Fortinet NSE6_FAC-6.4 Exam Questions Instant Access

Question 1

When you are setting up two FortiAuthenticator devices in active-passive HA, which HA role must you select on the master FortiAuthenticator?

AActive-passive master

BStandalone master

CCluster member

DLoad balancing master

Answer : A

When you are setting up two FortiAuthenticator devices in active-passive HA, you need to select the active-passive master role on the master FortiAuthenticator device. This role means that the device will handle all requests and synchronize data with the slave device until a failover occurs. The slave device must be configured as an active-passive slave role. The other roles are used for different HA modes, such as standalone (no HA), cluster (active-active), or load balancing (active-active with load balancing). Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372411/high-availability

Question 2

When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?

AUUID and time

BTime and seed

CTime and mobile location

DTime and FortiAuthenticator serial number

Answer : B

TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.

Question 3

Which option correctly describes an SP-initiated SSO SAML packet flow for a host without a SAML assertion?

AService provider contacts idendity provider, idendity provider validates principal for service provider, service provider establishes communication with principal

BPrincipal contacts idendity provider and is redirected to service provider, principal establishes connection with service provider, service provider validates authentication with identify provider

CPrincipal contacts service provider, service provider redirects principal to idendity provider, after succesfull authentication identify provider redirects principal to service provider

DPrincipal contacts idendity provider and authenticates, identity provider relays principal to service provider after valid authentication

Answer : C

SP-initiated SSO SAML packet flow for a host without a SAML assertion is as follows:

Principal contacts service provider, requesting access to a protected resource.

Service provider redirects principal to identity provider, sending a SAML authentication request.

Principal authenticates with identity provider using their credentials.

After successful authentication, identity provider redirects principal back to service provider, sending a SAML response with a SAML assertion containing the principal's attributes.

Service provider validates the SAML response and assertion, and grants access to the principal.

Question 4

At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)

AConfiguring a portal policy

BConfiguring at least on post-login service

CConfiguring a RADIUS client

DConfiguring an external authentication portal

Answer : A, B

enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management

Question 5

What happens when a certificate is revoked? (Choose two)

ARevoked certificates cannot be reinstated for any reason

BAll certificates signed by a revoked CA certificate are automatically revoked

CRevoked certificates are automatically added to the CRL

DExternal CAs will priodically query Fortiauthenticator and automatically download revoked certificates

Answer : B, C

When a certificate is revoked, it means that it is no longer valid and should not be trusted by any entity. Revoked certificates are automatically added to the certificate revocation list (CRL) which is published by the issuing CA and can be checked by other parties. If a CA certificate is revoked, all certificates signed by that CA are also revoked and added to the CRL. Revoked certificates can be reinstated if the reason for revocation is resolved, such as a compromised private key being recovered or a misissued certificate being corrected. External CAs do not query FortiAuthenticator for revoked certificates, but they can use protocols such as SCEP or OCSP to exchange certificate information with FortiAuthenticator. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management

Question 6

Which two statement about the RADIUS service on FortiAuthenticator are true? (Choose two)

ATwo-factor authentication cannot be enforced when using RADIUS authentication

BRADIUS users can migrated to LDAP users

COnly local users can be authenticated through RADIUS

DFortiAuthenticator answers only to RADIUS client that are registered with FortiAuthenticator

Answer : B, D

Two statements about the RADIUS service on FortiAuthenticator are true:

RADIUS users can be migrated to LDAP users using the RADIUS learning mode feature. This feature allows FortiAuthenticator to learn user credentials from an existing RADIUS server and store them locally as LDAP users for future authentication requests.

FortiAuthenticator answers only to RADIUS clients that are registered with FortiAuthenticator. A RADIUS client is a device that sends RADIUS authentication or accounting requests to FortiAuthenticator. A RADIUS client must be added and configured on FortiAuthenticator before it can communicate with it.

Question 7

Which statement about captive portal policies is true, assuming a single policy has been defined?

APortal policies apply only to authentication requests coming from unknown RADIUS clients

BAll conditions in the policy must match before a user is presented with the captive portal.

CConditions in the policy apply only to wireless users.

DPortal policies can be used only for BYODs.

Answer : B

Captive portal policies are used to define the conditions and settings for presenting a captive portal to users who need to authenticate before accessing the network. A captive portal policy consists of a set of conditions and a set of actions. The conditions can be based on various attributes, such as source IP address, MAC address, user group, device type, or RADIUS client. The actions can include redirecting the user to a specific portal, applying a specific authentication method, or assigning a specific VLAN or firewall policy. A single policy can have multiple conditions, and all conditions in the policy must match before a user is presented with the captive portal.

Fortinet NSE 6 - FortiAuthenticator 6.4 NSE6_FAC-6.4 Exam Questions