
お手軽に合格させる 最新Fortinet NSE6_FAC-6.4問題集には49問があります
最新のNSE6_FAC-6.4学習ガイド2023年最新の- 提供するのはテストエンジンとPDF
質問 # 20
Which network configuration is required when deploying FortiAuthenticator for portal services?
- A. Policies must have specific ports open between FortiAuthenticator and the authentication clients
- B. FortiAuthenticator must have the REST API access enable on port1
- C. One of the DNS servers must be a FortiGuard DNS server
- D. Fortigate must be setup as default gateway for FortiAuthenticator
正解:A
解説:
When deploying FortiAuthenticator for portal services, such as guest portal, sponsor portal, user portal or FortiToken activation portal, the network configuration must allow specific ports to be open between FortiAuthenticator and the authentication clients. These ports are:
TCP 80 for HTTP access
TCP 443 for HTTPS access
TCP 389 for LDAP access
TCP 636 for LDAPS access
UDP 1812 for RADIUS authentication
UDP 1813 for RADIUS accounting
質問 # 21
You are the administrator of a large network that includes a large local user datadabase on the current Fortiauthenticatior. You want to import all the local users into a new Fortiauthenticator device.
Which method should you use to migrate the local users?
- A. Import users using RADIUS accounting updates.
- B. Import the current directory structure.
- C. Import users using a CSV file.
- D. Import users from RADUIS.
正解:C
解説:
The best method to migrate local users from one FortiAuthenticator device to another is to export the users from the current device as a CSV file and then import the CSV file into the new device. This method preserves all the user attributes and settings and allows you to modify them if needed before importing. The other methods are not suitable for migrating local users because they either require an external RADIUS server or do not transfer all the user information. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372409/user-management
質問 # 22
What capability does the inbound proxy setting provide?
- A. It allows FortiAuthenticator system access to authenticating users, based on a geo IP address designation.
- B. It allows FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access,
- C. It allows FortiAuthenticator the ability to round robin load balance remote authentication servers.
- D. It allows FortiAuthenticator to act as a proxy for remote authentication servers.
正解:B
解説:
The inbound proxy setting provides the ability for FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access. The inbound proxy setting allows FortiAuthenticator to use the X-Forwarded-For header in the HTTP request to identify the original client IP address. This can help FortiAuthenticator apply the correct authentication policy or portal policy based on the source IP address.
質問 # 23
Which option correctly describes an SP-initiated SSO SAML packet flow for a host without a SAML assertion?
- A. Principal contacts idendity provider and authenticates, identity provider relays principal to service provider after valid authentication
- B. Service provider contacts idendity provider, idendity provider validates principal for service provider, service provider establishes communication with principal
- C. Principal contacts idendity provider and is redirected to service provider, principal establishes connection with service provider, service provider validates authentication with identify provider
- D. Principal contacts service provider, service provider redirects principal to idendity provider, after succesfull authentication identify provider redirects principal to service provider
正解:D
解説:
SP-initiated SSO SAML packet flow for a host without a SAML assertion is as follows:
Principal contacts service provider, requesting access to a protected resource.
Service provider redirects principal to identity provider, sending a SAML authentication request.
Principal authenticates with identity provider using their credentials.
After successful authentication, identity provider redirects principal back to service provider, sending a SAML response with a SAML assertion containing the principal's attributes.
Service provider validates the SAML response and assertion, and grants access to the principal.
質問 # 24
When configuring syslog SSO, which three actions must you take, in addition to enabling the syslog SSO method? (Choose three.)
- A. Define a syslog source.
- B. Select a syslog rule for message parsing.
- C. Set the same password on both the FortiAuthenticator and the syslog server.
- D. Enable syslog on the FortiAuthenticator interface.
- E. Set the syslog UDP port on FortiAuthenticator.
正解:A、B、E
解説:
To configure syslog SSO, three actions must be taken, in addition to enabling the syslog SSO method:
Define a syslog source, which is a device that sends syslog messages to FortiAuthenticator containing user logon or logoff information.
Select a syslog rule for message parsing, which is a predefined or custom rule that defines how to extract the user name, IP address, and logon or logoff action from the syslog message.
Set the syslog UDP port on FortiAuthenticator, which is the port number that FortiAuthenticator listens on for incoming syslog messages.
質問 # 25
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?
- A. Time and FortiAuthenticator serial number
- B. UUID and time
- C. Time and seed
- D. Time and mobile location
正解:C
解説:
TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.
質問 # 26
Which two statements about the self-service portal are true? (Choose two)
- A. Administrator approval is required for all self-registration
- B. Self-registration information can be sent to the user through email or SMS
- C. Realms can be used to configure which seld-registered users or groups can authenticate on the network
- D. Authenticating users must specify domain name along with username
正解:B、C
解説:
Two statements about the self-service portal are true:
Self-registration information can be sent to the user through email or SMS using the notification templates feature. This feature allows administrators to customize the messages that are sent to users when they register or perform other actions on the self-service portal.
Realms can be used to configure which self-registered users or groups can authenticate on the network using the realm-based authentication feature. This feature allows administrators to apply different authentication policies and settings to different groups of users based on their realm membership.
質問 # 27
Which two protocols are the default management access protocols for administrative access for FortiAuthenticator? (Choose two)
- A. SNMP
- B. SSH
- C. Telnet
- D. HTTPS
正解:B、D
解説:
HTTPS and SSH are the default management access protocols for administrative access for FortiAuthenticator. HTTPS allows administrators to access the web-based GUI of FortiAuthenticator using a web browser and a secure connection. SSH allows administrators to access the CLI of FortiAuthenticator using an SSH client and an encrypted connection. Both protocols require the administrator to enter a valid username and password to log in.
質問 # 28
How can a SAML metada file be used?
- A. To resolve the IDP realm for authentication
- B. To import the required IDP configuration
- C. To defined a list of trusted user names
- D. To correlate the IDP address to its hostname
正解:B
解説:
A SAML metadata file can be used to import the required IDP configuration for SAML service provider mode. A SAML metadata file is an XML file that contains information about the identity provider (IDP) and the service provider (SP), such as their entity IDs, endpoints, certificates, and attributes. By importing a SAML metadata file from the IDP, FortiAuthenticator can automatically configure the necessary settings for SAML service provider mode.
質問 # 29
When you are setting up two FortiAuthenticator devices in active-passive HA, which HA role must you select on the master FortiAuthenticator?
- A. Standalone master
- B. Cluster member
- C. Active-passive master
- D. Load balancing master
正解:C
解説:
When you are setting up two FortiAuthenticator devices in active-passive HA, you need to select the active-passive master role on the master FortiAuthenticator device. This role means that the device will handle all requests and synchronize data with the slave device until a failover occurs. The slave device must be configured as an active-passive slave role. The other roles are used for different HA modes, such as standalone (no HA), cluster (active-active), or load balancing (active-active with load balancing). Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372411/high-availability
質問 # 30
You want to monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP.
Which two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface? (Choose two)
- A. Associate an ASN, 1 mapping rule to the receiving host
- B. Set the tresholds to trigger SNMP traps
- C. Upload management information base (MIB) files to SNMP server
- D. Enable logging services
正解:B、C
解説:
To monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP, two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface:
Set the thresholds to trigger SNMP traps for various system events, such as CPU usage, disk usage, memory usage, or temperature.
Upload management information base (MIB) files to SNMP server to enable the server to interpret the SNMP traps sent by FortiAuthenticator.
質問 # 31
Which FSSO discovery method transparently detects logged off users without having to rely on external features such as WMI polling?
- A. DC Polling
- B. Radius Accounting
- C. FortiClient SSO Mobility Agent
- D. Windows AD polling
正解:C
解説:
FortiClient SSO Mobility Agent is a FSSO discovery method that transparently detects logged off users without having to rely on external features such as WMI polling. FortiClient SSO Mobility Agent is a software agent that runs on Windows devices and communicates with FortiAuthenticator to provide FSSO information. The agent can detect user logon and logoff events without using WMI polling, which can reduce network traffic and improve performance.
質問 # 32
At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)
- A. Configuring at least on post-login service
- B. Configuring an external authentication portal
- C. Configuring a RADIUS client
- D. Configuring a portal policy
正解:A、D
解説:
To enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management
質問 # 33
A system administrator wants to integrate FortiAuthenticator with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO.
What feature does FortiAuthenticator offer for this type of integration?
- A. SNMP monitoring and traps
- B. RADIUS learning mode for migrating users
- C. The ability to import and export users from CSV files
- D. REST API
正解:D
解説:
REST API is a feature that allows FortiAuthenticator to integrate with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO. REST API stands for Representational State Transfer Application Programming Interface, which is a method of exchanging data between different systems using HTTP requests and responses. FortiAuthenticator provides a REST API that can be used by external systems to perform various actions, such as creating, updating, deleting, or querying users and groups, or sending FSSO logon or logoff events.
質問 # 34
Which two types of digital certificates can you create in Fortiauthenticator? (Choose two)
- A. Organization validation certificate
- B. User certificate
- C. Third-party root certificate
- D. Local service certificate
正解:B、D
解説:
FortiAuthenticator can create two types of digital certificates: user certificates and local service certificates. User certificates are issued to users or devices for authentication purposes, such as VPN, wireless, or web access. Local service certificates are issued to FortiAuthenticator itself for securing its own services, such as HTTPS, RADIUS, or LDAP.
質問 # 35
A digital certificate, also known as an X.509 certificate, contains which two pieces of information? (Choose two.)
- A. Public key
- B. Shared secret
- C. Private key
- D. Issuer
正解:A、D
解説:
A digital certificate, also known as an X.509 certificate, contains two pieces of information:
Issuer, which is the identity of the certificate authority (CA) that issued the certificate Public key, which is the public part of the asymmetric key pair that is associated with the certificate subject
質問 # 36
An administrator has an active directory (AD) server integrated with FortiAuthenticator. They want members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls.
How does the administrator accomplish this goal?
- A. Configure fine-grained controls on FortiAuthenticator to designate AD groups.
- B. Configure SSO groups and assign them to FortiGate groups.
- C. Configure a domain groupings list to identify the desired AD groups.
- D. Configure a FortiGate filter on FortiAuthenticatoc
正解:B
解説:
To allow members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls, the administrator can configure SSO groups and assign them to FortiGate groups. SSO groups are groups of users or devices that are defined on FortiAuthenticator based on various criteria, such as user group membership, source IP address, MAC address, or device type. FortiGate groups are groups of users or devices that are defined on FortiGate based on various criteria, such as user group membership, firewall policy, or authentication method. By mapping SSO groups to FortiGate groups, the administrator can control which users or devices can access the network resources protected by FortiGate.
質問 # 37
......
Fortinet NSE6_FAC-6.4: Fortinet NSE 6 - FortiAuthenticator 6.4認定試験は、ネットワークエンジニアリング、セキュリティ管理、またはサイバーセキュリティの分野でキャリアを向上させたい人にとって重要な資格です。この認定を持つことは、Fortinetオーセンティケータソリューションの使用と管理に関する専門知識を証明し、就職活動時に競争力を持たせます。
NSE6_FAC-6.4問題集と試験テストエンジン:https://jp.fast2test.com/NSE6_FAC-6.4-premium-file.html