NSE6_FAC-6.4 | A Review Of Tested NSE6_FAC-6.4 Training

NEW QUESTION 1
You are a Wi-Fi provider and host multiple domains.
How do you delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device?

• A. Create realms.
• B. Create user groups
• C. Create multiple directory trees on FortiAuthenticator
• D. Automatically import hosts from each domain as they authenticate.

Answer: A

Explanation:
Realms are a way to delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device. A realm is a logical grouping of users and groups based on a common attribute, such as a domain name or an IP address range. Realms allow administrators to apply different authentication policies and settings to different groups of users based on their realm membership.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/user-management#real

NEW QUESTION 2
Which of the following is an OATH-based standard to generate event-based, one-time password tokens?

• A. HOTP
• B. SOTP
• C. TOTP
• D. OLTP

Answer: A

NEW QUESTION 3
Which EAP method is known as the outer authentication method?

• A. PEAP
• B. EAP-GTC
• C. EAP-TLS
• D. MSCHAPV2

Answer: A

Explanation:
PEAP is known as the outer authentication method because it establishes a secure tunnel between the client and the server using TLS. The inner authentication method, such as EAP-GTC, EAP-TLS, or MSCHAPV2, is then used to authenticate the client within the tunnel.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/wireless-802-1x-authen

NEW QUESTION 4
Which two statements about the self-service portal are true? (Choose two)

• A. Self-registration information can be sent to the user through email or SMS
• B. Realms can be used to configure which seld-registered users or groups can authenticate on the network
• C. Administrator approval is required for all self-registration
• D. Authenticating users must specify domain name along with username

Answer: AB

Explanation:
Two statements about the self-service portal are true:
Self-registration information can be sent to the user through email or SMS using the notification templates feature. This feature allows administrators to customize the messages that are sent to users when they register or perform other actions on the self-service portal.
Realms can be used to configure which self-registered users or groups can authenticate on the network using the realm-based authentication feature. This feature allows administrators to apply different authentication policies and settings to different groups of users based on their realm membership.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/user-management#self- https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/user-management#real

NEW QUESTION 5
At a minimum, which two configurations are required to enable guest portal services on FortiAuthenticator? (Choose two)

• A. Configuring a portal policy
• B. Configuring at least on post-login service
• C. Configuring a RADIUS client
• D. Configuring an external authentication portal

Answer: AB

Explanation:
enable guest portal services on FortiAuthenticator, you need to configure a portal policy that defines the conditions for presenting the guest portal to users and the authentication methods to use. You also need to configure at least one post-login service that defines what actions to take after a user logs in successfully, such as sending an email confirmation, assigning a VLAN, or creating a user account. Configuring a RADIUS client or an external authentication portal are optional steps that depend on your network setup and requirements. References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management

NEW QUESTION 6
Which method is the most secure way of delivering FortiToken data once the token has been seeded?

• A. Online activation of the tokens through the FortiGuard network
• B. Shipment of the seed files on a CD using a tamper-evident envelope
• C. Using the in-house token provisioning tool
• D. Automatic token generation using FortiAuthenticator

Answer: A

Explanation:
Online activation of the tokens through the FortiGuard network is the most secure way of delivering FortiToken data once the token has been seeded because it eliminates the risk of seed files being compromised during transit or storage. The other methods involve physical or manual delivery of seed files which can be intercepted, lost, or stolen. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372403/fortitoken

NEW QUESTION 7
A digital certificate, also known as an X.509 certificate, contains which two pieces of information? (Choose two.)

• A. Issuer
• B. Shared secret
• C. Public key
• D. Private key

Answer: AC

Explanation:
A digital certificate, also known as an X.509 certificate, contains two pieces of information:
Issuer, which is the identity of the certificate authority (CA) that issued the certificate
Public key, which is the public part of the asymmetric key pair that is associated with the certificate subject
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management

NEW QUESTION 8
What happens when a certificate is revoked? (Choose two)

• A. Revoked certificates cannot be reinstated for any reason
• B. All certificates signed by a revoked CA certificate are automatically revoked
• C. Revoked certificates are automatically added to the CRL
• D. External CAs will priodically query Fortiauthenticator and automatically download revoked certificates

Answer: BC

Explanation:
When a certificate is revoked, it means that it is no longer valid and should not be trusted by any entity. Revoked certificates are automatically added to the certificate revocation list (CRL) which is published by the issuing CA and can be checked by other parties. If a CA certificate is revoked, all certificates signed by that CA are also revoked and added to the CRL. Revoked certificates can be reinstated if the reason for revocation is resolved, such as a compromised private key being recovered or a misissued certificate being corrected. External CAs do not query FortiAuthenticator for revoked certificates, but they can use protocols such as SCEP or OCSP to exchange certificate information with FortiAuthenticator. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management

NEW QUESTION 9
Which two protocols are the default management access protocols for administrative access for FortiAuthenticator? (Choose two)

• A. Telnet
• B. HTTPS
• C. SSH
• D. SNMP

Answer: BC

Explanation:
HTTPS and SSH are the default management access protocols for administrative access for FortiAuthenticator. HTTPS allows administrators to access the web-based GUI of FortiAuthenticator using a web browser and a secure connection. SSH allows administrators to access the CLI of FortiAuthenticator using an SSH client and an encrypted connection. Both protocols require the administrator to enter a valid username and password to log in.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/system-settings#manag

NEW QUESTION 10
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?

• A. UUID and time
• B. Time and seed
• C. Time and mobile location
• D. Time and FortiAuthenticator serial number

Answer: B

Explanation:
TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two
pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/two-factor-authenticati

NEW QUESTION 11
What are three key features of FortiAuthenticator? (Choose three)

• A. Identity management device
• B. Log server
• C. Certificate authority
• D. Portal services
• E. RSSO Server

Answer: ACD

Explanation:
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet Single Sign-On (FSSO). It also offers portal services for guest management,
self-service password reset, and device registration. It is not a log server or an RSSO server. References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/release-notes

NEW QUESTION 12
Which network configuration is required when deploying FortiAuthenticator for portal services?

• A. FortiAuthenticator must have the REST API access enable on port1
• B. One of the DNS servers must be a FortiGuard DNS server
• C. Fortigate must be setup as default gateway for FortiAuthenticator
• D. Policies must have specific ports open between FortiAuthenticator and the authentication clients

Answer: D

Explanation:
When deploying FortiAuthenticator for portal services, such as guest portal, sponsor portal, user portal or FortiToken activation portal, the network configuration must allow specific ports to be open between FortiAuthenticator and the authentication clients. These ports are:
TCP 80 for HTTP access
TCP 443 for HTTPS access
TCP 389 for LDAP access
TCP 636 for LDAPS access
UDP 1812 for RADIUS authentication
UDP 1813 for RADIUS accounting
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/portal-services#networ

NEW QUESTION 13
Why would you configure an OCSP responder URL in an end-entity certificate?

• A. To designate the SCEP server to use for CRL updates for that certificate
• B. To identify the end point that a certificate has been assigned to
• C. To designate a server for certificate status checking
• D. To provide the CRL location for the certificate

Answer: C

Explanation:
An OCSP responder URL in an end-entity certificate is used to designate a server for certificate status checking. OCSP stands for Online Certificate Status Protocol, which is a method of verifying whether a certificate is valid or revoked in real time. An OCSP responder is a server that responds to OCSP requests from clients with the status of the certificate in question. The OCSP responder URL in an end-entity certificate points to the location of the OCSP responder that can provide the status of that certificate.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management

NEW QUESTION 14
Which two SAML roles can Fortiauthenticator be configured as? (Choose two)

• A. Idendity provider
• B. Principal
• C. Assertion server
• D. Service provider

Answer: AD

Explanation:
FortiAuthenticator can be configured as a SAML identity provider (IdP) or a SAML service provider (SP). As an IdP, FortiAuthenticator authenticates users and issues SAML assertions to SPs. As an SP, FortiAuthenticator receives SAML assertions from IdPs and grants access to users based on the attributes in the assertions. Principal and assertion server are not valid SAML roles. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372407/saml

NEW QUESTION 15
......