[2024年03月12日]NSE6_FAC-6.4試験問題集でリアル試験と100%同じ問題と解答
NSE6_FAC-6.4テストエンジン問題集トレーニングには49問あります
NSE6_FAC-6.4認定プログラムでは、候補者はFortiAuthenticator 6.4を使用してユーザーID、認証ポリシー、アクセス制御を構成および管理する方法を学びます。このプログラムでは、ユーザー認証、シングルサインオン(SSO)、二要素認証(2FA)、パスワード管理などのトピックがカバーされます。候補者はまた、FortiGate、FortiAnalyzer、FortiSandboxなどの他のFortinetサイバーセキュリティソリューションとFortiAuthenticator 6.4を統合する方法を学びます。
Fortinet NSE6_FAC-6.4認定試験は、システム管理者、ネットワーク管理者、セキュリティプロフェッショナルなど、日々Fortinet NSE 6 - FortiAuthenticator 6.4を使用するITプロフェッショナルに適しています。この認定試験は、Fortinet NSE 6 - FortiAuthenticator 6.4のスキルと知識を確認し、キャリアの見通しを向上させる絶好の機会です。
質問 # 13
Which interface services must be enabled for the SCEP client to connect to Authenticator?
- A. OCSP
- B. REST API
- C. SSH
- D. HTTP/HTTPS
正解:D
解説:
HTTP/HTTPS are the interface services that must be enabled for the SCEP client to connect to FortiAuthenticator. SCEP stands for Simple Certificate Enrollment Protocol, which is a method of requesting and issuing digital certificates over HTTP or HTTPS. FortiAuthenticator supports SCEP as a certificate authority (CA) and can process SCEP requests from SCEP clients. To enable SCEP on FortiAuthenticator, the HTTP or HTTPS service must be enabled on the interface that receives the SCEP requests.
質問 # 14
A system administrator wants to integrate FortiAuthenticator with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO.
What feature does FortiAuthenticator offer for this type of integration?
- A. RADIUS learning mode for migrating users
- B. The ability to import and export users from CSV files
- C. SNMP monitoring and traps
- D. REST API
正解:D
解説:
REST API is a feature that allows FortiAuthenticator to integrate with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO. REST API stands for Representational State Transfer Application Programming Interface, which is a method of exchanging data between different systems using HTTP requests and responses. FortiAuthenticator provides a REST API that can be used by external systems to perform various actions, such as creating, updating, deleting, or querying users and groups, or sending FSSO logon or logoff events.
質問 # 15
Which two protocols are the default management access protocols for administrative access for FortiAuthenticator? (Choose two)
- A. HTTPS
- B. SNMP
- C. Telnet
- D. SSH
正解:A、D
解説:
HTTPS and SSH are the default management access protocols for administrative access for FortiAuthenticator. HTTPS allows administrators to access the web-based GUI of FortiAuthenticator using a web browser and a secure connection. SSH allows administrators to access the CLI of FortiAuthenticator using an SSH client and an encrypted connection. Both protocols require the administrator to enter a valid username and password to log in.
質問 # 16
A digital certificate, also known as an X.509 certificate, contains which two pieces of information? (Choose two.)
- A. Private key
- B. Issuer
- C. Shared secret
- D. Public key
正解:B、D
解説:
A digital certificate, also known as an X.509 certificate, contains two pieces of information:
Issuer, which is the identity of the certificate authority (CA) that issued the certificate Public key, which is the public part of the asymmetric key pair that is associated with the certificate subject
質問 # 17
You are a Wi-Fi provider and host multiple domains.
How do you delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device?
- A. Create user groups
- B. Create multiple directory trees on FortiAuthenticator
- C. Create realms.
- D. Automatically import hosts from each domain as they authenticate.
正解:C
解説:
Realms are a way to delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device. A realm is a logical grouping of users and groups based on a common attribute, such as a domain name or an IP address range. Realms allow administrators to apply different authentication policies and settings to different groups of users based on their realm membership.
質問 # 18
An administrator has an active directory (AD) server integrated with FortiAuthenticator. They want members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls.
How does the administrator accomplish this goal?
- A. Configure a domain groupings list to identify the desired AD groups.
- B. Configure a FortiGate filter on FortiAuthenticatoc
- C. Configure SSO groups and assign them to FortiGate groups.
- D. Configure fine-grained controls on FortiAuthenticator to designate AD groups.
正解:C
解説:
To allow members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls, the administrator can configure SSO groups and assign them to FortiGate groups. SSO groups are groups of users or devices that are defined on FortiAuthenticator based on various criteria, such as user group membership, source IP address, MAC address, or device type. FortiGate groups are groups of users or devices that are defined on FortiGate based on various criteria, such as user group membership, firewall policy, or authentication method. By mapping SSO groups to FortiGate groups, the administrator can control which users or devices can access the network resources protected by FortiGate.
質問 # 19
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?
- A. Time and mobile location
- B. Time and FortiAuthenticator serial number
- C. UUID and time
- D. Time and seed
正解:D
解説:
TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.
質問 # 20
When configuring syslog SSO, which three actions must you take, in addition to enabling the syslog SSO method? (Choose three.)
- A. Set the syslog UDP port on FortiAuthenticator.
- B. Select a syslog rule for message parsing.
- C. Define a syslog source.
- D. Set the same password on both the FortiAuthenticator and the syslog server.
- E. Enable syslog on the FortiAuthenticator interface.
正解:A、B、C
解説:
To configure syslog SSO, three actions must be taken, in addition to enabling the syslog SSO method:
Define a syslog source, which is a device that sends syslog messages to FortiAuthenticator containing user logon or logoff information.
Select a syslog rule for message parsing, which is a predefined or custom rule that defines how to extract the user name, IP address, and logon or logoff action from the syslog message.
Set the syslog UDP port on FortiAuthenticator, which is the port number that FortiAuthenticator listens on for incoming syslog messages.
質問 # 21
Examine the screenshot shown in the exhibit.
Which two statements regarding the configuration are true? (Choose two.)
- A. All guest accounts created using the account registration feature will be placed under the Guest_Portal_Users group
- B. Guest user account will expire after eight hours
- C. Guest users must fill in all the fields on the registration form
- D. All accounts registered through the guest portal must be validated through email
正解:A、D
解説:
The screenshot shows that the account registration feature is enabled for the guest portal and that the guest group is set to Guest_Portal_Users. This means that all guest accounts created using this feature will be placed under that group1. The screenshot also shows that email validation is enabled for the guest portal and that the email validation link expires after 24 hours. This means that all accounts registered through the guest portal must be validated through email within that time frame1.
質問 # 22
What are three key features of FortiAuthenticator? (Choose three)
- A. Portal services
- B. Certificate authority
- C. RSSO Server
- D. Log server
- E. Identity management device
正解:A、B、E
解説:
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet Single Sign-On (FSSO). It also offers portal services for guest management, self-service password reset, and device registration. It is not a log server or an RSSO server. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/release-notes
質問 # 23
Which two capabilities does FortiAuthenticator offer when acting as a self-signed or local CA? (Choose two)
- A. Merging local and remote CRLs using SCEP
- B. Importing other CA certificates and CRLs
- C. Validating other CA CRLs using OSCP
- D. Creating, signing, and revoking of X.509 certificates
正解:B、D
解説:
FortiAuthenticator can act as a self-signed or local CA that can issue certificates to users, devices, or other CAs. It can also import other CA certificates and CRLs to trust them and validate their certificates. It can also create, sign, and revoke X.509 certificates for various purposes, such as VPN authentication, web server encryption, or wireless security. It cannot validate other CA CRLs using OCSP or merge local and remote CRLs using SCEP because these are protocols that require communication with external CAs. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management
質問 # 24
Which two are supported captive or guest portal authentication methods? (Choose two)
- A. Email
- B. Linkedln
- C. Instagram
- D. Apple ID
正解:A、B
解説:
FortiAuthenticator supports various captive or guest portal authentication methods, including social media login with Linkedln, Facebook, Twitter, Google+, or WeChat; email verification; SMS verification; voucher code; username and password; and MAC address bypass. Apple ID and Instagram are not supported as authentication methods. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/372405/authentication-methods
質問 # 25
When you are setting up two FortiAuthenticator devices in active-passive HA, which HA role must you select on the master FortiAuthenticator?
- A. Load balancing master
- B. Active-passive master
- C. Standalone master
- D. Cluster member
正解:B
解説:
When you are setting up two FortiAuthenticator devices in active-passive HA, you need to select the active-passive master role on the master FortiAuthenticator device. This role means that the device will handle all requests and synchronize data with the slave device until a failover occurs. The slave device must be configured as an active-passive slave role. The other roles are used for different HA modes, such as standalone (no HA), cluster (active-active), or load balancing (active-active with load balancing). Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372411/high-availability
質問 # 26
Which EAP method is known as the outer authentication method?
- A. PEAP
- B. EAP-TLS
- C. EAP-GTC
- D. MSCHAPV2
正解:A
解説:
PEAP is known as the outer authentication method because it establishes a secure tunnel between the client and the server using TLS. The inner authentication method, such as EAP-GTC, EAP-TLS, or MSCHAPV2, is then used to authenticate the client within the tunnel.
質問 # 27
Which two SAML roles can Fortiauthenticator be configured as? (Choose two)
- A. Service provider
- B. Principal
- C. Idendity provider
- D. Assertion server
正解:A、C
解説:
FortiAuthenticator can be configured as a SAML identity provider (IdP) or a SAML service provider (SP). As an IdP, FortiAuthenticator authenticates users and issues SAML assertions to SPs. As an SP, FortiAuthenticator receives SAML assertions from IdPs and grants access to users based on the attributes in the assertions. Principal and assertion server are not valid SAML roles. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372407/saml
質問 # 28
Which behaviors exist for certificate revocation lists (CRLs) on FortiAuthenticator? (Choose two)
- A. CRLs can be exported only through the SCEP server
- B. CRLs contain the serial number of the certificate that has been revoked
- C. All local CAs share the same CRLs
- D. Revoked certificates are automaticlly placed on the CRL
正解:B、D
解説:
CRLs are lists of certificates that have been revoked by the issuing CA and should not be trusted by any entity. CRLs contain the serial number of the certificate that has been revoked, the date and time of revocation, and the reason for revocation. Revoked certificates are automatically placed on the CRL by the CA and the CRL is updated periodically. CRLs can be exported through various methods, such as HTTP, LDAP, or SCEP. Each local CA has its own CRL that is specific to its issued certificates. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management/372413/certificate-revocation-lists
質問 # 29
Why would you configure an OCSP responder URL in an end-entity certificate?
- A. To identify the end point that a certificate has been assigned to
- B. To designate the SCEP server to use for CRL updates for that certificate
- C. To provide the CRL location for the certificate
- D. To designate a server for certificate status checking
正解:D
解説:
An OCSP responder URL in an end-entity certificate is used to designate a server for certificate status checking. OCSP stands for Online Certificate Status Protocol, which is a method of verifying whether a certificate is valid or revoked in real time. An OCSP responder is a server that responds to OCSP requests from clients with the status of the certificate in question. The OCSP responder URL in an end-entity certificate points to the location of the OCSP responder that can provide the status of that certificate.
質問 # 30
At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)
- A. Configuring a RADIUS client
- B. Configuring an external authentication portal
- C. Configuring at least on post-login service
- D. Configuring a portal policy
正解:C、D
解説:
enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management
質問 # 31
Which statement about captive portal policies is true, assuming a single policy has been defined?
- A. All conditions in the policy must match before a user is presented with the captive portal.
- B. Portal policies can be used only for BYODs.
- C. Portal policies apply only to authentication requests coming from unknown RADIUS clients
- D. Conditions in the policy apply only to wireless users.
正解:A
解説:
Captive portal policies are used to define the conditions and settings for presenting a captive portal to users who need to authenticate before accessing the network. A captive portal policy consists of a set of conditions and a set of actions. The conditions can be based on various attributes, such as source IP address, MAC address, user group, device type, or RADIUS client. The actions can include redirecting the user to a specific portal, applying a specific authentication method, or assigning a specific VLAN or firewall policy. A single policy can have multiple conditions, and all conditions in the policy must match before a user is presented with the captive portal.
質問 # 32
......
NSE6_FAC-6.4練習テストPDF試験材料:https://jp.fast2test.com/NSE6_FAC-6.4-premium-file.html