Total 106 Questions
Last Updated On : 26-Nov-2025
Refer to the exhibit showing a firewall policy configuration.
To prevent unauthorized access of their cloud assets, an administrator wants to enforce
authentication on firewall policy ID 1.
What change does the administrator need to make?
A. Option A
B. Option B
C. Option C
D. Option D
Explanation: The firewall policy in the exhibit allows all traffic from the internal network to
the cloud. To enforce authentication on this traffic, the administrator needs to add the authon-
demand option to the policy. This option will force all users to authenticate before they are allowed to access the cloud.
The following is the correct configuration:
config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set service "all"
set action accept
set auth-on-demand enable
Refer to the exhibit.
You have deployed a security fabric with three FortiGate devices as shown in the exhibit.
FGT_2 has the following configuration:
FGT_1 and FGT_3 are configured with the default setting. Which statement is true for the
synchronization of fabric-objects?
A. Objects from the FortiGate FGT_2 will be synchronized to the upstream FortiGate.
B. Objects from the root FortiGate will only be synchronized to FGT__2.
C. Objects from the root FortiGate will not be synchronized to any downstream FortiGate.
D. Objects from the root FortiGate will only be synchronized to FGT_3.
Explanation: The fabric-object-unification setting on FGT_2 is set to local, which means
that objects will not be synchronized to any other FortiGate devices in the security fabric.
The default setting for fabric-object-unification is default, which means that objects will be
synchronized from the root FortiGate to all downstream FortiGate devices.
Since FGT_2 is not the root FortiGate and the fabric-object-unification setting is set to local,
objects from the root FortiGate will not be synchronized to FGT_2.
On a FortiGate Configured in Transparent mode, which configuration option allows you to
control Multicast traffic passing through the?
A. Option A
B. Option B
C. Option C
D. Option D
Explanation: To control multicast traffic passing through a FortiGate configured in transparent mode, you can use multicast policies. Multicast policies allow you to filter multicast traffic based on source and destination addresses, protocols, and interfaces. You can also apply securityprofiles to scan multicast traffic for threats and violations.
A remote worker requests access to an SSH server inside the network. You deployed a
ZTNA Rule to their FortiClient. You need to follow the security requirements to inspect this
traffic.
Which two statements are true regarding the requirements? (Choose two.)
A. FortiGate can perform SSH access proxy host-key validation.
B. You need to configure a FortiClient SSL-VPN tunnel to inspect the SSH traffic.
C. SSH traffic is tunneled between the client and the access proxy over HTTPS
D. Traffic is discarded as ZTNA does not support SSH connection rules
Explanation: ZTNA supports SSH connection rules that allow remote workers to access SSH servers inside the network through an HTTPS tunnel between the client and the access proxy (FortiGate). The access proxy acts as an SSH client to connect to the real SSH server on behalf of the user, and performs host-key validation to verify the identity of the server. The user can use any SSH client that supports HTTPS proxy settings, such as PuTTY or OpenSSH.
Refer to the exhibit containing the configuration snippets from the FortiGate. Customer
requirements:
• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
• Public IP address (129.11.1.100) is assigned to portl
• Datacenter.acmecorp.com resolves to the public IP address assigned to portl
The customer has a Let's Encrypt certificate that is going to expire soon and it reports that
subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve
this issue?
A. Option A
B. Option B
C. Option C
D. Option D
Explanation: The customer's SSLVPN Portal is currently configured to use a self-signed
certificate. This means that the certificate is not trusted by any browsers, and users will
have to accept a security warning before they can connect to the portal.
To resolve this issue, the customer needs to configure the FortiGate to use a Let's Encrypt
certificate. Let's Encrypt is a free certificate authority that provides trusted certificates for
websites and other applications.
The configuration change in option B will configure the FortiGate to use a Let's Encrypt
certificate for the SSLVPN Portal. This will allow users to connect to the portal without
having to accept a security warning.
The other configuration changes are not necessary to resolve the issue. Option A will
configure the FortiGate to use a different port for the SSLVPN Portal, but this will not
resolve the issue with the self-signed certificate. Option C will configure the FortiGate to
use a different DNS name for the SSLVPN Portal, but this will also not resolve the issue
with the self-signed certificate. Option D will configure the FortiGate to use a different
certificate authority for the SSLVPN Portal, but this will also not resolve the issue because
the customer still needs to use a trusted certificate.
Refer to the exhibit.
You are deploying a FortiGate 6000F. The device should be directly connected to a switch.
In the future, a new hardware module providing higher speed will be installed in the switch,
and the connection to the FortiGate must be moved to this higher-speed port.
You must ensure that the initial FortiGate interface connected to the switch does not affect
any other port when the new module is installed and the new port speed is defined.
How should the initial connection be made?
A. Connect the switch on any interface between ports 21 to 24
B. Connect the switch on any interface between ports 25 to 28
C. Connect the switch on any interface between ports 1 to 4
D. Connect the switch on any interface between ports 5 to 8.
Explanation: The FortiGate 6000F has 24 1/10/25-Gbps SFP28 data network interfaces (1
to 24). These interfaces are divided into the following interface groups: 1 to 4, 5 to 8, 9 to
12, 13 to 16, 17 to 20, and 21 to 24. The ports 25 to 28 are 40/100-Gbps QSFP28 data
network interfaces.
The initial connection should be made to any interface between ports 1 to 4. This is
because the ports 21 to 24 are part of the same interface group, and changing the speed of
one of these ports will affect the speeds of all of the ports in the group. The ports 5 to 8 are
also part of the same interface group, so they should not be used for the initial connection.
The new hardware module that will be installed in the switch will provide higher speed
ports. When this module is installed, the speed of the ports 21 to 24 will be increased.
However, this will not affect the ports 1 to 4, because they are not part of the same
interface group.
Therefore, the initial connection should be made to any interface between ports 1 to 4, in
order to ensure that the FortiGate interface connected to the switch does not affect any
other port when the new module is installed and the new port speed is defined.
Refer to the exhibit.
FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this
template? (Choose two.)
A. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
B. The template will work if you change the variable format to $(WAN).
C. The template will work if you change the variable format to {{ WAN }}.
D. The administrator must first manually map the interface for each device with a meta field.
E. The template will fail because this configuration can only be applied with a CLI or TCL script.
Explanation: D. The administrator must first manually map the interface for each device
with a meta field.
The Jinja template in the exhibit is expecting a meta field calledWANto be set on the
managed FortiGate. This meta field will specify which interface on the FortiGate should be
assigned the "WAN" role. If the meta field is not set, then the template will fail.
E. The template will fail because this configuration can only be applied with a CLI or TCL
script.
The Jinja template in the exhibit is trying to configure the interface role on the managed
FortiGate. This type of configuration can only be applied with a CLI or TCL script. The Jinja
template will fail because it is not a valid CLI or TCL script.
| Page 3 out of 16 Pages |
| NSE8_812 Practice Test Home | Previous |
Our new Timed NSE8_812 Exam Simulation replicates the exact format, question count, and strict time limit of the real test.
We don't just test your knowledge; we build your Fortinet exam-day stamina and speed, so you can answer with confidence when it matters most.
Copyright © - All Rights Reserved