[2024年11月30日] 最新更新されたのはNSE7_LED-7.0試験問題2024年更新
無料更新されたFortinet NSE7_LED-7.0テストエンジン問題には38問題と解答
フォーティネットNSE7_LED-7.0認定試験は、VPN、SSL、IPSec、およびマルウェア保護などの高度なセキュリティ技術を含む幅広いトピックをカバーしています。この試験は、支店や小規模事業所など、さまざまなLANエッジ環境でフォーティネットフォーティゲートソリューションを展開および管理する能力を調査します。
Fortinet NSE7_LED -7.0(Fortinet NSE 7 -LAN Edge 7.0)認定試験は、FortinetのLAN Edgeソリューションの実装と管理に必要なスキルと知識を検証するために設計された包括的な認定プログラムです。この試験は、Fortinet製品に基づいたLAN Edgeソリューションの設計、実装、および管理を担当するネットワークの専門家を対象としています。この認定は、Fortigate、Fortiswitch、およびFortiapデバイスの展開と管理に関する候補者の専門知識を示して、安全で信頼できるLANエッジ接続を提供します。
質問 # 12
An administrator is testing the connectivity for a new VLAN The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate Quarantine is disabled on FortiGate While testing the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices The administrator also noticed that inter-VLAN communication works However intra-VLAN communication does not work Which scenario is likely to cause this issue?
- A. The FortiSwitch MAC address table is missing entries
- B. The FortiGate ARP table is missing entries
- C. Access VLAN is enabled on the VLAN
- D. The native VLAN configured on the ports is incorrect
正解:A
解説:
Explanation
According to the scenario, the devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate, which means that the devices are not blocked by any security policy. The devices can ping FortiGate and FortiGate can ping the devices, which means that the IP connectivity is working. Inter-VLAN communication works, which means that the routing between VLANs is working. However, intra-VLAN communication does not work, which means that the switching within the VLAN is not working. Therefore, option C is true because the FortiSwitch MAC address table is missing entries, which means that the FortiSwitch does not know how to forward frames to the destination MAC addresses within the VLAN. Option A is false because access VLAN is enabled on the VLAN, which means that the VLAN ID is added to the frames on ingress and removed on egress. This does not affect intra-VLAN communication. Option B is false because the native VLAN configured on the ports is incorrect, which means that the frames on the native VLAN are not tagged with a VLAN ID. This does not affect intra-VLAN communication. Option D is false because the FortiGate ARP table is missing entries, which means that FortiGate does not know how to map IP addresses to MAC addresses. This does not affect intra-VLAN communication.
質問 # 13
Refer to the exhibit. Examine the LDAP server configuration shown in the exhibit. Note that the Username setting has been expanded to display its full content.
On the Windows AD server 10.0.1.10, the administrator used dsquery, which returned the following output:
>dsquery user -samid student
"CN=student,CN=Users,DC=trainingAD,DC=training,DC=lab"
According to the output, which FortiGate LDAP setting is configured incorrectly?
- A. Bind Type
- B. Common Name Identifier
- C. Distinguished Name
- D. Username
正解:C
解説:
According to the exhibits, the LDAP server configuration on FortiGate has the Distinguished Name set to "dc=training,dc=lab". However, according to the output of the dsquery command on the Windows AD server, the Distinguished Name of the domain should be
"dc=trainingAD,dc=training,dc=lab".
質問 # 14
Which two statements about the MAC-based 802.1X security mode available on FortiSwitch are true? (Choose two.)
- A. FortiSwitch authenticates a single device and opens the port to other devices connected to the port
- B. It cannot be used in conjunction with MAC authentication bypass
- C. FortiSwitch authenticates each device connected to the port
- D. FortiSwitch can grant different access levels to each device connected to the port
正解:C、D
解説:
MAC-based 802.1X security mode allows you to authenticate each device connected to a port using its MAC address as the username and password. Therefore, Option B is true because it describes the MAC-based 802.1X security mode available on FortiSwitch. Option D is also true because FortiSwitch can grant different access levels to each device connected to the port based on the user group and security policy assigned to them.
質問 # 15
Refer to the exhibit. By default, FortiOS creates the following DHCP server scope for the FortiLink interface as shown in the exhibit.
What is the objective of the vci-string setting?
- A. To restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname
- B. To restrict the IP address assignment to FortiSwitch and FortiExtender devices
- C. To ignore DHCP requests coming from FortiSwitch and FortiExtender devices
- D. To reserve IP addresses for FortiSwitch and FortiExtender devices
正解:B
解説:
According to the exhibit, the DHCP server scope for the FortiLink interface has a vci-string setting with the value "Cisco AP c2700". This setting is used to match the vendor class identifier (VCI) of the DHCP clients that request an IP address from the DHCP server. The VCI is a text string that uniquely identifies a type of vendor device.
質問 # 16
Refer to the exhibit.
Examine the FortiGate user group configuration and the Windows AD LDAP group membership information shown in the exhibit FortiGate is configured to authenticate SSL VPN users against Windows AD using LDAP The administrator configured the SSL VPN user group for SSL VPN users However the administrator noticed that both the student and j smith users can connect to SSL VPN Which change can the administrator make on FortiGate to restrict the SSL VPN service to the student user only?
- A. In the SSL VPN user group configuration set Group Name to ::;=Domain users.CN-Users/DC=trainingAD, DC-training, DC=lab.
- B. In the SSL VPN user group configuration set Group Nam to CN-SSLVPN, CN="users, DC-trainingAD, DC-training, DC-lab
- C. In the SSL VPN user group configuration, change Name to cn=sslvpn, CN=users, DC=trainingAD, Detraining, DC-lab.
- D. In the SSL VPN user group configuration change Type to Fortinet Single Sign-On (FSSO)
正解:B
解説:
Explanation
According to the FortiGate Administration Guide, "The Group Name is the name of the LDAP group that you want to use for authentication. The name must match exactly the name of the LDAP group on the LDAP server." Therefore, option A is true because it will set the Group Name to match the LDAP group that contains only the student user. Option B is false because changing the Name will not affect the authentication process, as it is only a local identifier for the user group on FortiGate. Option C is false because setting the Group Name to Domain Users will include all users in the domain, not just the student user. Option D is false because changing the Type to FSSO will require a different configuration method and will not solve the problem.
質問 # 17
Refer to the exhibit.
Examine the IPsec VPN phase 1 configuration shown in theexhibit
An administrator wants to use certificate-based authentication for an IPsec VPN user Which three configuration changes must you make on FortiGate to perform certificate-based authentication for the IPsec VPN user? (Choose three)
- A. Create a PKI user for the IPsec VPN user, and then configure the IPsec VPN tunnel to accept the PKI user as peer certificate
- B. In the Authentication section of the IPsec VPN tunnel in the Method drop-down list select Signature and then select the certificate that FortiGate will use for IPsec VPN
- C. Import the CA that signed the user certificate
- D. Enable XAUTH on the IPsec VPN tunnel
- E. In the IKE section of the IPsec VPN tunnel in the Mode field select Main (ID protection)
正解:B、C、D
解説:
Explanation
According to the FortiGate Administration Guide, "To use certificate-based authentication, you must configure the following settings on both peers: Select Signature as the authentication method and select a certificate to use for authentication. Import the CA certificate that issued the peer's certificate. Enable XAUTH on the phase 1 configuration." Therefore, options B, D, and E are true because they describe the configuration changes that must be made on FortiGate to perform certificate-based authentication for the IPsec VPN user.
Option A is false because creating a PKI user for the IPsec VPN user is not required, as the user certificate can be verified by the CA certificate. Option C is false because changing the IKE mode to Main (ID protection) is not required, as the IKE mode can be either Main or Aggressive for certificate-based authentication.
質問 # 18
An administrator has configured an SSID in bridge mode for corporate employees. All APs are online and provisioned using default AP profiles. Employees are unable to locate the SSID to connect.
Which two configurations can the administrator verify? (Choose two.)
- A. Verify that the broadcast SSID option is enabled in the SSID configuration
- B. Verify that the SSID is manually applied on AP profiles for both 2.4 GHz and 5 GHz radios
- C. Verify that the SSID to an AP group that should be broadcasting the SSID is applied
- D. Verify that the Block Intra-SSID Traffic (intra-vap-privacy) option in the SSID configuration is disabled
正解:A、B
解説:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-and-disable-broadcast- of-SSID/ta-p/191840
質問 # 19
Which EAP method requires the use of a digital certificate on both the server end and the client end?
- A. EAP-GTC
- B. EAP-TLS
- C. EAP-TTLS
- D. PEAP
正解:B
解説:
EAP-TLS is the most secure EAP method. It requires a digital certificate on both the server end and the client end. The server and client authenticate each other using their certificates.
質問 # 20
An administrator is testing the connectivity for a new VLAN. The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate.
While testing, the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices. The administrator also noticed that inter-VLAN communication works. However, intra-VLAN communication does not work.
Which scenario is likely to cause this issue?
- A. The FortiGate ARP table is missing entries
- B. The native VLAN configured on the ports is incorrect
- C. Access VLAN is enabled on the VLAN
- D. The FortiSwitch MAC address table is missing entries
正解:C
質問 # 21
Where can FortiGate learn the FortiManager IP address or FQDN for zero-touch provisioning'?
- A. From a DHCP server using options 240 and 241
- B. From an LDAP server using a simple bind operation
- C. From a TFTP server
- D. From a DNS server using A or AAAA records
正解:D
解説:
Explanation
According to the FortiGate Administration Guide, "FortiGate can learn the FortiManager IP address or FQDN for zero-touch provisioning from a DNS server using A or AAAA records. The DNS server must be configured to resolve the hostname fortimanager.fortinet.com to the IP address or FQDN of the FortiManager device." Therefore, option D is true because it describes the method for FortiGate to learn the FortiManager IP address or FQDN for zero-touch provisioning. Option A is false because LDAP is not used for zero-touch provisioning. Option B is false because TFTP is not used for zero-touch provisioning. Option C is false because DHCP options 240 and 241 are not used for zero-touch provisioning.
質問 # 22
Where can FortiGate learn the FortiManager IP address or FQDN for zero-touch provisioning'?
- A. From an LDAP server using a simple bind operation
- B. From a DNS server using A or AAAA records
- C. From a DHCP server using options 240 and 241
- D. From a TFTP server
正解:C
解説:
FG retrieves the FortiManager IP address or FQDN through DHCP options 240 or 241 respectively.
質問 # 23
Which two statements about MAC address quarantine by redirect mode are true? (Choose two)
- A. The device MAC address is added to the Quarantined Devices firewall address group
- B. The quarantined device is kept in the current VLAN
- C. It is the default mode for MAC address quarantine
- D. The quarantined device is moved to the quarantine VLAN
正解:A、B
解説:
MAC address quarantine by redirect mode allows you to quarantine devices by adding their MAC addresses to a firewall address group called Quarantined Devices. The quarantined devices are kept in their current VLANs, but their traffic is redirected to a quarantine portal.
質問 # 24
Which two statements about MAC address quarantine by redirect mode are true? (Choose two)
- A. The quarantined device is kept in the current VLAN
- B. The device MACaddress is added to the Quarantined Devices firewall address group
- C. It is the default mode for MAC address quarantine
- D. The quarantined device is moved to the quarantine VLAN
正解:A、B
解説:
Explanation
According to the FortiGate Administration Guide, "MAC address quarantine by redirect mode allows you to quarantine devices by adding their MAC addresses to a firewall address group called Quarantined Devices.
The quarantined devices are kept in their current VLANs, but their traffic is redirected to a quarantine portal." Therefore, options B and D are true because they describe the statements about MAC address quarantine by redirect mode. Option A is false because the quarantined device is not moved to the quarantine VLAN, but rather kept in the current VLAN. Option C is false because redirect mode is not the default mode for MAC address quarantine, but rather an alternative mode that can be enabled by setting mac-quarantine-mode to redirect.
https://docs.fortinet.com/document/fortiap/7.0.0/configuration-guide/734537/radius-authenticated-dynamic-vlan-: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/734537/mac-address-quarantine
質問 # 25
Which CLI command should an administrator use to view the certificate verification process in real time?
- A. diagnose debug application foauthd -1
- B. diagnose debug application authd -1
- C. diagnose debug application radiusd -1
- D. diagnose debug application fnbamd -1
正解:D
解説:
質問 # 26
Which two statements about the MAC-based 802 1X security mode available on FortiSwitch are true? (Choose two.)
- A. FortiSwitch authenticates a single device and opens the port to other devices connected to the port
- B. It cannot be used in conjunction with MAC authentication bypass
- C. FortiSwitch authenticates each device connected to the port
- D. FortiSwitch can grant different access levels to each device connected to the port
正解:C、D
解説:
Explanation
According to the FortiSwitch Administration Guide, "MAC-based 802.1X security mode allows you to authenticate each device connected to a port using its MAC address as the username and password." Therefore, option B is true because it describes the MAC-based 802.1X security mode available on FortiSwitch. Option D is also true because FortiSwitch can grant different access levels to each device connected to the port based on the user group and security policy assigned to them. Option A is false because FortiSwitch does not authenticate a single device and open the port to other devices connected to the port, but rather authenticates each device individually. Option C is false because MAC-based 802.1X security mode can be used in conjunction with MAC authentication bypass (MAB) or EAP pass-through modes, which are fallback options for non-802.1X devices.
質問 # 27
Refer to the exhibit showing certificate values.
Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page. This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser:
https://fac.trainingad.training.com/guests/login/?
login&post=https://auth.trainingad.training.lab:1003/fgtauth&magic=000a038293d1f411&usermac
=b8:27:eb:d8:50:02&apmac=70:4c:a5:9d:0d:28&apip=10.10.100.2&userip=10.0.3.1&ssid=Guest0
3&apname=PS221ETF18000148&bssid=70:4c:a5:9d:0d:30
Which two settings are the likely causes of the issue? (Choose two.)
- A. The user address is not in DDNS form
- B. The wireless user's browser is missing a CA certificate
- C. The FortiGate authentication interface address is using HTTPS
- D. The external server FQDN is incorrect
正解:B、D
解説:
According to the exhibit, the wireless guest users are getting a certificate error while loading the captive portal login page. This means that the browser cannot verify the identity of the server that is hosting the login page. Therefore, option A is true because the external server FQDN is incorrect, which means that it does not match the common name or subject alternative name of the server certificate. Option B is also true because the wireless user's browser is missing a CA certificate, which means that it does not have the root or intermediate certificate that issued the server certificate.
質問 # 28
Refer to the exhibit. Examine the FortiSwitch security policy shown in the exhibit. If the security profile shown in the exhibit is assigned to all ports on a FortiSwitch device for 802.1X authentication, which statement about the switch is correct?
- A. FortiSwitch will assign non-802.1X devices to the onboarding VLAN
- B. FortiSwitch cannot authenticate multiple devices connected to the same port
- C. All EAP messages will be terminated on FortiSwitch
- D. FortiSwitch will try to authenticate non-802.1X devices using the device MAC address as the username and password
正解:A
解説:
In cases where y device does not support 802.1x you can configure the security profile to place that device in the VLAN selected as GuestVLAN.
質問 # 29
......
NSE7_LED-7.0試験は、FortinetのLAN Edgeセキュリティソリューションを深く理解する必要がある包括的で挑戦的な認証試験です。これは、複数の選択の質問と、候補者がFortinet製品とソリューションを構成、トラブルシューティング、および最適化する必要がある実践的なラボエクササイズで構成されています。試験に合格した候補者は、Fortinet製品とソリューションを使用して複雑なLANエッジセキュリティ環境を設計、実装、および管理する能力を実証しました。
100%の合格率を試そう!更新されたのはNSE7_LED-7.0試験問題 [2024年更新]:https://jp.fast2test.com/NSE7_LED-7.0-premium-file.html