Fortinet NSE7_LED-7.0 Exam Dumps & Practice Test Questions

Question 1:

After reviewing the FortiGate user group setup and the Windows Active Directory LDAP group membership shown, FortiGate is configured to authenticate SSL VPN users using LDAP against Windows AD. The administrator has set up the SSL VPN user group, but both users, “student” and “jsmith”, are able to connect to the SSL VPN.

What modification should the administrator make on FortiGate to limit SSL VPN access exclusively to the student user?

A. Set the Group Name in the SSL VPN user group configuration to CN=SSLVPN,CN=Users,DC=trainingAD,DC=training,DC=lab.
B. Change the Name field in the SSL VPN user group configuration to CN=SSLVPN,CN=Users,DC=trainingAD,DC=training,DC=lab.
C. Set the Group Name in the SSL VPN user group configuration to CN=Domain Users,CN=Users,DC=trainingAD,DC=training,DC=lab.
D. Change the user group Type to Fortinet Single Sign-On (FSSO).

Correct answer: A

Explanation:

To ensure that only the student user is allowed SSL VPN access, the administrator must correctly configure the SSL VPN user group on FortiGate to filter users based on their LDAP group membership in Active Directory (AD). The current situation where both "student" and "jsmith" can connect indicates that the group membership filter is too broad or improperly specified.

The key to restricting access lies in configuring the Group Name field with the exact distinguished name (DN) of the specific AD group that contains only the desired users — in this case, the group named “SSLVPN.” By setting the Group Name to CN=SSLVPN,CN=Users,DC=trainingAD,DC=training,DC=lab, FortiGate will only allow users who belong to that AD group to authenticate via SSL VPN.

Option A correctly specifies this group name, effectively limiting VPN access to the "student" user if that user is the sole member of the “SSLVPN” group. The Group Name field acts as a filter in LDAP queries, allowing FortiGate to validate that only group members can log in.

Option B is incorrect because it changes the Name field rather than the Group Name. The Name field is merely a label within FortiGate’s configuration and does not influence LDAP filtering or membership validation.

Option C sets Group Name to “Domain Users,” which is a default group containing many users, including "jsmith." This setting would broaden access instead of restricting it.

Option D involves changing the authentication type to Fortinet Single Sign-On (FSSO), which is unrelated to LDAP group filtering and won’t resolve the issue at hand.

In summary, Option A is correct because it ensures FortiGate filters SSL VPN access by the correct LDAP group, restricting the service to only the student user.

Question 2:

An administrator has set up a guest wireless network on a FortiGate device using an external captive portal. Although the captive portal URL has been verified as correct, wireless clients cannot see the captive portal login page. 

Given the firewall policy and SSID configurations, what should the administrator change to resolve this issue?

A. Disable the user group setting in the SSID configuration.
B. Enable the captive-portal-exempt option in the firewall policy with ID 11.
C. Apply a guest.portal user group in the firewall policy with ID 11.
D. Add the wireless client subnet to the Exempt Source list.

Correct answer: B

Explanation:

When deploying a guest wireless network with an external captive portal, one critical aspect is ensuring users are correctly redirected to the portal login page before gaining broader network access. If wireless users cannot see the captive portal, the problem often lies in firewall policy settings that control how traffic is handled during the authentication phase.

Option B is the most appropriate fix. Enabling the captive-portal-exempt option in the firewall policy tells the FortiGate to allow specific traffic related to the captive portal process to bypass normal restrictions. This exemption is crucial because, without it, the firewall might block or fail to redirect user traffic to the external captive portal URL, preventing the login page from appearing.

Examining other options:

  • Option A, disabling the user group in the SSID configuration, does not directly affect captive portal behavior. While user groups manage authentication, the issue described is that users never see the portal, indicating a redirection or firewall issue rather than user group membership.

  • Option C, applying a guest.portal user group in the firewall policy, is related to access control but would not fix a problem where the portal login page itself is not shown. This option is more about authorizing authenticated users post-login.

  • Option D, including the wireless client subnet in the Exempt Source list, allows those IP addresses to bypass captive portal controls. However, this would defeat the purpose of captive portal authentication by allowing clients unrestricted access, and it does not address the failure to show the login page in the first place.

Thus, enabling the captive-portal-exempt flag on the firewall policy (Option B) ensures that initial connection attempts can reach the external captive portal correctly, resolving the issue of the login page not appearing.

Question 3:

Which two statements correctly describe the MAC-based 802.1X security mode available on FortiSwitch? (Choose two.)

A. FortiSwitch authenticates the first device on the port and then allows other devices to connect without additional authentication.
B. FortiSwitch individually authenticates every device connected to the port.
C. MAC-based 802.1X cannot be combined with MAC authentication bypass (MAB).
D. FortiSwitch can assign different access permissions to each device connected to the port.

Correct answers: A and D

Explanation:

MAC-based 802.1X security on FortiSwitch uses the MAC address of devices as the basis for authentication, differing from traditional 802.1X that typically authenticates users with credentials. When a device connects to a port configured for MAC-based 802.1X, FortiSwitch authenticates the MAC address of that first device. Once authenticated, the port is “opened,” meaning other devices can connect through the same port without needing to be individually authenticated. This behavior aligns with Option A, which is true because only the first device undergoes authentication, and the rest benefit from the open port.

Option B is incorrect since MAC-based 802.1X does not authenticate every device on the port—only the initial device’s MAC address is checked. Devices that connect later are not individually authenticated by the switch.

Option C wrongly states that MAC-based 802.1X can’t be used with MAC authentication bypass. In reality, FortiSwitch supports combining both, where devices can be authenticated either by MAC-based 802.1X or bypassed under specific conditions using MAB.

Option D is true because FortiSwitch can apply different access policies or levels to devices based on their MAC addresses, allowing customized access control per device connected to the same port.

In summary, A and D accurately describe how FortiSwitch handles MAC-based 802.1X security, making them the correct choices.

Question 4:

In a school wireless network using a captive portal for guest access, the administrator needs to ensure that captive portal authentication is secured with HTTPS. 

Which two actions are necessary to enforce HTTPS for the captive portal? (Choose two.)

A. Create a new SSID that directs users to the HTTPS captive portal URL.
B. Enable HTTP redirect within user authentication settings.
C. Disable HTTP administrative access on the guest SSID to enforce HTTPS-only connections.
D. Change the captive portal URL on both FortiGate and FortiAuthenticator to use HTTPS.

Correct answers: C and D

Explanation:

Securing guest access on a wireless network using a captive portal typically involves ensuring that authentication traffic is encrypted, which means enforcing HTTPS instead of HTTP. This prevents sensitive information like credentials from being transmitted in plain text.

Option A suggests creating a new SSID for HTTPS captive portal access, but this is unnecessary. You can update the existing SSID’s captive portal configuration to use HTTPS without the complexity of adding a new SSID, so this is not required.

Option B involves enabling HTTP redirect in authentication settings. While redirecting HTTP traffic to HTTPS is a common practice, simply enabling HTTP redirect does not guarantee strict HTTPS enforcement for captive portal authentication. It can still allow unsecured connections initially, which is not ideal when enforcing HTTPS.

Option C is essential because disabling HTTP administrative access on the guest SSID forces all communication to happen over HTTPS. This prevents fallback to unencrypted HTTP, thus strengthening security by mandating encrypted connections for authentication.

Option D is another critical step: updating the captive portal URLs on both FortiGate and FortiAuthenticator to use HTTPS ensures that all authentication sessions are encrypted end-to-end. This step guarantees that the captive portal itself communicates securely with clients.

In conclusion, C and D are the necessary actions to enforce HTTPS authentication on the captive portal, ensuring secure, encrypted guest access.

Question 5:

The exhibits show wireless SSID profiles configured on FortiManager and an AP profile assigned to FortiGate-managed APs. However, none of the APs are broadcasting the SSIDs defined in the profile. 

What configuration change is needed to enable the SSIDs to broadcast?

A. Enable Tunnel in the SSIDs section.
B. Enable at least one channel in the Channels section.
C. Enable multiple channels and activate Radio Resource Provision.
D. Enable Manual in the SSIDs section and assign networks manually.

Correct answer: B

Explanation:

When wireless APs fail to broadcast configured SSIDs, the problem often lies within the radio or channel settings. For an AP to transmit a wireless signal, it must operate on one or more wireless channels. Without any active channel, the AP cannot emit SSIDs or accept client connections.

Option B is the correct and most direct solution: enabling at least one channel in the Channels section of the AP profile. This setting tells the AP which wireless channel(s) to use for broadcasting. Without this, the AP radio remains inactive, and SSIDs will not appear to nearby devices.

Other options, while relevant in different contexts, do not directly solve this broadcasting issue:

Option A: Enabling Tunnel in the SSIDs section configures the SSID traffic to be tunneled to a controller or firewall. This setting is related to traffic forwarding, not whether SSIDs are broadcast. It doesn’t affect the radio’s ability to advertise SSIDs.

Option C: Enabling multiple channels and Radio Resource Provisioning can optimize wireless performance and allow APs to dynamically manage channels, but this is an advanced configuration. The absence of a basic active channel is a more fundamental issue, so this option does not address the core problem.

Option D: Enabling Manual mode to assign networks manually is unnecessary if SSIDs are already defined and assigned. This option deals with explicit SSID-to-interface mapping, not with enabling wireless signal broadcast.

In summary, enabling at least one channel in the AP profile’s Channels section is the foundational step to ensure the AP can broadcast SSIDs. This simple but essential change activates the radio frequency needed for wireless signals to be detected by clients.

Question 6:

An administrator wants to configure an IPsec VPN on FortiGate that uses certificate-based authentication for a VPN user. 

Which three configuration changes are necessary to enable this? (Choose three.)

A. Create a PKI user for the VPN user and configure the tunnel to accept the user’s certificate.
B. Set the Authentication method to Signature and select the certificate FortiGate will use.
C. Set the IKE Mode to Main (ID protection).
D. Import the Certificate Authority (CA) that issued the user’s certificate.
E. Enable XAUTH on the IPsec VPN tunnel.

Correct answers: A, B, D

Explanation:

Configuring certificate-based authentication for an IPsec VPN user on FortiGate requires several essential steps focused on establishing trust and proper certificate usage.

First, option A: creating a PKI (Public Key Infrastructure) user is fundamental. This user object links the VPN client to its certificate. FortiGate uses this to verify the identity of the connecting client based on the certificate presented during tunnel establishment.

Second, option B: the Authentication method for the VPN tunnel must be changed to “Signature.” This setting tells FortiGate to authenticate the VPN peer using digital certificates, verifying the cryptographic signatures rather than relying on pre-shared keys or passwords. Additionally, the administrator must select the specific certificate FortiGate will use to identify itself during the handshake.

Third, option D: FortiGate must trust the Certificate Authority that issued the user’s certificate. Importing the CA’s root certificate ensures FortiGate can verify the authenticity and validity of the client certificate. Without this trust relationship, the certificate cannot be validated, and the VPN connection will fail.

Reviewing the incorrect options:

Option C: Setting the IKE Mode to Main with ID protection enhances security by protecting identity information during negotiation, but it is not strictly required for certificate authentication. Certificate-based VPNs can use different IKE modes.

Option E: Enabling XAUTH is used for additional user/password authentication layered on top of the VPN tunnel but is unnecessary when using certificate-based authentication alone.

In summary, successful certificate-based IPsec VPN authentication requires creating a PKI user, configuring the tunnel to use certificate signatures, and importing the relevant CA certificate. These steps establish a secure, trusted connection relying solely on certificates.

Question 7:

While investigating wireless network performance issues on a 5 GHz AP interface, you monitor channel utilization over time. 

What is the recommended maximum channel utilization percentage that should not be exceeded to maintain optimal performance?

A. 85%
B. 95%
C. 75%
D. 65%

Correct answer: C

Explanation:

When managing a wireless network, particularly in the 5 GHz spectrum, channel utilization is a key metric indicating how busy a wireless channel is. It reflects the proportion of time the channel is actively used for transmitting data. High channel utilization signals that the wireless medium is congested, which can degrade user experience by causing increased latency, packet collisions, and reduced throughput.

Network experts generally recommend maintaining channel utilization below a certain threshold to prevent performance bottlenecks. The commonly accepted maximum value for channel utilization on an access point interface is 75%. This threshold provides a balance between efficient spectrum usage and maintaining quality service.

Let’s break down the options:

  • A (85%): At this level, the channel is heavily utilized, and while the network might still function, users may start to experience slowdowns and intermittent connectivity issues. Utilization beyond 85% generally means the channel is saturated, risking frequent collisions and retransmissions.

  • B (95%): Utilization this high signals severe congestion, with significant packet loss, high latency, and very poor user experience. Network performance at this level is typically unacceptable for any production environment.

  • C (75%): This is the preferred upper limit because it allows some buffer for traffic spikes without overloading the channel. Staying below 75% helps ensure stable and consistent wireless performance.

  • D (65%): While conservative and ideal for extremely sensitive environments, 65% utilization is often more restrictive than necessary. It limits channel use, potentially leading to inefficient spectrum usage.

In summary, to avoid wireless congestion and maintain optimal throughput and reliability, it is best practice to keep 5 GHz channel utilization below 75%. This guideline helps balance efficient spectrum use with good user experience, making C the correct answer.

Question 8:

Which CLI command enables an administrator to monitor the certificate verification process live on a Fortinet device?

A. diagnose debug application foauthd -1
B. diagnose debug application radiusd -1
C. diagnose debug application authd -1
D. diagnose debug application fnbamd -1

Correct answer: C

Explanation:

When troubleshooting SSL/TLS certificate verification issues on Fortinet devices, it’s crucial to use the correct debug command to monitor the process in real time. The authentication daemon (authd) handles key authentication processes, including certificate verification. Therefore, enabling debugging on this service allows administrators to observe the detailed steps and messages involved in verifying certificates.

The command diagnose debug application authd -1 activates verbose debugging for authd, showing real-time logs related to certificate validation and other authentication procedures. This visibility is essential for diagnosing failures in certificate trust, expired certificates, or misconfigurations affecting SSL/TLS-based connections.

Let’s review why the other options are less applicable:

  • A (diagnose debug application foauthd -1): The foauthd process deals with Fortinet’s OAuth authentication, which manages token-based logins rather than certificate validation. It’s not the correct tool for real-time certificate verification.

  • B (diagnose debug application radiusd -1): While the radiusd daemon handles RADIUS authentication—which can sometimes involve certificates during certain EAP methods—it is not primarily focused on the certificate verification process itself.

  • D (diagnose debug application fnbamd -1): The fnbamd daemon manages Fortinet’s broader authentication and VPN processes but does not directly debug the certificate verification steps.

Thus, the command associated with authd provides the most detailed and relevant insights into certificate verification, enabling administrators to troubleshoot authentication failures accurately. This makes C the correct choice for monitoring the certificate verification process in real time on Fortinet devices.

Question 9:

Which two statements accurately describe the features of the guest portal on FortiAuthenticator? (Select two.)

A. Each remote user on FortiAuthenticator can sponsor a maximum of 10 guest accounts.
B. All guest accounts require administrator approval before use.
C. The guest portal supports services both before and after login.
D. Administrators can set mapping rules using one or more incoming parameters for the guest portal configuration.

Correct answers: C and D

Explanation:

The guest portal on FortiAuthenticator is designed to provide controlled and secure network access to guest users while giving administrators flexibility in managing these accounts. It allows guests to self-register or be sponsored, and offers customizable access policies and controls to ensure secure connectivity.

Option C is correct because the guest portal provides both pre-login and post-login services. Pre-login services typically include authentication mechanisms such as self-registration, login forms, or social media authentication. Post-login services control what happens after a user logs in, such as bandwidth limits, access controls, and redirection to specific web pages or network resources. This dual-phase service model allows administrators to tailor the user experience before and after authentication.

Option D is also correct. FortiAuthenticator administrators can configure mapping rules that use various incoming parameters—such as IP addresses, VLAN IDs, or device types—to dynamically assign access privileges or specific policies to guest users. This ability to tailor access based on incoming parameters enhances flexibility and security, ensuring that guests receive appropriate permissions based on their connection context.

Option A is incorrect because the number of guest accounts a user can sponsor is not fixed to 10 by default; this limit can be configured by administrators to fit organizational needs.

Option B is not necessarily true either. While administrators can choose to require approval before guest accounts are activated, FortiAuthenticator also supports automatic self-registration without manual approval, depending on the settings.

In summary, the guest portal’s pre/post-login service capabilities (C) and flexible mapping rule configurations (D) best capture its core functionality, making these two statements accurate descriptions.

Question 10:

In the provided wireless setup, a remote site has an AP with a tunneled wireless network called Corporate. Clients connected to this SSID cannot print to a local printer. 

What configuration change is needed to enable clients on the Corporate SSID to print to the local printer?

A. Enable split-tunneling in the VAP configuration.
B. Enable split-tunneling in the WTP profile configuration.
C. Disable the Block Intra-SSID Traffic setting in the SSID (VAP) profile.
D. Add the printer as a wireless client on the Corporate wireless network.

Correct answer: A

Explanation:

In this scenario, clients on a tunneled wireless network (Virtual Access Point or VAP) called Corporate are unable to print to a local printer at the remote site. The main issue stems from the tunneling configuration, which sends all wireless client traffic back to a centralized controller or location rather than allowing it to communicate locally.

The correct solution is to enable split-tunneling within the VAP configuration (Option A). Split-tunneling allows traffic destined for certain local resources—like the printer—to bypass the tunnel and be routed directly within the local subnet. This means client requests to the printer won’t be sent to the controller but stay local, allowing printing to function correctly.

Option B, enabling split-tunneling in the WTP profile, is less appropriate because the WTP profile governs the wireless termination point’s behavior more generally, but the VAP controls traffic routing for specific SSIDs, making it the more precise place to enable split-tunneling for this purpose.

Option C, disabling Block Intra-SSID Traffic, would permit communication between wireless clients on the same SSID, but it does not address tunneling issues or traffic routing to local devices. Therefore, it won’t solve the printing problem caused by tunneled traffic.

Option D, configuring the printer as a wireless client, might make the printer visible on the wireless network, but since client traffic is tunneled to a remote controller, clients still cannot communicate locally unless split-tunneling is enabled.

In conclusion, enabling split-tunneling on the VAP configuration is necessary because it lets local traffic flow outside the tunnel, allowing access to resources like printers on the remote site’s network. This balances the benefits of centralized control with the practical need for local resource accessibility.
