[2024年04月] 無料お試しFortinet NSE7_LED-7.0問題集PDFは必ずベストの問題集オプションを使おう [Q15-Q33]

Share

[2024年04月] 無料お試しFortinet NSE7_LED-7.0問題集PDFは必ずベストの問題集オプションを使おう

NSE7_LED-7.0試験資料Fortinet学習ガイド


Fortinet NSE7_LED-7.0認定は、FortinetのLAN Edgeソリューションの展開と管理において候補者の習熟度を示しているため、業界で非常に評価されています。この認定は、ネットワーキング分野での雇用を求める専門家に競争上の優位性を提供します。この認定は、Fortinetコミュニティ内で認識を獲得する機会と、排他的なリソースやイベントへのアクセスも提供します。全体として、Fortinet NSE7_LED-7.0認定は、キャリアの見通しを強化し、競争に先んじているネットワークの専門家にとって優れた投資です。

 

質問 # 15
Which two statements about the MAC-based 802 1X security mode available on FortiSwitch are true? (Choose two.)

  • A. FortiSwitch authenticates a single device and opens the port to other devices connected to the port
  • B. It cannot be used in conjunction with MAC authentication bypass
  • C. FortiSwitch authenticates each device connected to the port
  • D. FortiSwitch can grant different access levels to each device connected to the port

正解:C、D

解説:
Explanation
According to the FortiSwitch Administration Guide, "MAC-based 802.1X security mode allows you to authenticate each device connected to a port using its MAC address as the username and password." Therefore, option B is true because it describes the MAC-based 802.1X security mode available on FortiSwitch. Option D is also true because FortiSwitch can grant different access levels to each device connected to the port based on the user group and security policy assigned to them. Option A is false because FortiSwitch does not authenticate a single device and open the port to other devices connected to the port, but rather authenticates each device individually. Option C is false because MAC-based 802.1X security mode can be used in conjunction with MAC authentication bypass (MAB) or EAP pass-through modes, which are fallback options for non-802.1X devices.


質問 # 16
Refer to the exhibit

Examine the sections of the configuration shown in the output
What action will FortiGate take when verifying the student certificate through OCSP?

  • A. Use the OCSP URL included in the student certificate to verify the student certificate
  • B. Not verify the OCSP server certificate
  • C. Reject the student certificate if the OCSP server replies that the student certificate status is unknown
  • D. Consider the student certificate status as valid if the OCSP server is unreachable

正解:A

解説:
Explanation
According to the exhibit, the FortiGate configuration has ocsp-status enabled and ocsp-option set to certificate.
This means that FortiGate will use OCSP to verify the revocation status of certificates presented by clients. According to the FortiGate Administration Guide2, "If you select certificate, FortiGate uses an OCSP URL included in a certificate to verify that certificate." Therefore, option C is true because it describes what action FortiGate will take when verifying the student certificate through OCSP. Option A is false because FortiGate will not reject the student certificate if the OCSP server replies that the student certificate status is unknown, but rather accept it as valid. Option B is false because FortiGate will verify the OCSPserver certificate by default, unless strict-ocsp-check is disabled. Option D is false because FortiGate will not consider the student certificate status as valid if the OCSP server is unreachable, but rather reject it as invalid.


質問 # 17
Refer to the exhibit

Examine the FortiGate RSSO configuration shown in the exhibit
FortiGate is configured to receive RADIUS accounting messages on port3 to authenticate RSSO users The users are located behind port3 and the internet link is connected to port1 FortiGate is processing incoming RADIUS accounting messages successfully and RSSO users are getting associated with the RSSO Group user group However all the users are able to access the internet, and the administrator wants to restrict internet access to RSSO users only Which configuration change should the administrator make to fix the problem?

  • A. Create a second firewall policy from port3 lo port1 and select the target destination subnets
  • B. Change the RADIUS Attribute Value selling to match the name of the RADIUS attribute containing the group membership information of the RSSO users
  • C. Enable Security Fabric Connection on port3
  • D. Add RSSO Group to the firewall policy

正解:D

解説:
Explanation
According to the exhibit, the firewall policy from port3 to port1 has no user group specified, which means that it allows all users to access the internet. Therefore, option B is true because adding RSSO Group to the firewall policy will restrict internet access to RSSO users only. Option A is false because changing the RADIUS Attribute Value setting will not affect the firewall policy, but rather the RSSO user group membership. Option C is false because enabling Security Fabric Connection on port3 will not affect the firewall policy, but rather the communication between FortiGate and other Security Fabric devices. Option D is false because creating a second firewall policy from port3 to port1 will not affect the existing firewall policy, but rather create a redundant or conflicting policy.


質問 # 18
Refer to the exhibit.

Examine the LDAP server configuration shown in the exhibit Note that the Username setting has been expanded to display Its full content On the Windows AD server 10.0.1.10, the administrator used dsquery. which returned the following output:

According to the output which FortiGate LDAP setting is configured incorrectly''

  • A. Username
  • B. Distinguished Name
  • C. Bind Type
  • D. Common Name Identifier

正解:B

解説:
Explanation
According to the exhibits, the LDAP server configuration on FortiGate has the Distinguished Name set to
"dc=training,dc=lab". However, according to the output of the dsquery command on the Windows AD server, the Distinguished Name of the domain should be "dc=trainingAD,dc=training,dc=lab". Therefore, option C is true because the Distinguished Name on FortiGate is configured incorrectly and does not match the actual Distinguished Name of the domain. Option A is false because the Common Name Identifier on FortiGate is configured correctly as "cn". Option B is false because the Bind Type on FortiGate is configured correctly as
"Regular". Option D is false because the Username on FortiGate is configured correctly as
"cn=admin,cn=users,dc=trainingAD,dc=training,dc=lab".


質問 # 19
When you configure a FortiAP wireless interface for auto TX power control which statement describes how it configures its transmission power"?

  • A. Every 30 seconds FortiGate measures the signal strength of adjacent FortiAP interfaces It will adjust the adjacent AP power to be detectable at -70 dBm
  • B. Every 30 seconds FortiGate measures the signal strength of adjacent AP interfaces It will adjust its own AP power to match the adjacent AP signal strength
  • C. Every 30 seconds the AP will measure the signal strength of the AP using the client The AP will adjust its signal strength up or down until the AP signal is detected at -70 dBm
  • D. Every 30 seconds FortiGate measures the signal strength of the weakest associated client The AP will then configure its radio power to match the detected signal strength of the client

正解:C

解説:
Explanation
According to the FortiAP Configuration Guide1, "Auto TX power control allows the AP to adjust its transmit power based on the signal strength of the client. The AP will measure the signal strength of the client every 30 seconds and adjust its transmit power up or down until the client signal is detected at -70 dBm." Therefore, option A is true because it describes how the FortiAP wireless interface configures its transmission power when auto TX power control is enabled. Option B is false because FortiGate does not measure the signal strength of adjacent AP interfaces, but rather the FortiAP does. Option C is false because FortiGate does not adjust the adjacent AP power, but rather the FortiAP adjusts its own power. Option D is false becauseFortiGate does not measure the signal strength of the weakest associated client, but rather the FortiAP does.


質問 # 20
Refer to the exhibit.

Examine the FortiGate user group configuration and the Windows AD LDAP group membership information shown in the exhibit FortiGate is configured to authenticate SSL VPN users against Windows AD using LDAP The administrator configured the SSL VPN user group for SSL VPN users However the administrator noticed that both the student and j smith users can connect to SSL VPN Which change can the administrator make on FortiGate to restrict the SSL VPN service to the student user only?

  • A. In the SSL VPN user group configuration set Group Name to ::;=Domain users.CN-Users/DC=trainingAD, DC-training, DC=lab.
  • B. In the SSL VPN user group configuration change Type to Fortinet Single Sign-On (FSSO)
  • C. In the SSL VPN user group configuration, change Name to cn=sslvpn, CN=users, DC=trainingAD, Detraining, DC-lab.
  • D. In the SSL VPN user group configuration set Group Nam to CN-SSLVPN, CN="users, DC-trainingAD, DC-training, DC-lab

正解:D

解説:
Explanation
According to the FortiGate Administration Guide, "The Group Name is the name of the LDAP group that you want to use for authentication. The name must match exactly the name of the LDAP group on the LDAP server." Therefore, option A is true because it will set the Group Name to match the LDAP group that contains only the student user. Option B is false because changing the Name will not affect the authentication process, as it is only a local identifier for the user group on FortiGate. Option C is false because setting the Group Name to Domain Users will include all users in the domain, not just the student user. Option D is false because changing the Type to FSSO will require a different configuration method and will not solve the problem.


質問 # 21
What is the purpose of enabling Windows Active Directory Domain Authentication on FortiAuthenticator?

  • A. It enables FortiAuthenticator to use a Windows CA certificate when authenticating RADIUS users
  • B. It enables FortiAuthenticator to use Windows administrator credentials to perform an LDAP lookup for a user search
  • C. It enables FortiAuthenticator to register itself as a Windows trusted device to proxy authentication using Kerberos
  • D. It enables FortiAuthenticator to import users from Windows AD

正解:C

解説:
Explanation
According to the FortiAuthenticator Administration Guide2, "Windows Active Directory domain authentication enables FortiAuthenticator to join a Windows Active Directory domain as a machine entity and proxy authentication requests using Kerberos." Therefore, option D is true because it describes the purpose of enabling Windows Active Directory domain authentication on FortiAuthenticator. Option A is false because FortiAuthenticator does not need Windows administrator credentials to perform an LDAP lookup for a user search. Option B is false because FortiAuthenticator does not use a Windows CA certificate when authenticating RADIUS users, but rather its own CA certificate. Option C is false because FortiAuthenticator does not import users from Windows AD, but rather synchronizes them using LDAP or FSSO.


質問 # 22
Refer to the exhibit.

Examine the RADIUS server configuration shown in the exhibit
An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP While testing the configuration the administrator noticed that the diagnosetest authserver command worked with PAP, however authentication requests failed when using MSCHAP2 Which two solutions can the administrator implement to get MSCHAP2 authentication to work'' (Choose two.)

  • A. On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain
  • B. On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS
  • C. On FortiGate update the Secret setting on the RADIUS server
  • D. On FortiGate configure the NAS IP setting on the RADIUS
    server

正解:A、B

解説:
Explanation
According to the exhibit, the RADIUS server configuration on FortiGate points to FortiAuthenticator, which is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP. However, LDAP does not support MSCHAP2 authentication, which is required for RADIUS. Therefore, option A is true because on FortiAuthenticator, enabling Windows Active Directory Domain Authentication will add FortiAuthenticator to the Windows domain and allow it to use MSCHAP2 authentication with the AD server. Option C is also true because on FortiAuthenticator, changing the back-end authentication server from LDAP to RADIUS will allow it to use MSCHAP2 authentication with the AD server. Option B is false because on FortiGate, configuring the NAS IP setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the source IP address of the RADIUS packets. Option D is false because on FortiGate, updating the Secret setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the shared secret between FortiGate and FortiAuthenticator.


質問 # 23
Refer to the exhibits

The exhibits show the wireless network (VAP) SSID profiles defined on FortiManager and an AP profile assigned to a group of APs that are supported by FortiGate None of the APs are broadcasting the SSlDs defined by the AP profile Which changes do you need to make to enable the SSIDs to broadcast?

  • A. Enable one channel in the Channels section
  • B. In the SSIDs section enable Manual and assign the networks manually
  • C. In the SSIDs section enable Tunnel
  • D. Enable multiple channels in the Channels section and enable Radio Resource Provision

正解:A

解説:
Explanation
According to the FortiManager Administration Guide1, "To enable the SSID, you must select at least one channel for the radio. If no channels are selected, the SSID will not be enabled." Therefore, enabling one channel in the Channels section will allow the SSIDs to broadcast.


質問 # 24
A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS) Which two changes must the administrator make to enforce HTTPS authentication"? (Choose two >

  • A. Create a new SSID with the HTTPS captive portal URL
  • B. Disable HTTP administrative access on the guest SSID to enforce HTTPS connection
  • C. Enable HTTP redirect in the user authentication settings
  • D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator

正解:C、D

解説:
Explanation
According to the FortiGate Administration Guide, "To enable HTTPS authentication, you must enable HTTP redirect in the user authentication settings. This redirects HTTP requests to HTTPS. You must also update the captive portal URL to use HTTPS on both FortiGate and FortiAuthenticator." Therefore, options B and D are true because they describe the changes that the administrator must make to enforce HTTPS authentication for the captive portal. Option A is false because creating a new SSID with the HTTPS captive portal URL is not required, as the existing SSID can be updated with the new URL. Option C is false because disabling HTTP administrative access on the guest SSID will not enforce HTTPS connection, but rather block HTTP connection.


質問 # 25
Exhibit.

Exhibit.

Refer to the exhibits
In the wireless configuration shown in the exhibits, an AP is deployed in a remote site and has a wireless network (VAP) called Corporate deployed to it The network is a tunneled network however clients connecting to a wireless network require access to a local printer Clients are trying to print to a printer on the remote site but are unable to do so Which configuration change is required to allow clients connected to the Corporate SSID to print locally?

  • A. Disable the Block Intra-SSID Traffic (intra-vap-privacy) setting on the SSID (VAP) profile
  • B. Configure split-tunneling in the vap configuration
  • C. Configure split-tunneling in the wtp-profile configuration
  • D. Configure the printer as a wireless client on the Corporate wireless network

正解:B

解説:
Explanation
According to the Fortinet documentation1, "Split tunneling allows you to specify which traffic is tunneled to the FortiGate and which traffic is sent directly to the Internet. This can improve performance and reduce bandwidth usage." Therefore, by configuring split-tunneling in the vap configuration, you can allow the clients connected to the Corporate SSID to access both the corporate network and the local printer. Option B is incorrect because split-tunneling is configured at the vap level, not the wtp-profile level. Option C is incorrect because blocking intra-SSID traffic prevents wireless clients on the same SSID from communicating with each other, which is not related to accessing a local printer. Option D is unnecessary and impractical because the printer does not need to be a wireless client on the Corporate wireless network to be accessible by the clients.


質問 # 26
Refer to the exhibit

A device connected to port2 on FortiSwitch cannot access the network The port is assigned a security policy to enforce 802 1X authentication While troubleshooting the issue, the administrator obtains the debug output shown in the exhibit Which two scenarios are likely to cause this issue? (Choose two.)

  • A. The device is not configured for 802 IX authentication.
  • B. The device does not support 802 1X authentication
  • C. The device has been assigned the guest VLAN
  • D. The device has been quarantined for 3600 seconds.

正解:A、B

解説:
Explanation
According to the exhibit, the debug output shows that the device connected to port2 on FortiSwitch is sending an EAPOL-Start message, which is the first step of the 802.1X authentication process. However, the output also shows that the device is not sending any EAP-Response messages, which are required to complete the authentication process. Therefore, option A is true because the device is not configured for 802.1X authentication, which means that it does not have the correct credentials or settings to authenticate with the RADIUS server. Option D is also true because the device does not support 802.1X authentication, which means that it does not have the capability or software to perform 802.1X authentication. Option B is false because the device has not been quarantined for 3600 seconds, but rather has a session timeout of 3600 seconds, which is the default value for 802.1X sessions. Option C is false because the device has not been assigned the guest VLAN, but rather has been assigned the default VLAN, which is VLAN 1.


質問 # 27
Which two statements about FortiSwitchmanager are true1? (Choose two)

  • A. Any switch discovered or authorized on FortiGate must be added manually on FortiSwitch manager
  • B. FortiManager obtains the FortiSwitch status information by querying the FortiGate REST API every three minutes
  • C. Per-device management is the default management mode on FortiManager
  • D. If the administrator makes any changes on FortiSwitch manager they must also install those changes on FortiGate so that those changes are applied on the managed switches

正解:B、D

解説:
Explanation
According to the FortiManager Administration Guide1, "FortiManager obtains the FortiSwitch status information by querying the FortiGate REST API every three minutes." Therefore, option B is true because it describes how FortiManager gets the information about the managed switches. According to the same guide2,
"If you make any changes in this module, you must install them on your managed device so that they are applied on your managed switches." Therefore, option C is true because it describes what the administrator must do after making any changes on FortiSwitch manager. Option A is false because central management is the default management mode on FortiManager, not per-device management. Option D is false because anyswitch discovered or authorized on FortiGate will be automatically added on FortiSwitch manager, not manually.
1: https://docs.fortinet.com/document/fortimanager/7.0.0/administration-guide/734537/fortiswitch-manager 2:
https://docs.fortinet.com/document/fortimanager/7.0.0/administration-guide/734537/fortiswitch-manager#fortisw


質問 # 28
Refer to the exhibits.

Exhibit.

Examine the troubleshooting outputs shown in the exhibits
Users have been reporting issues with the speed of their wireless connection in a particular part of the wireless network The interface that is having issues is the 2 4 GHz interface that is currently configured on channel 6 The administrator of the wireless network has investigated and surveyed the local RF environment using the tools available at the AP and FortiGate Which configuration would improve the wireless connection?

  • A. Change the AP 2 4 GHz channel to 1.
  • B. Change the AP 2 4 GHz channel to 11
  • C. Change the AP 2 4 GHz channel to 13.
  • D. Change the AP 2 4 GHz channel to 9.

正解:A

解説:
Explanation
According to the exhibits, the AP 2.4 GHz interface is currently configured on channel 6, which is overlapping with other nearby APs on channels 4 and 8. This can cause interference and reduce the wireless performance.
Therefore, changing the AP 2.4 GHz channel to 1 would improve the wireless connection, as it would avoid the overlapping channels and use a non-overlapping channel instead. Option A is false because changing the AP 2.4 GHz channel to 11 would still overlap with other nearby APs on channels 9 and 13. Option C is false because changing the AP 2.4 GHz channel to 9 would still overlap with other nearby APs on channels 6, 8, and 11. Option D is false because changing the AP 2.4 GHz channel to 13 would still overlap with other nearby APs on channels 9 and 11.


質問 # 29
Refer to the exhibit.

Examine the network diagram and packet capture shown in the exhibit
The packet capture was taken between FortiGate and FortiAuthenticator and shows a RADIUS Access-Request packet sent by FortiSwitch to FortiAuthenticator through FortiGate Why does the User-Name attribute in the RADIUS Access-Request packet contain the client MAC address?

  • A. FortiSwitch is sending a RADIUS accounting message to FortiAuthenticator
  • B. FortiSwitch is authenticating the client using MAC authentication bypass
  • C. The client is performing user authentication
  • D. The client is performing AD machine authentication

正解:B

解説:
Explanation
According to the exhibit, the User-Name attribute in the RADIUS Access-Request packet contains the client MAC address of 00:0c:29:6a:2b:3d. This indicates that FortiSwitch is authenticating the client using MAC authentication bypass (MAB), which is a method of authenticating devices that do not support 802.1X by using their MAC address as the username and password. Therefore, option B is true because it explains why the User-Name attribute contains the client MAC address. Option A is false because AD machine authentication uses a computer account name and password, not a MAC address. Option C is false because user authentication uses a user name and password, not a MAC address. Option D is false because FortiSwitch is sending a RADIUS Access-Request message to FortiAuthenticator, not a RADIUS accounting message.


質問 # 30
Which CLI command should an administrator use to view the certificate verification process in real time?

  • A. diagnose debug application fnbamd -1
  • B. diagnose debug application radiusd -1
  • C. diagnose debug application authd -1
  • D. diagnose debug application foauthd -1

正解:D

解説:
Explanation
According to the FortiOS CLI Reference Guide, "The diagnose debug application foauthd command enables debugging of certificate verification process in real time." Therefore, option A is true because it describes the CLI command that an administrator should use to view the certificate verification process in real time. Option B is false because diagnose debug application radiusd -1 enables debugging of RADIUS authentication process, not certificate verification process. Option C is false because diagnose debug application authd -1 enables debugging of authentication daemon process, not certificate verification process. Option D is false because diagnose debug application fnbamd -1 enables debugging of FSSO daemon process, not certificate verification process.


質問 # 31
......


Fortinet NSE7_LED-7.0 認定試験は、FortinetのLANエッジソリューションでの経験があり、LANエッジセキュリティコンセプトについて良好な理解を持っている個人を対象としています。認定試験に合格した候補者は、Fortinet NSE 7 - LAN Edge 認定プロフェッショナルとして認められ、LANエッジセキュリティソリューションの専門知識を証明します。この認定は、キャリアアップの基盤を提供し、ネットワークセキュリティ分野の高収入ポジションにつながる可能性があります。

 

有効な問題最新版を試そうNSE7_LED-7.0テスト解釈NSE7_LED-7.0有効な試験ガイド:https://jp.fast2test.com/NSE7_LED-7.0-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어