[Dec-2025] Updated and Accurate NSE8_812 Questions & Answers for passing the exam Quickly
Download Real NSE8_812 Exam Dumps for candidates. 100% Free Dump Files
Fortinet NSE8_812 certification exam is a written test that evaluates the candidate's understanding of advanced network security concepts and their ability to design and implement complex security solutions. NSE8_812 exam covers various topics, including network security design, analysis, and implementation, application security, cloud security, and advanced threat protection, among others.
NEW QUESTION # 16
Refer to the exhibits.
A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table. Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.
Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)
- A. 172.16.204.64/27
- B. 172.62.0.64/27
- C. 172.16.204.128/25
- D. 172.16.201.96/29
Answer: A,C
Explanation:
The prefix list in the exhibit is configured to match prefixes that are either in the 172.16.204.0/24 subnet or in the 172.62.0.0/16 subnet. The routes that match these prefixes will be active in the routing table on the HQ firewall.
The routes that match the following prefixes will not be active in the routing table:
172.16.201.96/29
172.62.0.64/27
These routes do not match the criteria set by the prefix list.
References:
Prefix lists | FortiGate / FortiOS 7.4.0 - Fortinet Document Library
Configuring BGP | FortiGate / FortiOS 7.4.0 - Fortinet Document Library
NEW QUESTION # 17
Refer to the exhibit showing a FortiSOAR playbook.
You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.
What should be your next step?
- A. Reply to the e-mail with the requested Playbook action
- B. Click on the notification icon on FortiSOAR GUI and run the pending input action
- C. Run the Mark Drive by Download playbook action
- D. Go to the Incident Response tasks dashboard and run the pending actions
Answer: D
Explanation:
The exhibited playbook requires intervention, which means that the playbook has reached a point where it needs a human operator to take action. The next step should be to go to the Incident Response tasks dashboard and run the pending actions. This will allow you to see the pending actions that need to be taken and to take those actions.
The other options are not correct. Option B will only show you the notification icon, but it will not allow you to run the pending input action. Option C will run the Mark Drive by Download playbook action, but this is not the correct action to take in this case. Option D is not a valid option.
Here are some additional details about pending actions in FortiSOAR:
Pending actions are actions that need to be taken by a human operator.
Pending actions are displayed in the Incident Response tasks dashboard.
Pending actions can be run by clicking on the action in the dashboard.
NEW QUESTION # 18
A FortiGate running FortiOS 7.2.0 GA is configured in multi-vdom mode with a vdom set to vdom type Admin and another vdom set to vdom type Traffic.
Which two GUI sections are available on both VDOM types? (Choose two.)
- A. Interface configuration
- B. Packet capture
- C. Certificates
- D. Security Fabric topology and external connectors
- E. FortiClient configuration
Answer: A,B
NEW QUESTION # 19
Refer to the exhibit.
A customer is trying to setup a Playbook automation using a FortiAnalyzer, FortiWeb and FortiGate. The intention is to have the FortiGate quarantine any source of SQL Injection detected by the FortiWeb. They got the automation stitch to trigger on the FortiGate when simulating an attack to their website, but the quarantine object was created with the IP 0.0.0.0. Referring to the configuration and logs in the exhibits, which two statements are true? (Choose two.)
- A. The Group By option in the handler should be different to src, so src can be used on the Playbook configuration.
- B. FortiSOC Playbooks combining FortiWeb and FortiGate are not supported.
- C. To fix the issue the parameter for script on the Playbook configuration should be epip.
- D. The FortiAnalyzer ADOM Type must be Fabric.
- E. To diagnose this issue, you need to use the command diagnose test application oftpd 22.
Answer: A,D
NEW QUESTION # 20
What is the benefit of using FortiGate NAC LAN Segments?
- A. It provides support for multiple DHCP servers within the same VLAN.
- B. It allows for assignment of dynamic address objects matching NAC policy.
- C. It provides support for IGMP snooping between hosts within the same VLAN
- D. It provides physical isolation without changing the IP address of hosts.
Answer: D
Explanation:
FortiGate NAC LAN Segments are a feature that allows users to assign different VLANs to different LAN segments without changing the IP address of hosts or bouncing the switch port. This provides physical isolation while maintaining firewall sessions and avoiding DHCP issues. One benefit of using FortiGate NAC LAN Segments is that it allows for assignment of dynamic address objects matching NAC policy. This means that users can create firewall policies based on dynamic address objects that match the NAC policy criteria, such as device type, OS type, MAC address, etc. This simplifies firewall policy management and enhances security by applying different security profiles to different types of devices.
References: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/856212/nac-lan-segments-7-0-1
NEW QUESTION # 21
Which feature must you enable on the BGP neighbors to accomplish this goal?
- A. Synchronization
- B. Soft-reconfiguration
- C. Graceful-restart
- D. Deterministic-med
Answer: C
Explanation:
Graceful-restart is a feature that allows BGP neighbors to maintain their routing information during a BGP restart or failover event, without disrupting traffic forwarding or causing route flaps. Graceful-restart works by allowing a BGP speaker (the restarting router) to notify its neighbors (the helper routers) that it is about to restart or failover, and request them to preserve their routing information and forwarding state for a certain period of time (the restart time). The helper routers then mark the routes learned from the restarting router as stale, but keep them in their routing table and continue forwarding traffic based on them until they receive an end-of-RIB marker from the restarting router or until the restart time expires. This way, graceful-restart can minimize traffic disruption and routing instability during a BGP restart or failover event. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/bgp-graceful-restart
NEW QUESTION # 22
You are troubleshooting a FortiMail Cloud service integrated with Office 365 where outgoing emails are not reaching the recipients' mail. What are two possible reasons for this problem? (Choose two.)
- A. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.
- B. The FortiMail DKIM key was not set using the Auto Generation option.
- C. The FortiMail access control rules to relay from Office 365 servers public IPs are missing.
- D. The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
Answer: A,D
Explanation:
a) The FortiMail access control rule to relay from Office 365 servers FQDN is missing.
If the access control rule to relay from Office 365 servers FQDN is missing, then FortiMail will not be able to send emails to Office 365. This is because the access control rule specifies which IP addresses or domains are allowed to relay emails through FortiMail.
b) A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN.
If the Mail Flow connector from the Exchange Admin Center is not set properly to the FortiMail Cloud FQDN, then Office 365 will not be able to send emails to FortiMail. This is because the Mail Flow connector specifies which SMTP server is used to send emails to external recipients.
NEW QUESTION # 23
Refer to the exhibit, which shows a Branch1 configuration and routing table.
In the SD-WAN implicit rule, you do not want the traffic load balance for the overlay interface when all members are available.
In this scenario, which configuration change will meet this requirement?
- A. Configure the priority in each overlay member to 10.
- B. Create a new static route with the internet sdwan-zone only
- C. Configure the cost in each overlay member to 10.
- D. Change the load-balance-mode to source-ip-based.
Answer: A
Explanation:
The default load balancing mode for the SD-WAN implicit rule is source IP based. This means that traffic will be load balanced evenly between the overlay members, regardless of the member's priority.
To prevent traffic from being load balanced, you can configure the priority of each overlay member to 10. This will make the member ineligible for load balancing.
The other options are not correct. Changing the load balancing mode to source-IP based will still result in traffic being load balanced. Creating a new static route with the internet sdwan-zone only will not affect the load balancing of the overlay interface. Configuring the cost in each overlay member to 10 will also not affect the load balancing, as the cost is only used when the implicit rule cannot find a match for the destination IP address.
NEW QUESTION # 24
Refer to the CLI output:
Given the information shown in the output, which two statements are correct? (Choose two.)
- A. Reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored
- B. The IP Reputation feature has been manually updated
- C. Attackers can be blocked before they target the servers behind the FortiWeb.
- D. An IP address that was previously used by an attacker will always be blocked
- E. Geographical IP policies are enabled and evaluated after local techniques.
Answer: A,C
Explanation:
The CLI output shown in the exhibit indicates that FortiWeb has enabled IP Reputation feature with local techniques enabled and geographical IP policies enabled after local techniques (set geoip-policy-order after-local). IP Reputation feature is a feature that allows FortiWeb to block or allow traffic based on the reputation score of IP addresses, which reflects their past malicious activities or behaviors. Local techniques are methods that FortiWeb uses to dynamically update its own blacklist based on its own detection of attacks or violations from IP addresses (such as signature matches, rate limiting, etc.). Geographical IP policies are rules that FortiWeb uses to block or allow traffic based on the geographical location of IP addresses (such as country, region, city, etc.). Therefore, based on the output, one correct statement is that attackers can be blocked before they target the servers behind the FortiWeb. This is because FortiWeb can use IP Reputation feature to block traffic from IP addresses that have a low reputation score or belong to a blacklisted location, which prevents them from reaching the servers and launching attacks. Another correct statement is that reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored. This is because FortiWeb can use local techniques to remove IP addresses from its own blacklist if they stop sending malicious traffic for a certain period of time (set local-techniques-expire-time), which allows them to regain their reputation and access the servers. This is useful for IP addresses that are dynamically assigned by DHCP or PPPoE and may change frequently. References: https://docs.fortinet.com/document/fortiweb/6.4.0/administration-guide/19662/ip-reputation https://docs.fortinet.com/document/fortiweb/6.4.0/administration-guide/19662/geographical-ip-policies
NEW QUESTION # 25
Refer to the exhibits.

A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.
Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)
- A. Client devices must have 802.1X authentication enabled.
- B. FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication.
- C. Ports 3 and 4 can be part of different switch interfaces.
- D. Devices connected directly to ports 3 and 4 can perform 802.1X authentication.
Answer: A,D
Explanation:
The customer wants to deploy a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E device. A hardware switch interface is an interface that combines multiple physical interfaces into one logical interface, allowing them to act as a single switch with one IP address and one set of security policies. The customer wants to use 802.1X authentication for this solution, which is a standard protocol for port-based network access control (PNAC) that authenticates clients based on their credentials before granting them access to network resources.
One condition that allows authentication to the client devices before assigning an IP address is that devices connected directly to ports 3 and 4 can perform 802.1X authentication. This is because ports 3 and 4 are part of the hardware switch interface named "lan", which has an IP address of 10.10.10.254/24 and an inbound SSL inspection profile named "ssl-inspection". The inbound SSL inspection profile enables the FortiGate device to intercept and inspect SSL/TLS traffic from clients before forwarding it to servers, which allows it to apply security policies and features such as antivirus, web filtering, application control, etc. However, before performing SSL inspection, the FortiGate device needs to authenticate the clients using 802.1X authentication, which requires the clients to send their credentials (such as username and password) to the FortiGate device over a secure EAP (Extensible Authentication Protocol) channel. The FortiGate device then verifies the credentials with an authentication server (such as RADIUS or LDAP) and grants or denies access to the clients based on the authentication result. Therefore, devices connected directly to ports 3 and 4 can perform 802.1X authentication before assigning an IP address.
Another condition that allows authentication to the client devices before assigning an IP address is that client devices must have 802.1X authentication enabled. This is because 802.1X authentication is a mutual process that requires both the client devices and the FortiGate device to support and enable it. The client devices must have 802.1X authentication enabled in their network settings, which allows them to initiate the authentication process when they connect to the hardware switch interface of the FortiGate device. The client devices must also have an 802.1X supplicant software installed, which is a program that runs on the client devices and handles the communication with the FortiGate device using EAP messages. The client devices must also have a trusted certificate installed, which is used to verify the identity of the FortiGate device and establish a secure EAP channel. Therefore, client devices must have 802.1X authentication enabled before assigning an IP address.
References: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/hardware-switch-interfaces https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/802-1x-authentication
NEW QUESTION # 26
Refer to the exhibit showing a FortiView monitor screen.
After a Secure SD-WAN implementation a customer reports that in FortiAnalyzer under FortiView Secure SD-WAN Monitor there is No Device for selection.
What can cause this issue?
- A. Upload option from FortiGate to FortiAnalyzer is not set as a real time.
- B. ADOM 1 is set as a Fabric ADOM.
- C. sla-fail-log-period and sla-pass-log-period on FortiGate health check is not set.
- D. Extended logging is not enabled on FortiGate.
Answer: A
NEW QUESTION # 27
Refer to the exhibit, which shows the high availability configuration for the FortiAuthenticator (FAC1).
Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this FortiAuthenticator (FAC1)?
- A. FAC2 can have its HA interface on a different network than FAC1.
- B. FSSO sessions from FAC1 will be synchronized to FAC2.
- C. FAC2 can only process requests when FAC1 fails.
- D. The FortiToken license will need to be installed on the FAC2.
Answer: B
Explanation:
When FortiAuthenticator operates in cluster mode, it provides active-passive failover and synchronization of all configuration and data, including FSSO sessions, between the cluster members. Therefore, if FAC1 is the active unit and FAC2 is the standby unit, any FSSO sessions from FAC1 will be synchronized to FAC2. If FAC1 fails, FAC2 will take over the active role and continue to process the FSSO sessions. References: https://docs.fortinet.com/document/fortiauthenticator/6.1.2/administration-guide/122076/high-availability
NEW QUESTION # 28
Refer to the exhibit.
A customer wants FortiClient EMS configured to deploy to 1500 endpoints. The deployment will be integrated with FortiOS and there is an Active Directory server.
Given the configuration shown in the exhibit, which two statements about the installation are correct? (Choose two.)
- A. You can only deploy initial installations to Windows clients.
- B. If no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay.
- C. The Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy.
- D. You must use Standard or Enterprise SQL Server rather than the included SQL Server Express
- E. A client can be eligible for multiple enabled configurations on the EMS server, and one will be chosen based on first priority
Answer: B,C
Explanation:
A is correct because if no client update time is specified on EMS, the user will be able to choose the time of installation if they wish to delay. This is because the FortiClient EMS server will not force the installation on the client.
E is correct because the Windows clients only require "File and Printer Sharing" allowed and the rest is handled by Active Directory group policy. This is because the Active Directory group policy will configure the Windows clients to automatically install FortiClient and the FortiClient EMS server will only need to push the initial configuration to the clients.
The other options are incorrect. Option B is incorrect because a client can only be eligible for one enabled configuration on the EMS server. Option C is incorrect because you can deploy initial installations to both Windows and macOS clients. Option D is incorrect because you can use the included SQL Server Express to deploy FortiClient EMS.
References:
Deploying FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library
Configuring FortiClient EMS | FortiClient / FortiOS 7.4.0 - Fortinet Document Library
FortiClient EMS installation requirements | FortiClient / FortiOS 7.4.0 - Fortinet Document Library
NEW QUESTION # 29
Refer to the exhibit.
FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)
- A. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
- B. The template will fail because this configuration can only be applied with a CLI or TCL script.
- C. The template will work if you change the variable format to {{ WAN }}.
- D. The template will work if you change the variable format to $(WAN).
- E. The administrator must first manually map the interface for each device with a meta field.
- F. The template will fail because this configuration can only be applied with a CLI or TCL script.
Answer: B,E
Explanation:
The Jinja template in the exhibit is trying to configure the interface role on the managed FortiGate. This type of configuration can only be applied with a CLI or TCL script. The Jinja template will fail because it is not a valid CLI or TCL script.
d) The administrator must first manually map the interface for each device with a meta field.
The Jinja template in the exhibit is expecting a meta field called WAN to be set on the managed FortiGate. This meta field will specify which interface on the FortiGate should be assigned the "WAN" role. If the meta field is not set, then the template will fail.
NEW QUESTION # 30
Refer to the exhibit.
A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains a TPM chip. The exhibit shows output from the FortiGate CLI session where the administrator enabled TPM.
Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the FortiGate are negatively impacted.
What are the two reasons for this behavior? (Choose two.)
- A. The private-data-encryption key entered on the primary did not match the value that the TPM expected.
- B. TPM functionality is not yet compatible with FortiGate HA.
- C. The administrator needs to manually enter the hex private data encryption key in FortiManager.
- D. The FortiGate has not finished the auto-update process to synchronize the new configuration to FortiManager yet.
- E. Configuration for TPM is not synchronized between FortiGate HA cluster members.
Answer: C,E
Explanation:
https://docs.fortinet.com/document/fortimanager/7.4.2/administration-guide/30332/verifying-devices-with-private-data-encryption-enabled
NEW QUESTION # 31
A customer with a FortiDDoS 200F protecting their fibre optic internet connection from incoming traffic sees that all the traffic was dropped by the device even though they were not under a DoS attack. The traffic flow was restored after it was rebooted using the GUI. Which two options will prevent this situation in the future? (Choose two.)
- A. Move the internet connection from the SFP interfaces to the LC interfaces
- B. Change the Adaptive Mode.
- C. Replace with a FortiDDoS 1500F
- D. Create an HA setup with a second FortiDDoS 200F
Answer: C,D
Explanation:
* B is correct because creating an HA setup with a second FortiDDoS 200F will provide redundancy in case one of the devices fails. This will prevent all traffic from being dropped in the event of a failure.
* D is correct because the FortiDDoS 1500F has a larger throughput capacity than the FortiDDoS 200F.
This means that it will be less likely to drop traffic even under heavy load.
The other options are incorrect. Option A is incorrect because changing the Adaptive Mode will not prevent the device from dropping traffic. Option C is incorrect because moving the internet connection from the SFP interfaces to the LC interfaces will not change the throughput capacity of the device.
References:
* FortiDDoS 200F Datasheet | Fortinet Document Library
* FortiDDoS 1500F Datasheet | Fortinet Document Library
* High Availability (HA) on FortiDDoS | FortiDDoS / FortiOS 7.0.0 - Fortinet Document Library
NEW QUESTION # 32
Refer to the exhibits, which show a firewall policy configuration and a network topology.
An administrator has configured an inbound SSL inspection profile on a FortiGate device (FG-1) that is protecting a data center hosting multiple web pages. Given the scenario shown in the exhibits, which certificate will FortiGate use to handle requests to xyz.com?
- A. FortiGate will fall-back to the default Fortinet_CA_SSL certificate.
- B. FortiGate will use the first certificate in the server-cert list, the abc.com certificate.
- C. FortiGate will use the Fortinet_CA_Untrusted certificate for the untrusted connection.
- D. FortiGate will reject the connection since no certificate is defined.
Answer: B
Explanation:
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/850344/define-multiple-certificates-in-an-ssl-profile-in-replace-mode
If there is no matched server certificate in the list, then the first server certificate in the list is used as a replacement.
NEW QUESTION # 33
An HA topology is using the following configuration:
Based on this configuration, how long will it take for a failover to be detected by the secondary cluster member?
- A. 600ms
- B. 200ms
- C. 100ms
- D. 300ms
Answer: D
Explanation:
The HA topology shown in the exhibit is using link monitoring with two heartbeat interfaces (port3 and port5) and a heartbeat interval of 100ms. Link monitoring is a feature that allows HA failover to occur when one or more monitored interfaces fail or become disconnected. The heartbeat interval is the time between each heartbeat packet sent by an HA cluster unit to other cluster units through heartbeat interfaces. The failover time is determined by multiplying the heartbeat interval by three (the default deadtime value). Therefore, in this case, the failover time is 100ms x 3 = 300ms. Reference: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/647723/link-monitoring-and-ha-failover-time
NEW QUESTION # 34
You are creating the CLI script to be used on a new SD-WAN deployment. You will have branches with a different number of internet connections and want to be sure there is no need to change the Performance SLA configuration in case more connections are added to the branch.
The current configuration is:
Which configuration do you use for the Performance SLA members?
- A. set members any
- B. set members all
- C. set members 0
- D. current configuration already fulfills the requirement
Answer: B
Explanation:
D is correct because using set members all allows you to apply the Performance SLA configuration to all available interfaces without specifying them individually. This way, you do not need to change the configuration in case more connections are added to the branch. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/sd-wan/978795/configuring-sd-wan-performance-sla
NEW QUESTION # 35
A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)
- A. Change the persistence rule to LB_PERSIS_SSL_SESS_ID.
- B. Disable SSL between the FortiADC and the web servers
- C. Add a connection-pool to the FortiADC virtual server
- D. Add more web servers to the real server pool.
Answer: C,D
Explanation:
Option B: Adding more web servers to the real server pool will increase the overall capacity of the load balancer, which should help to resolve the issue of users not being able to access the website.
Option D: Adding a connection-pool to the FortiADC virtual server will allow the load balancer to cache connections to the web servers, which can help to improve performance and reduce the number of dropped connections.
Option A: Changing the persistence rule to LB_PERSIS_SSL_SESS_ID would only be necessary if the current persistence rule is not working properly. In this case, the CPU usage on the FortiADC and the web servers is low, so the persistence rule is likely not the issue.
Option C: Disabling SSL between the FortiADC and the web servers would reduce the load on the FortiADC, but it would also make the website less secure. Since the bandwidth utilization is under 30%, it is unlikely that disabling SSL would resolve the issue.
NEW QUESTION # 36
You must analyze an event that happened at 20:37 UTC. One log relevant to the event is extracted from FortiGate logs:
The devices and the administrator are all located in different time zones. Daylight savings time (DST) is disabled.
* The FortiGate is at GMT-1000.
* The FortiAnalyzer is at GMT-0800.
* Your browser local time zone is at GMT-0300.
You want to review this log on FortiAnalyzer GUI, what time should you use as a filter?
- A. 17:37:08
- B. 10:37:08
- C. 20:37:08
- D. 12:37:08
Answer: D
Explanation:
https://community.fortinet.com/t5/FortiAnalyzer/Technical-Note-Understanding-FortiAnalyzer-time-related-fields/ta-p/197569
NEW QUESTION # 37
A customer is planning on moving their secondary data center to a cloud-based IaaS. They want to place all the Oracle-based systems in Oracle Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center.
They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an architecture using Fortinet products with security, redundancy and performance as a priority.
Which two design options are true based on these requirements? (Choose two.)
- A. Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs.
- B. Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure.
- C. Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge
- D. Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.
Answer: A,D
Explanation:
a) Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud. This is because the Oracle Cloud is not directly connected to the Azure Cloud. The traffic will need to go through the main data center in order to reach the Oracle Cloud.
c) Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs. This is because the Oracle Cloud does not allow direct connections from the internet. The traffic will need to go through the FortiGate devices in order to reach the Oracle Cloud.
The other options are not correct.
b) Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure. This is not necessary. Azure does encrypt traffic over ExpressRoute.
d) Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge. This is not necessary. A single ExpressRoute service can be used to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge.
NEW QUESTION # 38
An administrator has configured a FortiGate device to authenticate SSL VPN users using digital certificates.
A FortiAuthenticator is the certificate authority (CA) and the OCSP server.
Part of the FortiGate configuration is shown below:
Based on this configuration, which authentication scenario will FortiGate deny?
- A. FortiAuthenticator responds to an OCSP request that the user certificate authority is untrusted.
- B. FortiAuthenticator responds to an OCSP request that the user certificate status is unknown.
- C. The user certificate does not contain the OCSP URL.
Answer: A
NEW QUESTION # 39
Refer to the exhibits.
A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table. Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.
Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)
- A. 172.16.204.64/27
- B. 172.16.204.128/25
- C. 172.16.201.96/29
- D. 172.62.0.64/27
Answer: B,D
Explanation:
A is correct because 172.16.204.128/25 matches the prefix list entry 172.16.204.0/24 ge 25 le 25. C is correct because 172.16.204.64/27 matches the prefix list entry 172.16.204.0/24 ge 27 le 27. Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/978793/bgp
NEW QUESTION # 40
Fortinet NSE8_812 exam is a certification exam that is designed to test the skills and knowledge of network security professionals who work with Fortinet products and solutions. NSE8_812 exam is intended for individuals who are seeking to become certified as Fortinet Network Security Experts (NSEs) at the highest level. The NSE8_812 exam covers a wide range of topics, including advanced routing and switching, advanced firewalling, advanced VPN technologies, and advanced threat protection.
Prepare Important Exam with NSE8_812 Exam Dumps: https://dumpsstar.vce4plus.com/Fortinet/NSE8_812-valid-vce-dumps.html