NSE8_812 Network Security Expert 8 Written Exam Questions and Answers

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthenticator-operation/ta-p/190810

The default load balancing mode for the SD-WAN implicit rule is source IP based. This means that traffic will be load balanced evenly between the overlay members, regardless of the member's priority.

To prevent traffic from being load balanced, you can configure the priority of each overlay member to 10. This will make the member ineligible for load balancing.

The other options are not correct. Changing the load balancing mode to source-IP based will still result in traffic being load balanced. Creating a new static route with the internet sdwan-zone only will not affect the load balancing of the overlay interface. Configuring the cost in each overlay member to 10 will also not affect the load balancing, as the cost is only used when the implicit rule cannot find a match for the destination IP address.

https://docs.fortinet.com/document/fortigate/6.4.0/sd-wan-deployment-for-mssps/775385/defining-interface-members

The FortiGate VM is a virtual firewall appliance that can run on various hypervisors, such as ESXi, Hyper-V, KVM, etc. The adapter type for NICs on a FortiGate VM determines the performance and compatibility of the network interface cards with the hypervisor and the physical network. There are different adapter types available for NICs on a FortiGate VM, such as E1000, VMXNET3, SR-IOV, etc. If performance is the main concern and cost is not a factor, one option is to use native ESXi networking with VMXNET3 adapter type for NICs on a FortiGate VM that will run on an ESXi hypervisor. VMXNET3 is a paravirtualized network interface card that is optimized for performance in virtual machines and supports features such as multiqueue support, Receive Side Scaling (RSS), Large Receive Offload (LRO), IPv6 offloads, and MSI/MSI-X interrupt delivery. Native ESXi networking means that the FortiGate VM uses the standard virtual switch (vSwitch) or distributed virtual switch (dvSwitch) provided by the ESXi hypervisor to connect to the physical network. This option can provide high performance and compatibility for NICs on a FortiGate VM without requiring additional hardware or software components. References: https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/installing-fortigate-vm-on-vmware-esxi https://docs.fortinet.com/document/fortigate/7.0.0/vm-installation-for-vmware-esxi/19662/networking

The customer wants to deploy a solution to authenticate the clients connected to a hardware switch interface of a FortiGate 400E device. A hardware switch interface is an interface that combines multiple physical interfaces into one logical interface, allowing them to act as a singleswitch with one IP address and one set of security policies. The customer wants to use 802.1X authentication for this solution, which is a standard protocol for port-based network access control (PNAC) that authenticates clients based on their credentials before granting them access to network resources. One condition that allows authentication to the client devices before assigning an IP address is that devices connected directly to ports 3 and 4 can perform 802.1X authentication. This is because ports 3 and 4 are part of the hardware switch interface named “lan”, which has an IP address of 10.10.10.254/24 and an inbound SSL inspection profile named “ssl-inspection”. The inbound SSL inspection profile enables the FortiGate device to intercept and inspect SSL/TLS traffic from clients before forwarding it to servers, which allows it to apply security policies and features such as antivirus, web filtering, application control, etc. However, before performing SSL inspection, the FortiGate device needs to authenticate the clients using 802.1X authentication, which requires the clients to send their credentials (such as username and password) to the FortiGate device over a secure EAP (Extensible Authentication Protocol) channel. The FortiGate device then verifies the credentials with an authentication server (such as RADIUS or LDAP) and grants or denies access to the clients based on the authentication result. Therefore, devices connected directly to ports 3 and 4 can perform 802.1X authentication before assigning an IP address. Another condition that allows authentication to the client devices before assigning an IP address is that client devices must have 802.1X authentication enabled. This is because 802.1X authentication is a mutual process that requires both the client devices and the FortiGate device to support and enable it. The client devices must have 802.1X authentication enabled in their network settings, which allows them to initiate the authentication process when they connect to the hardware switch interface of the FortiGate device. The client devices must also have an 802.1X supplicant software installed, which is a program that runs on the client devices and handles the communication with the FortiGate device using EAP messages. The client devices must also have a trusted certificate installed, which is used to verify the identity of the FortiGate device and establish a secure EAP channel. Therefore, client devices must have 802.1X authentication enabled before assigning an IP address. References: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/hardware-switch-interfaces https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/19662/802-1x-authentication

https://docs.fortinet.com/document/fortigate/7.2.0/new-features/959502/support-802-1x-on-virtual-switch-for-certain-np6-platforms

the access point will require about 24.5 W of power and the 124E-FPOE has a Capacity of about 370 meaning 25x12 = 300 so you left with about 70 W on the switch meaning you can still add two more access point on that switch.

https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/822087/automatically-provision-a-certificate

https://docs.fortinet.com/document/fortigate/6.4.0/new-features/520820/improvements-to-synchronizing-objects-across-the-security-fabric-6-4-4

VLAN Mode is a more efficient way to connect a FortiExtender to a FortiGate than CAPWAP Mode. This is because VLAN Mode does not require the FortiExtender to send additional control traffic to the FortiGate.

The other options are not correct.

A. Add a switch between the FortiGate and FEX. This will add overhead to the network, as the switch will need to process the traffic.

B. Enable CAPWAP connectivity between the FortiGate and the FortiExtender. This will increase the overhead on the FortiGate, as it will need to process additional control traffic.

D. Add a VLAN under the FEX-WAN interface on the FortiGate. This will not affect the overhead on the FortiGate.

http://docs.fortinet.com/document/fortiextender/7.0.3/admin-guide-fgt-managed/394272/vlan-mode

http://docs.fortinet.com/document/fortiextender/7.0.3/admin-guide-fgt-managed/618684/vlan-mode-and-performance

https://docs.fortinet.com/document/fortigate/7.4.1/fortigate-6000-administration-guide/81276/controlling-snat-port-partitioning-behavior

"chassis-slots this option statically allocates SNAT source ports to all FPCs that are enabled when you enter the command. If you disable an FPC from the CLI, the SNAT source ports assigned to that FPC will not be re-allocated to the remaining FPCs. All FPCs that are still operating will maintain the same SNAT source port allocation and active sessions being processed by the still operating FPCs will not be affected."

The exhibited playbook requires intervention, which means that the playbook has reached a point where it needs a human operator to take action. The next step should be to go to the Incident Response tasks dashboard and run the pending actions. This will allow you to see the pending actions that need to be taken and to take those actions.

The other options are not correct. Option B will only show you the notification icon, but it will not allow you to run the pending input action. Option C will run the Mark Drive by Download playbook action, but this is not the correct action to take in this case. Option D is not a valid option.

Here are some additional details about pending actions in FortiSOAR:

Pending actions are actions that need to be taken by a human operator.

Pending actions are displayed in the Incident Response tasks dashboard.

Pending actions can be run by clicking on the action in the dashboard.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-perform-zero-touch-provisioning-with/ta-p/197623

The MTA adapter feature on FortiSandbox is a feature that allows FortiSandbox to act as a mail transfer agent (MTA) that can receive, inspect, and forward email messages from external sources. The MTA adapter feature can be used to integrate FortiSandbox with third-party email security solutions that do not support direct integration with FortiSandbox, such as Microsoft Exchange Server or Cisco Email Security Appliance (ESA). The MTA adapter feature can also be used to enhance email security by adding an additional layer of inspection and filtering before delivering email messages to the final destination. The MTA adapter feature can be enabled on FortiSandbox in an HA-Cluster, which is a configuration that allows two FortiSandbox units to synchronize their settings and data and provide high availability and load balancing for sandboxing services. However, one statement about this solution that is true is that the MTA adapter is only available in the primary node. This means that only one FortiSandbox unit in the HA-Cluster can act as an MTA and receive email messages from external sources, while the other unit acts as a backup node that can take over the MTA role if the primary node fails or loses connectivity. This also means that only one IP address or FQDN can be used to configure the external sources to send email messages to the FortiSandbox MTA, which is the IP address or FQDN of the primary node. References: https://docs.fortinet.com/document/fortisandbox/3.2.0/administration-guide/19662/mail-transfer-agent-mta https://docs.fortinet.com/document/fortisandbox/3.2.0/administration-guide/19662/high-availability-ha

https://docs.fortinet.com/document/fortisandbox/4.4.3/administration-guide/877925/mta-adapter

A. Systems running on Azure will need to go through the main data center to access the services on Oracle Cloud. This is because the Oracle Cloud is not directly connected to the Azure Cloud. The traffic will need to go through the main data center in order to reach the Oracle Cloud.

C. Branch FortiGate devices must be configured as VPN clients for the branches' internal network to be able to access Oracle services without using public IPs. This is because the Oracle Cloud does not allow direct connections from the internet. The traffic will need to go through the FortiGate devices in order to reach the Oracle Cloud.

The other options are not correct.

B. Use FortiGate VM for IPSEC over ExpressRoute, as traffic is not encrypted by Azure. This is not necessary. Azure does encrypt traffic over ExpressRoute.

D. Two ExpressRoute services to the main data center are required to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge. This is not necessary. A single ExpressRoute service can be used to implement SD-WAN between a FortiGate VM in Azure and a FortiGate device at the data center edge.

https://learn.microsoft.com/en-us/azure/expressroute/expressroute-about-encryption

The output of the status of high availability on the FortiGate shows that the cluster mode is active-passive, which means that only one FortiGate unit is active at a time, while the other unit is in standby mode. The active unit handles all traffic and also sends HA heartbeat packets to monitor the standby unit. The standby unit becomes active if it stops receiving heartbeat packets from the active unit, or if it receives a higher priority from another cluster unit. In active-passive mode, all cluster units share a virtual MAC address for each interface, which is used as the source MAC address for all packets forwarded by the cluster. References:https://docs.fortinet.com/document/fortigate/6.4.0/cookbook/103439/high-availability-with-two-fortigates

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/834664/route-leaking-between-vrfs-with-bgp

https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-VRRP-HA-configuration-in-Azure-Public/ta-p/267503 https://community.fortinet.com/t5/FortiManager/Technical-Tip-FortiManager-HA-setup-and-troubleshooting/ta-p/222998

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/489324/failover-protection

According to the exhibit, the SD-WAN configuration has two rules: one for traffic to 10.1.100.0/24 subnet, and one for traffic to 10.1.100.16/28 subnet. The first rule uses the best quality strategy, which selects the SD-WAN member with the best measured quality based on performance SLA metrics. The second rule uses the manual strategy, which specifies port1 as the SD-WAN member to select. Therefore, if an internal user pings 10.1.100.2 and 10.1.100.22 from subnet 172.16.205.0/24, the outgoing interfaces will be port16 and port1 respectively, assuming that port16 has the best quality among the SD-WAN members. References:https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/218559/configuring-the-sd-wan-interface

https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/686587/ecmp-support-for-the-longest-match-in-sd-wan-rule-matching