NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.

com/exams/fortinet/nse8_811/view/

- Expert Veri�ed, Online, .

 Custom View Settings

Question #1 Topic 1

Refer to the exhibit.

The exhibit shows a full-mesh topology between FortiGate and FortiSwitch devices. To deploy this con�guration, two requirements must be met:
"¢ 20 Gbps full duplex connectivity is available between each FortiGate and the FortiSwitch devices
"¢ The FortiGate HA must be in AP mode
Referring to the exhibit, what are two actions that will ful�ll the requirements? (Choose two.)

A. Con�gure the master FortiGate with one LAG and FortiLink split interface disabled on ports connected to cables A and C and make sure the
same ports are used for cables B and D on the slave.

B. Con�gure the master FortiGate with one LAG and FortiLink split interface enabled on ports connected to cables A and C and make sure the
same ports are used for cables B and D on the slave.

C. Con�gure both FortiSwitch devices as peers with ICL over cable E, create one MCLAG on ports connected to cables A and C, and create
another MCLAG on ports connected to cables B and D.

D. Con�gure both FortiSwitch devices as peers with ISL over cable E, create one MCLAG on ports connected to cables A and C, and create
another MCLAG on ports connected to cables B and D.

Question #2 Topic 1

You want to manage a FortiGate with the FortiCloud service. The FortiGate shows up in your list of devices on the FortiCloud Web site, but all
management functions are either missing or grayed out.
Which statement is correct in this scenario?

A. The management tunnel mode on the managed FortiGate must be changed to normal.

B. The managed FortiGate is running a version of FortiOS that is either too new or too old for FortiCloud.

C. The managed FortiGate requires that a FortiCloud management license be purchased and applied.

D. You must manually con�gure system central-management on the FortiGate CLI and set the management type to fortiguard.

1 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #3 Topic 1

Refer to the exhibit.

The exhibit shows the steps for creating a URL rewrite policy on a FortiWeb.
Which statement represents the purpose of this policy?

A. The policy redirects all HTTPS URLs to HTTP.

B. The policy redirects all HTTP URLs to HTTPS.

C. The policy redirects only HTTP URLs containing the ^/(.*)$ string to HTTPS.

D. The policy redirects only HTTPS URLs containing the ^/(.*)$ string to HTTP.

Question #4 Topic 1

You are asked to add a FortiDDoS to the network to combat detected slow connection attacks such as Slowloris.
Which prevention mode on FortiDDoS will protect you against this speci�c type of attack?

A. asymmetric mode

B. aggressive aging mode

C. rate limiting mode

D. blocking mode

2 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #5 Topic 1

You are building a FortiGate cluster which is stretched over two locations. The HA connections for the cluster are terminated on the local switches
in the data centers. Once the FortiGate devices have booted, they do not form a cluster. The network operators inform you that CRC errors are
present on the switches where the FortiGate devices are connected.
What should you do to solve this problem?

A. Set the speed/duplex setting to 1 Gbps / Full Duplex.

B. Replace the cables where the CRC errors occur.

C. Place the HA interfaces in dedicated VLANs.

D. Change the ethertype for the HA packets.

Question #6 Topic 1

You want to access the JSON API on FortiManager to retrieve information on an object.
In this scenario, which two methods will satisfy the requirement? (Choose two.)

A. Download the WSDL �le from FortiManager administration GUI.

B. Make a call with the curl utility on your workstation.

C. Make a call with the SoapUI API tool on your workstation.

D. Make a call with the Web browser on your workstation.

3 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #7 Topic 1

Refer to the exhibit.

You created a custom health-check for your FortiWeb deployment.

Given the output shown in the exhibit, which statement is true?

A. The FortiWeb must receive an RST packet from the server.

B. The FortiWeb must receive an HTTP 200 response code from the server.

C. The FortiWeb must match the hash value of the page index.html.

D. The FortiWeb must receive an ICMP Echo Request from the server.

4 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #8 Topic 1

Refer to the exhibit.

You created an aggregate interface between a FortiGate and a switch consisting of two 1 Gbps links as shown in the exhibit. However, the
maximum bandwidth never exceeds 1 Gbps and employees are reporting that the network is slow. After troubleshooting, you notice that only one
member interface is being used. The con�guration for the aggregate interface is shown in the exhibit.
In this scenario, which command will solve this problem?
A.

B.

C.

D.

5 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #9 Topic 1

Refer to the exhibit.

A FortiGate device is con�gured to authenticate SSL VPN users using digital certi�cates. A partial FortiGate con�guration is shown in the exhibit.
Referring to the exhibit, which two statements about this con�guration are true? (Choose two.)

A. The authentication will fail if the user certi�cate does not contain the user principal name (UPN) information.

B. The authentication will fail if the user certi�cate does not contain the CA_Cert string in the CA �eld.

C. The authentication will fail if the OCSP server is down.

D. OCSP is used to verify that the user-signed certi�cate has not expired.

Question #10 Topic 1

Consider the following FortiGate con�guration:

Which command-line option for deep inspection SSL would have the FortiGate re-sign all untrusted self-signed certi�cates with the trusted
Fortinet_CA_SSL certi�cate?

A. block

B. inspect

C. allow

D. ignore

6 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #11 Topic 1

Refer to the exhibit.

A FortiGate is con�gured for a dial-up IPsec VPN to allow multiple remote FortiGate devices to connect to it. However, FortiGate A and B have
problems connecting to the VPN. Only one of them can be connected at a time. If site B tries to connect while site A is connected, site A is
disconnected. The IKE real-time debug shows the output in the exhibit when site A is disconnected.
Referring to the exhibit, which con�guration setting should be executed in the dial-up con�guration to allow both VPNs to be connected at the
same time?

A. set route-overlap allow

B. set single-source disable

C. set enforce-unique-id disable

D. set add-route enable

Question #12 Topic 1

A customer wants to enable SYN �ood mitigation in a FortiDDoS device. The FortiDDoS must reply with one SYN/ACK packet per SYN packet from
a new source
IP address.
Which SYN �ood mitigation mode must the customer use?

A. SYN retransmission

B. SYN/ACK cookie

C. SYN cookie

D. ACK cookie

7 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #13 Topic 1

Refer to the exhibit.

You con�gured AV and Web �ltering for your outgoing Internet connections. You later notice that not all Web sessions are being inspected and you
start troubleshooting the problem.
Referring to the exhibit, what can be causing this problem?

A. The Web session is using QUIC which is not inspected by the FortiGate.

B. There are problems with the connection to the Web �lter servers, therefore the Web session cannot be categorized.

C. The SSL inspection options are not set to deep inspection.

D. Web �ltering is not licensed; therefore, no inspection occurs.

Question #14 Topic 1

You are administering the FortiGate 5000 and FortiGate 7000 series products. You want to access the HTTPS GUI of the blade located in logical
slot 3 of the secondary chassis in a high-availability cluster.
Which URL will accomplish this task?

A. https://192.168.1.99:44322

B. https://192.168.1.99:44323

C. https://192.168.1.99:44313

D. https://192.168.1.99:44302

8 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #15 Topic 1

Refer to the exhibit.

Given the con�guration shown in the exhibit, which two statements are true? (Choose two.)

A. LAG-3 on switches on FS448D-A and FS448D-B may be connected to a single 802.3ad trunk on another device.

B. LAG-1 and LAG-2 should be connected to a 4-port single 802.3ad trunk on another device.

C. port13 and port14 on FS448D-A should be connected to port13 and port14 on FS448D-B.

D. LAG-1 and LAG-2 should be connected to a single 4-port 802.3ad interface on the FortiGate-A.

9 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #16 Topic 1

A customer wants to integrate their on-premise FortiGate with their Azure infrastructure.
Which two components must be in place to con�gure the Azure Fabric connector? (Choose two.)

A. FortiGate-VM virtual appliance deployed on-premise.

B. An inbound policy from the Azure FortiGate-VM virtual appliance.

C. An outbound policy from the Azure FortiGate-VM virtual appliance.

D. A FortiGate-VM virtual appliance deployed in Azure.

Question #17 Topic 1

You cannot ping the FortiGate default gateway 10.10.10.1 from the FortiGate CLI. The FortiGate interface facing the default gateway is wan1 and
its IP address is
10.10.10.254/24. During the initial troubleshooting tests, you con�rm that you can ping other IP addresses in the 10.10.10.0/24 subnet from the
FortiGate CLI without packets lost.
Which two CLI commands will help you to troubleshoot this problem? (Choose two.)

A. diagnose debug �ow �lter saddr 10.10.10.1 diagnose debug �ow trace start 10

B. diagnose hardware deviceinfo nic wan1

C. diagnose ip arp list

D. diag sniffer packet wan1 'arp and host 10.10.10.1'

Question #18 Topic 1

An organization has one central site and three remote sites. A FortiSIEM has been installed on the central site and now all devices across the
remote sites must be centrally monitored by the FortiSIEM at the central site.
Which action will reduce the WAN usage by the monitoring system?

A. Enable SD-WAN FEC (Forward Error Correction) on the FortiGate at the remote site.

B. Install both Supervisor and Collector on each remote site.

C. Install local Collectors on each remote site.

D. Disable real-time log upload on the remote sites.

10 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #19 Topic 1

A customer is looking for a way to remove javascripts, macros and hyperlinks from documents traversing the network without affecting the
integrity of the content.
You propose to use the Content disarm and reconstruction (CDR) feature of the FortiGate.
Which two considerations are valid to implement CDR in this scenario? (Choose two.)

A. The inspection mode of the FortiGate is not relevant for CDR to operate.

B. CDR is supported on HTTPS, SMTPS, and IMAPS if deep inspection is enabled.

C. CDR can only be performed on Microsoft O�ce Document and PDF �les.

D. Files processed by CDR can have the original copy quarantined on the FortiGate.

Question #20 Topic 1

Refer to the exhibit.

As shown in the exhibit, a FortiADC is load-balancing IPv4 tra�c between two next-hop routers. The FortiADC does not know the IP addresses of
the servers.
Also, the FortiADC is doing Layer 7 content inspection and modi�cation.
In this scenario, which application delivery control is con�gured in the FortiADC?

A. Layer 3

B. Layer 4

C. Layer 7

D. Layer 2

11 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #21 Topic 1

Refer to the exhibit.

You are trying to con�gure Link-Aggregation Group (LAG), but ports A and B do not appear on the list of member options.
Referring to the exhibit, which statement is correct in this situation?

A. The FortiGate interfaces are defective and require replacement.

B. The FortiGate model does not have an Integrated Switch Fabric (ISF).

C. The FortiGate model being used does not support LAG.

D. The FortiGate SFP+ slot does not have the correct module.

Question #22 Topic 1

You have deployed a FortiGate in NAT/Route mode as a Secure Web Gateway with a few IP-based authentication �rewall policies. Your customer
reports that some users now have different browsing permissions from what is expected. All these users are browsing using Internet Explorer
through a Remote Desktop
Connection to a Terminal Server. When you look at the FortiGate logs, the username for the Terminal Server IP is not consistent.
Which action will correct this problem?

A. Change the FSSO Polling mode to Windows NetAPI.

B. Con�gure FSSO Advanced with LDAP integration.

C. Install the TS/Citrix agent on the terminal server.

D. Make sure the Terminal Server is using the correct DNS server.

12 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #23 Topic 1

Refer to the exhibit.

While deploying a new FortiGate-VMX Security node, an administrator receives the error message shown in the exhibit.
In this scenario, which statement is correct?

A. The NSX Manager is not able to connect on the FortiGate Service Manager RestAPI service.

B. The vCenter is not able to locate the FortiGate-VMX OVF �le.

C. The FortiGate Service Manager does not have the proper permission to register the FortiGate-VMX Service.

D. The vCenter cannot connect to the FortiGate Service Manager.

Question #24 Topic 1

A customer is experiencing problems with a legacy L3/L4 �rewall device and the IPv6 SIP VoIP tra�c. Their device is dropping SIP packets,
consequently, it cannot process SIP voice calls.
Which solution will solve the customer's problem?

A. Replace their legacy device with a FortiGate and deploy a FortiVoice to extract information from the body of the IPv6 SIP packet.

B. Deploy a FortiVoice and enable IPv6 SIP.

C. Deploy a FortiVoice and enable an IPv6 SIP session helper.

D. Replace their legacy device with a FortiGate and con�gure it to extract information from the body of the IPv6 SIP packet.

13 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #25 Topic 1

Refer to the exhibit.

A VPN IPsec is connecting the headquarters o�ce (HQ) with a branch o�ce (BO). OSPF is used to redistribute routes between the o�ces. After
deployment, a server with IP address 10.10.10.35 located on the DMZ network of the BO FortiGate, was reported unreachable from hosts located
on the LAN network of the same
FortiGate.
Referring to the exhibit, which statement is true?

A. The ICMP packets are being blocked by an implicit deny policy.

B. A directly connected subnet is being partially superseded by an OSPF redistributed subnet.

C. Enabling NAT on the VPN �rewall policy will solve the problem.

D. The incoming access list should have an accept action instead of a deny action to solve the problem.

14 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #26 Topic 1

A customer has a SCADA environmental control device that is triggering a false-positive IPS alert whenever the Web GUI of the device is accessed.
You cannot create a functional custom IPS �lter to exempt this behavior, and it appears that the device is so old that it does not have HTTPS
support. You need to prevent the false positive IPS alerts from occurring.
In this scenario, which two actions will accomplish this task? (Choose two.)

A. Create a URL �lter with the Exempt action for that device IP address.

B. Change the relevant �rewall policies to use SSL certi�cate-inspection instead of SSL deep-inspection.

C. Create a very speci�c �rewall policy for that device IP address which does not perform IPS scanning.

D. Recon�gure the FortiGate to operate in proxy-based inspection mode instead of �ow-based.

15 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #27 Topic 1

Refer to the exhibit.

The FortiAP pro�le used by the FortiGate managed AP is shown in the exhibit.
Which two statements in this scenario are correct? (Choose two.)

A. Interference will be prevented between FortiAP devices using this pro�le.

B. This pro�le will map speci�c SSIDs available to the FortiAP devices.

C. All FortiAP devices using this pro�le will have Radio 1 monitor wireless clients.

D. All FortiAP devices using this pro�le will have Radio 1 scan rogue access points.

16 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #28 Topic 1

Refer to the exhibit.

The exhibit shows a topology where a FortiGate is split into two VDOMs, root and vd-lan. The root VDOM provides external SSL-VPN access, where
the users are authenticated by a FortiAuthenticator. The vd-lan VDOM provides internal access to a Web server.
For the remote users to access the internal Web server, there are a few requirements as follows:
"¢ All tra�c must come from the SSL-VPN.
"¢ The vd-lan VDOM only allows authenticated tra�c to the Web server.
"¢ Users must only authenticate once, using the SSL-VPN portal.
"¢ SSL-VPN uses RADIUS-based authentication.
Given these requirements and the topology shown in the exhibit, which two statements are true? (Choose two.)

A. vd-lan connects to FortiAuthenticator as a regular FSSO client.

B. root is con�gured for FSSO while vd-lan is con�gured for RSSO.

C. root sends "RADIUS Accounting Messages" to FortiAuthenticator

D. vd-lan receives authentication messages from root using FSSO.

Question #29 Topic 1

A customer wants to use a central RADIUS server for management authentication when connecting to the FortiGate GUI and to provide different
levels of access for different types of employees.
Which three actions are required to provide the requested functionality? (Choose three.)

A. Create a wildcard administrator on the FortiGate.

B. Enable radius-vdom-override in the CLI.

C. Create multiple administrator pro�les with matching RADIUS VSAs.

D. Enable accpro�le-override in the CLI.

E. Set the RADIUS authentication type to MS-CHAPv2.

17 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #30 Topic 1

Refer to the exhibit.

You need to apply the security features listed below to the network shown in the exhibit.
"¢ High grade DDoS protection
"¢ Web security and load balancing for Server 1 and Server 2
"¢ Solution must be PCI DSS compliant
"¢ Enhanced security to DNS 1 and DNS 2
What are three solutions for this scenario? (Choose three.)

A. FortiDDoS between FG1 and FG2 and the Internet

B. FortiADC for VDOM-A

C. FortiWeb for VDOM-A

D. FortiADC for VDOM-B

E. FortiDDoS between FG1 and FG2 and VDOMs

Question #31 Topic 1

In a FortiGate 5000 series, two FortiControllers are working as an SLBC cluster in a-p mode. The con�guration shown below is applied.

Which statement is true on how new TCP sessions are handled by the Distributor Processor (DP)?

A. The new session added in the DP session table is automatically deleted, if the tra�c is denied by the processing worker.

B. No new session is added in the DP session table until the processing worker accepts the tra�c.

C. A new session added in the DP session table remains in the table even if the tra�c is denied by the processing worker.

D. A new session added in the DP session table remains in the table only if tra�c is accepted by the processing worker.

18 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #32 Topic 1

An administrator reports continuous high CPU utilization on a FortiGate device due to the IPS engine. Consider the global IPS con�guration shown
below.

Which two con�guration actions will reduce the CPU usage? (Choose two.)

A. Reduce the number of packets being logged.

B. Increase engine-count to 2.

C. Enable intelligent mode.

D. Disable fail open.

Question #33 Topic 1

Refer to the exhibit.

You con�gured an IPsec tunnel to a branch o�ce. Now you want to make sure that the encryption of the tunnel is o�oaded to hardware.
Referring to the exhibit, which statement is true?

A. Outgoing tra�c is o�oaded; you cannot determine if incoming tra�c is o�oaded at this time.

B. Outgoing tra�c is o�oaded; incoming tra�c not o�oaded.

C. Incoming and outgoing tra�c is o�oaded.

D. Tra�c is not o�oaded.

19 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #34 Topic 1

Refer to the exhibit.

You have installed a FortiSandbox and con�gured it in your FortiMail.

Referring to the exhibit, which two statements are correct? (Choose two.)

A. If FortiMail is not able to obtain the results from the FortiGuard queries, URIs will not be checked by the FortiSandbox.

B. FortiMail will cache the results for 30 minutes

C. If the FortiSandbox with IP 10.10.10.3 is not available, the e-mail will be checked by the FortiCloud Sandbox.

D. FortiMail will wait up to 30 minutes to obtain the scan results.

20 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #35 Topic 1

A FortiGate with the default con�guration shown below is deployed between two IP telephones. FortiGate receives the INVITE request shown in
the exhibit from
Phone A (internal) to Phone B (external).
NVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 10.31.101.20:5060
From: PhoneA <sip:[email protected]>
To: PhoneB <sip:[email protected]>

Call-ID: [email protected] -

CSeq: 1 INVITE -
Contact: sip:[email protected]
v=0
o=PhoneA 5462346 332134 IN IP4 10.31.101.20
c=IN IP4 10.31.101.20
m=audio 49170 RTP 0 3
Which two statements are correct after the FortiGate receives the packet? (Choose two.)

A. NAT takes place only in the SIP application layer.

B. A pinhole will be opened to accept tra�c sent to the FortiGate WAN IP address.

C. NAT takes place at both the network and SIP application layers.

D. A pinhole is not required to accept tra�c sent to the FortiGate WAN IP address.

21 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #36 Topic 1

Refer to the exhibit.

You have two data centers with a FortiGate 7000-series chassis connected by VPN. All tra�c �ows over an established generic routing
encapsulation (GRE) tunnel between them. You are troubleshooting tra�c that is traversing between Server VLAN A and Server VLAN B. The
performance is lower than expected and you notice all tra�c is only going through the FPM in slot 3 while nothing through the FPM in slot 4.
Referring to the exhibit, which statement is true?

A. Removing tra�c shaping from the �rewall policy allowing this tra�c will allow for load-balancing to the other module.

B. Changing the algorithm to take source IP, destination IP and port into account will load balance this tra�c to the other module.

C. There is no way to load-balance the tra�c in this scenario.

D. Con�guring a load-balance �ow-rule in the CLI will load-balance this tra�c.

22 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #37 Topic 1

Refer to the exhibit.

A customer is using dynamic routing to exchange the default route between two FortiGate devices using OSPFv2. The output of the get router info
ospf neighbor command shows that the neighbor is up, but the default route does not appear in the routing neighbor shown below.

According to the exhibit, what is causing the problem?

A. FG2 is within the wrong OSPF area.

B. OSPF requires the redistribution of connected networks.

C. There is an OSPF interface network-type mismatch.

D. A pre�x for the default route is missing.

23 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #38 Topic 1

Refer to the exhibit.

Referring to the �rewall polices shown in exhibit, which two statements are true? (Choose two.)

A. The IPv4 policy is allowing security pro�le groups.

B. The IPv6 tra�c for nse8user is �ltered using the DNS pro�le.

C. The IPv4 tra�c for nse8user is �ltered using the DNS pro�le.

D. The Web tra�c for nse8user is being �ltered differently in IPv4 and IPv6.

24 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #39 Topic 1

Refer to the exhibit.

Referring to the exhibit, what will happen if FortiSandbox categorizes an e-mail attachment submitted by FortiMail as a high risk?

A. The high-risk �le will be discarded by attachment analysis.

B. The high-risk �le will go to the system quarantine.

C. The high-risk �le will be received by the recipient.

D. The high-risk �le will be discarded by malware/virus outbreak protection.

Question #40 Topic 1

Consider the following VDOM con�guration:

In which two ways can you establish communication between an existing NAT VDOM and a new transparent VDOM? (Choose two.)

A. Set the set ip 10.10.10.1 command to vlink2l.

B. Set the set ip 10.10.10.1 command to vlink20.

C. Set type ppp to the vdom-link, vlink2.

D. Set type ethernet to the vdom-link, vlink2.

25 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #41 Topic 1

Refer to the exhibit.

You log into FortiManager, access the Device Manager window and notice that one of the managed devices is not in normal status.
Referring to the exhibit, which two statements correctly describe the status and result of the affected device? (Choose two.)

A. The device con�guration was changed on the local FortiGate side only; auto-update is disabled.

B. The changed con�guration on the FortiGate will remain the next time that the device con�guration is pushed from FortiManager.

C. The device con�guration was changed on both the local FortiGate side and the FortiManager side; auto-update is disabled.

D. The changed con�guration on the FortiGate will be overwritten in favor of what is on the FortiManager the next time that the device
con�guration is pushed.

Question #42 Topic 1

A company has just deployed a new FortiMail in gateway mode. The administrator is asked to strengthen e-mail protection by applying the policies
shown below.
"¢ E-mails can only be accepted if a valid e-mail account exists.
"¢ Only authenticated users can send e-mails out.
Which two actions will satisfy the requirements? (Choose two.)

A. Con�gure recipient address veri�cation.

B. Con�gure inbound recipient policies.

C. Con�gure outbound recipient policies.

D. Con�gure access control rules.

26 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #43 Topic 1

Refer to the exhibit.

The exhibit shows the con�guration of a service protection pro�le (SPP) in a FortiDDoS device.
Which two statements are true about the tra�c matching being inspected by this SPP? (Choose two.)

A. Tra�c that does not match any SPP policy will be inspected by this SPP.

B. FortiDDoS will not send a SYN/ACK if a SYN packet is coming from an IP address that is not in the legitimate IP (LIP) address table.

C. FortiDDoS will start dropping packets as soon as the tra�c exceeds the con�gured minimum threshold.

D. SYN packets with payloads will be dropped.

Question #44 Topic 1

FortiMail is con�gured with the protected domain "internal.lab".

Which two envelope addresses will need an access control rule to relay e-mail sent for unauthenticated users? (Choose two.)

A. MAIL FROM: [email protected]; RCPT TO: [email protected]

B. MAIL FROM: [email protected]; RCPT TO: [email protected]

C. MAIL FROM: [email protected]; RCPT TO: [email protected]

D. MAIL FROM: [email protected]; RCPT TO: [email protected]

27 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #45 Topic 1

Anti-Virus Real-Time Protection is enabled without any exclusions.

Referring to the exhibit, which two behaviors will the FortiClient endpoint have after receiving the pro�le update from the FortiClient EMS? (Choose
two.)

A. Access to a downloaded �le will always be allowed after 60 seconds when the FortiSandbox is reachable.

B. The user will not be able to access a downloaded �le for a maximum of 60 seconds if it is not a virus and the FortiSandbox is reachable.

C. Files executed from a mapped network drive will not be inspected by the FortiClient endpoint AntiVirus engine.

D. If the Real-Time Protection does not detect a virus, the user will be able to access a downloaded �le when the FortiSandbox is unreachable.

28 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #46 Topic 1

Refer to the exhibit.

A company has two data centers (DC) connected using a Layer 3 network. Servers in farm A need to connect to servers in farm B as though they
were all in the same Layer 2 segment.
Referring to the exhibit, what is con�gured on the FortiGate devices on each DC to allow this connectivity?

A. Create an IPsec tunnel with VXLAN encapsulation.

B. Create an IPsec tunnel with VLAN encapsulation.

C. Create an IPsec tunnel with transport-mode encapsulation.

D. Create an IPsec tunnel with tunnel-mode encapsulation.

Question #47 Topic 1

Refer to the exhibit.

You have deployed several perimeter FortiGate devices with internal segmentation FortiGate devices behind them. All FortiGate devices are
logging to
FortiAnalyzer. When you search the logs in FortiAnalyzer for denied tra�c, you see numerous log messages, as shown in the exhibit, on your
perimeter FortiGate device only.
Which two actions will reduce the number of these log messages? (Choose two.)

A. Disable DNS events logging from FortiGate in the con�g log fortianalyzer �lter section.

B. Apply an application control pro�le to the perimeter FortiGate devices that does not inspect DNS tra�c to the outbound �rewall policy.

C. Remove DNS signatures from the IPS pro�le applied to the outbound �rewall policy.

D. Con�gure the internal FortiGate devices to communicate to FortiGuard using port 8888.

29 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #48 Topic 1

Consider the following con�guration setting:

Which two statements about local authentication are true? (Choose two.)

A. The FortiGate will allow the TCP connection when a ClientHello message indicating a renegotiation is received.

B. The user's IP address will be blocked 15 seconds after �ve login failures.

C. The user will be blocked 15 seconds after �ve login failures.

D. The user will need to re-authenticate after �ve minutes.

Question #49 Topic 1

You are asked to implement a single FortiGate 5000 chassis using Session-aware Load Balance Cluster (SLBC) with Active-Passive
FortiControllers. Both
FortiControllers have the con�guration shown below, with the rest of the con�guration set to the default values.

Both FortiControllers show Master status.

What is the problem in this scenario?

A. The b1 interface of the two FortiControllers do not see each other.

B. The management interface of both FortiControllers was connected on the same network.

C. The chassis ID settings on FortiController on slot 2 should be set to 2.

D. The priority should be set higher for FortiController on slot-1.

30 of 31 05/10/2024, 9:27 PM
NSE8_811 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8_811/view/

Question #50 Topic 1

You must create a High Availability deployment with two FortiWebs in Amazon Web Services (AWS); each on different Availability Zones (AZ) from
the same region. At the same time, each FortiWeb should be able to deliver content from the Web servers of both of the AZs.
Which deployment would ful�ll this requirement?

A. Con�gure the FortiWebs in Active-Active HA mode and use AWS Elastic Load Balancer (ELB) for the internal Web servers.

B. Use AWS Elastic Load Balancer (ELB) for both the FortiWebs in standalone mode and the internal Web servers in an ELB sandwich.

C. Con�gure the FortiWebs in Active-Active HA mode and use AWS Route 53 to load balance the internal Web servers.

D. Use AWS Route 53 to load balance the FortiWebs in standalone mode and use AWS Virtual Private Cloud (VPC) Peering to load balance the
internal Web servers.

Next Questions 

Unlock free, top-quality video courses on ExamTopics with a simple

registration. Elevate your learning journey with our expertly curated content.
Register now to access a diverse range of educational resources designed for
your success. Start learning today with ExamTopics!

31 of 31 05/10/2024, 9:27 PM