
[Aug 01, 2023] Get New NSE6_FAC-6.4 Practice Test Questions Answers
NSE6_FAC-6.4 Dumps and Exam Test Engine
NEW QUESTION # 21
How can a SAML metadata file be used?
- A. To define a list of trusted user names
- B. To import the required IDP configuration
- C. To resolve the IDP realm for authentication
- D. To correlate the IDP address to its hostname
Answer: B
Explanation:
A SAML metadata file can be used to import the required IDP configuration for SAML service provider mode. A SAML metadata file is an XML file that contains information about the identity provider (IDP) and the service provider (SP), such as their entity IDs, endpoints, certificates, and attributes. By importing a SAML metadata file from the IDP, FortiAuthenticator can automatically configure the necessary settings for SAML service provider mode.
NEW QUESTION # 22
Which two features of FortiAuthenticator are used for EAP deployment? (Choose two)
- A. RADIUS server
- B. Certificate authority
- C. LDAP server
- D. MAC authentication bypass
Answer: A,B
Explanation:
Two features of FortiAuthenticator that are used for EAP deployment are certificate authority and RADIUS server. Certificate authority allows FortiAuthenticator to issue and manage digital certificates for EAP methods that require certificate-based authentication, such as EAP-TLS or PEAP-EAP-TLS. RADIUS server allows FortiAuthenticator to act as an authentication server for EAP methods that use RADIUS as a transport protocol, such as EAP-GTC or PEAP-MSCHAPV2.
NEW QUESTION # 23
When you are setting up two FortiAuthenticator devices in active-passive HA, which HA role must you select on the master FortiAuthenticator?
- A. Active-passive master
- B. Load balancing master
- C. Standalone master
- D. Cluster member
Answer: A
Explanation:
When you are setting up two FortiAuthenticator devices in active-passive HA, you need to select the active-passive master role on the master FortiAuthenticator device. This role means that the device will handle all requests and synchronize data with the slave device until a failover occurs. The slave device must be configured as an active-passive slave role. The other roles are used for different HA modes, such as standalone (no HA), cluster (active-active), or load balancing (active-active with load balancing). Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372411/high-availability
NEW QUESTION # 24
What capability does the inbound proxy setting provide?
- A. It allows FortiAuthenticator to act as a proxy for remote authentication servers.
- B. It allows FortiAuthenticator the ability to round robin load balance remote authentication servers.
- C. It allows FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access.
- D. It allows FortiAuthenticator system access to authenticating users, based on a geo IP address designation.
Answer: C
Explanation:
The inbound proxy setting provides the ability for FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access. The inbound proxy setting allows FortiAuthenticator to use the X-Forwarded-For header in the HTTP request to identify the original client IP address. This can help FortiAuthenticator apply the correct authentication policy or portal policy based on the source IP address.
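The following is an added example, not code from the page or from FortiAuthenticator itself; it shows the logic an inbound-proxy setting implies when a service recovers the origin client IP from X-Forwarded-For. The proxy ranges, the policy names and the helper functions are constructed for illustration. The point a defender should take from it is in the first check: X-Forwarded-For is only trusted when the TCP peer is a known proxy, and the header is walked from the right so that values prepended by an untrusted client cannot pick the policy.

```python
import ipaddress
from typing import Optional

# Constructed example: reverse proxies trusted to append X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]

# Constructed example: policies selected by origin source address.
POLICY_BY_NETWORK = [
    (ipaddress.ip_network("198.51.100.0/24"), "corporate-portal-policy"),
    (ipaddress.ip_network("0.0.0.0/0"), "default-portal-policy"),
]


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the origin client address.

    peer_addr  -- the TCP peer the server actually sees.
    xff_header -- raw X-Forwarded-For value ("client, proxy1, proxy2") or None.

    The header is honoured only when the peer is a trusted proxy. Hops are
    walked right to left (nearest proxy first); the first hop that is not a
    trusted proxy is the client. A malformed hop falls back to the peer.
    """
    if not xff_header or not is_trusted_proxy(peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # garbage in the header: do not guess
        if not is_trusted_proxy(hop):
            return hop
    # Every listed hop was one of our own proxies; the peer is the client.
    return peer_addr


def select_policy(peer_addr: str, xff_header: Optional[str]) -> str:
    """Pick the portal policy from the resolved origin address (constructed helper)."""
    origin = ipaddress.ip_address(client_ip(peer_addr, xff_header))
    for net, name in POLICY_BY_NETWORK:
        if origin in net:
            return name
    return "default-portal-policy"


if __name__ == "__main__":
    # Direct client forging a header: the header is ignored.
    print(client_ip("203.0.113.5", "198.51.100.7"))
    # Through the trusted proxy: the nearest untrusted hop is the client.
    print(client_ip("10.1.1.1", "1.2.3.4, 198.51.100.7, 10.2.2.2"))
```

Note that the rightmost-untrusted rule requires the proxy list to be exact: if an address range that is not really a proxy is added to TRUSTED_PROXIES, a client in that range can inject an arbitrary origin and be evaluated against another network's policy.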
NEW QUESTION # 25
Why would you configure an OCSP responder URL in an end-entity certificate?
- A. To designate the SCEP server to use for CRL updates for that certificate
- B. To provide the CRL location for the certificate
- C. To identify the end point that a certificate has been assigned to
- D. To designate a server for certificate status checking
Answer: D
Explanation:
An OCSP responder URL in an end-entity certificate is used to designate a server for certificate status checking. OCSP stands for Online Certificate Status Protocol, which is a method of verifying whether a certificate is valid or revoked in real time. An OCSP responder is a server that responds to OCSP requests from clients with the status of the certificate in question. The OCSP responder URL in an end-entity certificate points to the location of the OCSP responder that can provide the status of that certificate.
NEW QUESTION # 26
You are the administrator of a global enterprise with three FortiAuthenticator devices. You would like to deploy them to provide active-passive HA at headquarters, with geographically distributed load balancing.
What would the role settings be?
- A. One standalone and two load balancers
- B. Two cluster members and one backup
- C. One standalone primary, one cluster member, and one load balancer
- D. Two cluster members and one load balancer
Answer: C
Explanation:
To deploy three FortiAuthenticator devices to provide active-passive HA at headquarters, with geographically distributed load balancing, the role settings would be:
One standalone primary, which acts as the master device for HA and load balancing.
One cluster member, which acts as the backup device for HA and load balancing.
One load balancer, which acts as a remote device that forwards authentication requests to the primary or cluster member device.
NEW QUESTION # 27
Which two statements about the RADIUS service on FortiAuthenticator are true? (Choose two)
- A. FortiAuthenticator answers only to RADIUS clients that are registered with FortiAuthenticator
- B. Only local users can be authenticated through RADIUS
- C. RADIUS users can be migrated to LDAP users
- D. Two-factor authentication cannot be enforced when using RADIUS authentication
Answer: A,C
Explanation:
Two statements about the RADIUS service on FortiAuthenticator are true:
RADIUS users can be migrated to LDAP users using the RADIUS learning mode feature. This feature allows FortiAuthenticator to learn user credentials from an existing RADIUS server and store them locally as LDAP users for future authentication requests.
FortiAuthenticator answers only to RADIUS clients that are registered with FortiAuthenticator. A RADIUS client is a device that sends RADIUS authentication or accounting requests to FortiAuthenticator. A RADIUS client must be added and configured on FortiAuthenticator before it can communicate with it.
NEW QUESTION # 28
A system administrator wants to integrate FortiAuthenticator with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO.
What feature does FortiAuthenticator offer for this type of integration?
- A. The ability to import and export users from CSV files
- B. REST API
- C. SNMP monitoring and traps
- D. RADIUS learning mode for migrating users
Answer: B
Explanation:
REST API is a feature that allows FortiAuthenticator to integrate with an existing identity management system with the goal of authenticating and deauthenticating users into FSSO. REST API stands for Representational State Transfer Application Programming Interface, which is a method of exchanging data between different systems using HTTP requests and responses. FortiAuthenticator provides a REST API that can be used by external systems to perform various actions, such as creating, updating, deleting, or querying users and groups, or sending FSSO logon or logoff events.
NEW QUESTION # 29
When configuring syslog SSO, which three actions must you take, in addition to enabling the syslog SSO method? (Choose three.)
- A. Define a syslog source.
- B. Set the syslog UDP port on FortiAuthenticator.
- C. Select a syslog rule for message parsing.
- D. Enable syslog on the FortiAuthenticator interface.
- E. Set the same password on both the FortiAuthenticator and the syslog server.
Answer: A,B,C
Explanation:
To configure syslog SSO, three actions must be taken, in addition to enabling the syslog SSO method:
Define a syslog source, which is a device that sends syslog messages to FortiAuthenticator containing user logon or logoff information.
Select a syslog rule for message parsing, which is a predefined or custom rule that defines how to extract the user name, IP address, and logon or logoff action from the syslog message.
Set the syslog UDP port on FortiAuthenticator, which is the port number that FortiAuthenticator listens on for incoming syslog messages.
NEW QUESTION # 30
Which network configuration is required when deploying FortiAuthenticator for portal services?
- A. One of the DNS servers must be a FortiGuard DNS server
- B. Policies must have specific ports open between FortiAuthenticator and the authentication clients
- C. FortiGate must be set up as the default gateway for FortiAuthenticator
- D. FortiAuthenticator must have REST API access enabled on port1
Answer: B
Explanation:
When deploying FortiAuthenticator for portal services, such as guest portal, sponsor portal, user portal or FortiToken activation portal, the network configuration must allow specific ports to be open between FortiAuthenticator and the authentication clients. These ports are:
TCP 80 for HTTP access
TCP 443 for HTTPS access
TCP 389 for LDAP access
TCP 636 for LDAPS access
UDP 1812 for RADIUS authentication
UDP 1813 for RADIUS accounting
NEW QUESTION # 31
You are a FortiAuthenticator administrator for a large organization. Users who are configured to use FortiToken 200 for two-factor authentication can no longer authenticate. You have verified that only the users with two-factor authentication are experiencing the issue.
What can cause this issue?
- A. One of the FortiAuthenticator devices in the active-active cluster has failed
- B. Time drift between FortiAuthenticator and hardware tokens
- C. FortiAuthenticator has lost contact with the FortiToken Cloud servers
- D. FortiToken 200 license has expired
Answer: B
Explanation:
One possible cause of the issue is time drift between FortiAuthenticator and hardware tokens. Time drift occurs when the internal clocks of FortiAuthenticator and hardware tokens are not synchronized. This can result in mismatched one-time passwords (OTPs) generated by the hardware tokens and expected by FortiAuthenticator. To prevent this issue, FortiAuthenticator provides a time drift tolerance option that allows a certain number of seconds of difference between the clocks.
NEW QUESTION # 32
Which two capabilities does FortiAuthenticator offer when acting as a self-signed or local CA? (Choose two)
- A. Creating, signing, and revoking of X.509 certificates
- B. Validating other CA CRLs using OCSP
- C. Importing other CA certificates and CRLs
- D. Merging local and remote CRLs using SCEP
Answer: A,C
Explanation:
FortiAuthenticator can act as a self-signed or local CA that can issue certificates to users, devices, or other CAs. It can also import other CA certificates and CRLs to trust them and validate their certificates. It can also create, sign, and revoke X.509 certificates for various purposes, such as VPN authentication, web server encryption, or wireless security. It cannot validate other CA CRLs using OCSP or merge local and remote CRLs using SCEP because these are protocols that require communication with external CAs. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372408/certificate-management
NEW QUESTION # 33
Which two statements about the self-service portal are true? (Choose two)
- A. Realms can be used to configure which self-registered users or groups can authenticate on the network
- B. Administrator approval is required for all self-registration
- C. Authenticating users must specify domain name along with username
- D. Self-registration information can be sent to the user through email or SMS
Answer: A,D
Explanation:
Two statements about the self-service portal are true:
Self-registration information can be sent to the user through email or SMS using the notification templates feature. This feature allows administrators to customize the messages that are sent to users when they register or perform other actions on the self-service portal.
Realms can be used to configure which self-registered users or groups can authenticate on the network using the realm-based authentication feature. This feature allows administrators to apply different authentication policies and settings to different groups of users based on their realm membership.
NEW QUESTION # 34
An administrator is integrating FortiAuthenticator with an existing RADIUS server with the intent of eventually replacing the RADIUS server with FortiAuthenticator.
How can FortiAuthenticator help facilitate this process?
- A. By configuring the RADIUS accounting proxy
- B. By enabling automatic REST API calls from the RADIUS server
- C. By enabling learning mode in the RADIUS server configuration
- D. By importing the RADIUS user records
Answer: C
Explanation:
FortiAuthenticator can help facilitate the process of replacing an existing RADIUS server by enabling learning mode in the RADIUS server configuration. This allows FortiAuthenticator to learn user credentials from the existing RADIUS server and store them locally for future authentication requests. This way, FortiAuthenticator can gradually take over the role of the RADIUS server without disrupting the user experience.
NEW QUESTION # 35
Which two statements about the EAP-TTLS authentication method are true? (Choose two)
- A. Supports a port access control (wired) solution only
- B. Uses digital certificates only on the server side
- C. Requires an EAP server certificate
- D. Uses mutual authentication
Answer: B,C
Explanation:
EAP-TTLS is an authentication method that uses digital certificates only on the server side to establish a secure tunnel between the server and the client. The client does not need a certificate but can use any inner authentication method supported by the server, such as PAP, CHAP, MS-CHAP, or EAP-MD5. EAP-TTLS requires an EAP server certificate that is issued by a trusted CA and installed on the FortiAuthenticator device acting as the EAP server. EAP-TTLS supports both wireless and wired solutions for port access control. Reference: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372412/eap-ttls
NEW QUESTION # 36
Which two protocols are the default management access protocols for administrative access for FortiAuthenticator? (Choose two)
- A. SNMP
- B. HTTPS
- C. Telnet
- D. SSH
Answer: B,D
Explanation:
HTTPS and SSH are the default management access protocols for administrative access for FortiAuthenticator. HTTPS allows administrators to access the web-based GUI of FortiAuthenticator using a web browser and a secure connection. SSH allows administrators to access the CLI of FortiAuthenticator using an SSH client and an encrypted connection. Both protocols require the administrator to enter a valid username and password to log in.
NEW QUESTION # 37
You are an administrator for a large enterprise and you want to delegate the creation and management of guest users to a group of sponsors.
How would you associate the guest accounts with individual sponsors?
- A. As an administrator, you can assign guest groups to individual sponsors.
- B. Select the sponsor on the guest portal, during registration.
- C. You can automatically add guest accounts to groups associated with specific sponsors.
- D. Guest accounts are associated with the sponsor that creates the guest account.
Answer: D
Explanation:
Guest accounts are associated with the sponsor that creates the guest account. A sponsor is a user who has permission to create and manage guest accounts on behalf of other users. A sponsor can create guest accounts using the sponsor portal or the REST API. The sponsor's username is recorded as a field in the guest account's profile.
NEW QUESTION # 38
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?
- A. Time and mobile location
- B. Time and seed
- C. UUID and time
- D. Time and FortiAuthenticator serial number
Answer: B
Explanation:
TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.
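As an added example (not code from the page or from any Fortinet product), the block below implements the TOTP algorithm of RFC 6238 on top of HOTP (RFC 4226) with HMAC-SHA1, so the two inputs named in the explanation, the time step and the shared seed, can be seen going into the HMAC. It also adds a `verify_totp` function with a tolerance window expressed in time steps, which is the idea behind the time-drift tolerance mentioned for hardware tokens in question 31; the window size and the seed are constructed for illustration. The seed used in the self-check at the bottom is the RFC 6238 test-vector key, so the expected values are the ones published in that RFC.

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(seed, counter) to a decimal code."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, drift_steps: int = 1) -> bool:
    """Accept a code from the current step or up to `drift_steps` steps either side.

    drift_steps models a clock-drift tolerance (constructed parameter): a token whose
    clock runs one step ahead or behind still validates; drift beyond the window does not.
    Comparison is constant-time so a verifier does not leak how many digits matched.
    """
    counter = unix_time // step
    for delta in range(-drift_steps, drift_steps + 1):
        expected = hotp(seed, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B SHA1 test key (ASCII "12345678901234567890").
    rfc_seed = b"12345678901234567890"
    print(totp(rfc_seed, 59, digits=8))          # 94287082 per RFC 6238
    print(totp(rfc_seed, 1111111109, digits=8))  # 07081804 per RFC 6238
    print(totp(rfc_seed, int(time.time())))      # a live 6-digit code
```

A verifier should keep the drift window as small as the token population allows: every extra step in either direction is one more code that will be accepted at that moment, so a wide window trades a little usability for a measurably larger guess space.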
NEW QUESTION # 39
You are a Wi-Fi provider and host multiple domains.
How do you delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device?
- A. Create realms.
- B. Create user groups
- C. Automatically import hosts from each domain as they authenticate.
- D. Create multiple directory trees on FortiAuthenticator
Answer: A
Explanation:
Realms are a way to delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device. A realm is a logical grouping of users and groups based on a common attribute, such as a domain name or an IP address range. Realms allow administrators to apply different authentication policies and settings to different groups of users based on their realm membership.
