2023年更新のNSE 7 Network Security Architectが有効なNSE7_LED-7.0問題集を無料提供しています [Q22-Q42]

Share

2023年更新のNSE 7 Network Security Architectが有効なNSE7_LED-7.0問題集を無料提供しています

最新のFast2test NSE7_LED-7.0のPDF問題集をダウンロードしちゃおう:https://jp.fast2test.com/NSE7_LED-7.0-premium-file.html(40問題と解答)


Fortinet NSE7_LED-7.0試験は、FortinetのLANエッジソリューションの展開と管理において専門的な知識を証明したいネットワークセキュリティ専門家にとって有用な認定試験です。この認定は、世界的に認められ、IT業界の雇用主に高く評価されています。認定は、LANインフラストラクチャをセキュリティで保護し、Secure SD-WANを構成し、FortinetのLANエッジソリューションを管理する候補者の知識とスキルを検証します。Fortinet NSE7_LED-7.0試験に合格した候補者は、ネットワークセキュリティにおける専門的な能力と熟練度を証明するFortinet NSE 7認定を受けます。

 

質問 # 22
An administrator is testing the connectivity for a new VLAN The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate Quarantine is disabled on FortiGate While testing the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices The administrator also noticed that inter-VLAN communication works However intra-VLAN communication does not work Which scenario is likely to cause this issue?

  • A. Access VLAN is enabled on the VLAN
  • B. The FortiGate ARP table is missing entries
  • C. The FortiSwitch MAC address table is missing entries
  • D. The native VLAN configured on the ports is incorrect

正解:C

解説:
Explanation
According to the scenario, the devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate, which means that the devices are not blocked by any security policy. The devices can ping FortiGate and FortiGate can ping the devices, which means that the IP connectivity is working. Inter-VLAN communication works, which means that the routing between VLANs is working. However, intra-VLAN communication does not work, which means that the switching within the VLAN is not working. Therefore, option C is true because the FortiSwitch MAC address table is missing entries, which means that the FortiSwitch does not know how to forward frames to the destination MAC addresses within the VLAN. Option A is false because access VLAN is enabled on the VLAN, which means that the VLAN ID is added to the frames on ingress and removed on egress. This does not affect intra-VLAN communication. Option B is false because the native VLAN configured on the ports is incorrect, which means that the frames on the native VLAN are not tagged with a VLAN ID. This does not affect intra-VLAN communication. Option D is false because the FortiGate ARP table is missing entries, which means that FortiGate does not know how to map IP addresses to MAC addresses. This does not affect intra-VLAN communication.


質問 # 23
Refer to the exhibit.

Examine the FortiGate user group configuration and the Windows AD LDAP group membership information shown in the exhibit FortiGate is configured to authenticate SSL VPN users against Windows AD using LDAP The administrator configured the SSL VPN user group for SSL VPN users However the administrator noticed that both the student and j smith users can connect to SSL VPN Which change can the administrator make on FortiGate to restrict the SSL VPN service to the student user only?

  • A. In the SSL VPN user group configuration set Group Name to ::;=Domain users.CN-Users/DC=trainingAD, DC-training, DC=lab.
  • B. In the SSL VPN user group configuration change Type to Fortinet Single Sign-On (FSSO)
  • C. In the SSL VPN user group configuration set Group Nam to CN-SSLVPN, CN="users, DC-trainingAD, DC-training, DC-lab
  • D. In the SSL VPN user group configuration, change Name to cn=sslvpn, CN=users, DC=trainingAD, Detraining, DC-lab.

正解:C

解説:
Explanation
According to the FortiGate Administration Guide, "The Group Name is the name of the LDAP group that you want to use for authentication. The name must match exactly the name of the LDAP group on the LDAP server." Therefore, option A is true because it will set the Group Name to match the LDAP group that contains only the student user. Option B is false because changing the Name will not affect the authentication process, as it is only a local identifier for the user group on FortiGate. Option C is false because setting the Group Name to Domain Users will include all users in the domain, not just the student user. Option D is false because changing the Type to FSSO will require a different configuration method and will not solve the problem.


質問 # 24
Refer to the exhibit.

Examine the LDAP server configuration shown in the exhibit Note that the Username setting has been expanded to display Its full content On the Windows AD server 10.0.1.10, the administrator used dsquery. which returned the following output:

According to the output which FortiGate LDAP setting is configured incorrectly''

  • A. Distinguished Name
  • B. Bind Type
  • C. Username
  • D. Common Name Identifier

正解:A

解説:
Explanation
According to the exhibits, the LDAP server configuration on FortiGate has the Distinguished Name set to
"dc=training,dc=lab". However, according to the output of the dsquery command on the Windows AD server, the Distinguished Name of the domain should be "dc=trainingAD,dc=training,dc=lab". Therefore, option C is true because the Distinguished Name on FortiGate is configured incorrectly and does not match the actual Distinguished Name of the domain. Option A is false because the Common Name Identifier on FortiGate is configured correctly as "cn". Option B is false because the Bind Type on FortiGate is configured correctly as
"Regular". Option D is false because the Username on FortiGate is configured correctly as
"cn=admin,cn=users,dc=trainingAD,dc=training,dc=lab".


質問 # 25
Which two pieces of information can the diagnose test authserver ldap command provide? (Choose two.)

  • A. It displays the LDAP groups found for the user
  • B. It displays whether the user credentials are correct
  • C. It displays the LDAP codes returned by the LDAP server
  • D. It displays whether the admin bind user credentials are correct

正解:B、C

解説:
Explanation
According to the FortiGate CLI Reference Guide, "The diagnose test authserver ldap command tests LDAP authentication with a specific LDAP server. The command displays whether the user credentials are correct and whether the user belongs to any groups that match a firewall policy. The command also displays the LDAP codes returned by the LDAP server." Therefore, options B and C are true because they describe the information that the diagnose test authserver ldap command can provide. Option A is false because the command does not display whether the admin bind user credentials are correct, but rather whether the user credentials are correct. Option D is false because the command does not display the LDAP groups found for the user, but rather whether the user belongs to any groups that match a firewall policy.


質問 # 26
Which two statements about the guest portal on FortiAuthenticator are true? (Choose two.)

  • A. Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal
  • B. Each remote user on FortiAuthenticator can sponsor up to 10 guest accounts
  • C. The guest portal provides pre and post-log in services
  • D. Administrators must approve all guest accounts before they can be used

正解:A、C

解説:
Explanation
According to the FortiAuthenticator Administration Guide2, "The guest portal provides pre and post-log in services for users (such as password reset and token registration abilities), and rules and replacement messages can be configured." Therefore, option C is true. The same guide also states that "Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal." Therefore, option D is true.
Option A is false because remote users can sponsor any number of guest accounts, as long as they do not exceed the maximum number of guest accounts allowed by the license. Option B is false because administrators can choose to approve or reject guest accounts, or enable auto-approval.


質問 # 27
What is the purpose of enabling Windows Active Directory Domain Authentication on FortiAuthenticator?

  • A. It enables FortiAuthenticator to register itself as a Windows trusted device to proxy authentication using Kerberos
  • B. It enables FortiAuthenticator to use Windows administrator credentials to perform an LDAP lookup for a user search
  • C. It enables FortiAuthenticator to use a Windows CA certificate when authenticating RADIUS users
  • D. It enables FortiAuthenticator to import users from Windows AD

正解:A

解説:
Explanation
According to the FortiAuthenticator Administration Guide2, "Windows Active Directory domain authentication enables FortiAuthenticator to join a Windows Active Directory domain as a machine entity and proxy authentication requests using Kerberos." Therefore, option D is true because it describes the purpose of enabling Windows Active Directory domain authentication on FortiAuthenticator. Option A is false because FortiAuthenticator does not need Windows administrator credentials to perform an LDAP lookup for a user search. Option B is false because FortiAuthenticator does not use a Windows CA certificate when authenticating RADIUS users, but rather its own CA certificate. Option C is false because FortiAuthenticator does not import users from Windows AD, but rather synchronizes them using LDAP or FSSO.


質問 # 28
Refer to the exhibit.

By default FortiOS creates the following DHCP server scope for the FortiLink interface as shown in the exhibit What is the objective of the vci-string setting?

  • A. To reserve IP addresses for FortiSwitch and FortiExtender devices
  • B. To ignore DHCP requests coming from FortiSwitch and FortiExtender devices
  • C. To restrict the IP address assignment to FortiSwitch and FortiExtender devices
  • D. To restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname

正解:C

解説:
Explanation
According to the exhibit, the DHCP server scope for the FortiLink interface has a vci-string setting with the value "Cisco AP c2700". This setting is used to match the vendor class identifier (VCI) of the DHCP clients that request an IP address from the DHCP server. The VCI is a text string that uniquely identifies a type of vendor device. Therefore, option C is true because the vci-string setting restricts the IP address assignment to FortiSwitch and FortiExtender devices, which use the VCI "Cisco AP c2700". Option A is false because the vci-string setting does not ignore DHCP requests coming from FortiSwitch and FortiExtender devices, but rather accepts them. Option B is false because the vci-string setting does not reserve IP addresses for FortiSwitch and FortiExtender devices, but rather assigns them dynamically. Option D is false because the vci-string setting does not restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname, but rather to devices that have "Cisco AP c2700" as their VCI.


質問 # 29
Refer to the exhibit

Examine the sections of the configuration shown in the output
What action will FortiGate take when verifying the student certificate through OCSP?

  • A. Reject the student certificate if the OCSP server replies that the student certificate status is unknown
  • B. Not verify the OCSP server certificate
  • C. Consider the student certificate status as valid if the OCSP server is unreachable
  • D. Use the OCSP URL included in the student certificate to verify the student certificate

正解:D

解説:
Explanation
According to the exhibit, the FortiGate configuration has ocsp-status enabled and ocsp-option set to certificate.
This means that FortiGate will use OCSP to verify the revocation status of certificates presented by clients. According to the FortiGate Administration Guide2, "If you select certificate, FortiGate uses an OCSP URL included in a certificate to verify that certificate." Therefore, option C is true because it describes what action FortiGate will take when verifying the student certificate through OCSP. Option A is false because FortiGate will not reject the student certificate if the OCSP server replies that the student certificate status is unknown, but rather accept it as valid. Option B is false because FortiGate will verify the OCSPserver certificate by default, unless strict-ocsp-check is disabled. Option D is false because FortiGate will not consider the student certificate status as valid if the OCSP server is unreachable, but rather reject it as invalid.


質問 # 30
Which CLI command should an administrator use to view the certificate verification process in real time?

  • A. diagnose debug application foauthd -1
  • B. diagnose debug application authd -1
  • C. diagnose debug application radiusd -1
  • D. diagnose debug application fnbamd -1

正解:A

解説:
Explanation
According to the FortiOS CLI Reference Guide, "The diagnose debug application foauthd command enables debugging of certificate verification process in real time." Therefore, option A is true because it describes the CLI command that an administrator should use to view the certificate verification process in real time. Option B is false because diagnose debug application radiusd -1 enables debugging of RADIUS authentication process, not certificate verification process. Option C is false because diagnose debug application authd -1 enables debugging of authentication daemon process, not certificate verification process. Option D is false because diagnose debug application fnbamd -1 enables debugging of FSSO daemon process, not certificate verification process.


質問 # 31
A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS) Which two changes must the administrator make to enforce HTTPS authentication"? (Choose two >

  • A. Enable HTTP redirect in the user authentication settings
  • B. Disable HTTP administrative access on the guest SSID to enforce HTTPS connection
  • C. Create a new SSID with the HTTPS captive portal URL
  • D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator

正解:A、D

解説:
Explanation
According to the FortiGate Administration Guide, "To enable HTTPS authentication, you must enable HTTP redirect in the user authentication settings. This redirects HTTP requests to HTTPS. You must also update the captive portal URL to use HTTPS on both FortiGate and FortiAuthenticator." Therefore, options B and D are true because they describe the changes that the administrator must make to enforce HTTPS authentication for the captive portal. Option A is false because creating a new SSID with the HTTPS captive portal URL is not required, as the existing SSID can be updated with the new URL. Option C is false because disabling HTTP administrative access on the guest SSID will not enforce HTTPS connection, but rather block HTTP connection.


質問 # 32
You are setting up an SSID (VAP) to perform RADlUS-authenticated dynamic VLAN allocation Which three RADIUS attributes must be supplied by the RADIUS server to enable successful VLAN allocation'' (Choose three.)

  • A. Tunnel-Medium-Type
  • B. Tunnel-Private-Group-ID
  • C. Tunnel-Preference
  • D. Tunnel-Pvt-Group-ID
  • E. Tunnel-Type

正解:A、B、E

解説:
Explanation
According to the FortiAP Configuration Guide, "To perform RADIUS-authenticated dynamic VLAN allocation, the RADIUS server must supply the following RADIUS attributes: Tunnel-Private-Group-ID, which specifies the VLAN ID to assign to the user. Tunnel-Type, which specifies the tunneling protocol used for the VLAN. The value must be 13 (VLAN). Tunnel-Medium-Type, which specifies the transport medium used for the VLAN. The value must be 6 (802). Therefore, options A, D, and E are true because they describe the RADIUS attributes that must be supplied by the RADIUS server to enable successful VLAN allocation.
Option B is false because Tunnel-Pvt-Group-ID is not a valid RADIUS attribute name, but rather a typo for Tunnel-Private-Group-ID. Option C is false because Tunnel-Preference is not a required RADIUS attribute for dynamic VLAN allocation, but rather an optional attribute that specifies the priority of the VLAN.


質問 # 33
Refer to the exhibit.

Examine the FortiSwitch security policy shown in the exhibit
If the security profile shown in the exhibit is assigned to all ports on a FortiSwitch device for 802 1X authentication which statement about the switch is correct?

  • A. All EAP messages will be terminated on FortiSwitch
  • B. FortiSwitch will try to authenticate non-802 1X devices using the device MAC address as the username and password
  • C. FortiSwitch cannot authenticate multiple devices connected to the same port
  • D. FortiSwitch will assign non-802 1X devices to the onboarding VLAN

正解:D

解説:
Explanation
According to the FortiSwitch Administration Guide, "If a device does not support 802.1X authentication, you can configure the switch to assign the device to an onboarding VLAN. The onboarding VLAN is a separate VLAN that you can use to provide limited network access to non-802.1X devices." Therefore, option C is true because it describes the behavior of FortiSwitch when the security profile shown in the exhibit is assigned to all ports. Option A is false because FortiSwitch can authenticate multiple devices connected to the same port using MAC-based or MAB-EAP modes. Option B is false because FortiSwitch will not try to authenticate non-802.1X devices using the device MAC address as the username and password, but rather use MAC authentication bypass (MAB) or EAP pass-through modes. Option D is false because all EAP messages will be terminated on FortiGate, not FortiSwitch, when using 802.1X authentication.


質問 # 34
Which two statements about MAC address quarantine by redirect mode are true? (Choose two)

  • A. The device MACaddress is added to the Quarantined Devices firewall address group
  • B. The quarantined device is kept in the current VLAN
  • C. The quarantined device is moved to the quarantine VLAN
  • D. It is the default mode for MAC address quarantine

正解:A、B

解説:
Explanation
According to the FortiGate Administration Guide, "MAC address quarantine by redirect mode allows you to quarantine devices by adding their MAC addresses to a firewall address group called Quarantined Devices.
The quarantined devices are kept in their current VLANs, but their traffic is redirected to a quarantine portal." Therefore, options B and D are true because they describe the statements about MAC address quarantine by redirect mode. Option A is false because the quarantined device is not moved to the quarantine VLAN, but rather kept in the current VLAN. Option C is false because redirect mode is not the default mode for MAC address quarantine, but rather an alternative mode that can be enabled by setting mac-quarantine-mode to redirect.
https://docs.fortinet.com/document/fortiap/7.0.0/configuration-guide/734537/radius-authenticated-dynamic-vlan-: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/734537/mac-address-quarantine


質問 # 35
Refer to the exhibit.

Examine the IPsec VPN phase 1 configuration shown in theexhibit
An administrator wants to use certificate-based authentication for an IPsec VPN user Which three configuration changes must you make on FortiGate to perform certificate-based authentication for the IPsec VPN user? (Choose three)

  • A. Enable XAUTH on the IPsec VPN tunnel
  • B. Create a PKI user for the IPsec VPN user, and then configure the IPsec VPN tunnel to accept the PKI user as peer certificate
  • C. In the IKE section of the IPsec VPN tunnel in the Mode field select Main (ID protection)
  • D. Import the CA that signed the user certificate
  • E. In the Authentication section of the IPsec VPN tunnel in the Method drop-down list select Signature and then select the certificate that FortiGate will use for IPsec VPN

正解:A、D、E

解説:
Explanation
According to the FortiGate Administration Guide, "To use certificate-based authentication, you must configure the following settings on both peers: Select Signature as the authentication method and select a certificate to use for authentication. Import the CA certificate that issued the peer's certificate. Enable XAUTH on the phase 1 configuration." Therefore, options B, D, and E are true because they describe the configuration changes that must be made on FortiGate to perform certificate-based authentication for the IPsec VPN user.
Option A is false because creating a PKI user for the IPsec VPN user is not required, as the user certificate can be verified by the CA certificate. Option C is false because changing the IKE mode to Main (ID protection) is not required, as the IKE mode can be either Main or Aggressive for certificate-based authentication.


質問 # 36
Refer to the exhibit.

Examine the FortiGate configuration FortiAnalyzer logs and FortiGate widget shown in the exhibit An administrator is testing the Security Fabric quarantine automation The administrator added FortiAnalyzer to the Security Fabric and configured an automation stitch to automatically quarantine compromised devices The test device (::.:.:.!) s connected to a managed Fort Switch dev :e After trying to access a malicious website from the test device, the administrator verifies that FortiAnalyzer has a log (or the test connection However the device is not getting quarantined by FortiGate as shown in the quarantine widget Which two scenarios are likely to cause this issue? (Choose two)

  • A. FortiAnalyzer does not have a valid threat detection services license
  • B. FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC)
  • C. The device does not have FortiClient installed
  • D. The web filtering rating service is not working

正解:A、B

解説:
Explanation
According to the exhibits, the administrator has configured an automation stitch to automatically quarantine compromised devices based on FortiAnalyzer's threat detection services. However, according to the FortiAnalyzer logs, the test device is not detected as compromised by FortiAnalyzer, even though it tried to access a malicious website. Therefore, option B is true because FortiAnalyzer does not have a valid threat detection services license, which is required to enable the threat detection services feature. Option D is also true because FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC), which is a criterion for identifying compromised devices. Option A is false because the web filtering rating service is working, as shown by the log entry that indicates that the test device accessed a URL with a category of
"Malicious Websites". Option C is false because the device does not need to have FortiClient installed to be quarantined by FortiGate, as long as it is connected to a managed FortiSwitch device.


質問 # 37
You are investigating a report of poor wireless performance in a network that you manage. The issue is related to an AP interface in the 5 GHz range You are monitoring the channel utilization over time.
What is the recommended maximum utilization value that an interface should not exceed?

  • A. 65%
  • B. 95%
  • C. 75%
  • D. 85%

正解:A

解説:
Explanation
According to the FortiAP Configuration Guide, "Channel utilization measures how busy a channel is over a given period of time. It includes both Wi-Fi and non-Wi-Fi interference sources. A high channel utilization indicates a congested channel and can result in poor wireless performance. The recommended maximum utilization value that an interface should not exceed is 65%." Therefore, option D is true because it gives the recommended maximum utilization value for an interface in the 5 GHz range. Options A, B, and C are false because they give higher utilization values that can cause poor wireless performance.
https://docs.fortinet.com/document/fortiap/7.0.0/configuration-guide/734537/wireless-radio-settings#channel-uti


質問 # 38
......

実験された試験材料はNSE7_LED-7.0:https://jp.fast2test.com/NSE7_LED-7.0-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어