Question 1

A customer's cybersecurity department needs to implement security for the traffic between two VPCs in AWS,

but these belong to different departments within the company. The company uses a single region for all their

VPCs.

Which two actions will achieve this requirement while keeping separate management of each department's

VPC? (Choose two.)

Options :

A : Create a transit VPC with a FortiGate HA cluster, connect to the other two using VPC peering, and use routing tables to force traffic through the FortiGate cluster.

B : Create an 1AM account for the cybersecurity department to manage both existing VPC, create a FortiGate HA Cluster on each VPC and IPSEC VPN to force traffic between the VPCs through the FortiGate clusters

C : Migrate all the instances to the same VPC and create 1AM accounts for each department, then implement a new subnet for a FortiGate auto-scaling group and use routing tables to force the traffic through the FortiGate cluster.

D : Create a VPC with a FortiGate auto-scaling group with a Transit Gateway attached to the three VPC to force routing through the FortiGate cluster

Answer: A,D

Question 2

A FortiGate deployment contains the following configuration:

What is the result of this configuration?

Options :

A : Route-maps are not configurable in VDOM SERVICES

B : Route-maps for VDOM SERVICES are excluded from HA configuration synchronization

C : Route-maps from VDOM SERVICES are available in all other VDOMs

D : Route-maps from the Root VDOM configuration are available in VDOM SERVICES

Answer: B

Question 3

Refer to the exhibit showing FortiGate configurations

FortiManager VM high availability (HA) is not functioning as expected after being added to an existing

deployment.

The administrator finds that VRRP HA mode is selected, but primary and secondary roles are greyed out in the

GUI The managed devices never show online when FMG-B becomes primary, but they will show online

whenever the FMG-A becomes primary.

What change will correct HA functionality in this scenario?

Options :

A : Change the FortiManager IP address on the managed FortiGate to 10.3.106.65.

B : Make the monitored IP to match on both FortiManager devices.

C : Unset the primary and secondary roles in the FortiManager CLI configuration so VRRP will decide who is primary.

D : Change the priority of FMG-A to be numerically lower for higher preference

Answer: B

Question 4

Refer to the exhibit.

To facilitate a large-scale deployment of SD-WAN/ADVPN with FortiGate devices, you are tasked with

configuring the FortiGate devices to support injecting of IKE routes on the ADVPN shortcut tunnels.

Which three commands must be added or changed to the FortiGate spoke config vpn ipsec phasei-interface

options referenced in the exhibit for the VPN interface to enable this capability? (Choose three.)

Options :

A : set net-device disable

B : set mode-cfg enable

C : set ike-version 1

D : set add-route enable

E : set mode-cfg-allow-client-selector enable

Answer: A,D

Question 5

Refer to the exhibit, which shows diagnostic output.

A customer reports that ICMP traffic flow from 192.168.1.11 to 93.190.134.171 is not corresponding to the SD-WAN setup. What is the problem in this scenario?

Options :

A : SD-WAN Rule is matching only DNS traffic.

B : Port1 is used because it has more available bandwidth.

C : Traffic is matched by policy route.

D : Route for the destination IP is missing in the routing table.

Answer: C

Confidently Practice Online with Free NSE8_812 Exam Cram

Buying Options: