The Secret Of Fortinet NSE6_FAC-6.4 Test Preparation

NEW QUESTION 1
How can a SAML metada file be used?

• A. To defined a list of trusted user names
• B. To import the required IDP configuration
• C. To correlate the IDP address to its hostname
• D. To resolve the IDP realm for authentication

Answer: B

Explanation:
A SAML metadata file can be used to import the required IDP configuration for SAML service provider mode. A SAML metadata file is an XML file that contains information about the identity provider (IDP) and the service provider (SP), such as their entity IDs, endpoints, certificates, and attributes. By importing a SAML metadata file from the IDP, FortiAuthenticator can automatically configure the necessary settings for SAML service provider mode.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/saml-service-provider#

NEW QUESTION 2
Which interface services must be enabled for the SCEP client to connect to Authenticator?

• A. OCSP
• B. REST API
• C. SSH
• D. HTTP/HTTPS

Answer: D

Explanation:
HTTP/HTTPS are the interface services that must be enabled for the SCEP client to connect to FortiAuthenticator. SCEP stands for Simple Certificate Enrollment Protocol, which is a method of requesting and issuing digital certificates over HTTP or HTTPS. FortiAuthenticator supports SCEP as a certificate authority (CA) and can process SCEP requests from SCEP clients. To enable SCEP on FortiAuthenticator, the HTTP or HTTPS service must be enabled on the interface that receives the SCEP requests.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management

NEW QUESTION 3
Which FSSO discovery method transparently detects logged off users without having to rely on external features such as WMI polling?

• A. Windows AD polling
• B. FortiClient SSO Mobility Agent
• C. Radius Accounting
• D. DC Polling

Answer: B

Explanation:
FortiClient SSO Mobility Agent is a FSSO discovery method that transparently detects logged off users without having to rely on external features such as WMI polling. FortiClient SSO Mobility Agent is a software agent that runs on Windows devices and communicates with FortiAuthenticator to provide FSSO information. The agent can detect user logon and logoff events without using WMI polling, which can reduce network traffic and improve performance.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/single-sign-on#forticlie

NEW QUESTION 4
You are an administrator for a large enterprise and you want to delegate the creation and management of guest users to a group of sponsors.
How would you associate the guest accounts with individual sponsors?

• A. As an administrator, you can assign guest groups to individual sponsors.
• B. Guest accounts are associated with the sponsor that creates the guest account.
• C. You can automatically add guest accounts to groups associated with specific sponsors.
• D. Select the sponsor on the guest portal, during registration.

Answer: B

Explanation:
Guest accounts are associated with the sponsor that creates the guest account. A sponsor is a user who has permission to create and manage guest accounts on behalf of other users3. A sponsor can create guest accounts using the sponsor portal or the REST API3. The sponsor’s username is recorded as a field in the guest account’s profile3.
References: 3 https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/guest

NEW QUESTION 5
At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)

• A. Configuring a portal policy
• B. Configuring at least on post-login service
• C. Configuring a RADIUS client
• D. Configuring an external authentication portal

Answer: AB

Explanation:
To enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management

NEW QUESTION 6
What capability does the inbound proxy setting provide?

• A. It allows FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access,
• B. It allows FortiAuthenticator to act as a proxy for remote authentication servers.
• C. It allows FortiAuthenticator the ability to round robin load balance remote authentication servers.
• D. It allows FortiAuthenticator system access to authenticating users, based on a geo IP address designation.

Answer: A

Explanation:
The inbound proxy setting provides the ability for FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access. The inbound proxy setting allows FortiAuthenticator to use the X-Forwarded-For header in the HTTP request to identify the original client IP address. This can help FortiAuthenticator apply the correct authentication policy or portal policy based on the source IP address.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/system-settings#inboun

NEW QUESTION 7
Which two statements about the EAP-TTLS authentication method are true? (Choose two)

• A. Uses mutual authentication
• B. Uses digital certificates only on the server side
• C. Requires an EAP server certificate
• D. Support a port access control (wired) solution only

Answer: BC

Explanation:
EAP-TTLS is an authentication method that uses digital certificates only on the server side to establish a secure tunnel between the server and the client. The client does not need a certificate but can use any inner authentication method supported by the server, such as PAP, CHAP, MS-CHAP, or EAP-MD5. EAP-TTLS requires an EAP server certificate that is issued by a trusted CA and installed on the FortiAuthenticator device acting as the EAP server. EAP-TTLS supports both wireless and wired solutions for port access control. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372412/eap-ttls

NEW QUESTION 8
An administrator is integrating FortiAuthenticator with an existing RADIUS server with the intent of eventually replacing the RADIUS server with FortiAuthenticator.
How can FortiAuthenticator help facilitate this process?

• A. By configuring the RADIUS accounting proxy
• B. By enabling automatic REST API calls from the RADIUS server
• C. By enabling learning mode in the RADIUS server configuration
• D. By importing the RADIUS user records

Answer: C

Explanation:
FortiAuthenticator can help facilitate the process of replacing an existing RADIUS server by enabling learning mode in the RADIUS server configuration. This allows FortiAuthenticator to learn user credentials from the existing RADIUS server and store them locally for future authentication requests2. This way, FortiAuthenticator can gradually take over the role of the RADIUS server without disrupting the user experience.
References: 2 https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/radiu

NEW QUESTION 9
Which statement about captive portal policies is true, assuming a single policy has been defined?

• A. All conditions in the policy must match before a user is presented with the captive portal.
• B. Conditions in the policy apply only to wireless users.
• C. Portal policies can be used only for BYODs.

Answer: B

Explanation:
Captive portal policies are used to define the conditions and settings for presenting a captive portal to users who need to authenticate before accessing the network. A captive portal policy consists of a set of conditions and a set of actions. The conditions can be based on various attributes, such as source IP address, MAC address, user group, device type, or RADIUS client. The actions can include redirecting the user to a specific portal, applying a specific authentication method, or assigning a specific VLAN or firewall policy. A single policy can have multiple conditions, and all conditions in the policy must match before a user is presented with the captive portal.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/portal-services#captive

NEW QUESTION 10
You want to monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP.
Which two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface? (Choose two)

• A. Enable logging services
• B. Set the tresholds to trigger SNMP traps
• C. Upload management information base (MIB) files to SNMP server
• D. Associate an ASN, 1 mapping rule to the receiving host

Answer: BC

Explanation:
To monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP, two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface:
Set the thresholds to trigger SNMP traps for various system events, such as CPU usage, disk usage, memory usage, or temperature.
Upload management information base (MIB) files to SNMP server to enable the server to interpret the SNMP traps sent by FortiAuthenticator.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/system-settings#snmp

NEW QUESTION 11
Which statement about the guest portal policies is true?

• A. Guest portal policies apply only to authentication requests coming from unknown RADIUS clients
• B. Guest portal policies can be used only for BYODs
• C. Conditions in the policy apply only to guest wireless users
• D. All conditions in the policy must match before a user is presented with the guest portal

Answer: D

Explanation:
Guest portal policies are rules that determine when and how to present the guest portal to users who want to access the network. Each policy has a set of conditions that can be based on various factors, such as the source IP address, MAC address, RADIUS client, user agent, or SSID. All conditions in the policy must match before a user is presented with the guest portal. Guest portal policies can apply to any authentication request coming from any RADIUS client, not just unknown ones. They can also be used for any type of device, not just BYODs. They can also apply to wired or VPN users, not just wireless users. References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/37240

NEW QUESTION 12
Which two protocols are the default management access protocols for administrative access for FortiAuthenticator? (Choose two)

• A. Telnet
• B. HTTPS
• C. SSH
• D. SNMP

Answer: BC

Explanation:
HTTPS and SSH are the default management access protocols for administrative access for FortiAuthenticator. HTTPS allows administrators to access the web-based GUI of FortiAuthenticator using a web browser and a secure connection. SSH allows administrators to access the CLI of FortiAuthenticator using an SSH client and an encrypted connection. Both protocols require the administrator to enter a valid username and password to log in.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/system-settings#manag

NEW QUESTION 13
Which two features of FortiAuthenticator are used for EAP deployment? (Choose two)

• A. Certificate authority
• B. LDAP server
• C. MAC authentication bypass
• D. RADIUS server

Answer: AD

Explanation:
Two features of FortiAuthenticator that are used for EAP deployment are certificate authority and RADIUS server. Certificate authority allows FortiAuthenticator to issue and manage digital certificates for EAP methods that require certificate-based authentication, such as EAP-TLS or PEAP-EAP-TLS. RADIUS server allows FortiAuthenticator to act as an authentication server for EAP methods that use RADIUS as a transport protocol, such as EAP-GTC or PEAP-MSCHAPV2.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/wireless-802-1x-authen

NEW QUESTION 14
Which two capabilities does FortiAuthenticator offer when acting as a self-signed or local CA? (Choose two)

• A. Validating other CA CRLs using OSCP
• B. Importing other CA certificates and CRLs
• C. Merging local and remote CRLs using SCEP
• D. Creating, signing, and revoking of X.509 certificates

Answer: BD

Explanation:
FortiAuthenticator can act as a self-signed or local CA that can issue certificates to users, devices, or other CAs. It can also import other CA certificates and CRLs to trust them and validate their certificates. It can also create, sign, and revoke X.509 certificates for various purposes, such as VPN authentication, web server encryption, or wireless security. It cannot validate other CA CRLs using OCSP or merge local and remote CRLs using SCEP because these are protocols that require communication with external CAs. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management

NEW QUESTION 15
......