NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.

com/exams/fortinet/nse8-812/view/

- Expert Veri�ed, Online, .

 Custom View Settings

1 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #1 Topic 1

Review the VPN con�guration shown in the exhibit.

What is the Forward Error Correction behavior if the SD-WAN network tra�c download is 500 Mbps and has 8% of packet loss in the environment?

A. 1 redundant packet for every 10 base packets

B. 3 redundant packet for every 5 base packets

C. 2 redundant packet for every 8 base packets

D. 3 redundant packet for every 9 base packets

2 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #2 Topic 1

You are running a diagnose command continuously as tra�c �ows through a platform with NP6 and you obtain the following output:

Given the information shown in the output, which two statements are true? (Choose two.)

A. Enabling bandwidth control between the ISF and the NP will change the output

B. The output is showing a packet descriptor queue accumulated counter

C. Enable HPE shaper for the NP6 will change the output

D. Host-shortcut mode is enabled

E. There are packet drops at the XAUI

Question #3 Topic 1

Which two methods are supported for importing user de�ned Lookup Table Data into the FortiSIEM? (Choose two.)

A. Report

B. FTP

C. API

D. SCP

Question #4 Topic 1

What is the bene�t of using FortiGate NAC LAN Segments?

A. It provides support for multiple DHCP servers within the same VLAN

B. It provides physical isolation without changing the IP address of hosts

C. It provides support for IGMP snooping between hosts within the same VLAN

D. It allows for assignment of dynamic address objects matching NAC policy

3 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #5 Topic 1

You are troubleshooting a FortiMail Cloud service integrated with O�ce 365 where outgoing emails are not reaching the recipients’ mail.
What are two possible reasons for this problem? (Choose two.)

A. The FortiMail access control rule to relay from O�ce 365 servers FQDN is missing

B. The FortiMail DKIM key was not set using the Auto Generation option

C. The FortiMail access control rules to relay from O�ce 365 servers public IPs are missing.

D. A Mail Flow connector from the Exchange Admin Center has not been set properly to the FortiMail Cloud FQDN

Question #6 Topic 1

Refer to the exhibit.

FortiManager is con�gured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)

A. The Jinja template will automatically map the interface with “WAN” role on the managed FortiGate

B. The template will work if you change the variable format to $(WAN).

C. The template will work if you change the variable format to {{ WAN }}.

D. The administrator must �rst manually map the interface for each device with a meta �eld

E. The template will fail because this con�guration can only be applied with a CLI or TCL script.

4 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #7 Topic 1

SD-WAN is con�gured on a FortiGate. You notice that when one of the internet links has high latency the time to resolve names using DNS from
FortiGate is very high.
You must ensure that the FortiGate DNS resolution times are as low as possible with the least amount of work.
What should you con�gure?

A. Con�gure local out tra�c to use the outgoing interface based on SD-WAN rules with a manual de�ned IP associated to a loopback interface
and con�gure an SD-WAN rule from the loopback to the DNS server.

B. Con�gure an SD-WAN rule to the DNS server and use the FortiGate interface IPs in the source address.

C. Con�gure two DNS servers and use DNS servers recommended by the two internet providers.

D. Con�gure local out tra�c to use the outgoing interface based on SD-WAN rules with the interface IP and con�gure an SD-WAN rule to the
DNS server.

5 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #8 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

6 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Exhibit C -

A customer is trying to set up a VPN with a FortiGate, but they do not have a backup of the con�guration. Output during a troubleshooting session
is shown in the exhibits A and B and a baseline VPN con�guration is shown in Exhibit C.
Referring to the exhibits, which con�guration will restore VPN connectivity?

A.

B.

7 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

C.

D.

8 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #9 Topic 1

An HA topology is using the following con�guration:

Based on this con�guration, how long will it take for a failover to be detected by the secondary cluster member?

A. 600ms

B. 200ms

C. 300ms

D. 100ms

9 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #10 Topic 1

Refer to the exhibit.

You have deployed a security fabric with three FortiGate devices as shown in the exhibit.
FGT_2 has the following con�guration:

FGT_1 and FGT_3 are con�gured with the default setting.

Which statement is true for the synchronization of fabric-objects?

A. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate

B. Objects from the root FortiGate will only be synchronized to FGT_2

C. Objects from the root FortiGate will not be synchronized to any downstream FortiGate

D. Objects from the root FortiGate will only be synchronized to FGT_3

10 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #11 Topic 1

Refer to the exhibit.

You are operation an internal network with multiple OSPF routers on the same LAN segment. FGT_3 needs to be added to the OSPF network and
has the con�guration shown in the exhibit. FGT_3 is not establishing any OSPF connection.
What needs to be changed to the con�guration to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election?

A.

11 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

B.

C.

D.

Question #12 Topic 1

A retail customer with a FortiADC HA cluster load balancing �ve webservers in L7 Full NAT mode is receiving reports of users not able to access
their website during a sale event. But for clients that were able to connect, the website works �ne.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more tra�c, and the bandwidth
utilization is under 30%.
Which two options can resolve this situation? (Choose two.)

A. Change the persistence rule to LB_PERSIS_SSL_SESS_ID

B. Add more web servers to the real server pool

C. Disable SSL between the FortiADC and the web servers

D. Add a connection-pool to the FortiADC virtual server

12 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #13 Topic 1

Refer to the CLI output:

Given the information shown in the output, which two statements are correct? (Choose two.)

A. Geographical IP policies are enabled and evaluated after local techniques

B. Attackers can be blocked before they target the servers behind the FortiWeb

C. The IP Reputation feature has been manually updated

D. An IP address that was previously used by an attacker will always be blocked

E. Reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored

13 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #14 Topic 1

Refer to the exhibit.

You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher
speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and
the new port speed is de�ned.
How should the initial connection be made?

A. Connect the switch on any interface between ports 21 to 24

B. Connect the switch on any interface between ports 25 to 28

C. Connect the switch on any interface between ports 1 to 4

D. Connect the switch on any interface between ports 5 to 8

Question #15 Topic 1

You are designing a setup where the FortiGate device is connected to two upstream ISPs using BGP. Part of the requirement is that you must be
able to refresh the route advertisements manually without disconnecting the BGP neighborships.
Which feature must you enable on the BGP neighbors to accomplish this goal?

A. Graceful-restart

B. Deterministic-med

C. Synchronization

D. Soft-recon�guration

14 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #16 Topic 1

Refer to the exhibit, which shows a Branch1 con�guration and routing table.

In the SD-WAN implicit rule, you do not want the tra�c load balance for the overlay interface when all members are available.

15 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

In this scenario, which con�guration change will meet this requirement?

A. Change the load-balance-mode to source-ip-based.

B. Create a new static route with the internet sdwan-zone only.

C. Con�gure the cost in each overlay member to 10.

D. Con�gure the priority in each overlay member to 10.

16 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #17 Topic 1

Refer to the exhibits.

GUI Access -

Con�guration -

Topology -

17 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

An administrator has con�gured a FortiGate and FortiAuthenticator for two-factor authentication with FortiToken push noti�cations for their SSL
VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and
authenticate but push noti�cations.
Based on the information given in the exhibits, what must be done to �x this?

A. On FG-1 port1, the ftm access protocol must be enabled.

B. FAC-1 must have an internet routable IP address for push noti�cations.

C. On FG-1 CLI, the ftm-push server setting must point to 100.64.1.41.

D. On FAC-1, the FortiToken public IP setting must point to 100.64.1.41.

Question #18 Topic 1

Refer to the exhibit.

A customer has deployed a FortiGate 300E with virtual domains (VDOMs) enabled in the multi-VDOM mode. There are three VDOMs: Root is for
management and internet access, while VDOM 1 and VDOM 2 are used for segregating internal tra�c. AccountVInk and SalesVInk are standard
VDOM links in Ethernet mode.
Given the exhibit, which two statements below about VDOM behavior are correct? (Choose two.)

A. You can apply OSPF routing on the VDOM link in either PPP or Ethernet mode

B. Tra�c on AccountVInk and SalesVInk will not be accelerated

C. The VDOM links are in Ethernet mode because they have IP addressed assigned on both sides

D. Root VDOM is an Admin type VDOM, while VDOM 1 and VDOM 2 are Tra�c type VDOMs

E. OSPF routing can be con�gured between VDOM 1 and Root VDOM without any con�guration changes to AccountVInk

18 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #19 Topic 1

You are responsible for recommending an adapter type for NICs on a FortiGate VM that will run on an ESXi Hypervisor.
Your recommendation must consider performance as the main concern, cost is not a factor.
Which adapter type for the NICs will you recommend?

A. Native ESXi Networking with E1000

B. Virtual Function (VF) PCI Passthrough

C. Native ESXi Networking with VMXNET3

D. Physical Function (PF) PCI Passthrough

Question #20 Topic 1

You are deploying a FortiExtender (FEX) on a ForiGate-60F. The FEX will be managed by the FortiGate. You anticipate high utilization. The
requirement is to minimize the overhead on the device for WAN tra�c.
Which action achieves the requirement in this scenario?

A. Add a switch between the FortiGate and FEX.

B. Enable CAPWAP connectivity between the FortiGate and the FortiExtender

C. Change connectivity between the FortiGate and the FortiExtender to use VLAN Mode

D. Add a VLAN under the FEX-WAN interface on the FortiGate

19 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #21 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

A customer wants to deploy 12 FortiAP 431F devices on high density conference center, but they do not currently have any PoE switches to
connect them to. They want to be able to run them at full power while having network redundancy.
From the FortiSwitch models and sample retail prices shown in the exhibit, which build of materials would have the lowest cost, while ful�lling the
customer’s requirements?

A. 1x FortiSwitch 248E-FPOE

B. 2x FortiSwitch 224E-POE

C. 2x FortiSwitch 248E-FPOE

D. 2x FortiSwitch 124E-FPOE

20 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #22 Topic 1

Refer to the exhibits.

Exhibit A -

Exhibit B -

A customer is looking for a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E.
Referring to the exhibits, which two conditions allow authentication to the client devices before assigning an IP address? (Choose two.)

A. FortiGate devices with NP6 and hardware switch interfaces cannot support 802.1X authentication

B. Devices connected directly to ports 3 and 4 can perform 802.1X authentication

C. Ports 3 and 4 can be part of different switch interfaces

21 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

D. Client devices must have 802.1X authentication enabled

Question #23 Topic 1

You want to use the MTA adapter feature on FortiSandbox in an HA-Cluster.

Which statement about this solution is true?

A. The con�guration of the MTA Adapter Local Interface is different than on port1

B. The MTA adapter is only available in the primary node

C. The MTA adapter mode is only detection mode

D. The con�guration is different than on a standalone device

Question #24 Topic 1

Refer to the exhibit showing the history logs from a FortiMail device.

Which FortiMail email security feature can an administrator enable to treat these emails as spam?

A. DKIM validation in a session pro�le

B. Sender domain validation in a session pro�le

C. Impersonation analysis in an antispam pro�le

D. Soft fail SPF validation in an antispam pro�le

22 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #25 Topic 1

Refer to the exhibits, which show a �rewall policy con�guration and a network topology.

Con�guration -

Topology -

23 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

An administrator has con�gured an inbound SSL inspection pro�le on a FortiGate device (FG-1) that is protecting a data center hosting multiple
web pages.
Given the scenario shown in the exhibits, which certi�cate will FortiGate use to handle requests to xyz.com?

A. FortiGate will fall-back to the default Fortinet_CA_SSL certi�cate

B. FortiGate will reject the connection since no certi�cate is de�ned

C. FortiGate will use the Fortmet_CA_Untrusted certi�cate for the untrusted connection

D. FortiGate will use the �rst certi�cate in the server-cert list—the abc.com certi�cate

24 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #26 Topic 1

Refer to the exhibits.

Con�guration -

Topology -

25 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

A FortiGate cluster (CL-1) protects a data center hosting multiple web applications. A pair of FortiADC devices are already con�gured for SSL
decryption (FAD-1), and re-encryption (FAD-2). CL-1 must accept unencrypted tra�c from FAD-1, perform application detection on the plain-text
tra�c, and forward the inspected tra�c to FAD-2.
The SSL-O�oad-App-Detect application list and SSL-O�oad protocol options pro�le are applied to the �rewall policy handling the web application
tra�c on CL-1.
Given this scenario, which two con�guration tasks must the administrator perform on CL-1? (Choose two.)

A.

B.

C.

D.

26 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

E.

Question #27 Topic 1

You are migrating the branches of a customer to FortiGate devices. They require independent routing tables on the LAN side of the network.
After reviewing the design, you notice the �rewall will have many BGP sessions as you have two data centers (DC) and two ISPs per DC while each
branch is using at least 10 internal segments.
Based on this scenario, what would you suggest as the more e�cient solution, considering that in the future the number of internal segments, DCs
or internet links per DC will increase?

A. No change in design is needed as even small FortiGate devices have a large memory capacity

B. Acquire a FortiGate model with more capacity, considering the next 5 years growth

C. Implement network-id, neighbor-group and increase the advertisement-interval

D. Redesign the SD-WAN deployment to only use a single VPN tunnel and segment tra�c using VRFs on BGP

27 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #28 Topic 1

You must analyze an event that happened at 20:37 UTC.

One log relevant to the event is extracted from FortiGate logs:

The devices and the administrator are all located in different time zones Daylight savings time (DST) is disabled.

The FortiGate is at GMT-10:00 -

The FortiAnalyzer is at GMT-08:00
Your browser local time zone is at GMT-03:00
You want to review this log on FortiAnalyzer GUI, what time should you use as a �lter?

A. 20:37:08

B. 10:37:08

C. 17:37:08

D. 12:37:08

Question #29 Topic 1

A customer is planning on moving their secondary data center to a cloud-based IaaS. They want to place all the Oracle-based systems on Oracle
Cloud, while the other systems will be on Microsoft Azure with ExpressRoute service to their main data center.
They have about 200 branches with two internet services as their only WAN connections. As a security consultant you are asked to design an
architecture using Fortinet products with security, redundancy, and performance as a priority.
Which two design options are true based on these requirements? (Choose two.)

A. Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud.

B. Use FortiGate VM for IPSEC over ExpressRoute, as tra�c is not encrypted by Azure.

C. Branch FortiGate devices must be con�gured as VPN clients for the branches’ internal network to be able to access Oracle services without
using public IPs.

D. Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate
device at the data center edge.

28 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #30 Topic 1

Refer to the exhibit, which shows the high availability con�guration for the FortiAuthenticator (FAC1).

GUI Access -

Based on this information, which statement is true about the next FortiAuthenticator (FAC2) member that will join an HA cluster with this
FortiAuthenticator (FAC1)?

A. FAC2 can only process requests when FAC1 fails.

B. FAC2 can have its HA interface on a different network than FAC1

C. The FortiToken license will need to be installed on the FAC2

D. FSSO sessions from FAC1 will be synchronized to FAC2

Question #31 Topic 1

Which two statements are correct on a FortiGate using the FortiGuard Outbreak Protection Service (VOS)? (Choose two.)

A. The FortiGuard VOS can be used only with proxy-base policy inspections.

B. If third-party AV database returns a match the scanned �le is deemed to be malicious.

C. The antivirus database queries FortiGuard with the hash of a scanned �le

D. The AV engine scan must be enabled to use the FortiGuard VOS feature

E. The hash signatures are obtained from the FortiGuard Global Threat Intelligence database

Question #32 Topic 1

A remote worker requests access to an SSH server inside the network. You deployed a ZTNA Rule to their FortiClient. You need to follow the
security requirements to inspect this tra�c.
Which two statements are true regarding the requirements? (Choose two.)

A. FortiGate can perform SSH access proxy host-key validation.

B. You need to con�gure a FortiClient SSL-VPN tunnel to inspect the SSH tra�c.

C. SSH tra�c is tunneled between the client and the access proxy over HTTPS.

D. Tra�c is discarded as ZTNA does not support SSH connection rules.

29 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #33 Topic 1

On a FortiGate con�gured in Transparent mode, which con�guration option allows you to control Multicast tra�c passing through the device?

A.

B.

C.

D.

Question #34 Topic 1

Refer to the CLI con�guration of an SSL inspection pro�le from a FortiGate device con�gured to protect a web server:

Based on the information shown, what is the expected behavior when an HTTP/2 request comes in?

A. FortiGate will reject all HTTP/2 ALPN headers.

B. FortiGate will strip the ALPN header and forward the tra�c.

C. FortiGate will rewrite the ALPN header to request HTTP/1.

D. FortiGate will forward the tra�c without modifying the ALPN header.

30 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #35 Topic 1

Refer to the exhibits.

Topology -

Con�guration -

The exhibits show a FortiGate network topology and the output of the status of high availability on the FortiGate.
Given this information, which statement is correct?

A. The ethertype values of the HA packets are 0x8890, 0x8891, and 0x8892.

B. The cluster mode can support a maximum of four (4) FortiGate VMs.

C. The cluster members are on the same network and the IP addresses were statically assigned.

D. FGVMEVLQOG33WM3D and FGVMEVGCJNHFYI4A share a virtual MAC address.

31 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #36 Topic 1

Refer to the exhibit showing an SD-WAN con�guration.

32 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

33 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

According to the exhibit, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, which outgoing interfaces will be
used?

A. port16 and port1

B. port1 and port1

C. port16 and port15

D. port1 and port15

Question #37 Topic 1

A customer’s cybersecurity department needs to implement security for the tra�c between two VPCs in AWS, but these belong to different
departments within the company. The company uses a single region for all their VPCs.
Which two actions will achieve this requirement while keeping separate management of each departments VPC? (Choose two.)

A. Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force tra�c through
the FortiGate cluster.

B. Create an IAM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and
IPSEC VPN to force tra�c between the VPCs through the FortiGate clusters.

C. Migrate all the instances to the same VPC and create IAM accounts for each department, then implement a new subnet for a FortiGate
auto-scaling group and use routing tables to force the tra�c through the FortiGate cluster.

D. Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate
cluster.

34 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #38 Topic 1

Refer to the exhibit containing the con�guration snippets from the FortiGate.

35 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

36 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Customer requirements:
SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
Public IP address (129.11.1.100) is assigned to port1
Datacenter.acmecorp.com resolves to the public IP address assigned to port1
The customer has a Let’s Encrypt certi�cate that is going to expire soon and it reports that subsequent attempts to renew that certi�cate are
failing.
Reviewing the requirement and the exhibit, which con�guration change below will resolve this issue?

A.

B.

C.

D.

37 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #39 Topic 1

Refer to the exhibit.

The exhibit shows the forensics analysis of an event detected by the FortiEDR core.
In this scenario, which statement is correct regarding the threat?

A. This is an ex�ltration attack and has been stopped by FortiEDR

B. This is an ex�ltration attack and has not been stopped by FortiEDR

C. This is a ransomware attack and has not been stopped by FortiEDR

D. This is a ransomware attack and has been stopped by FortiEDR

Question #40 Topic 1

An automation stitch was con�gured using an incoming webhook as the trigger named ‘my_incoming_webhook’.
The action is con�gured to execute the CLI Script shown:

The base Curl command starts with: curl -k -x POST -H ‘Authorization: Bearer ’ --data <data> <url>
Which Curl command will successfully work with the con�gured automation stitch?

A. data: ‘{ “hostname”: “bad_host_1”, “ip”: [“1.1.1.1”]}’

url: http://192.168.226.129/api/v2/monitor/system/automation-stitch/webhook/my_incoming_webhook

B. data: ‘{ “hostname”: “bad_host_1”, “ip”: “1.1.1.1”}’

url: http://192.168.226.129/api/v2/monitor/system/automation-stitch/webhook/my_incoming_webhook

C. data: ‘{ “hostname”: “bad_host_1”, “ip”: [“1.1.1.1”]}’

url: http://192.168.226.129/api/v2/cmdb/system/automation-stitch/webhook/my_incoming_webhook

D. data: ‘{ “hostname”: “bad_host_1”, “ip”: “1.1.1.1”}’

url: http://192.168.226.129/api/v2/cmdb/system/automation-stitch/webhook/my_incoming_webhook

38 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #41 Topic 1

A customer wants to use the FortiAuthenticator REST API to retrieve an SSO group called SalesGroup. The following API call is being made with
the ‘curl’ utility:

Which two statements correctly describe the expected behavior of the FortiAuthenticator REST API? (Choose two.)

A. Only users with the “Full permission” role can access the REST API

B. This API call will fail because it requires that API version 2

C. If the REST API web service access key is lost, it cannot be retrieved and must be changed.

D. The syntax is incorrect because the API calls needs the get method

Question #42 Topic 1

Refer to the exhibit.

A customer has deployed a FortiGate 200F high-availability (HA) cluster that contains a TPM chip. The exhibit shows output from the FortiGate
CLI session where the administrator enabled TPM.
Following these actions, the administrator immediately notices that both FortiGate high availability (HA) status and FortiManager status for the
FortiGate are negatively impacted.
What are the two reasons for this behavior? (Choose two.)

A. The private-data-encryption key entered on the primary did not match the value that the TPM expected.

B. Con�guration for TPM is not synchronized between FortiGate HA cluster members.

C. The FortiGate has not �nished the auto-update process to synchronize the new con�guration to FortiManager yet.

D. TPM functionality is not yet compatible with FortiGate HA.

E. The administrator needs to manually enter the hex private data encryption key in FortiManager.

39 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #43 Topic 1

Refer to the exhibits.

Dictionary -

Recipient -

Topology -

The exhibits show a FortiMail network topology, Inbound con�guration settings, and a Dictionary Pro�le.
You are required to integrate a third-party’s host service (srv.thirdparty.com) into the e-mail processing path.
All inbound e-mails must be processed by FortiMail antispam and antivirus with FortiSandbox integration. If the email is clean, FortiMail must
forward it to the third-party service, which will send the email back to FortiMail for �nal delivery. FortiMail must not scan the e-mail again.
Which three con�guration tasks must be performed to meet these requirements? (Choose three.)

A. Change the scan order in FML-GW to antispam-sandbox-content

B. Apply the Catch-All pro�le to the CF_Inbound pro�le and con�gure a content action pro�le to deliver to the srv.thirdparty.com FQDN

C. Create an access receive rule with a Sender value of srv.thirdparty.com, Recipient value of *@acme.com, and action value of Safe

D. Apply the Catch-All pro�le to the AS_Inbound pro�le and con�gure an access delivery rule to deliver to the 100.64.0.72 host

E. Create an IP policy with a Source value of 100.64.0.72/32, enable precedence, and place the policy at the top of the list

40 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #44 Topic 1

Refer to the exhibit showing a FortiSOAR playbook.

You are investigating a suspicious e-mail alert on FortiSOAR, and after reviewing the executed playbook, you can see that it requires intervention.
What should be your next step?

A. Go to the Incident Response tasks dashboard and run the pending actions

B. Click on the noti�cation icon on FortiSOAR GUI and run the pending input action

C. Run the Mark Drive by Download playbook action

D. Reply to the e-mail with the requested Playbook action

Question #45 Topic 1

Review the following FortiGate-6000 con�guration excerpt:

Based on the con�guration, which statement is correct regarding SNAT source port partitioning behavior?

A. It dynamically distributes SNAT source ports to operating FPCs or FPMs.

B. It is the default SNAT con�guration and preserves active sessions when an FPC or FPM goes down.

C. It statically distributes SNAT source ports to operating FPCs or FPMs.

D. It equally distributes SNAT source ports across chassis slots.

41 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #46 Topic 1

Refer to the exhibit.

You have been tasked with replacing the managed switch FortiSwitch 2 shown in the topology.
Which two actions are correct regarding the replacement process? (Choose two.)

A. After replacing the FortiSwitch unit, the automatically created trunk name does not change.

B. MCLAG-ICL needs to be manually recon�gured once the new switch is connected to the FortiGate.

C. After replacing the FortiSwitch unit, the automatically created trunk name changes.

D. MCLAG-ICL will be automatically recon�gured once the new switch is connected to the FortiGate.

Question #47 Topic 1

A customer with a FortiDDoS 200F protecting their �bre optic internet connection from incoming tra�c sees that all the tra�c was dropped by the
device even though they were not under a DoS attack. The tra�c �ow was restored after it was rebooted using the GUI.
Which two options will prevent this situation in the future? (Choose two.)

A. Change the Adaptive Mode.

B. Create an HA setup with a second FortiDDoS 200F.

C. Move the internet connection from the SFP interfaces to the LC interfaces.

D. Replace with a FortiDDoS 1500F.

42 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #48 Topic 1

Refer to the exhibit.

The exhibit shows two error messages from a FortiGate root Security Fabric device when you try to con�gure a new connection to a FortiClient
EMS Server.
Referring to the exhibit, which two actions will �x these errors? (Choose two.)

A. Verify that the CRL is accessible from the root FortiGate.

B. Export and import the FortiClient EMS server certi�cate to the root FortiGate.

C. Install a new known CA on the Win2K16-EMS server.

D. Authorize the root FortiGate on the FortiClient EMS.

43 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #49 Topic 1

An administrator has con�gured a FortiGate device to authenticate SSL VPN users using dogotal certi�cates. A FortiAuthenticator is the
certi�cate authority (CA) and the Online Certi�cate Status Protocol (OCSP) server.
Part of the FortiGate con�guration is shown below:

Based on this con�guration, which two statements are true? (Choose two.)

A. OCSP checks will always go to the con�gured FortiAuthenticator

B. The OCSP check of the certi�cate can be combined with a certi�cate revocation list

C. OCSP certi�cate responses are never cached by the FortiGate

D. If the OCSP server is unreachable, authentication will succeed if the certi�cate matches the CA

44 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Question #50 Topic 1

Refer to the exhibit.

To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with con�guring the FortiGate devices to support
injecting of IKE routes on the ADVPN shortcut tunnels.
Which three commands must be added or changed to the FortiGate spoke con�g vpn ipsec phase1-interface options referenced in the exhibit for
the VPN interface to enable this capability? (Choose three.)

A. set net-device disable

B. set mode-cfg enable

C. set ike-version 1

D. set add-route enable

E. set mode-cfg-allow-client-selector enable

Next Questions 

45 of 46 05/10/2024, 9:30 PM
NSE8_812 Exam - Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/fortinet/nse8-812/view/

Unlock free, top-quality video courses on ExamTopics with a simple

registration. Elevate your learning journey with our expertly curated content.
Register now to access a diverse range of educational resources designed for
your success. Start learning today with ExamTopics!

46 of 46 05/10/2024, 9:30 PM