NSE8_811 : Fortinet NSE 8 Written Exam

Fortinet
NSE8_811
Fortinet NSE 8 Written Exam
https://killexams.com/pass4sure/exam-_d8e1ta1il/NSE8
Question #48 Section 1
Consider the following configuration setting:
ue? (Choose two.)
when a ClientHello message indicating a renegotiation is received. nds after five login failures.
login failures. minutes.
hassis using Session-aware Load Balance Cluster (SLBC) with Active-Passive FortiControllers. Both ith the rest of the configuration set to the default values.
not see each other.
Which two statements about local authentication are tr
1. The FortiGate will allow the TCP connection
2. The user's IP address will be blocked 15 seco
3. The user will be blocked 15 seconds after five
4. The user will need to re-authenticate after five
Answer: BD
Question #49 Section 1
You are asked to implement a single FortiGate 5000 c FortiControllers have the configuration shown below, w
Both FortiControllers show Master status. What is the problem in this scenario?
1. The b1 interface of the two FortiControllers do
The management interface of both FortiControllers was connected on the same network.
The chassis ID settings on FortiController on slot 2 should be set to 2.
The priority should be set higher for FortiController on slot-1.
Answer: A
Question #50 Section 1
You must create a High Availability deployment with two FortiWebs in Amazon Web Services (AWS); each on different Availability Zones (AZ) from the same region. At the same time, each FortiWeb should be able to deliver content from the Web servers of both of the AZs.
Which deployment would fulfill this requirement?
Configure the FortiWebs in Active-Active HA mode and use AWS Elastic Load Balancer (ELB) for the internal Web servers.
Use AWS Elastic Load Balancer (ELB) for both the FortiWebs in standalone mode and the internal Web servers in an ELB sandwich.
Configure the FortiWebs in Active-Active HA mode and use AWS Route 53 to load balance the internal Web servers.
Use AWS Route 53 to load balance the FortiWebs in standalone mode and use AWS Virtual Private Cloud (VPC) Peering to load balance the internal Web servers.
Answer: B
Question #51 Section 1 Refer to the exhibit.
ink aggregation (MCLAG) solution using two FortiSwitch 448D devices and one FortiGate 3700D. As d ach FortiSwitch.
wo.)
ve an ISF.
terfaces on the FortiGate side for each FortiSwitch. FortiLink interface.
needs to be added.
An administrator wants to implement a multi-chassis l escribed in the network topology shown in the exhibit, two links are already connected from the FortiGate to e
What is required to implement this solution? (Choose t
1. Replace the FortiGate as this one does not ha
2. Create two separate link aggregated (LAG) in
3. Add set fortilink-split-interface disable on the
4. An ICL link between both FortiSwitch devices
Answer: CD
Question #52 Section 1 Refer to the exhibit.
Only users authenticated in FortiGate-B can reach the server. A customer wants to deploy a single sign-on solution for IPsec VPN users. Once a user is connected and authenticated to the VPN in FortiGate-A, the user does not need to authenticate again in FortiGate-B to reach the server.
Referring to the exhibit, which two actions satisfy this requirement? (Choose two.)
Use Kerberos authentication.
Use the Collector Agent.
Use FortiAuthenticator.
FortiGate-A must generate a RADIUS accounting packet.
Answer: CD
Question #53 Section 1
A FortiGate is used as a VPN hub for a number of remote spoke VPN units (Group A) spokes using a phase 1 main mode dial-up tunnel and pre-shared keys. You are asked to establish VPN connectivity for a newly acquired organization's sites for which new devices will be provisioned Group B spokes.
Both existing Group A and new Group B spoke units are dynamically addressed through a single public IP Address on the hub. You are asked to ensure that spokes from Group B have different access permissions than the existing VPN spokes units Group A.
Which two solutions meet the requirements for the new spoke group? (Choose two.)
Implement a new phase 1 dial-up main mode tunnel with a different pre-shared key than the Group A spokes.
Implement a new phase 1 dial-up main mode tunnel with certificate authentication.
Implement a new phase 1 dial-up main mode tunnel with pre-shared keys and XAuth.
Implement separate phase 1 dial-up aggressive mode tunnels with a distinct peer ID.
profile for accessing the Internet. Access to websites belonging to the "Information Technology" categ licy.
e.com which presents a certificate with CN=www.acme.com. The it-acme.com domain is categorized as categorized as "Business".
TTPS sessions when using SSL certificate inspection so the website will be blocked by the "Informati ormation Technology" as the SNI takes precedence over the certificate name.
iness" as the certificate name takes precedence over the URL. he FortiGate be able to categorized this website.
Answer: CD
Question #54 Section 1
You configured a firewall policy with only a Web filter ory are blocked and to the "Business" category are allowed. SSL deep inspection is not enabled on this po
A user wants to access the website https://www.it-acm "Information Technology" and the acme.com domain is Which statement regarding this scenario is correct?
The FortiGate is able to read the URL within H on Technology".
The website will be blocked by category "Inf
The website will be allowed by category "Bus
Only with SSL deep inspection enabled will t
Answer: B
Question #55 Section 1 Refer to the exhibit.
sniffer shows ICMP packets out to a host on the Internet egresses with the port1 IP address instead of ill ensure that ICMP traffic is also translated?
Central NAT was configured on a FortiGate firewall. A the virtual IP (VIP) that was configured
Referring to the exhibit, which configuration change w A.
B.
C.
D.
Answer: B
Question #56 Section 1
A company has just rolled out new remote sites and now you need to deploy a single firewall policy to all of these sites to allow Internet access using FortiManager. For this particular firewall policy, the source address object is called LAN, but its value will change according to the site the policy is being installed. Which statement about creating the object LAN is correct?
er-device mapping.
it to the global database.
a variable on a TCL script. fields per remote site.
1. Create a new object called LAN and enable p
2. Create a new object called LAN and promote
3. Create a new object called LAN and use it as
4. Create a new object called LAN and set meta-
Answer: A
Question #57 Section 1 Refer to the exhibit.
You are working on FortiGate 61E operating in flow-based inspection mode with various settings optimized for performance. The main Internet firewall policy is using the "default" antivirus profile. You found that some executable virus samples files downloaded over HTTP are not being blocked by the FortiGate.
Referring to the exhibit, how can this be fixed?
Change the set scan-mode configuration to full.
Disable the emulator feature.
Change the set default-db configuration to extreme.
Add set content-disarm enable to the configuration.
Answer: A
ed to two independent ISPs. You must configure the FortiGate failover for a single ISP failure to occur without tures are enabled to accomplish this task? (Choose two.)
ce. The FortiGate has inherited the management IP address of the router and now the network administra Choose two.)
the Decommission folder.
FortiSIEM database.
Question #58 Section 1 Refer to the exhibit.
An organization has a FortiGate cluster that is connect disruption.
Referring to the exhibit, which two FortiGate BGP fea
1. EBGP multipath
2. Graceful restart
3. Synchronization
4. BFD
Answer: BD
Question #59 Section 1
A legacy router has been replaced by a FortiGate devi tor needs to remove the router from the FortiSIEM configuration.
Which two statements about this operation are true? (
1. FortiSIEM will move the router device into
2. The router will be completely deleted from the
3. By default, FortiSIEM can only parser event logs for FortiGate devices.
FortiSIEM will discover a new device for the FortiGate with the same IP.
Answer: AD
Question #60 Section 1
You have configured an HA cluster with two FortiGate devices. You want to make sure that you are able to manage the individual cluster members directly using port3.
Referring to the configuration shown, in which two ways can you accomplish this task? (Choose two.)
Create a management VDOM and disable the HA synchronization for this VDOM, assign port3 to this VDOM, then configure specific IPs for port3 on both cluster members.
Configure port3 to be a dedicated HA management interface; then configure specific IPs for port3 on both cluster members.
Allow administrative access in the HA heartbeat interfaces.
ure specific IPs for port3 on both cluster members.
Disable the sync feature on port3; then config
Answer: AB

User: Orina***** After practicing with Killexams.com for a few weeks, I passed the nse8_811 exam. The questions and answers provided were accurate, and I was able to answer the questions easily because they were taken from the real exam. Thanks to Killexams.com, I was able to score higher than I had hoped for, and I am relieved to have passed the exam.

User: Maryana***** Thank you, Killexams.com! I passed my FORTINET NSE 8 WRITTEN EXAM exam with 92% marks, and your Question Bank was very beneficial. If everyone practices 100% with your questions set and memorizes them well, they will undoubtedly succeed. I have passed three other tests with the help of your website, and I am truly grateful for the excellent material you consistently provide.

User: Orel***** Killexams.com proved to be an exceptional resource in helping me achieve success on my NSE8_811 exam, with over 90% of the practice test questions being accurate. Their dedication to regularly updating their materials ensures they remain a dependable and trustworthy platform. As a frequent user, I am grateful for their comprehensive test prep resources and look forward to utilizing them for future certifications, hopefully with a discount on my next purchase.

User: Sebastian***** When my father questioned whether I would fail the NSE8_811 exam, I confidently assured him I would not, thanks to killexams.com’s testprep resources. Their materials bolstered my self-assurance, enabling me to pass with flying colors and make my father proud. I am thankful for their invaluable assistance in achieving my goals.

User: Tatia***** If you find yourself short on time and need to successfully pass the nse8_811 exam, then Killexams.com is absolutely the solution you are looking for. Their user-friendly exam simulator, combined with authentic questions and answers, made studying for the exam incredibly straightforward. I wholeheartedly attribute my success to Killexams.com.

---