Fortinet NSE6_FAC-6.4 Practice Test - Questions Answers, Page 3

You are the administrator of a global enterprise with three FortiAuthenticator devices. You would like to deploy them to provide active-passive HA at headquarters, with geographically distributed load balancing.

What would the role settings be?

A. One standalone and two load balancers
B. One standalone primary, one cluster member, and one load balancer
C. Two cluster members and one backup
D. Two cluster members and one load balancer

Suggested answer: B

Explanation:

To deploy three FortiAuthenticator devices to provide active-passive HA at headquarters, with geographically distributed load balancing, the role settings would be:

One standalone primary, which acts as the master device for HA and load balancing.

One cluster member, which acts as the backup device for HA and load balancing.

One load balancer, which acts as a remote device that forwards authentication requests to the primary or cluster member device.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/high-availability#ha-and-load-balancing

An administrator has an Active Directory (AD) server integrated with FortiAuthenticator. They want members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls.

How does the administrator accomplish this goal?

A. Configure a FortiGate filter on FortiAuthenticator.
B. Configure a domain groupings list to identify the desired AD groups.
C. Configure fine-grained controls on FortiAuthenticator to designate AD groups.
D. Configure SSO groups and assign them to FortiGate groups.

Suggested answer: D

Explanation:

To allow members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls, the administrator can configure SSO groups and assign them to FortiGate groups. SSO groups are groups of users or devices that are defined on FortiAuthenticator based on various criteria, such as user group membership, source IP address, MAC address, or device type. FortiGate groups are groups of users or devices that are defined on FortiGate based on various criteria, such as user group membership, firewall policy, or authentication method. By mapping SSO groups to FortiGate groups, the administrator can control which users or devices can access the network resources protected by FortiGate.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/single-sign-on#sso-groups

Which FSSO discovery method transparently detects logged off users without having to rely on external features such as WMI polling?

A. Windows AD polling
B. FortiClient SSO Mobility Agent
C. RADIUS Accounting
D. DC Polling

Suggested answer: B

Explanation:

FortiClient SSO Mobility Agent is an FSSO discovery method that transparently detects logged off users without having to rely on external features such as WMI polling. It is a software agent that runs on Windows devices and communicates with FortiAuthenticator to provide FSSO information. The agent can detect user logon and logoff events without using WMI polling, which can reduce network traffic and improve performance.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/single-sign-on#forticlient-sso-mobility-agent

When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?

A. UUID and time
B. Time and seed
C. Time and mobile location
D. Time and FortiAuthenticator serial number

Suggested answer: B

Explanation:

TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/two-factor-authentication#totp

Which of the following is an OATH-based standard to generate event-based, one-time password tokens?

A. HOTP
B. SOTP
C. TOTP
D. OLTP

Suggested answer: A

Explanation:

HOTP stands for HMAC-based One-time Password, which is an OATH-based standard to generate event-based OTP tokens. HOTP uses HMAC (Hash-based Message Authentication Code), a keyed hash construction, to generate OTPs based on two pieces of information: a secret key and a counter. The counter is incremented by one after each OTP generation, creating an event-based sequence of OTPs.

Reference: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortitoken.pdf

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/two-factor-authentication#hotp

When configuring syslog SSO, which three actions must you take, in addition to enabling the syslog SSO method? (Choose three.)

A. Enable syslog on the FortiAuthenticator interface.
B. Define a syslog source.
C. Select a syslog rule for message parsing.
D. Set the same password on both the FortiAuthenticator and the syslog server.
E. Set the syslog UDP port on FortiAuthenticator.

Suggested answer: B, C, E

Explanation:

To configure syslog SSO, three actions must be taken, in addition to enabling the syslog SSO method:

Define a syslog source, which is a device that sends syslog messages to FortiAuthenticator containing user logon or logoff information.

Select a syslog rule for message parsing, which is a predefined or custom rule that defines how to extract the user name, IP address, and logon or logoff action from the syslog message.

Set the syslog UDP port on FortiAuthenticator, which is the port number that FortiAuthenticator listens on for incoming syslog messages.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/single-sign-on#syslog-sso

What capability does the inbound proxy setting provide?

A. It allows FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access.
B. It allows FortiAuthenticator to act as a proxy for remote authentication servers.
C. It allows FortiAuthenticator the ability to round robin load balance remote authentication servers.
D. It allows FortiAuthenticator system access to authenticating users, based on a geo IP address designation.

Suggested answer: A

Explanation:

The inbound proxy setting provides the ability for FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access. The inbound proxy setting allows FortiAuthenticator to use the X-Forwarded-For header in the HTTP request to identify the original client IP address. This can help FortiAuthenticator apply the correct authentication policy or portal policy based on the source IP address.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/system-settings#inbound-proxy

Which two statements about the RADIUS service on FortiAuthenticator are true? (Choose two.)

A. Two-factor authentication cannot be enforced when using RADIUS authentication
B. RADIUS users can be migrated to LDAP users
C. Only local users can be authenticated through RADIUS
D. FortiAuthenticator answers only to RADIUS clients that are registered with FortiAuthenticator

Suggested answer: B, D

Explanation:

Two statements about the RADIUS service on FortiAuthenticator are true:

RADIUS users can be migrated to LDAP users using the RADIUS learning mode feature. This feature allows FortiAuthenticator to learn user credentials from an existing RADIUS server and store them locally as LDAP users for future authentication requests.

FortiAuthenticator answers only to RADIUS clients that are registered with FortiAuthenticator. A RADIUS client is a device that sends RADIUS authentication or accounting requests to FortiAuthenticator. A RADIUS client must be added and configured on FortiAuthenticator before it can communicate with it.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/radius-service

Which two statements about the self-service portal are true? (Choose two)

A. Self-registration information can be sent to the user through email or SMS
B. Realms can be used to configure which self-registered users or groups can authenticate on the network
C. Administrator approval is required for all self-registration
D. Authenticating users must specify domain name along with username

Suggested answer: A, B

Explanation:

Two statements about the self-service portal are true:

Self-registration information can be sent to the user through email or SMS using the notification templates feature. This feature allows administrators to customize the messages that are sent to users when they register or perform other actions on the self-service portal.

Realms can be used to configure which self-registered users or groups can authenticate on the network using the realm-based authentication feature. This feature allows administrators to apply different authentication policies and settings to different groups of users based on their realm membership.

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/user-management#self-registration

https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/user-management#realms

A digital certificate, also known as an X.509 certificate, contains which two pieces of information? (Choose two.)

A. Issuer
B. Shared secret
C. Public key
D. Private key

Suggested answer: A, C

Explanation:

A digital certificate, also known as an X.509 certificate, contains two pieces of information:

Issuer, which is the identity of the certificate authority (CA) that issued the certificate

Public key, which is the public part of the asymmetric key pair that is associated with the certificate subject

Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management#certificate-components

Total 47 questions