NSE8_812 Online Practice Questions

Latest NSE8_812 Exam Practice Questions

The practice questions for the NSE8_812 exam were last updated on 2025-06-01.

Question#1

Refer to the exhibits.



A customer has deployed a FortiGate with iBGP and eBGP routing enabled. HQ is receiving routes over eBGP from ISP 2; however, only certain routes are showing up in the routing table. Assume that BGP is working perfectly and that the only possible modifications to the routing table are solely due to the prefix list that is applied on HQ.
Given the exhibits, which two routes will be active in the routing table on the HQ firewall? (Choose two.)

A. 172.16.204.128/25
B. 172.16.201.96/29
C. 172,620,64,27
D. 172.16.204.64/27

Explanation:
The prefix list in the exhibit is configured to match prefixes that are either in the 172.16.204.0/24 subnet or in the 172.62.0.0/16 subnet. The routes that match these prefixes will be active in the routing table on the HQ firewall.
The routes that match the following prefixes will not be active in the routing table:

Question#2

Refer to the exhibit containing the configuration snippets from the FortiGate.
Customer requirements:



• SSLVPN Portal must be accessible on standard HTTPS port (TCP/443)
• Public IP address (129.11.1.100) is assigned to port1
• Datacenter.acmecorp.com resolves to the public IP address assigned to port1
The customer has a Let's Encrypt certificate that is going to expire soon and it reports that subsequent attempts to renew that certificate are failing.
Reviewing the requirement and the exhibit, which configuration change below will resolve this issue?
A)



B)



C)



D)


A. Option A
B. Option B
C. Option C
D. Option D

Explanation:
The customer's SSLVPN Portal is currently configured to use a self-signed certificate. This means that the certificate is not trusted by any browsers, and users will have to accept a security warning before they can connect to the portal.
To resolve this issue, the customer needs to configure the FortiGate to use a Let's Encrypt certificate. Let's Encrypt is a free certificate authority that provides trusted certificates for websites and other applications.
The configuration change in option B will configure the FortiGate to use a Let's Encrypt certificate for the SSLVPN Portal. This will allow users to connect to the portal without having to accept a security warning.
The other configuration changes are not necessary to resolve the issue. Option A will configure the FortiGate to use a different port for the SSLVPN Portal, but this will not resolve the issue with the self-signed certificate. Option C will configure the FortiGate to use a different DNS name for the SSLVPN Portal, but this will also not resolve the issue with the self-signed certificate. Option D will configure the FortiGate to use a different certificate authority for the SSLVPN Portal, but this will also not resolve the issue because the customer still needs to use a trusted certificate.
References:
Configuring SSLVPN with Let's Encrypt: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/822087/acme-certificate-support
Let's Encrypt: https://letsencrypt.org/

Question#3

Refer to the exhibit.



FortiManager is configured with the Jinja Script under CLI Templates shown in the exhibit.
Which two statements correctly describe the expected behavior when running this template? (Choose two.)

A. The Jinja template will automatically map the interface with "WAN" role on the managed FortiGate.
B. The template will work if you change the variable format to $(WAN).
C. The template will work if you change the variable format to {{ WAN }}.
D. The administrator must first manually map the interface for each device with a meta field.
E. The template will fail because this configuration can only be applied with a CLI or TCL script.

Explanation:
D. The administrator must first manually map the interface for each device with a meta field.
The Jinja template in the exhibit is expecting a meta field called WAN to be set on the managed FortiGate. This meta field will specify which interface on the FortiGate should be assigned the "WAN" role. If the meta field is not set, then the template will fail.
E. The template will fail because this configuration can only be applied with a CLI or TCL script.
The Jinja template in the exhibit is trying to configure the interface role on the managed FortiGate. This type of configuration can only be applied with a CLI or TCL script. The Jinja template will fail because it is not a valid CLI or TCL script.

Question#4

Refer to the exhibit, which shows a Branch1 configuration and routing table.



In the SD-WAN implicit rule, you do not want traffic to be load balanced for the overlay interface when all members are available.
In this scenario, which configuration change will meet this requirement?

A. Change the load-balance-mode to source-ip-based.
B. Create a new static route with the internet sdwan-zone only.
C. Configure the cost in each overlay member to 10.
D. Configure the priority in each overlay member to 10.

Explanation:
The default load balancing mode for the SD-WAN implicit rule is source IP based. This means that traffic will be load balanced evenly between the overlay members, regardless of the member's priority.
To prevent traffic from being load balanced, you can configure the priority of each overlay member to 10. This will make the member ineligible for load balancing.
The other options are not correct. Changing the load balancing mode to source-IP based will still result in traffic being load balanced. Creating a new static route with the internet sdwan-zone only will not affect the load balancing of the overlay interface. Configuring the cost in each overlay member to 10 will also not affect the load balancing, as the cost is only used when the implicit rule cannot find a match for the destination IP address.


Question#5

A retail customer with a FortiADC HA cluster load balancing five webservers in L7 Full NAT mode is receiving reports of users not able to access their website during a sale event. But for clients that were able to connect, the website works fine.
CPU usage on the FortiADC and the web servers is low, application and database servers are still able to handle more traffic, and the bandwidth utilization is under 30%.
Which two options can resolve this situation? (Choose two.)

A. Change the persistence rule to LB_PERSIS_SSL_SESS_ID.
B. Add more web servers to the real server pool.
C. Disable SSL between the FortiADC and the web servers.
D. Add a connection-pool to the FortiADC virtual server.

Explanation:
Option B: Adding more web servers to the real server pool will increase the overall capacity of the load balancer, which should help to resolve the issue of users not being able to access the website.
Option D: Adding a connection-pool to the FortiADC virtual server will allow the load balancer to cache connections to the web servers, which can help to improve performance and reduce the number of dropped connections.
Option A: Changing the persistence rule to LB_PERSIS_SSL_SESS_ID would only be necessary if the current persistence rule is not working properly. In this case, the CPU usage on the FortiADC and the web servers is low, so the persistence rule is likely not the issue.
Option C: Disabling SSL between the FortiADC and the web servers would reduce the load on the FortiADC, but it would also make the website less secure. Since the bandwidth utilization is under 30%, it is unlikely that disabling SSL would resolve the issue.
Reference: https://docs.fortinet.com/document/fortiadc/7.2.1/handbook/970956/configuring-virtual-servers

Exam Code: NSE8_812 | Q&A: 60 Q&As | Updated: 2025-06-01