Prepare Top Fortinet NSE7_LED-7.0 Exam Study Guide Practice Questions Edition [Q16-Q41]


NEW QUESTION # 16
Which two statements about MAC address quarantine by redirect mode are true? (Choose two)

  • A. The device MAC address is added to the Quarantined Devices firewall address group
  • B. The quarantined device is kept in the current VLAN
  • C. It is the default mode for MAC address quarantine
  • D. The quarantined device is moved to the quarantine VLAN

Answer: A,B

Explanation:
According to the FortiGate Administration Guide, "MAC address quarantine by redirect mode allows you to quarantine devices by adding their MAC addresses to a firewall address group called Quarantined Devices. The quarantined devices are kept in their current VLANs, but their traffic is redirected to a quarantine portal." Therefore, options B and D are true because they describe the statements about MAC address quarantine by redirect mode. Option A is false because the quarantined device is not moved to the quarantine VLAN, but rather kept in the current VLAN. Option C is false because redirect mode is not the default mode for MAC address quarantine, but rather an alternative mode that can be enabled by setting mac-quarantine-mode to redirect.
https://docs.fortinet.com/document/fortiap/7.0.0/configuration-guide/734537/radius-authenticated-dynamic-vlan-: https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/734537/mac-address-quarantine


NEW QUESTION # 17
Refer to the exhibit. Examine the FortiManager configuration and FortiGate CLI output shown in the exhibit.
An administrator is testing the NAC feature. The test device is connected to a managed FortiSwitch device (S224EPTF19005867) on port2.
After applying the NAC policy on port2 and generating traffic on the test device, the test device is not matching the NAC policy; therefore, the test device remains in the onboarding VLAN.
Based on the information shown in the exhibit, which two scenarios are likely to cause this issue?
(Choose two.)

  • A. The device operating system detected by FortiGate is not Linux
  • B. The MAC address configured on the NAC policy is incorrect
  • C. Management communication between FortiGate and FortiSwitch is down
  • D. Device detection is not enabled on VLAN 4089

Answer: A,B

Explanation:
https://docs.fortinet.com/document/fortiswitch/7.4.2/fortilink-guide/173271/fortiswitch-network-access-control


NEW QUESTION # 18
You are investigating a report of poor wireless performance in a network that you manage. The issue is related to an AP interface in the 5 GHz range. You are monitoring the channel utilization over time.
What is the recommended maximum utilization value that an interface should not exceed?

  • A. 75%
  • B. 95%
  • C. 65%
  • D. 85%

Answer: A

Explanation:


NEW QUESTION # 19
Which two statements about the guest portal on FortiAuthenticator are true? (Choose two.)

  • A. The guest portal provides pre and post-log in services
  • B. Each remote user on FortiAuthenticator can sponsor up to 10 guest accounts
  • C. Administrators must approve all guest accounts before they can be used
  • D. Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal

Answer: A,D

Explanation:
According to the FortiAuthenticator Administration Guide, "The guest portal provides pre and post-log in services for users (such as password reset and token registration abilities), and rules and replacement messages can be configured." Therefore, option C is true. The same guide also states that "Administrators can use one or more incoming parameters to configure a mapping rule for the guest portal." Therefore, option D is true.
Option A is false because remote users can sponsor any number of guest accounts, as long as they do not exceed the maximum number of guest accounts allowed by the license. Option B is false because administrators can choose to approve or reject guest accounts, or enable auto-approval.


NEW QUESTION # 20
You are setting up an SSID (VAP) to perform RADIUS-authenticated dynamic VLAN allocation. Which three RADIUS attributes must be supplied by the RADIUS server to enable successful VLAN allocation? (Choose three.)

  • A. Tunnel-Type
  • B. Tunnel-Pvt-Group-ID
  • C. Tunnel-Private-Group-ID
  • D. Tunnel-Medium-Type
  • E. Tunnel-Preference

Answer: A,C,D

Explanation:
According to the FortiAP Configuration Guide, "To perform RADIUS-authenticated dynamic VLAN allocation, the RADIUS server must supply the following RADIUS attributes: Tunnel-Private-Group-ID, which specifies the VLAN ID to assign to the user. Tunnel-Type, which specifies the tunneling protocol used for the VLAN. The value must be 13 (VLAN). Tunnel-Medium-Type, which specifies the transport medium used for the VLAN. The value must be 6 (802)." Therefore, options A, D, and E are true because they describe the RADIUS attributes that must be supplied by the RADIUS server to enable successful VLAN allocation.
Option B is false because Tunnel-Pvt-Group-ID is not a valid RADIUS attribute name, but rather a typo for Tunnel-Private-Group-ID. Option C is false because Tunnel-Preference is not a required RADIUS attribute for dynamic VLAN allocation, but rather an optional attribute that specifies the priority of the VLAN.


NEW QUESTION # 21
Refer to the exhibit.

Examine the debug output shown in the exhibit.
Which two statements about the RADIUS debug output are true? (Choose two.)

  • A. The user student belongs to the SSLVPN group
  • B. User authentication failed
  • C. The RADIUS server sent a vendor-specific attribute in the RADIUS response
  • D. User authentication succeeded using MSCHAP

Answer: A,D

Explanation:
According to the exhibit, the debug output shows a RADIUS debug output from FortiGate. The output shows that FortiGate sent a RADIUS Access-Request packet to FortiAuthenticator with the username student and received a RADIUS Access-Accept packet from FortiAuthenticator with a Class attribute containing SSLVPN.
Therefore, option A is true because it indicates that the user student belongs to the SSLVPN group on FortiAuthenticator. The output also shows that FortiGate used MSCHAP as the authentication method and received a MS-MPPE-Send-Key and a MS-MPPE-Recv-Key from FortiAuthenticator. Therefore, option D is true because it indicates that user authentication succeeded using MSCHAP. Option B is false because user authentication did not fail, but rather succeeded. Option C is false because FortiAuthenticator did not send a vendor-specific attribute in the RADIUS response, but rather standard attributes defined by RFCs.


NEW QUESTION # 22
Refer to the exhibit.

Examine the sections of the configuration shown in the output.
What action will FortiGate take when verifying the student certificate through OCSP?

  • A. Not verify the OCSP server certificate
  • B. Consider the student certificate status as valid if the OCSP server is unreachable
  • C. Use the OCSP URL included in the student certificate to verify the student certificate
  • D. Reject the student certificate if the OCSP server replies that the student certificate status is unknown

Answer: C

Explanation:
According to the exhibit, the FortiGate configuration has ocsp-status enabled and ocsp-option set to certificate. This means that FortiGate will use OCSP to verify the revocation status of certificates presented by clients. According to the FortiGate Administration Guide, "If you select certificate, FortiGate uses an OCSP URL included in a certificate to verify that certificate." Therefore, option C is true because it describes what action FortiGate will take when verifying the student certificate through OCSP. Option A is false because FortiGate will not reject the student certificate if the OCSP server replies that the student certificate status is unknown, but rather accept it as valid. Option B is false because FortiGate will verify the OCSP server certificate by default, unless strict-ocsp-check is disabled. Option D is false because FortiGate will not consider the student certificate status as valid if the OCSP server is unreachable, but rather reject it as invalid.


NEW QUESTION # 23
Which FortiSwitch VLANs are automatically created on FortiGate when the first FortiSwitch device is discovered?

  • A. access, quarantine, rspan, voice, video, and onboarding
  • B. default, quarantine, rspan, voice, video, onboarding, and nac_segment
  • C. default, quarantine, rspan, voice, video, and nac_segment
  • D. fortilink, quarantine, erspan, voice, video, and onboarding

Answer: D

Explanation:
According to the FortiGate Administration Guide, "When you add a FortiSwitch device to the Security Fabric, FortiGate automatically creates the following VLANs on the FortiSwitch device: fortilink, quarantine, erspan, voice, video, and onboarding." Therefore, option D is true because it lists the FortiSwitch VLANs that are automatically created on FortiGate when the first FortiSwitch device is discovered. Option A is false because default and nac_segment are not among the automatically created VLANs. Option B is false because access and rspan are not among the automatically created VLANs. Option C is false because default and nac_segment are not among the automatically created VLANs.


NEW QUESTION # 24
What is the purpose of enabling Windows Active Directory Domain Authentication on FortiAuthenticator?

  • A. It enables FortiAuthenticator to use Windows administrator credentials to perform an LDAP lookup for a user search
  • B. It enables FortiAuthenticator to register itself as a Windows trusted device to proxy authentication using Kerberos
  • C. It enables FortiAuthenticator to import users from Windows AD
  • D. It enables FortiAuthenticator to use a Windows CA certificate when authenticating RADIUS users

Answer: B

Explanation:
Windows Active Directory domain authentication enables FortiAuthenticator to join a Windows Active Directory domain as a machine entity and proxy authentication requests using Kerberos.


NEW QUESTION # 25
Refer to the exhibit showing a network topology and SSID settings. FortiGate is configured to use an external captive portal. However, wireless users are not able to see the captive portal login page.
Which configuration change should the administrator make to fix the problem?

  • A. Add the FortiAuthenticator and WindowsAD address objects as exempt destinations services.
  • B. Enable the captive-portal-exempt option in the firewall policy with the ID 12.
  • C. Remove the guest.portal user group in the firewall policy with the ID 12.
  • D. Enable NAT in the firewall policy with the ID 13.

Answer: A

Explanation:
According to the exhibit, the network topology and SSID settings show that FortiGate is configured to use an external captive portal hosted on FortiAuthenticator, which is connected to a Windows AD server for user authentication. However, wireless users are not able to see the captive portal login page, which means that they are not redirected to the external captive portal URL. Therefore, option B is true because adding the FortiAuthenticator and WindowsAD address objects as exempt destinations services will allow the wireless users to access the external captive portal URL without being blocked by the firewall policy.


NEW QUESTION # 26
Refer to the exhibit. Examine the sections of the configuration shown in the output.
What action will FortiGate take when verifying the student certificate through OCSP?

  • A. Not verify the OCSP server certificate
  • B. Reject the student certificate if the OCSP server replies that the student certificate status is unknown
  • C. Consider the student certificate status as valid if the OCSP server is unreachable
  • D. Use the OCSP URL included in the student certificate to verify the student certificate

Answer: B

Explanation:


NEW QUESTION # 27

Wireless guest users are unable to authenticate because they are getting a certificate error while loading the captive portal login page. This URL string is the HTTPS POST URL guest wireless users see when attempting to access the network using the web browser.

Which two settings are the likely causes of the issue? (Choose two.)

  • A. The FortiGate authentication interface address is using HTTPS
  • B. The external server FQDN is incorrect
  • C. The wireless user's browser is missing a CA certificate
  • D. The user address is not in DDNS form

Answer: B,C

Explanation:
According to the exhibit, the wireless guest users are getting a certificate error while loading the captive portal login page. This means that the browser cannot verify the identity of the server that is hosting the login page.
Therefore, option A is true because the external server FQDN is incorrect, which means that it does not match the common name or subject alternative name of the server certificate. Option B is also true because the wireless user's browser is missing a CA certificate, which means that it does not have the root or intermediate certificate that issued the server certificate. Option C is false because the FortiGate authentication interface address is using HTTPS, which is a secure protocol that encrypts the communication between the browser and the server. Option D is false because the user address is not in DDNS form, which is not related to the certificate error.


NEW QUESTION # 28
Refer to the exhibits.

Examine the firewall policy configuration and SSID settings. An administrator has configured a guest wireless network on FortiGate using the external captive portal. The administrator has verified that the external captive portal URL is correct. However, wireless users are not able to see the captive portal login page. Given the configuration shown in the exhibit and the SSID settings, which configuration change should the administrator make to fix the problem?

  • A. Disable the user group from the SSID configuration.
  • B. Include the wireless client subnet range in the Exempt Source section.
  • C. Apply a guest.portal user group in the firewall policy with the ID 11.
  • D. Enable the captive-portal-exempt option in the firewall policy with the ID 11.

Answer: D

Explanation:
If using an external captive portal, configure the policy and exempt web traffic to the external captive portal.


NEW QUESTION # 29
Refer to the exhibit. In the wireless configuration shown in the exhibits, an AP is deployed in a remote site and has a wireless network (VAP) called Corporate deployed to it. The network is a tunneled network; however, clients connecting to a wireless network require access to a local printer. Clients are trying to print to a printer on the remote site but are unable to do so.
Which configuration change is required to allow clients connected to the Corporate SSID to print locally?

  • A. Configure the printer as a wireless client on the Corporate wireless network
  • B. Configure split-tunneling in the wtp-profile configuration
  • C. Configure split-tunneling in the vap configuration
  • D. Disable the Block Intra-SSID Traffic (intra-vap-privacy) setting on the SSID (VAP) profile

Answer: C

Explanation:
Split tunneling allows you to specify which traffic is tunneled to the FortiGate and which traffic is sent directly to the Internet. This can improve performance and reduce bandwidth usage.
Therefore, by configuring split-tunneling in the vap configuration, you can allow the clients connected to the Corporate SSID to access both the corporate network and the local printer.


NEW QUESTION # 30
An administrator is testing the connectivity for a new VLAN. The devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate. While testing, the administrator noticed that devices can ping FortiGate and FortiGate can ping the devices. The administrator also noticed that inter-VLAN communication works. However, intra-VLAN communication does not work. Which scenario is likely to cause this issue?

  • A. The FortiGate ARP table is missing entries
  • B. Access VLAN is enabled on the VLAN
  • C. The native VLAN configured on the ports is incorrect
  • D. The FortiSwitch MAC address table is missing entries

Answer: D

Explanation:
According to the scenario, the devices in the VLAN are connected to a FortiSwitch device that is managed by FortiGate. Quarantine is disabled on FortiGate, which means that the devices are not blocked by any security policy. The devices can ping FortiGate and FortiGate can ping the devices, which means that the IP connectivity is working. Inter-VLAN communication works, which means that the routing between VLANs is working. However, intra-VLAN communication does not work, which means that the switching within the VLAN is not working. Therefore, option C is true because the FortiSwitch MAC address table is missing entries, which means that the FortiSwitch does not know how to forward frames to the destination MAC addresses within the VLAN. Option A is false because access VLAN is enabled on the VLAN, which means that the VLAN ID is added to the frames on ingress and removed on egress. This does not affect intra-VLAN communication. Option B is false because the native VLAN configured on the ports is incorrect, which means that the frames on the native VLAN are not tagged with a VLAN ID. This does not affect intra-VLAN communication. Option D is false because the FortiGate ARP table is missing entries, which means that FortiGate does not know how to map IP addresses to MAC addresses. This does not affect intra-VLAN communication.


NEW QUESTION # 31
Refer to the exhibit.

Examine the RADIUS server configuration shown in the exhibit.
An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator. FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP. While testing the configuration, the administrator noticed that the diagnose test authserver command worked with PAP; however, authentication requests failed when using MSCHAP2. Which two solutions can the administrator implement to get MSCHAP2 authentication to work? (Choose two.)

  • A. On FortiGate update the Secret setting on the RADIUS server
  • B. On FortiGate configure the NAS IP setting on the RADIUS server
  • C. On FortiAuthenticator enable Windows Active Directory Domain Authentication to add FortiAuthenticator to the Windows domain
  • D. On FortiAuthenticator change the back-end authentication server from LDAP to RADIUS

Answer: C,D

Explanation:
According to the exhibit, the RADIUS server configuration on FortiGate points to FortiAuthenticator, which is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP. However, LDAP does not support MSCHAP2 authentication, which is required for RADIUS. Therefore, option A is true because on FortiAuthenticator, enabling Windows Active Directory Domain Authentication will add FortiAuthenticator to the Windows domain and allow it to use MSCHAP2 authentication with the AD server. Option C is also true because on FortiAuthenticator, changing the back-end authentication server from LDAP to RADIUS will allow it to use MSCHAP2 authentication with the AD server. Option B is false because on FortiGate, configuring the NAS IP setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the source IP address of the RADIUS packets. Option D is false because on FortiGate, updating the Secret setting on the RADIUS server will not affect the MSCHAP2 authentication, but rather the shared secret between FortiGate and FortiAuthenticator.


NEW QUESTION # 32
Which FortiSwitch VLANs are automatically created on FortiGate when the first FortiSwitch device is discovered?

  • A. access, quarantine, rspan, voice, video, and onboarding
  • B. default, quarantine, rspan, voice, video, onboarding, and nac_segment
  • C. default, quarantine, rspan, voice, video, and nac_segment
  • D. fortilink, quarantine, erspan, voice, video, and onboarding

Answer: B

Explanation:


NEW QUESTION # 33
Refer to the exhibit. Examine the debug output shown in the exhibit.

Which two statements about the RADIUS debug output are true? (Choose two)

  • A. User authentication succeeded using MSCHAP
  • B. The RADIUS server sent a vendor-specific attribute in the RADIUS response
  • C. The user student belongs to the SSLVPN group
  • D. User authentication failed

Answer: B,C


NEW QUESTION # 34
You are configuring a FortiGate wireless network to support automated wireless client quarantine using IOC. Which two configurations must you put in place for a wireless client to be quarantined successfully? (Choose two)

  • A. Configure the wireless network to be in tunnel mode
  • B. Configure the FortiGate device in the Security Fabric with a FortiAnalyzer device
  • C. Configure a firewall policy to allow communication
  • D. Configure the wireless network to be in bridge mode

Answer: A,B

Explanation:
To enable automated wireless client quarantine using IOC, you must configure the following settings: Configure your wireless network to be in tunnel mode. This allows FortiGate to inspect all wireless traffic and apply security policies. Configure your FortiGate device in the Security Fabric with a FortiAnalyzer device. This allows FortiAnalyzer to detect indicators of compromise (IOC) from wireless traffic and send quarantine commands to FortiGate.


NEW QUESTION # 35
Refer to the exhibit. Examine the FortiManager information shown in the exhibit.
Which two statements about the FortiManager status are true? (Choose two)

  • A. FortiSwitch manager is working in per-device management mode
  • B. FortiSwitch manager is working in central management mode
  • C. FortiSwitch is not authorized
  • D. FortiSwitch is authorized and offline

Answer: A,D

Explanation:


NEW QUESTION # 36
Refer to the exhibit. Examine the FortiGate configuration, FortiAnalyzer logs, and FortiGate widget shown in the exhibit.
An administrator is testing the Security Fabric quarantine automation. The administrator added FortiAnalyzer to the Security Fabric, and configured an automation stitch to automatically quarantine compromised devices. The test device (10.0.2.1) is connected to a managed FortiSwitch device.
After trying to access a malicious website from the test device, the administrator verifies that FortiAnalyzer has a log for the test connection. However, the device is not getting quarantined by FortiGate, as shown in the quarantine widget.
Which two scenarios are likely to cause this issue? (Choose two.)

  • A. The device does not have FortiClient installed
  • B. FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC)
  • C. FortiAnalyzer does not have a valid threat detection services license
  • D. The web filtering rating service is not working

Answer: B,C

Explanation:
According to the exhibits, the administrator has configured an automation stitch to automatically quarantine compromised devices based on FortiAnalyzer's threat detection services. However, according to the FortiAnalyzer logs, the test device is not detected as compromised by FortiAnalyzer, even though it tried to access a malicious website. Therefore, option B is true because FortiAnalyzer does not have a valid threat detection services license, which is required to enable the threat detection services feature. Option D is also true because FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC), which is a criterion for identifying compromised devices.


NEW QUESTION # 37
An administrator has configured an SSID in bridge mode for corporate employees. All APs are online and provisioned using default AP profiles. Employees are unable to locate the SSID to connect. Which two configurations can the administrator verify? (Choose two.)

  • A. Verify that the broadcast SSID option is enabled in the SSID configuration
  • B. Verify that the SSID is applied to an AP group that should be broadcasting the SSID
  • C. Verify that the Block Intra-SSID Traffic (intra-vap-privacy) option in the SSID configuration is disabled
  • D. Verify that the SSID is manually applied on AP profiles for both 2.4 GHz and 5 GHz radios

Answer: A,B

Explanation:
According to the FortiAP Configuration Guide, "To enable the SSID, you must select at least one channel for the radio. If no channels are selected, the SSID will not be enabled. You must also enable Broadcast SSID." Therefore, option A is true because the broadcast SSID option allows the SSID to be visible to wireless clients.
Option C is also true because the SSID must be applied to an AP group that contains the APs that should be broadcasting the SSID. According to the same guide, "You can create AP groups and assign them to different locations or departments. You can then apply different settings, such as SSIDs, to each group." Option B is false because blocking intra-SSID traffic prevents wireless clients on the same SSID from communicating with each other, which is not related to broadcasting the SSID. Option D is false because the SSID can be applied to an AP group or a global profile, which will automatically apply to all APs, without manually configuring each AP profile.


NEW QUESTION # 38
Refer to the exhibit. A device connected to port2 on FortiSwitch cannot access the network. The port is assigned a security policy to enforce 802.1X authentication. While troubleshooting the issue, the administrator obtains the debug output shown in the exhibit.
Which two scenarios are likely to cause this issue? (Choose two.)

  • A. The device is not configured for 802.1X authentication.
  • B. The device does not support 802.1X authentication.
  • C. The device has been assigned the guest VLAN.
  • D. The device has been quarantined for 3600 seconds.

Answer: A,B

Explanation:
According to the exhibit, the debug output shows that the device connected to port2 on FortiSwitch is sending an EAPOL-Start message, which is the first step of the 802.1X authentication process. However, the output also shows that the device is not sending any EAP-Response messages, which are required to complete the authentication process. Therefore, option A is true because the device is not configured for 802.1X authentication, which means that it does not have the correct credentials or settings to authenticate with the RADIUS server.
Option D is also true because the device does not support 802.1X authentication, which means that it does not have the capability or software to perform 802.1X authentication.


NEW QUESTION # 39
Refer to the exhibit.

A device connected to port2 on FortiSwitch cannot access the network. The port is assigned a security policy to enforce 802.1X authentication. While troubleshooting the issue, the administrator obtains the debug output shown in the exhibit. Which two scenarios are likely to cause this issue? (Choose two.)

  • A. The device does not support 802.1X authentication.
  • B. The device is not configured for 802.1X authentication.
  • C. The device has been assigned the guest VLAN
  • D. The device has been quarantined for 3600 seconds.

Answer: A,B

Explanation:
According to the exhibit, the debug output shows that the device connected to port2 on FortiSwitch is sending an EAPOL-Start message, which is the first step of the 802.1X authentication process. However, the output also shows that the device is not sending any EAP-Response messages, which are required to complete the authentication process. Therefore, option A is true because the device is not configured for 802.1X authentication, which means that it does not have the correct credentials or settings to authenticate with the RADIUS server. Option D is also true because the device does not support 802.1X authentication, which means that it does not have the capability or software to perform 802.1X authentication. Option B is false because the device has not been quarantined for 3600 seconds, but rather has a session timeout of 3600 seconds, which is the default value for 802.1X sessions. Option C is false because the device has not been assigned the guest VLAN, but rather has been assigned the default VLAN, which is VLAN 1.


NEW QUESTION # 40
Refer to the exhibit.

Examine the FortiGate RSSO configuration shown in the exhibit.
FortiGate is configured to receive RADIUS accounting messages on port3 to authenticate RSSO users. The users are located behind port3 and the internet link is connected to port1. FortiGate is processing incoming RADIUS accounting messages successfully and RSSO users are getting associated with the RSSO Group user group. However, all the users are able to access the internet, and the administrator wants to restrict internet access to RSSO users only. Which configuration change should the administrator make to fix the problem?

  • A. Change the RADIUS Attribute Value setting to match the name of the RADIUS attribute containing the group membership information of the RSSO users
  • B. Create a second firewall policy from port3 to port1 and select the target destination subnets
  • C. Enable Security Fabric Connection on port3
  • D. Add RSSO Group to the firewall policy

Answer: D

Explanation:
According to the exhibit, the firewall policy from port3 to port1 has no user group specified, which means that it allows all users to access the internet. Therefore, option B is true because adding RSSO Group to the firewall policy will restrict internet access to RSSO users only. Option A is false because changing the RADIUS Attribute Value setting will not affect the firewall policy, but rather the RSSO user group membership. Option C is false because enabling Security Fabric Connection on port3 will not affect the firewall policy, but rather the communication between FortiGate and other Security Fabric devices. Option D is false because creating a second firewall policy from port3 to port1 will not affect the existing firewall policy, but rather create a redundant or conflicting policy.


NEW QUESTION # 41
......
