Fortinet NSE8-811 Exam Questions
Questions for the NSE8-811 were updated on : Nov 14 ,2024
Page 1 out of 5. Viewing questions 1-15 out of 65
Question 1
Refer to the exhibit.
The exhibit shows a full-mesh topology between FortiGate and FortiSwitch devices. To deploy this
configuration, two requirements must be met:
20 Gbps full duplex connectivity is available between each FortiGate and the FortiSwitch devices
The FortiGate HA must be in AP mode
Referring to the exhibit, what are two actions that will fulfill the requirements? (Choose two.)
- A. Configure the master FortiGate with one LAG and FortiLink split interface disabled on ports connected to cables A and C and make sure the same ports are used for cables B and D on the slave.
- B. Configure the master FortiGate with one LAG and FortiLink split interface enabled on ports connected to cables A and C and make sure the same ports are used for cables B and D on the slave.
- C. Configure both FortiSwitch devices as peers with ICL over cable E, create one MCLAG on ports connected to cables A and C, and create another MCLAG on ports connected to cables B and D.
- D. Configure both FortiSwitch devices as peers with ISL over cable E, create one MCLAG on ports connected to cables A and C, and create another MCLAG on ports connected to cables B and D.
Answer:
AC
Question 2
You want to manage a FortiCloud service. The FortiGate shows up in your list devices on the
FortiCloud Web site, but all management functions are either missing or grayed out.
Which statement a correct in this scenario?
- A. The managed FcrtGate a running a version of ForflOS that is either too new or too for FortCloud.
- B. The managed FortiGate requires that a FortiCloud management license be purchased and applied.
- C. You must manually configure system control-management on the FortiGate CLI and set the management type to fortiguard.
- D. The management tunnel mode on the managed FortiGate must be changed to normal.
Answer:
C
Question 3
Exhibit
Click the Exhibit button. The exhibit shows the steps for creating a URL rewrite policy on a FortiWeb.
Which statement represents the purpose of this policy?
- A. The policy redirects all HTTP URLs to HTTPS.
- B. The policy redirects all HTTPS URLs to HTTP.
- C. The policy redirects only HTTPS URLs containing the ˆ/ (. *) S string to HTTP.
- D. The pokey redirects only HTTP URLs containing theˆ/ ( .*)S string to HTTPS.
Answer:
A
Explanation:
https://help.fortinet.com/fweb/581/Content/FortiWeb/fortiweb-
admin/application_delivery.htm#application_delivery_1557589163_940788
Question 4
You are asked to add a FortiDDoS to the network to combat detected slow connection attacks such as
Slowloris.
Which prevention mode on FortiDDoS will protect you against this specific type of attack?
- A. aggressive aging mode
- B. rate limiting mode
- C. blocking mode
- D. asymmetric mode
Answer:
A
Explanation:
https://help.fortinet.com/fddos/4-3-0/FortiDDoS/Understanding_FortiDDoS_Prevention_Mode.htm
Question 5
You are building a FortiGala cluster which is stretched over two locations. The HA connections for the
cluster are terminated on the data centers. Once the FortiGates have booted, they do form a cluster.
The network operators inform you that CRC eoors are present on the switches where the FortiGAtes
are connected.
What would you do to solve this problem?
- A. Replace the caables where the CRC errors occur.
- B. Change the ethertype for the HA packets.
- C. Set the speedduplex setting to 1 Gbps /Full Duplex.
- D. Place the HA interfaces in dedicated VLANs.
Answer:
B
Explanation:
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-high-
availability/HA_failoverHeartbeat.htm#Heartbea
Question 6
You want to access the JSON API on FortiManager to retrieve information on an object.
In this scenario, which two methods will satisfy the requirement? (Choose two.)
- A. Make a call with the Web browser on your workstation.
- B. Make a call with the SoapUl API tool on your workstation.
- C. Download the WSDL file from FortiManager administration GUI.
- D. Make a call with the curl utility on your workstation
Answer:
AD
Question 7
Exhibit
You created a custom health-check for your FortiWeb deployment.
Referring to the output shown in the exhibit, which statement is true?
- A. The FortiWeb must receive an RST packet from the server.
- B. The FortiWeb must receive an HTTP 200 response code from the server.
- C. The FortiWeb must receive an ICMP Echo Request from the server.
- D. The FortiWeb must match the hash value of the page index html.
Answer:
B
Question 8
Click the exhibit.
You created an aggregate interface between your FortiGate and a switch consisting of two 1 Gbps
links as shown in the exhibit. However, the maximum bandwidth never exceeds. 1 Gbps and
employees are complaining that the network is slow. After troubleshooting, you notice only one
member interface is being used. The configuration for the aggregate interface is shown in the
exhibit.
In this scenario, which command will solve this problem?
- A. config system interface edit Agg1 set min-links 2 end
- B. config system interface edit Agg1 set weight 2 end
- C. config system interface edit Agg1 set Algorithm L4 end
- D. config system interface edit Agg1 set lacp-mode active end
Answer:
C
Question 9
Click the exhibit button.
A FortiGate device is configured to authenticate SSL VPN users using digital certificates. Part of the
FortiGate configuration is shown in the exhibit.
Which two statements are true in this scenario? (Choose two.)
- A. The authentication will fail if the OCSP server is down.
- B. OCSP is used to verify that the user-signed certificate has not expired.
- C. The authentication will fail if the certificate does not contain user principle name (UPN) information.
- D. The authentication will fail if the user certificate does not contain the CA_Cert string in the Failed.
Answer:
AC
Explanation:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48218
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-
integrated-certificate-authentication
Question 10
Click the Exhibit button.
Referring to the exhibit, which command-line option for deep inspection SSL would have the
FortiGate re-sign all untrusted self-signed certificates with the trusted Fortinet_CA_SSL certificate?
- A. allow
- B. block
- C. ignore
- D. inspect
Answer:
C
Explanation:
https://help.fortinet.com/cli/fos60hlp/60/Content/FortiOS/fortiOS-cli-ref/config/firewall/ssl-ssh-
profile.htm
Question 11
Exhibit
Click the Exhibit button.
A FortiGate is configured for a dial-up IPsec VPN to allow multiple remote FortiGates to connect to it.
However, FortiGates A and B have problems connecting to the VPN. Only one of them can be
connected at a time. If site B tries to connect white site A is connected, site A is disconnected. The
IKE real time debug shows the output in the exhibit when site A is disconnected.
Which configuration setting should be executed in the dial-up configuration to allow both VPNs to be
connected at the same time?
- A. set enforce-unique-id disable
- B. set add-router enable
- C. set single-source disable
- D. set router-overlap allow
Answer:
D
Explanation:
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/487941/vpn-ipsec-phase2-
interface-phase2
Question 12
A customer wants to enable SYN Rood mitigation in a FortiDDoS device. The FortiDDoS must reply
with one SYN/ACK packet per SYN packet ftom a new source IP address. Which SYN packet from a
new source IP address.
Which SYN flood mitigation mode must the customer use?
- A. SYN cookie
- B. SYN/ACK cookie
- C. ACK cookie
- D. SYN retransmission
Answer:
A
Question 13
Click the Exhibit button.
You configured AV and Web filtering for your outgoing Internet connections. You later noticed that
not all Web sessions are being inspected and you start troubleshooting the problem.
Referring to the exhibit, what would cause this problem?
- A. The Web session is using QUIC which a not inspected by the FortiGate
- B. These are problem with the connection to the Web filter servers, therefore the Web session cannot be categorized.
- C. The SSL inspection options are not set to inspection
- D. Web filtering is not licensed, therefore no inspection occurs.
Answer:
A
Question 14
You are administrating the FortiGate 5000 and FortiGate 7000 series products. You want to access the
HTTPS GU of the blade located n logical slot of the secondary chassis in a high-availability cluster.
Which URL will accomplish this task?
- A. https//192.168.1.99.44302
- B. https//192.168.1.99.44313
- C. https//192.168.1.99.44322
- D. https//192.168.1.99.44323
Answer:
D
Question 15
Click the Exhibit button.
Referring to the exhibit, which two statements are true? (Choose two.)
- A. port13 and port14 on FS448D-A should be connected to port13 and port14 on FS448D-B.
- B. LAG-1 and LAG 2 should be connected to a single 4-port 802 3ad interface on the FortiGate-A.
- C. LAG-3 on switches on FS448D-A and FS448D-B may be connected to a single 802 3ad trunk on another device.
- D. LAG-1 and LAG-2 should be connected to a 4-port single 802 3ad trunk on another device.
Answer:
AC
Explanation:
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-managing-
fortiswitch/Stacking.htm