Recently Updated December 2023 Test Engine and PDF: Fortinet NSE6_FAC-6.4 Test Guarantees Your Fastest Fortinet Exam Preparation! [Q10-Q29]


Question # 10
Which method is the most secure way of delivering FortiToken data once the token has been seeded?

  • A. Shipment of the seed files on a CD using a tamper-evident envelope
  • B. Automatic token generation using FortiAuthenticator
  • C. Using the in-house token provisioning tool
  • D. Online activation of the tokens through the FortiGuard network

Correct answer: D

Explanation:
Online activation of the tokens through the FortiGuard network is the most secure way of delivering FortiToken data once the token has been seeded because it eliminates the risk of seed files being compromised during transit or storage. The other methods involve physical or manual delivery of seed files which can be intercepted, lost, or stolen. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372403/fortitoken


Question # 11
Which of the following is an OATH-based standard to generate event-based, one-time password tokens?

  • A. HOTP
  • B. OLTP
  • C. TOTP
  • D. SOTP

Correct answer: A

Explanation:
HOTP stands for HMAC-based One-time Password, which is an OATH-based standard to generate event-based OTP tokens. HOTP uses a cryptographic hash function called HMAC (Hash-based Message Authentication Code) to generate OTPs based on two pieces of information: a secret key and a counter. The counter is incremented by one after each OTP generation, creating an event-based sequence of OTPs.


Question # 12
Which two are supported captive or guest portal authentication methods? (Choose two)

  • A. LinkedIn
  • B. Apple ID
  • C. Instagram
  • D. Email

Correct answer: A, D

Explanation:
FortiAuthenticator supports various captive or guest portal authentication methods, including social media login with LinkedIn, Facebook, Twitter, Google+, or WeChat; email verification; SMS verification; voucher code; username and password; and MAC address bypass. Apple ID and Instagram are not supported as authentication methods. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/372405/authentication-methods


Question # 13
An administrator is integrating FortiAuthenticator with an existing RADIUS server with the intent of eventually replacing the RADIUS server with FortiAuthenticator.
How can FortiAuthenticator help facilitate this process?

  • A. By enabling learning mode in the RADIUS server configuration
  • B. By importing the RADIUS user records
  • C. By enabling automatic REST API calls from the RADIUS server
  • D. By configuring the RADIUS accounting proxy

Correct answer: A

Explanation:
FortiAuthenticator can help facilitate the process of replacing an existing RADIUS server by enabling learning mode in the RADIUS server configuration. This allows FortiAuthenticator to learn user credentials from the existing RADIUS server and store them locally for future authentication requests. This way, FortiAuthenticator can gradually take over the role of the RADIUS server without disrupting the user experience.


Question # 14
Which statement about the assignment of permissions for sponsor and administrator accounts is true?

  • A. Only administrator account permissions are assigned using admin profiles.
  • B. Both sponsor and administrator account permissions are assigned using admin profiles.
  • C. Sponsor permissions are assigned using group settings.
  • D. Administrator capabilities are assigned by applying permission sets to admin groups.

Correct answer: B

Explanation:
Both sponsor and administrator account permissions are assigned using admin profiles. An admin profile is a set of permissions that defines what actions an administrator or a sponsor can perform on FortiAuthenticator. An admin profile can be assigned to an admin group or an individual admin user. A sponsor is a special type of admin user who can create and manage guest accounts on behalf of other users.


Question # 15
What are three key features of FortiAuthenticator? (Choose three)

  • A. Identity management device
  • B. Portal services
  • C. RSSO Server
  • D. Certificate authority
  • E. Log server

Correct answer: A, B, D

Explanation:
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet Single Sign-On (FSSO). It also offers portal services for guest management, self-service password reset, and device registration. It is not a log server or an RSSO server. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/release-notes


Question # 16
At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)

  • A. Configuring a RADIUS client
  • B. Configuring a portal policy
  • C. Configuring an external authentication portal
  • D. Configuring at least one post-login service

Correct answer: B, D

Explanation:
To enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management


Question # 17
Which EAP method is known as the outer authentication method?

  • A. MSCHAPV2
  • B. EAP-TLS
  • C. PEAP
  • D. EAP-GTC

Correct answer: C

Explanation:
PEAP is known as the outer authentication method because it establishes a secure tunnel between the client and the server using TLS. The inner authentication method, such as EAP-GTC, EAP-TLS, or MSCHAPV2, is then used to authenticate the client within the tunnel.


Question # 18
Which FSSO discovery method transparently detects logged off users without having to rely on external features such as WMI polling?

  • A. Windows AD polling
  • B. FortiClient SSO Mobility Agent
  • C. RADIUS Accounting
  • D. DC Polling

Correct answer: B

Explanation:
FortiClient SSO Mobility Agent is an FSSO discovery method that transparently detects logged off users without having to rely on external features such as WMI polling. FortiClient SSO Mobility Agent is a software agent that runs on Windows devices and communicates with FortiAuthenticator to provide FSSO information. The agent can detect user logon and logoff events without using WMI polling, which can reduce network traffic and improve performance.


Question # 19
At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)

  • A. Configuring a RADIUS client
  • B. Configuring a portal policy
  • C. Configuring an external authentication portal
  • D. Configuring at least one post-login service

Correct answer: B, D

Explanation:
To enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management


Question # 20
Which two features of FortiAuthenticator are used for EAP deployment? (Choose two)

  • A. RADIUS server
  • B. LDAP server
  • C. Certificate authority
  • D. MAC authentication bypass

Correct answer: A, C

Explanation:
Two features of FortiAuthenticator that are used for EAP deployment are certificate authority and RADIUS server. Certificate authority allows FortiAuthenticator to issue and manage digital certificates for EAP methods that require certificate-based authentication, such as EAP-TLS or PEAP-EAP-TLS. RADIUS server allows FortiAuthenticator to act as an authentication server for EAP methods that use RADIUS as a transport protocol, such as EAP-GTC or PEAP-MSCHAPV2.


Question # 21
Which two protocols are the default management access protocols for administrative access for FortiAuthenticator? (Choose two)

  • A. SSH
  • B. SNMP
  • C. HTTPS
  • D. Telnet

Correct answer: A, C

Explanation:
HTTPS and SSH are the default management access protocols for administrative access for FortiAuthenticator. HTTPS allows administrators to access the web-based GUI of FortiAuthenticator using a web browser and a secure connection. SSH allows administrators to access the CLI of FortiAuthenticator using an SSH client and an encrypted connection. Both protocols require the administrator to enter a valid username and password to log in.


Question # 22
Which behaviors exist for certificate revocation lists (CRLs) on FortiAuthenticator? (Choose two)

  • A. CRLs contain the serial number of the certificate that has been revoked
  • B. All local CAs share the same CRLs
  • C. CRLs can be exported only through the SCEP server
  • D. Revoked certificates are automatically placed on the CRL

Correct answer: A, D

Explanation:
CRLs are lists of certificates that have been revoked by the issuing CA and should not be trusted by any entity. CRLs contain the serial number of the certificate that has been revoked, the date and time of revocation, and the reason for revocation. Revoked certificates are automatically placed on the CRL by the CA and the CRL is updated periodically. CRLs can be exported through various methods, such as HTTP, LDAP, or SCEP. Each local CA has its own CRL that is specific to its issued certificates. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management/372413/certificate-revocation-lists


Question # 23
How can a SAML metadata file be used?

  • A. To import the required IDP configuration
  • B. To define a list of trusted user names
  • C. To resolve the IDP realm for authentication
  • D. To correlate the IDP address to its hostname

Correct answer: A

Explanation:
A SAML metadata file can be used to import the required IDP configuration for SAML service provider mode. A SAML metadata file is an XML file that contains information about the identity provider (IDP) and the service provider (SP), such as their entity IDs, endpoints, certificates, and attributes. By importing a SAML metadata file from the IDP, FortiAuthenticator can automatically configure the necessary settings for SAML service provider mode.


Question # 24
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?

  • A. UUID and time
  • B. Time and mobile location
  • C. Time and seed
  • D. Time and FortiAuthenticator serial number

Correct answer: C

Explanation:
TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.


Question # 25
When you are setting up two FortiAuthenticator devices in active-passive HA, which HA role must you select on the master FortiAuthenticator?

  • A. Cluster member
  • B. Active-passive master
  • C. Load balancing master
  • D. Standalone master

Correct answer: B

Explanation:
When you are setting up two FortiAuthenticator devices in active-passive HA, you need to select the active-passive master role on the master FortiAuthenticator device. This role means that the device will handle all requests and synchronize data with the slave device until a failover occurs. The slave device must be configured as an active-passive slave role. The other roles are used for different HA modes, such as standalone (no HA), cluster (active-active), or load balancing (active-active with load balancing). Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372411/high-availability


Question # 26
Which two statements about the self-service portal are true? (Choose two)

  • A. Authenticating users must specify domain name along with username
  • B. Realms can be used to configure which self-registered users or groups can authenticate on the network
  • C. Self-registration information can be sent to the user through email or SMS
  • D. Administrator approval is required for all self-registration

Correct answer: B, C

Explanation:
Two statements about the self-service portal are true:
Self-registration information can be sent to the user through email or SMS using the notification templates feature. This feature allows administrators to customize the messages that are sent to users when they register or perform other actions on the self-service portal.
Realms can be used to configure which self-registered users or groups can authenticate on the network using the realm-based authentication feature. This feature allows administrators to apply different authentication policies and settings to different groups of users based on their realm membership.


Question # 27
An administrator wants to keep local CA cryptographic keys stored in a central location.
Which FortiAuthenticator feature would provide this functionality?

  • A. REST API
  • B. SFTP server
  • C. Network HSM
  • D. SCEP support

Correct answer: C

Explanation:
Network HSM is a feature that allows FortiAuthenticator to keep local CA cryptographic keys stored in a central location. HSM stands for Hardware Security Module, which is a physical device that provides secure storage and generation of cryptographic keys. Network HSM allows FortiAuthenticator to use an external HSM device to store and manage the private keys of its local CAs, instead of storing them locally on the FortiAuthenticator device.


Question # 28
What happens when a certificate is revoked? (Choose two)

  • A. Revoked certificates are automatically added to the CRL
  • B. Revoked certificates cannot be reinstated for any reason
  • C. External CAs will periodically query FortiAuthenticator and automatically download revoked certificates
  • D. All certificates signed by a revoked CA certificate are automatically revoked

Correct answer: A, D

Explanation:
When a certificate is revoked, it means that it is no longer valid and should not be trusted by any entity. Revoked certificates are automatically added to the certificate revocation list (CRL) which is published by the issuing CA and can be checked by other parties. If a CA certificate is revoked, all certificates signed by that CA are also revoked and added to the CRL. Revoked certificates can be reinstated if the reason for revocation is resolved, such as a compromised private key being recovered or a misissued certificate being corrected. External CAs do not query FortiAuthenticator for revoked certificates, but they can use protocols such as SCEP or OCSP to exchange certificate information with FortiAuthenticator. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management


Question # 29
......
