NEW QUESTION 1
What capability does the inbound proxy setting provide?

• A. It allows FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access,
• B. It allows FortiAuthenticator to act as a proxy for remote authentication servers.
• C. It allows FortiAuthenticator the ability to round robin load balance remote authentication servers.
• D. It allows FortiAuthenticator system access to authenticating users, based on a geo IP address designation.

Answer: A

Explanation:
The inbound proxy setting provides the ability for FortiAuthenticator to determine the origin source IP address after traffic passes through a proxy for system access. The inbound proxy setting allows FortiAuthenticator to use the X-Forwarded-For header in the HTTP request to identify the original client IP address. This can help FortiAuthenticator apply the correct authentication policy or portal policy based on the source IP address.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/system-settings#inboun

NEW QUESTION 2
What are three key features of FortiAuthenticator? (Choose three)

• A. Identity management device
• B. Log server
• C. Certificate authority
• D. Portal services
• E. RSSO Server

Answer: ACD

Explanation:
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet Single Sign-On (FSSO). It also offers portal services for guest management,
self-service password reset, and device registration. It is not a log server or an RSSO server. References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/release-notes

NEW QUESTION 3
You are the administrator of a large network that includes a large local user datadabase on the current Fortiauthenticatior. You want to import all the local users into a new Fortiauthenticator device.
Which method should you use to migrate the local users?

• A. Import users using RADIUS accounting updates.
• B. Import the current directory structure.
• C. Import users from RADUIS.
• D. Import users using a CSV file.

Answer: D

Explanation:
The best method to migrate local users from one FortiAuthenticator device to another is to export the users from the current device as a CSV file and then import the CSV file into the new device. This method preserves all the user attributes and settings and allows you to modify them if needed before importing. The other methods are not suitable for migrating local users because they either require an external RADIUS server or do not transfer all the user information. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372409/user-management

NEW QUESTION 4
Which two are supported captive or guest portal authentication methods? (Choose two)

• A. Linkedln
• B. Apple ID
• C. Instagram
• D. Email

Answer: AD

Explanation:
FortiAuthenticator supports various captive or guest portal authentication methods, including social media login with Linkedln, Facebook, Twitter, Google+, or WeChat; email verification; SMS verification; voucher code; username and password; and MAC address bypass. Apple ID and Instagram are not supported as authentication methods. References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/37240

NEW QUESTION 5
Which of the following is an OATH-based standard to generate event-based, one-time password tokens?

• A. HOTP
• B. SOTP
• C. TOTP
• D. OLTP

Answer: A

NEW QUESTION 6
You are a Wi-Fi provider and host multiple domains.
How do you delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device?

• A. Create realms.
• B. Create user groups
• C. Create multiple directory trees on FortiAuthenticator
• D. Automatically import hosts from each domain as they authenticate.

Answer: A

Explanation:
Realms are a way to delegate user accounts, user groups and permissions per domain when they are authenticating on a single FortiAuthenticator device. A realm is a logical grouping of users and groups based on a common attribute, such as a domain name or an IP address range. Realms allow administrators to apply different authentication policies and settings to different groups of users based on their realm membership.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/user-management#real

NEW QUESTION 7
Which statement about the guest portal policies is true?

• A. Guest portal policies apply only to authentication requests coming from unknown RADIUS clients
• B. Guest portal policies can be used only for BYODs
• C. Conditions in the policy apply only to guest wireless users
• D. All conditions in the policy must match before a user is presented with the guest portal

Answer: D

Explanation:
Guest portal policies are rules that determine when and how to present the guest portal to users who want to access the network. Each policy has a set of conditions that can be based on various factors, such as the source IP address, MAC address, RADIUS client, user agent, or SSID. All conditions in the policy must match before a user is presented with the guest portal. Guest portal policies can apply to any authentication request coming from any RADIUS client, not just unknown ones. They can also be used for any type of device, not just BYODs. They can also apply to wired or VPN users, not just wireless users. References:
https://docs.fortinet.com/document/fortiauthenticator/6.4/administration-guide/372404/guest-management/37240

NEW QUESTION 8
What are three key features of FortiAuthenticator? (Choose three)

• A. Identity management device
• B. Log server
• C. Certificate authority
• D. Portal services
• E. RSSO Server

Answer: ACD

Explanation:
FortiAuthenticator is a user and identity management solution that provides strong authentication, wireless 802.1X authentication, certificate management, RADIUS AAA (authentication, authorization, and accounting), and Fortinet Single Sign-On (FSSO). It also offers portal services for guest management,
self-service password reset, and device registration. It is not a log server or an RSSO server. References: https://docs.fortinet.com/document/fortiauthenticator/6.4/release-notes

NEW QUESTION 9
Which two statements about the self-service portal are true? (Choose two)

• A. Self-registration information can be sent to the user through email or SMS
• B. Realms can be used to configure which seld-registered users or groups can authenticate on the network
• C. Administrator approval is required for all self-registration
• D. Authenticating users must specify domain name along with username

Answer: AB

Explanation:
Two statements about the self-service portal are true:
Self-registration information can be sent to the user through email or SMS using the notification templates feature. This feature allows administrators to customize the messages that are sent to users when they register or perform other actions on the self-service portal.
Realms can be used to configure which self-registered users or groups can authenticate on the network using the realm-based authentication feature. This feature allows administrators to apply different authentication policies and settings to different groups of users based on their realm membership.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/user-management#self- https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/user-management#real

NEW QUESTION 10
Which option correctly describes an SP-initiated SSO SAML packet flow for a host without a SAML assertion?

• A. Service provider contacts idendity provider, idendity provider validates principal for service provider, service provider establishes communication with principal
• B. Principal contacts idendity provider and is redirected to service provider, principal establishes connection with service provider, service provider validates authentication with identify provider
• C. Principal contacts service provider, service provider redirects principal to idendity provider, after succesfull authentication identify provider redirects principal to service provider
• D. Principal contacts idendity provider and authenticates, identity provider relays principal to service provider after valid authentication

Answer: C

Explanation:
SP-initiated SSO SAML packet flow for a host without a SAML assertion is as follows:
Principal contacts service provider, requesting access to a protected resource.
Service provider redirects principal to identity provider, sending a SAML authentication request.
Principal authenticates with identity provider using their credentials.
After successful authentication, identity provider redirects principal back to service provider, sending a SAML response with a SAML assertion containing the principal’s attributes.
Service provider validates the SAML response and assertion, and grants access to the principal.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/saml-service-provider#

NEW QUESTION 11
Which two types of digital certificates can you create in Fortiauthenticator? (Choose two)

• A. User certificate
• B. Organization validation certificate
• C. Third-party root certificate
• D. Local service certificate

Answer: AD

Explanation:
FortiAuthenticator can create two types of digital certificates: user certificates and local service certificates. User certificates are issued to users or devices for authentication purposes, such as VPN, wireless, or web access. Local service certificates are issued to FortiAuthenticator itself for securing its own services, such as HTTPS, RADIUS, or LDAP.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/certificate-management

NEW QUESTION 12
You are an administrator for a large enterprise and you want to delegate the creation and management of guest users to a group of sponsors.
How would you associate the guest accounts with individual sponsors?

• A. As an administrator, you can assign guest groups to individual sponsors.
• B. Guest accounts are associated with the sponsor that creates the guest account.
• C. You can automatically add guest accounts to groups associated with specific sponsors.
• D. Select the sponsor on the guest portal, during registration.

Answer: B

Explanation:
Guest accounts are associated with the sponsor that creates the guest account. A sponsor is a user who has permission to create and manage guest accounts on behalf of other users3. A sponsor can create guest accounts using the sponsor portal or the REST API3. The sponsor’s username is recorded as a field in the guest account’s profile3.
References: 3 https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/guest

NEW QUESTION 13
When generating a TOTP for two-factor authentication, what two pieces of information are used by the algorithm to generate the TOTP?

• A. UUID and time
• B. Time and seed
• C. Time and mobile location
• D. Time and FortiAuthenticator serial number

Answer: B

Explanation:
TOTP stands for Time-based One-time Password, which is a type of OTP that is generated based on two
pieces of information: time and seed. The time is the current timestamp that is synchronized between the client and the server. The seed is a secret key that is shared between the client and the server. The TOTP algorithm combines the time and the seed to generate a unique and short-lived OTP that can be used for two-factor authentication.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/two-factor-authenticati

NEW QUESTION 14
An administrator has an active directory (AD) server integrated with FortiAuthenticator. They want members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls.
How does the administrator accomplish this goal?

• A. Configure a FortiGate filter on FortiAuthenticatoc
• B. Configure a domain groupings list to identify the desired AD groups.
• C. Configure fine-grained controls on FortiAuthenticator to designate AD groups.
• D. Configure SSO groups and assign them to FortiGate groups.

Answer: D

Explanation:
To allow members of only specific AD groups to participate in FSSO with their corporate FortiGate firewalls, the administrator can configure SSO groups and assign them to FortiGate groups. SSO groups are groups of users or devices that are defined on FortiAuthenticator based on various criteria, such as user group membership, source IP address, MAC address, or device type. FortiGate groups are groups of users or devices that are defined on FortiGate based on various criteria, such as user group membership, firewall policy, or authentication method. By mapping SSO groups to FortiGate groups, the administrator can control which users or devices can access the network resources protected by FortiGate.
References:
https://docs.fortinet.com/document/fortiauthenticator/6.4.0/administration-guide/906179/single-sign-on#sso-gro

NEW QUESTION 15
......