NSE6_FAC-6.4 Practice Exams and Training Solutions for Certifications [Q15-Q35]

September 26, 2023 admin 0 Comments

Rate this post

NSE6_FAC-6.4 Practice Exams and Training Solutions for Certifications

Dumps Free Test Engine Player Verified Answers

NEW QUESTION 15
You want to monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP.
Which two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface? (Choose two)

Enable logging services

Set the tresholds to trigger SNMP traps

Upload management information base (MIB) files to SNMP server

Associate an ASN, 1 mapping rule to the receiving host

To monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP, two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface:
Set the thresholds to trigger SNMP traps for various system events, such as CPU usage, disk usage, memory usage, or temperature.
Upload management information base (MIB) files to SNMP server to enable the server to interpret the SNMP traps sent by FortiAuthenticator.

NEW QUESTION 16
At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)

Configuring a portal policy

Configuring at least on post-login service

Configuring a RADIUS client

Configuring an external authentication portal

enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management

NEW QUESTION 17
You are an administrator for a large enterprise and you want to delegate the creation and management of guest users to a group of sponsors.
How would you associate the guest accounts with individual sponsors?

As an administrator, you can assign guest groups to individual sponsors.

Guest accounts are associated with the sponsor that creates the guest account.

You can automatically add guest accounts to groups associated with specific sponsors.

Select the sponsor on the guest portal, during registration.

Guest accounts are associated with the sponsor that creates the guest account. A sponsor is a user who has permission to create and manage guest accounts on behalf of other users3. A sponsor can create guest accounts using the sponsor portal or the REST API3. The sponsor’s username is recorded as a field in the guest account’s profile3.

NEW QUESTION 18
Which three of the following can be used as SSO sources? (Choose three)

FortiClient SSO Mobility Agent

SSH Sessions

FortiAuthenticator in SAML SP role

Fortigate

RADIUS accounting

FortiAuthenticator supports various SSO sources that can provide user identity information to other devices in the network, such as FortiGate firewalls or FortiAnalyzer log servers. Some of the supported SSO sources are:
FortiClient SSO Mobility Agent: A software agent that runs on Windows devices and sends user login information to FortiAuthenticator.
FortiGate: A firewall device that can send user login information from various sources, such as FSSO agents, captive portals, VPNs, or LDAP servers, to FortiAuthenticator.
RADIUS accounting: A protocol that can send user login information from RADIUS servers or clients, such as wireless access points or VPN concentrators, to FortiAuthenticator.
SSH sessions and FortiAuthenticator in SAML SP role are not valid SSO sources because they do not provide user identity information to other devices in the network. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372410/single-sign-on

NEW QUESTION 19
Which two protocols are the default management access protocols for administrative access for FortiAuthenticator? (Choose two)

Telnet

HTTPS

SSH

SNMP

HTTPS and SSH are the default management access protocols for administrative access for FortiAuthenticator. HTTPS allows administrators to access the web-based GUI of FortiAuthenticator using a web browser and a secure connection. SSH allows administrators to access the CLI of FortiAuthenticator using an SSH client and an encrypted connection. Both protocols require the administrator to enter a valid username and password to log in.

NEW QUESTION 20
Why would you configure an OCSP responder URL in an end-entity certificate?

To designate the SCEP server to use for CRL updates for that certificate

To identify the end point that a certificate has been assigned to

To designate a server for certificate status checking

To provide the CRL location for the certificate

An OCSP responder URL in an end-entity certificate is used to designate a server for certificate status checking. OCSP stands for Online Certificate Status Protocol, which is a method of verifying whether a certificate is valid or revoked in real time. An OCSP responder is a server that responds to OCSP requests from clients with the status of the certificate in question. The OCSP responder URL in an end-entity certificate points to the location of the OCSP responder that can provide the status of that certificate.

NEW QUESTION 21
Examine the screenshot shown in the exhibit.

Which two statements regarding the configuration are true? (Choose two.)

All guest accounts created using the account registration feature will be placed under the Guest_Portal_Users group

All accounts registered through the guest portal must be validated through email

Guest users must fill in all the fields on the registration form

Guest user account will expire after eight hours

The screenshot shows that the account registration feature is enabled for the guest portal and that the guest group is set to Guest_Portal_Users. This means that all guest accounts created using this feature will be placed under that group1. The screenshot also shows that email validation is enabled for the guest portal and that the email validation link expires after 24 hours. This means that all accounts registered through the guest portal must be validated through email within that time frame1.

NEW QUESTION 22
A system administrator wants to integrate FortiAuthenticator with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO.
What feature does FortiAuthenticator offer for this type of integration?

The ability to import and export users from CSV files

RADIUS learning mode for migrating users

REST API

SNMP monitoring and traps

REST API is a feature that allows FortiAuthenticator to integrate with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO. REST API stands for Representational State Transfer Application Programming Interface, which is a method of exchanging data between different systems using HTTP requests and responses. FortiAuthenticator provides a REST API that can be used by external systems to perform various actions, such as creating, updating, deleting, or querying users and groups, or sending FSSO logon or logoff events.

NEW QUESTION 23
What happens when a certificate is revoked? (Choose two)

Revoked certificates cannot be reinstated for any reason

All certificates signed by a revoked CA certificate are automatically revoked

Revoked certificates are automatically added to the CRL

External CAs will priodically query Fortiauthenticator and automatically download revoked certificates

When a certificate is revoked, it means that it is no longer valid and should not be trusted by any entity. Revoked certificates are automatically added to the certificate revocation list (CRL) which is published by the issuing CA and can be checked by other parties. If a CA certificate is revoked, all certificates signed by that CA are also revoked and added to the CRL. Revoked certificates can be reinstated if the reason for revocation is resolved, such as a compromised private key being recovered or a misissued certificate being corrected. External CAs do not query FortiAuthenticator for revoked certificates, but they can use protocols such as SCEP or OCSP to exchange certificate information with FortiAuthenticator. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management

NEW QUESTION 24
When you are setting up two FortiAuthenticator devices in active-passive HA, which HA role must you select on the master FortiAuthenticator?

Active-passive master

Standalone master

Cluster member

Load balancing master

When you are setting up two FortiAuthenticator devices in active-passive HA, you need to select the active-passive master role on the master FortiAuthenticator device. This role means that the device will handle all requests and synchronize data with the slave device until a failover occurs. The slave device must be configured as an active-passive slave role. The other roles are used for different HA modes, such as standalone (no HA), cluster (active-active), or load balancing (active-active with load balancing). Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372411/high-availability

NEW QUESTION 25
Which two statement about the RADIUS service on FortiAuthenticator are true? (Choose two)

Two-factor authentication cannot be enforced when using RADIUS authentication

RADIUS users can migrated to LDAP users

Only local users can be authenticated through RADIUS

FortiAuthenticator answers only to RADIUS client that are registered with FortiAuthenticator

Two statements about the RADIUS service on FortiAuthenticator are true:
RADIUS users can be migrated to LDAP users using the RADIUS learning mode feature. This feature allows FortiAuthenticator to learn user credentials from an existing RADIUS server and store them locally as LDAP users for future authentication requests.
FortiAuthenticator answers only to RADIUS clients that are registered with FortiAuthenticator. A RADIUS client is a device that sends RADIUS authentication or accounting requests to FortiAuthenticator. A RADIUS client must be added and configured on FortiAuthenticator before it can communicate with it.

NEW QUESTION 26
Which behaviors exist for certificate revocation lists (CRLs) on FortiAuthenticator? (Choose two)

CRLs contain the serial number of the certificate that has been revoked

Revoked certificates are automaticlly placed on the CRL

CRLs can be exported only through the SCEP server

All local CAs share the same CRLs

CRLs are lists of certificates that have been revoked by the issuing CA and should not be trusted by any entity. CRLs contain the serial number of the certificate that has been revoked, the date and time of revocation, and the reason for revocation. Revoked certificates are automatically placed on the CRL by the CA and the CRL is updated periodically. CRLs can be exported through various methods, such as HTTP, LDAP, or SCEP. Each local CA has its own CRL that is specific to its issued certificates. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management/372413/certificate-revocation-lists

NEW QUESTION 27
Which FSSO discovery method transparently detects logged off users without having to rely on external features such as WMI polling?

Windows AD polling

FortiClient SSO Mobility Agent

Radius Accounting

DC Polling

FortiClient SSO Mobility Agent is a FSSO discovery method that transparently detects logged off users without having to rely on external features such as WMI polling. FortiClient SSO Mobility Agent is a software agent that runs on Windows devices and communicates with FortiAuthenticator to provide FSSO information. The agent can detect user logon and logoff events without using WMI polling, which can reduce network traffic and improve performance.

NEW QUESTION 28
You have implemented two-factor authentication to enhance security to sensitive enterprise systems.
How could you bypass the need for two-factor authentication for users accessing form specific secured networks?

Create an admin realm in the authentication policy

Specify the appropriate RADIUS clients in the authentication policy

Enable Adaptive Authentication in the portal policy

Enable the Resolve user geolocation from their IP address option in the authentication policy.

Adaptive Authentication is a feature that allows administrators to bypass the need for two-factor authentication for users accessing from specific secured networks. Adaptive Authentication uses geolocation information from IP addresses to determine whether a user is accessing from a trusted network or not. If the user is accessing from a trusted network, FortiAuthenticator can skip the second factor of authentication and grant access based on the first factor only.

NEW QUESTION 29
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?

UUID and time

Time and FortiAuthenticator serial number

Time and seed

Time and mobile location

TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.

NEW QUESTION 30
Which two capabilities does FortiAuthenticator offer when acting as a self-signed or local CA? (Choose two)

Validating other CA CRLs using OSCP

Importing other CA certificates and CRLs

Merging local and remote CRLs using SCEP

Creating, signing, and revoking of X.509 certificates

FortiAuthenticator can act as a self-signed or local CA that can issue certificates to users, devices, or other CAs. It can also import other CA certificates and CRLs to trust them and validate their certificates. It can also create, sign, and revoke X.509 certificates for various purposes, such as VPN authentication, web server encryption, or wireless security. It cannot validate other CA CRLs using OCSP or merge local and remote CRLs using SCEP because these are protocols that require communication with external CAs. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management

NEW QUESTION 31
Which statement about the guest portal policies is true?

Guest portal policies apply only to authentication requests coming from unknown RADIUS clients

Guest portal policies can be used only for BYODs

Conditions in the policy apply only to guest wireless users

All conditions in the policy must match before a user is presented with the guest portal

Guest portal policies are rules that determine when and how to present the guest portal to users who want to access the network. Each policy has a set of conditions that can be based on various factors, such as the source IP address, MAC address, RADIUS client, user agent, or SSID. All conditions in the policy must match before a user is presented with the guest portal. Guest portal policies can apply to any authentication request coming from any RADIUS client, not just unknown ones. They can also be used for any type of device, not just BYODs. They can also apply to wired or VPN users, not just wireless users. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/372406/portal-policies

NEW QUESTION 32
What are three key features of FortiAuthenticator? (Choose three)

Identity management device

Log server

Certificate authority

Portal services

RSSO Server

FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet Single Sign-On (FSSO). It also offers portal services for guest management, self-service password reset, and device registration. It is not a log server or an RSSO server. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/release-notes

NEW QUESTION 33
Which two features of FortiAuthenticator are used for EAP deployment? (Choose two)

Certificate authority

LDAP server

MAC authentication bypass

RADIUS server

Two features of FortiAuthenticator that are used for EAP deployment are certificate authority and RADIUS server. Certificate authority allows FortiAuthenticator to issue and manage digital certificates for EAP methods that require certificate-based authentication, such as EAP-TLS or PEAP-EAP-TLS. RADIUS server allows FortiAuthenticator to act as an authentication server for EAP methods that use RADIUS as a transport protocol, such as EAP-GTC or PEAP-MSCHAPV2.

Loading …

Q&As with Explanations Verified & Correct Answers: https://www.topexamcollection.com/NSE6_FAC-6.4-vce-collection.html

NSE6_FAC-6.4 Practice Tests

NSE6_FAC-6.4 Practice Exams and Training Solutions for Certifications [Q15-Q35]

Related Certifications

NSE5_FMG-6.4
NSE5_FMG-7.2
NSE6_FWF-6.4
NSE5_FCT-7.0
NSE7_EFW-7.0
NSE4_FGT-6.4
NSE6_FSW-7.2
NSE6_FWB-6.1
NSE5_FMG-7.0
NSE6_FAC-6.1