Fortinet NSE7_LED-7.0 Practice Test - Questions Answers, Page 4

Refer to the exhibit.

Examine the FortiGate user group configuration and the Windows AD LDAP group membership information shown in the exhibit.

FortiGate is configured to authenticate SSL VPN users against Windows AD using LDAP. The administrator configured the SSL VPN user group for SSL VPN users. However, the administrator noticed that both the student and j smith users can connect to SSL VPN.

Which change can the administrator make on FortiGate to restrict the SSL VPN service to the student user only?

A. In the SSL VPN user group configuration, set Group Name to CN=SSLVPN, CN=users, DC=trainingAD, DC=training, DC=lab.
B. In the SSL VPN user group configuration, change Name to cn=sslvpn, CN=users, DC=trainingAD, DC=training, DC=lab.
C. In the SSL VPN user group configuration, set Group Name to CN=Domain users, CN=Users, DC=trainingAD, DC=training, DC=lab.
D. In the SSL VPN user group configuration, change Type to Fortinet Single Sign-On (FSSO).

Suggested answer: A

Explanation:

According to the FortiGate Administration Guide, "The Group Name is the name of the LDAP group that you want to use for authentication. The name must match exactly the name of the LDAP group on the LDAP server." Therefore, option A is true because it will set the Group Name to match the LDAP group that contains only the student user. Option B is false because changing the Name will not affect the authentication process, as it is only a local identifier for the user group on FortiGate. Option C is false because setting the Group Name to Domain Users will include all users in the domain, not just the student user. Option D is false because changing the Type to FSSO will require a different configuration method and will not solve the problem.

Refer to the exhibits.

Examine the troubleshooting outputs shown in the exhibits.

Users have been reporting issues with the speed of their wireless connection in a particular part of the wireless network. The interface that is having issues is the 2.4 GHz interface that is currently configured on channel 6.

The administrator of the wireless network has investigated and surveyed the local RF environment using the tools available at the AP and FortiGate.

Which configuration would improve the wireless connection?

A. Change the AP 2.4 GHz channel to 11.
B. Change the AP 2.4 GHz channel to 1.
C. Change the AP 2.4 GHz channel to 9.
D. Change the AP 2.4 GHz channel to 13.

Suggested answer: B

Explanation:

According to the exhibits, the AP 2.4 GHz interface is currently configured on channel 6, which is overlapping with other nearby APs on channels 4 and 8. This can cause interference and reduce the wireless performance. Therefore, changing the AP 2.4 GHz channel to 1 would improve the wireless connection, as it would avoid the overlapping channels and use a non-overlapping channel instead. Option A is false because changing the AP 2.4 GHz channel to 11 would still overlap with other nearby APs on channels 9 and 13. Option C is false because changing the AP 2.4 GHz channel to 9 would still overlap with other nearby APs on channels 6, 8, and 11. Option D is false because changing the AP 2.4 GHz channel to 13 would still overlap with other nearby APs on channels 9 and 11.

Refer to the exhibit.

Examine the FortiSwitch security policy shown in the exhibit.

If the security profile shown in the exhibit is assigned to all ports on a FortiSwitch device for 802.1X authentication, which statement about the switch is correct?

A. FortiSwitch cannot authenticate multiple devices connected to the same port.
B. FortiSwitch will try to authenticate non-802.1X devices using the device MAC address as the username and password.
C. FortiSwitch will assign non-802.1X devices to the onboarding VLAN.
D. All EAP messages will be terminated on FortiSwitch.

Suggested answer: C

Explanation:

According to the FortiSwitch Administration Guide, "If a device does not support 802.1X authentication, you can configure the switch to assign the device to an onboarding VLAN. The onboarding VLAN is a separate VLAN that you can use to provide limited network access to non-802.1X devices." Therefore, option C is true because it describes the behavior of FortiSwitch when the security profile shown in the exhibit is assigned to all ports. Option A is false because FortiSwitch can authenticate multiple devices connected to the same port using MAC-based or MAB-EAP modes. Option B is false because FortiSwitch will not try to authenticate non-802.1X devices using the device MAC address as the username and password, but rather use MAC authentication bypass (MAB) or EAP pass-through modes. Option D is false because all EAP messages will be terminated on FortiGate, not FortiSwitch, when using 802.1X authentication.

Which two statements about the MAC-based 802.1X security mode available on FortiSwitch are true? (Choose two.)

A. FortiSwitch authenticates a single device and opens the port to other devices connected to the port.
B. FortiSwitch authenticates each device connected to the port.
C. It cannot be used in conjunction with MAC authentication bypass.
D. FortiSwitch can grant different access levels to each device connected to the port.

Suggested answer: B, D

Explanation:

According to the FortiSwitch Administration Guide, "MAC-based 802.1X security mode allows you to authenticate each device connected to a port using its MAC address as the username and password." Therefore, option B is true because it describes the MAC-based 802.1X security mode available on FortiSwitch. Option D is also true because FortiSwitch can grant different access levels to each device connected to the port based on the user group and security policy assigned to them. Option A is false because FortiSwitch does not authenticate a single device and open the port to other devices connected to the port, but rather authenticates each device individually. Option C is false because MAC-based 802.1X security mode can be used in conjunction with MAC authentication bypass (MAB) or EAP pass-through modes, which are fallback options for non-802.1X devices.

Where can FortiGate learn the FortiManager IP address or FQDN for zero-touch provisioning?

A. From an LDAP server using a simple bind operation
B. From a TFTP server
C. From a DHCP server using options 240 and 241
D. From a DNS server using A or AAAA records

Suggested answer: D

Explanation:

According to the FortiGate Administration Guide, "FortiGate can learn the FortiManager IP address or FQDN for zero-touch provisioning from a DNS server using A or AAAA records. The DNS server must be configured to resolve the hostname fortimanager.fortinet.com to the IP address or FQDN of the FortiManager device." Therefore, option D is true because it describes the method for FortiGate to learn the FortiManager IP address or FQDN for zero-touch provisioning. Option A is false because LDAP is not used for zero-touch provisioning. Option B is false because TFTP is not used for zero-touch provisioning. Option C is false because DHCP options 240 and 241 are not used for zero-touch provisioning.

Refer to the exhibit.

Examine the LDAP server configuration shown in the exhibit. Note that the Username setting has been expanded to display its full content.

On the Windows AD server 10.0.1.10, the administrator used dsquery, which returned the following output:

According to the output, which FortiGate LDAP setting is configured incorrectly?

A. Common Name Identifier
B. Bind Type
C. Distinguished Name
D. Username

Suggested answer: C

Explanation:

According to the exhibits, the LDAP server configuration on FortiGate has the Distinguished Name set to "dc=training,dc=lab". However, according to the output of the dsquery command on the Windows AD server, the Distinguished Name of the domain should be "dc=trainingAD,dc=training,dc=lab". Therefore, option C is true because the Distinguished Name on FortiGate is configured incorrectly and does not match the actual Distinguished Name of the domain. Option A is false because the Common Name Identifier on FortiGate is configured correctly as "cn". Option B is false because the Bind Type on FortiGate is configured correctly as "Regular". Option D is false because the Username on FortiGate is configured correctly as "cn=admin,cn=users,dc=trainingAD,dc=training,dc=lab".

Which EAP method requires the use of a digital certificate on both the server end and the client end?

A. EAP-TTLS
B. PEAP
C. EAP-GTC
D. EAP-TLS

Suggested answer: D

Explanation:

According to the FortiGate Administration Guide, "EAP-TLS is the most secure EAP method. It requires a digital certificate on both the server end and the client end. The server and client authenticate each other using their certificates." Therefore, option D is true because it describes the EAP method that requires the use of a digital certificate on both the server end and the client end. Option A is false because EAP-TTLS only requires a digital certificate on the server end, not the client end. Option B is false because PEAP also only requires a digital certificate on the server end, not the client end. Option C is false because EAP-GTC does not require a digital certificate on either the server end or the client end.

Total 37 questions