Which two statements about MAC address quarantine by redirect mode are true? (Choose two)

The device MAC address is added to the Quarantined Devices firewall address group

The quarantined device is kept in the current VLAN

The quarantined device is moved to the quarantine VLAN

The device MAC address is added to the Quarantined Devices firewall address group

It is the default mode for MAC address quarantine

The quarantined device is kept in the current VLAN

Refer to the exhibit. Refer to the exhibit showing a network topology and SSID settings.FortiGate is configured to use an external captive portal However wireless users are not able to see the captive portal login pageWhich configuration change should the administrator make to fix the problem?

Add the FortiAuthenticator and WindowsAD address objects as exempt destinations services

Enable NAT in the firewall policy with the ID 13.

Add the FortiAuthenticator and WindowsAD address objects as exempt destinations services

Enable the captive-portal-exempt option in the firewall policy with the ID 12

Remove the guest.portal user group in the firewall policy with the ID 12

Refer to the exhibit. Examine the debug output shown in the exhibitWhich two statements about the RADIUS debug output are true'' (Choose two)

The user student belongs to the SSLVPN group

User authentication succeeded using MSCHAP

The user student belongs to the SSLVPN group

The RADIUS server sent a vendor-specific attribute in the RADIUS response

User authentication succeeded using MSCHAP

An administrator is testing the connectivity for a new VLAN The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate Quarantine is disabled on FortiGateWhile testing the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices The administrator also noticed that inter-VLAN communication works However intra-VLAN communication does not workWhich scenario is likely to cause this issue?

The FortiSwitch MAC address table is missing entries

Access VLAN is enabled on the VLAN

The native VLAN configured on the ports is incorrect

The FortiSwitch MAC address table is missing entries

The FortiGate ARP table is missing entries

Refer to the exhibit A device connected to port2 on FortiSwitch cannot access the network The port is assigned a security policy to enforce 802 1X authentication While troubleshooting the issue, the administrator obtains the debug output shown in the exhibitWhich two scenarios are likely to cause this issue? (Choose two.)

The device is not configured for 802 IX authentication.

The device does not support 802 1X authentication

The device is not configured for 802 IX authentication.

The device has been quarantined for 3600 seconds.

The device has been assigned the guest VLAN

The device does not support 802 1X authentication

Which two pieces of information can the diagnose test authserver ldap command provide? (Choose two.)

It displays whether the user credentials are correct

It displays the LDAP codes returned by the LDAP server

It displays whether the admin bind user credentials are correct

It displays whether the user credentials are correct

It displays the LDAP codes returned by the LDAP server

It displays the LDAP groups found for the user

Refer to the exhibit. By default FortiOS creates the following DHCP server scope for the FortiLink interface as shown in the exhibitWhat is the objective of the vci-string setting?

To restrict the IP address assignment to FortiSwitch and FortiExtender devices

To ignore DHCP requests coming from FortiSwitch and FortiExtender devices

To reserve IP addresses for FortiSwitch and FortiExtender devices

To restrict the IP address assignment to FortiSwitch and FortiExtender devices

To restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname

Refer to the exhibit. Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page. This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser Which two settings are the likely causes of the issue? (Choose two.)

The external server FQDN is incorrect

The wireless user's browser is missing a CA certificate

The external server FQDN is incorrect

The wireless user's browser is missing a CA certificate

The FortiGate authentication interface address is using HTTPS

The user address is not in DDNS form

When you configure a FortiAP wireless interface for auto TX power control which statement describes how it configures its transmission power'?

Every 30 seconds the AP will measure the signal strength of the AP using the client The AP will adjust its signal strength up or down until the AP signal is detected at -70 dBm

Every 30 seconds FortiGate measures the signal strength of adjacent AP interfaces It will adjust its own AP power to match the adjacent AP signal strength

Every 30 seconds FortiGate measures the signal strength of adjacent FortiAP interfaces It will adjust the adjacent AP power to be detectable at -70 dBm

Every 30 seconds FortiGate measures the signal strength of the weakest associated client The AP will then configure its radio power to match the detected signal strength of the client

Refer to the exhibit Examine the sections of the configuration shown in the outputWhat action will FortiGate take when verifying the student certificate through OCSP?

Use the OCSP URL included in the student certificate to verify the student certificate

Reject the student certificate if the OCSP server replies that the student certificate status is unknown

Not verify the OCSP server certificate

Use the OCSP URL included in the student certificate to verify the student certificate

Consider the student certificate status as valid if the OCSP server is unreachable

Refer to the exhibit. Examine the IPsec VPN phase 1 configuration shown in the exhibitAn administrator wants to use certificate-based authentication for an IPsec VPN userWhich three configuration changes must you make on FortiGate to perform certificate-based authentication for the IPsec VPN user? (Choose three)

In the Authentication section of the IPsec VPN tunnel in the Method drop-down list select Signature and then select the certificate that FortiGate will use for IPsec VPN

Import the CA that signed the user certificate

Enable XAUTH on the IPsec VPN tunnel

Create a PKI user for the IPsec VPN user, and then configure the IPsec VPN tunnel to accept the PKI user as peer certificate

In the Authentication section of the IPsec VPN tunnel in the Method drop-down list select Signature and then select the certificate that FortiGate will use for IPsec VPN

In the IKE section of the IPsec VPN tunnel in the Mode field select Main (ID protection)

Import the CA that signed the user certificate

Enable XAUTH on the IPsec VPN tunnel

You are configuring a FortiGate wireless network to support automated wireless client quarantine using IOC Which two configurations must you put in place for a wireless client to be quarantined successfully? (Choose two)

Configure the wireless network to be in tunnel mode

Configure the FortiGate device in the Security Fabric with a FortiAnalyzer device

Configure the wireless network to be in tunnel mode

Configure the FortiGate device in the Security Fabric with a FortiAnalyzer device

Configure a firewall policy to allow communication

Configure the wireless network to be in bridge mode

Refer to the exhibits The exhibits show the wireless network (VAP) SSID profiles defined on FortiManager and an AP profile assigned to a group of APs that are supported by FortiGateNone of the APs are broadcasting the SSlDs defined by the AP profileWhich changes do you need to make to enable the SSIDs to broadcast?

Enable one channel in the Channels section

In the SSIDs section enable Tunnel

Enable one channel in the Channels section

Enable multiple channels in the Channels section and enable Radio Resource Provision

In the SSIDs section enable Manual and assign the networks manually

Which two statements about the guest portal on FortiAuthenticator are true? (Choose two.)

The guest portal provides pre and post-log in services

Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal

Each remote user on FortiAuthenticator can sponsor up to 10 guest accounts

Administrators must approve all guest accounts before they can be used

The guest portal provides pre and post-log in services

Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal

Refer to the exhibit. Exhibit. Refer to the exhibitsIn the wireless configuration shown in the exhibits, an AP is deployed in a remote site and has a wireless network (VAP) called Corporate deployed to itThe network is a tunneled network however clients connecting to a wireless network require access to a local printer Clients are trying to print to a printer on the remote site but are unable to do soWhich configuration change is required to allow clients connected to the Corporate SSID to print locally?

Configure split-tunneling in the vap configuration

Configure split-tunneling in the wtp-profile configuration

Disable the Block Intra-SSID Traffic (intra-vap-privacy) setting on the SSID (VAP) profile

Configure the printer as a wireless client on the Corporate wireless network

Which two statements about FortiSwitch manager are true1? (Choose two)

FortiManager obtains the FortiSwitch status information by querying the FortiGate REST API every three minutes

If the administrator makes any changes on FortiSwitch manager they must also install those changes on FortiGate so that those changes are applied on the managed switches

Per-device management is the default management mode on FortiManager

FortiManager obtains the FortiSwitch status information by querying the FortiGate REST API every three minutes

If the administrator makes any changes on FortiSwitch manager they must also install those changes on FortiGate so that those changes are applied on the managed switches

Any switch discovered or authorized on FortiGate must be added manually on FortiSwitch manager

A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS)Which two changes must the administrator make to enforce HTTPS authentication'? (Choose two >

Enable HTTP redirect in the user authentication settings

Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator

Create a new SSID with the HTTPS captive portal URL

Enable HTTP redirect in the user authentication settings

Disable HTTP administrative access on the guest SSID to enforce HTTPS connection

Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator

Refer to the exhibit. Examine the FortiManager configuration and FortiGate CLI output shown in the exhibitAn administrator is testing the NAC feature The test device is connected to a managed FortiSwitch device {S224EPTF19'537)onpOrt2After applying the NAC policy on port2 and generating traffic on the test device the test device is not matching the NAC policy therefore the test device remains m the onboarding VLANBased on the information shown in the exhibit which two scenarios are likely to cause this issue? (Choose two.)

Management communication between FortiGate and FortiSwitch is down

The MAC address configured on the NAC policy is incorrect

Management communication between FortiGate and FortiSwitch is down

The MAC address configured on the NAC policy is incorrect

The device operating system detected by FortiGate is not Linux

Device detection is not enabled on VLAN 4089

Refer to the exhibit. Examine the FortiManager information shown in the exhibitWhich two statements about the FortiManager status are true'' (Choose two)

FortiSwitch manager is working in central management mode

FortiSwitch is authorized and offline

FortiSwitch manager is working in per-device management mode

FortiSwitch manager is working in central management mode

FortiSwitch is authorized and offline

An administrator has configured an SSID in bridge mode for corporate employees All APs are online and provisioned using default AP profiles Employees are unable to locate the SSID to connedWhich two configurations can the administrator verify? (Choose two)

Verify that the broadcast SSID option is enabled in the SSID configuration

Verify that the SSID to an AP group that should be broadcasting the SSID is applied

Verify that the broadcast SSID option is enabled in the SSID configuration

Verify that the Block Intra-SSID Traffic (intra-vap-privacy) option in the SSID configuration is disabled

Verify that the SSID to an AP group that should be broadcasting the SSID is applied

Verify that the SSID is manually applied on AP profiles for both 2 4 GHz and 5 GHz radios

What is the purpose of enabling Windows Active Directory Domain Authentication on FortiAuthenticator?

It enables FortiAuthenticator to register itself as a Windows trusted device to proxy authentication using Kerberos

It enables FortiAuthenticator to use Windows administrator credentials to perform an LDAP lookup for a user search

It enables FortiAuthenticator to use a Windows CA certificate when authenticating RADIUS users

It enables FortiAuthenticator to import users from Windows AD

It enables FortiAuthenticator to register itself as a Windows trusted device to proxy authentication using Kerberos

Refer to the exhibit. Examine the FortiGate configuration FortiAnalyzer logs and FortiGate widget shown in the exhibitAn administrator is testing the Security Fabric quarantine automation The administrator added FortiAnalyzer to the Security Fabric and configured an automation stitch to automatically quarantine compromised devices The test device (::.:.:.!) s connected to a managed Fort Switch dev :eAfter trying to access a malicious website from the test device, the administrator verifies that FortiAnalyzer has a log (or the test connection However the device is not getting quarantined by FortiGate as shown in the quarantine widgetWhich two scenarios are likely to cause this issue? (Choose two)

FortiAnalyzer does not have a valid threat detection services license

FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC)

The web filtering rating service is not working

FortiAnalyzer does not have a valid threat detection services license

The device does not have FortiClient installed

FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC)

Which FortiSwitch VLANs are automatically created on FortGate when the first FortiSwitch device is discovered1?

fortilink. quarantine erspan voice video and onboarding

default quarantine, rspan voice video onboarding and nac_segment

access, quarantine, rspan. voice, video, and onboarding

default quarantine rspan voice video and nac_segment

fortilink. quarantine erspan voice video and onboarding

Refer to the exhibit. Examine the network diagram and packet capture shown in the exhibitThe packet capture was taken between FortiGate and FortiAuthenticator and shows a RADIUS Access-Request packet sent by FortiSwitch to FortiAuthenticator through FortiGateWhy does the User-Name attribute in the RADIUS Access-Request packet contain the client MAC address?

FortiSwitch is authenticating the client using MAC authentication bypass

The client is performing AD machine authentication

FortiSwitch is authenticating the client using MAC authentication bypass

The client is performing user authentication

FortiSwitch is sending a RADIUS accounting message to FortiAuthenticator

Refer to the exhibit. Examine the RADIUS server configuration shown in the exhibitAn administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAPWhile testing the configuration the administrator noticed that the diagnose test authserver command worked with PAP, however authentication requests failed when using MSCHAP2Which two solutions can the administrator implement to get MSCHAP2 authentication to work'' (Choose two.)

On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain

On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS

On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain

On FortiGate configure the NAS IP setting on the RADIUS server

On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS

On FortiGate update the Secret setting on the RADIUS server

Which CLI command should an administrator use to view the certificate verification process in real time?

diagnose debug application foauthd -1

diagnose debug application radiusd -1

diagnose debug application authd -1

diagnose debug application fnbamd -1

Refer to the exhibits. Firewall Policy Examine the firewall policy configuration and SSID settingsAn administrator has configured a guest wireless network on FortiGate using the external captive portal The administrator has verified that the external captive portal URL is correct However wireless users are not able to see the captive portal login pageGiven the configuration shown in the exhibit and the SSID settings which configuration change should the administrator make to fix the problem?

Apply a guest.portal user group in the firewall policy with the ID 11.

Disable the user group from the SSID configuration

Enable the captivs-portal-exempt option in the firewall policy with the ID 11.

Apply a guest.portal user group in the firewall policy with the ID 11.

Include the wireless client subnet range in the Exempt Source section

Refer to the exhibit. Examine the FortiGate user group configuration and the Windows AD LDAP group membership information shown in the exhibitFortiGate is configured to authenticate SSL VPN users against Windows AD using LDAP The administrator configured the SSL VPN user group for SSL VPN users However the administrator noticed that both the student and j smith users can connect to SSL VPNWhich change can the administrator make on FortiGate to restrict the SSL VPN service to the student user only?

In the SSL VPN user group configuration set Group Nam to CN-SSLVPN, CN='users, DC-trainingAD, DC-training, DC-lab

In the SSL VPN user group configuration, change Name to cn=sslvpn, CN=users, DC=trainingAD, Detraining, DC-lab.

In the SSL VPN user group configuration set Group Name to ::;=Domain users.CN-Users/DC=trainingAD, DC-training, DC=lab.

In the SSL VPN user group configuration change Type to Fortinet Single Sign-On (FSSO)

Refer to the exhibits. Exhibit. Examine the troubleshooting outputs shown in the exhibitsUsers have been reporting issues with the speed of their wireless connection in a particular part of the wireless network The interface that is having issues is the 2 4 GHz interface that is currently configured on channel 6The administrator of the wireless network has investigated and surveyed the local RF environment using the tools available at the AP and FortiGateWhich configuration would improve the wireless connection?

Change the AP 2 4 GHz channel to 1.

Change the AP 2 4 GHz channel to 11

Change the AP 2 4 GHz channel to 1.

Change the AP 2 4 GHz channel to 9.

Change the AP 2 4 GHz channel to 13.

Refer to the exhibit. Examine the FortiSwitch security policy shown in the exhibitIf the security profile shown in the exhibit is assigned to all ports on a FortiSwitch device for 802 1X authentication which statement about the switch is correct?

FortiSwitch will assign non-802 1X devices to the onboarding VLAN

FortiSwitch cannot authenticate multiple devices connected to the same port

FortiSwitch will try to authenticate non-802 1X devices using the device MAC address as the username and password

FortiSwitch will assign non-802 1X devices to the onboarding VLAN

All EAP messages will be terminated on FortiSwitch

Which two statements about the MAC-based 802 1X security mode available on FortiSwitch are true? (Choose two.)

FortiSwitch authenticates each device connected to the port

FortiSwitch can grant different access levels to each device connected to the port

FortiSwitch authenticates a single device and opens the port to other devices connected to the port

FortiSwitch authenticates each device connected to the port

It cannot be used in conjunction with MAC authentication bypass

FortiSwitch can grant different access levels to each device connected to the port

Where can FortiGate learn the FortiManager IP address or FQDN for zero-touch provisioning'?

From a DNS server using A or AAAA records

From an LDAP server using a simple bind operation

From a DHCP server using options 240 and 241

From a DNS server using A or AAAA records

Fortinet NSE7_LED-7.0 Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 37

Refer to the exhibit

Fortinet NSE7_LED-7.0 image Question 1 27003 09182024190743000000

Examine the FortiGate RSSO configuration shown in the exhibit

FortiGate is configured to receive RADIUS accounting messages on port3 to authenticate RSSO users The users are located behind port3 and the internet link is connected to port1 FortiGate is processing incoming RADIUS accounting messages successfully and RSSO users are getting associated with the RSSO Group user group However all the users are able to access the internet, and the administrator wants to restrict internet access to RSSO users only

Which configuration change should the administrator make to fix the problem?

Change the RADIUS Attribute Value selling to match the name of the RADIUS attribute containing the group membership information of the RSSO users

Add RSSO Group to the firewall policy

Enable Security Fabric Connection on port3

Create a second firewall policy from port3 lo port1 and select the target destination subnets

Comment (0)

Fortinet NSE7_LED-7.0 Practice Test 1

Question

Fortinet NSE7_LED-7.0 Practice Tests

Practice Tests