Fortinet NSE6_FAC-6.4 Exam Practice Test Instant Access

Question 1

You are the administrator of a global enterprise with three FortiAuthenticator devices. You would like to deploy them to provide active-passive HA at headquarters, with geographically distributed load balancing.

What would the role settings be?

AOne standalone and two load balancers

BOne standalone primary, one cluster member, and one load balancer

CTwo cluster members and one backup

DTwo cluster members and one load balancer

Answer : B

To deploy three FortiAuthenticator devices to provide active-passive HA at headquarters, with geographically distributed load balancing, the role settings would be:

One standalone primary, which acts as the master device for HA and load balancing

One cluster member, which acts as the backup device for HA and load balancing

One load balancer, which acts as a remote device that forwards authentication requests to the primary or cluster member device

Question 2

Which EAP method is known as the outer authentication method?

APEAP

BEAP-GTC

CEAP-TLS

DMSCHAPV2

Answer : A

PEAP is known as the outer authentication method because it establishes a secure tunnel between the client and the server using TLS. The inner authentication method, such as EAP-GTC, EAP-TLS, or MSCHAPV2, is then used to authenticate the client within the tunnel.

Question 3

Which two types of digital certificates can you create in Fortiauthenticator? (Choose two)

AUser certificate

BOrganization validation certificate

CThird-party root certificate

DLocal service certificate

Answer : A, D

FortiAuthenticator can create two types of digital certificates: user certificates and local service certificates. User certificates are issued to users or devices for authentication purposes, such as VPN, wireless, or web access. Local service certificates are issued to FortiAuthenticator itself for securing its own services, such as HTTPS, RADIUS, or LDAP.

Question 4

Which option correctly describes an SP-initiated SSO SAML packet flow for a host without a SAML assertion?

AService provider contacts idendity provider, idendity provider validates principal for service provider, service provider establishes communication with principal

BPrincipal contacts idendity provider and is redirected to service provider, principal establishes connection with service provider, service provider validates authentication with identify provider

CPrincipal contacts service provider, service provider redirects principal to idendity provider, after succesfull authentication identify provider redirects principal to service provider

DPrincipal contacts idendity provider and authenticates, identity provider relays principal to service provider after valid authentication

Answer : C

SP-initiated SSO SAML packet flow for a host without a SAML assertion is as follows:

Principal contacts service provider, requesting access to a protected resource.

Service provider redirects principal to identity provider, sending a SAML authentication request.

Principal authenticates with identity provider using their credentials.

After successful authentication, identity provider redirects principal back to service provider, sending a SAML response with a SAML assertion containing the principal's attributes.

Service provider validates the SAML response and assertion, and grants access to the principal.

Question 5

An administrator wants to keep local CA cryptographic keys stored in a central location.

Which FortiAuthenticator feature would provide this functionality?

ASCEP support

BREST API

CNetwork HSM

DSFTP server

Answer : C

Network HSM is a feature that allows FortiAuthenticator to keep local CA cryptographic keys stored in a central location. HSM stands for Hardware Security Module, which is a physical device that provides secure storage and generation of cryptographic keys. Network HSM allows FortiAuthenticator to use an external HSM device to store and manage the private keys of its local CAs, instead of storing them locally on the FortiAuthenticator device.

Question 6

Why would you configure an OCSP responder URL in an end-entity certificate?

ATo designate the SCEP server to use for CRL updates for that certificate

BTo identify the end point that a certificate has been assigned to

CTo designate a server for certificate status checking

DTo provide the CRL location for the certificate

Answer : C

An OCSP responder URL in an end-entity certificate is used to designate a server for certificate status checking. OCSP stands for Online Certificate Status Protocol, which is a method of verifying whether a certificate is valid or revoked in real time. An OCSP responder is a server that responds to OCSP requests from clients with the status of the certificate in question. The OCSP responder URL in an end-entity certificate points to the location of the OCSP responder that can provide the status of that certificate.

Question 7

You are a FortiAuthenticator administrator for a large organization. Users who are configured to use FortiToken 200 for two-factor authentication can no longer authenticate. You have verified that only the users with two-factor authentication are experiencing the issue.

What can cause this issue?

AFortiToken 200 license has expired

BOne of the FortiAuthenticator devices in the active-active cluster has failed

CTime drift between FortiAuthenticator and hardware tokens

DFortiAuthenticator has lost contact with the FortiToken Cloud servers

Answer : C

One possible cause of the issue is time drift between FortiAuthenticator and hardware tokens. Time drift occurs when the internal clocks of FortiAuthenticator and hardware tokens are not synchronized. This can result in mismatched one-time passwords (OTPs) generated by the hardware tokens and expected by FortiAuthenticator. To prevent this issue, FortiAuthenticator provides a time drift tolerance option that allows a certain number of seconds of difference between the clocks.

Fortinet NSE6_FAC-6.4 Fortinet NSE 6 - FortiAuthenticator 6.4 Exam Practice Test