getcertified4sure.com

NSE8 Exam

Top Tips Of NSE8 software





Q11. Referring to the diagram shown in the exhibit, you deployed VRRP load balancing using two FortiGate units and two VRRP groups with a VRRP virtual MAC address enabled on both FortiGate’s port2 interface. During normal operation, both FortiGate units are processing traffic and the VRRP groups are used to load balance the traffic between the two FortiGate units.

 

If FortiGate unit A fails, what would happen?

A. The FortiGate Unit B port2 interface sends gratuitous ARPs to associate the VRRP virtual router IP address with its own MAC address, and all traffic fails over to it.

B. The FortiGate Unit B port2 interface will use virtual MAC addresses of 00-00-5e-00-01-05 and 00-00-5e-00-01-0a, and all traffic fails over to it.

C. The FortiGate Unit B port2 interface will use virtual MAC addresses of 00-a0-5e-00-01-05 and 00-a0-5e-00-01-0a, and all traffic fails over to it.

D. The FortiGate Unit B port2 interface will use the physical MAC addresses of the FortiGate Unit A port2 interface, and all traffic fails over to it.

Answer: B

Explanation:

If the primary fails, the secondary device uses the virtual MAC address to forward traffic.


Q12. You are asked to establish a VPN tunnel with a service provider using a third-party VPN device. The service provider has assigned subnet 30.30.30.0/24 for your outgoing traffic going towards the services hosted by the provider on network 20.20.20.0/24. You have multiple computers which will be accessing the remote services hosted by the service provider.

 

Which three configuration components meet these requirements? (Choose three.)

A. Configure an IP Pool of type Overload for range 30.30.30.10-30.30.30.10. Enable NAT on a policy from your LAN towards the VPN tunnel and select that pool.

B. Configure IPsec phase 2 proxy IDs for a source of 10.10.10.0/24 and destination of 20.20.20.0/24.

C. Configure an IP Pool of Type One-to-One for range 30.30.30.10-30.30.30.10. Enable NAT on a policy from your LAN towards the VPN tunnel and select that pool.

D. Configure a static route towards the VPN tunnel for 20.20.20.0/24.

E. Configure IPsec phase 2 proxy IDs for a source of 30.30.30.0/24 and destination of 20.20.20.0/24.

Answer: C,D,E


Q13. A customer wants to implement a RADIUS Single Sign On (RSSO) solution for multiple FortiGate devices. The customer’s network already includes a RADIUS server that can generate the logon and logoff accounting records. However, the RADIUS server can send those records to only one destination.

What should the customer do to overcome this limitation?

A. Send the RADIUS records to an LDAP server and add the LDAP server to the FortiGate configuration.

B. Send the RADIUS records to an RSSO Collector Agent.

C. Send the RADIUS records to one of the FortiGate devices, which can replicate them to the other FortiGate units.

D. Use the RADIUS accounting proxy feature available in FortiAuthenticator devices.

Answer: B

Explanation:

References:

http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf


Q14. The SECOPS team in your company has started a new project to store all logging data in a disaster recovery center. All FortiGates will log to a secondary FortiAnalyzer and establish a TCP session to send logs to the syslog server.

Which two configurations will achieve this goal? (Choose two.)

A.  

B.  

C.  

D.  

Answer: A,C

Explanation:

https://forum.fortinet.com/tm.aspx?m=122848


Q15. You have implemented FortiGate in transparent mode as shown in the exhibit. User1 from the Internet is trying to access the 192.168.10.10 Web servers.

 

Which two statements about this scenario are true? (Choose two.)

A. User1 would be able to access the Web server intermittently.

B. User1 would not be able to access any of the Web servers at all.

C. FortiGate learns the Web servers' MAC address when the Web servers transmit packets.

D. FortiGate always floods packets to both Web servers at the same time.

Answer: A,C

Explanation:

Both servers have the same IP address, so there will be intermittent web server connectivity from outside, and FortiGate learns the MAC address of whichever web server forwards packets.


Q16. There is an interface-mode IPsec tunnel configured between FortiGate1 and FortiGate2. You want to run OSPF over the IPsec tunnel. On both FortiGates, the IPsec tunnel is based on physical interface port1. Port1 has the default MTU setting on both FortiGate units.

Which statement is true about this scenario?

A. A multicast firewall policy must be added on FortiGate1 and FortiGate2 to allow protocol 89.

B. The MTU must be set manually in the OSPF interface configuration.

C. The MTU must be set manually on the IPsec interface.

D. An IP address must be assigned to the IPsec interface on FortiGate1 and FortiGate2.

Answer: B

Explanation:

If the MTU doesn't match, the neighborship gets stuck in the Exchange state.


Q17. The exhibit shows an LDAP server configuration in a FortiGate device. 

 

The LDAP user, John Smith, has the following LDAP attributes:

 

John Smith’s LDAP password is ABC123.

Which CLI command should you use to test the LDAP authentication using John Smith’s credentials?

A. diagnose test authserver ldap Lab jsmith ABC123

B. diagnose test authserver ldap-direct Lab jsmith ABC123

C. diagnose test authserver ldap Lab ‘John Smith’ ABC123

D. diagnose test authserver ldap-direct Lab john ABC123

Answer: A

Explanation:

References: https://forum.fortinet.com/tm.aspx?m=119178


Q18. A customer is authenticating users using a FortiGate and an external LDAP server. The LDAP user, John Smith, cannot authenticate. The administrator runs the debug command diagnose debug application fnbamd 255 while John Smith attempts the authentication:

Based on the output shown in the exhibit, what is causing the problem?

 

A. The LDAP administrator password in the FortiGate configuration is incorrect.

B. The user, John Smith, does have an account in the LDAP server.

C. The user, John Smith, does not belong to any allowed user group.

D. The user, John Smith, is using an incorrect password.

Answer: A

Explanation:

FortiGate could not bind to the LDAP server because authentication failed.


Q19. Referring to the exhibit, which statement is true?

 

A. The packet failed the HMAC validation.

B. The packet did not match any of the local IPsec SAs.

C. The packet was protected with an unsupported encryption algorithm.

D. The IPsec negotiation failed because the SPI was unknown.

Answer: A

Explanation:

http://kb.fortinet.com/kb/viewContent.do?externalId=FD33101


Q20. You are investigating a problem related to FTP active mode. You use a test PC with IP address 10.100.60.5 to connect to the FTP server at 172.16.133.50 and transfer a large file. The FortiGate translates source address (SNAT) in network 10.100.60.0/24 to the IP address 172.16.133.1.

Which two groups of CLI commands allow you to see information related to this FTP connection? (Choose two.)

A.  

B.  

C.  

D.  

Answer: A,D

Explanation:

FTP active uses port 21 and passive uses port 20.