[2024年12月12日]NSE7_LED-7.0試験問題集でFortinet練習テスト問題 [Q10-Q35]

Share

[2024年12月12日]NSE7_LED-7.0試験問題集でFortinet練習テスト問題

最新でリアルなNSE7_LED-7.0試験問題集解答

質問 # 10
What is the purpose of enabling Windows Active Directory Domain Authentication on FortiAuthenticator?

  • A. It enables FortiAuthenticator to register itself as a Windows trusted device to proxy authentication using Kerberos
  • B. It enables FortiAuthenticator to import users from Windows AD
  • C. It enables FortiAuthenticator to use a Windows CA certificate when authenticating RADIUS users
  • D. It enables FortiAuthenticator to use Windows administrator credentials to perform an LDAP lookup for a user search

正解:A

解説:
Explanation
According to the FortiAuthenticator Administration Guide2, "Windows Active Directory domain authentication enables FortiAuthenticator to join a Windows Active Directory domain as a machine entity and proxy authentication requests using Kerberos." Therefore, option D is true because it describes the purpose of enabling Windows Active Directory domain authentication on FortiAuthenticator. Option A is false because FortiAuthenticator does not need Windows administrator credentials to perform an LDAP lookup for a user search. Option B is false because FortiAuthenticator does not use a Windows CA certificate when authenticating RADIUS users, but rather its own CA certificate. Option C is false because FortiAuthenticator does not import users from Windows AD, but rather synchronizes them using LDAP or FSSO.


質問 # 11
A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS) Which two changes must the administrator make to enforce HTTPS authentication"? (Choose two >

  • A. Disable HTTP administrative access on the guest SSID to enforce HTTPS connection
  • B. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator
  • C. Enable HTTP redirect in the user authentication settings
  • D. Create a new SSID with the HTTPS captive portal URL

正解:B、C

解説:
Explanation
According to the FortiGate Administration Guide, "To enable HTTPS authentication, you must enable HTTP redirect in the user authentication settings. This redirects HTTP requests to HTTPS. You must also update the captive portal URL to use HTTPS on both FortiGate and FortiAuthenticator." Therefore, options B and D are true because they describe the changes that the administrator must make to enforce HTTPS authentication for the captive portal. Option A is false because creating a new SSID with the HTTPS captive portal URL is not required, as the existing SSID can be updated with the new URL. Option C is false because disabling HTTP administrative access on the guest SSID will not enforce HTTPS connection, but rather block HTTP connection.


質問 # 12
Refer to the exhibit. Examine the FortiManager information shown in the exhibit.
Which two statements about the FortiManager status are true? (Choose two)

  • A. FortiSwitch is authorized and offline
  • B. FortiSwitch is not authorized
  • C. FortiSwitch manager is working in central management mode
  • D. FortiSwitch manager is working in per-device management mode

正解:A、D

解説:


質問 # 13
Which FortiSwitch VLANs are automatically created on FortiGate when the first FortiSwitch device is discovered?

  • A. default quarantine, rspan voice video onboarding and nac_segment
  • B. access, quarantine, rspan. voice, video, and onboarding
  • C. fortilink. quarantine erspan voice video and onboarding
  • D. default quarantine rspan voice video and nac_segment

正解:A

解説:


質問 # 14
Refer to the exhibit. In the wireless configuration shown in the exhibits, an AP is deployed in a remote site and has a wireless network (VAP) called Corporate deployed to it. The network is a tunneled network however clients connecting to a wireless network require access to a local printer. Clients are trying to print to a printer on the remote site but are unable to do so.
Which configuration change is required to allow clients connected to the Corporate SSID to print locally?

  • A. Disable the Block Intra-SSID Traffic (intra-vap-privacy) setting on the SSID (VAP) profile
  • B. Configure split-tunneling in the wtp-profile configuration
  • C. Configure the printer as a wireless client on the Corporate wireless network
  • D. Configure split-tunneling in the vap configuration

正解:D

解説:
Split tunneling allows you to specify which traffic is tunneled to the FortiGate and which traffic is sent directly to the Internet. This can improve performance and reduce bandwidth usage.
Therefore, by configuring split-tunneling in the vap configuration, you can allow the clients connected to the Corporate SSID to access both the corporate network and the local printer.


質問 # 15
Refer to the exhibit.

Examine the RADIUS server configuration shown in the exhibit
An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP While testing the configuration the administrator noticed that the diagnosetest authserver command worked with PAP, however authentication requests failed when using MSCHAP2 Which two solutions can the administrator implement to get MSCHAP2 authentication to work'' (Choose two.)

  • A. On FortiGate update the Secret setting on the RADIUS server
  • B. On FortiGate configure the NAS IP setting on the RADIUS
    server
  • C. On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain
  • D. On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS

正解:C、D

解説:
Explanation
According to the exhibit, the RADIUS server configuration on FortiGate points to FortiAuthenticator, which is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP. However, LDAP does not support MSCHAP2 authentication, which is required for RADIUS. Therefore, option A is true because on FortiAuthenticator, enabling Windows Active Directory Domain Authentication will add FortiAuthenticator to the Windows domain and allow it to use MSCHAP2 authentication with the AD server. Option C is also true because on FortiAuthenticator, changing the back-end authentication server from LDAP to RADIUS will allow it to use MSCHAP2 authentication with the AD server. Option B is false because on FortiGate, configuring the NAS IP setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the source IP address of the RADIUS packets. Option D is false because on FortiGate, updating the Secret setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the shared secret between FortiGate and FortiAuthenticator.


質問 # 16
Refer to the exhibit

A device connected to port2 on FortiSwitch cannot access the network The port is assigned a security policy to enforce 802 1X authentication While troubleshooting the issue, the administrator obtains the debug output shown in the exhibit Which two scenarios are likely to cause this issue? (Choose two.)

  • A. The device has been assigned the guest VLAN
  • B. The device is not configured for 802 IX authentication.
  • C. The device has been quarantined for 3600 seconds.
  • D. The device does not support 802 1X authentication

正解:B、D

解説:
Explanation
According to the exhibit, the debug output shows that the device connected to port2 on FortiSwitch is sending an EAPOL-Start message, which is the first step of the 802.1X authentication process. However, the output also shows that the device is not sending any EAP-Response messages, which are required to complete the authentication process. Therefore, option A is true because the device is not configured for 802.1X authentication, which means that it does not have the correct credentials or settings to authenticate with the RADIUS server. Option D is also true because the device does not support 802.1X authentication, which means that it does not have the capability or software to perform 802.1X authentication. Option B is false because the device has not been quarantined for 3600 seconds, but rather has a session timeout of 3600 seconds, which is the default value for 802.1X sessions. Option C is false because the device has not been assigned the guest VLAN, but rather has been assigned the default VLAN, which is VLAN 1.


質問 # 17
Which two statements about MAC address quarantine by redirect mode are true? (Choose two)

  • A. The device MAC address is added to the Quarantined Devices firewall address group
  • B. The quarantined device is moved to the quarantine VLAN
  • C. The quarantined device is kept in the current VLAN
  • D. It is the default mode for MAC address quarantine

正解:A、C

解説:
MAC address quarantine by redirect mode allows you to quarantine devices by adding their MAC addresses to a firewall address group called Quarantined Devices. The quarantined devices are kept in their current VLANs, but their traffic is redirected to a quarantine portal.


質問 # 18
Which two pieces of information can the diagnose test authserver ldap command provide?
(Choose two.)

  • A. It displays the LDAP codes returned by the LDAP server
  • B. It displays whether the user credentials are correct
  • C. It displays whether the admin bind user credentials are correct
  • D. It displays the LDAP groups found for the user

正解:B、D

解説:


質問 # 19
Refer to the exhibit.

Examine the FortiGate user group configuration and the Windows AD LDAP group membership information shown in the exhibit FortiGate is configured to authenticate SSL VPN users against Windows AD using LDAP The administrator configured the SSL VPN user group for SSL VPN users However the administrator noticed that both the student and j smith users can connect to SSL VPN Which change can the administrator make on FortiGate to restrict the SSL VPN service to the student user only?

  • A. In the SSL VPN user group configuration set Group Nam to CN-SSLVPN, CN="users, DC-trainingAD, DC-training, DC-lab
  • B. In the SSL VPN user group configuration set Group Name to ::;=Domain users.CN-Users/DC=trainingAD, DC-training, DC=lab.
  • C. In the SSL VPN user group configuration change Type to Fortinet Single Sign-On (FSSO)
  • D. In the SSL VPN user group configuration, change Name to cn=sslvpn, CN=users, DC=trainingAD, Detraining, DC-lab.

正解:A

解説:
Explanation
According to the FortiGate Administration Guide, "The Group Name is the name of the LDAP group that you want to use for authentication. The name must match exactly the name of the LDAP group on the LDAP server." Therefore, option A is true because it will set the Group Name to match the LDAP group that contains only the student user. Option B is false because changing the Name will not affect the authentication process, as it is only a local identifier for the user group on FortiGate. Option C is false because setting the Group Name to Domain Users will include all users in the domain, not just the student user. Option D is false because changing the Type to FSSO will require a different configuration method and will not solve the problem.


質問 # 20
Which two statements about the guest portal on FortiAuthenticator are true? (Choose two.)

  • A. Administrators must approve all guest accounts before they can be used
  • B. Each remote user on FortiAuthenticator can sponsor up to 10 guest accounts
  • C. Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal
  • D. The guest portal provides pre and post-log in services

正解:C、D

解説:
The guest portal on FortiAuthenticator can offer services both before and after a guest logs in, such as displaying terms of use before login and providing access to network resources after successful authentication.
Administrators have the ability to configure mapping rules for the guest portal using various incoming parameters. This allows for flexible and dynamic handling of guest account creation and access permissions based on different criteria.


質問 # 21
Refer to the exhibit. By default, FortiOS creates the following DHCP server scope for the FortiLink interface as shown in the exhibit.
What is the objective of the vci-string setting?

  • A. To ignore DHCP requests coming from FortiSwitch and FortiExtender devices
  • B. To restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname
  • C. To restrict the IP address assignment to FortiSwitch and FortiExtender devices
  • D. To reserve IP addresses for FortiSwitch and FortiExtender devices

正解:C

解説:
According to the exhibit, the DHCP server scope for the FortiLink interface has a vci-string setting with the value "Cisco AP c2700". This setting is used to match the vendor class identifier (VCI) of the DHCP clients that request an IP address from the DHCP server. The VCI is a text string that uniquely identifies a type of vendor device.


質問 # 22
Refer to the exhibits.


Examine the firewall policy configuration and SSID settings. An administrator has configured a guest wireless network on FortiGate using the external captive portal. The administrator has verified that the external captive portal URL is correct. However wireless users are not able to see the captive portal login page. Given the configuration shown in the exhibit and the SSID settings, which configuration change should the administrator make to fix the problem?

  • A. Include the wireless client subnet range in the Exempt Source section.
  • B. Disable the user group from the SSID configuration.
  • C. Apply a guest.portal user group in the firewall policy with the ID 11.
  • D. Enable the captive-portal-exempt option in the firewall policy with the ID 11.

正解:D

解説:
If using external captive portal configure policy and exempt web traffic to external captive portal.


質問 # 23
Refer to the exhibit. Examine the FortiGate user group configuration and the Windows AD LDAP group membership information shown in the exhibit.
FortiGate is configured to authenticate SSL VPN users against Windows AD using LDAP. The administrator configured the SSL VPN user group for SSL VPN users. However the administrator noticed that both the student and j.smith users can connect to SSL VPN.
Which change can the administrator make on FortiGate to restrict the SSL VPN service to the student user only?

  • A. In the SSL VPN user group configuration, set Group Name to
    CN=SSLVPN,CN=Users,DC=trainingAD,DC=training,DC=lab.
  • B. In the SSL VPN user group configuration, set Group Name to CN=Domain Users,CN=Users,DC=trainingAD,DC=training,DC=lab.
  • C. In the SSL VPN user group configuration, change Type to Fortinet Single Sign-On (FSSO).
  • D. In the SSL VPN user group configuration, change Name to
    CN=SSLVPN,CN=Users,DC=trainingAD,DC=training,DC=lab.

正解:A

解説:
The Group Name is the name of the LDAP group that you want to use for authentication. The name must match exactly the name of the LDAP group on the LDAP server.


質問 # 24
You are investigating a report of poor wireless performance in a network that you manage. The issue is related to an AP interface in the 5 GHz range. You are monitoring the channel utilization over time.
What is the recommended maximum utilization value that an interface should not exceed?

  • A. 75%
  • B. 95%
  • C. 65%
  • D. 85%

正解:A

解説:


質問 # 25
Refer to the exhibits. The exhibits show the wireless network (VAP) SSID profiles defined on FortiManager and an AP profile assigned to a group of APs that are supported by FortiGate.
None of the APs are broadcasting the SSlDs defined by the AP profile.

Which changes do you need to make to enable the SSIDs to broadcast?

  • A. Enable one channel in the Channels section
  • B. In the SSIDs section, enable Manual and assign the networks manually
  • C. Enable multiple channels in the Channels section and enable Radio Resource Provision
  • D. In the SSIDs section enable Tunnel

正解:A

解説:
To enable the SSID, you must select at least one channel for the radio. If no channels are selected, the SSID will not be enabled. Therefore, enabling one channel in the Channels section will allow the SSIDs to broadcast.


質問 # 26

Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page.This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser

Which two settings are the likely causes of the issue? (Choose two.)

  • A. The external server FQDN is incorrect
  • B. The user address is not in DDNS form
  • C. The wireless user's browser is missing a CA certificate
  • D. The FortiGate authentication interface address is using HTTPS

正解:A、C

解説:
Explanation
According to the exhibit, the wireless guest users are getting a certificate error while loading the captive portal login page. This means that the browser cannot verify the identity of the server that is hosting the login page.
Therefore, option A is true because the external server FQDN is incorrect, which means that it does not match the common name or subject alternative name of the server certificate. Option B is also true because the wireless user's browser is missing a CA certificate, which means that it does not have the root or intermediate certificate that issued the server certificate. Option C is false because the FortiGate authentication interface address is using HTTPS, which is a secure protocol that encrypts the communication between the browser and the server. Option D is false because the user address is not in DDNS form, which is not related to the certificate error.


質問 # 27
When you configure a FortiAP wireless interface for auto TX power control which statement describes how it configures its transmission power?

  • A. Every 30 seconds FortiGate measures the signal strength of the weakest associated client The AP will then configure its radio power to match the detected signal strength of the client
  • B. Every 30 seconds FortiGate measures the signal strength of adjacent AP interfaces It will adjust its own AP power to match the adjacent AP signal strength
  • C. Every 30 seconds the AP will measure the signal strength of the AP using the client The AP will adjust its signal strength up or down until the AP signal is detected at -70 dBm
  • D. Every 30 seconds FortiGate measures the signal strength of adjacent FortiAP interfaces It will adjust the adjacent AP power to be detectable at -70 dBm

正解:D

解説:


質問 # 28
When you configure a FortiAP wireless interface for auto TX power control which statement describes how it configures its transmission power"?

  • A. Every 30 seconds FortiGate measures the signal strength of the weakest associated client The AP will then configure its radio power to match the detected signal strength of the client
  • B. Every 30 seconds FortiGate measures the signal strength of adjacent AP interfaces It will adjust its own AP power to match the adjacent AP signal strength
  • C. Every 30 seconds FortiGate measures the signal strength of adjacent FortiAP interfaces It will adjust the adjacent AP power to be detectable at -70 dBm
  • D. Every 30 seconds the AP will measure the signal strength of the AP using the client The AP will adjust its signal strength up or down until the AP signal is detected at -70 dBm

正解:D

解説:
Explanation
According to the FortiAP Configuration Guide1, "Auto TX power control allows the AP to adjust its transmit power based on the signal strength of the client. The AP will measure the signal strength of the client every 30 seconds and adjust its transmit power up or down until the client signal is detected at -70 dBm." Therefore, option A is true because it describes how the FortiAP wireless interface configures its transmission power when auto TX power control is enabled. Option B is false because FortiGate does not measure the signal strength of adjacent AP interfaces, but rather the FortiAP does. Option C is false because FortiGate does not adjust the adjacent AP power, but rather the FortiAP adjusts its own power. Option D is false becauseFortiGate does not measure the signal strength of the weakest associated client, but rather the FortiAP does.


質問 # 29
Which CLI command should an administrator use to view the certificate verification process in real time?

  • A. diagnose debug application fnbamd -1
  • B. diagnose debug application authd -1
  • C. diagnose debug application radiusd -1
  • D. diagnose debug application foauthd -1

正解:D

解説:
Explanation
According to the FortiOS CLI Reference Guide, "The diagnose debug application foauthd command enables debugging of certificate verification process in real time." Therefore, option A is true because it describes the CLI command that an administrator should use to view the certificate verification process in real time. Option B is false because diagnose debug application radiusd -1 enables debugging of RADIUS authentication process, not certificate verification process. Option C is false because diagnose debug application authd -1 enables debugging of authentication daemon process, not certificate verification process. Option D is false because diagnose debug application fnbamd -1 enables debugging of FSSO daemon process, not certificate verification process.


質問 # 30
Which two statements about the guest portal on FortiAuthenticator are true? (Choose two.)

  • A. Administrators must approve all guest accounts before they can be used
  • B. Each remote user on FortiAuthenticator can sponsor up to 10 guest accounts
  • C. Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal
  • D. The guest portal provides pre and post-log in services

正解:C、D

解説:
Explanation
According to the FortiAuthenticator Administration Guide2, "The guest portal provides pre and post-log in services for users (such as password reset and token registration abilities), and rules and replacement messages can be configured." Therefore, option C is true. The same guide also states that "Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal." Therefore, option D is true.
Option A is false because remote users can sponsor any number of guest accounts, as long as they do not exceed the maximum number of guest accounts allowed by the license. Option B is false because administrators can choose to approve or reject guest accounts, or enable auto-approval.


質問 # 31
Refer to the exhibit showing a network topology and SSID settings. FortiGate is configured to use an external captive portal. However, wireless users are not able to see the captive portal login page.
Which configuration change should the administrator make to fix the problem?

  • A. Enable the captive-portal-exempt option in the firewall policy with the ID 12.
  • B. Remove the guest.portal user group in the firewall policy with the ID 12.
  • C. Enable NAT in the firewall policy with the ID 13.
  • D. Add the FortiAuthenticator and WindowsAD address objects as exempt destinations services.

正解:D

解説:
According to the exhibit, the network topology and SSID settings show that FortiGate is configured to use an external captive portal hosted on FortiAuthenticator, which is connected to a Windows AD server for user authentication. However, wireless users are not able to see the captive portal login page, which means that they are not redirected to the external captive portal URL. Therefore, option B is true because adding the FortiAuthenticator and WindowsAD address objects as exempt destinations services will allow the wireless users to access the external captive portal URL without being blocked by the firewall policy.


質問 # 32
Refer to the exhibits.

Firewall Policy

Examine the firewall policy configuration and SSID settings
An administrator has configured a guest wireless network on FortiGate using the external captive portal The administrator has verified that the external captive portal URL is correct However wireless users are not able to see the captive portal login page Given the configuration shown in the exhibit and the SSID settings which configuration change should the administrator make to fix the problem?

  • A. Include the wireless client subnet range in the Exempt Source section
  • B. Apply a guest.portal user group in the firewall policy with the ID 11.
  • C. Disable the user group from the SSID configuration
  • D. Enable the captivs-portal-exempt option in the firewall policy with the ID 11.

正解:B

解説:
Explanation
According to the FortiGate Administration Guide, "To use an external captive portal, you must configure a user group that uses the external captive portal as the authentication method and apply it to a firewall policy." Therefore, option C is true because it will allow the wireless users to be redirected to the external captive portal URL when they try to access the Internet. Option A is false because disabling the user group from the SSID configuration will prevent the wireless users from being authenticated by the FortiGate device. Option B is false because enabling the captive-portal-exempt option in the firewall policy will bypass the captive portal authentication for the wireless users, which is not the desired outcome. Option D is false because including the wireless client subnet range in the Exempt Source section will also bypass the captive portal authentication for the wireless users, which is not the desired outcome.


質問 # 33
Refer to the exhibit.

Examine the FortiManager information shown in the exhibit
Which two statements about the FortiManager status are true'' (Choose two)

  • A. FortiSwitch is authorized and offline
  • B. FortiSwitch manager is working in central management mode
  • C. FortiSwitch is not authorized
  • D. FortiSwitch manager is working in per-device management mode

正解:A、B

解説:
Explanation
According to the FortiManager Administration Guide, "Central management mode allows you to manage all FortiSwitch devices from a single interface on the FortiManager device." Therefore, option C is true because the exhibit shows that the FortiSwitch manager is enabled and the FortiSwitch device is managed by the FortiManager device. Option D is also true because the exhibit shows that the FortiSwitch device status is offline, which means that it is not reachable by the FortiManager device, but it is authorized, which means that it has been added to the FortiManager device. Option A is false because per-device management mode allows you to manage each FortiSwitch device individually from its own web-based manager or CLI, which is not the case in the exhibit. Option B is false because the FortiSwitch device is authorized, as explained above.


質問 # 34
Refer to the exhibit.

Examine the FortiGate configuration FortiAnalyzer logs and FortiGate widget shown in the exhibit An administrator is testing the Security Fabric quarantine automation The administrator added FortiAnalyzer to the Security Fabric and configured an automation stitch to automatically quarantine compromised devices The test device (::.:.:.!) s connected to a managed Fort Switch dev :e After trying to access a malicious website from the test device, the administrator verifies that FortiAnalyzer has a log (or the test connection However the device is not getting quarantined by FortiGate as shown in the quarantine widget Which two scenarios are likely to cause this issue? (Choose two)

  • A. The web filtering rating service is not working
  • B. FortiAnalyzer does not have a valid threat detection services license
  • C. FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC)
  • D. The device does not have FortiClient installed

正解:B、C

解説:
Explanation
According to the exhibits, the administrator has configured an automation stitch to automatically quarantine compromised devices based on FortiAnalyzer's threat detection services. However, according to the FortiAnalyzer logs, the test device is not detected as compromised by FortiAnalyzer, even though it tried to access a malicious website. Therefore, option B is true because FortiAnalyzer does not have a valid threat detection services license, which is required to enable the threat detection services feature. Option D is also true because FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC), which is a criterion for identifying compromised devices. Option A is false because the web filtering rating service is working, as shown by the log entry that indicates that the test device accessed a URL with a category of
"Malicious Websites". Option C is false because the device does not need to have FortiClient installed to be quarantined by FortiGate, as long as it is connected to a managed FortiSwitch device.


質問 # 35
......

あなたを簡単に合格させるNSE7_LED-7.0試験正確なPDF問題:https://jp.fast2test.com/NSE7_LED-7.0-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어