Pass the Fortinet Fortinet Network Security Expert NSE5_FNC_AD_7.6 Questions and answers with CertsForce

TheFortiNAC-F Manager (FortiNAC-M)is designed as a centralized management platform for large-scale distributed environments where multiple FortiNAC-F Control and Application (CA) appliances are deployed across different sites. According to theFortiNAC-F Manager Administration Guide, the deployment of a Manager simplifies administrative overhead in three specific ways:

First, it providesGlobal Version Control (B). The Manager serves as a central repository for firmware and software updates, allowing administrators to push specific versions to all managed CAs simultaneously, ensuring consistency across the entire fabric. Second, it enablesPooled Licenses (D). Instead of purchasing and managing individual licenses for every CA, licenses are centralized on the Manager. The Manager then distributes these licenses to the CAs as needed based on their host counts. This "floating" license model optimizes cost and prevents individual sites from running out of capacity while others have excess. Third, it offersGlobal Visibility (E). The Manager aggregates host and device data from every managed CA into a single console. This "single pane of glass" allows an administrator to search for a specific MAC address or user across the entire global organization without logging into individual servers.

While the Manager can assist with configuration templates, authentication security policies (C) and infrastructure modeling (A) are still predominantly managed at the local CA level to ensure site-specific logic and performance.

"The FortiNAC Manager provides a central management console for multiple FortiNAC-F servers (CAs). Key benefits include: •License Management: Licenses are pooled on the Manager and allocated to managed CAs as needed. •Software Management: Firmware updates can be centrally managed and pushed to all CAs from the Manager. •Centralized Monitoring: Provides a global view of all hosts, adapters, and events across the entire managed environment." —FortiNAC-F Manager Administration Guide: Overview and Benefits.

In FortiNAC-F, theDevice Profileris a rule-based engine that evaluates unknown "rogue" devices and classifies them based on fingerprints and behavior. When a profiling rule matches a device, the administrator can configure the rule to automatically register that device. The registration process can place the device record in two primary locations: theTopology View(as a device) or theHost View(as a registered host).

According to theFortiNAC-F Administration Guide, registering a device in theHost Viewprovides significant advantages for identity management and historical tracking. First, the devices can beassociated with a user (C). In the FortiNAC database architecture, the Host View is the primary repository for endpoint identity; placing a profiled device here allows the system to link that hardware (MAC address) to a specific user account, whether that user is an employee, guest, or a system-level "owner". This association is essential for Role-Based Access Control (RBAC) and for tracking accountability across the network fabric.

Second, devices registered in the Host View will haveconnection logs (B). FortiNAC-F maintains a detailed operational history for all host records, including every instance of the device connecting to or disconnecting from a port, its IP address assignments, and the specific policies applied during each session. These logs are invaluable for troubleshooting connectivity issues and for security forensic audits, as they provide a clear timeline of the device's lifecycle on the network. In contrast, devices managed only in the Topology View are typically treated as infrastructure components where the focus is on device availability rather than individual session history.

"Devices that are registered and associated with a user are placed in theHost Viewand removed from the Profiled Devices window... Placing a device in the Host View allows for the tracking ofconnection historyand the association of the device with a specificidentity or user recordwithin the FortiNAC database." —FortiNAC-F Administration Guide: Device Profiler How it Works.

Questions no:22

Verified Answer: D

Comprehensive and Detailed 250 to 300 words each Explanation with Exact Matched Extract from FortiNAC-F Administrator library and documentation for current versions (including F 7.2, 7.4, and 7.6) documents:

In FortiNAC-F, the expiration of a guest or contractor account is determined by the configuration settings within theAccount Creation Wizardand the associatedGuest/Contractor Template. While a template can define a default "Account Duration" (as seen in the 12-hour setting in the second exhibit), theAccount Creation Wizardallows an administrator to manually specify or override the start and end parameters for a specific user session.

According to theFortiNAC-F Administration Guideregarding guest management, theAccount End Datefield in the creation wizard is the definitive timestamp for when the account object will be disabled or deleted from the system. In the provided exhibit (Account Creation Wizard), the administrator has explicitly set theAccount Start Dateto2025/09/12 08:00:00and theAccount End Dateto2025/09/13 17:00:00.

Even though the template indicates an "Account Duration" of 12 hours, this value typically serves as a pre-populated default. When a manual date and time are entered into the wizard, those specific values take precedence for that individual account. The account will remain active and valid until5:00 PM (17:00:00)on the following day,2025/09/13. It is also important to note the "Login Availability" from the template (8:00 AM - 7:00 PM); while the accountexistsuntil the 13th at 17:00:00, the user would only be able to authenticate during the active hours defined by the login schedule on both days.

"When creating an account, the administrator can select a template to provide default settings. However, specific values such as theAccount End Datecan be modified within theAccount Creation Wizard. The date and time specified in the 'Account End Date' field determines the absolute expiration of the account. Once this time is reached, the account is moved to an expired state and the user's network access is revoked." —FortiNAC-F Administration Guide: Guest and Contractor Account Management.

In FortiNAC-F,MAC notification traps(also known as MAC Move or MAC Change traps) are essential for achieving real-time visibility of endpoint connections and disconnections. When a device connects to a switch port, the switch generates an SNMP trap that informs FortiNAC-F of the new MAC address on that specific interface. This allows FortiNAC-F to immediately initiate the profiling and policy evaluation process without waiting for the next scheduled L2 poll.

According to theFortiNAC-F Administration GuideandSwitch Integrationdocumentation, MAC notification traps should be configured onall ports except uplink ports. Uplink ports are the interfaces that connect one switch to another or to the core network. Because these ports see the MAC addresses of every device on the downstream switches, enabling MAC notification on uplinks would cause the switch to send a massive volume of redundant traps to FortiNAC-F every time any device anywhere in the downstream branch moves or reconnects. This can overwhelm the FortiNAC-F process queue and degrade system performance.

By only enabling these traps on "edge" or "access" ports—where individual endpoints like PCs, printers, and VoIP phones connect—FortiNAC-F receives precise data regarding exactly where a device is physically located. Uplinks should be identified in the FortiNAC-F inventory as "Uplink" or "Learned Uplink," which tells the system to ignore MAC data seen on those specific ports.

"To ensure accurate host tracking and optimal system performance, SNMP MAC notification traps must be enabled on all access (downlink) ports.Do not enable MAC notification traps on uplink ports, as this will result in excessive and unnecessary trap processing. Uplink ports should be excluded to prevent the system from attempting to map multiple downstream MAC addresses to a single infrastructure interface." —FortiNAC-F Administration Guide: SNMP Configuration for Network Devices.

FortiNAC-F serves as a central manager for security events originating from a diverse ecosystem of third-party security appliances, such as FortiGate, Check Point, and Cisco. Each vendor utilizes its own internal scale forseverity levelswithin syslog messages (e.g., Check Point uses a 1–5 scale, while others may use 0–7). To provide a consistent response regardless of the source, FortiNAC-F usesSeverity Mappingsto normalize these incoming values.

According to theFortiNAC-F Administration Guide, severity mappings allow the administrator to translate vendor-specific threat levels into standardizedFortiNAC Security Levels(such as High, Medium, or Low Violation). When a syslog message arrives, the parser extracts the vendor's severity code, and the system immediately references theSecurity Event Severity Level Mappingstable to determine how that event should be categorized internally. This normalization is vital because it allows a singleSecurity Alarmto be configured to respond to any "High Violation" event, whether it was reported as a "Critical" by one vendor or a "Level 5" by another. Without these mappings, the administrator would have to create separate, redundant security rules for every vendor to account for their different naming conventions and numerical scales.

"Each vendor defines its own severity levels for syslog messages. The following table shows the equivalent FortiNAC security level... To normalize these events, configure theSeverity Level Mappingsfound in the device integration guides. This allows FortiNAC to generate a consistent security event that can then trigger an alarm regardless of the reporting vendor's specific terminology." —FortiNAC-F Administration Guide: Vendor Severity Levels and Syslog Management.

In FortiNAC-F, theRADIUS Attribute Groupsfeature allows administrators to return customized RADIUS attributes (such as specific VLAN IDs, filter IDs, or vendor-specific attributes) in anAccess-Acceptpacket sent back to a network device. This is particularly useful for supporting "Generic RADIUS" devices that are not natively supported but can be managed using standard AVPairs.

According to theFortiNAC-F Generic RADIUS Wired Cookbookand theRADIUS Attribute Groups sectionof the Administration Guide, there is one critical prerequisite for this feature to function: theinbound RADIUS request must contain the Calling-Station-ID attribute. The Calling-Station-ID typically contains theMAC addressof the connecting endpoint. Because FortiNAC-F is a host-centric system, it uses the MAC address as the unique identifier to look up the host record, evaluate the associated Network Access Policy, and determine which Logical Network (and thus which Attribute Group) should be applied. If the incoming request lacks this attribute, FortiNAC-F cannot reliably identify the host and, as a safety mechanism, willnot include any user-defined RADIUS attributesin the response. This ensures that unauthorized or unidentifiable devices do not receive privileged access through misapplied attributes.

"Configure a set of attributes that must be included in the RADIUS Access-Accept packet returned by FortiNAC...Requirement: Inbound RADIUS request must contain Calling-Station-Id. Otherwise, FortiNAC will not include the RADIUS attributes.This attribute is used to identify the host and its current state within the FortiNAC database." —FortiNAC-F 7.6.0 Generic RADIUS Wired Cookbook: Configure RADIUS Attribute Groups.

In FortiNAC-F, theGuest & Contractor Templateis a configuration object that defines the parameters for accounts created by sponsors or through self-registration. One of the critical security controls within this template is theLogin Availabilitysetting. This setting restricts the specific days and times during which a guest or contractor is permitted to authenticate and access the network.

As shown in the exhibit, the "StandardGuest" template hasLogin Availabilityset to"Specify Time", with a schedule defined asMon-Fri, 6:00 AM to 7:00 PM. If a guest user attempts to connect or authenticate at8:00 PM, which is outside of the permitted window, FortiNAC-F's policy engine will automatically deny the authentication request. When an authentication attempt is denied due to schedule restrictions, the system does not move the host into the "Authenticated" or "Registered" state required for production access. Instead, the host ismarked as non-authenticatedin the adapter or host view.

This behavior ensures that even if a guest possesses valid credentials, their access is strictly bound by the organizational policy for visitor hours. The host will typically remain in its current isolation or registration VLAN, and the user will see a message on the captive portal indicating that their account is not currently authorized for login. It is important to distinguish this from "at-risk" (C), which relates to security scan failures, or "rogue" (B), which typically refers to unknown devices that have not yet been associated with a valid account or profiling rule.

"Login Availabilitydefines the timeframe during which the guest or contractor account is valid for network access. This schedule is enforced at the time of authentication. If a user attempts to log in outside of the designated window, the authentication is rejected by the system. Consequently, the host record will reflect anon-authenticatedstatus, and the device will remain restricted to the isolation or registration network until a valid login window is reached." —FortiNAC-F Administration Guide: Guest and Contractor Templates Section.

The integration of FortiNAC-F withFortiGate VPNrequires a specific policy workflow to bridge the gap between initial user authentication and full network access. When a user connects to the VPN, the FortiGate typically provides the User ID and IP address, but FortiNAC-F requires aMAC addressto uniquely identify and manage the endpoint's record.

According to theFortiGate VPN Integration Guide, theEndpoint Compliance Policyis a mandatory component of this setup because it is used todesignate the required agent type. Because a VPN connection is Layer 3, FortiNAC cannot "see" the MAC address through traditional SNMP or L2 polling. The compliance policy instructs the system to present aCaptive Portalto the remote user, requiring them to download and run either thePersistentorDissolvable Agent. The agent then reports the device's MAC address back to FortiNAC, allowing the system to correlate the VPN session with a host record.

Once the agent is running and the MAC is known, FortiNAC-F can evaluate the device's security posture (if scanning is configured) and send the necessaryFSSO tagsback to the FortiGate to lift the initial network restrictions. Without the compliance policy to enforce the agent requirement, the connection would remain in an isolated "IP-only" state with no unique hardware identity.

"TheEndpoint Compliance Policyis necessary to control the agent requirement for VPN users. Create a default VPN Endpoint Compliance Policy todistribute an agentvia captive portal for isolated machines. This policy allows the administrator todesignate the required agent type(Persistent or Dissolvable) that will be used to collect the hardware (MAC) address and perform health scans on the remote endpoint." —FortiNAC FortiGate VPN Integration Guide: Default Endpoint Compliance Policy (Optional) Section.

In FortiNAC-F,Port Groupsare used to apply specific enforcement behaviors to switch ports. When a port is assigned to an enforcement group, such asForced RegistrationorForced Remediation, FortiNAC-F overrides normal policy logic to force all connected adapters into that specific state. The exhibit shows a port (IF#13) with "Multiple Hosts" connected, which is a common scenario in environments using unmanaged switches or hubs downstream from a managed switch port.

According to theFortiNAC-F Administrator Guide, it is possible for a single port to be a member of multiple port groups. However, when those groups have conflicting enforcement actions—such as one group forcing a registration state and another forcing a remediation state—FortiNAC-F utilizes aranking systemto resolve the conflict. In the FortiNAC-F GUI underNetwork > Port Management > Port Groups, each group is assigned a rank. The system evaluates these ranks, andonly the higher ranked enforcement group is appliedto the port. If a port is in both a Forced Registration group and a Forced Remediation group, the group with the numerical priority (rank) will dictate the VLAN and access level assigned to all hosts on that port.

This mechanism ensures consistent behavior across the fabric. If the ranking determines that "Forced Registration" is higher priority, then even a known host that is failing a compliance scan (which would normally trigger Remediation) will be held in the Registration VLAN because the port-level enforcement takes precedence based on its rank.

"A port can be a member of multiple groups. If more than one group has an enforcement assigned, the group with thehighest rank(lowest numerical value) is used to determine the enforcement for the port. When a port is placed in a group with an enforcement, that enforcement is applied toall hostsconnected to that port, regardless of the host's current state." —FortiNAC-F Administration Guide: Port Group Enforcement and Ranking.