Fortinet NSE8 Exam Questions

Question 6 of 65

A company wants to protect against Denial of Service attacks and has launched a new project. They want to block the attacks that go above a certain threshold and for some others they are just trying to get a baseline of activity for those types of attacks so they are letting the traffic pass through without action. Given the following:
- The interface to the Internet is on WAN1.
- There is no requirement to specify which addresses are being protected or protected from.
- The protection is to extend to all services.
- The tcp_syn_flood attacks are to be recorded and blocked.
- The udp_flood attacks are to be recorded but not blocked.
- The tcp_syn_flood attacks threshold is to be changed from the default to 1000.
The exhibit shows the current DoS-policy.
Exam NSE8: Question 6 - Image 1

Which policy will implement the project requirements?
A)

Exam NSE8: Question 6 - Image 2

Option A

Option B

Option C

Option D

Correct Answer: B, D

Question 7 of 65

Your security department has requested that you implement the OpenSSL.TLS.Heartbeat.Information.Disclosure signature using an IPS sensor to scan traffic destined to the FortiGate. You must log all packets that attempt to exploit this vulnerability.
Referring to the exhibit, which two configurations are required to accomplish this task? (Choose two.)
Exam NSE8: Question 7 - Image 1

Option A

Option B

Option C

Option D

Correct Answer: A, B

Question 8 of 65

Which command syntax would you use to configure the serial number of a FortiGate as its host name?
A)
Exam NSE8: Question 8 - Image 1

Option A

Option B

Option C

Option D

Correct Answer: C

Question 9 of 65

Referring to the exhibit, which statement is true?
Exam NSE8: Question 9 - Image 1

The packet failed the HMAC validation.

The packet did not match any of the local IPsec SAs.

The packet was protected with an unsupported encryption algorithm.

The IPsec negotiation failed because the SPI was unknown.

Correct Answer: A

Question 10 of 65

You are asked to establish a VPN tunnel with a service provider using a third-party VPN device. The service provider has assigned subnet 30.30.30.0/24 for your outgoing traffic going towards the services hosted by the provider on network 20.20.20.0/24. You have multiple computers which will be accessing the remote services hosted by the service provider.
Exam NSE8: Question 10 - Image 1

Which three configuration components meet these requirements? (Choose three.)

Configure an IP Pool of type Overload for range 30.30.30.10-30.30.30.10. Enable NAT on a policy from your LAN forwards the VPN tunnel and select that pool.

Configure IPsec phase 2 proxy IDs for a source of 10.10.10.0/24 and destination of 20.20.20.0/24.

Configure an IP Pool of Type One-to-One for range 30.30.30.10-30.30.30.10. Enable NAT on a policy from your LAN towards the VPN tunnel and select that pool.

Configure a static route towards the VPN tunnel for 20.20.20.0/24.

Configure IPsec phase 2 proxy IDs for a source of 30.30.30.0/24 and destination of 20.20.20.0/24.

Correct Answer: C, D, E