New update Lead4Pass NSE7_SAC-6.2 Dumps with PDF and VCE| Fortinet NSE 7 – Secure Access 6.2 Exam

April 16, 2021

New updated Lead4Pass NSE7_SAC-6.2 Dumps with PDF file and VCE practice exam engine to help pass the Fortinet NSE 7 – Secure Access 6.2 Exam successfully!

Lead4Pass NSE7_SAC-6.2 exam dumps contain 30 exam questions and answers, covering complete Fortinet NSE 7 – Secure Access 6.2 certification exam questions, and verified to be true and valid, check here to get the latest Lead4Pass NSE7_SAC-6.2 dumps: (PDF+VCE).

Check out the NSE7_SAC-6.2 PDF exam questions and answers shared for free:

Also, read the latest 15 Lead4Pass NSE7_SAC-6.2 exam questions and answers online:

Question 1:

Which step can be taken to ensure that only FortiAP devices receive IP addresses from a DHCP server on FortiGate?

A. Change the interface addressing mode to FortiAP devices.

B. Create a reservation list in the DHCP server settings.

C. Configure a VCI string value of FortiAP in the DHCP server settings.

D. Use DHCP option 138 to assign IPs to FortiAP devices.


Correct Answer: C


Question 2:


Which two EAP methods can use MSCHAPV2 for client authentication? (Choose two.)






Correct Answer: AC

Reference: 20Guide/500/501_EAP.htm

Question 3:


802.1X port authentication is enabled on only those ports to which the FortiSwitch security policy is assigned.

Which configurable items are available when you configure the security policy on FortiSwitch? (Choose two.)

A. FSSO groups

B. Security mode

C. User groups

D. Default guest group


Correct Answer: BC


Question 4:


A wireless network in a school provides guest access using a captive portal to allow unregistered users to self-register and access the network.

The administrator is requested to update the existing configuration to provide captive portal authentication through a secure connection (HTTPS) to protect and encrypt guest user credentials after they receive the login information when registered for the first time.

Which two changes must the administrator make to enforce HTTPS authentication? (Choose two.)

A. Provide instructions to users to use HTTPS to access the network.

B. Create a new SSID with the HTTPS captive portal URL.

C. Enable Redirect HTTP Challenge to a Secure Channel (HTTPS) in the user authentication settings

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator


Correct Answer: BD


Question 5:


An administrator is deploying APs that are connecting over an IPsec network. All APs have been configured to connect to FortiGate manually. FortiGate can discover the APs and authorize them. However, FortiGate is unable to establish CAPWAP tunnels to manage the APs.

Which configuration setting can the administrator perform to resolve the problem?

A. Decrease the CAPWAP tunnel MTU size for APs to prevent fragmentation.

B. Enable CAPWAP administrative access on the IPsec interface.

C. Upgrade the FortiAP firmware image to ensure compatibility with the FortiOS version.

D. Assign a custom AP profile for the remote APs with the set mpls-connectionoption enabled.


Correct Answer: B


Question 6:


What action does FortiSwitch take when it receives a loop guard data packet (LGDP) that was sent by itself?

A. The receiving port is shut down.

B. The sending port is shut down

C. The receiving port is moved to the STP blocking state.

D. The sending port is moved to the STP blocking state


Correct Answer: B


Question 7:


Default VLANs are created on FortiGate when the FortiLink interface is created. By default, which VLAN is set as Allowed VLANs on all FortiSwitch ports?

A. Sniffer VLAN

B. Camera VLAN

C. Quarantine VLAN

D. Voice VLAN


Correct Answer: A

Question 8:


What does DHCP snooping MAC verification do?

A. Drops DHCP release packets on untrusted ports

B. Drops DHCP packets with no relay agent information (option 82) on untrusted ports

C. Drops DHCP offer packets on untrusted ports

D. Drops DHCP packets on untrusted ports when the client hardware address does not match the source MAC address


Correct Answer: D

Reference: (note)

Question 9:


Which statement correctly describes the quest portal behavior on FortiAuthenticator?

A. Sponsored accounts cannot authenticate using guest portals.

B. FortiAuthenticator uses POST parameters and a RADIUS client configuration to map the request to a guest portal for authentication.

C. All guest accounts must be activated using SMS or email activation codes.

D. All self-registered and sponsored accounts are listed on the local Users GUI page on FortiAuthenticator.


Correct Answer: A


Question 10:


Examine the sections of the configuration shown in the following output:

new NSE7_SAC-6.2 dumps questions 10

What action will FortiGate take when using OCSP certificate validation?

A. FortiGate will reject the certificate if the OCSP server replies that the certificate is unknown.

B. FortiGate will use the OCSP server even when the OCSP URL field in the user certificate

contains a different OCSP server IP address.

C. FortiGate will use the OCSP server even when there is a different OCSP IP address in the ocsp-override-serveroption under config user peer.

D. FortiGate will invalidate the certificate if the OSCP server is unavailable.


Correct Answer: D


Question 11:


Refer to the exhibit.

Examine the packet capture shown in the exhibit, which contains a RADIUS access request packet sent by FortiSwitch to a RADIUS server.

new NSE7_SAC-6.2 dumps questions 11

Why does the User-Name field in the RADIUS access request packet contain a MAC address?

A. The FortiSwitch interface is configured for 802.1X port authentication with MAC address bypass, and the connected device does not support 802.1X.

B. FortiSwitch authenticates itself using its MAC address as the user name.

C. The connected device is doing machine authentication.

D. FortiSwitch is replying to an access challenge packet sent by the RADIUS server and requesting the client MAC address.


Correct Answer: D


Question 12:


Refer to the exhibits.

new NSE7_SAC-6.2 dumps questions 12

Examine the firewall policy configuration and SSID settings.

new NSE7_SAC-6.2 dumps questions 12-1

An administrator has configured a guest wireless network on FortiGate using the external captive portal. The administrator has verified that the external captive portal URL is correct. However, wireless users are not able to see the captive portal login page.

Given the configuration shown in the exhibit and the SSID settings, which configuration change should the administrator make to fix the problem?

A. Enable the captive-portal-exemptoption in the firewall policy with the ID 11.

B. Apply a guest.portal user group in the firewall policy with the ID 11.

C. Disable the user group from the SSID configuration.

D. Include the wireless client subnet range in the Exempt Source section.


Correct Answer: C


Question 13:


Refer to the exhibit.

Examine the configuration of the FortiSwitch security policy profile.

new NSE7_SAC-6.2 dumps questions 13

If the security profile shown in the exhibit is assigned on the FortiSwitch port for 802.1X.port authentication, which statement is correct?

A. Host machines that do support 802.1X authentication, but have failed authentication, will be assigned the guest VLAN.

B. All unauthenticated users will be assigned the auth-fail VLAN.

C. Authenticated users that are part of the wired-users group will be assigned the guest VLAN.

D. Host machines that do not support 802.1X authentication will be assigned the guest VLAN.


Correct Answer: C


Question 14:


Refer to the exhibit.

Examine the network topology shown in the exhibit.

new NSE7_SAC-6.2 dumps questions 14

Which port should have root guard enabled?

A. FortiSwitch A, port2

B. FortiSwitch A, port1

C. FortiSwitch B, port1

D. FortiSwitch B, port2


Correct Answer: A


Question 15:


Examine the following RADIUS configuration:

new NSE7_SAC-6.2 dumps questions 15

An administrator has configured a RADIUS server on FortiGate that points to FortiAuthenticator. FortiAuthenticator is acting as an authentication proxy and is configured to relay all authentication requests to a remote Windows AD server using LDAP.

While testing the configuration, the administrator notices that the diagnose test authservercommand works with PAP, however, authentication requests fail when using MSCHAPv2.

Which two changes should the administrator make to get MSCHAPv2 to work? (Choose two.)

A. Force FortiGate to use the PAP authentication method in the RADIUS server configuration.

B. Change the remote authentication server from LDAP to RADIUS on FortiAuthenticator.

C. Use MSCHAP instead of using MSCHAPv2

D. Enable Windows Active Directory Domain Authentication on FortiAuthenticator to add FortiAuthenticator to the Windows domain.


Correct Answer: BD



Latest Complete 30 NSE7_SAC-6.2 Certification Exam Questions With Answers Get Lead4Pass NSE7_SAC-6.2 Exam Dumps: (PDF+VCE)