New Year Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Fortinet NSE7_LED-7.0 Fortinet NSE 7 - LAN Edge 7.0 Exam Practice Test

Page: 1 / 4
Total 37 questions

Fortinet NSE 7 - LAN Edge 7.0 Questions and Answers

Question 1

Refer to the exhibit.

Question # 1

By default FortiOS creates the following DHCP server scope for the FortiLink interface as shown in the exhibit

What is the objective of the vci-string setting?

Options:

A.

To ignore DHCP requests coming from FortiSwitch and FortiExtender devices

B.

To reserve IP addresses for FortiSwitch and FortiExtender devices

C.

To restrict the IP address assignment to FortiSwitch and FortiExtender devices

D.

To restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname

Question 2

Which FortiSwitch VLANs are automatically created on FortGate when the first FortiSwitch device is discovered1?

Options:

A.

default quarantine, rspan voice video onboarding and nac_segment

B.

access, quarantine, rspan. voice, video, and onboarding

C.

default quarantine rspan voice video and nac_segment

D.

fortilink. quarantine erspan voice video and onboarding

Question 3

Where can FortiGate learn the FortiManager IP address or FQDN for zero-touch provisioning'?

Options:

A.

From an LDAP server using a simple bind operation

B.

From a TFTP server

C.

From a DHCP server using options 240 and 241

D.

From a DNS server using A or AAAA records

Question 4

Exhibit.

Question # 4

Refer to the exhibit showing a network topology and SSID settings.

FortiGate is configured to use an external captive portal However wireless users are not able to see the captive portal login page

Which configuration change should the administrator make to fix the problem?

Options:

A.

Enable NAT in the firewall policy with the ID 13.

B.

Add the FortiAuthenticator and WindowsAD address objects as exempt destinations services

C.

Enable the captive-portal-exempt option in the firewall policy with the ID 12

D.

Remove the guest.portal user group in the firewall policy with the ID 12

Question 5

Refer to the exhibit.

Question # 5

Examine the IPsec VPN phase 1 configuration shown in theexhibit

An administrator wants to use certificate-based authentication for an IPsec VPN user

Which three configuration changes must you make on FortiGate to perform certificate-based authentication for the IPsec VPN user? (Choose three)

Options:

A.

Create a PKI user for the IPsec VPN user, and then configure the IPsec VPN tunnel to accept the PKI user as peer

certificate

B.

In the Authentication section of the IPsec VPN tunnel in the Method drop-down list select Signature and then select the certificate that FortiGate will use for IPsec VPN

C.

In the IKE section of the IPsec VPN tunnel in the Mode field select Main (ID protection)

D.

Import the CA that signed the user certificate

E.

Enable XAUTH on the IPsec VPN tunnel

Question 6

You are configuring a FortiGate wireless network to support automated wireless client quarantine using IOC Which two configurations must you put in place for a wireless client to be quarantined successfully? (Choose two)

Options:

A.

Configure the wireless network to be in tunnel mode

B.

Configure the FortiGate device in the Security Fabric with a FortiAnalyzer device

C.

Configure a firewall policy to allow communication

D.

Configure the wireless network to be in bridge mode

Question 7

Which two statements about the MAC-based 802 1X security mode available on FortiSwitch are true? (Choose two.)

Options:

A.

FortiSwitch authenticates a single device and opens the port to other devices connected to the port

B.

FortiSwitch authenticates each device connected to the port

C.

It cannot be used in conjunction with MAC authentication bypass

D.

FortiSwitch can grant different access levels to each device connected to the port

Question 8

You are investigating a report of poor wireless performance in a network that you manage. The issue is related to an AP interface in the 5 GHz range You are monitoring the channel utilization over time.

What is the recommended maximum utilization value that an interface should not exceed?

Options:

A.

85%

B.

95%

C.

75%

D.

65%

Question 9

Refer to the exhibit.

Question # 9

Examine the network diagram and packet capture shown in the exhibit

The packet capture was taken between FortiGate and FortiAuthenticator and shows a RADIUS Access-Request packet sent by FortiSwitch to FortiAuthenticator through FortiGate

Why does the User-Name attribute in the RADIUS Access-Request packet contain the client MAC address?

Options:

A.

The client is performing AD machine authentication

B.

FortiSwitch is authenticating the client using MAC authentication bypass

C.

The client is performing user authentication

D.

FortiSwitch is sending a RADIUS accounting message to FortiAuthenticator

Question 10

Refer to the exhibit.

Question # 10

Examine the RADIUS server configuration shown in the exhibit

An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP

While testing the configuration the administrator noticed that the diagnosetest authserver command worked with PAP, however authentication requests failed when using MSCHAP2

Which two solutions can the administrator implement to get MSCHAP2 authentication to work'' (Choose two.)

Options:

A.

On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain

B.

On FortiGate configure the NAS IP setting on the RADIUS

server

C.

On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS

D.

On FortiGate update the Secret setting on the RADIUS server

Question 11

An administrator has configured an SSID in bridge mode for corporate employees All APs are online and provisioned using default AP profiles Employees are unable to locate the SSID to conned

Which two configurations can the administrator verify? (Choose two)

Options:

A.

Verify that the broadcast SSID option is enabled in the SSID configuration

B.

Verify that the Block Intra-SSID Traffic (intra-vap-privacy) option in the SSID configuration is disabled

C.

Verify that the SSID to an AP group that should be broadcasting the SSID is applied

D.

Verify that the SSID is manually applied on AP profiles for both 2 4 GHz and 5 GHz radios

Page: 1 / 4
Total 37 questions