NSE8 Exam - NSE8

NEW QUESTION 1
Referring to the exhibit, you want to know if aggregating port7 and port22 will work. Which statement is correct?

• A. Yes, LACP is supported on all ports regardless if they are connected to the same NP6.
• B. No, LACP is not supported on NP6 platforms.
• C. No, LACP is only supported on ports connected to the same NP6.
• D. Yes, LACP is supported on ports that are linked together with integrated Switch Fabric.

Answer: C

Explanation: References:
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration- 52/NP6.htm

NEW QUESTION 2
Your security department has requested that you implement the OpenSSL.TLS.Heartbeat.Information.Disclosure signature using an IPS sensor to scan traffic destined to the FortiGate. You must log all packets that attempt to exploit this vulnerability.
Referring to the exhibit, which two configurations are required to accomplish this task? (Choose two.)

• A.
• B.
• C.
• D.

Answer: B

Explanation: http://defadhil.blogspot.in/2014/04/how-to-protect-fortigate-from.html

NEW QUESTION 3
The wireless controller diagnostic output is shown in the exhibit. Which three statements are true? (Choose three.)

• A. Firewall policies using device types are blocking Android devices.
• B. An access control list applied to the VAP interface blocks Android devices.
• C. This is a CAPWAP control channel diagnostic command.
• D. There are no wireless clients connected to the guest wireless network.
• E. The “src-vis” process is active on the staff wireless network VAP interface.

Answer: ACD

Explanation: References:
http://docs.fortinet.com/uploaded/files/1083/fortigate-managing-devices-50.pdf

NEW QUESTION 4
The dashboard widget indicates that FortiGuard Web Filtering is not reachable. However, AntiVirus, IPS, and Application Control have no problems as shown in the exhibit.

You contacted Fortinet’s customer service and discovered that your FortiGuard Web Filtering contract is still valid for several months.
What are two reasons for this problem? (Choose two.)

• A. You have another security device in front of FortiGate blocking ports 8888 and 53.
• B. FortiGuard Web Filtering is not enabled in any firewall policy.
• C. You did not enable Web Filtering cache under Web Filtering and E-mail Filtering Options.
• D. You have a firewall policy blocking ports 8888 and 53.

Answer: BD

Explanation: If Web filtering shows unreachable then we have to verify, whether web filtering enabled in security policies or not.
Web filtering enabled in a policy but the port 8888 and 53 are not selected, means the policy blocking the ports.
References:

NEW QUESTION 5
You are asked to design a secure solution using Fortinet products for a company. The company recently has Web servers that were exploited and defaced. The customer has also experienced Denial or Service due to SYN Flood attacks. Taking this into consideration, the customer’s solution should have the following requirements:
- management requires network-based content filtering with man-in-the-middle inspection
- the customer has no existing public key infrastructure but requires centralized certificate management
- users are tracked by their active directory username without installing any software on their hosts
- Web servers that have been exploited need to be protected from the OWASP Top 10
- notification of high volume SYN Flood attacks when a threshold has been triggered Which three solutions satisfy these requirements? (Choose three.)

• A. FortiGate
• B. FortiClient
• C. FortiWeb
• D. FortiAuthenticator
• E. FortiDDOS

Answer: ACE

NEW QUESTION 6
Which two features are supported only by FortiMail but not by FortiGate? (Choose two.)

• A. DNSBL
• B. built-in MTA
• C. end-to-end IBE encryption
• D. FortiGuard Antispam

Answer: AB

NEW QUESTION 7
A customer wants to install a FortiSandbox device to identify suspicious files received by an e-mail server. All the incoming e-mail traffic to the e-mail server uses the SMTPS protocol.
Which three solutions would be implemented? (Choose three.)

• A. FortiGate device in transparent mode sending the suspicious files to the FortiSandbox
• B. FortiSandbox in sniffer input mode
• C. FortiMail device in gateway mode using the built-in MTA and sending the suspicious files to the FortiSandbox
• D. FortiMail device in transparent mode acting as an SMTP proxy sending the suspicious files to the FortiSandbox
• E. FortiGate device in NAT mode sending the suspicious files to the FortiSandbox

Answer: BCE

Explanation: References: http://kb.fortinet.com/kb/documentLink.do?externalID=FD34371

NEW QUESTION 8
A customer is authenticating users using a FortiGate and an external LDAP server. The LDAP user, John Smith, cannot authenticate. The administrator runs the debug command diagnose debug application fnbamd 255 while John Smith attempts the authentication:
Based on the output shown in the exhibit, what is causing the problem?

• A. The LDAP administrator password in the FortiGate configuration is incorrect.
• B. The user, John Smith, does have an account in the LDAP server.
• C. The user, John Smith, does not belong to any allowed user group.
• D. The user, John Smith, is using an incorrect password.

Answer: A

Explanation: Fortigate not binded with LDAP server because of failed authentication. References:

NEW QUESTION 9
You have implemented FortiGate in transparent mode as shown in the exhibit. User1 from the Internet is trying to access the 192.168.10.10 Web servers.

Which two statements about this scenario are true? (Choose two.)

• A. User1 would be able to access the Web server intermittently.
• B. User1 would not be able to access any of the Web servers at all.
• C. FortiGate learns Web servers MAC address when the Web servers transmit packets.
• D. FortiGate always flood packets to both Web servers at the same time.

Answer: AC

Explanation: Both servers have same ip address, so there will be intermittent we server connectivity from outside and whichever web server forwards packets fortigate learns its mac address.

NEW QUESTION 10
You are an administrator of FortiGate devices that use FortiManager for central management. You need to add a policy on an ADOM, but upon selecting the ADOM drop- down list, you notice that the ADOM is in locked state. Workflow mode is enabled on your FortiManager to define approval or notification workflow when creating and installing policy changes.
What caused this problem?

• A. Another administrator has locked the ADOM and is currently working on it.
• B. There is pending approval waiting from a previous modification.
• C. You need to use set workspace-mode workflow on the CLI.
• D. You have read-only permission on Workflow Approve in the administrator profile.

Answer: D

Explanation: http://docs.fortinet.com/uploaded/files/2250/FortiManager-5.2.1-Administration-Guide.pdf

NEW QUESTION 11
A company wants to protect against Denial of Service attacks and has launched a new project. They want to block the attacks that go above a certain threshold and for some others they are just trying to get a baseline of activity for those types of attacks so they are
letting the traffic pass through without action. Given the following:
- The interface to the Internet is on WAN1.
- There is no requirement to specify which addresses are being protected or protected from.
- The protection is to extend to all services.
- The tcp_syn_flood attacks are to be recorded and blocked.
- The udp_flood attacks are to be recorded but not blocked.
- The tcp_syn_flood attack’s threshold is to be changed from the default to 1000. The exhibit shows the current DoS-policy.

Which policy will implement the project requirements?

• A.
• B.
• C.
• D.

Answer: BD

Explanation: B&D both have same policy which fulfills the above criteria. http://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Examples/Example-%20DoS%20Policy.htm

NEW QUESTION 12
The FortiGate is used as an IPsec gateway at a branch office. Two tunnels, tunA and tunB, are established between this FortiGate and the headquarters’ IPsec gateway. The branch office’s subnet is 10.1.1.0/24. The headquarters’ subnet is 10.2.2.0/24. The desired usage for tunA and tunB has been defined as follows:
- sessions initiated from 10.1.1.0/24 to 10.2.2.0/24 must be routed out over tunA when tunA is up
- sessions initiated from 10.1.1.0/24 to 10.2.2.0/24 have to be routed out over tunB when tunA is down
- sessions initiated from 10.2.2.0/24 can ingress either on tunA or on tunB Which static routing configuration meets the requirements?

• A.
• B.
• C.
• D.

Answer: C

NEW QUESTION 13
Referring to the exhibit, which statement is true?

• A. The packet failed the HMAC validation.
• B. The packet did not match any of the local IPsec SAs.
• C. The packet was protected with an unsupported encryption algorithm.
• D. The IPsec negotiation failed because the SPI was unknown.

Answer: A

Explanation: http://kb.fortinet.com/kb/viewContent.do?externalId=FD33101

NEW QUESTION 14
The SECOPS team in your company has started a new project to store all logging data in a disaster recovery center. All FortiGates will log to a secondary FortiAnalyzer and establish a TCP session to send logs to the syslog server.
Which two configurations will achieve this goal? (Choose two.)

• A.
• B.
• C.
• D.

Answer: AC

Explanation: https://forum.fortinet.com/tm.aspx?m=122848

NEW QUESTION 15
The exhibit shows an LDAP server configuration in a FortiGate device.

The LDAP user, John Smith, has the following LDAP attributes:

John Smith’s LDAP password is ABC123.
Which CLI command should you use to test the LDAP authentication using John Smith’s credentials?

• A. diagnose test authserver ldap Lab jsmith ABC123
• B. diagnose test authserver ldap-direct Lab jsmith ABC123
• C. diagnose test authserver ldap Lab ‘John Smith’ ABC123
• D. diagnose test authserver ldap-direct Lab john ABC123

Answer: A

Explanation: References: https://forum.fortinet.com/tm.aspx?m=119178

NEW QUESTION 16
Which three configuration scenarios will result in an IPsec negotiation failure between two FortiGate devices? (Choose three.)

• A. mismatched phase 2 selectors
• B. mismatched Anti-Replay configuration
• C. mismatched Perfect Forward Secrecy
• D. failed Dead Peer Detection negotiation
• E. mismatched IKE version

Answer: ACE

Explanation: In IPsec negotiations, Perfect Forward Secrecy (PFS) ensures that each new cryptographic key is unrelated to any previous key. Either enable or disable PFS on both the tunnel peers; otherwise, the LAN-to-LAN (L2L) IPsec tunnel is not established

NEW QUESTION 17
Your marketing department uncompressed and executed a file that the whole department received using Skype.

Reviewing the exhibit, which two details do you determine from your initial analysis of the payload?

• A. The payload contains strings that the malware is monitoring to harvest credentials.
• B. This is a type of Trojan that will download and pirate movies using your Netflix credentials.
• C. This type of threat of a DDoS attack using instant messaging to send e-mails to further spread the infection.
• D. This threat payload is uploading private user videos which are then used to extort Bitcoin payments.

Answer: B