Nse8 811

This document contains practice questions for the Fortinet NSE8_811 exam. The questions cover topics such as FortiGate and FortiSwitch configuration, SSL VPN authentication, FortiGate clustering, FortiDDoS prevention modes, health checks, aggregate interfaces, VPN troubleshooting, and logical chassis access.

Uploaded by MAzfar Raza

Fortinet NSE8_811

Fortinet NSE 8 Written Exam


Version: 1.0
Fortinet NSE8_811 Exam
QUESTION NO: 1

Refer to the exhibit.

The exhibit shows a full-mesh topology between FortiGate and FortiSwitch devices. To deploy this
configuration, two requirements must be met:

• 20 Gbps full duplex connectivity is available between each FortiGate and the FortiSwitch devices

• The FortiGate HA must be in AP mode

Referring to the exhibit, what are two actions that will fulfill the requirements? (Choose two.)

A.
Configure the master FortiGate with one LAG and FortiLink split interface disabled on ports
connected to cables A and C and make sure the same ports are used for cables B and D on the
slave.

B.
Configure the master FortiGate with one LAG and FortiLink split interface enabled on ports
connected to cables A and C and make sure the same ports are used for cables B and D on the
slave.

C.
Configure both FortiSwitch devices as peers with ICL over cable E, create one MCLAG on ports
connected to cables A and C, and create another MCLAG on ports connected to cables B and D.

D.
Configure both FortiSwitch devices as peers with ISL over cable E, create one MCLAG on ports
connected to cables A and C, and create another MCLAG on ports connected to cables B and D.

Answer: A,C

"Pass Any Exam. Any Time." - www.actualtests.com 2


Explanation:

QUESTION NO: 2

You want to manage a FortiGate with the FortiCloud service. The FortiGate shows up in your list
of devices on the FortiCloud Web site, but all management functions are either missing or grayed
out.

Which statement is correct in this scenario?

A.
The management tunnel mode on the managed FortiGate must be changed to normal.

B.
The managed FortiGate is running a version of FortiOS that is either too new or too old for
FortiCloud.

C.
The managed FortiGate requires that a FortiCloud management license be purchased and
applied.

D.
You must manually configure system central-management on the FortiGate CLI and set the
management type to fortiguard.

Answer: D
Explanation:

QUESTION NO: 3

Refer to the exhibit.

The exhibit shows the steps for creating a URL rewrite policy on a FortiWeb.

Which statement represents the purpose of this policy?

A.
The policy redirects all HTTPS URLs to HTTP.

B.
The policy redirects all HTTP URLs to HTTPS.

C.
The policy redirects only HTTP URLs containing the ^/(.*)$ string to HTTPS.

D.
The policy redirects only HTTPS URLs containing the ^/(.*)$ string to HTTP.

Answer: B
Explanation:

QUESTION NO: 4

You are asked to add a FortiDDoS to the network to combat detected slow connection attacks
such as Slowloris.

Which prevention mode on FortiDDoS will protect you against this specific type of attack?

A.
asymmetric mode

B.
aggressive aging mode

C.
rate limiting mode

D.
blocking mode

Answer: B
Explanation:

QUESTION NO: 5

You are building a FortiGate cluster which is stretched over two locations. The HA connections for
the cluster are terminated on the local switches in the data centers. Once the FortiGate devices
have booted, they do not form a cluster. The network operators inform you that CRC errors are
present on the switches where the FortiGate devices are connected.

What should you do to solve this problem?

A.
Set the speed/duplex setting to 1 Gbps / Full Duplex.

B.
Replace the cables where the CRC errors occur.

C.
Place the HA interfaces in dedicated VLANs.

D.
Change the ethertype for the HA packets.

Answer: D
Explanation:

QUESTION NO: 6

You want to access the JSON API on FortiManager to retrieve information on an object.

In this scenario, which two methods will satisfy the requirement? (Choose two.)

A.
Download the WSDL file from FortiManager administration GUI.

B.
Make a call with the curl utility on your workstation.

C.
Make a call with the SoapUI API tool on your workstation.

D.
Make a call with the Web browser on your workstation.

Answer: A,C
Explanation:

QUESTION NO: 7

Refer to the exhibit.

You created a custom health-check for your FortiWeb deployment.

Given the output shown in the exhibit, which statement is true?

A.
The FortiWeb must receive an RST packet from the server.

B.
The FortiWeb must receive an HTTP 200 response code from the server.

C.
The FortiWeb must match the hash value of the page index.html.

D.
The FortiWeb must receive an ICMP Echo Request from the server.

Answer: B
Explanation:

QUESTION NO: 8

Refer to the exhibit.

You created an aggregate interface between a FortiGate and a switch consisting of two 1 Gbps
links as shown in the exhibit. However, the maximum bandwidth never exceeds 1 Gbps and
employees are reporting that the network is slow. After troubleshooting, you notice that only one
member interface is being used. The configuration for the aggregate interface is shown in the
exhibit.

In this scenario, which command will solve this problem?

A.

B.

C.

D.

Answer: A
Explanation:

QUESTION NO: 9

Refer to the exhibit.


A FortiGate device is configured to authenticate SSL VPN users using digital certificates. A partial
FortiGate configuration is shown in the exhibit.

Referring to the exhibit, which two statements about this configuration are true? (Choose two.)

A.
The authentication will fail if the user certificate does not contain the user principal name (UPN)
information.

B.
The authentication will fail if the user certificate does not contain the CA_Cert string in the CA field.

C.
The authentication will fail if the OCSP server is down.

D.
OCSP is used to verify that the user-signed certificate has not expired.

Answer: A,C

Explanation:

QUESTION NO: 10

Consider the following FortiGate configuration:

Which command-line option for deep inspection SSL would have the FortiGate re-sign all
untrusted self-signed certificates with the trusted Fortinet_CA_SSL certificate?

A.
block

B.
inspect

C.
allow

D.
ignore

Answer: D
Explanation:

QUESTION NO: 11

Refer to the exhibit.


A FortiGate is configured for a dial-up IPsec VPN to allow multiple remote FortiGate devices to
connect to it. However, FortiGate A and B have problems connecting to the VPN. Only one of
them can be connected at a time. If site B tries to connect while site A is connected, site A is
disconnected. The IKE real-time debug shows the output in the exhibit when site A is
disconnected.

Referring to the exhibit, which configuration setting should be executed in the dial-up configuration
to allow both VPNs to be connected at the same time?

A.
set route-overlap allow

B.
set single-source disable

C.
set enforce-unique-id disable

D.
set add-route enable

Answer: A
Explanation:

QUESTION NO: 12

A customer wants to enable SYN flood mitigation in a FortiDDoS device. The FortiDDoS must
reply with one SYN/ACK packet per SYN packet from a new source IP address.

Which SYN flood mitigation mode must the customer use?

A.
SYN retransmission

B.
SYN/ACK cookie

C.
SYN cookie

D.
ACK cookie

Answer: C
Explanation:

QUESTION NO: 13

Refer to the exhibit.

You configured AV and Web filtering for your outgoing Internet connections. You later notice that
not all Web sessions are being inspected and you start troubleshooting the problem.

Referring to the exhibit, what can be causing this problem?

A.
The Web session is using QUIC which is not inspected by the FortiGate.

B.
There are problems with the connection to the Web filter servers, therefore the Web session
cannot be categorized.

C.
The SSL inspection options are not set to deep inspection.

D.
Web filtering is not licensed; therefore, no inspection occurs.

Answer: A
Explanation:

QUESTION NO: 14

You are administering the FortiGate 5000 and FortiGate 7000 series products. You want to access
the HTTPS GUI of the blade located in logical slot 3 of the secondary chassis in a high-availability
cluster.

Which URL will accomplish this task?

A.
https://192.168.1.99:44322

B.
https://192.168.1.99:44323

C.
https://192.168.1.99:44313

D.
https://192.168.1.99:44302

Answer: B
Explanation:

QUESTION NO: 15

Refer to the exhibit.

Given the configuration shown in the exhibit, which two statements are true? (Choose two.)

A.
LAG-3 on switches on FS448D-A and FS448D-B may be connected to a single 802.3ad trunk on
another device.

B.
LAG-1 and LAG-2 should be connected to a 4-port single 802.3ad trunk on another device.

C.
port13 and port14 on FS448D-A should be connected to port13 and port14 on FS448D-B.

D.
LAG-1 and LAG-2 should be connected to a single 4-port 802.3ad interface on the FortiGate-A.

Answer: A,C
Explanation:

QUESTION NO: 16

A customer wants to integrate their on-premise FortiGate with their Azure infrastructure.

Which two components must be in place to configure the Azure Fabric connector? (Choose two.)

A.
FortiGate-VM virtual appliance deployed on-premise.

B.
An inbound policy from the Azure FortiGate-VM virtual appliance.

C.
An outbound policy from the Azure FortiGate-VM virtual appliance.

D.
A FortiGate-VM virtual appliance deployed in Azure.

Answer: C,D
Explanation:

QUESTION NO: 17

You cannot ping the FortiGate default gateway 10.10.10.1 from the FortiGate CLI. The FortiGate
interface facing the default gateway is wan1 and its IP address is 10.10.10.254/24. During the
initial troubleshooting tests, you confirm that you can ping other IP addresses in the 10.10.10.0/24
subnet from the FortiGate CLI without packet loss.

Which two CLI commands will help you to troubleshoot this problem? (Choose two.)

A.
diagnose debug flow filter saddr 10.10.10.1

diagnose debug flow trace start 10

B.
diagnose hardware deviceinfo nic wan1

C.
diagnose ip arp list

D.
diag sniffer packet wan1 'arp and host 10.10.10.1'

Answer: A,C
Explanation:

QUESTION NO: 18

An organization has one central site and three remote sites. A FortiSIEM has been installed on the
central site and now all devices across the remote sites must be centrally monitored by the
FortiSIEM at the central site.

Which action will reduce the WAN usage by the monitoring system?

A.
Enable SD-WAN FEC (Forward Error Correction) on the FortiGate at the remote site.

B.
Install both Supervisor and Collector on each remote site.

C.
Install local Collectors on each remote site.

D.
Disable real-time log upload on the remote sites.

Answer: C
Explanation:

QUESTION NO: 19

A customer is looking for a way to remove JavaScript, macros, and hyperlinks from documents
traversing the network without affecting the integrity of the content. You propose to use the
Content disarm and reconstruction (CDR) feature of the FortiGate.

Which two considerations are valid to implement CDR in this scenario? (Choose two.)

A.
The inspection mode of the FortiGate is not relevant for CDR to operate.

B.
CDR is supported on HTTPS, SMTPS, and IMAPS if deep inspection is enabled.

C.
CDR can only be performed on Microsoft Office Document and PDF files.

D.
Files processed by CDR can have the original copy quarantined on the FortiGate.

Answer: C,D
Explanation:

QUESTION NO: 20

Refer to the exhibit.

As shown in the exhibit, a FortiADC is load-balancing IPv4 traffic between two next-hop routers.
The FortiADC does not know the IP addresses of the servers. Also, the FortiADC is doing Layer 7
content inspection and modification.

In this scenario, which application delivery control is configured in the FortiADC?

A.
Layer 3

B.
Layer 4

C.
Layer 7

D.
Layer 2

Answer: D
Explanation:

QUESTION NO: 21

Refer to the exhibit.

You are trying to configure Link-Aggregation Group (LAG), but ports A and B do not appear on the
list of member options.

Referring to the exhibit, which statement is correct in this situation?

A.
The FortiGate interfaces are defective and require replacement.

B.
The FortiGate model does not have an Integrated Switch Fabric (ISF).

C.
The FortiGate model being used does not support LAG.

D.
The FortiGate SFP+ slot does not have the correct module.

Answer: B
Explanation:

QUESTION NO: 22

You have deployed a FortiGate in NAT/Route mode as a Secure Web Gateway with a few IP-based
authentication firewall policies. Your customer reports that some users now have different
browsing permissions from what is expected. All these users are browsing using Internet Explorer
through a Remote Desktop Connection to a Terminal Server. When you look at the FortiGate logs,
the username for the Terminal Server IP is not consistent.

Which action will correct this problem?

A.
Change the FSSO Polling mode to Windows NetAPI.

B.
Configure FSSO Advanced with LDAP integration.

C.
Install the TS/Citrix agent on the terminal server.

D.
Make sure the Terminal Server is using the correct DNS server.

Answer: C
Explanation:

QUESTION NO: 23

Refer to the exhibit.

While deploying a new FortiGate-VMX Security node, an administrator receives the error message
shown in the exhibit.

In this scenario, which statement is correct?

A.
The NSX Manager is not able to connect on the FortiGate Service Manager RestAPI service.

B.
The vCenter is not able to locate the FortiGate-VMX OVF file.

C.
The FortiGate Service Manager does not have the proper permission to register the FortiGate-VMX Service.

D.
The vCenter cannot connect to the FortiGate Service Manager.

Answer: B
Explanation:

QUESTION NO: 24

A customer is experiencing problems with a legacy L3/L4 firewall device and the IPv6 SIP VoIP
traffic. Their device is dropping SIP packets, consequently, it cannot process SIP voice calls.

Which solution will solve the customer's problem?

A.
Replace their legacy device with a FortiGate and deploy a FortiVoice to extract information from
the body of the IPv6 SIP packet.

B.
Deploy a FortiVoice and enable IPv6 SIP.

C.
Deploy a FortiVoice and enable an IPv6 SIP session helper.

D.
Replace their legacy device with a FortiGate and configure it to extract information from the body
of the IPv6 SIP packet.

Answer: A
Explanation:

QUESTION NO: 25

Refer to the exhibit.

A VPN IPsec is connecting the headquarters office (HQ) with a branch office (BO). OSPF is used
to redistribute routes between the offices. After deployment, a server with IP address 10.10.10.35
located on the DMZ network of the BO FortiGate, was reported unreachable from hosts located on
the LAN network of the same FortiGate.

Referring to the exhibit, which statement is true?

A.
The ICMP packets are being blocked by an implicit deny policy.

B.
A directly connected subnet is being partially superseded by an OSPF redistributed subnet.

C.
Enabling NAT on the VPN firewall policy will solve the problem.

D.
The incoming access list should have an accept action instead of a deny action to solve the
problem.

Answer: B
Explanation:

QUESTION NO: 26

A customer has a SCADA environmental control device that is triggering a false-positive IPS alert
whenever the Web GUI of the device is accessed. You cannot create a functional custom IPS filter
to exempt this behavior, and it appears that the device is so old that it does not have HTTPS
support. You need to prevent the false positive IPS alerts from occurring.

In this scenario, which two actions will accomplish this task? (Choose two.)

A.
Create a URL filter with the Exempt action for that device IP address.

B.
Change the relevant firewall policies to use SSL certificate-inspection instead of SSL deep-inspection.

C.
Create a very specific firewall policy for that device IP address which does not perform IPS
scanning.

D.
Reconfigure the FortiGate to operate in proxy-based inspection mode instead of flow-based.

Answer: A,C
Explanation:

QUESTION NO: 27

Refer to the exhibit.

The FortiAP profile used by the FortiGate managed AP is shown in the exhibit.

Which two statements in this scenario are correct? (Choose two.)

A.
Interference will be prevented between FortiAP devices using this profile.

B.
This profile will map specific SSIDs available to the FortiAP devices.

C.
All FortiAP devices using this profile will have Radio 1 monitor wireless clients.

D.
All FortiAP devices using this profile will have Radio 1 scan rogue access points.

Answer: B,D
Explanation:

QUESTION NO: 28

Refer to the exhibit.

The exhibit shows a topology where a FortiGate is split into two VDOMs, root and vd-lan. The root
VDOM provides external SSL-VPN access, where the users are authenticated by a
FortiAuthenticator. The vd-lan VDOM provides internal access to a Web server.

For the remote users to access the internal Web server, there are a few requirements as follows:

• All traffic must come from the SSL-VPN.

• The vd-lan VDOM only allows authenticated traffic to the Web server.

• Users must only authenticate once, using the SSL-VPN portal.

• SSL-VPN uses RADIUS-based authentication.

Given these requirements and the topology shown in the exhibit, which two statements are true?
(Choose two.)

A.
vd-lan connects to FortiAuthenticator as a regular FSSO client.

B.
root is configured for FSSO while vd-lan is configured for RSSO.

C.
root sends "RADIUS Accounting Messages" to FortiAuthenticator.

D.
vd-lan receives authentication messages from root using FSSO.

Answer: A,C
Explanation:

QUESTION NO: 29

A customer wants to use a central RADIUS server for management authentication when
connecting to the FortiGate GUI and to provide different levels of access for different types of
employees.

Which three actions are required to provide the requested functionality? (Choose three.)

A.
Create a wildcard administrator on the FortiGate.

B.
Enable radius-vdom-override in the CLI.

C.
Create multiple administrator profiles with matching RADIUS VSAs.

D.
Enable accprofile-override in the CLI.

E.
Set the RADIUS authentication type to MS-CHAPv2.

Answer: A,C,D
Explanation:

QUESTION NO: 30

Refer to the exhibit.

You need to apply the security features listed below to the network shown in the exhibit.

• High grade DDoS protection

• Web security and load balancing for Server 1 and Server 2

• Solution must be PCI DSS compliant

• Enhanced security to DNS 1 and DNS 2

What are three solutions for this scenario? (Choose three.)

A.
FortiDDoS between FG1 and FG2 and the Internet

B.
FortiADC for VDOM-A

C.
FortiWeb for VDOM-A

D.
FortiADC for VDOM-B

E.
FortiDDoS between FG1 and FG2 and VDOMs

Answer: A,C,D
Explanation:

QUESTION NO: 31

In a FortiGate 5000 series, two FortiControllers are working as an SLBC cluster in a-p mode. The
configuration shown below is applied.

Which statement is true on how new TCP sessions are handled by the Distributor Processor (DP)?

A.
The new session added in the DP session table is automatically deleted, if the traffic is denied by
the processing worker.

B.
No new session is added in the DP session table until the processing worker accepts the traffic.

C.
A new session added in the DP session table remains in the table even if the traffic is denied by
the processing worker.

D.
A new session added in the DP session table remains in the table only if traffic is accepted by the
processing worker.

Answer: C
Explanation:

QUESTION NO: 32

An administrator reports continuous high CPU utilization on a FortiGate device due to the IPS
engine. Consider the global IPS configuration shown below.

Which two configuration actions will reduce the CPU usage? (Choose two.)

A.
Reduce the number of packets being logged.

B.
Increase engine-count to 2.

C.
Enable intelligent mode.

D.
Disable fail open.

Answer: A,C
Explanation:

QUESTION NO: 33

Refer to the exhibit.

You configured an IPsec tunnel to a branch office. Now you want to make sure that the encryption
of the tunnel is offloaded to hardware.

Referring to the exhibit, which statement is true?

A.
Outgoing traffic is offloaded; you cannot determine if incoming traffic is offloaded at this time.

B.
Outgoing traffic is offloaded; incoming traffic not offloaded.

C.
Incoming and outgoing traffic is offloaded.

D.
Traffic is not offloaded.

Answer: B
Explanation:

QUESTION NO: 34

Refer to the exhibit.

You have installed a FortiSandbox and configured it in your FortiMail.

Referring to the exhibit, which two statements are correct? (Choose two.)

A.
If FortiMail is not able to obtain the results from the FortiGuard queries, URIs will not be checked
by the FortiSandbox.

B.
FortiMail will cache the results for 30 minutes.

C.
If the FortiSandbox with IP 10.10.10.3 is not available, the e-mail will be checked by the FortiCloud
Sandbox.

D.
FortiMail will wait up to 30 minutes to obtain the scan results.

Answer: A,D
Explanation:

QUESTION NO: 35

A FortiGate with the default configuration shown below is deployed between two IP telephones.
FortiGate receives the INVITE request shown in the exhibit from Phone A (internal) to Phone B
(external).

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 10.31.101.20:5060
From: PhoneA <sip:[email protected]>
To: PhoneB <sip:[email protected]>
Call-ID: [email protected]
CSeq: 1 INVITE
Contact: sip:[email protected]

v=0
o=PhoneA 5462346 332134 IN IP4 10.31.101.20
c=IN IP4 10.31.101.20
m=audio 49170 RTP 0 3

Which two statements are correct after the FortiGate receives the packet? (Choose two.)

A.
NAT takes place only in the SIP application layer.

B.
A pinhole will be opened to accept traffic sent to the FortiGate WAN IP address.

C.
NAT takes place at both the network and SIP application layers.

D.
A pinhole is not required to accept traffic sent to the FortiGate WAN IP address.

Answer: B,C
Explanation:

QUESTION NO: 36

Refer to the exhibit.

You have two data centers with a FortiGate 7000-series chassis connected by VPN. All traffic
flows over an established generic routing encapsulation (GRE) tunnel between them. You are
troubleshooting traffic that is traversing between Server VLAN A and Server VLAN B. The
performance is lower than expected and you notice all traffic is only going through the FPM in slot
3 while nothing through the FPM in slot 4.

Referring to the exhibit, which statement is true?

A.
Removing traffic shaping from the firewall policy allowing this traffic will allow for load-balancing to
the other module.

B.
Changing the algorithm to take source IP, destination IP and port into account will load balance
this traffic to the other module.

C.
There is no way to load-balance the traffic in this scenario.

D.
Configuring a load-balance flow-rule in the CLI will load-balance this traffic.

Answer: D
Explanation:

QUESTION NO: 37

Refer to the exhibit.

A customer is using dynamic routing to exchange the default route between two FortiGate devices
using OSPFv2. The output of the get router info ospf neighbor command shows that the neighbor
is up, but the default route does not appear in the routing table shown below.

According to the exhibit, what is causing the problem?

A.
FG2 is within the wrong OSPF area.

B.
OSPF requires the redistribution of connected networks.

C.
There is an OSPF interface network-type mismatch.

D.
A prefix for the default route is missing.

Answer: C
Explanation:

QUESTION NO: 38

Refer to the exhibit.

Referring to the firewall policies shown in the exhibit, which two statements are true? (Choose two.)

A.
The IPv4 policy is allowing security profile groups.

B.
The IPv6 traffic for nse8user is filtered using the DNS profile.

C.
The IPv4 traffic for nse8user is filtered using the DNS profile.

D.
The Web traffic for nse8user is being filtered differently in IPv4 and IPv6.

Answer: B,C
Explanation:

QUESTION NO: 39

Refer to the exhibit.

Referring to the exhibit, what will happen if FortiSandbox categorizes an e-mail attachment
submitted by FortiMail as a high risk?

A.
The high-risk file will be discarded by attachment analysis.

B.
The high-risk file will go to the system quarantine.

C.
The high-risk file will be received by the recipient.

D.
The high-risk file will be discarded by malware/virus outbreak protection.

Answer: D
Explanation:

QUESTION NO: 40

Consider the following VDOM configuration:

In which two ways can you establish communication between an existing NAT VDOM and a new
transparent VDOM? (Choose two.)

A.
Set the set ip 10.10.10.1 command to vlink21.

B.
Set the set ip 10.10.10.1 command to vlink20.

C.
Set type ppp to the vdom-link, vlink2.

D.
Set type ethernet to the vdom-link, vlink2.

Answer: B,D
Explanation:

QUESTION NO: 41

Refer to the exhibit.

You log into FortiManager, access the Device Manager window and notice that one of the
managed devices is not in normal status.

Referring to the exhibit, which two statements correctly describe the status and result of the
affected device? (Choose two.)

A.
The device configuration was changed on the local FortiGate side only; auto-update is disabled.

B.
The changed configuration on the FortiGate will remain the next time that the device configuration
is pushed from FortiManager.

C.
The device configuration was changed on both the local FortiGate side and the FortiManager side;
auto-update is disabled.

D.
The changed configuration on the FortiGate will be overwritten in favor of what is on the
FortiManager the next time that the device configuration is pushed.

Answer: C,D
Explanation:

QUESTION NO: 42

A company has just deployed a new FortiMail in gateway mode. The administrator is asked to
strengthen e-mail protection by applying the policies shown below.

• E-mails can only be accepted if a valid e-mail account exists.

• Only authenticated users can send e-mails out.


Which two actions will satisfy the requirements? (Choose two.)

A.
Configure recipient address verification.

B.
Configure inbound recipient policies.

C.
Configure outbound recipient policies.

D.
Configure access control rules.

Answer: A,D
Explanation:

QUESTION NO: 43

Refer to the exhibit.

The exhibit shows the configuration of a service protection profile (SPP) in a FortiDDoS device.

Which two statements are true about the traffic matching being inspected by this SPP? (Choose
two.)

A.
Traffic that does not match any SPP policy will be inspected by this SPP.

B.
FortiDDoS will not send a SYN/ACK if a SYN packet is coming from an IP address that is not in
the legitimate IP (LIP) address table.

C.
FortiDDoS will start dropping packets as soon as the traffic exceeds the configured minimum
threshold.

D.
SYN packets with payloads will be dropped.

Answer: A,D
Explanation:

QUESTION NO: 44

FortiMail is configured with the protected domain "internal.lab".

Which two envelope addresses will need an access control rule to relay e-mail sent for
unauthenticated users? (Choose two.)

A.
MAIL FROM: [email protected]; RCPT TO: [email protected]

B.
MAIL FROM: [email protected]; RCPT TO: [email protected]

C.
MAIL FROM: [email protected]; RCPT TO: [email protected]

D.
MAIL FROM: [email protected]; RCPT TO: [email protected]

Answer: B,C
Explanation:

QUESTION NO: 45

Anti-Virus Real-Time Protection is enabled without any exclusions.

Referring to the exhibit, which two behaviors will the FortiClient endpoint have after receiving the
profile update from the FortiClient EMS? (Choose two.)

A.
Access to a downloaded file will always be allowed after 60 seconds when the FortiSandbox is
reachable.

B.
The user will not be able to access a downloaded file for a maximum of 60 seconds if it is not a
virus and the FortiSandbox is reachable.

C.
Files executed from a mapped network drive will not be inspected by the FortiClient endpoint
AntiVirus engine.

D.
If the Real-Time Protection does not detect a virus, the user will be able to access a downloaded
file when the FortiSandbox is unreachable.

Answer: A,B
Explanation:

QUESTION NO: 46

Refer to the exhibit.

A company has two data centers (DC) connected using a Layer 3 network. Servers in farm A need
to connect to servers in farm B as though they were all in the same Layer 2 segment.

Referring to the exhibit, what is configured on the FortiGate devices on each DC to allow this
connectivity?

A.
Create an IPsec tunnel with VXLAN encapsulation.

B.
Create an IPsec tunnel with VLAN encapsulation.

C.
Create an IPsec tunnel with transport-mode encapsulation.

D.
Create an IPsec tunnel with tunnel-mode encapsulation.

Answer: A
Explanation:
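
A worked configuration for the answer above, added here as an illustration; it is not part of the exam and not taken from Fortinet's documentation. It assumes the DC A FortiGate reaches DC B through wan1, that server farm A is attached to port2, that the IPsec endpoints are 192.0.2.10 (DC A) and 203.0.113.10 (DC B), and a placeholder pre-shared key; the mirror-image configuration goes on the DC B FortiGate. The VXLAN option is the only one that carries Layer 2 frames across the Layer 3 path; "transport-mode" is real FortiOS syntax, but it is the phase 2 encapsulation used underneath VXLAN, not a Layer 2 extension by itself.

```fortios
# DC A FortiGate (FortiOS 6.0 syntax). Interface names, addresses and the PSK
# placeholder are assumptions for this example.
config vpn ipsec phase1-interface
    edit "dc-a-to-dc-b"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        # VXLAN frames are carried inside the IPsec tunnel; the encap gateways
        # are the VXLAN tunnel endpoints, here the same addresses as the IKE peers
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 192.0.2.10
        set encap-remote-gw4 203.0.113.10
        set remote-gw 203.0.113.10
        set psksecret ENTER-A-STRONG-PSK
    next
end
config vpn ipsec phase2-interface
    edit "dc-a-to-dc-b"
        set phase1name "dc-a-to-dc-b"
        set proposal aes256-sha256
        # transport mode protects the VXLAN/UDP payload; the outer IP header is
        # the one routed between the two data centers
        set encapsulation transport-mode
    next
end
# Bridge the tunnel interface with the server-farm port so that farm A and
# farm B share one Layer 2 broadcast domain
config system switch-interface
    edit "farm-bridge"
        set vdom "root"
        set member "port2" "dc-a-to-dc-b"
    next
end
```

Two practitioner checks: the software switch requires the tunnel interface and port2 to be in the same VDOM, and because the bridge forwards broadcast and unknown-unicast traffic across the WAN, keep the bridged segment small and let the firewall policies on the tunnel interface restrict what is allowed between the farms rather than relying on the encapsulation alone.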

QUESTION NO: 47

Refer to the exhibit.

You have deployed several perimeter FortiGate devices with internal segmentation FortiGate
devices behind them. All FortiGate devices are logging to FortiAnalyzer. When you search the logs
in FortiAnalyzer for denied traffic, you see numerous log messages, as shown in the exhibit, on
your perimeter FortiGate device only.

Which two actions will reduce the number of these log messages? (Choose two.)

A.
Disable DNS events logging from FortiGate in the config log fortianalyzer filter section.

B.
Apply an application control profile to the perimeter FortiGate devices that does not inspect DNS
traffic to the outbound firewall policy.

C.
Remove DNS signatures from the IPS profile applied to the outbound firewall policy.

D.
Configure the internal FortiGate devices to communicate to FortiGuard using port 8888.

Answer: A,D
Explanation:

QUESTION NO: 48

Consider the following configuration setting:

Which two statements about local authentication are true? (Choose two.)

A.
The FortiGate will allow the TCP connection when a ClientHello message indicating a
renegotiation is received.

B.
The user’s IP address will be blocked 15 seconds after five login failures.

C.
The user will be blocked 15 seconds after five login failures.

D.
The user will need to re-authenticate after five minutes.

Answer: B,D
Explanation:

QUESTION NO: 49

You are asked to implement a single FortiGate 5000 chassis using Session-aware Load Balance
Cluster (SLBC) with Active-Passive FortiControllers. Both FortiControllers have the configuration
shown below, with the rest of the configuration set to the default values.

Both FortiControllers show Master status.

What is the problem in this scenario?

A.
The b1 interfaces of the two FortiControllers do not see each other.

B.
The management interface of both FortiControllers was connected on the same network.

C.
The chassis ID settings on FortiController on slot 2 should be set to 2.

D.
The priority should be set higher for FortiController on slot-1.

Answer: A
Explanation:

QUESTION NO: 50

You must create a High Availability deployment with two FortiWebs in Amazon Web Services
(AWS), each in a different Availability Zone (AZ) of the same region. At the same time, each
FortiWeb should be able to deliver content from the Web servers of both AZs.

Which deployment would fulfill this requirement?

A.
Configure the FortiWebs in Active-Active HA mode and use AWS Elastic Load Balancer (ELB) for
the internal Web servers.

B.
Use AWS Elastic Load Balancer (ELB) for both the FortiWebs in standalone mode and the internal
Web servers in an ELB sandwich.

C.
Configure the FortiWebs in Active-Active HA mode and use AWS Route 53 to load balance the
internal Web servers.

D.
Use AWS Route 53 to load balance the FortiWebs in standalone mode and use AWS Virtual
Private Cloud (VPC) Peering to load balance the internal Web servers.

Answer: B
Explanation:

QUESTION NO: 51

Refer to the exhibit.

An administrator wants to implement a multi-chassis link aggregation (MCLAG) solution using two
FortiSwitch 448D devices and one FortiGate 3700D. As described in the network topology shown
in the exhibit, two links are already connected from the FortiGate to each FortiSwitch.

Which two actions are required to implement this solution? (Choose two.)

A.
Replace the FortiGate as this one does not have an ISF.

B.
Create two separate link aggregated (LAG) interfaces on the FortiGate side for each FortiSwitch.

C.
Add set fortilink-split-interface disable on the FortiLink interface.

D.
An ICL link between both FortiSwitch devices needs to be added.

Answer: C,D
Explanation:
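
The two required actions above, written out as configuration. This is an added illustration, not part of the exam and not Fortinet's own documentation; the FortiGate port names (port1 to port4), the FortiLink interface name and the ICL ports on the switches (port47 and port48) are assumptions.

```fortios
# FortiGate 3700D (FortiOS 6.0 syntax): one LAG carrying all four links, two
# towards each FortiSwitch. Port names are assumptions for this example.
config system interface
    edit "fortilink"
        set vdom "root"
        set fortilink enable
        set type aggregate
        set member "port1" "port2" "port3" "port4"
        # with the split interface enabled, only the members towards one switch
        # are active; disable it so all four links form one MCLAG-facing LAG
        set fortilink-split-interface disable
    next
end

# On EACH FortiSwitch 448D (FortiSwitchOS CLI): the inter-chassis link (ICL)
# between the two switches. Port numbers are assumptions; the FortiLink trunk
# towards the FortiGate is created automatically once the switch is authorized.
config switch trunk
    edit "mclag-icl"
        set mode lacp-active
        set mclag-icl enable
        set members "port47" "port48"
    next
end
```

Without the ICL the two switches cannot present themselves as one LACP partner, so the FortiGate would keep only the links to one switch active regardless of the split-interface setting. On the FortiSwitch, diagnose switch mclag icl shows whether the ICL peer is up before you rely on the pair for failover.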

QUESTION NO: 52

Refer to the exhibit.

Only users authenticated in FortiGate-B can reach the server. A customer wants to deploy a single
sign-on solution for IPsec VPN users. Once a user is connected and authenticated to the VPN in
FortiGate-A, the user does not need to authenticate again in FortiGate-B to reach the server.

Referring to the exhibit, which two actions satisfy this requirement? (Choose two.)

A.
Use Kerberos authentication.

B.
Use the Collector Agent.

C.
Use FortiAuthenticator.

D.
FortiGate-A must generate a RADIUS accounting packet.

Answer: C,D
Explanation:

QUESTION NO: 53

A FortiGate is used as a VPN hub for a number of remote spoke VPN units (Group A), which
connect using a phase 1 main mode dial-up tunnel with pre-shared keys. You are asked to
establish VPN connectivity for a newly acquired organization's sites, for which new devices
(Group B spokes) will be provisioned.

Both the existing Group A and the new Group B spoke units are dynamically addressed and
terminate on a single public IP address on the hub. You are asked to ensure that the Group B
spokes have different access permissions than the existing Group A spoke units.

Which two solutions meet the requirements for the new spoke group? (Choose two.)

A.
Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the
Group A spokes.

B.
Implement a new phase 1 dial-up main mode tunnel with certificate authentication.

C.
Implement a new phase 1 dial-up main mode tunnel with pre-shared keys and XAuth.

D.
Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer ID.

Answer: C,D
Explanation:
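
A hub-side configuration for answer D, added as an illustration; it is not part of the exam and not Fortinet's own documentation. Interface names, the hub address 198.51.100.1, the peer ID string "groupB", the PSK placeholders and the address objects "groupB-spoke-nets" and "shared-services" (assumed to exist) are all assumptions. The reason option A cannot work is visible in the first entry: in IKEv1 main mode the responder must pick the pre-shared key before it learns the peer's identity, and with dial-up peers behind dynamic addresses there is nothing to pick it by. Aggressive mode sends the ID in the first exchange, so the hub can match a second dial-up entry on it.

```fortios
# Hub FortiGate (FortiOS 6.0 syntax). Names, addresses and PSK placeholders are
# assumptions for this example.
config vpn ipsec phase1-interface
    # existing Group A spokes: main mode, one shared PSK, peer known only by its
    # (dynamic) IP address
    edit "spokes-groupA"
        set type dynamic
        set interface "wan1"
        set mode main
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret GROUP-A-PSK
    next
    # new Group B spokes: aggressive mode, matched on the peer ID the spoke sends
    # in its first message, so the hub selects this entry and its own PSK
    edit "spokes-groupB"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "groupB"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret GROUP-B-PSK
    next
end
config vpn ipsec phase2-interface
    edit "spokes-groupA-p2"
        set phase1name "spokes-groupA"
        set proposal aes256-sha256
    next
    edit "spokes-groupB-p2"
        set phase1name "spokes-groupB"
        set proposal aes256-sha256
    next
end
# Each group terminates on its own tunnel interface, so its permissions are
# whatever the firewall policies using that interface as srcintf allow
config firewall policy
    edit 0
        set name "groupB-to-shared-services"
        set srcintf "spokes-groupB"
        set dstintf "port2"
        set srcaddr "groupB-spoke-nets"
        set dstaddr "shared-services"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# Group B spoke side: present the matching local ID in aggressive mode
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set mode aggressive
        set localid "groupB"
        set remote-gw 198.51.100.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret GROUP-B-PSK
    next
end
```

Caveat for the aggressive mode choice: the identity travels in clear and the PSK-derived authentication hash is visible to anyone who can observe the first exchange, so a weak PSK is exposed to offline guessing. Use a long random PSK per group, and consider answer C (XAuth) or certificates on top if per-device credentials are needed.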

QUESTION NO: 54

You configured a firewall policy with only a Web filter profile for accessing the Internet. Access to
websites belonging to the "Information Technology" category is blocked and access to the "Business"
category is allowed. SSL deep inspection is not enabled on this policy.

A user wants to access the website https://www.it-acme.com, which presents a certificate with
CN=www.acme.com. The it-acme.com domain is categorized as "Information Technology" and the
acme.com domain is categorized as "Business".

Which statement regarding this scenario is correct?

A.
The FortiGate is able to read the URL within HTTPS sessions when using SSL certificate
inspection, so the website will be blocked by the "Information Technology" category.

B.
The website will be blocked by category "Information Technology" as the SNI takes precedence
over the certificate name.

C.
The website will be allowed by category "Business" as the certificate name takes precedence over
the URL.

D.
Only with SSL deep inspection enabled will the FortiGate be able to categorize this website.

Answer: B
Explanation:

QUESTION NO: 55

Refer to the exhibit.

Central NAT was configured on a FortiGate firewall. A sniffer shows that ICMP packets to a host on
the Internet egress with the port1 IP address instead of the virtual IP (VIP) that was configured.

Referring to the exhibit, which configuration change will ensure that ICMP traffic is also translated?

A.

B.

C.

D.

Answer: B
Explanation:

QUESTION NO: 56

A company has just rolled out new remote sites and now you need to deploy a single firewall
policy to all of these sites to allow Internet access using FortiManager. For this particular firewall
policy, the source address object is called LAN, but its value will change according to the site the
policy is being installed.

Which statement about creating the object LAN is correct?

A.
Create a new object called LAN and enable per-device mapping.

B.
Create a new object called LAN and promote it to the global database.

C.
Create a new object called LAN and use it as a variable on a TCL script.

D.
Create a new object called LAN and set meta-fields per remote site.

Answer: A
Explanation:

QUESTION NO: 57

Refer to the exhibit.

You are working on a FortiGate 61E operating in flow-based inspection mode with various settings
optimized for performance. The main Internet firewall policy is using the "default" antivirus profile.
You found that some executable virus sample files downloaded over HTTP are not being blocked
by the FortiGate.

Referring to the exhibit, how can this be fixed?

A.
Change the set scan-mode configuration to full.

B.
Disable the emulator feature.

C.
Change the set default-db configuration to extreme.

D.
Add set content-disarm enable to the configuration.

Answer: A
Explanation:

QUESTION NO: 58

Refer to the exhibit.

An organization has a FortiGate cluster that is connected to two independent ISPs. You must
configure the FortiGate failover for a single ISP failure to occur without disruption.

Referring to the exhibit, which two FortiGate BGP features are enabled to accomplish this task?
(Choose two.)

A.
EBGP multipath

B.
Graceful restart

C.
Synchronization

D.
BFD

Answer: B,D
Explanation:

QUESTION NO: 59

A legacy router has been replaced by a FortiGate device. The FortiGate has inherited the
management IP address of the router and now the network administrator needs to remove the
router from the FortiSIEM configuration.

Which two statements about this operation are true? (Choose two.)

A.
FortiSIEM will move the router device into the Decommission folder.

B.
The router will be completely deleted from the FortiSIEM database.

C.
By default, FortiSIEM can only parse event logs for FortiGate devices.

D.
FortiSIEM will discover a new device for the FortiGate with the same IP.

Answer: A,D
Explanation:

QUESTION NO: 60

You have configured an HA cluster with two FortiGate devices. You want to make sure that you
are able to manage the individual cluster members directly using port3.

Referring to the configuration shown, in which two ways can you accomplish this task? (Choose
two.)

A.
Create a management VDOM and disable the HA synchronization for this VDOM, assign port3 to
this VDOM, then configure specific IPs for port3 on both cluster members.

B.
Configure port3 to be a dedicated HA management interface; then configure specific IPs for port3
on both cluster members.

C.
Allow administrative access in the HA heartbeat interfaces.

D.
Disable the sync feature on port3; then configure specific IPs for port3 on both cluster members.

Answer: A,B
Explanation:
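
Answer B written out as configuration, added as an illustration; it is not part of the exam and not Fortinet's own documentation. The heartbeat port (port4), the management subnet 192.0.2.0/24, its gateway and the per-member addresses are assumptions.

```fortios
# Entered on the primary member (FortiOS 6.0 syntax); the system ha block is
# synchronized to the other member. Port names and addresses are assumptions.
config system ha
    set group-name "edge-cluster"
    set mode a-p
    set password HA-SECRET
    set hbdev "port4" 50
    # reserve port3 as the HA management interface: its address, allowaccess
    # and gateway are kept per member and excluded from configuration sync
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port3"
            set gateway 192.0.2.1
        next
    end
end

# On the primary member
config system interface
    edit "port3"
        set ip 192.0.2.11 255.255.255.0
        set allowaccess ping https ssh
    next
end

# On the secondary member (console, or from the primary with
# "execute ha manage <index> <admin>"): a distinct address on the same subnet
config system interface
    edit "port3"
        set ip 192.0.2.12 255.255.255.0
        set allowaccess ping https ssh
    next
end
```

Two points a practitioner should check: the reserved interface does not use the main routing table, which is why the gateway is set under ha-mgmt-interfaces, and it cannot be referenced in firewall policies, so it is management-only. Keep allowaccess to HTTPS and SSH (no HTTP or Telnet). If SNMP, syslog or FortiAnalyzer traffic must also leave through this interface, set ha-direct enable under config system ha.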
