We provide certified Fortinet NSE8 practice questions, which are the best for clearing the NSE8 test and getting certified in the Fortinet Network Security Expert 8 Written Exam (801). The NSE8 Questions & Answers cover all the knowledge points of the real NSE8 exam. Crack your Fortinet NSE8 exam with the latest dumps, guaranteed!
Q21. A customer wants to implement a RADIUS Single Sign On (RSSO) solution for multiple FortiGate devices. The customer’s network already includes a RADIUS server that can generate the logon and logoff accounting records. However, the RADIUS server can send those records to only one destination.
What should the customer do to overcome this limitation?
A. Send the RADIUS records to an LDAP server and add the LDAP server to the FortiGate configuration.
B. Send the RADIUS records to an RSSO Collector Agent.
C. Send the RADIUS records to one of the FortiGate devices, which can replicate them to the other FortiGate units.
D. Use the RADIUS accounting proxy feature available in FortiAuthenticator devices.
Answer: B
References: http://docs.fortinet.com/uploaded/files/1937/fortigate-authentication-52.pdf
Q22. You notice that your FortiGate’s memory usage is very high and that the unit’s performance is adversely affected. You want to reduce memory usage.
Which three commands would meet this requirement? (Choose three.)
A.
B.
C.
D.
E.
Answer: A,D,E
Q23. You are an administrator of FortiGate devices that use FortiManager for central management. You need to add a policy on an ADOM, but upon selecting the ADOM drop-down list, you notice that the ADOM is in a locked state. Workflow mode is enabled on your FortiManager to define an approval or notification workflow when creating and installing policy changes.
What caused this problem?
A. Another administrator has locked the ADOM and is currently working on it.
B. There is pending approval waiting from a previous modification.
C. You need to use set workspace-mode workflow on the CLI.
D. You have read-only permission on Workflow Approve in the administrator profile.
Answer: D
References: http://docs.fortinet.com/uploaded/files/2250/FortiManager-5.2.1-Administration-Guide.pdf
Q24. Referring to the exhibit, you want to know if aggregating port7 and port22 will work. Which statement is correct?
A. Yes, LACP is supported on all ports regardless if they are connected to the same NP6.
B. No, LACP is not supported on NP6 platforms.
C. No, LACP is only supported on ports connected to the same NP6.
D. Yes, LACP is supported on ports that are linked together with integrated Switch Fabric.
Answer: C
References: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/NP6.htm
Q25. You want to enable traffic between 2001:db8:1::/64 and 2001:db8:2::/64 over the public IPv4 Internet.
Given the CLI configuration shown in the exhibit, which two additional settings are required on this device to implement tunneling for the IPv6 transition? (Choose two.)
A. IPv4 firewall policies to allow traffic between the local and remote IPv6 subnets.
B. IPv6 static route to the destination phase2 destination subnet.
C. IPv4 static route to the destination phase2 destination subnet.
D. IPv6 firewall policies to allow traffic between the local and remote IPv6 subnets.
Answer: B,D
References: http://docs.fortinet.com/uploaded/files/1969/IPv6%20Handbook%20for%20FortiOS%205.2.pdf
Q26. A café offers free Wi-Fi. Customers’ portable electronic devices often do not have antivirus software installed and may be hosting worms without their knowledge. You must protect all customers from any other customers’ infected devices that join the same SSID.
Which step meets the requirement?
A. Enable deep SSH inspection with antivirus and IPS.
B. Use a captive portal to redirect unsecured connections such as HTTP and SMTP to their secured equivalents, preventing worms on infected clients from tampering with other customer traffic.
C. Use WPA2 encryption and configure a policy on FortiGate to block all traffic between clients.
D. Use WPA2 encryption, and enable “Block Intra-SSID Traffic”.
Answer: B
Q27. Which command detects where a routing path is broken?
A. exec traceroute <destination>
B. exec route ping <destination>
C. diag route null
D. diag debug route <destination>
Answer: A
Q29. You verified that application control is working for previously configured categories. You just added Skype to the blocked signatures. However, after applying the profile to your firewall policy, clients running Skype can still connect and use the application.
What are two causes of this problem? (Choose two.)
A. The application control database is not updated.
B. SSL inspection is not enabled.
C. A client on the network was already connected to the Skype network and serves as a relay prior to configuration changes to block Skype.
D. The FakeSkype.botnet signature is included on your application control sensor.
Answer: A,B
Q30. An administrator wants to assign static IP addresses to users connecting to tunnel-mode SSL VPN. Each SSL VPN user must always get the same unique IP address, which is never assigned to any other user.
Which solution accomplishes this task?
A. TACACS+ authentication with an attribute-value (AV) pair containing each user’s IP address.
B. RADIUS authentication with each user’s IP address stored in a Vendor Specific Attribute (VSA).
C. LDAP authentication with an LDAP attribute containing each user’s IP address.
D. FSSO authentication with an LDAP attribute containing each user’s IP address.
Answer: D