Fortinet NSE 4 Infrastructure 03 Fortinet Single Sign-On (FSSO) 69 Questions with Verified Answers
When using FSSO, what entity authenticates the user? - CORRECT ANSWER The domain controller
What are the two working modes available for FSSO in a Windows environment? - CORRECT ANSWER DC Agent Mode and Polling Mode
Which Windows FSSO working mode is intended to be used on simple network with a minimal number of users? - CORRECT ANSWER Polling mode
Which FSSO agent is available exclusively for Citrix and Terminal Services environments? - CORRECT ANSWER Terminal Server (TS) Agent
TS agents require one of two available technologies to collect and send login events to FortiGate. What are they? - CORRECT ANSWER Either a Windows Active Directory collector agent or FortiAuthenticator
What is the name of the FSSO agent that is installed on a Novell network? - CORRECT ANSWER eDirectory Agent
The eDirectory agent can obtain information from Novell eDirectory using one of two methods. What are they? - CORRECT ANSWER Novell API or LDAP
FSSO passive user identification is based on what three pieces of information? - CORRECT ANSWER 1. User ID
2. IP address
3. Group membership
Is a collector agent required on a Windows server environment? What is its purpose? - CORRECT ANSWER Yes, it consolidates events received from the DC agents, then forwards them to FortiGate
Where is the Windows collector agent installed? - CORRECT ANSWER On a Windows server that is a member of the domain you are monitoring
By default, both the DC agent and the collector agent perform a DNS lookup to confirm the IP address that should be associated with a user. To prevent double DNS resolution, you can configure this registry key.
HKLM/Software/Fortinet/FSAE/dcagent/donot_resolve = 1 (DWORD)
Where is the registry key entered? - CORRECT ANSWER On the domain controller
The collector agent communicates with FortiGate using what protocol and port number by default? - CORRECT ANSWER TCP 8000
The collector agent listens for updates from the DC agents using what protocol and port number? - CORRECT ANSWER UDP 8002
Where are agents installed in a collector agent-based polling mode? - CORRECT ANSWER On a Windows server in the domain only (i.e., an agent is not required on the DCs)
What three methods can be used for Collector Agent-Based Polling Mode? - CORRECT ANSWER 1. NetAPI
2. WinSecLog
3. WMI
For Collector Agent-Based Polling Mode, which method does NOT require that event logging be enabled on the DCs? - CORRECT ANSWER NetAPI
When using the WinSecLog method of Collector Agent-Based Polling Mode, what protocol and port is used by default to poll the DC for user login events? - CORRECT ANSWER SMB (TCP port 445)
With Collector Agent-Based Polling Mode, what is the ranking of most recommended to least recommended method? - CORRECT ANSWER 1. WMI (most)
2. WinSecLog
3. NetAPI (least)
Of the Collector Agent-Based Polling Mode methods, which is the fastest? - CORRECT ANSWER WMI
Of the Collector Agent-Based Polling Mode methods, which requires fast network links? - CORRECT ANSWER WinSecLog
Of the Collector Agent-Based Polling Mode methods, which has the most potential to miss some login events? - CORRECT ANSWER NetAPI
Of the Collector Agent-Based Polling Mode methods, which polls the NetSessionEnum function? - CORRECT ANSWER NetAPI
Of the Collector Agent-Based Polling Mode methods, which returns login events approximately every 3 seconds? - CORRECT ANSWER WMI
Of the Collector Agent-Based Polling Mode methods, which returns login events approximately every 10 seconds (or longer based on number of events and network latency)? - CORRECT ANSWER WinSecLog
Of the Collector Agent-Based Polling Mode methods, which is actually retrieving the authentication session held in RAM? - CORRECT ANSWER NetAPI
Agentless Polling (i.e. polling directly from FortiGate) operates similarly to which Collector Agent-Based Polling Mode method? - CORRECT ANSWER WinSecLog
Agentless Polling (i.e. polling directly from FortiGate) only polls which Event IDs from the Windows logs? - CORRECT ANSWER 4768 & 4769
Between DC Agent Mode and Polling Mode, which has the most complex installation? - CORRECT ANSWER DC Agent Mode
Between DC Agent Mode and Polling Mode, which is the most scalable? - CORRECT ANSWER DC Agent Mode
Between DC Agent Mode and Polling Mode, which is the least reliable? - CORRECT ANSWER Polling Mode
What is the high-level process for configuring Agentless Polling Mode? - CORRECT ANSWER 1. On FortiGate, navigate to Security Fabric > External Connectors
2. Add External Connector for Poll Active Directory Server and configure the IP addresses and AD Admin credentials
3. Add the LDAP Server to the Poll Active Directory Server configuration (required to retrieve user group information)
If using either DC Agent Mode or Collector Agent-based Polling Mode, what External Connector must be configured? - CORRECT ANSWER FSSO Agent on Windows AD
The FSSO Agent on Windows AD External Connector can identify user groups using one of which two methods? - CORRECT ANSWER Collector Agent or Local
Is it necessary that the FSSO agent version matches the FortiGate firmware version? - CORRECT ANSWER No
Is it necessary that the DC Agent version matches the Collector Agent version? - CORRECT ANSWER Yes
By default, the agent uses which account? - CORRECT ANSWER Whatever account was used to install the agent
Is it best practice to use Standard or Advanced mode on the agents? - CORRECT ANSWER Advanced
What is the minimum number of Windows AD user groups supported by FortiGate? - CORRECT ANSWER 256
In order to perform user group filtering from FortiGate instead of from the agent, what mode must the agent be running in? - CORRECT ANSWER Advanced
True/False? If you change the AD access mode from Standard to Advanced or vice versa, you must recreate the filters because they vary depending on the mode. - CORRECT ANSWER True
What service does the Collector Agent use on the remote Windows workstation to verify if a user is still logged on? - CORRECT ANSWER The remote registry service
By default, how often does the collector agent verify if a user is still logged on? - CORRECT ANSWER 5 minutes
What happens if you set the Workstation verify interval to 0 minutes on the collector agent? - CORRECT ANSWER It disables workstation verification
If the collector agent cannot connect to a workstation, what does it change the user status to? - CORRECT ANSWER not verified
What port numbers does the collector agent use to connect to the remote workstation in order to verify if a user is still logged in? - CORRECT ANSWER 139 or 445
From the perspective of FortiGate, what is the difference between entries that are OK and not verified? - CORRECT ANSWER There is no difference, they are both valid
What is the default Dead entry timeout interval in minutes? - CORRECT ANSWER 480
In the collector agent, what is the purpose of the IP address change verify interval? - CORRECT ANSWER It configures how frequently the agent checks the IP addresses of logged-in users and updates FortiGate when a user's IP address changes
What is the main difference between Standard and Advanced modes in the FSSO Agent? - CORRECT ANSWER Name convention (Standard uses NetBIOS, Advanced uses LDAP convention)
Which FSSO Agent mode supports nested or inherited groups? - CORRECT ANSWER Advanced
Which FSSO Agent mode allows FortiGate to apply security profiles to individual users, user groups, and OUs? - CORRECT ANSWER Advanced
When the FSSO Agent is running in Advanced mode, where can you configure group filters? - CORRECT ANSWER On FortiGate or the Collector Agent
Even though you can configure group filters from either FortiGate or the Collector agent when the FSSO Agent is running in Advanced mode, where is the recommended configuration location? - CORRECT ANSWER From the Collector Agent
In addition to Windows servers, what are the four other types of servers from which login/logout events can be polled? - CORRECT ANSWER 1. Citrix/Terminal Server
2. Exchange
3. RADIUS
4. Syslog
If only passive FSSO authentication is employed and a user is not part of an FSSO group, to what Fortinet built-in group are they added? - CORRECT ANSWER SSO_Guest_Users
Which four AD Group types are supported? - CORRECT ANSWER 1. Security groups
2. Universal groups
3. Groups inside OUs
4. Local or universal groups that contain universal groups from child domains (only with Global Catalog)
If you have collector agents using either the DC agent mode or the collector agent-based polling mode, which fabric connector should you select on FortiGate? - CORRECT ANSWER Fortinet Single Sign-On Agent
On the FSSO Collector Agent, what are the four options available for Minimum Severity Level of logged messages? - CORRECT ANSWER 1. Debug
2. Information
3. Warning (Default)
4. Error
On the FSSO Collector Agent, what is the default Log level? - CORRECT ANSWER Warning
On the FSSO Collector Agent, what is the recommended Log level for most troubleshooting? - CORRECT ANSWER Information
On the Collector Agent configuration, what is the effect of checking the Log login events in separate logs checkbox? - CORRECT ANSWER A summary of events sent and removed from FortiGate is listed under the View Logon Events, while all other information remains under View Log
What is the purpose of the following command?
diagnose debug authd fsso list - CORRECT ANSWER It displays the list of currently logged-in FSSO users
What is the purpose of the following command?
execute fsso refresh - CORRECT ANSWER It is used to manually refresh user group information from any directory service servers connected to FortiGate, using the collector agent
What is the purpose of the following commands?
diagnose debug enable
diagnose debug authd fsso server-status - CORRECT ANSWER It shows the status of communication between FortiGate and each collector agent
What is the purpose of the following command?
diagnose debug fsso-polling detail - CORRECT ANSWER It displays status information and some statistics related to the polls done by FortiGate on each DC in agentless polling
After issuing the diagnose debug fsso-polling detail command, what does it mean when the read log offset value is increasing? - CORRECT ANSWER FortiGate is connecting to and reading the logs on the DC
What is the name of the FortiGate daemon that handles polling mode? - CORRECT ANSWER fssod
Which logging level shows the login events on the collector agent? - CORRECT ANSWER Information
The command diagnose debug fsso-polling detail displays information for which mode of FSSO?
A. Agentless polling
B. Collector agent-based polling - CORRECT ANSWER A. Agentless polling