Weekend Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Home
Fortinet
NSE 7 Network Security Architect
NSE7_LED-7.0
Fortinet NSE 7 - LAN Edge 7.0 Questions and Answers

Pass the Fortinet NSE 7 Network Security Architect NSE7_LED-7.0 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam NSE7_LED-7.0 Premium Access

View all detail and faqs for the NSE7_LED-7.0 exam

Go to Exam

396 Students Passed

95% Average Score

97% Same Questions

Viewing page 1 out of 2 pages

Viewing questions 1-10 out of questions

Questions # 1:

Refer to the exhibit.

Question # 1

Examine the network diagram and packet capture shown in the exhibit

The packet capture was taken between FortiGate and FortiAuthenticator and shows a RADIUS Access-Request packet sent by FortiSwitch to FortiAuthenticator through FortiGate

Why does the User-Name attribute in the RADIUS Access-Request packet contain the client MAC address?

Options:

The client is performing AD machine authentication

FortiSwitch is authenticating the client using MAC authentication bypass

The client is performing user authentication

FortiSwitch is sending a RADIUS accounting message to FortiAuthenticator

Answer

Explanation

According to the exhibit, the User-Name attribute in the RADIUS Access-Request packet contains the client MAC address of 00:0c:29:6a:2b:3d. This indicates that FortiSwitch is authenticating the client using MAC authentication bypass (MAB), which is a method of authenticating devices that do not support 802.1X by using their MAC address as the username and password. Therefore, option B is true because it explains why the User-Name attribute contains the client MAC address. Option A is false because AD machine authentication uses a computer account name and password, not a MAC address. Option C is false because userauthentication uses a user name and password, not a MAC address. Option D is false because FortiSwitch is sending a RADIUS Access-Request message to FortiAuthenticator, not a RADIUS accounting message.

Questions # 2:

Refer to the exhibit

Question # 2

Examine the FortiGate RSSO configuration shown in the exhibit

FortiGate is configured to receive RADIUS accounting messages on port3 to authenticate RSSO users The users are located behind port3 and the internet link is connected to port1 FortiGate is processing incoming RADIUS accounting messages successfully and RSSO users are getting associated with the RSSO Group user group However all the users are able to access the internet, and the administrator wants to restrict internet access to RSSO users only

Which configuration change should the administrator make to fix the problem?

Options:

Change the RADIUS Attribute Value selling to match the name of the RADIUS attribute containing the group membership information of the RSSO users

Add RSSO Group to the firewall policy

Enable Security Fabric Connection on port3

Create a second firewall policy from port3 lo port1 and select the target destination subnets

Answer

Explanation

According to the exhibit, the firewall policy from port3 to port1 has no user group specified, which means that it allows all users to access the internet. Therefore, option B is true because adding RSSO Group to the firewall policy will restrict internet access to RSSO users only. Option A is false because changing the RADIUS Attribute Value setting will not affect the firewall policy, but rather the RSSO user group membership. Option C is false because enabling Security Fabric Connection on port3 will not affect the firewall policy, but rather the communication between FortiGate and other Security Fabric devices. Option D is false because creating a second firewall policy from port3 to port1 will not affect the existing firewall policy, but rather create a redundant or conflicting policy.

Questions # 3:

Where can FortiGate learn the FortiManager IP address or FQDN for zero-touch provisioning'?

Options:

From an LDAP server using a simple bind operation

From a TFTP server

From a DHCP server using options 240 and 241

From a DNS server using A or AAAA records

Answer

Explanation

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/861490/zero-touch-provisioning-with-fortimanager "A DHCP server includes option 240 and 241 which records FortiManager IP and domain name. FortiGate has an interface with the default DHCP client mode that is connected to the DHCP server in the intranet."

Questions # 4:

A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS)

Which two changes must the administrator make to enforce HTTPS authentication"? (Choose two >

Options:

Create a new SSID with the HTTPS captive portal URL

Enable HTTP redirect in the user authentication settings

Disable HTTP administrative access on the guest SSID to enforce HTTPS connection

Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator

Answer

B, D

Explanation

According to the FortiGate Administration Guide, “To enable HTTPS authentication, you must enable HTTP redirect in the user authentication settings. This redirects HTTP requests to HTTPS. You must also update the captive portal URL to use HTTPS on both FortiGate and FortiAuthenticator.” Therefore, options B and D are true because they describe the changes that the administrator must make to enforce HTTPS authentication for the captive portal. Option A is false because creating a new SSID with the HTTPS captive portal URL is not required, as the existing SSID can be updated with the new URL. Option C is false because disabling HTTP administrative access on the guest SSID will not enforce HTTPS connection, but rather block HTTP connection.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-secure-authentication-HTTPS-on-a-FortiGate/ta-p/192486

Questions # 5:

Which FortiSwitch VLANs are automatically created on FortGate when the first FortiSwitch device is discovered1?

Options:

default quarantine, rspan voice video onboarding and nac_segment

access, quarantine, rspan. voice, video, and onboarding

default quarantine rspan voice video and nac_segment

fortilink. quarantine erspan voice video and onboarding

Answer

Explanation

Based on LAN Edge 7.0 Study Guide page 217 When FortiGate discovers the first switch, it automatically adds to its configuration some settings that are default, quarantine, rspan, voice, video, onboarding, and nac_segment

Questions # 6:

Which two statements about FortiSwitch trunks are true? (Choose two.)

Options:

A trunk is a link aggregation group interface.

By default, when connecting two FortiSwitch devices to each other, a trunk is automatically created between the switches.

Trunks do not support tagged Ethernet frames.

LACP is not supported.

Answer

A, B

Questions # 7:

Refer to the exhibit.

Question # 7

Examine the IPsec VPN phase 1 configuration shown in the exhibit

An administrator wants to use certificate-based authentication for an IPsec VPN user

Which three configuration changes must you make on FortiGate to perform certificate-based authentication for the IPsec VPN user? (Choose three)

Options:

Create a PKI user for the IPsec VPN user, and then configure the IPsec VPN tunnel to accept the PKI user as peer certificate.

In the IKE section of the IPsec VPN tunnel, in the Mode field, select Main (ID protection).

Import the CA that signed the user certificate.

Enable XAUTH on the IPsec VPN tunnel.

In the Authentication section of the IPsec VPN tunnel, in the Method drop-down list, select Signature, and then select the certificate that FortiGate will use for IPsec VPN.

Answer

C, D, E

Questions # 8:

Refer to the exhibit.

Question # 8

Examine the debug output shown in the exhibit

Which two statements about the RADIUS debug output are true'' (Choose two)

Options:

The user student belongs to the SSLVPN group

User authentication failed

The RADIUS server sent a vendor-specific attribute in the RADIUS response

User authentication succeeded using MSCHAP

Answer

A, C

Questions # 9:

Refer to the exhibits.

Question # 9

Examine the LDAP server configuration and output shown in the exhibits.

Question # 9

Note that the Distinguished Name and Username settings on the LDAP server configuration have been expanded to display their full contents.

An LDAP user named student cannot authenticate. While testing the student account, the administrator gets the CLI output shown in the exhibit.

According to the output, which FortiGate LDAP server settings must the administrator check?

Options:

Distinguished Name

Bind Type

Common Name Identifier

Username

Answer

Questions # 10:

An administrator is deploying AP's that are connecting over an IPsec network. All APs have been configured to connect to FortiGate manually. FortiGate can discover the APs and authorize them. However, FortiGate is unable to establish CAPWAP tunnels to manage the APs.

Which configuration setting can the administrator perform to resolve the problem?

Options:

Upgrade the FortiAP firmware image to ensure compatibility with the FortiOS version.

Decrease the CAPWAP tunnel MTU size for APs to prevent fragmentation.

Enable CAPWAP administrative access on the IPsec interface.

Assign a custom AP profile for the remote APs with the set mpls-connection option enabled.

Answer

Viewing page 1 out of 2 pages

Viewing questions 1-10 out of questions

Modal title

Registered Required

In order to participate in the comments you need to be logged-in.
You can sign-up or login (it's free).

TOP CODES

Top selling exam codes in the certification world, popular, in demand and updated to help you pass on the first try.

2V0-11.25

ADM-201

Agentforce-Specialist

CMMC-CCP

Data-Cloud-Consultant

PCNSE

PDI

PSE-Strata-Pro-24

Secure-Software-Design

Sharing-and-Visibility-Architect

Workday-Pro-Integrations

ZDTA