An administrator wants FortiNAC-F to pass firewall tags to FortiGate to leverage dynamic address groups used in firewall policies. On FortiNAC-F, what determines the values that are passed?
The correct answer is A . FortiNAC-F passes firewall tags to FortiGate through Security Fabric integration so FortiGate can use those values as dynamic address groups in firewall policies. The study guide explains that firewall tags are administrator-defined string values and that FortiNAC-F dynamically assigns them based on a security policy or logical network. More specifically for network access enforcement, it states that the network access configuration defines the logical network , and the logical network defines the firewall tag through the device model configuration .
This is the same mechanism used in VPN and Fabric workflows: the FortiGate device model contains the mappings of logical networks to the actual tags or groups that FortiNAC-F sends to FortiGate. The guide states that FortiNAC-F network access policies and logical networks determine the group or tag information, while the FortiGate model configuration contains the mappings used for the values sent.
Option B is not the best answer because a device profiling rule can classify a device and may cause it to match a policy, but it does not directly define the FortiGate tag value sent for policy enforcement. Option C can apply firewall tags in security automation scenarios, but the standard FortiGate dynamic address group mapping is defined in model configuration. Option D is unrelated; RADIUS attributes are used in RADIUS access responses, not FortiGate Fabric tag propagation.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit