Pass the Fortinet NSE 7 Network Security Architect NSE7_LED-7.0 Questions and answers with CertsForce

According to the exhibits, the administrator has configured an automation stitch to automatically quarantine compromised devices based on FortiAnalyzer’s threat detection services. However, according to the FortiAnalyzer logs, the test device is not detected as compromised by FortiAnalyzer, even though it tried to access a malicious website. Therefore, option B is true because FortiAnalyzer does not have a valid threat detection services license, which is required to enable the threat detection services feature. Option D is also true because FortiAnalyzer does not consider the malicious website an indicator of compromise (IOC), which is a criterion for identifying compromised devices. Option A is false because the web filtering rating service is working, as shown by the log entry that indicates that the test device accessed a URL with a category of “Malicious Websites”. Option C is false because the device does not need to have FortiClient installed to be quarantined by FortiGate, as long as it is connected to a managed FortiSwitch device.

Based on the provided exhibit and Fortinet's official documentation for FortiOS and FortiSwitch, particularly the NSE 7 - LAN Edge 7.0 materials and the FortiSwitch Administration Guide, the behavior of the FortiSwitch security policy can be analyzed as follows:

The exhibit shows a FortiSwitch security policy configured with the following key settings:

Security mode:Port-based

User groups:FAC-Lab-User (a wired user group)

Guest VLAN:Set to "onboarding"

Guest authentication delay:30 seconds

Authentication fail VLAN:Set to "quarantine"

MAC authentication bypass:Disabled

EAP pass-through:Enabled

Override RADIUS timeout:Disabled

Analysis of the Scenario:

The question specifies that a device that does not support 802.1X authentication is connected to a port using this Port-Security security policy. Since the device does not support 802.1X, it cannot perform the standard 802.1X authentication process. The FortiSwitch will then evaluate alternative configurations to determine the port's behavior:

Guest VLAN Configuration:The Guest VLAN is set to "onboarding." According to Fortinet documentation, when a device fails to authenticate via 802.1X (e.g., due to lack of support), and a Guest VLAN is configured, the FortiSwitch assigns the port to the specified Guest VLAN after the guest authentication delay period (30 seconds in this case). The "onboarding" VLAN is typically used to place unauthenticated devices in a restricted network segment where they can be redirected to a captive portal or other onboarding process.

Authentication Fail VLAN:The Authentication Fail VLAN is set to "quarantine," which would apply if authentication fails after an attempt. However, since the device does not support 802.1X, no authentication attempt is made, and this setting does not trigger unless an authentication process is initiated and fails.

MAC Authentication Bypass:This option is disabled, so the FortiSwitch will not attempt to authenticate the device using its MAC address as the username and password.

EAP Pass-Through:This is enabled, allowing EAP frames to pass through to an external RADIUS server, but it is irrelevant here since the device does not support 802.1X.

Port Shutdown:There is no indication in the configuration or Fortinet documentation that the port will be shut down for a device that does not support 802.1X when a Guest VLAN is configured.

Conclusion:

When a device does not support 802.1X authentication and the security policy is set to Port-based with a Guest VLAN configured (set to "onboarding"), the FortiSwitch assigns the port to the Guest VLAN (onboarding) after the guest authentication delay (30 seconds). This behavior is consistent with Fortinet's design for handling unauthenticated devices in a secure network environment, as outlined in the FortiSwitch Port Security and VLAN assignment sections of the official documentation.

Why not the other options?

B. FortiSwitch shuts down the port:This action would occur only if the port security policy is configured to shut down the port upon authentication failure or violation (e.g., with a limit on MAC addresses), which is not indicated in this configuration.

C. FortiSwitch assigns the port to the quarantine VLAN:The quarantine VLAN is configured as the Authentication Fail VLAN, which applies only after an unsuccessful authentication attempt. Since no 802.1X authentication is attempted due to the device's lack of support, this does not apply.

D. FortiSwitch authenticates the device using the device MAC address as username and password:This requires MAC authentication bypass to be enabled, which it is not in this configuration.

Source Verification:

The answer is verified through the FortiSwitch Administration Guide (FortiOS 7.0) and NSE 7 - LAN Edge 7.0 training materials, specifically the sections on Port Security, 802.1X, and VLAN assignment for unauthenticated devices.

According to the FortiGate Administration Guide, “To enable HTTPS authentication, you must enable HTTP redirect in the user authentication settings. This redirects HTTP requests to HTTPS. You must also update the captive portal URL to use HTTPS on both FortiGate and FortiAuthenticator.” Therefore, options B and D are true because they describe the changes that the administrator must make to enforce HTTPS authentication for the captive portal. Option A is false because creating a new SSID with the HTTPS captive portal URL is not required, as the existing SSID can be updated with the new URL. Option C is false because disabling HTTP administrative access on the guest SSID will not enforce HTTPS connection, but rather block HTTP connection.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-secure-authentication-HTTPS-on-a-FortiGate/ta-p/192486

According to the exhibit, the network topology and SSID settings show that FortiGate is configured to use an external captive portal hosted on FortiAuthenticator, which is connected to a Windows AD server for user authentication. However, wireless users are not able to see the captive portal login page, which means that they are not redirected to the external captive portal URL. Therefore, option B is true because adding the FortiAuthenticator and WindowsAD address objects as exempt destinations services will allow the wireless users to access the external captive portal URL without being blocked by the firewall policy. Option A is false because enabling NAT in the firewall policy with the ID 13 will not affect the redirection to the external captive portal URL, but rather the source IP address of the wireless traffic. Option C is false because enabling the captive-portal-exempt option in the firewall policy with the ID 12 will bypass the captive portal authentication for the wireless users, which is not the desired outcome. Option D is false because removing the guest.portal user group in the firewall policy with the ID 12 will prevent the wireless users from being authenticated by FortiGate, which is required for accessing the external captive portal.

According to the FortiSwitch Administration Guide, “MAC-based 802.1X security mode allows you to authenticate each device connected to a port using its MAC address as the username and password.” Therefore, option B is true because it describes the MAC-based 802.1X security mode available on FortiSwitch. Option D is also true because FortiSwitch can grant different access levels to each device connected to the port based on the user group and security policy assigned to them. Option A is false because FortiSwitch does not authenticate a single device and open the port to other devices connected to the port, but rather authenticates each device individually. Option C is false because MAC-based 802.1X security mode can be used in conjunction with MAC authentication bypass (MAB) or EAP pass-through modes, which are fallback options for non-802.1X devices.