NSE8_812 Online Practice Questions and Answers

Correct Answer: C

Explanation: To review this log on FortiAnalyzer GUI, the administrator should use the time filter that matches the local time zone of FortiAnalyzer, which is GMT-0800. Since the log was generated at 20:37 UTC (GMT+0000), the corresponding time in GMT-0800 is

20:37 - 8 hours = 12:37. However, since DST is disabled on FortiAnalyzer, the administrator should add one hour to account for daylight saving time difference, resulting in 12:37 + 1 hour = 13:37. Therefore, the time filter to use is 13:37:08. References:https://docs.fortinet.com/document/fortianalyzer/6.4.0/administration- guide/103664/time-zone-and-daylight-saving-time

Correct Answer: ABE

A is correct because the scan order must be changed to antispam-sandbox- content in order for FortiMail to scan the email for spam and viruses before forwarding it to the third-party service.

B is correct because the Catch-All profile must be applied to the CFInbound profile in order for FortiMail to forward clean emails to the third-party service. E is correct because an IP policy must be created with a Source value of 100.64.0.72/32

in order to allow emails from the third-party service to be delivered to FortiMail.

The other options are not necessary to meet the requirements. Option C is not necessary because the access receive rule will already allow emails from the third-party service to be received by FortiMail. Option D is not necessary because

the Catch-All profile already allows emails to be delivered to any destination. Here are some additional details about integrating a third-party service into the FortiMail email processing path:

The third-party service must be able to receive emails from FortiMail and send them back to FortiMail.

The third-party service must be able to communicate with FortiMail using the SMTP protocol.

The third-party service must be able to authenticate with FortiMail using the SMTP AUTH protocol.

Once the third-party service is integrated into the FortiMail email processing path, all inbound emails will be processed by FortiMail as usual. If the email is clean, FortiMail will forward it to the third-party service. The third-party service will then

send the email back to FortiMail for final delivery. FortiMail will not scan the email again.

Correct Answer: AE

A is correct because if no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay. This is because the FortiClient EMS server will not force the installation on the client. E is correct

because the Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy. This is because the Active Directory group policy will configure the Windows clients to automatically install

FortiClient and the FortiClient EMS server will only need to push the initial configuration to the clients.

The other options are incorrect. Option B is incorrect because a client can only be eligible for one enabled configuration on the EMS server. Option C is incorrect because you can deploy initial installations to both Windows and macOS clients.

Option D is incorrect because you can use the included SQL Server Express to deploy FortiClient EMS.

References:

Deploying FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library Configuring FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library

FortiClient EMS installation requirements | FortiClient / FortiOS 7.4.0 - Fortinet Document Library

Correct Answer: C

Explanation: The FortiGate 6000F has 24 1/10/25-Gbps SFP28 data network interfaces (1 to 24). These interfaces are divided into the following interface groups: 1 to 4, 5 to 8, 9 to 12, 13 to 16, 17 to 20, and 21 to 24. The ports 25 to 28 are

40/100-Gbps QSFP28 data network interfaces.

The initial connection should be made to any interface between ports 1 to 4. This is because the ports 21 to 24 are part of the same interface group, and changing the speed of one of these ports will affect the speeds of all of the ports in the

group. The ports 5 to 8 are also part of the same interface group, so they should not be used for the initial connection. The new hardware module that will be installed in the switch will provide higher speed ports. When this module is installed,

the speed of the ports 21 to 24 will be increased. However, this will not affect the ports 1 to 4, because they are not part of the same interface group.

Therefore, the initial connection should be made to any interface between ports 1 to 4, in order to ensure that the FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port

speed is defined.

Reference:

FortiGate 6000F Front Panel Interfaces: https://docs.fortinet.com/document/fortigate- 6000/hardware/fortigate-6000f-system-guide/827055/front-panel-interfaces

Correct Answer: CE

C. The antivirus database queries FortiGuard with the hash of a scanned file. This is how the FortiGuard VOS service works. The FortiGate queries FortiGuard with the hash of a scanned file, and FortiGuard returns a list of known malware signatures that match the hash.

E. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database. This is where the FortiGuard VOS service gets its hash signatures from. The FortiGuard Global Threat Intelligence database is updated regularly with new malware signatures.

Correct Answer: B

Explanation: The exhibit shows that the FortiEDR core has detected an exfiltration attack. The attack is attempting to copy files from the device to an external location. The FortiEDR core has blocked the attack, and the files have not been

exfiltrated. The exhibit also shows that the attack is using the Cobalt Strike beacon. Cobalt Strike is a penetration testing tool that can be used for both legitimate and malicious purposes. In this case, the Cobalt Strike beacon is being used to

exfiltrate files from the device. The other options are incorrect. Option A is incorrect because the attack has not been stopped. Option C is incorrect because the attack is not a ransomware attack. Option D is incorrect because the FortiEDR

core has not stopped the attack.

References:

FortiEDR Forensics:

https://docs.fortinet.com/document/fortiedr/6.0.0/administration- guide/733983/forensics

Cobalt Strike: https://www.cobaltstrike.com/

Correct Answer: B

Explanation: FortiToken push notifications require that the FortiAuthenticator has an internet routable IP address. This is because the FortiAuthenticator uses this IP address to send push notifications to the FortiGate.

The other options are not correct. Enabling the ftm access protocol on FG-1 port1 is not necessary for push notifications to work. The ftm-push server setting on FG-1 CLI should already point to the FortiAuthenticator's IP address. The

FortiToken public IP setting on FAC-1 is not relevant to push notifications.

Here is a table that summarizes the different options:

Correct Answer: B

Explanation: The OSPF configuration shown in the exhibit is using the default priority value of 1 for the interface port1. This means that FGT_3 will participate in the DR/BDR election process with the other OSPF routers on the same LAN segment. However, this is not desirable because FGT_3 is a new device that needs to be added to the OSPF network without affecting the existing DR/BDR election. Therefore, to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election, the priority value of the interface port1 should be changed to 0. This will prevent FGT_3 from becoming a DR or BDR and allow it to form OSPF adjacencies with thecurrent DR and BDR. Option B shows the correct configuration that changes the priority value to 0. Option A is incorrect because it does not change the priority value. Option C is incorrect because it changes the network type to point-to-point, which is not suitable for a LAN segment with multiple OSPF routers. Option D is incorrect because it changes the area ID to 0.0.0.1, which does not match the area ID of the other OSPF routers on the same LAN segment. References:https://docs.fortinet.com/document/ fortigate/7.0.0/administration- guide/358640/basic-ospf-example

Correct Answer: C

Explanation: The FortiGate VM is a virtual firewall appliance that can run on various hypervisors, such as ESXi, Hyper-V, KVM, etc. The adapter type for NICs on a FortiGate VM determines the performance and compatibility of the network interface cards with the hypervisor and the physical network. There are different adapter types available for NICs on a FortiGate VM, such as E1000, VMXNET3, SR-IOV, etc. If performance is the main concern and cost is not a factor, one option is to use native ESXi networking with VMXNET3 adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor. VMXNET3 is a paravirtualized network interface card that is optimized for performance in virtual machines and supports features such as multiqueue support, Receive Side Scaling (RSS), Large Receive Offload (LRO), IPv6 offloads, and MSI/MSI-X interrupt delivery. Native ESXi networking means that the FortiGate VM uses the standard virtual switch (vSwitch) or distributed virtual switch (dvSwitch) provided by the ESXi hypervisor to connect to the physical network. This option can provide high performance and compatibility for NICs on a FortiGate VM without requiring additional hardware or software components. References: https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation- for-vmware-esxi/19662/installing-fortigate-vm-on-vmware- esxihttps://docs.fortinet.com/document/fortigate/7.0.0/vm-installationfor-vmware- esxi/19662/networking

Correct Answer: BD

B is correct because the OCSP check of the certificate can be combined with a certificate revocation list (CRL). This means that the FortiGate will check the OCSP server to see if the certificate has been revoked, and it will also check the CRL to see if the certificate has been revoked. D is correct because if the OCSP server is unreachable, authentication will succeed if the certificate matches the CA. This is because the FortiGate will fall back to using the CRL if the OCSP server is unreachable. The other options are incorrect. Option A is incorrect because OCSP checks can go to other OCSP servers, not just the FortiAuthenticator. Option C is incorrect because OCSP certificate responses can be cached by the FortiGate. References: Configuring SSL VPN authentication using digital certificates | FortiGate / FortiOS 7.2.0 - Fortinet Document Library Online Certificate Status Protocol (OCSP) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library Certificate Revocation Lists (CRLs) | FortiGate / FortiOS 7.2.0 - Fortinet Document Library