Free demo questions for Fortinet NSE6_FAC-6.4 Exam Dumps Below:
NEW QUESTION 1
Which two types of digital certificates can you create in FortiAuthenticator? (Choose two)
- A. User certificate
- B. Organization validation certificate
- C. Third-party root certificate
- D. Local service certificate
Answer: AD
Explanation:
FortiAuthenticator can create two types of digital certificates: user certificates and local service certificates. User certificates are issued to users or devices for authentication purposes, such as VPN, wireless, or web access. Local service certificates are issued to FortiAuthenticator itself for securing its own services, such as HTTPS, RADIUS, or LDAP.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management
NEW QUESTION 2
A device or user identity cannot be established transparently, such as with non-domain BYOD devices, and you want to allow users to create their own credentials.
In this case, which user identity discovery method can FortiAuthenticator use?
- A. Syslog messaging or SAML IDP
- B. Kerberos-based authentication
- C. RADIUS accounting
- D. Portal authentication
Answer: D
Explanation:
Portal authentication is a user identity discovery method that can be used when a device or user identity cannot be established transparently, such as with non-domain BYOD devices, and users are to be allowed to create their own credentials. Portal authentication requires users to enter their credentials on a web page before accessing network resources. The other methods are used for transparent identification of domain devices or users.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372406/user-identity-discovery
NEW QUESTION 3
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?
- A. UUID and time
- B. Time and seed
- C. Time and mobile location
- D. Time and FortiAuthenticator serial number
Answer: B
Explanation:
TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/two-factor-authenticati
NEW QUESTION 4
You are the administrator of a large network that includes a large local user database on the current FortiAuthenticator. You want to import all the local users into a new FortiAuthenticator device.
Which method should you use to migrate the local users?
- A. Import users using RADIUS accounting updates.
- B. Import the current directory structure.
- C. Import users from RADIUS.
- D. Import users using a CSV file.
Answer: D
Explanation:
The best method to migrate local users from one FortiAuthenticator device to another is to export the users from the current device as a CSV file and then import the CSV file into the new device. This method preserves all the user attributes and settings and allows you to modify them if needed before importing. The other methods are not suitable for migrating local users because they either require an external RADIUS server or do not transfer all the user information.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372409/user-management
NEW QUESTION 5
Which three of the following can be used as SSO sources? (Choose three)
- A. FortiClient SSO Mobility Agent
- B. SSH Sessions
- C. FortiAuthenticator in SAML SP role
- D. FortiGate
- E. RADIUS accounting
Answer: ADE
Explanation:
FortiAuthenticator supports various SSO sources that can provide user identity information to other devices in the network, such as FortiGate firewalls or FortiAnalyzer log servers. Some of the supported SSO sources are:
- FortiClient SSO Mobility Agent: A software agent that runs on Windows devices and sends user login information to FortiAuthenticator.
- FortiGate: A firewall device that can send user login information from various sources, such as FSSO agents, captive portals, VPNs, or LDAP servers, to FortiAuthenticator.
- RADIUS accounting: A protocol that can send user login information from RADIUS servers or clients, such as wireless access points or VPN concentrators, to FortiAuthenticator.
SSH sessions and FortiAuthenticator in SAML SP role are not valid SSO sources because they do not provide user identity information to other devices in the network.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372410/single-sign-on
NEW QUESTION 6
You are a FortiAuthenticator administrator for a large organization. Users who are configured to use FortiToken 200 for two-factor authentication can no longer authenticate. You have verified that only the users with two-factor authentication are experiencing the issue.
What can cause this issue?
- A. FortiToken 200 license has expired
- B. One of the FortiAuthenticator devices in the active-active cluster has failed
- C. Time drift between FortiAuthenticator and hardware tokens
- D. FortiAuthenticator has lost contact with the FortiToken Cloud servers
Answer: C
Explanation:
One possible cause of the issue is time drift between FortiAuthenticator and hardware tokens. Time drift occurs when the internal clocks of FortiAuthenticator and hardware tokens are not synchronized. This can result in mismatched one-time passwords (OTPs) generated by the hardware tokens and expected by FortiAuthenticator. To prevent this issue, FortiAuthenticator provides a time drift tolerance option that allows a certain number of seconds of difference between the clocks.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/two-factor-authenticati
NEW QUESTION 7
When configuring syslog SSO, which three actions must you take, in addition to enabling the syslog SSO method? (Choose three.)
- A. Enable syslog on the FortiAuthenticator interface.
- B. Define a syslog source.
- C. Select a syslog rule for message parsing.
- D. Set the same password on both the FortiAuthenticator and the syslog server.
- E. Set the syslog UDP port on FortiAuthenticator.
Answer: BCE
Explanation:
To configure syslog SSO, three actions must be taken, in addition to enabling the syslog SSO method:
- Define a syslog source, which is a device that sends syslog messages to FortiAuthenticator containing user logon or logoff information.
- Select a syslog rule for message parsing, which is a predefined or custom rule that defines how to extract the user name, IP address, and logon or logoff action from the syslog message.
- Set the syslog UDP port on FortiAuthenticator, which is the port number that FortiAuthenticator listens on for incoming syslog messages.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/single-sign-on#syslog-s
NEW QUESTION 8
What happens when a certificate is revoked? (Choose two)
- A. Revoked certificates cannot be reinstated for any reason
- B. All certificates signed by a revoked CA certificate are automatically revoked
- C. Revoked certificates are automatically added to the CRL
- D. External CAs will periodically query FortiAuthenticator and automatically download revoked certificates
Answer: BC
Explanation:
When a certificate is revoked, it means that it is no longer valid and should not be trusted by any entity. Revoked certificates are automatically added to the certificate revocation list (CRL) which is published by the issuing CA and can be checked by other parties. If a CA certificate is revoked, all certificates signed by that CA are also revoked and added to the CRL. Revoked certificates can be reinstated if the reason for revocation is resolved, such as a compromised private key being recovered or a misissued certificate being corrected. External CAs do not query FortiAuthenticator for revoked certificates, but they can use protocols such as SCEP or OCSP to exchange certificate information with FortiAuthenticator.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management
NEW QUESTION 9
Which behaviors exist for certificate revocation lists (CRLs) on FortiAuthenticator? (Choose two)
- A. CRLs contain the serial number of the certificate that has been revoked
- B. Revoked certificates are automatically placed on the CRL
- C. CRLs can be exported only through the SCEP server
- D. All local CAs share the same CRLs
Answer: AB
Explanation:
CRLs are lists of certificates that have been revoked by the issuing CA and should not be trusted by any entity. CRLs contain the serial number of the certificate that has been revoked, the date and time of revocation, and the reason for revocation. Revoked certificates are automatically placed on the CRL by the CA and the CRL is updated periodically. CRLs can be exported through various methods, such as HTTP, LDAP, or SCEP. Each local CA has its own CRL that is specific to its issued certificates.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management/3
NEW QUESTION 10
Which interface services must be enabled for the SCEP client to connect to FortiAuthenticator?
- A. OCSP
- B. REST API
- C. SSH
- D. HTTP/HTTPS
Answer: D
Explanation:
HTTP/HTTPS are the interface services that must be enabled for the SCEP client to connect to FortiAuthenticator. SCEP stands for Simple Certificate Enrollment Protocol, which is a method of requesting and issuing digital certificates over HTTP or HTTPS. FortiAuthenticator supports SCEP as a certificate authority (CA) and can process SCEP requests from SCEP clients. To enable SCEP on FortiAuthenticator, the HTTP or HTTPS service must be enabled on the interface that receives the SCEP requests.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management
NEW QUESTION 11
How can a SAML metadata file be used?
- A. To define a list of trusted user names
- B. To import the required IDP configuration
- C. To correlate the IDP address to its hostname
- D. To resolve the IDP realm for authentication
Answer: B
Explanation:
A SAML metadata file can be used to import the required IDP configuration for SAML service provider mode. A SAML metadata file is an XML file that contains information about the identity provider (IDP) and the service provider (SP), such as their entity IDs, endpoints, certificates, and attributes. By importing a SAML metadata file from the IDP, FortiAuthenticator can automatically configure the necessary settings for SAML service provider mode.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/saml-service-provider#
NEW QUESTION 12
What are three key features of FortiAuthenticator? (Choose three)
- A. Identity management device
- B. Log server
- C. Certificate authority
- D. Portal services
- E. RSSO Server
Answer: ACD
Explanation:
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet Single Sign-On (FSSO). It also offers portal services for guest management, self-service password reset, and device registration. It is not a log server or an RSSO server.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/release-notes
NEW QUESTION 13
Why would you configure an OCSP responder URL in an end-entity certificate?
- A. To designate the SCEP server to use for CRL updates for that certificate
- B. To identify the end point that a certificate has been assigned to
- C. To designate a server for certificate status checking
- D. To provide the CRL location for the certificate
Answer: C
Explanation:
An OCSP responder URL in an end-entity certificate is used to designate a server for certificate status checking. OCSP stands for Online Certificate Status Protocol, which is a method of verifying whether a certificate is valid or revoked in real time. An OCSP responder is a server that responds to OCSP requests from clients with the status of the certificate in question. The OCSP responder URL in an end-entity certificate points to the location of the OCSP responder that can provide the status of that certificate.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management
NEW QUESTION 14
A digital certificate, also known as an X.509 certificate, contains which two pieces of information? (Choose two.)
- A. Issuer
- B. Shared secret
- C. Public key
- D. Private key
Answer: AC
Explanation:
A digital certificate, also known as an X.509 certificate, contains two pieces of information:
- Issuer, which is the identity of the certificate authority (CA) that issued the certificate
- Public key, which is the public part of the asymmetric key pair that is associated with the certificate subject
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management