NSE8 Exam - NSE8

NEW QUESTION 1
You verified that application control is working from previous configured categories. You just added Skype on blocked signatures. However, after applying the profile to your firewall policy, clients running Skype can still connect and use the application.
What are two causes of this problem? (Choose two.)

• A. The application control database is not updated.
• B. SSL inspection is not enabled.
• C. A client on the network was already connected to the Skype network and serves as relay prior to configuration changes to block Skype
• D. The FakeSkype.botnet signature is included on your application control sensor.

Answer: AB

NEW QUESTION 2
You must establish a BGP peering with a service provider. The provider has supplied you with BGP peering parameters and you performed the basic configuration shown in the exhibit on your FortiGate unit. You notice that your peering session is not coming up.

Which three missing configuration statements are needed to make this configuration functional? (Choose three.)

• A.
• B.
• C.
• D.
• E.

Answer: CDE

NEW QUESTION 3
A FortiGate is deployed in the NAT/Route operation mode. This operation mode operates at which OSI layer?

• A. Layer 4
• B. Layer 1
• C. Layer 3
• D. Layer 2

Answer: C

NEW QUESTION 4
A company has just installed a new FortiGate in their core to route and inspect traffic between their subnetted VLANs. The security department reports that after the installation, their IP video cameras no longer work. Research by the IT department shows that the video system uses a multicast stream to send the video to multiple video receivers.
Which two commands must be configured to resolve this problem? (Choose two.)

• A.
• B.
• C.
• D.

Answer: BD

Explanation: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36500

NEW QUESTION 5
An administrator wants to assign static IP addresses to users connecting tunnel-mode SSL VPN. Each SSL VPN user must always get the same unique IP address which is never assigned to any other user.
Which solution accomplishes this task?

• A. TACACS+ authentication with an attribute-value (AV) pair containing each user’s IP address.
• B. RADIUS authentication with each user’s IP address stored in a Vendor Specific Attribute (VSA).
• C. LDAP authentication with an LDAP attribute containing each user’s IP address.
• D. FSSO authentication with an LDAP attribute containing each user’s IP address.

Answer: D

NEW QUESTION 6
You want to enable traffic between 2001:db8:1::/64 and 2001:db8:2::/64 over the public IPv4 Internet.

Given the CLI configuration shown in the exhibit, which two additional settings are required on this device to implement tunneling for the IPv6 transition? (Choose two.)

• A. IPv4 firewall policies to allow traffic between the local and remote IPv6 subnets.
• B. IPv6 static route to the destination phase2 destination subnet.
• C. IPv4 static route to the destination phase2 destination subnet.
• D. IPv6 firewall policies to allow traffic between the local and remote IPv6 subnets.

Answer: BD

Explanation: References: http://docs.fortinet.com/uploaded/files/1969/IPv6%20Handbook%20for%20FortiOS%205.2. pdf

NEW QUESTION 7
Which command syntax would you use to configure the serial number of a FortiGate as its host name?

• A.
• B.
• C.
• D.

Answer: AB

Explanation: References:
http://defadhil.blogspot.in/2014/04/how-to- protect-fortigate- from.html

NEW QUESTION 8
A customer wants to secure the network shown in the exhibit with a full redundancy design. Which security design would you use?

• A. Place a FortiGate FGCP Cluster between DD and AA, then connect it to SW1, SW2, SW3, and SW4.
• B. Place a FortiGate FGCP Cluster between BB and CC, then connect it to SW1, SW2, SW3, and SW4.
• C. Place a FortiGate FGCP Cluster between BB and AA, then connect it to SW1, SW2, SW3, and SW4.
• D. Place a FortiGate FGCP Cluster between DD and FF, then connect it to SW1, SW2, SW3, and SW4.

Answer: A

NEW QUESTION 9
Given the following FortiOS 5.2 commands:

Which vulnerability is being addresses when managing FortiGate through an encrypted management protocol?

• A. Remote Exploit Vulnerability in Bash (ShellShock)
• B. Information Disclosure Vulnerability in OpenSSL (Heartbleed)
• C. SSL v3 POODLE Vulnerability
• D. SSL/TLS MITM vulnerability (CVE-2014-0224)

Answer: C

Explanation: References: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36913

NEW QUESTION 10
A customer has the following requirements:
- local peer with two Internet links
- remote peer with one Internet link
- secure traffic between the two peers
- granular control with Accept policies
Which solution provides security and redundancy for traffic between the two peers?

• A. a fully redundant VPN with interface mode configuration
• B. a partially redundant VPN with interface mode configuration
• C. a partially redundant VPN with tunnel mode configuration
• D. a fully redundant VPN with tunnel mode configuration

Answer: B

NEW QUESTION 11
You are asked to write a FortiAnalyzer report that lists the session that has consumed the most bandwidth. You are required to include the source IP, destination IP, application, application category, hostname, and total bandwidth consumed.
Which dataset meets these requirements?

• A. select from_itime(itime) as timestamp, srcip, dstip, app, appcat, hostname, sum(coalesce(‘sentbyte”, 0) +coalesce(‘recbyte “, 0)) as bandwidth from $log where $filter LIMIT 1
• B. select from_itime(itime) as timestamp, srcip, dstip, app, appcat, hostname, sum(coalesce(‘sentbyte”, 0) +coalesce(‘recbyte“, 0)) as bandwidth from $log where $filter LIMIT 1
• C. select from_itime(itime) as timestamp, srcip, dstip, app, appcat, hostname, sum(coalesce(‘sentbyte”, 0) +coalesce(‘rcvdbyte“, 0)) as bandwidth from $log where $filter LIMIT 1
• D. select from_itime(itime) as timestamp, sourceip, destip, app, appcat, hostname, sum(coalesce(‘sentbyte’, 0)+coalesce(‘rcvdbyte“, 0)) as bandwidth from $log where $filter LIMIT 1

Answer: C

Explanation: References:
http://docs.fortinet.com/uploaded/files/2617/fortianalyzer-5.2.4-dataset-reference.pdf

NEW QUESTION 12
A café offers free Wi-Fi. Customers’ portable electronic devices often do not have antivirus software installed and may be hosting worms without their knowledge. You must protect all customers from any other customers’ infected devices that join the same SSID.
Which step meets the requirement?

• A. Enable deep SSH inspection with antivirus and IPS.
• B. Use a captive portal to redirect unsecured connections such as HTTP and SMTP to their secured equivalents, preventing worms on infected clients from tampering with other customer traffic.
• C. Use WPA2 encryption and configure a policy on FortiGate to block all traffic between clients.
• D. Use WPA2 encryption, and enable “Block Intra-SSID Traffic”.

Answer: B

NEW QUESTION 13
You have replaced an explicit proxy Web filter with a FortiGate. The human resources department requires that all URLs be logged. Users are reporting that their browsers are now indicating certificate errors as shown in the exhibit.

Which step is a valid solution to the problem?

• A. Make sure that the affected users’ browsers are no longer set to use the explicit proxy.
• B. Import the FortiGate’s SSL CA certificate into the Web browsers.
• C. Change the Web filter policies on the FortiGate to only do certificate inspection.
• D. Make a Group Policy to install the FortiGate’s SSL certificate as a trusted host certificate on the Web browser.

Answer: D

Explanation: For https traffic inspection, client machine should install fortigate’s ssl certificate

NEW QUESTION 14
Referring to the configuration shown in the exhibit, which three statements are true? (Choose three.)

• A. Traffic logging is disabled in policy 96.
• B. TCP handshake is completed and no FIN/RST has been forwarded.
• C. No packet has hit this session in the last five minutes.
• D. No QoS is applied to this traffic.
• E. The traffic goes through a VIP applied to policy 96.

Answer: BCE

Explanation: References:
http://kb.fortinet.com/kb/viewContent.do?externalId=FD30042

NEW QUESTION 15
You are hosting Web applications that must be PCI DSS compliant. The Web applications are protected by a FortiWeb. Compliance will be tested during the quarterly security review.
In this scenario, which three FortiWeb features should you use? (Choose three.)

• A. Vulnerability Scan
• B. Auto-learning
• C. Syn Cookie
• D. Credit Card Detection
• E. the command.

Answer: ACD

Explanation: References:
http://help.fortinet.com/fweb/551/Content/FortiWeb/fortiweb-admin/web_protection.htm

NEW QUESTION 16
FortiGate1 has a gateway-to-gateway IPsec VPN to FortiGate2. The entire IKE negotiation between FortiGate1 and FortiGate2 is on UDP port 500. A PC on FortuGate2’s local area network is sending continuous ping requests over the VPN tunnel to a PC of FortiGate1’s local area network. No other traffic is sent over the tunnel.

Which statement is true on this scenario?

• A. FortiGate1 sends an R-U-THERE packet every 300 seconds while ping traffic is flowing.
• B. FortiGate1 sends an R-U-THERE packet if pings stop for 300 seconds and no IKE packet is received during this period.
• C. FortiGate1 sends an R-U-THERE packet if pings stop for 60 seconds and no IKE packet is received during this period.
• D. FortiGate1 sends an R-U-THERE packet every 60 seconds while ping traffic is flowing.

Answer: C

Explanation: References: http://kb.fortinet.com/kb/documentLink.do?externalID=FD35337

NEW QUESTION 17

Given the following error message:

FortiManager fails to import policy ID 1. What is the problem?

• A. FortiManager already has Address LAN which has interface mapping set to “internal” in its database, it is contradicting with the STUDENT-2 FortiGate device which has address LAN mapped to “any”.
• B. FortiManager already has address LAN which has interface mapping set to “any” in its database; this conflicts with the STUDENT-2 FortiGate device which has address “LAN”mapped to “internal”.
• C. Policy ID 1 for this managed FortiGate device already exists on the FortiManager policy package named STUDENT-2.
• D. Policy ID 1 does not have interface mapping on FortiManager.

Answer: D

Explanation: References: http://kb.fortinet.com/kb/documentLink.do?externalID=FD38544