
Question 1

Examine the partial fnbamd debug output shown in the following exhibit:

Examine the following user configuration, and then answer the following question:

config user peer
    edit "_any_"
        set ca "CA_Cert_1"
        set ldap-server "Training-Lab"
        set ldap-mode principal-name
    next
end

Which statement is true regarding user authentication? Select one or more:

 The user certificate is not signed by the CA_Cert_1 certificate.
 The user certificate has expired.
 UPN checking is enabled on FortiGate for the PKI user.
 The LDAPS certificate used by FortiGate is not signed by the LDAP server's CA certificate.

If you look at the first lines of the debug output, the FortiGate tries to verify the client certificate's chain of trust and cannot find the CA certificate that signed the client certificate (CA_Cert_1), the one referenced in the configuration. The configuration also contains set ldap-mode principal-name, which means UPN checking is in use: the FortiGate reads the UPN from the certificate and looks it up on the LDAP server "Training-Lab".

Question 2

Examine the following VAP configuration, then answer the following question:

config wireless-controller vap
    edit "Corp"
        set vdom "root"
        set ssid "Corp"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "FAC-Lab"
        set intra-vap-privacy enable
        set schedule "always"
        set vlan-pooling round-robin
        config vlan-pool
            edit 101
            next
            edit 102
            next
        end

Which statements are true regarding the SSID configuration shown in the exhibit? (Choose two.)

 Clients connected to the SSID will not be able to communicate with other wireless clients on the same wireless network.
 VLAN pooling is enabled and wireless clients connecting to the SSID will be assigned either VLAN 101 or VLAN 102.
 This SSID is in bridge mode.
 VLAN 101 and VLAN 102 will be assigned to wireless clients based on RADIUS attributes sent by the RADIUS server.

The configuration contains set intra-vap-privacy enable, which confirms the first answer: clients on this SSID cannot talk to each other. It also contains set vlan-pooling round-robin together with the two VLANs it will distribute users across, which validates the second answer. In round-robin mode the assignment simply alternates between the pooled VLANs; it does not depend on any RADIUS attribute, and nothing in the exhibit puts the SSID in bridge mode.
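Both exhibits above are FortiOS CLI blocks, so the quickest way to reason about them is to parse the config/edit/set/next/end structure and read the attributes back. The following Python is an added example, not part of the original page or of any Fortinet tool. It carries constructed copies of the Question 1 and Question 2 exhibits, answers the UPN and VLAN-pooling points from the parsed data, and simulates how round-robin pooling hands out the pooled VLANs. The local-bridging attribute it checks for bridge mode is an assumption about how a bridge-mode SSID appears in the CLI; that line is absent from the exhibit.

```python
"""Minimal parser for FortiOS CLI configuration blocks (added example)."""
import shlex
from itertools import cycle

# Constructed copies of the two exhibits shown above.
PEER_CONFIG = """
config user peer
    edit "_any_"
        set ca "CA_Cert_1"
        set ldap-server "Training-Lab"
        set ldap-mode principal-name
    next
end
"""

VAP_CONFIG = """
config wireless-controller vap
    edit "Corp"
        set vdom "root"
        set ssid "Corp"
        set security wpa2-only-enterprise
        set auth radius
        set radius-server "FAC-Lab"
        set intra-vap-privacy enable
        set schedule "always"
        set vlan-pooling round-robin
        config vlan-pool
            edit 101
            next
            edit 102
            next
        end
    next
end
"""


def parse_fortios(text):
    """Return nested dicts: {table: {entry: {attribute: value, subtable: {...}}}}.

    'config' opens a table, 'edit' opens an entry, 'set' stores an attribute
    (a list when it has several values), 'next'/'end' close the current level.
    """
    root = {}
    stack = [root]  # container for the current nesting level
    for raw in text.splitlines():
        toks = shlex.split(raw)  # shlex strips the double quotes FortiOS uses
        if not toks:
            continue
        kw, args = toks[0], toks[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
        # 'unset' and other keywords are not needed for these exhibits
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return root


def upn_checking_enabled(cfg, peer="_any_"):
    """Question 1: a PKI peer with ldap-mode principal-name checks the
    certificate UPN against the LDAP server named in ldap-server."""
    entry = cfg["user peer"][peer]
    return entry.get("ldap-mode") == "principal-name" and "ldap-server" in entry


def vap_facts(cfg, name="Corp"):
    """Question 2: the facts the four answer options depend on."""
    vap = cfg["wireless-controller vap"][name]
    return {
        "client_isolation": vap.get("intra-vap-privacy") == "enable",
        "vlan_pooling": vap.get("vlan-pooling"),
        "vlan_pool": sorted(int(v) for v in vap.get("vlan-pool", {})),
        # Assumption: a bridge-mode SSID carries 'set local-bridging enable';
        # the exhibit has no such line, so this SSID is in tunnel mode.
        "bridge_mode": vap.get("local-bridging") == "enable",
    }


def round_robin_assign(cfg, clients, name="Corp"):
    """Simulate round-robin pooling: successive associations take the next
    VLAN in the pool, independent of any RADIUS attribute."""
    facts = vap_facts(cfg, name)
    if facts["vlan_pooling"] != "round-robin" or not facts["vlan_pool"]:
        raise ValueError("VAP does not use round-robin VLAN pooling")
    return dict(zip(clients, cycle(facts["vlan_pool"])))


if __name__ == "__main__":
    peer = parse_fortios(PEER_CONFIG)
    print("UPN checking:", upn_checking_enabled(peer))
    vap = parse_fortios(VAP_CONFIG)
    print(vap_facts(vap))
    print(round_robin_assign(vap, ["laptop-1", "laptop-2", "laptop-3"]))
```

The parser is deliberately strict about nesting: an unbalanced block raises instead of silently returning a partial tree, which is what you want when the input is a pasted exhibit that may have been truncated.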

Question 3

One method that you can use to deploy RADIUS single sign-on using Fortinet solutions is FortiGate RSSO. What other
methods can you consider when using additional Fortinet products and solutions? (Choose two.)

 FortiAuthenticator RSSO to FortiGate RSSO
 FortiAuthenticator RSSO to FSSO
 FortiAuthenticator and Syslog SSO
 FortiAuthenticator and FortiNAC SSO

There are three different ways to deploy RSSO, and one of them is given in the question:

FortiGate RSSO, FortiAuthenticator RSSO to FortiGate RSSO, and FortiAuthenticator RSSO to FSSO.


Question 4

What FortiSwitch feature is used to allow FortiGate to perform antivirus inspection on traffic between two network
devices in the same FortiSwitch VLAN? Select one:

 Access VLAN
 Switch group
 Untrusted ports
 Switch profiles

Question 5

An organization would like to implement RADIUS authentication using one FortiAuthenticator and multiple FortiGate
devices using the RSSO to FSSO conversion method. The administrator needs to configure a new FortiAuthenticator
and the FortiGate devices to apply the required settings.

What steps are required to configure FortiAuthenticator? (Choose two.)

 Enable RADIUS Account SSO Clients in FSSO general settings
 Configure RADIUS Accounting SSO Client in the FSSO accounting sources
 Use Local Users as the single sign-on type
 Configure User group attribute in the FSSO accounting sources

Converting RSSO messages to FSSO with FortiAuthenticator can be useful in environments with many FortiGates: the RADIUS accounting records are collected once, on FortiAuthenticator, and the resulting logon events are distributed to every FortiGate as FSSO.

Of the steps listed in the answers, only the first two are valid. The remaining steps are:

1. Configure the interface on which the RADIUS Accounting messages/records are expected.
2. Enable RADIUS Accounting SSO Clients under Fortinet SSO Methods > SSO > General.
3. Configure the RADIUS server as a RADIUS accounting proxy source.
4. Configure the rule set with the required RADIUS attributes.
5. Add the FortiGate as the RADIUS accounting proxy destination.
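Every RSSO variant above, whether the collector is the FortiGate or FortiAuthenticator, works from the same input: RADIUS Accounting-Request records (RFC 2866) that carry the user name, the framed IP address and a group attribute. The following Python is an added example, not part of the original page or of any Fortinet product. It builds a constructed Accounting-Start record, verifies the Request Authenticator with the shared secret, and maps the attributes onto the user/IP/group entry an SSO collector keeps. The shared secret and the sample user are constructed; using the Class attribute as the group source is an assumption that matches the FortiGate RSSO default.

```python
"""Decode RADIUS Accounting-Request records the way an RSSO collector does (added example)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4  # RFC 2866 packet code
ATTR_NAMES = {1: "User-Name", 8: "Framed-IP-Address", 25: "Class",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}
STATUS_TYPES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attr(code, value):
    """Encode one Type-Length-Value attribute (str, int or raw bytes)."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([code, 2 + len(value)]) + value


def build_acct_request(secret, ident, attrs):
    """Assemble an Accounting-Request; the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + attributes + secret), per RFC 2866."""
    body = b"".join(_attr(c, v) for c, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def authenticator_valid(packet, secret):
    """True when the Request Authenticator matches this shared secret."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_acct_request(packet, secret):
    """Return {attribute name: [values]}; raise on a bad packet or wrong secret."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not authenticator_valid(packet, secret):
        raise ValueError("Request Authenticator mismatch: wrong secret or altered packet")
    attrs, body, pos = {}, packet[20:], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        code, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        raw = body[pos + 2:pos + alen]
        pos += alen
        if code in (8, 40) and len(raw) != 4:
            raise ValueError(f"attribute {code} must be 4 octets")
        if code == 8:
            value = str(IPv4Address(raw))
        elif code == 40:
            value = STATUS_TYPES.get(struct.unpack("!I", raw)[0], "Unknown")
        else:
            value = raw.decode("utf-8", "replace")
        attrs.setdefault(ATTR_NAMES.get(code, f"Attr-{code}"), []).append(value)
    return attrs


def rsso_session(attrs):
    """Map an accounting record to the user/IP/group entry an SSO collector keeps.
    Assumption: the group is carried in Class, the FortiGate RSSO default."""
    actions = {"Start": "logon", "Interim-Update": "refresh", "Stop": "logoff"}
    return {
        "user": attrs["User-Name"][0],
        "ip": attrs["Framed-IP-Address"][0],
        "groups": attrs.get("Class", []),
        "action": actions.get(attrs["Acct-Status-Type"][0], "ignore"),
    }


# Constructed sample: a NAS reports that jsmith (group Sales) came online at 10.0.1.25.
SHARED_SECRET = b"fortinet-lab-secret"
SAMPLE_START = build_acct_request(SHARED_SECRET, 7, [
    (1, "jsmith"),
    (8, int(IPv4Address("10.0.1.25"))),
    (25, "Sales"),
    (40, 1),
    (44, "a1b2c3"),
])

if __name__ == "__main__":
    print(rsso_session(parse_acct_request(SAMPLE_START, SHARED_SECRET)))
```

The authenticator check is what stops an attacker on the accounting path from injecting a fake Start record that logs an arbitrary user onto an arbitrary IP; a record with a bad authenticator is rejected before any attribute is trusted, and the comparison is constant-time.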

Question 6

When enabling background scanning for rogue devices on an AP, how should the AP be configured? Select one:

 The AP should be configured to broadcast tunnel mode SSIDs only.
 The AP should be configured for DARRP.
 The AP should be configured as a dedicated monitor AP.
 The AP should be configured to be part of a Security Fabric.

This technique offers only poor rogue AP detection, because the radio scans other channels in short intervals while it keeps serving its own clients; it is enabled when you use Distributed Automatic Radio Resource Provisioning (DARRP).

Question 7

Which measures are considered to be measures of wireless capacity? (Choose two.)

 Link rates.
 Signal strength
 Channel utilisation
 Data throughput

Channel utilization is the main indicator of capacity around an interface. Measured as a percentage, it tells you how much free airtime is available, and it is the most important indicator of wireless capacity.
Another critical measure for a wireless interface is the number of clients associated with it. A high client count will always affect performance, but the applications in use and the types of clients also determine the data throughput that is achieved.

Question 8

Other than FortiGate, what Fortinet devices are required to automatically detect and quarantine compromised wired
host machines using the Security Fabric? (Choose two.)

 FortiAnalyzer
 FortiClient
 FortiSwitch
 FortiManager

Question 9

How does the user traffic travel through the FortiLink trunk? Select one:

 Encapsulated inside an SSL tunnel
 Through VLAN-tagged 802.1Q frames
 Encapsulated inside a CAPWAP tunnel
 Encapsulated inside the FortiLink protocol

The FortiLink interface between the FortiGate and the FortiSwitch is a trunk interface: all control traffic uses the native (untagged) VLAN, and user traffic is tagged with its VLAN ID using 802.1Q VLAN tagging.
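The distinction above is visible in the frame header itself: a tagged frame carries TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID, while an untagged frame goes straight from the source MAC to the EtherType. The following Python is an added example, not part of the original page; it builds constructed tagged and untagged frames, decodes them, classifies each as FortiLink control or user traffic, and shows the tag being stripped on egress toward a host on an access port. The MAC addresses and payloads are constructed.

```python
"""Build and decode 802.1Q-tagged Ethernet frames as seen on a FortiLink trunk (added example)."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4, vlan=None, pcp=0):
    """Return an Ethernet II frame; when vlan is given, insert a 4-byte 802.1Q
    tag (TPID 0x8100 + TCI: 3-bit PCP, 1-bit DEI, 12-bit VID) after the MACs."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    frame = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode the header; 'vlan' is None for an untagged (native VLAN) frame."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan, offset = tci >> 13, tci & 0xFFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def classify_on_fortilink(frame):
    """On the FortiLink trunk, untagged frames belong to the native VLAN that
    carries control traffic; tagged frames are user traffic in the tagged VLAN."""
    hdr = parse_frame(frame)
    if hdr["vlan"] is None:
        return "control traffic (native VLAN, untagged)"
    return f"user traffic, VLAN {hdr['vlan']}"


def access_port_egress(frame, access_vlan):
    """What an access port does before handing a trunk frame to a host: forward
    it with the tag removed if the VID is the port's access VLAN, otherwise drop
    it (returns None). Untagged trunk frames are control traffic and are dropped."""
    hdr = parse_frame(frame)
    if hdr["vlan"] != access_vlan:
        return None
    return frame[:12] + frame[16:]  # cut the 4-byte tag between the MACs and EtherType


# Constructed sample frames.
FGT_MAC = bytes.fromhex("00090f000001")
HOST_MAC = bytes.fromhex("a4b1c2d3e4f5")
USER_FRAME = build_frame(HOST_MAC, FGT_MAC, b"ip-payload", vlan=101, pcp=3)
CONTROL_FRAME = build_frame(FGT_MAC, HOST_MAC, b"control-payload")

if __name__ == "__main__":
    print(classify_on_fortilink(USER_FRAME))
    print(classify_on_fortilink(CONTROL_FRAME))
    print(access_port_egress(USER_FRAME, 101))
```

When you capture on the FortiLink port, the presence or absence of the 0x8100 tag after the source MAC is therefore enough to tell control traffic from user traffic, and the VID in the tag tells you which FortiGate VLAN interface the user frame belongs to.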

Question 10

Examine the partial debug output shown in the exhibit, and then answer the following question:
An LDAP user is unable to authenticate. What can cause this LDAP authentication to fail?

Select one:

 The user authentication failed at the admin binding stage.
 The user account password is invalid.
 The user does not belong to any of the authorized user groups.
 The user account does not exist on the LDAP server.

The image shows a user test against LDAP with the command diag test authserver ldap <LDAP_server_name> <username> <password>. After message ID 3 you can see result code 49 when the FortiGate binds with the user's account; in LDAP, result code 49 is invalidCredentials, which points to a problem with the password.

Question 11

Default VLANs are created on FortiGate when the FortiLink interface is created. By default, which VLAN is set as
Allowed VLANs on all FortiSwitch ports?

A. Sniffer VLAN

B. Quarantine VLAN

C. Camera VLAN

D. Voice VLAN

By default, a quarantine VLAN is configured as an allowed VLAN on all ports. It is used for hosts that are quarantined by Security Fabric automation actions, isolating the malicious traffic and preventing the attack from spreading from the infected hosts.

Question 12

802.1X port authentication is enabled on only those ports that the FortiSwitch security policy is assigned to. Which
configurable items are available when you configure the security policy on FortiSwitch? (Choose two.)

A. Default guest VLAN

B. Security mode

C. User groups

D. FSSO groups

Question 13

Refer to the exhibit.

Given the network topology shown in the exhibit, which two ports should be configured as untrusted DHCP ports?
(Choose two.)

A. FortiSwitch B, port1

B. FortiSwitch A, port2

C. FortiSwitch A, port1

D. FortiSwitch B, port2

Trusted ports are those that are expected to receive DHCP offers, such as the ports where legitimate DHCP servers are connected.

Untrusted ports are those that should never receive DHCP offers, such as the ports where user workstations are connected. A DHCP server reply arriving on an untrusted port is dropped by DHCP snooping.
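The trusted/untrusted rule reduces to one check per received DHCP message: is this a server-to-client message (OFFER, ACK or NAK, or any BOOTREPLY), and did it arrive on a port that is allowed to carry server replies? The following Python is an added example, not part of the original page or of FortiSwitch itself. It builds constructed DHCP messages, decodes the op field and option 53, and applies the snooping decision to a constructed port table; since the topology exhibit is not on this page, the port names and trust settings are assumptions and do not represent the exhibit's answer.

```python
"""DHCP snooping decision on trusted versus untrusted ports (added example)."""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


def build_dhcp(op, xid, msg_type, yiaddr=b"\0\0\0\0", chaddr=bytes.fromhex("a4b1c2d3e4f5")):
    """Minimal BOOTP/DHCP message: 236-byte fixed header, magic cookie, option 53, end."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)      # op, htype, hlen, hops, xid, secs, flags
    fixed += b"\0" * 4 + yiaddr + b"\0" * 8                       # ciaddr, yiaddr, siaddr, giaddr
    fixed += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    options = bytes([53, 1, msg_type]) + b"\xff"
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Return op, message type name and offered address; raise on non-DHCP input."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op = packet[0]
    yiaddr = ".".join(str(b) for b in packet[16:20])
    msg_type, pos = None, 240
    while pos < len(packet):
        code = packet[pos]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            pos += 1
            continue
        if pos + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if code == 53 and length == 1:
            msg_type = MESSAGE_TYPES.get(value[0], f"type-{value[0]}")
        pos += 2 + length
    return {"op": op, "msg_type": msg_type, "yiaddr": yiaddr}


def snoop(port_trusted, port, packet):
    """Decide whether a DHCP message received on `port` is forwarded.
    Server-to-client messages are accepted only from trusted ports; client
    messages are accepted on any port. Unknown ports count as untrusted."""
    msg = parse_dhcp(packet)
    is_server_msg = msg["op"] == BOOTREPLY or msg["msg_type"] in SERVER_MESSAGES
    if is_server_msg and not port_trusted.get(port, False):
        return ("drop", f"{msg['msg_type']} from untrusted port {port}: rogue DHCP server")
    if msg["op"] == BOOTREQUEST and msg["msg_type"] in SERVER_MESSAGES:
        return ("drop", "server message type carried inside a BOOTREQUEST")
    return ("forward", f"{msg['msg_type']} on port {port}")


# Constructed port table (not the exhibit's topology): the uplink toward the
# legitimate DHCP server is trusted, workstation ports are untrusted.
PORT_TRUST = {"uplink": True, "host1": False, "host2": False}

OFFER = build_dhcp(BOOTREPLY, 0x1234, 2, yiaddr=bytes([192, 168, 10, 50]))
DISCOVER = build_dhcp(BOOTREQUEST, 0x1234, 1)

if __name__ == "__main__":
    print(snoop(PORT_TRUST, "uplink", OFFER))    # forwarded: offer from the real server
    print(snoop(PORT_TRUST, "host2", OFFER))     # dropped: offer from a workstation port
    print(snoop(PORT_TRUST, "host1", DISCOVER))  # forwarded: clients may request anywhere
```

The default for a port missing from the trust table is untrusted, which mirrors the safe way to deploy snooping: mark only the uplink or server-facing ports trusted and leave everything else in the default state.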
