Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Fortinet
  5. NSE8_812

Fortinet NSE8_812 Exam
Fortinet NSE 8 Written (Page 4 )

Updated On: 7-Feb-2026
Page 4 of 22
PDF with 118 Questions

Refer to the exhibit.



You are operating an internal network with multiple OSPF routers on the same LAN segment. FGT_3 needs to be added to the OSPF network and has the configuration shown in the exhibit. FGT_3 is not establishing any OSPF connection.
What needs to be changed to the configuration to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election?
A)



B)



C)



D)

  1. Option A
  2. Option B
  3. Option C
  4. Option D

Answer(s): B

Explanation:

The OSPF configuration shown in the exhibit is using the default priority value of 1 for the interface port1. This means that FGT_3 will participate in the DR/BDR election process with the other OSPF routers on the same LAN segment. However, this is not desirable because FGT_3 is a new device that needs to be added to the OSPF network without affecting the existing DR/BDR election. Therefore, to make sure FGT_3 will establish OSPF neighbors without affecting the DR/BDR election, the priority value of the interface port1 should be changed to 0. This will prevent FGT_3 from becoming a DR or BDR and allow it to form OSPF adjacencies with the current DR and BDR. Option B shows the correct configuration that changes the priority value to 0. Option A is incorrect because it does not change the priority value. Option C is incorrect because it changes the network type to point-to-point, which is not suitable for a LAN segment with multiple OSPF routers. Option D is incorrect because it changes the area ID to 0.0.0.1, which does not match the area ID of the other OSPF routers on the same LAN segment.


Reference:

https://docs.fortinet.com/document/fortigate/7.0.0/administration- guide/358640/basic-ospf-example



A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)

  1. Change the persistence rule to LB_PERSIS_SSL_SESSJD.
  2. Add more web servers to the real server poof
  3. Disable SSL between the FortiADC and the web servers
  4. Add a connection-pool to the FortiADC virtual server

Answer(s): A,D



Refer to the CLI output:



Given the information shown in the output, which two statements are correct? (Choose two.)

  1. Geographical IP policies are enabled and evaluated after local techniques.
  2. Attackers can be blocked before they target the servers behind the FortiWeb.
  3. The IP Reputation feature has been manually updated
  4. An IP address that was previously used by an attacker will always be blocked
  5. Reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored

Answer(s): B,E

Explanation:

The CLI output shown in the exhibit indicates that FortiWeb has enabled IP Reputation feature with local techniques enabled and geographical IP policies enabled after local techniques (set geoip- policy-order after-local). IP Reputation feature is a feature that allows FortiWeb to block or allow traffic based on the reputation score of IP addresses, which reflects their past malicious activities or behaviors. Local techniques are methods that FortiWeb uses to dynamically update its own blacklist based on its own detection of attacks or violations from IP addresses (such as signature matches, rate limiting, etc.). Geographical IP policies are rules that FortiWeb uses to block or allow traffic based on the geographical location of IP addresses (such as country, region, city, etc.). Therefore, based on the output, one correct statement is that attackers can be blocked before they target the servers behind the FortiWeb. This is because FortiWeb can use IP Reputation feature to block traffic from IP addresses that have a low reputation score or belong to a blacklisted location, which prevents them from reaching the servers and launching attacks. Another correct statement is that reputation from blacklisted IP addresses from DHCP or PPPoE pools can be restored. This is because FortiWeb can use local techniques to remove IP addresses from its own blacklist if they stop sending malicious traffic for a certain period of time (set local-techniques-expire-time), which allows them to regain their reputation and access the servers. This is useful for IP addresses that are dynamically assigned by DHCP or PPPoE and may change frequently.


Reference:

https://docs.fortinet.com/document/fortiweb/6.4.0/administration-guide/19662/ip-reputation https://docs.fortinet.com/document/fortiweb/6.4.0/administration-guide/19662/geographical-ip- policies https://docs.fortinet.com/document/fortiweb/7.4.2/administration-guide/608374/ip-reputation- blocklisting-source-ips-with-poor-reputation Fortinet compiles a reputation for each public IP address. Clients will have poor reputations if they have been participating in attacks, willingly or otherwise. Because blacklisting innocent clients is equally undesirable, Fortinet also restores the reputations of clients that improve their behavior. This is crucial when an infected computer is cleaned, or in DHCP or PPPoE pools where an innocent client receives an IP address that was previously leased by an attacker.



Refer to the exhibit.



You are deploying a FortiGate 6000F. The device should be directly connected to a switch. In the future, a new hardware module providing higher speed will be installed in the switch, and the connection to the FortiGate must be moved to this higher-speed port. You must ensure that the initial FortiGate interface connected to the switch does not affect any other port when the new module is installed and the new port speed is defined.

How should the initial connection be made?

  1. Connect the switch on any interface between ports 21 to 24
  2. Connect the switch on any interface between ports 25 to 28
  3. Connect the switch on any interface between ports 1 to 4
  4. Connect the switch on any interface between ports 5 to 8.

Answer(s): B


Reference:

FortiGate 6000F Front Panel Interfaces: https://docs.fortinet.com/document/fortigate- 6000/hardware/fortigate-6000f-system-guide/827055/front-panel-interfaces https://docs.fortinet.com/document/fortigate-6000/7.0.12/fortigate-6000- handbook/633498/interface-groups-and-changing-data-interface-speeds



Which feature must you enable on the BGP neighbors to accomplish this goal?

  1. Graceful-restart
  2. Deterministic-med
  3. Synchronization
  4. Soft-reconfiguration

Answer(s): A

Explanation:

Graceful-restart is a feature that allows BGP neighbors to maintain their routing information during a BGP restart or failover event, without disrupting traffic forwarding or causing route flaps. Graceful- restart works by allowing a BGP speaker (the restarting router) to notify its neighbors (the helper routers) that it is about to restart or failover, and request them to preserve their routing information and forwarding state for a certain period of time (the restart time). The helper routers then mark the routes learned from the restarting router as stale, but keep them in their routing table and continue forwarding traffic based on them until they receive an end-of-RIB marker from the restarting router or until the restart time expires. This way, graceful-restart can minimize traffic disruption and routing instability during a BGP restart or failover event.


Reference:

https://docs.fortinet.com/document/fortigate/7.0.0/cookbook/19662/bgp-graceful-restart






Post your Comments and Discuss Fortinet NSE8_812 exam prep with other Community members:

Join the NSE8_812 Discussion