NSE8_812 Network Security Expert 8 Written Exam Questions and Answers

B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.

D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F. This means that it will be less likely to drop traffic even under heavy load.

The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC interfaces will not change the throughput capacity of the device.

References:

FortiDDoS 200F Datasheet | Fortinet Document Library

FortiDDoS 1500F Datasheet | Fortinet Document Library

High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/810981/sd-wan-segmentation-over-a-single-overlay

https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-VRRP-HA-configuration-in-Azure-Public/ta-p/267503 https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-HA-setup-and-troubleshooting/ta-p/222998

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/238665/authentication-policy-extensions

To retrieve an SSO group called SalesGroup using the FortiAuthenticator REST API, the following issues need to be fixed in the API call:

The API version should be v2, not v1, as SSO groups are only supported in version 2 of the REST API.

The HTTP method should be GET, not POST, as GET is used to retrieve information from the server, while POST is used to create or update information on the server. Therefore, a correct API call would look like this: curl -X GET -H “Authorization: Bearer ” https://fac.example.com/api/v2/sso/groups/SalesGroup References: https://docs.fortinet.com/document/fortiauthenticator/6.4.1/rest-api-solution-guide/927310/introduction https://docs.fortinet.com/document/fortiauthenticator/6.4.1/rest-api-solution-guide/927311/sso-groups

The OSPF configuration shown in the exhibit is using the default priority value of 1 for the interface port1. This means that FGT_3 will participate in the DR/BDR election process with the other OSPF routers on the same LAN segment. However, this is not desirable because FGT_3 is a new device that needs to be added to the OSPF network without affecting the existing DR/BDR election. Therefore, to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election, the priority value of the interface port1 should be changed to 0. This will prevent FGT_3 from becoming a DR or BDR and allow it to form OSPF adjacencies with the current DR and BDR. Option B shows the correct configuration that changes the priority value to 0. Option A is incorrect because it does not change the priority value. Option C is incorrect because it changes the network type to point-to-point, which is not suitable for a LAN segment with multiple OSPF routers. Option D is incorrect because it changes the area ID to 0.0.0.1, which does not match the area ID of the other OSPF routers on the same LAN segment. References:https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/358640/basic-ospf-example

References:

Configuring SSL VPN authentication using digital certificates | FortiGate / FortiOS 7.2.0 - Fortinet Document Library

Online Certificate Status Protocol (OCSP) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library

Certificate Revocation Lists (CRLs) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library

C. The antivirus database queries FortiGuard with the hash of a scanned file. This is how the FortiGuard VOS service works. The FortiGate queries FortiGuardwith the hash of a scanned file, and FortiGuard returns a list of known malware signatures that match the hash.

E. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database. This is where the FortiGuard VOS service gets its hash signatures from. The FortiGuard Global Threat Intelligence database is updated regularly with new malware signatures.

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/889364/fortiguard-outbreak-prevention

The FortiGate VM is a virtual firewall appliance that can run on various hypervisors, such as ESXi, Hyper-V, KVM, etc. The adapter type for NICs on a FortiGate VM determines the performance and compatibility of the network interface cards with the hypervisor and the physical network. There are different adapter types available for NICs on a FortiGate VM, such as E1000, VMXNET3, SR-IOV, etc. If performance is the main concern and cost is not a factor, one option is to use native ESXi networking with VMXNET3 adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor. VMXNET3 is a paravirtualized network interface card that is optimized for performance in virtual machines and supports features such as multiqueue support, Receive Side Scaling (RSS), Large Receive Offload (LRO), IPv6 offloads, and MSI/MSI-X interrupt delivery. Native ESXi networking means that the FortiGate VM uses the standard virtual switch (vSwitch) or distributed virtual switch (dvSwitch) provided by the ESXi hypervisor to connect to the physical network. This option can provide high performance and compatibility for NICs on a FortiGate VM without requiring additional hardware or software components. References: https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/installing-fortigate-vm-on-vmware-esxi https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/networking

C. The IP address of the FortiSwitch is 10.12.240.2:This statement is correct based on the exhibit and your clarification. The exhibit lists the "IP Address" as 10.12.240.2 across multiple entries, including ports and VLANs associated with the device "sup-fgt-hw" (FortiSwitch). Your reasoning indicates that this IP is the management address of the FortiSwitch, as it is consistently shown as the IP for the device containing the ports. In Fortinet’s architecture, as described in the NSE 8 study guide, the management IP of a FortiSwitch is typically configured and visible in such configurations, especially when integrated with FortiGate and FortiNAC. The "Device" column labeling "sup-fgt-hw" further supports that this is the FortiSwitch, and the IP 10.12.240.2 is its management address. This aligns with FortiSwitch management and integration details in the NSE 8 study guide.

D. An unknown host is connected to port3:This statement is correct as the exhibit highlights port3 under the "Name" column for the device "sup-fgt-hw" with a "Rogue Host" status in the "Connection" column, an IP address of 10.12.240.2, a Default VLAN of 100, and an Operational Status of "Link Up." In FortiNAC, a "Rogue Host" indicates an unknown or unauthorized device connected to the network, which FortiNAC identifies for further action or isolation. This is consistent with FortiNAC’s capabilities for detecting and classifying unknown devices, as detailed in the NSE 8 study guide under network access control and rogue device detection.

Why A and B are incorrect:

A. A device that is modeled in FortiNAC is connected on VLAN_4093: This is incorrect based on your clarification that there is no device connected on that port—it is simply the default VLAN (4093) for that entry. The exhibit shows VLAN_4093 with a "Not Connected" status and "Link Up" operational status, but no active device connection is indicated. The NSE 8 study guide emphasizes that FortiNAC requires an active connection and device profiling for a device to be considered "connected," which is not evident here for VLAN_4093.

B. Port8 is connected to a FortiGate in FortiLink mode: This is incorrect because the exhibit shows port8 with a "Learned Uplink" status, which, as you noted, refers to any kind of uplink and does not specifically indicate FortiLink mode. FortiLink mode is a specific configuration between FortiGate and FortiSwitch requiring explicit settings, which are not mentioned or implied in the exhibit. The NSE 8 study guide clarifies that FortiLink mode involves distinct configuration details (e.g., FortiLink interfaces), which are absent here.

Fortinet Network Security Expert 8 Study Guide References:

FortiNAC 7.2 Admin Guide (NSE 8): Sections on Device Visibility, VLAN Management, and Rogue Device Detection.

FortiSwitch 7.2 Admin Guide (NSE 8): Sections on FortiLink Configuration, Network Segmentation, and Management IP Configuration.

FortiGate 7.2 Admin Guide (NSE 8): Sections on Integration with FortiNAC and FortiSwitch for Network Security.

https://help.fortinet.com/fddos/4-3-0/FortiDDoS/Built_in_bypass.htm

The soft reconfigure is correct by elimination (FGTs all support BGP Refresh, so question is not worded correctly - to refresh routes in advertisements, there is no need to do manually anything, after the change is committed to config FGT will send BGP Refresh message to the peers to notify them of it. The same is true for Cisco and Juniper routers. The question should ask "when routing policy was changed" - then yes, reconfiguraiton is the way to notify BGP peers that BGP policy was changed.

the access point will require about 24.5 W of power and the 124E-FPOE has a Capacity of about 370 meaning 25x12 = 300 so you left with about 70 W on the switch meaning you can still add two more access point on that switch.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-perform-zero-touch-provisioning-with/ta-p/197623