NEW QUESTION 1
Which two statements about the MAC-based 802 1X security mode available on FortiSwitch are true? (Choose two.)

• A. FortiSwitch authenticates a single device and opens the port to other devices connected to the port
• B. FortiSwitch authenticates each device connected to the port
• C. It cannot be used in conjunction with MAC authentication bypass
• D. FortiSwitch can grant different access levels to each device connected to the port

Answer: BD

Explanation:
According to the FortiSwitch Administration Guide, “MAC-based 802.1X security mode allows you to authenticate each device connected to a port using its MAC address as the username and password.” Therefore, option B is true because it describes the MAC-based 802.1X security mode available on FortiSwitch. Option D is also true because FortiSwitch can grant different access levels to each device connected to the port based on the user group and security policy assigned to them. Option A is false because FortiSwitch does not authenticate a single device and open the port to other devices connected to the port, but rather authenticates each device individually. Option C is false because MAC-based 802.1X security mode can be used in conjunction with MAC authentication bypass (MAB) or EAP pass-through modes, which are fallback options for non-802.1X devices.

NEW QUESTION 2
An administrator has configured an SSID in bridge mode for corporate employees All APs are online and provisioned using default AP profiles Employees are unable to locate the SSID to conned
Which two configurations can the administrator verify? (Choose two)

• A. Verify that the broadcast SSID option is enabled in the SSID configuration
• B. Verify that the Block Intra-SSID Traffic (intra-vap-privacy) option in the SSID configuration is disabled
• C. Verify that the SSID to an AP group that should be broadcasting the SSID is applied
• D. Verify that the SSID is manually applied on AP profiles for both 2 4 GHz and 5 GHz radios

Answer: AC

Explanation:
According to the FortiAP Configuration Guide1, “To enable the SSID, you must select at least one channel for the radio. If no channels are selected, the SSID will not be enabled. You must also enable Broadcast SSID.” Therefore, option A is true because the broadcast SSID option allows the SSID to be visible to wireless clients. Option C is also true because the SSID must be applied to an AP group that contains the APs that should be broadcasting the SSID. According to the same guide1, “You can create AP groups and assign them to different locations or departments. You can then apply different settings, such as SSIDs, to each group.” Option B is false because blocking intra-SSID traffic prevents wireless clients on the same SSID from communicating with each other, which is not related to broadcasting the SSID. Option D is false because the SSID can be applied to an AP group or a global profile, which will automatically apply to all APs, without manually configuring each AP profile.

NEW QUESTION 3
You are configuring a FortiGate wireless network to support automated wireless client quarantine using IOC Which two configurations must you put in place for a wireless client to be quarantined successfully? (Choose two)

• A. Configure the wireless network to be in tunnel mode
• B. Configure the FortiGate device in the Security Fabric with a FortiAnalyzer device
• C. Configure a firewall policy to allow communication
• D. Configure the wireless network to be in bridge mode

Answer: AB

Explanation:
According to the FortiGate Administration Guide, “To enable automated wireless client quarantine using IOC, you must configure the following settings: Configure your wireless network to be in tunnel mode. This allows FortiGate to inspect all wireless traffic and applysecurity policies. Configure your FortiGate device in the Security Fabric with a FortiAnalyzer device. This allows FortiAnalyzer to detect indicators of compromise (IOC) from wireless traffic and send quarantine commands to FortiGate.” Therefore, options A and B are true because they describe the configurations that must be put in place for a wireless client to be quarantined successfully using IOC. Option C is false because configuring a firewall policy to allow communication is not required, as the default firewall policy for tunnel mode wireless networks is to allow all traffic. Option D is false because configuring the wireless network to be in bridge mode is not supported, as FortiGate cannot inspect or quarantine wireless traffic in bridge mode.

NEW QUESTION 4
An administrator is testing the connectivity for a new VLAN The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate Quarantine is disabled on FortiGate
While testing the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices The administrator also noticed that inter-VLAN communication works However intra-VLAN communication does not work
Which scenario is likely to cause this issue?

• A. Access VLAN is enabled on the VLAN
• B. The native VLAN configured on the ports is incorrect
• C. The FortiSwitch MAC address table is missing entries
• D. The FortiGate ARP table is missing entries

Answer: C

Explanation:
According to the scenario, the devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate, which means that the devices are not blocked by any security policy. The devices can ping FortiGate and FortiGate can ping the devices, which means that the IP connectivity is working. Inter-VLAN communication works, which means that the routing between VLANs is working. However, intra-VLAN communication does not work, which means that the switching within the VLAN is not working. Therefore, option C is true because the FortiSwitch MAC address table is missing entries, which means that the FortiSwitch does not know how to forward frames to the destination MAC addresses within the VLAN. Option A is false because access VLAN is enabled on the VLAN, which means that the VLAN ID is added to the frames on ingress and removed on egress. This does not affect intra-VLAN communication. Option B is false because the native VLAN configured on the ports is incorrect, which means that the frames on the native VLAN are not tagged with a VLAN ID. This does not affect intra-VLAN communication. Option D is false because the FortiGate ARP table is missing entries, which means that FortiGate does not know how to map IP addresses to MAC addresses. This does not affect intra-VLAN communication.

NEW QUESTION 5
Refer to the exhibit

Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page.This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser

Which two settings are the likely causes of the issue? (Choose two.)

• A. The external server FQDN is incorrect
• B. The wireless user's browser is missing a CA certificate
• C. The FortiGate authentication interface address is using HTTPS
• D. The user address is not in DDNS form

Answer: AB

Explanation:
According to the exhibit, the wireless guest users are getting a certificate error while loading the captive portal login page. This means that the browser cannot verify the identity of the server that is hosting the login page. Therefore, option A is true because the external server FQDN is incorrect, which means that it does not match the common name or subject alternative name of the server certificate. Option B is also true because the wireless user’s browser is missing a CA certificate, which means that it does not have the root or intermediate certificate that issued the server certificate. Option C is false because the FortiGate authentication interface address is using HTTPS, which is a secure protocol that encrypts the communication between the browser and the server. Option D is false because the user address is not in DDNS form, which is not related to the certificate error.

NEW QUESTION 6
You are setting up an SSID (VAP) to perform RADlUS-authenticated dynamic VLAN allocation Which three RADIUS attributes must be supplied by the RADIUS server to enable successful VLAN
allocation'' (Choose three.)

• A. Tunnel-Private-Group-ID
• B. Tunnel-Pvt-Group-ID
• C. Tunnel-Preference
• D. Tunnel-Type
• E. Tunnel-Medium-Type

Answer: ADE

Explanation:
According to the FortiAP Configuration Guide, "To perform RADIUS-authenticated dynamic VLAN allocation, the RADIUS server must supply the following RADIUS attributes: Tunnel-Private-Group-ID, which specifies the VLAN ID to assign to the user. Tunnel-Type, which specifies the tunneling protocol used for the VLAN. The value must be 13 (VLAN). Tunnel-Medium-Type, which specifies the transport medium used for the VLAN. The value must be 6 (802). Therefore, options A, D, and E are true because they describe the RADIUS attributes that must be supplied by the RADIUS server to enable successful VLAN allocation.
Option B is false because Tunnel-Pvt-Group-ID is not a valid RADIUS attribute name, but rather a typo for Tunnel-Private-Group-ID. Option C is false because Tunnel-Preference is not a required RADIUS attribute for dynamic VLAN allocation, but rather an optional attribute that specifies the priority of the VLAN.

NEW QUESTION 7
Refer to the exhibit

A device connected to port2 on FortiSwitch cannot access the network The port is assigned a security policy to enforce 802 1X authentication While troubleshooting the issue, the administrator obtains the debug output shown in the exhibit
Which two scenarios are likely to cause this issue? (Choose two.)

• A. The device is not configured for 802 IX authentication.
• B. The device has been quarantined for 3600 seconds.
• C. The device has been assigned the guest VLAN
• D. The device does not support 802 1X authentication

Answer: AD

Explanation:
According to the exhibit, the debug output shows that the device connected to port2 on FortiSwitch is sending an EAPOL-Start message, which is the first step of the 802.1X authentication process. However, the output also shows that the device is not sending any EAP-Response messages, which are required to complete the authentication process. Therefore, option A is true because the device is not configured for 802.1X authentication, which means that it does not have the correct credentials or settings to authenticate with the RADIUS server. Option D is also true because the device does not support 802.1X authentication, which means that it does not have the capability or software to perform 802.1X authentication. Option B is false because the device has not been quarantined for 3600 seconds, but rather has a session timeout of 3600 seconds, which is the default value for 802.1X sessions. Option C is false because the device has not been assigned the guest VLAN, but rather has been assigned the default VLAN, which is VLAN 1.

NEW QUESTION 8
Refer to the exhibit.

Examine the FortiManager configuration and FortiGate CLI output shown in the exhibit
An administrator is testing the NAC feature The test device is connected to a managed FortiSwitch device
{S224EPTF19"53€7)onpOrt2
After applying the NAC policy on port2 and generating traffic on the test device the test device is not matching the NAC policy therefore the test device remains m the onboarding VLAN
Based on the information shown in the exhibit which two scenarios are likely to cause this issue? (Choose two.)

• A. Management communication between FortiGate and FortiSwitch is down
• B. The MAC address configured on the NAC policy is incorrect
• C. The device operating system detected by FortiGate is not Linux
• D. Device detection is not enabled on VLAN 4089

Answer: AB

Explanation:
According to the FortiManager configuration, the NAC policy is set to match devices with the MAC address of 00:0c:29:6a:2b:3c and the operating system of Linux.However, according to the FortiGate CLI output, the test device has a different MAC address of 00:0c:29:6a:2b:3d. Therefore, option B is true. Option A is also true because the FortiSwitch device status is shown as down, which means that the management
communication between FortiGate and FortiSwitch is not working properly. This could prevent the NAC policy from being applied correctly. Option C is false because the device operating system detected by FortiGate is Linux, which matches the NAC policy. Option D is false because device detection is enabled on VLAN 4089, as shown by the command “config switch-controller vlan”.

NEW QUESTION 9
Which FortiSwitch VLANs are automatically created on FortGate when the first FortiSwitch device is discovered1?

• A. default quarantine, rspan voice video onboarding and nac_segment
• B. access, quarantine, rspa
• C. voice, video, and onboarding
• D. default quarantine rspan voice video and nac_segment
• E. fortilin
• F. quarantine erspan voice video and onboarding

Answer: D

Explanation:
According to the FortiGate Administration Guide, “When you add a FortiSwitch device to the Security Fabric, FortiGate automatically creates the following VLANs on theFortiSwitch device: fortilink, quarantine, erspan, voice, video, and onboarding.” Therefore, option D is true because it lists the FortiSwitch VLANs that are automatically created on FortiGate when the first FortiSwitch device is discovered. Option A is false because default and nac_segment are not among the automatically created VLANs. Option B is false because access and rspan are not among the automatically created VLANs. Option C is false because default and nac_segment are not among the automatically created VLANs.

NEW QUESTION 10
Refer to the exhibit.

By default FortiOS creates the following DHCP server scope for the FortiLink interface as shown in the exhibit
What is the objective of the vci-string setting?

• A. To ignore DHCP requests coming from FortiSwitch and FortiExtender devices
• B. To reserve IP addresses for FortiSwitch and FortiExtender devices
• C. To restrict the IP address assignment to FortiSwitch and FortiExtender devices
• D. To restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname

Answer: C

Explanation:
According to the exhibit, the DHCP server scope for the FortiLink interface has a vci-string setting with the value “Cisco AP c2700”. This setting is used to match the vendor class identifier (VCI) of the DHCP clients that request an IP address from the DHCP server. The VCI is a text string that uniquely identifies a type of vendor device. Therefore, option C is true because the vci-string setting restricts the IP address assignment to FortiSwitch and FortiExtender devices, which use the VCI “Cisco AP c2700”. Option A is false because the vci-string setting does not ignore DHCP requests coming from FortiSwitch and FortiExtender devices, but rather accepts them. Option B is false because the vci-string setting does not reserve IP addresses for FortiSwitch and FortiExtender devices, but rather assigns them dynamically. Option D is false because the vci-string setting does not restrict the IP address assignment to devices that have FortiSwitch or FortiExtender as their hostname, but rather to devices that have “Cisco AP c2700” as their VCI.

NEW QUESTION 11
Which two statements about the guest portal on FortiAuthenticator are true? (Choose two.)

• A. Each remote user on FortiAuthenticator can sponsor up to 10 guest accounts
• B. Administrators must approve all guest accounts before they can be used
• C. The guest portal provides pre and post-log in services
• D. Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal

Answer: CD

Explanation:
According to the FortiAuthenticator Administration Guide2, “The guest portal provides pre and post-log in services for users (such as password reset and token registration abilities), and rules and replacement messages can be configured.” Therefore, option C is true. The same guide also states that “Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal.” Therefore, option D is true. Option A is false because remote users can sponsor any number of guest accounts, as long as they do not
exceed the maximum number of guest accounts allowed by the license. Option B is false because administrators can choose to approve or reject guest accounts, or enable auto-approval.

NEW QUESTION 12
......