無料Fortinet NSE7_LED-7.0学習ガイド試験問題と解答
NSE7_LED-7.0試験問題集、NSE7_LED-7.0練習テスト問題
NSE7_LED-7.0認定試験は、認定Fortinetネットワークセキュリティエキスパートになるための重要なステップです。この認定資格は、候補者がLANエッジ環境のためにFortinetソリューションを展開、構成、管理する専門知識を証明します。この認定資格は、世界的に認められ、ネットワークセキュリティ業界の雇用主から高く評価されています。認定された専門家は、より高い給与を期待し、より多くの求人機会を得ることができます。
質問 # 12
Refer to the exhibit.
Examine the network diagram and packet capture shown in the exhibit
The packet capture was taken between FortiGate and FortiAuthenticator and shows a RADIUS Access-Request packet sent by FortiSwitch to FortiAuthenticator through FortiGate Why does the User-Name attribute in the RADIUS Access-Request packet contain the client MAC address?
- A. FortiSwitch is authenticating the client using MAC authentication bypass
- B. The client is performing AD machine authentication
- C. FortiSwitch is sending a RADIUS accounting message to FortiAuthenticator
- D. The client is performing user authentication
正解:A
解説:
Explanation
According to the exhibit, the User-Name attribute in the RADIUS Access-Request packet contains the client MAC address of 00:0c:29:6a:2b:3d. This indicates that FortiSwitch is authenticating the client using MAC authentication bypass (MAB), which is a method of authenticating devices that do not support 802.1X by using their MAC address as the username and password. Therefore, option B is true because it explains why the User-Name attribute contains the client MAC address. Option A is false because AD machine authentication uses a computer account name and password, not a MAC address. Option C is false because user authentication uses a user name and password, not a MAC address. Option D is false because FortiSwitch is sending a RADIUS Access-Request message to FortiAuthenticator, not a RADIUS accounting message.
質問 # 13
Refer to the exhibit.
Examine the FortiManager information shown in the exhibit
Which two statements about the FortiManager status are true'' (Choose two)
- A. FortiSwitch manager is working in per-device management mode
- B. FortiSwitch is not authorized
- C. FortiSwitch manager is working in central management mode
- D. FortiSwitch is authorized and offline
正解:C、D
解説:
Explanation
According to the FortiManager Administration Guide, "Central management mode allows you to manage all FortiSwitch devices from a single interface on the FortiManager device." Therefore, option C is true because the exhibit shows that the FortiSwitch manager is enabled and the FortiSwitch device is managed by the FortiManager device. Option D is also true because the exhibit shows that the FortiSwitch device status is offline, which means that it is not reachable by the FortiManager device, but it is authorized, which means that it has been added to the FortiManager device. Option A is false because per-device management mode allows you to manage each FortiSwitch device individually from its own web-based manager or CLI, which is not the case in the exhibit. Option B is false because the FortiSwitch device is authorized, as explained above.
質問 # 14
Refer to the exhibit.
Examine the RADIUS server configuration shown in the exhibit
An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP While testing the configuration the administrator noticed that the diagnosetest authserver command worked with PAP, however authentication requests failed when using MSCHAP2 Which two solutions can the administrator implement to get MSCHAP2 authentication to work'' (Choose two.)
- A. On FortiGate update the Secret setting on the RADIUS server
- B. On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS
- C. On FortiGate configure the NAS IP setting on the RADIUS
server - D. On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain
正解:B、D
解説:
Explanation
According to the exhibit, the RADIUS server configuration on FortiGate points to FortiAuthenticator, which is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP. However, LDAP does not support MSCHAP2 authentication, which is required for RADIUS. Therefore, option A is true because on FortiAuthenticator, enabling Windows Active Directory Domain Authentication will add FortiAuthenticator to the Windows domain and allow it to use MSCHAP2 authentication with the AD server. Option C is also true because on FortiAuthenticator, changing the back-end authentication server from LDAP to RADIUS will allow it to use MSCHAP2 authentication with the AD server. Option B is false because on FortiGate, configuring the NAS IP setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the source IP address of the RADIUS packets. Option D is false because on FortiGate, updating the Secret setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the shared secret between FortiGate and FortiAuthenticator.
質問 # 15
Refer to the exhibits.
Firewall Policy
Examine the firewall policy configuration and SSID settings
An administrator has configured a guest wireless network on FortiGate using the external captive portal The administrator has verified that the external captive portal URL is correct However wireless users are not able to see the captive portal login page Given the configuration shown in the exhibit and the SSID settings which configuration change should the administrator make to fix the problem?
- A. Enable the captivs-portal-exempt option in the firewall policy with the ID 11.
- B. Disable the user group from the SSID configuration
- C. Apply a guest.portal user group in the firewall policy with the ID 11.
- D. Include the wireless client subnet range in the Exempt Source section
正解:C
解説:
Explanation
According to the FortiGate Administration Guide, "To use an external captive portal, you must configure a user group that uses the external captive portal as the authentication method and apply it to a firewall policy." Therefore, option C is true because it will allow the wireless users to be redirected to the external captive portal URL when they try to access the Internet. Option A is false because disabling the user group from the SSID configuration will prevent the wireless users from being authenticated by the FortiGate device. Option B is false because enabling the captive-portal-exempt option in the firewall policy will bypass the captive portal authentication for the wireless users, which is not the desired outcome. Option D is false because including the wireless client subnet range in the Exempt Source section will also bypass the captive portal authentication for the wireless users, which is not the desired outcome.
質問 # 16
Refer to the exhibit.
Examine the FortiGate configuration FortiAnalyzer logs and FortiGate widget shown in the exhibit An administrator is testing the Security Fabric quarantine automation The administrator added FortiAnalyzer to the Security Fabric and configured an automation stitch to automatically quarantine compromised devices The test device (::.:.:.!) s connected to a managed Fort Switch dev :e After trying to access a malicious website from the test device, the administrator verifies that FortiAnalyzer has a log (or the test connection However the device is not getting quarantined by FortiGate as shown in the quarantine widget Which two scenarios are likely to cause this issue? (Choose two)
- A. The web filtering rating service is not working
- B. FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC)
- C. The device does not have FortiClient installed
- D. FortiAnalyzer does not have a valid threat detection services license
正解:B、D
解説:
Explanation
According to the exhibits, the administrator has configured an automation stitch to automatically quarantine compromised devices based on FortiAnalyzer's threat detection services. However, according to the FortiAnalyzer logs, the test device is not detected as compromised by FortiAnalyzer, even though it tried to access a malicious website. Therefore, option B is true because FortiAnalyzer does not have a valid threat detection services license, which is required to enable the threat detection services feature. Option D is also true because FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC), which is a criterion for identifying compromised devices. Option A is false because the web filtering rating service is working, as shown by the log entry that indicates that the test device accessed a URL with a category of
"Malicious Websites". Option C is false because the device does not need to have FortiClient installed to be quarantined by FortiGate, as long as it is connected to a managed FortiSwitch device.
質問 # 17
Which EAP method requires the use of a digital certificate on both the server end and the client end?
- A. EAP-TTLS
- B. EAP-TLS
- C. EAP-GTC
- D. PEAP
正解:B
解説:
Explanation
According to the FortiGate Administration Guide, "EAP-TLS is the most secure EAP method. It requires a digital certificate on both the server end and the client end. The server and client authenticate each other using their certificates." Therefore, option D is true because it describes the EAP method that requires the use of a digital certificate on both the server end and the client end. Option A is false because EAP-TTLS only requires a digital certificate on the server end, not the client end. Option B is false because PEAP also only requires a digital certificate on the server end, not the client end. Option C is false because EAP-GTC does not require a digital certificate on either the server end or the client end.
質問 # 18
An administrator has configured an SSID in bridge mode for corporate employees All APs are online and provisioned using default AP profiles Employees are unable to locate the SSID to conned Which two configurations can the administrator verify? (Choose two)
- A. Verify that the Block Intra-SSID Traffic (intra-vap-privacy) option in the SSID configuration is disabled
- B. Verify that the SSID is manually applied on AP profiles for both 2 4 GHz and 5 GHz radios
- C. Verify that the broadcast SSID option is enabled in the SSID configuration
- D. Verify that the SSID to an AP group that should be broadcasting the SSID is applied
正解:C、D
解説:
Explanation
According to the FortiAP Configuration Guide1, "To enable the SSID, you must select at least one channel for the radio. If no channels are selected, the SSID will not be enabled. You must also enable Broadcast SSID." Therefore, option A is true because the broadcast SSID option allows the SSID to be visible to wireless clients.
Option C is also true because the SSID must be applied to an AP group that contains the APs that should be broadcasting the SSID. According to the same guide1, "You can create AP groups and assign them to different locations or departments. You can then apply different settings, such as SSIDs, to each group." Option B is false because blocking intra-SSID traffic prevents wireless clients on the same SSID from communicating with each other, which is not related to broadcasting the SSID. Option D is false because the SSID can be applied to an AP group or a global profile, which will automatically apply to all APs, without manually configuring each AP profile.
質問 # 19
Refer to the exhibit.
Examine the LDAP server configuration shown in the exhibit Note that the Username setting has been expanded to display Its full content On the Windows AD server 10.0.1.10, the administrator used dsquery. which returned the following output:
According to the output which FortiGate LDAP setting is configured incorrectly''
- A. Common Name Identifier
- B. Username
- C. Bind Type
- D. Distinguished Name
正解:D
解説:
Explanation
According to the exhibits, the LDAP server configuration on FortiGate has the Distinguished Name set to
"dc=training,dc=lab". However, according to the output of the dsquery command on the Windows AD server, the Distinguished Name of the domain should be "dc=trainingAD,dc=training,dc=lab". Therefore, option C is true because the Distinguished Name on FortiGate is configured incorrectly and does not match the actual Distinguished Name of the domain. Option A is false because the Common Name Identifier on FortiGate is configured correctly as "cn". Option B is false because the Bind Type on FortiGate is configured correctly as
"Regular". Option D is false because the Username on FortiGate is configured correctly as
"cn=admin,cn=users,dc=trainingAD,dc=training,dc=lab".
質問 # 20
An administrator is testing the connectivity for a new VLAN The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate Quarantine is disabled on FortiGate While testing the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices The administrator also noticed that inter-VLAN communication works However intra-VLAN communication does not work Which scenario is likely to cause this issue?
- A. The FortiSwitch MAC address table is missing entries
- B. Access VLAN is enabled on the VLAN
- C. The FortiGate ARP table is missing entries
- D. The native VLAN configured on the ports is incorrect
正解:A
解説:
Explanation
According to the scenario, the devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate, which means that the devices are not blocked by any security policy. The devices can ping FortiGate and FortiGate can ping the devices, which means that the IP connectivity is working. Inter-VLAN communication works, which means that the routing between VLANs is working. However, intra-VLAN communication does not work, which means that the switching within the VLAN is not working. Therefore, option C is true because the FortiSwitch MAC address table is missing entries, which means that the FortiSwitch does not know how to forward frames to the destination MAC addresses within the VLAN. Option A is false because access VLAN is enabled on the VLAN, which means that the VLAN ID is added to the frames on ingress and removed on egress. This does not affect intra-VLAN communication. Option B is false because the native VLAN configured on the ports is incorrect, which means that the frames on the native VLAN are not tagged with a VLAN ID. This does not affect intra-VLAN communication. Option D is false because the FortiGate ARP table is missing entries, which means that FortiGate does not know how to map IP addresses to MAC addresses. This does not affect intra-VLAN communication.
質問 # 21
Which two statements about the guest portal on FortiAuthenticator are true? (Choose two.)
- A. Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal
- B. Administrators must approve all guest accounts before they can be used
- C. Each remote user on FortiAuthenticator can sponsor up to 10 guest accounts
- D. The guest portal provides pre and post-log in services
正解:A、D
解説:
Explanation
According to the FortiAuthenticator Administration Guide2, "The guest portal provides pre and post-log in services for users (such as password reset and token registration abilities), and rules and replacement messages can be configured." Therefore, option C is true. The same guide also states that "Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal." Therefore, option D is true.
Option A is false because remote users can sponsor any number of guest accounts, as long as they do not exceed the maximum number of guest accounts allowed by the license. Option B is false because administrators can choose to approve or reject guest accounts, or enable auto-approval.
質問 # 22
Refer to the exhibit.
Examine the FortiManager configuration and FortiGate CLI output shown in the exhibit An administrator is testing the NAC feature The test device is connected to a managed FortiSwitch device
{S224EPTF19"53C7)onpOrt2
After applying the NAC policy on port2 and generating traffic on the test device the test device is not matching the NAC policy therefore the test device remains m the onboarding VLAN Based on the information shown in the exhibit which two scenarios are likely to cause this issue? (Choose two.)
- A. The MAC address configured on the NAC policy is incorrect
- B. Management communication between FortiGate and FortiSwitch is down
- C. Device detection is not enabled on VLAN 4089
- D. The device operating system detected by FortiGate is not Linux
正解:A、B
解説:
Explanation
According to the FortiManager configuration, the NAC policy is set to match devices with the MAC address of 00:0c:29:6a:2b:3c and the operating system of Linux.However, according to the FortiGate CLI output, the test device has a different MAC address of 00:0c:29:6a:2b:3d. Therefore, option B is true. Option A is also true because the FortiSwitch device status is shown as down, which means that the management communication between FortiGate and FortiSwitch is not working properly. This could prevent the NAC policy from being applied correctly. Option C is false because the device operating system detected by FortiGate is Linux, which matches the NAC policy. Option D is false because device detection is enabled on VLAN 4089, as shown by the command "config switch-controller vlan".
質問 # 23
Which two pieces of information can the diagnose test authserver ldap command provide? (Choose two.)
- A. It displays whether the user credentials are correct
- B. It displays whether the admin bind user credentials are correct
- C. It displays the LDAP codes returned by the LDAP server
- D. It displays the LDAP groups found for the user
正解:A、C
解説:
Explanation
According to the FortiGate CLI Reference Guide, "The diagnose test authserver ldap command tests LDAP authentication with a specific LDAP server. The command displays whether the user credentials are correct and whether the user belongs to any groups that match a firewall policy. The command also displays the LDAP codes returned by the LDAP server." Therefore, options B and C are true because they describe the information that the diagnose test authserver ldap command can provide. Option A is false because the command does not display whether the admin bind user credentials are correct, but rather whether the user credentials are correct. Option D is false because the command does not display the LDAP groups found for the user, but rather whether the user belongs to any groups that match a firewall policy.
質問 # 24
Refer to the exhibit.
Examine the debug output shown in the exhibit
Which two statements about the RADIUS debug output are true'' (Choose two)
- A. The user student belongs to the SSLVPN group
- B. User authentication failed
- C. The RADIUS server sent a vendor-specific attribute in the RADIUS response
- D. User authentication succeeded using MSCHAP
正解:A、D
解説:
Explanation
According to the exhibit, the debug output shows a RADIUS debug output from FortiGate. The output shows that FortiGate sent a RADIUS Access-Request packet to FortiAuthenticator with the username student and received a RADIUS Access-Accept packet from FortiAuthenticator with a Class attribute containing SSLVPN.
Therefore, option A is true because it indicates that the user student belongs to the SSLVPN group on FortiAuthenticator. The output also shows that FortiGate used MSCHAP as the authentication method and received a MS-MPPE-Send-Key and a MS-MPPE-Recv-Key from FortiAuthenticator. Therefore, option D is true because it indicates that user authentication succeeded using MSCHAP. Option B is false because user authentication did not fail, but rather succeeded. Option C is false because FortiAuthenticator did not send a vendor-specific attribute in the RADIUS response, but rather standard attributes defined by RFCs.
質問 # 25
You are investigating a report of poor wireless performance in a network that you manage. The issue is related to an AP interface in the 5 GHz range You are monitoring the channel utilization over time.
What is the recommended maximum utilization value that an interface should not exceed?
- A. 85%
- B. 95%
- C. 65%
- D. 75%
正解:C
解説:
Explanation
According to the FortiAP Configuration Guide, "Channel utilization measures how busy a channel is over a given period of time. It includes both Wi-Fi and non-Wi-Fi interference sources. A high channel utilization indicates a congested channel and can result in poor wireless performance. The recommended maximum utilization value that an interface should not exceed is 65%." Therefore, option D is true because it gives the recommended maximum utilization value for an interface in the 5 GHz range. Options A, B, and C are false because they give higher utilization values that can cause poor wireless performance.
https://docs.fortinet.com/document/fortiap/7.0.0/configuration-guide/734537/wireless-radio-settings#channel-uti
質問 # 26
Which CLI command should an administrator use to view the certificate verification process in real time?
- A. diagnose debug application radiusd -1
- B. diagnose debug application authd -1
- C. diagnose debug application foauthd -1
- D. diagnose debug application fnbamd -1
正解:C
解説:
Explanation
According to the FortiOS CLI Reference Guide, "The diagnose debug application foauthd command enables debugging of certificate verification process in real time." Therefore, option A is true because it describes the CLI command that an administrator should use to view the certificate verification process in real time. Option B is false because diagnose debug application radiusd -1 enables debugging of RADIUS authentication process, not certificate verification process. Option C is false because diagnose debug application authd -1 enables debugging of authentication daemon process, not certificate verification process. Option D is false because diagnose debug application fnbamd -1 enables debugging of FSSO daemon process, not certificate verification process.
質問 # 27 
Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page.This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser
Which two settings are the likely causes of the issue? (Choose two.)
- A. The external server FQDN is incorrect
- B. The user address is not in DDNS form
- C. The wireless user's browser is missing a CA certificate
- D. The FortiGate authentication interface address is using HTTPS
正解:A、C
解説:
Explanation
According to the exhibit, the wireless guest users are getting a certificate error while loading the captive portal login page. This means that the browser cannot verify the identity of the server that is hosting the login page.
Therefore, option A is true because the external server FQDN is incorrect, which means that it does not match the common name or subject alternative name of the server certificate. Option B is also true because the wireless user's browser is missing a CA certificate, which means that it does not have the root or intermediate certificate that issued the server certificate. Option C is false because the FortiGate authentication interface address is using HTTPS, which is a secure protocol that encrypts the communication between the browser and the server. Option D is false because the user address is not in DDNS form, which is not related to the certificate error.
質問 # 28
......
Fortinet NSE7_LED-7.0試験の準備には、学習ガイド、オンラインコース、模擬試験など、さまざまなリソースを活用することができます。Fortinetは、試験のトピックを詳細にカバーするトレーニングプログラムも提供しています。候補者はまた、LANエッジセキュリティプロジェクトに取り組むことで、試験でカバーされる概念やテクニックについてより深い理解を得ることができます。
試験は、120分以内に完了する必要のある60の多肢選択問題で構成されています。これらの問題は、Fortinet Security Fabricの知識を持ち、LAN Edgeネットワークを安全にするためにそれを適用する能力をテストするように設計されています。試験に合格し、NSE 7認定を取得するには、最低50%のスコアが必要です。
最新のNSE7_LED-7.0実際の無料試験問題は更新された40問があります:https://jp.fast2test.com/NSE7_LED-7.0-premium-file.html