Fortinet NSE6_FAC-6.4 Exam Questions Instant Access

Question 1

Which EAP method is known as the outer authentication method?

APEAP

BEAP-GTC

CEAP-TLS

DMSCHAPV2

Answer : A

PEAP is known as the outer authentication method because it establishes a secure tunnel between the client and the server using TLS. The inner authentication method, such as EAP-GTC, EAP-TLS, or MSCHAPV2, is then used to authenticate the client within the tunnel.

Question 2

Which two SAML roles can Fortiauthenticator be configured as? (Choose two)

AIdendity provider

BPrincipal

CAssertion server

DService provider

Answer : A, D

FortiAuthenticator can be configured as a SAML identity provider (IdP) or a SAML service provider (SP). As an IdP, FortiAuthenticator authenticates users and issues SAML assertions to SPs. As an SP, FortiAuthenticator receives SAML assertions from IdPs and grants access to users based on the attributes in the assertions. Principal and assertion server are not valid SAML roles. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372407/saml

Question 3

Which two statements about the self-service portal are true? (Choose two)

ASelf-registration information can be sent to the user through email or SMS

BRealms can be used to configure which seld-registered users or groups can authenticate on the network

CAdministrator approval is required for all self-registration

DAuthenticating users must specify domain name along with username

Answer : A, B

Two statements about the self-service portal are true:

Self-registration information can be sent to the user through email or SMS using the notification templates feature. This feature allows administrators to customize the messages that are sent to users when they register or perform other actions on the self-service portal.

Realms can be used to configure which self-registered users or groups can authenticate on the network using the realm-based authentication feature. This feature allows administrators to apply different authentication policies and settings to different groups of users based on their realm membership.

Question 4

You want to monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP.

Which two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface? (Choose two)

AEnable logging services

BSet the tresholds to trigger SNMP traps

CUpload management information base (MIB) files to SNMP server

DAssociate an ASN, 1 mapping rule to the receiving host

Answer : B, C

To monitor FortiAuthenticator system information and receive FortiAuthenticator traps through SNMP, two configurations must be performed after enabling SNMP access on the FortiAuthenticator interface:

Set the thresholds to trigger SNMP traps for various system events, such as CPU usage, disk usage, memory usage, or temperature.

Upload management information base (MIB) files to SNMP server to enable the server to interpret the SNMP traps sent by FortiAuthenticator.

Question 5

You have implemented two-factor authentication to enhance security to sensitive enterprise systems.

How could you bypass the need for two-factor authentication for users accessing form specific secured networks?

ACreate an admin realm in the authentication policy

BSpecify the appropriate RADIUS clients in the authentication policy

CEnable Adaptive Authentication in the portal policy

DEnable the Resolve user geolocation from their IP address option in the authentication policy.

Answer : C

Adaptive Authentication is a feature that allows administrators to bypass the need for two-factor authentication for users accessing from specific secured networks. Adaptive Authentication uses geolocation information from IP addresses to determine whether a user is accessing from a trusted network or not. If the user is accessing from a trusted network, FortiAuthenticator can skip the second factor of authentication and grant access based on the first factor only.

Question 6

Which behaviors exist for certificate revocation lists (CRLs) on FortiAuthenticator? (Choose two)

ACRLs contain the serial number of the certificate that has been revoked

BRevoked certificates are automaticlly placed on the CRL

CCRLs can be exported only through the SCEP server

DAll local CAs share the same CRLs

Answer : A, B

CRLs are lists of certificates that have been revoked by the issuing CA and should not be trusted by any entity. CRLs contain the serial number of the certificate that has been revoked, the date and time of revocation, and the reason for revocation. Revoked certificates are automatically placed on the CRL by the CA and the CRL is updated periodically. CRLs can be exported through various methods, such as HTTP, LDAP, or SCEP. Each local CA has its own CRL that is specific to its issued certificates. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management/372413/certificate-revocation-lists

Question 7

You are an administrator for a large enterprise and you want to delegate the creation and management of guest users to a group of sponsors.

How would you associate the guest accounts with individual sponsors?

AAs an administrator, you can assign guest groups to individual sponsors.

BGuest accounts are associated with the sponsor that creates the guest account.

CYou can automatically add guest accounts to groups associated with specific sponsors.

DSelect the sponsor on the guest portal, during registration.

Answer : B

Guest accounts are associated with the sponsor that creates the guest account.A sponsor is a user who has permission to create and manage guest accounts on behalf of other users3.A sponsor can create guest accounts using the sponsor portal or the REST API3.The sponsor's username is recorded as a field in the guest account's profile3.

Fortinet NSE 6 - FortiAuthenticator 6.4 NSE6_FAC-6.4 Exam Questions