Fortinet NSE6_FAC-6.4 Exam Practice Test Instant Access

Question 1

Which two SAML roles can Fortiauthenticator be configured as? (Choose two)

AIdendity provider

BPrincipal

CAssertion server

DService provider

Answer : A, D

FortiAuthenticator can be configured as a SAML identity provider (IdP) or a SAML service provider (SP). As an IdP, FortiAuthenticator authenticates users and issues SAML assertions to SPs. As an SP, FortiAuthenticator receives SAML assertions from IdPs and grants access to users based on the attributes in the assertions. Principal and assertion server are not valid SAML roles. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372407/saml

Question 2

Which EAP method is known as the outer authentication method?

APEAP

BEAP-GTC

CEAP-TLS

DMSCHAPV2

Answer : A

PEAP is known as the outer authentication method because it establishes a secure tunnel between the client and the server using TLS. The inner authentication method, such as EAP-GTC, EAP-TLS, or MSCHAPV2, is then used to authenticate the client within the tunnel.

Question 3

Which two types of digital certificates can you create in Fortiauthenticator? (Choose two)

AUser certificate

BOrganization validation certificate

CThird-party root certificate

DLocal service certificate

Answer : A, D

FortiAuthenticator can create two types of digital certificates: user certificates and local service certificates. User certificates are issued to users or devices for authentication purposes, such as VPN, wireless, or web access. Local service certificates are issued to FortiAuthenticator itself for securing its own services, such as HTTPS, RADIUS, or LDAP.

Question 4

Which option correctly describes an SP-initiated SSO SAML packet flow for a host without a SAML assertion?

AService provider contacts idendity provider, idendity provider validates principal for service provider, service provider establishes communication with principal

BPrincipal contacts idendity provider and is redirected to service provider, principal establishes connection with service provider, service provider validates authentication with identify provider

CPrincipal contacts service provider, service provider redirects principal to idendity provider, after succesfull authentication identify provider redirects principal to service provider

DPrincipal contacts idendity provider and authenticates, identity provider relays principal to service provider after valid authentication

Answer : C

SP-initiated SSO SAML packet flow for a host without a SAML assertion is as follows:

Principal contacts service provider, requesting access to a protected resource.

Service provider redirects principal to identity provider, sending a SAML authentication request.

Principal authenticates with identity provider using their credentials.

After successful authentication, identity provider redirects principal back to service provider, sending a SAML response with a SAML assertion containing the principal's attributes.

Service provider validates the SAML response and assertion, and grants access to the principal.

Question 5

An administrator wants to keep local CA cryptographic keys stored in a central location.

Which FortiAuthenticator feature would provide this functionality?

ASCEP support

BREST API

CNetwork HSM

DSFTP server

Answer : C

Network HSM is a feature that allows FortiAuthenticator to keep local CA cryptographic keys stored in a central location. HSM stands for Hardware Security Module, which is a physical device that provides secure storage and generation of cryptographic keys. Network HSM allows FortiAuthenticator to use an external HSM device to store and manage the private keys of its local CAs, instead of storing them locally on the FortiAuthenticator device.

Question 6

You are a Wi-Fi provider and host multiple domains.

How do you delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device?

ACreate realms.

BCreate user groups

CCreate multiple directory trees on FortiAuthenticator

DAutomatically import hosts from each domain as they authenticate.

Answer : A

Realms are a way to delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device. A realm is a logical grouping of users and groups based on a common attribute, such as a domain name or an IP address range. Realms allow administrators to apply different authentication policies and settings to different groups of users based on their realm membership.

Question 7

Examine the screenshot shown in the exhibit.

Which two statements regarding the configuration are true? (Choose two.)

AAll guest accounts created using the account registration feature will be placed under the Guest_Portal_Users group

BAll accounts registered through the guest portal must be validated through email

CGuest users must fill in all the fields on the registration form

DGuest user account will expire after eight hours

Answer : A, B

The screenshot shows that the account registration feature is enabled for the guest portal and that the guest group is set to Guest_Portal_Users.This means that all guest accounts created using this feature will be placed under that group1. The screenshot also shows that email validation is enabled for the guest portal and that the email validation link expires after 24 hours.This means that all accounts registered through the guest portal must be validated through email within that time frame1.

Fortinet NSE6_FAC-6.4 Fortinet NSE 6 - FortiAuthenticator 6.4 Exam Practice Test