Want to know Pass4sure NSE8 Exam practice test features? Want to learn more about the Fortinet Network Security Expert 8 Written Exam (801) certification experience? Study vivid Fortinet NSE8 answers to the most up-to-date NSE8 questions at Pass4sure. Get success with an absolute guarantee to pass the Fortinet NSE8 (Fortinet Network Security Expert 8 Written Exam (801)) test on your first attempt.

Q17. You are asked to implement a wireless network for a conference center and need to provision a high number of access points to support a large number of wireless client connections.

Which statement describes a valid solution for this requirement?

A. Use a captive portal for guest access. Use both 2.4 GHz and 5 GHz bands. Enable frequency and access point hand-off. Use more channels, thereby supporting more clients.

B. Use an open wireless network with no portal. Use both 2.4 GHz and 5 GHz bands. Use 802.11ac capable access points and configure channel bonding to support greater throughput for wireless clients.

C. Use a pre-shared key only for wireless client security. Use the 5 GHz band only for greater security. Use 802.11ac capable access points and configure channel bonding to support greater throughput for wireless clients.

D. Use a captive portal for guest access. Use both the 2.4 GHz and 5 GHz bands, and configure frequency steering. Configure rogue access point detection in order to automatically control the transmit power of each AP.

Answer: D


Q18. You are an administrator of FortiGate devices that use FortiManager for central management. You need to add a policy on an ADOM, but upon selecting the ADOM drop-down list, you notice that the ADOM is in a locked state. Workflow mode is enabled on your FortiManager to define approval or notification workflow when creating and installing policy changes.

What caused this problem?

A. Another administrator has locked the ADOM and is currently working on it.

B. There is pending approval waiting from a previous modification.

C. You need to use set workspace-mode workflow on the CLI.

D. You have read-only permission on Workflow Approve in the administrator profile.

Answer: D

Explanation:

http://docs.fortinet.com/uploaded/files/2250/FortiManager-5.2.1-Administration-Guide.pdf


Q19. There is an interface-mode IPsec tunnel configured between FortiGate1 and FortiGate2. You want to run OSPF over the IPsec tunnel. On both FortiGates, the IPsec tunnel is based on physical interface port1. Port1 has the default MTU setting on both FortiGate units.

Which statement is true about this scenario?

A. A multicast firewall policy must be added on FortiGate1 and FortiGate2 to allow protocol 89.

B. The MTU must be set manually in the OSPF interface configuration.

C. The MTU must be set manually on the IPsec interface.

D. An IP address must be assigned to the IPsec interface on FortiGate1 and FortiGate2.

Answer: B

Explanation:

If the MTU doesn't match, the neighborship gets stuck in the Exchange state.


Q20. A customer has the following requirements:

- local peer with two Internet links

- remote peer with one Internet link

- secure traffic between the two peers

- granular control with Accept policies

Which solution provides security and redundancy for traffic between the two peers?

A. a fully redundant VPN with interface mode configuration

B. a partially redundant VPN with interface mode configuration

C. a partially redundant VPN with tunnel mode configuration

D. a fully redundant VPN with tunnel mode configuration

Answer: B


Q21. Referring to the diagram shown in the exhibit, you deployed VRRP load balancing using two FortiGate units and two VRRP groups with a VRRP virtual MAC address enabled on both FortiGate’s port2 interface. During normal operation, both FortiGate units are processing traffic and the VRRP groups are used to load balance the traffic between the two FortiGate units.

 

If FortiGate unit A fails, what would happen?

A. The FortiGate Unit B port2 interface sends gratuitous ARPs to associate the VRRP virtual router IP address with its own MAC address, and all traffic fails over to it.

B. The FortiGate Unit B port2 interface will use virtual MAC addresses of 00-00-5e-00-01-05 and 00-00-5e-00-01-0a, and all traffic fails over to it.

C. The FortiGate Unit B port2 interface will use virtual MAC addresses of 00-a0-5e-00-01-05 and 00-a0-5e-00-01-0a, and all traffic fails over to it.

D. The FortiGate Unit B port2 interface will use the physical MAC addresses of the FortiGate Unit A port2 interface, and all traffic fails over to it.

Answer: B

Explanation:

If the primary fails, the secondary device uses the virtual MAC address to forward traffic.


Q22. A customer is authenticating users using a FortiGate and an external LDAP server. The LDAP user, John Smith, cannot authenticate. The administrator runs the debug command diagnose debug application fnbamd 255 while John Smith attempts the authentication:

Based on the output shown in the exhibit, what is causing the problem?

 

A. The LDAP administrator password in the FortiGate configuration is incorrect.

B. The user, John Smith, does have an account in the LDAP server.

C. The user, John Smith, does not belong to any allowed user group.

D. The user, John Smith, is using an incorrect password.

Answer: A

Explanation:

The FortiGate could not bind to the LDAP server because authentication failed.


Q23. You are investigating a problem related to FTP active mode. You use a test PC with IP address 10.100.60.5 to connect to the FTP server at 172.16.133.50 and transfer a large file. The FortiGate translates source address (SNAT) in network 10.100.60.0/24 to the IP address 172.16.133.1.

Which two groups of CLI commands allow you to see information related to this FTP connection? (Choose two.)

A.  

B.  

C.  

D.  

Answer: A,D

Explanation:

FTP active on port 21 and passive uses port 20


Q24. You are asked to establish a VPN tunnel with a service provider using a third-party VPN device. The service provider has assigned subnet 30.30.30.0/24 for your outgoing traffic going towards the services hosted by the provider on network 20.20.20.0/24. You have multiple computers which will be accessing the remote services hosted by the service provider.

 

Which three configuration components meet these requirements? (Choose three.)

A. Configure an IP Pool of type Overload for range 30.30.30.10-30.30.30.10. Enable NAT on a policy from your LAN towards the VPN tunnel and select that pool.

B. Configure IPsec phase 2 proxy IDs for a source of 10.10.10.0/24 and destination of 20.20.20.0/24.

C. Configure an IP Pool of Type One-to-One for range 30.30.30.10-30.30.30.10. Enable NAT on a policy from your LAN towards the VPN tunnel and select that pool.

D. Configure a static route towards the VPN tunnel for 20.20.20.0/24.

E. Configure IPsec phase 2 proxy IDs for a source of 30.30.30.0/24 and destination of 20.20.20.0/24.

Answer: C,D,E