NSE8_812リアルな試験問題NSE8_812練習問題集 [Q25-Q40]

Share

NSE8_812リアルな試験問題NSE8_812練習問題集

厳密検証されたNSE8_812試験問題集と解答で無料提供のNSE8_812問題と正解付き


Fortinet NSE8_812試験の準備には、トレーニングコース、学習ガイド、模擬試験など、さまざまなリソースを活用することができます。Fortinetはまた、試験に合格し、キャリアを進めるために必要なスキルと知識を開発するためのさまざまな認定プログラムを提供しています。

 

質問 # 25
Refer to the exhibit.

You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.
How should the initial connection be made?

  • A. Connect the switch on any interface between ports 1 to 4
  • B. Connect the switch on any interface between ports 21 to 24
  • C. Connect the switch on any interface between ports 25 to 28
  • D. Connect the switch on any interface between ports 5 to 8.

正解:B

解説:
The FortiGate 6000F is a high-performance firewall appliance that has 28 network interfaces with different speeds and types. The device should be directly connected to a switch that will have a new hardware module providing higher speed in the future. The connection to the FortiGate must be moved to this higher-speed port without affecting any other port. Therefore, the initial connection should be made on any interface between ports 21 to 24, which are 10G SFP+ interfaces. These interfaces are independent from each other and do not share bandwidth with any other interface. This means that moving the connection to a higher-speed port in the future will not affect any other port on the FortiGate. Option A shows the correct answer. Option B is incorrect because ports 25 to 28 are 40G QSFP+ interfaces, which share bandwidth with ports 21 to 24. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Option C is incorrect because ports 1 to 4 are 100G QSFP28 interfaces, which share bandwidth with ports 5 to 8 and ports 9 to 12. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Option D is incorrect because ports 5 to 8 are 25G SFP28 interfaces, which share bandwidth with ports 1 to 4 and ports 9 to 12. Moving the connection to a higher-speed port in the future will affect the bandwidth of these ports. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/hardware-acceleration-guide/19662/fortigate-6000f


質問 # 26
Refer to the exhibits.


A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.
Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)

  • A. Devices connected directly to ports 3 and 4 can perform 802 1X authentication.
  • B. Client devices must have 802 1X authentication enabled
  • C. FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.
  • D. Ports 3 and 4 can be part of different switch interfaces.

正解:A、B

解説:
The customer wants to deploy a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E device. A hardware switch interface is an interface that combines multiple physical interfaces into one logical interface, allowing them to act as a single switch with one IP address and one set of security policies. The customer wants to use 802.1X authentication for this solution, which is a standard protocol for port-based network access control (PNAC) that authenticates clients based on their credentials before granting them access to network resources. One condition that allows authentication to the client devices before assigning an IP address is that devices connected directly to ports 3 and 4 can perform 802.1X authentication. This is because ports 3 and 4 are part of the hardware switch interface named "lan", which has an IP address of 10.10.10.254/24 and an inbound SSL inspection profile named "ssl-inspection". The inbound SSL inspection profile enables the FortiGate device to intercept and inspect SSL/TLS traffic from clients before forwarding it to servers, which allows it to apply security policies and features such as antivirus, web filtering, application control, etc. However, before performing SSL inspection, the FortiGate device needs to authenticate the clients using 802.1X authentication, which requires the clients to send their credentials (such as username and password) to the FortiGate device over a secure EAP (Extensible Authentication Protocol) channel. The FortiGate device then verifies the credentials with an authentication server (such as RADIUS or LDAP) and grants or denies access to the clients based on the authentication result. Therefore, devices connected directly to ports 3 and 4 can perform 802.1X authentication before assigning an IP address. Another condition that allows authentication to the client devices before assigning an IP address is that client devices must have 802.1X authentication enabled. This is because 802.1X authentication is a mutual process that requires both the client devices and the FortiGate device to support and enable it. The client devices must have 802.1X authentication enabled in their network settings, which allows them to initiate the authentication process when they connect to the hardware switch interface of the FortiGate device. The client devices must also have an 802.1X supplicant software installed, which is a program that runs on the client devices and handles the communication with the FortiGate device using EAP messages. The client devices must also have a trusted certificate installed, which is used to verify the identity of the FortiGate device and establish a secure EAP channel. Therefore, client devices must have 802.1X authentication enabled before assigning an IP address. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/hardware-switch-interfaces https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/802-1x-authentication


質問 # 27
Refer to the exhibit.

To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with configuring the FortiGate devices to support injecting of IKE routes on the ADVPN shortcut tunnels.
Which three commands must be added or changed to the FortiGate spoke config vpn ipsec phasei-interface options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)

  • A. set add-route enable
  • B. set net-device disable
  • C. set mode-cfg-allow-client-selector enable
  • D. set ike-version 1
  • E. set mode-cfg enable

正解:A、B、C

解説:
A is correct because net-device disable prevents the VPN interface from being added to the routing table as a connected route. This allows IKE routes to be injected instead. D is correct because add-route enable enables IKE route injection on the VPN interface. E is correct because mode-cfg-allow-client-selector enable allows the VPN interface to accept IKE routes from any peer that matches the phase 1 configuration. Reference: https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490352/advpn https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490352/advpn-configuration


質問 # 28
Refer to the exhibit.

A FortiWeb appliance is configured for load balancing web sessions to internal web servers. The Server Pool is configured as shown in the exhibit.
How will the sessions be load balanced between server 1 and server 2 during normal operation?

  • A. Server 1 will receive 25% of the sessions, Server 2 will receive 75% of the sessions
  • B. Server 1 will receive 20% of the sessions, Server 2 will receive 66.6% of the sessions
  • C. Server 1 will receive 33.3% of the sessions, Server 2 will receive 66 6% of the sessions
  • D. Server 1 will receive 0% of the sessions Server 2 will receive 100% of the sessions

正解:A

解説:
The Server Pool in the exhibit is configured with a weight of 20 for server 1 and a weight of 60 for server 2. This means that server 1 will receive 20% of the sessions and server 2 will receive 75% of the sessions.
The following formula is used to calculate the load balancing between servers in a Server Pool:
weight_of_server_1 / (weight_of_server_1 + weight_of_server_2)
In this case, the formula is:
20 / (20 + 60) = 20 / 80 = 0.25 = 25%
Therefore, server 1 will receive 25% of the sessions and server 2 will receive 75% of the sessions.


質問 # 29
Refer to the exhibit showing an SD-WAN configuration.

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be used?

  • A. port1 and port1
  • B. port1 and port15
  • C. port16 and port1
  • D. port16 and port15

正解:C

解説:
According to the exhibit, the SD-WAN configuration has two rules: one for traffic to 10.1.100.0/24 subnet, and one for traffic to 10.1.100.16/28 subnet. The first rule uses the best quality strategy, which selects the SD-WAN member with the best measured quality based on performance SLA metrics. The second rule uses the manual strategy, which specifies port1 as the SD-WAN member to select. Therefore, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, the outgoing interfaces will be port16 and port1 respectively, assuming that port16 has the best quality among the SD-WAN members. References: https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/218559/configuring-the-sd-wan-interface


質問 # 30
Wh.ch feature must you enable on the BGP neighbors to accomplish this goal?

  • A. Soft-reconfiguration
  • B. Synchronization
  • C. Deterministic-med
  • D. Graceful-restart

正解:D

解説:
Graceful-restart is a feature that allows BGP neighbors to maintain their routing information during a BGP restart or failover event, without disrupting traffic forwarding or causing route flaps. Graceful-restart works by allowing a BGP speaker (the restarting router) to notify its neighbors (the helper routers) that it is about to restart or failover, and request them to preserve their routing information and forwarding state for a certain period of time (the restart time). The helper routers then mark the routes learned from the restarting router as stale, but keep them in their routing table and continue forwarding traffic based on them until they receive an end-of-RIB marker from the restarting router or until the restart time expires. This way, graceful-restart can minimize traffic disruption and routing instability during a BGP restart or failover event. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/bgp-graceful-restart


質問 # 31
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer requirements:

* SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
* Public IP address (129.11.1.100) is assigned to portl
* Datacenter.acmecorp.com resolves to the public IP address assigned to portl The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
A)

B)

C)

  • A. Option C
  • B. Option B
  • C. Option D
  • D. Option A

正解:B

解説:
The customer's SSLVPN Portal is currently configured to use a self-signed certificate. This means that the certificate is not trusted by any browsers, and users will have to accept a security warning before they can connect to the portal.
To resolve this issue, the customer needs to configure the FortiGate to use a Let's Encrypt certificate. Let's Encrypt is a free certificate authority that provides trusted certificates for websites and other applications.
The configuration change in option B will configure the FortiGate to use a Let's Encrypt certificate for the SSLVPN Portal. This will allow users to connect to the portal without having to accept a security warning.
The other configuration changes are not necessary to resolve the issue. Option A will configure the FortiGate to use a different port for the SSLVPN Portal, but this will not resolve the issue with the self-signed certificate. Option C will configure the FortiGate to use a different DNS name for the SSLVPN Portal, but this will also not resolve the issue with the self-signed certificate. Option D will configure the FortiGate to use a different certificate authority for the SSLVPN Portal, but this will also not resolve the issue because the customer still needs to use a trusted certificate.
References:
Configuring SSLVPN with Let's Encrypt: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/822087/acme-certificate-support Let's Encrypt: https://letsencrypt.org/


質問 # 32
A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.
Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

  • A. Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
  • B. Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster
  • C. Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.
  • D. Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters

正解:B、C

解説:
To implement security for the traffic between two VPCs in AWS, while keeping separate management of each department's VPC, two possible actions are:
Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster. This option allows the cybersecurity department to manage the transit VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The VPC peering connections enable direct communication between the VPCs without using public IPs or gateways. The routing tables can be configured to direct all inter-VPC traffic to the transit VPC.
Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster. This option also allows the cybersecurity department to manage the security VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The Transit Gateway acts as a network hub that connects multiple VPCs and on-premises networks. The routing tables can be configured to direct all inter-VPC traffic to the security VPC. Reference: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/506140/connecting-a-local-fortigate-to-an-aws-vpc-vpn https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/sd-wan-architecture-for-enterprise/166334/sd-wan-configuration


質問 # 33
Refer to the exhibit.

You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration:

FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?

  • A. Objects from the root FortiGate will only be synchronized to FGT__2.
  • B. Objects from the root FortiGate will not be synchronized to any downstream FortiGate.
  • C. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.
  • D. Objects from the root FortiGate will only be synchronized to FGT_3.

正解:C

解説:
The security fabric shown in the exhibit consists of three FortiGate devices connected in a hierarchical topology, where FGT_1 is the root device, FGT_2 is a downstream device, and FGT_3 is a downstream device of FGT_2. FGT_2 has a configuration setting that enables fabric-object synchronization for all objects except firewall policies and firewall policy packages (set sync-fabric-objects enable). Fabric-object synchronization is a feature that allows downstream devices to synchronize their objects (such as addresses, services, schedules, etc.) with their upstream devices in a security fabric. This simplifies object management and ensures consistency across devices. Therefore, in this case, objects from FGT_2 will be synchronized to FGT_1 (the upstream device), but not to FGT_3 (the downstream device). Objects from FGT_1 will not be synchronized to any downstream device because the default setting for fabric-object synchronization is disabled. Objects from FGT_3 will not be synchronized to any device because it does not have fabric-object synchronization enabled. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/fabric-object-synchronization


質問 # 34
Refer to the exhibit.

A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode.
Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)

  • A. Traffic on AccountVInk and SalesVInk will not be accelerated.
  • B. OSPF routing can be configured between VDOM 1 and Root VDOM without any configuration changes to AccountVInk
  • C. Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs.
  • D. You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode
  • E. The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides.

正解:A、C

解説:
The FortiGate configuration shown in the exhibit is using virtual domains (VDOMs) enabled in multi-VDOM mode. There are three VDOMs: Root is for management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal traffic. AccountVInk and SalesVInk are standard VDOM links in Ethernet mode. One correct statement about VDOM behavior is that traffic on AccountVInk and SalesVInk will not be accelerated. This is because standard VDOM links do not support hardware acceleration features such as NP6 or CP9 offloading, which can improve performance and throughput for traffic between VDOMs. To enable hardware acceleration for inter-VDOM traffic, non-standard VDOM links such as NP6 or CP9 interfaces should be used instead of standard VDOM links. Another correct statement about VDOM behavior is that Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Traffic type VDOMs. This is because Admin type VDOMs are special VDOMs that can only be used for management purposes and cannot process any traffic other than management traffic (such as SSH, HTTPS, SNMP, etc.). Traffic type VDOMs are normal VDOMs that can process any kind of traffic (such as firewall policies, VPN tunnels, routing protocols, etc.). By default, Root VDOM is an Admin type VDOM that can manage other Traffic type VDOMs, unless it is converted to a Traffic type VDOM by using the set vdom-admin enable command. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/virtual-domains https://docs.fortinet.com/document/fortigate/7.0.0/hardware-acceleration-guide/19662/vdom-links


質問 # 35
An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates. A FortiAuthenticator is the certificate authority (CA) and the Online Certificate Status Protocol (OCSP) server.
Part of the FortiGate configuration is shown below:

Based on this configuration, which two statements are true? (Choose two.)

  • A. OCSP certificate responses are never cached by the FortiGate.
  • B. OCSP checks will always go to the configured FortiAuthenticator
  • C. The OCSP check of the certificate can be combined with a certificate revocation list.
  • D. If the OCSP server is unreachable, authentication will succeed if the certificate matches the CA.

正解:B、D

解説:
A is correct because the OCSP server is configured as the FortiAuthenticator in the config vpn certificate ocsp-server section. D is correct because the config vpn ssl settings section has set ocsp-option to allow. This means that if the OCSP server is unreachable, authentication will succeed if the certificate matches the CA. Reference: https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/490351/ssl-vpn-authentication https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/266506/ssl-vpn-with-certificate-authentication


質問 # 36
Refer to the exhibits.


A customer wants to deploy 12 FortiAP 431F devices on high density conference center, but they do not currently have any PoE switches to connect them to. They want to be able to run them at full power while having network redundancy From the FortiSwitch models and sample retail prices shown in the exhibit, which build of materials would have the lowest cost, while fulfilling the customer's requirements?

  • A. 1x FortiSwitch 248EFPOE
  • B. 2x FortiSwitch 224E-POE
  • C. 2x FortiSwitch 248E-FPOE
  • D. 2x FortiSwitch 124E-FPOE

正解:C

解説:
The customer wants to deploy 12 FortiAP 431F devices on a high density conference center, but they do not have any PoE switches to connect them to. They want to be able to run them at full power while having network redundancy. PoE switches are switches that can provide both data and power to connected devices over Ethernet cables, eliminating the need for separate power adapters or outlets. PoE switches are useful for deploying devices such as wireless access points, IP cameras, and VoIP phones in locations where power outlets are scarce or inconvenient. The FortiAP 431F is a wireless access point that supports PoE+ (IEEE 802.3at) standard, which can deliver up to 30W of power per port. The FortiAP 431F has a maximum power consumption of 25W when running at full power. Therefore, to run 12 FortiAP 431F devices at full power, the customer needs PoE switches that can provide at least 300W of total PoE power budget (25W x 12). The customer also needs network redundancy, which means that they need at least two PoE switches to connect the FortiAP devices in case one switch fails or loses power. From the FortiSwitch models and sample retail prices shown in the exhibit, the build of materials that has the lowest cost while fulfilling the customer's requirements is 2x FortiSwitch 248E-FPOE. The FortiSwitch 248E-FPOE is a PoE switch that has 48 GE ports with PoE+ capability and a total PoE power budget of 370W. It also has 4x 10 GE SFP+ uplink ports for high-speed connectivity. The sample retail price of the FortiSwitch 248E-FPOE is $1,995, which means that two units will cost $3,990. This is the lowest cost among the other options that can meet the customer's requirements. Option A is incorrect because the FortiSwitch 248EFPOE is a non-PoE switch that has no PoE capability or power budget. It cannot provide power to the FortiAP devices over Ethernet cables. Option B is incorrect because the FortiSwitch 224E-POE is a PoE switch that has only 24 GE ports with PoE+ capability and a total PoE power budget of 185W. It cannot provide enough ports or power to run 12 FortiAP devices at full power. Option D is incorrect because the FortiSwitch 124E-FPOE is a PoE switch that has only 24 GE ports with PoE+ capability and a total PoE power budget of 185W. It cannot provide enough ports or power to run 12 FortiAP devices at full power. References: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiSwitch_Secure_Access_Series.pdf https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiAP_400_Series.pdf


質問 # 37
Refer to the exhibit showing FortiGate configurations

FortiManager VM high availability (HA) is not functioning as expected after being added to an existing deployment.
The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the GUI The managed devices never show online when FMG-B becomes primary, but they will show online whenever the FMG-A becomes primary.
What change will correct HA functionality in this scenario?

  • A. Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.
  • B. Make the monitored IP to match on both FortiManager devices.
  • C. Change the priority of FMG-A to be numerically lower for higher preference
  • D. Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.

正解:B

解説:
B is correct because the monitored IP must match on both FortiManager devices for HA to function properly. This is explained in the FortiManager Administration Guide under High Availability > Configuring HA options > Configuring HA options using the GUI. Reference: https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability https://docs.fortinet.com/document/fortimanager/7.4.0/administration-guide/568591/high-availability/568592/configuring-ha-options


質問 # 38
A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS, but these belong to different departments within the company. The company uses a single region for all their VPCs.
Which two actions will achieve this requirement while keeping separate management of each department's VPC? (Choose two.)

  • A. Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.
  • B. Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster
  • C. Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.
  • D. Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters

正解:B、C

解説:
To implement security for the traffic between two VPCs in AWS, while keeping separate management of each department's VPC, two possible actions are:
Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster. This option allows the cybersecurity department to manage the transit VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The VPC peering connections enable direct communication between the VPCs without using public IPs or gateways. The routing tables can be configured to direct all inter-VPC traffic to the transit VPC.
Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPCs to force routing through the FortiGate cluster. This option also allows the cybersecurity department to manage the security VPC and apply security policies on the FortiGate cluster, while the other departments can manage their own VPCs and instances. The Transit Gateway acts as a network hub that connects multiple VPCs and on-premises networks. The routing tables can be configured to direct all inter-VPC traffic to the security VPC. References: https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/aws-administration-guide/506140/connecting-a-local-fortigate-to-an-aws-vpc-vpn https://docs.fortinet.com/document/fortigate-public-cloud/7.0.0/sd-wan-architecture-for-enterprise/166334/sd-wan-configuration


質問 # 39
Refer to the exhibit.

You have deployed a security fabric with three FortiGate devices as shown in the exhibit. FGT_2 has the following configuration:

FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the synchronization of fabric-objects?

  • A. Objects from the root FortiGate will only be synchronized to FGT__2.
  • B. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.
  • C. Objects from the root FortiGate will only be synchronized to FGT_3.
  • D. Objects from the root FortiGate will not be synchronized to any downstream FortiGate.

正解:D

解説:
The fabric-object-unification setting on FGT_2 is set to local, which means that objects will not be synchronized to any other FortiGate devices in the security fabric. The default setting for fabric-object-unification is default, which means that objects will be synchronized from the root FortiGate to all downstream FortiGate devices.
Since FGT_2 is not the root FortiGate and the fabric-object-unification setting is set to local, objects from the root FortiGate will not be synchronized to FGT_2.
Reference:
Synchronizing objects across the Security Fabric: https://docs.fortinet.com/document/fortigate/6.4.0/administration-guide/880913/synchronizing-objects-across-the-security-fabric


質問 # 40
......

無料でゲット!高評価Fortinet NSE8_812試験問題集を今すぐダウンロード!:https://jp.fast2test.com/NSE8_812-premium-file.html

あなたを合格させるNSE8_812無料最新問題集でFortinet練習テストしよう:https://drive.google.com/open?id=1_UzG4e8dL23c3Kg1_oX2z_83vHSV99c_


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어