[January 14, 2024] NSE6_FAC-6.4 Test Engine Trial Set, NSE6_FAC-6.4 Question Set PDF [Q28-Q51]


Free exam questions and answers (2024) from the latest Fortinet NSE6_FAC-6.4 PDF and question set


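The Fortinet NSE6_FAC-6.4 exam covers a wide range of topics, including FortiAuthenticator deployment and configuration, user authentication, and integration with other security products. The exam consists of multiple-choice questions and requires candidates to demonstrate their knowledge of FortiAuthenticator's features and functionality. Candidates who pass the exam can configure and manage FortiAuthenticator to provide secure authentication services for a network infrastructure. Passing the exam also shows employers and clients that the candidate has the skills and expertise needed to manage network security and authentication with FortiAuthenticator.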

 

Question # 28
Which of the following is an OATH-based standard to generate event-based, one-time password tokens?

  • A. HOTP
  • B. OLTP
  • C. TOTP
  • D. SOTP

Correct answer: A

Explanation:
HOTP stands for HMAC-based One-time Password, which is an OATH-based standard to generate event-based OTP tokens. HOTP uses HMAC (Hash-based Message Authentication Code) to generate OTPs based on two pieces of information: a secret key and a counter. The counter is incremented by one after each OTP generation, creating an event-based sequence of OTPs.


Question # 29
Which two are supported captive or guest portal authentication methods? (Choose two)

  • A. LinkedIn
  • B. Instagram
  • C. Apple ID
  • D. Email

Correct answer: A, D

Explanation:
FortiAuthenticator supports various captive or guest portal authentication methods, including social media login with LinkedIn, Facebook, Twitter, Google+, or WeChat; email verification; SMS verification; voucher code; username and password; and MAC address bypass. Apple ID and Instagram are not supported as authentication methods. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/372405/authentication-methods


Question # 30
When configuring syslog SSO, which three actions must you take, in addition to enabling the syslog SSO method? (Choose three.)

  • A. Enable syslog on the FortiAuthenticator interface.
  • B. Set the same password on both the FortiAuthenticator and the syslog server.
  • C. Select a syslog rule for message parsing.
  • D. Define a syslog source.
  • E. Set the syslog UDP port on FortiAuthenticator.

Correct answer: C, D, E

Explanation:
To configure syslog SSO, three actions must be taken, in addition to enabling the syslog SSO method:
  • Define a syslog source, which is a device that sends syslog messages to FortiAuthenticator containing user logon or logoff information.
  • Select a syslog rule for message parsing, which is a predefined or custom rule that defines how to extract the user name, IP address, and logon or logoff action from the syslog message.
  • Set the syslog UDP port on FortiAuthenticator, which is the port number that FortiAuthenticator listens on for incoming syslog messages.


Question # 31
You are the administrator of a global enterprise with three FortiAuthenticator devices. You would like to deploy them to provide active-passive HA at headquarters, with geographically distributed load balancing.
What would the role settings be?

  • A. One standalone primary, one cluster member, and one load balancer
  • B. Two cluster members and one backup
  • C. Two cluster members and one load balancer
  • D. One standalone and two load balancers

Correct answer: A

Explanation:
To deploy three FortiAuthenticator devices to provide active-passive HA at headquarters, with geographically distributed load balancing, the role settings would be:
  • One standalone primary, which acts as the master device for HA and load balancing
  • One cluster member, which acts as the backup device for HA and load balancing
  • One load balancer, which acts as a remote device that forwards authentication requests to the primary or cluster member device


Question # 32
Which two statements about the RADIUS service on FortiAuthenticator are true? (Choose two)

  • A. Only local users can be authenticated through RADIUS
  • B. RADIUS users can be migrated to LDAP users
  • C. FortiAuthenticator answers only to RADIUS clients that are registered with FortiAuthenticator
  • D. Two-factor authentication cannot be enforced when using RADIUS authentication

Correct answer: B, C

Explanation:
Two statements about the RADIUS service on FortiAuthenticator are true:
  • RADIUS users can be migrated to LDAP users using the RADIUS learning mode feature. This feature allows FortiAuthenticator to learn user credentials from an existing RADIUS server and store them locally as LDAP users for future authentication requests.
  • FortiAuthenticator answers only to RADIUS clients that are registered with FortiAuthenticator. A RADIUS client is a device that sends RADIUS authentication or accounting requests to FortiAuthenticator. A RADIUS client must be added and configured on FortiAuthenticator before it can communicate with it.


Question # 33
An administrator is integrating FortiAuthenticator with an existing RADIUS server with the intent of eventually replacing the RADIUS server with FortiAuthenticator.
How can FortiAuthenticator help facilitate this process?

  • A. By importing the RADIUS user records
  • B. By configuring the RADIUS accounting proxy
  • C. By enabling learning mode in the RADIUS server configuration
  • D. By enabling automatic REST API calls from the RADIUS server

Correct answer: C

Explanation:
FortiAuthenticator can help facilitate the process of replacing an existing RADIUS server by enabling learning mode in the RADIUS server configuration. This allows FortiAuthenticator to learn user credentials from the existing RADIUS server and store them locally for future authentication requests. This way, FortiAuthenticator can gradually take over the role of the RADIUS server without disrupting the user experience.


Question # 34
Which three of the following can be used as SSO sources? (Choose three)

  • A. FortiAuthenticator in SAML SP role
  • B. SSH Sessions
  • C. RADIUS accounting
  • D. FortiGate
  • E. FortiClient SSO Mobility Agent

Correct answer: C, D, E

Explanation:
FortiAuthenticator supports various SSO sources that can provide user identity information to other devices in the network, such as FortiGate firewalls or FortiAnalyzer log servers. Some of the supported SSO sources are:
  • FortiClient SSO Mobility Agent: A software agent that runs on Windows devices and sends user login information to FortiAuthenticator.
  • FortiGate: A firewall device that can send user login information from various sources, such as FSSO agents, captive portals, VPNs, or LDAP servers, to FortiAuthenticator.
  • RADIUS accounting: A protocol that can send user login information from RADIUS servers or clients, such as wireless access points or VPN concentrators, to FortiAuthenticator.
SSH sessions and FortiAuthenticator in SAML SP role are not valid SSO sources because they do not provide user identity information to other devices in the network. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372410/single-sign-on


Question # 35
An administrator wants to keep local CA cryptographic keys stored in a central location.
Which FortiAuthenticator feature would provide this functionality?

  • A. REST API
  • B. SCEP support
  • C. Network HSM
  • D. SFTP server

Correct answer: C

Explanation:
Network HSM is a feature that allows FortiAuthenticator to keep local CA cryptographic keys stored in a central location. HSM stands for Hardware Security Module, which is a physical device that provides secure storage and generation of cryptographic keys. Network HSM allows FortiAuthenticator to use an external HSM device to store and manage the private keys of its local CAs, instead of storing them locally on the FortiAuthenticator device.


Question # 36
Which two SAML roles can FortiAuthenticator be configured as? (Choose two)

  • A. Identity provider
  • B. Service provider
  • C. Assertion server
  • D. Principal

Correct answer: A, B

Explanation:
FortiAuthenticator can be configured as a SAML identity provider (IdP) or a SAML service provider (SP). As an IdP, FortiAuthenticator authenticates users and issues SAML assertions to SPs. As an SP, FortiAuthenticator receives SAML assertions from IdPs and grants access to users based on the attributes in the assertions. Principal and assertion server are not valid SAML roles. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372407/saml


Question # 37
What capability does the inbound proxy setting provide?

  • A. It allows FortiAuthenticator to act as a proxy for remote authentication servers.
  • B. It allows FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access.
  • C. It allows FortiAuthenticator the ability to round robin load balance remote authentication servers.
  • D. It allows FortiAuthenticator system access to authenticating users, based on a geo IP address designation.

Correct answer: B

Explanation:
The inbound proxy setting lets FortiAuthenticator determine the origin source IP address after traffic passes through a proxy for system access. It does so by using the X-Forwarded-For header in the HTTP request to identify the original client IP address. This can help FortiAuthenticator apply the correct authentication policy or portal policy based on the source IP address.


Question # 38
Why would you configure an OCSP responder URL in an end-entity certificate?

  • A. To identify the end point that a certificate has been assigned to
  • B. To designate a server for certificate status checking
  • C. To provide the CRL location for the certificate
  • D. To designate the SCEP server to use for CRL updates for that certificate

Correct answer: B

Explanation:
An OCSP responder URL in an end-entity certificate is used to designate a server for certificate status checking. OCSP stands for Online Certificate Status Protocol, which is a method of verifying whether a certificate is valid or revoked in real time. An OCSP responder is a server that responds to OCSP requests from clients with the status of the certificate in question. The OCSP responder URL in an end-entity certificate points to the location of the OCSP responder that can provide the status of that certificate.


Question # 39
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?

  • A. UUID and time
  • B. Time and mobile location
  • C. Time and FortiAuthenticator serial number
  • D. Time and seed

Correct answer: D

Explanation:
TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.


Question # 40
Which statement about the guest portal policies is true?

  • A. All conditions in the policy must match before a user is presented with the guest portal
  • B. Conditions in the policy apply only to guest wireless users
  • C. Guest portal policies apply only to authentication requests coming from unknown RADIUS clients
  • D. Guest portal policies can be used only for BYODs

Correct answer: A

Explanation:
Guest portal policies are rules that determine when and how to present the guest portal to users who want to access the network. Each policy has a set of conditions that can be based on various factors, such as the source IP address, MAC address, RADIUS client, user agent, or SSID. All conditions in the policy must match before a user is presented with the guest portal. Guest portal policies can apply to any authentication request coming from any RADIUS client, not just unknown ones. They can also be used for any type of device, not just BYODs. They can also apply to wired or VPN users, not just wireless users. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/372406/portal-policies


Question # 41
How can a SAML metadata file be used?

  • A. To import the required IDP configuration
  • B. To define a list of trusted user names
  • C. To resolve the IDP realm for authentication
  • D. To correlate the IDP address to its hostname

Correct answer: A

Explanation:
A SAML metadata file can be used to import the required IDP configuration for SAML service provider mode. A SAML metadata file is an XML file that contains information about the identity provider (IDP) and the service provider (SP), such as their entity IDs, endpoints, certificates, and attributes. By importing a SAML metadata file from the IDP, FortiAuthenticator can automatically configure the necessary settings for SAML service provider mode.


Question # 42
Which two features of FortiAuthenticator are used for EAP deployment? (Choose two)

  • A. LDAP server
  • B. MAC authentication bypass
  • C. Certificate authority
  • D. RADIUS server

Correct answer: C, D

Explanation:
Two features of FortiAuthenticator that are used for EAP deployment are certificate authority and RADIUS server. Certificate authority allows FortiAuthenticator to issue and manage digital certificates for EAP methods that require certificate-based authentication, such as EAP-TLS or PEAP-EAP-TLS. RADIUS server allows FortiAuthenticator to act as an authentication server for EAP methods that use RADIUS as a transport protocol, such as EAP-GTC or PEAP-MSCHAPv2.


Question # 43
You want to monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP.
Which two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface? (Choose two)

  • A. Associate an ASN.1 mapping rule to the receiving host
  • B. Set the thresholds to trigger SNMP traps
  • C. Enable logging services
  • D. Upload management information base (MIB) files to SNMP server

Correct answer: B, D

Explanation:
To monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP, two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface:
  • Set the thresholds to trigger SNMP traps for various system events, such as CPU usage, disk usage, memory usage, or temperature.
  • Upload management information base (MIB) files to the SNMP server to enable the server to interpret the SNMP traps sent by FortiAuthenticator.


Question # 44
A device or user identity cannot be established transparently, such as with non-domain BYOD devices, and users should be allowed to create their own credentials.
In this case, which user identity discovery method can FortiAuthenticator use?

  • A. Portal authentication
  • B. Syslog messaging or SAML IDP
  • C. RADIUS accounting
  • D. Kerberos-based authentication

Correct answer: A

Explanation:
Portal authentication is a user identity discovery method that can be used when a device or user identity cannot be established transparently, such as with non-domain BYOD devices, and when users should be allowed to create their own credentials. Portal authentication requires users to enter their credentials on a web page before accessing network resources. The other methods are used for transparent identification of domain devices or users. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372406/user-identity-discovery


Question # 45
A system administrator wants to integrate FortiAuthenticator with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO.
What feature does FortiAuthenticator offer for this type of integration?

  • A. SNMP monitoring and traps
  • B. The ability to import and export users from CSV files
  • C. RADIUS learning mode for migrating users
  • D. REST API

Correct answer: D

Explanation:
REST API is a feature that allows FortiAuthenticator to integrate with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO. REST API stands for Representational State Transfer Application Programming Interface, which is a method of exchanging data between different systems using HTTP requests and responses. FortiAuthenticator provides a REST API that can be used by external systems to perform various actions, such as creating, updating, deleting, or querying users and groups, or sending FSSO logon or logoff events.


Question # 46
Which FSSO discovery method transparently detects logged off users without having to rely on external features such as WMI polling?

  • A. Windows AD polling
  • B. RADIUS accounting
  • C. DC Polling
  • D. FortiClient SSO Mobility Agent

Correct answer: D

Explanation:
FortiClient SSO Mobility Agent is an FSSO discovery method that transparently detects logged off users without having to rely on external features such as WMI polling. FortiClient SSO Mobility Agent is a software agent that runs on Windows devices and communicates with FortiAuthenticator to provide FSSO information. The agent can detect user logon and logoff events without using WMI polling, which can reduce network traffic and improve performance.


Question # 47
......

The NSE 6 Network Security Specialist NSE6_FAC-6.4 exam question set that will get you through the exam has 49 questions as of January 14, 2024: https://www.jpntest.com/shiken/NSE6_FAC-6.4-mondaishu
