. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
- D. The administrator must first manually map the interface for each device with a meta field.
- E. The template will fail because this configuration can only be applied with a CLI or TCL script.
- F. The template will work if you change the variable format to $(WAN).
正解:D、E
解説:
The Jinja template in the exhibit is trying to configure the interface role on the managed FortiGate. This type of configuration can only be applied with a CLI or TCL script. The Jinja template will fail because it is not a valid CLI or TCL script.
Explanation:
d) The administrator must first manually map the interface for each device with a meta field.
The Jinja template in the exhibit is expecting a meta field called WAN to be set on the managed FortiGate. This meta field will specify which interface on the FortiGate should be assigned the "WAN" role. If the meta field is not set, then the template will fail.
質問 # 36
Refer to the exhibit.
A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.
Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)
- A. The Windows clients only require "File and Printer Sharing0 allowed and the rest is handled by Active Directory group policy
- B. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express
- C. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority
- D. You can only deploy initial installations to Windows clients.
- E. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
正解:C、D
解説:
B is correct because a client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority. This is explained in the FortiClient EMS Administration Guide under Deployment & Installers > Manage Deployment > Managing deployment configuration priority levels. C is correct because you can only deploy initial installations to Windows clients using FortiClient EMS. This is also explained in the FortiClient EMS Administration Guide under Deployment & Installers > Deploying FortiClient software to endpoints. Reference: https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide/278884/deployment-installers https://docs.fortinet.com/document/forticlient/7.0.7/ems-administration-guide/374506/deploying-forticlient-software-to-endpoints
質問 # 37
Refer to the exhibit.
A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains & TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.
Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.
What are the two reasons for this behavior? (Choose two.)
- A. TPM functionality is not yet compatible with FortiGate HA D The administrator needs to manually enter the hex private data encryption key in FortiManager
- B. The private-data-encryption key entered on the primary did not match the value that the TPM expected.
- C. Configuration for TPM is not synchronized between FortiGate HA cluster members.
- D. The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.
正解:B、C
解説:
The two reasons for the negative impact on the FortiGate HA status and FortiManager status after enabling TPM are:
The private-data-encryption key entered on the primary unit did not match the value that the TPM expected. This could happen if the TPM was previously enabled and then disabled, and the key was changed in between. The TPM will reject the new key and cause an error in the configuration synchronization.
Configuration for TPM is not synchronized between FortiGate HA cluster members. Each cluster member must have the same private-data-encryption key to form a valid HA cluster and synchronize their configurations. However, enabling TPM on one unit does not automatically enable it on the other units, and the key must be manually entered on each unit. To resolve these issues, the administrator should disable TPM on all units, clear the TPM data, and then enable TPM again with the same private-data-encryption key on each unit. References: https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103437/inbound-ssl-inspection https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103438/application-detection-on-ssl-offloaded-traffic
質問 # 38
A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.
Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)
- A. Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.
- B. Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
- C. Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster
- D. Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters
正解:A、C
解説:
To implement security for the traffic between two VPCs in AWS, while keeping separate management of each department's VPC, two possible actions are:
Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster. This option allows the cybersecurity department to manage the transit VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The VPC peering connections enable direct communication between the VPCs without using public IPs or gateways. The routing tables can be configured to direct all inter-VPC traffic to the transit VPC.
Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster. This option also allows the cybersecurity department to manage the security VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The Transit Gateway acts as a network hub that connects multiple VPCs and on-premises networks. The routing tables can be configured to direct all inter-VPC traffic to the security VPC. References: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/506140/connecting-a-local-fortigate-to-an-aws-vpc-vpn https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/sd-wan-architecture-for-enterprise/166334/sd-wan-configuration
質問 # 39
You are deploying a FortiExtender (FEX) on a FortiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The requirement is to minimize the overhead on the device for WAN traffic.
Which action achieves the requirement in this scenario?
- A. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode
- B. Enable CAPWAP connectivity between the FortiGate and the FortiExtender.
- C. Add a switch between the FortiGate and FEX.
- D. Add a VLAN under the FEX-WAN interface on the FortiGate.
正解:A
解説:
VLAN Mode is a more efficient way to connect a FortiExtender to a FortiGate than CAPWAP Mode. This is because VLAN Mode does not require the FortiExtender to send additional control traffic to the FortiGate.
The other options are not correct.
a) Add a switch between the FortiGate and FEX. This will add overhead to the network, as the switch will need to process the traffic.
b) Enable CAPWAP connectivity between the FortiGate and the FortiExtender. This will increase the overhead on the FortiGate, as it will need to process additional control traffic.
d) Add a VLAN under the FEX-WAN interface on the FortiGate. This will not affect the overhead on the FortiGate.
質問 # 40
Refer to the exhibits.
The exhibits show a diagram of a requested topology and the base IPsec configuration.
A customer asks you to configure ADVPN via two internet underlays. The requirement is that you use one interface with a single IP address on DC FortiGate.
In this scenario, which feature should be implemented to achieve this requirement?
- A. Use peer-id
- B. Change advpn2 to IKEv1
- C. Use network-overlay id
- D. Use local-id
正解:C
解説:
A is correct because using network-overlay id allows you to configure multiple ADVPN tunnels on a single interface with a single IP address on the DC FortiGate. This is explained in the FortiGate Administration Guide under ADVPN > Configuring ADVPN > Configuring ADVPN on the hub. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/advpn/978794/configuring-advpn
質問 # 41
Review the following FortiGate-6000 configuration excerpt:
Based on the configuration, which statement is correct regarding SNAT source port partitioning behavior?
- A. It is the default SNAT configuration and preserves active sessions when an FPC or FPM goes down.
- B. It statically distributes SNAT source ports to operating FPCs or FPMs
- C. It equally distributes SNAT source ports across chassis slots.
- D. It dynamically distributes SNAT source ports to operating FPCs or FPMs.
正解:D
解説:
The configuration excerpt shows that the SNAT source port partitioning behavior is set to dynamic. This means that the FortiGate will dynamically distribute SNAT source ports to operating FPCs or FPMs. This ensures that active sessions are not interrupted if an FPC or FPM goes down.
The other options are incorrect. Option B is incorrect because the default SNAT configuration is static. Option C is incorrect because the configuration excerpt does not specify that SNAT source ports are statically distributed. Option D is incorrect because the SNAT source ports are not evenly distributed across chassis slots.
Here are some additional details about SNAT source port partitioning behavior:
SNAT source port partitioning behavior can be set to dynamic or static.
The default SNAT configuration is static.
Dynamic SNAT source port partitioning ensures that active sessions are not interrupted if an FPC or FPM goes down.
Static SNAT source port partitioning can improve performance by reducing the number of SNAT lookups.
質問 # 42
Refer to the CLI configuration of an SSL inspection profile from a FortiGate device configured to protect a web server:
Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?
- A. FortiGate will reject all HTTP/2 ALPN headers.
- B. FortiGate will rewrite the ALPN header to request HTTP/1.
- C. FortiGate will strip the ALPN header and forward the traffic.
- D. FortiGate will forward the traffic without modifying the ALPN header.
正解:A
解説:
The supported-alpn parameter is set to http1.1 in the SSL inspection profile. This means that the FortiGate will only accept HTTP/1.1 traffic. Any HTTP/2 traffic will be rejected.
The following is the relevant documentation from Fortinet:
The supported-alpn parameter specifies the list of ALPN protocols that the FortiGate will accept. If the client requests a protocol that is not in this list, the FortiGate will reject the connection.
The default value for the supported-alpn parameter is all. This means that the FortiGate will accept any ALPN protocol that the client requests.
To reject all HTTP/2 traffic, set the supported-alpn parameter to http1.1.
Source: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/710924/http-2-support-in-proxy-mode-ssl-inspection
質問 # 43
You are creating the CLI script to be used on a new SD-WAN deployment You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.
The current configuration is:
Which configuration do you use for the Performance SLA members?
- A. set members any
- B. set members all
- C. set members 0
- D. current configuration already fulfills the requirement
正解:B
解説:
D is correct because using set members all allows you to apply the Performance SLA configuration to all available interfaces without specifying them individually. This way, you do not need to change the configuration in case more connections are added to the branch. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan/978795/configuring-sd-wan-performance-sla
質問 # 44
An HA topology is using the following configuration:
Based on this configuration, how long will it take for a failover to be detected by the secondary cluster member?
- A. 600ms
- B. 200ms
- C. 100ms
- D. 300ms
正解:D
解説:
The HA topology shown in the exhibit is using link monitoring with two heartbeat interfaces (port3 and port5) and a heartbeat interval of 100ms. Link monitoring is a feature that allows HA failover to occur when one or more monitored interfaces fail or become disconnected. The heartbeat interval is the time between each heartbeat packet sent by an HA cluster unit to other cluster units through heartbeat interfaces. The failover time is determined by multiplying the heartbeat interval by three (the default deadtime value). Therefore, in this case, the failover time is 100ms x 3 = 300ms. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/647723/link-monitoring-and-ha-failover-time
質問 # 45
Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)
- A. The antivirus database queries FortiGuard with the hash of a scanned file
- B. The FortiGuard VOS can be used only with proxy-base policy inspections.
- C. If third-party AV database returns a match the scanned file is deemed to be malicious.
- D. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database.
- E. The AV engine scan must be enabled to use the FortiGuard VOS feature
正解:A、D
解説:
The FortiGuard Outbreak Prevention Service (VOS) is a feature that enhances the antivirus scanning capabilities of FortiGate by querying FortiGuard with the hash of a scanned file that is not found in the local antivirus database. If the hash matches a signature in the FortiGuard Global Threat Intelligence database, which contains information about known malware and zero-day threats, the file is deemed to be malicious and blocked by FortiGate. The VOS feature can be used with both proxy-based and flow-based policy inspections, and does not require the AV engine scan to be enabled. Reference: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/968606/outbreak-prevention-service
質問 # 46
Refer to the exhibit.
You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.
How should the initial connection be made?
- A. Connect the switch on any interface between ports 21 to 24
- B. Connect the switch on any interface between ports 1 to 4
- C. Connect the switch on any interface between ports 25 to 28
- D. Connect the switch on any interface between ports 5 to 8.
正解:A
解説:
The FortiGate 6000F is a high-performance firewall appliance that has 28 network interfaces with different speeds and types. The device should be directly connected to a switch that will have a new hardware module providing higher speed in the future. The connection to the FortiGate must be moved to this higher-speed port without affecting any other port. Therefore, the initial connection should be made on any interface between ports 21 to 24, which are 10G SFP+ interfaces. These interfaces are independent from each other and do not share bandwidth with any other interface. This means that moving the connection to a higher-speed port in the future will not affect any other port on the FortiGate. Option A shows the correct answer. Option B is incorrect because ports 25 to 28 are 40G QSFP+ interfaces, which share bandwidth with ports 21 to 24. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Option C is incorrect because ports 1 to 4 are 100G QSFP28 interfaces, which share bandwidth with ports 5 to 8 and ports 9 to 12. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Option D is incorrect because ports 5 to 8 are 25G SFP28 interfaces, which share bandwidth with ports 1 to 4 and ports 9 to 12. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/hardware-acceleration-guide/19662/fortigate-6000f
質問 # 47
Refer to the exhibit showing a firewall policy configuration.
To prevent unauthorized access of their cloud assets, an administrator wants to enforce authentication on firewall policy ID 1.
What change does the administrator need to make?
- A.

- B.

- C.

- D.

正解:C
解説:
B is correct because it adds an identity-based policy with SSL-VPN as the source interface and requires authentication using a user group. This will enforce authentication on firewall policy ID 1 for SSL-VPN users. Reference: https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/ssl-vpn-authentication https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/configuring-ssl-vpn-access-for-local-users
質問 # 48
You are running a diagnose command continuously as traffic flows through a platform with NP6 and you obtain the following output:
Given the information shown in the output, which two statements are true? (Choose two.)
- A. There are packet drops at the XAUI.
- B. Enable HPE shaper for the NP6 will change the output
- C. The output is showing a packet descriptor queue accumulated counter
- D. Host-shortcut mode is enabled.
- E. Enabling bandwidth control between the ISF and the NP will change the output
正解:A、C
解説:
The diagnose command shown in the output is used to display information about NP6 packet descriptor queues. The output shows that there are 16 NP6 units in total, and each unit has four XAUI ports (XA0-XA3). The output also shows that there are some non-zero values in the columns PDQ ACCU (packet descriptor queue accumulated counter) and PDQ DROP (packet descriptor queue drop counter). These values indicate that there are some packet descriptor queues that have reached their maximum capacity and have dropped some packets at the XAUI ports. This could be caused by congestion or misconfiguration of the XAUI ports or the ISF (Internal Switch Fabric). Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cli-reference/19662/diagnose-np6-pdq
質問 # 49
Refer to the exhibit.
A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.
How will the sessions be load balanced between server 1 and server 2 during normal operation?
- A. Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions
- B. Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions
- C. Server 1 will receive 33.3% of the sessions, Server 2 will receive 66 6% of the sessions
- D. Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions
正解:B
解説:
D is correct because server 1 has a weight of 0, which means it will not receive any sessions from the load balancer. Server 2 has a weight of 100, which means it will receive all sessions from the load balancer. This is explained in the FortiWeb Administration Guide under Server Load Balancing > Server pools > Weighted round robin. Reference: https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/381057/server-load-balancing https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/381057/server-load-balancing/381058/server-pools
質問 # 50
......
厳密検証されたNSE8_812試験問題集と解答で無料提供のNSE8_812問題と正解付き:https://jp.fast2test.com/NSE8_812-premium-file.html
あなたを合格させるNSE8_812問題集無料で最新のFortinet練習テスト:https://drive.google.com/open?id=1lITfvWS2qnBXsCox6p9zVCmHMnD7xAKR