[October 2023] Updated NSE6_FAC-6.4 exam question bank, NSE6_FAC-6.4 practice test questions [Q21-Q37]


Verified NSE6_FAC-6.4 question bank PDF material [2023]

Question # 21
Which method is the most secure way of delivering FortiToken data once the token has been seeded?

  • A. Using the in-house token provisioning tool
  • B. Automatic token generation using FortiAuthenticator
  • C. Online activation of the tokens through the FortiGuard network
  • D. Shipment of the seed files on a CD using a tamper-evident envelope

Correct answer: C

Explanation:
Online activation of the tokens through the FortiGuard network is the most secure way of delivering FortiToken data once the token has been seeded because it eliminates the risk of seed files being compromised during transit or storage. The other methods involve physical or manual delivery of seed files which can be intercepted, lost, or stolen. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372403/fortitoken


Question # 22
An administrator has an Active Directory (AD) server integrated with FortiAuthenticator. They want members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls.
How does the administrator accomplish this goal?

  • A. Configure a domain groupings list to identify the desired AD groups.
  • B. Configure fine-grained controls on FortiAuthenticator to designate AD groups.
  • C. Configure SSO groups and assign them to FortiGate groups.
  • D. Configure a FortiGate filter on FortiAuthenticator.

Correct answer: C

Explanation:
To allow members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls, the administrator can configure SSO groups and assign them to FortiGate groups. SSO groups are groups of users or devices that are defined on FortiAuthenticator based on various criteria, such as user group membership, source IP address, MAC address, or device type. FortiGate groups are groups of users or devices that are defined on FortiGate based on various criteria, such as user group membership, firewall policy, or authentication method. By mapping SSO groups to FortiGate groups, the administrator can control which users or devices can access the network resources protected by FortiGate.


Question # 23
Which option correctly describes an SP-initiated SSO SAML packet flow for a host without a SAML assertion?

  • A. Principal contacts identity provider and is redirected to service provider, principal establishes connection with service provider, service provider validates authentication with identity provider
  • B. Principal contacts identity provider and authenticates, identity provider relays principal to service provider after valid authentication
  • C. Principal contacts service provider, service provider redirects principal to identity provider, after successful authentication identity provider redirects principal to service provider
  • D. Service provider contacts identity provider, identity provider validates principal for service provider, service provider establishes communication with principal

Correct answer: C

Explanation:
SP-initiated SSO SAML packet flow for a host without a SAML assertion is as follows:
Principal contacts service provider, requesting access to a protected resource.
Service provider redirects principal to identity provider, sending a SAML authentication request.
Principal authenticates with identity provider using their credentials.
After successful authentication, identity provider redirects principal back to service provider, sending a SAML response with a SAML assertion containing the principal's attributes.
Service provider validates the SAML response and assertion, and grants access to the principal.


Question # 24
You are a FortiAuthenticator administrator for a large organization. Users who are configured to use FortiToken 200 for two-factor authentication can no longer authenticate. You have verified that only the users with two-factor authentication are experiencing the issue.
What can cause this issue?

  • A. Time drift between FortiAuthenticator and hardware tokens
  • B. FortiToken 200 license has expired
  • C. One of the FortiAuthenticator devices in the active-active cluster has failed
  • D. FortiAuthenticator has lost contact with the FortiToken Cloud servers

Correct answer: A

Explanation:
One possible cause of the issue is time drift between FortiAuthenticator and hardware tokens. Time drift occurs when the internal clocks of FortiAuthenticator and hardware tokens are not synchronized. This can result in mismatched one-time passwords (OTPs) generated by the hardware tokens and expected by FortiAuthenticator. To prevent this issue, FortiAuthenticator provides a time drift tolerance option that allows a certain number of seconds of difference between the clocks.


Question # 25
When configuring syslog SSO, which three actions must you take, in addition to enabling the syslog SSO method? (Choose three.)

  • A. Set the same password on both the FortiAuthenticator and the syslog server.
  • B. Select a syslog rule for message parsing.
  • C. Enable syslog on the FortiAuthenticator interface.
  • D. Set the syslog UDP port on FortiAuthenticator.
  • E. Define a syslog source.

Correct answer: B, D, E

Explanation:
To configure syslog SSO, three actions must be taken, in addition to enabling the syslog SSO method:
Define a syslog source, which is a device that sends syslog messages to FortiAuthenticator containing user logon or logoff information.
Select a syslog rule for message parsing, which is a predefined or custom rule that defines how to extract the user name, IP address, and logon or logoff action from the syslog message.
Set the syslog UDP port on FortiAuthenticator, which is the port number that FortiAuthenticator listens on for incoming syslog messages.


Question # 26
Which two statements about the self-service portal are true? (Choose two)

  • A. Self-registration information can be sent to the user through email or SMS
  • B. Administrator approval is required for all self-registration
  • C. Realms can be used to configure which self-registered users or groups can authenticate on the network
  • D. Authenticating users must specify domain name along with username

Correct answer: A, C

Explanation:
Two statements about the self-service portal are true:
Self-registration information can be sent to the user through email or SMS using the notification templates feature. This feature allows administrators to customize the messages that are sent to users when they register or perform other actions on the self-service portal.
Realms can be used to configure which self-registered users or groups can authenticate on the network using the realm-based authentication feature. This feature allows administrators to apply different authentication policies and settings to different groups of users based on their realm membership.


Question # 27
You are the administrator of a large network that includes a large local user database on the current FortiAuthenticator. You want to import all the local users into a new FortiAuthenticator device.
Which method should you use to migrate the local users?

  • A. Import users using a CSV file.
  • B. Import users using RADIUS accounting updates.
  • C. Import the current directory structure.
  • D. Import users from RADIUS.

Correct answer: A

Explanation:
The best method to migrate local users from one FortiAuthenticator device to another is to export the users from the current device as a CSV file and then import the CSV file into the new device. This method preserves all the user attributes and settings and allows you to modify them if needed before importing. The other methods are not suitable for migrating local users because they either require an external RADIUS server or do not transfer all the user information. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372409/user-management


Question # 28
Which two capabilities does FortiAuthenticator offer when acting as a self-signed or local CA? (Choose two)

  • A. Creating, signing, and revoking of X.509 certificates
  • B. Validating other CA CRLs using OCSP
  • C. Importing other CA certificates and CRLs
  • D. Merging local and remote CRLs using SCEP

Correct answer: A, C

Explanation:
FortiAuthenticator can act as a self-signed or local CA that can issue certificates to users, devices, or other CAs. It can also import other CA certificates and CRLs to trust them and validate their certificates. It can also create, sign, and revoke X.509 certificates for various purposes, such as VPN authentication, web server encryption, or wireless security. It cannot validate other CA CRLs using OCSP or merge local and remote CRLs using SCEP because these are protocols that require communication with external CAs. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management


Question # 29
Which two statements about the EAP-TTLS authentication method are true? (Choose two)

  • A. Uses digital certificates only on the server side
  • B. Supports a port access control (wired) solution only
  • C. Requires an EAP server certificate
  • D. Uses mutual authentication

Correct answer: A, C

Explanation:
EAP-TTLS is an authentication method that uses digital certificates only on the server side to establish a secure tunnel between the server and the client. The client does not need a certificate but can use any inner authentication method supported by the server, such as PAP, CHAP, MS-CHAP, or EAP-MD5. EAP-TTLS requires an EAP server certificate that is issued by a trusted CA and installed on the FortiAuthenticator device acting as the EAP server. EAP-TTLS supports both wireless and wired solutions for port access control. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372412/eap-ttls


Question # 30
What are three key features of FortiAuthenticator? (Choose three)

  • A. RSSO Server
  • B. Log server
  • C. Portal services
  • D. Identity management device
  • E. Certificate authority

Correct answer: C, D, E

Explanation:
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet Single Sign-On (FSSO). It also offers portal services for guest management, self-service password reset, and device registration. It is not a log server or an RSSO server. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/release-notes


Question # 31
You have implemented two-factor authentication to enhance security to sensitive enterprise systems.
How could you bypass the need for two-factor authentication for users accessing from specific secured networks?

  • A. Create an admin realm in the authentication policy
  • B. Enable Adaptive Authentication in the portal policy
  • C. Specify the appropriate RADIUS clients in the authentication policy
  • D. Enable the Resolve user geolocation from their IP address option in the authentication policy.

Correct answer: B

Explanation:
Adaptive Authentication is a feature that allows administrators to bypass the need for two-factor authentication for users accessing from specific secured networks. Adaptive Authentication uses geolocation information from IP addresses to determine whether a user is accessing from a trusted network or not. If the user is accessing from a trusted network, FortiAuthenticator can skip the second factor of authentication and grant access based on the first factor only.


Question # 32
What happens when a certificate is revoked? (Choose two)

  • A. Revoked certificates cannot be reinstated for any reason
  • B. External CAs will periodically query FortiAuthenticator and automatically download revoked certificates
  • C. Revoked certificates are automatically added to the CRL
  • D. All certificates signed by a revoked CA certificate are automatically revoked

Correct answer: C, D

Explanation:
When a certificate is revoked, it means that it is no longer valid and should not be trusted by any entity. Revoked certificates are automatically added to the certificate revocation list (CRL) which is published by the issuing CA and can be checked by other parties. If a CA certificate is revoked, all certificates signed by that CA are also revoked and added to the CRL. Revoked certificates can be reinstated if the reason for revocation is resolved, such as a compromised private key being recovered or a misissued certificate being corrected. External CAs do not query FortiAuthenticator for revoked certificates, but they can use protocols such as SCEP or OCSP to exchange certificate information with FortiAuthenticator. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management


Question # 33
Which two types of digital certificates can you create in FortiAuthenticator? (Choose two)

  • A. Local service certificate
  • B. Organization validation certificate
  • C. Third-party root certificate
  • D. User certificate

Correct answer: A, D

Explanation:
FortiAuthenticator can create two types of digital certificates: user certificates and local service certificates. User certificates are issued to users or devices for authentication purposes, such as VPN, wireless, or web access. Local service certificates are issued to FortiAuthenticator itself for securing its own services, such as HTTPS, RADIUS, or LDAP.


Question # 34
Which of the following is an OATH-based standard to generate event-based, one-time password tokens?

  • A. TOTP
  • B. SOTP
  • C. HOTP
  • D. OLTP

Correct answer: C

Explanation:
HOTP stands for HMAC-based One-time Password, which is an OATH-based standard to generate event-based OTP tokens. HOTP uses a cryptographic hash function called HMAC (Hash-based Message Authentication Code) to generate OTPs based on two pieces of information: a secret key and a counter. The counter is incremented by one after each OTP generation, creating an event-based sequence of OTPs.


Question # 35
A digital certificate, also known as an X.509 certificate, contains which two pieces of information? (Choose two.)

  • A. Issuer
  • B. Public key
  • C. Private key
  • D. Shared secret

Correct answer: A, B

Explanation:
A digital certificate, also known as an X.509 certificate, contains two pieces of information:
Issuer, which is the identity of the certificate authority (CA) that issued the certificate.
Public key, which is the public part of the asymmetric key pair that is associated with the certificate subject.


Question # 36
When you are setting up two FortiAuthenticator devices in active-passive HA, which HA role must you select on the master FortiAuthenticator?

  • A. Cluster member
  • B. Active-passive master
  • C. Standalone master
  • D. Load balancing master

Correct answer: B

Explanation:
When you are setting up two FortiAuthenticator devices in active-passive HA, you need to select the active-passive master role on the master FortiAuthenticator device. This role means that the device will handle all requests and synchronize data with the slave device until a failover occurs. The slave device must be configured as an active-passive slave role. The other roles are used for different HA modes, such as standalone (no HA), cluster (active-active), or load balancing (active-active with load balancing). Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372411/high-availability


Question # 37
......

The latest updated set of NSE6_FAC-6.4 real free exam questions contains 49 questions: https://www.jpntest.com/shiken/NSE6_FAC-6.4-mondaishu
