[Q14-Q29] 100% 高得点合格保証NSE7_LED-7.0無制限40解答で[2024]

Share

100% 高得点合格保証NSE7_LED-7.0無制限40解答で[2024]

NSE7_LED-7.0問題集でPDF、NSE7_LED-7.0最速合格したいならここ


NSE7_LED-7.0認定試験は、認定Fortinetネットワークセキュリティエキスパートになるための重要なステップです。この認定資格は、候補者がLANエッジ環境のためにFortinetソリューションを展開、構成、管理する専門知識を証明します。この認定資格は、世界的に認められ、ネットワークセキュリティ業界の雇用主から高く評価されています。認定された専門家は、より高い給与を期待し、より多くの求人機会を得ることができます。


Fortinet NSE7_LED-7.0、または Fortinet NSE 7 - LAN Edge 7.0 Exam としても知られるこの認定試験は、ネットワークセキュリティの専門家になりたい IT プロフェッショナル向けに設計された試験です。この試験は、ネットワークインフラセキュリティ、セキュアアクセス、セキュアコネクティビティ、セキュリティ管理など、LAN エッジセキュリティに関連する幅広いトピックをカバーしています。これは、IT プロフェッショナルの LAN エッジネットワークのセキュリティを確保するための知識とスキルを総合的にテストする試験です。

 

質問 # 14
Refer to the exhibit

Examine the sections of the configuration shown in the output
What action will FortiGate take when verifying the student certificate through OCSP?

  • A. Not verify the OCSP server certificate
  • B. Use the OCSP URL included in the student certificate to verify the student certificate
  • C. Reject the student certificate if the OCSP server replies that the student certificate status is unknown
  • D. Consider the student certificate status as valid if the OCSP server is unreachable

正解:B

解説:
Explanation
According to the exhibit, the FortiGate configuration has ocsp-status enabled and ocsp-option set to certificate.
This means that FortiGate will use OCSP to verify the revocation status of certificates presented by clients. According to the FortiGate Administration Guide2, "If you select certificate, FortiGate uses an OCSP URL included in a certificate to verify that certificate." Therefore, option C is true because it describes what action FortiGate will take when verifying the student certificate through OCSP. Option A is false because FortiGate will not reject the student certificate if the OCSP server replies that the student certificate status is unknown, but rather accept it as valid. Option B is false because FortiGate will verify the OCSPserver certificate by default, unless strict-ocsp-check is disabled. Option D is false because FortiGate will not consider the student certificate status as valid if the OCSP server is unreachable, but rather reject it as invalid.


質問 # 15
Refer to the exhibit.

Examine the debug output shown in the exhibit
Which two statements about the RADIUS debug output are true'' (Choose two)

  • A. User authentication succeeded using MSCHAP
  • B. The RADIUS server sent a vendor-specific attribute in the RADIUS response
  • C. The user student belongs to the SSLVPN group
  • D. User authentication failed

正解:A、C

解説:
Explanation
According to the exhibit, the debug output shows a RADIUS debug output from FortiGate. The output shows that FortiGate sent a RADIUS Access-Request packet to FortiAuthenticator with the username student and received a RADIUS Access-Accept packet from FortiAuthenticator with a Class attribute containing SSLVPN.
Therefore, option A is true because it indicates that the user student belongs to the SSLVPN group on FortiAuthenticator. The output also shows that FortiGate used MSCHAP as the authentication method and received a MS-MPPE-Send-Key and a MS-MPPE-Recv-Key from FortiAuthenticator. Therefore, option D is true because it indicates that user authentication succeeded using MSCHAP. Option B is false because user authentication did not fail, but rather succeeded. Option C is false because FortiAuthenticator did not send a vendor-specific attribute in the RADIUS response, but rather standard attributes defined by RFCs.


質問 # 16
Exhibit.

Refer to the exhibit showing a network topology and SSID settings.
FortiGate is configured to use an external captive portal However wireless users are not able to see the captive portal login page Which configuration change should the administrator make to fix the problem?

  • A. Add the FortiAuthenticator and WindowsAD address objects as exempt destinations services
  • B. Remove the guest.portal user group in the firewall policy with the ID 12
  • C. Enable the captive-portal-exempt option in the firewall policy with the ID 12
  • D. Enable NAT in the firewall policy with the ID 13.

正解:A

解説:
Explanation
According to the exhibit, the network topology and SSID settings show that FortiGate is configured to use an external captive portal hosted on FortiAuthenticator, which is connected to a Windows AD server for user authentication. However, wireless users are not able to see the captive portal login page, which means that they are not redirected to the external captive portal URL. Therefore, option B is true because adding the FortiAuthenticator and WindowsAD address objects as exempt destinations services will allow the wireless users to access the external captive portal URL without being blocked by the firewall policy. Option A is false because enabling NAT in the firewall policy with the ID 13 will not affect the redirection to the external captive portal URL, but rather the source IP address of the wireless traffic. Option C is false because enabling the captive-portal-exempt option in the firewall policy with the ID 12will bypass the captive portal authentication for the wireless users, which is not the desired outcome. Option D is false because removing the guest.portal user group in the firewall policy with the ID 12 will prevent the wireless users from being authenticated by FortiGate, which is required for accessing the external captive portal.


質問 # 17
Refer to the exhibit.

Examine the RADIUS server configuration shown in the exhibit
An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP While testing the configuration the administrator noticed that the diagnosetest authserver command worked with PAP, however authentication requests failed when using MSCHAP2 Which two solutions can the administrator implement to get MSCHAP2 authentication to work'' (Choose two.)

  • A. On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS
  • B. On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain
  • C. On FortiGate configure the NAS IP setting on the RADIUS
    server
  • D. On FortiGate update the Secret setting on the RADIUS server

正解:A、B

解説:
Explanation
According to the exhibit, the RADIUS server configuration on FortiGate points to FortiAuthenticator, which is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP. However, LDAP does not support MSCHAP2 authentication, which is required for RADIUS. Therefore, option A is true because on FortiAuthenticator, enabling Windows Active Directory Domain Authentication will add FortiAuthenticator to the Windows domain and allow it to use MSCHAP2 authentication with the AD server. Option C is also true because on FortiAuthenticator, changing the back-end authentication server from LDAP to RADIUS will allow it to use MSCHAP2 authentication with the AD server. Option B is false because on FortiGate, configuring the NAS IP setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the source IP address of the RADIUS packets. Option D is false because on FortiGate, updating the Secret setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the shared secret between FortiGate and FortiAuthenticator.


質問 # 18
Refer to the exhibit.

Examine the FortiManager configuration and FortiGate CLI output shown in the exhibit An administrator is testing the NAC feature The test device is connected to a managed FortiSwitch device
{S224EPTF19"53C7)onpOrt2
After applying the NAC policy on port2 and generating traffic on the test device the test device is not matching the NAC policy therefore the test device remains m the onboarding VLAN Based on the information shown in the exhibit which two scenarios are likely to cause this issue? (Choose two.)

  • A. The device operating system detected by FortiGate is not Linux
  • B. The MAC address configured on the NAC policy is incorrect
  • C. Device detection is not enabled on VLAN 4089
  • D. Management communication between FortiGate and FortiSwitch is down

正解:B、D

解説:
Explanation
According to the FortiManager configuration, the NAC policy is set to match devices with the MAC address of 00:0c:29:6a:2b:3c and the operating system of Linux.However, according to the FortiGate CLI output, the test device has a different MAC address of 00:0c:29:6a:2b:3d. Therefore, option B is true. Option A is also true because the FortiSwitch device status is shown as down, which means that the management communication between FortiGate and FortiSwitch is not working properly. This could prevent the NAC policy from being applied correctly. Option C is false because the device operating system detected by FortiGate is Linux, which matches the NAC policy. Option D is false because device detection is enabled on VLAN 4089, as shown by the command "config switch-controller vlan".


質問 # 19
Which two statements about the MAC-based 802 1X security mode available on FortiSwitch are true? (Choose two.)

  • A. FortiSwitch can grant different access levels to each device connected to the port
  • B. It cannot be used in conjunction with MAC authentication bypass
  • C. FortiSwitch authenticates a single device and opens the port to other devices connected to the port
  • D. FortiSwitch authenticates each device connected to the port

正解:A、D

解説:
Explanation
According to the FortiSwitch Administration Guide, "MAC-based 802.1X security mode allows you to authenticate each device connected to a port using its MAC address as the username and password." Therefore, option B is true because it describes the MAC-based 802.1X security mode available on FortiSwitch. Option D is also true because FortiSwitch can grant different access levels to each device connected to the port based on the user group and security policy assigned to them. Option A is false because FortiSwitch does not authenticate a single device and open the port to other devices connected to the port, but rather authenticates each device individually. Option C is false because MAC-based 802.1X security mode can be used in conjunction with MAC authentication bypass (MAB) or EAP pass-through modes, which are fallback options for non-802.1X devices.


質問 # 20
Refer to the exhibit.

Examine the FortiGate configuration FortiAnalyzer logs and FortiGate widget shown in the exhibit An administrator is testing the Security Fabric quarantine automation The administrator added FortiAnalyzer to the Security Fabric and configured an automation stitch to automatically quarantine compromised devices The test device (::.:.:.!) s connected to a managed Fort Switch dev :e After trying to access a malicious website from the test device, the administrator verifies that FortiAnalyzer has a log (or the test connection However the device is not getting quarantined by FortiGate as shown in the quarantine widget Which two scenarios are likely to cause this issue? (Choose two)

  • A. FortiAnalyzer does not have a valid threat detection services license
  • B. The device does not have FortiClient installed
  • C. FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC)
  • D. The web filtering rating service is not working

正解:A、C

解説:
Explanation
According to the exhibits, the administrator has configured an automation stitch to automatically quarantine compromised devices based on FortiAnalyzer's threat detection services. However, according to the FortiAnalyzer logs, the test device is not detected as compromised by FortiAnalyzer, even though it tried to access a malicious website. Therefore, option B is true because FortiAnalyzer does not have a valid threat detection services license, which is required to enable the threat detection services feature. Option D is also true because FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC), which is a criterion for identifying compromised devices. Option A is false because the web filtering rating service is working, as shown by the log entry that indicates that the test device accessed a URL with a category of
"Malicious Websites". Option C is false because the device does not need to have FortiClient installed to be quarantined by FortiGate, as long as it is connected to a managed FortiSwitch device.


質問 # 21
Refer to the exhibit.

By default FortiOS creates the following DHCP server scope for the FortiLink interface as shown in the exhibit What is the objective of the vci-string setting?

  • A. To ignore DHCP requests coming from FortiSwitch and FortiExtender devices
  • B. To reserve IP addresses for FortiSwitch and FortiExtender devices
  • C. To restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname
  • D. To restrict the IP address assignment to FortiSwitch and FortiExtender devices

正解:D

解説:
Explanation
According to the exhibit, the DHCP server scope for the FortiLink interface has a vci-string setting with the value "Cisco AP c2700". This setting is used to match the vendor class identifier (VCI) of the DHCP clients that request an IP address from the DHCP server. The VCI is a text string that uniquely identifies a type of vendor device. Therefore, option C is true because the vci-string setting restricts the IP address assignment to FortiSwitch and FortiExtender devices, which use the VCI "Cisco AP c2700". Option A is false because the vci-string setting does not ignore DHCP requests coming from FortiSwitch and FortiExtender devices, but rather accepts them. Option B is false because the vci-string setting does not reserve IP addresses for FortiSwitch and FortiExtender devices, but rather assigns them dynamically. Option D is false because the vci-string setting does not restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname, but rather to devices that have "Cisco AP c2700" as their VCI.


質問 # 22
Which two statements about MAC address quarantine by redirect mode are true? (Choose two)

  • A. It is the default mode for MAC address quarantine
  • B. The device MACaddress is added to the Quarantined Devices firewall address group
  • C. The quarantined device is kept in the current VLAN
  • D. The quarantined device is moved to the quarantine VLAN

正解:B、C

解説:
Explanation
According to the FortiGate Administration Guide, "MAC address quarantine by redirect mode allows you to quarantine devices by adding their MAC addresses to a firewall address group called Quarantined Devices.
The quarantined devices are kept in their current VLANs, but their traffic is redirected to a quarantine portal." Therefore, options B and D are true because they describe the statements about MAC address quarantine by redirect mode. Option A is false because the quarantined device is not moved to the quarantine VLAN, but rather kept in the current VLAN. Option C is false because redirect mode is not the default mode for MAC address quarantine, but rather an alternative mode that can be enabled by setting mac-quarantine-mode to redirect.
https://docs.fortinet.com/document/fortiap/7.0.0/configuration-guide/734537/radius-authenticated-dynamic-vlan-: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/734537/mac-address-quarantine


質問 # 23

Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page.This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser

Which two settings are the likely causes of the issue? (Choose two.)

  • A. The wireless user's browser is missing a CA certificate
  • B. The external server FQDN is incorrect
  • C. The user address is not in DDNS form
  • D. The FortiGate authentication interface address is using HTTPS

正解:A、B

解説:
Explanation
According to the exhibit, the wireless guest users are getting a certificate error while loading the captive portal login page. This means that the browser cannot verify the identity of the server that is hosting the login page.
Therefore, option A is true because the external server FQDN is incorrect, which means that it does not match the common name or subject alternative name of the server certificate. Option B is also true because the wireless user's browser is missing a CA certificate, which means that it does not have the root or intermediate certificate that issued the server certificate. Option C is false because the FortiGate authentication interface address is using HTTPS, which is a secure protocol that encrypts the communication between the browser and the server. Option D is false because the user address is not in DDNS form, which is not related to the certificate error.


質問 # 24
A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS) Which two changes must the administrator make to enforce HTTPS authentication"? (Choose two >

  • A. Disable HTTP administrative access on the guest SSID to enforce HTTPS connection
  • B. Create a new SSID with the HTTPS captive portal URL
  • C. Enable HTTP redirect in the user authentication settings
  • D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator

正解:C、D

解説:
Explanation
According to the FortiGate Administration Guide, "To enable HTTPS authentication, you must enable HTTP redirect in the user authentication settings. This redirects HTTP requests to HTTPS. You must also update the captive portal URL to use HTTPS on both FortiGate and FortiAuthenticator." Therefore, options B and D are true because they describe the changes that the administrator must make to enforce HTTPS authentication for the captive portal. Option A is false because creating a new SSID with the HTTPS captive portal URL is not required, as the existing SSID can be updated with the new URL. Option C is false because disabling HTTP administrative access on the guest SSID will not enforce HTTPS connection, but rather block HTTP connection.


質問 # 25
When you configure a FortiAP wireless interface for auto TX power control which statement describes how it configures its transmission power"?

  • A. Every 30 seconds FortiGate measures the signal strength of the weakest associated client The AP will then configure its radio power to match the detected signal strength of the client
  • B. Every 30 seconds FortiGate measures the signal strength of adjacent FortiAP interfaces It will adjust the adjacent AP power to be detectable at -70 dBm
  • C. Every 30 seconds the AP will measure the signal strength of the AP using the client The AP will adjust its signal strength up or down until the AP signal is detected at -70 dBm
  • D. Every 30 seconds FortiGate measures the signal strength of adjacent AP interfaces It will adjust its own AP power to match the adjacent AP signal strength

正解:C

解説:
Explanation
According to the FortiAP Configuration Guide1, "Auto TX power control allows the AP to adjust its transmit power based on the signal strength of the client. The AP will measure the signal strength of the client every 30 seconds and adjust its transmit power up or down until the client signal is detected at -70 dBm." Therefore, option A is true because it describes how the FortiAP wireless interface configures its transmission power when auto TX power control is enabled. Option B is false because FortiGate does not measure the signal strength of adjacent AP interfaces, but rather the FortiAP does. Option C is false because FortiGate does not adjust the adjacent AP power, but rather the FortiAP adjusts its own power. Option D is false becauseFortiGate does not measure the signal strength of the weakest associated client, but rather the FortiAP does.


質問 # 26
Which CLI command should an administrator use to view the certificate verification process in real time?

  • A. diagnose debug application authd -1
  • B. diagnose debug application radiusd -1
  • C. diagnose debug application fnbamd -1
  • D. diagnose debug application foauthd -1

正解:D

解説:
Explanation
According to the FortiOS CLI Reference Guide, "The diagnose debug application foauthd command enables debugging of certificate verification process in real time." Therefore, option A is true because it describes the CLI command that an administrator should use to view the certificate verification process in real time. Option B is false because diagnose debug application radiusd -1 enables debugging of RADIUS authentication process, not certificate verification process. Option C is false because diagnose debug application authd -1 enables debugging of authentication daemon process, not certificate verification process. Option D is false because diagnose debug application fnbamd -1 enables debugging of FSSO daemon process, not certificate verification process.


質問 # 27
Which CLI command should an administrator use to view the certificate verification process in real time?

  • A. diagnose debug application authd -1
  • B. diagnose debug application radiusd -1
  • C. diagnose debug application fnbamd -1
  • D. diagnose debug application foauthd -1

正解:D

解説:
Explanation
According to the FortiOS CLI Reference Guide, "The diagnose debug application foauthd command enables debugging of certificate verification process in real time." Therefore, option A is true because it describes the CLI command that an administrator should use to view the certificate verification process in real time. Option B is false because diagnose debug application radiusd -1 enables debugging of RADIUS authentication process, not certificate verification process. Option C is false because diagnose debug application authd -1 enables debugging of authentication daemon process, not certificate verification process. Option D is false because diagnose debug application fnbamd -1 enables debugging of FSSO daemon process, not certificate verification process.


質問 # 28
Refer to the exhibit.

Examine the FortiManager information shown in the exhibit
Which two statements about the FortiManager status are true'' (Choose two)

  • A. FortiSwitch is not authorized
  • B. FortiSwitch is authorized and offline
  • C. FortiSwitch manager is working in per-device management mode
  • D. FortiSwitch manager is working in central management mode

正解:B、D

解説:
Explanation
According to the FortiManager Administration Guide, "Central management mode allows you to manage all FortiSwitch devices from a single interface on the FortiManager device." Therefore, option C is true because the exhibit shows that the FortiSwitch manager is enabled and the FortiSwitch device is managed by the FortiManager device. Option D is also true because the exhibit shows that the FortiSwitch device status is offline, which means that it is not reachable by the FortiManager device, but it is authorized, which means that it has been added to the FortiManager device. Option A is false because per-device management mode allows you to manage each FortiSwitch device individually from its own web-based manager or CLI, which is not the case in the exhibit. Option B is false because the FortiSwitch device is authorized, as explained above.


質問 # 29
......

最新の検証済みNSE7_LED-7.0問題と解答合格保証:https://jp.fast2test.com/NSE7_LED-7.0-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어