Fortinet FCP_FCT_AD-7.4 Fortinet NSE 6 - FortiClient EMS 7.4 Administrator Exam Practice Test

"The firewall policy matches and redirects client requests to the access proxy VIP"https://docs.fortinet.com/document/fortigate/7.0.0/new-features/194961/basic-ztna-configuration

According to theFortiClient EMS Administration Guide(specifically the sections onMultitenancy), when multitenancy is enabled, the system introduces specific administrator roles to manage the separation between global settings and individual sites.

1. The Settings Administrator Role (Answer B)

Specific Scope:TheSettings administratoris a specialized role designed to haveaccess to the global site only.

Permissions:This role can access all configuration options on the global site, with the notable exception ofadministrator configuration(they cannot create or manage other admin accounts).

Use Case:This is typically used for auditors or system managers who need to oversee global-level configurations without needing access to specific endpoint data within individual sites or the power to modify administrative users.

2. Comparison with Other Multitenancy Roles

Super administrator:This role hasunlimited accessto the global site andall other siteswithin the EMS instance.

Site administrator:This role is restricted tospecified sites onlyand hasno access to the global site.

Standard administrator (Answer C):This is a generic role level within a site or a single-tenant environment but is not the role that defines "global-only" access in a multitenant setup.

Tenant administrator / Global administrator:While these terms are common in general IT, FortiClient EMS documentation specifically uses the titlesSuper,Settings, andSiteadministrators for multitenancy management.

3. Curriculum References

FortiClient EMS 7.2/7.4 Study Guide (Multitenancy Chapter):Explicitly lists "Settings administrator" as the role providing access to the global site only.

Admin Roles Table:The documentation provides a comparison table where the Settings Administrator's scope is strictly defined as "Global site only".

Based on the configuration shown in the exhibits:

There are three endpoint policies configured: Training, Sales, and Default.

The "Training" policy is assigned to the "trainingAD.training.lab" group.

The "Sales" policy is assigned to "All Groups" and "trainingAD.training.lab/student."

The "Default" policy has no specific groups assigned.

When someone logs in with the user account "student" on an endpoint in the "trainingAD" domain:

The "Training" policy is specifically assigned to the "trainingAD.training.lab" group.

The "Sales" policy includes "trainingAD.training.lab/student" but not the general "trainingAD.training.lab" group.

The system will prioritize the most specific match for the group.

Therefore, FortiClient EMS will assign the "Training" policy to the "student" account logging into the "trainingAD" domain as it matches the group "trainingAD.training.lab" directly.

References

FortiClient EMS 7.2 Study Guide, Endpoint Policy Configuration Section

FortiClient EMS Documentation on Group Policy Assignment and Matching

Based on theFortiClient EMS 7.2/7.4 Administration Guideand theEMS Administrator Study Guide, the integration with Active Directory (AD) provides several automated management capabilities.

1. Analysis of the True Statements:

B. FortiClient installations on domain endpoints can be deployed from FortiClient EMS:

FortiClient EMS allows administrators to createDeployment Profilesspecifically for Windows endpoints discovered via AD.

By providingAD administrator credentialswithin the deployment profile, EMS can remotely push the FortiClient MSI installer to domain-joined endpoints that do not yet have the software installed.

C. Endpoint profiles can be assigned to endpoints based on domain groups:

The core benefit of AD integration is the ability to mapEndpoint Policiesto specificAD Organizational Units (OUs)orSecurity Groups.

When an endpoint policy is assigned to an AD group, all FortiClient endpoints belonging to that group automatically receive the associated security profiles (Antivirus, Web Filter, VPN, etc.) defined within that policy.

2. Why Other Options are Incorrect/Secondary:

A. FortiClient EMS has full read-write access on the AD server:

The curriculum states explicitly that theLDAP/AD connection is read-only.

EMS cannot modify AD objects, create users, or change group memberships; it only synchronized information from the AD server to the EMS database.

D. Imported AD endpoints cannot be directly deleted on FortiClient EMS:

While technically true in a functional sense (deleting a synced endpoint will result in it being re-added during the next sync unless it is removed from the AD OU), the curriculum typically prioritizesB and Cas the primary functional "features" of the integration.

Note that the guide specifies the "Delete" action in the Endpoints pane is restricted tonon-domain devicesto prevent synchronization conflicts.

3. Summary of Integration Features:

Sync Schedule:EMS periodically syncs with AD (default every 10 minutes) to update the endpoint list.

Policy Automation:Moving a user or computer to a different group in AD will cause EMS to automatically update their security posture based on the new group's assigned policy.

For adding user authentication to the ZTNA access for remote or off-fabric users, the following FortiGate feature is required in addition to ZTNA:

FortiGate explicit proxyallows FortiGate to intercept web traffic for authentication purposes.

ZTNA integrates with various FortiGate features to provide secure access and ensure that users are authenticated before accessing resources.

By using an explicit proxy, FortiGate can handle web traffic and enforce authentication policies for remote users who are not directly on the corporate network (off-fabric).

Thus, the correct feature to use for this requirement is the FortiGate explicit proxy.

References

FortiGate Security 7.2 Study Guide, ZTNA and Proxy Configuration Sections

Fortinet Documentation on FortiGate Explicit Proxy and ZTNA Integration

Observation of ZTNA Traffic Log:

The log message indicates that the remote user connection was denied due to failure to match a proxy policy.

Evaluating Log Message:

The message suggests that the connection does not match the existing ZTNA rule configuration, leading to the denial.

Conclusion:

The correct conclusion from the log message is that the remote user connection does not match the ZTNA rule configuration (B).

Block Malicious Website has nothing to do with infected files. Since Realtime Protection is OFF, it will be allowed without being scanned.

Based on the settings shown in the exhibit:

Realtime Protection:OFF

Dynamic Threat Detection:OFF

Block malicious websites:ON

Threats Detected:75

The "Realtime Protection" setting is crucial for preventing infected files from being downloaded and executed. Since "Realtime Protection" is OFF, FortiClient will not actively scan files being downloaded. The setting "Block malicious websites" is intended to prevent access to known malicious websites but does not scan files for infections.

Therefore, when a user tries to download an infected file, FortiClient will allow the file to download without scanning it due to the Realtime Protection being OFF.

References

FortiClient EMS 7.2 Study Guide, Antivirus Protection Section

Fortinet Documentation on FortiClient Real-time Protection Settings

Deployment Profiles Analysis:

Deployment-1 has the "First-Time-Installation" package and is assigned to "All Groups" with a priority of 1 but is not enabled.

Deployment-2 has the "To-Upgrade" package, is assigned to both "All Groups" and "trainingAD.training.lab," with a priority of 2 and is enabled.

Evaluating Deployment-2:

Deployment-2 will upgrade FortiClient on both "All Groups" and "trainingAD.training.lab" since it is enabled and assigned to these groups. This includes both AD (Active Directory) groups and workgroups.

Conclusion:

Since Deployment-2 is set to upgrade FortiClient on all the assigned groups and workgroups, the correct answer is A.

Based on the CLI output from FortiGate:

The configuration shows the use of "type fortiems," indicating that FortiGate is set up to interact with FortiClient EMS.

The "server" field points to an IP address (10.0.1.200), which is typically the address of the FortiClient EMS server.

The configuration includes an SSL-enabled connection, which is a common setup for secure communication between FortiGate and FortiClient EMS.

Thus, the configuration indicates that FortiGate is set up to pull user groups from FortiClient EMS.

References

FortiGate Security 7.2 Study Guide, FSSO Configuration Section

Fortinet Documentation on FortiGate and FortiClient EMS Integration

FortiClient EMS is the component that shares ZTNA tag information through Security Fabric integration. ZTNA tags are synchronized from FortiClient EMS as inputs for the FortiGate application gateway. They can be used in ZTNA policies as security posture checks to ensure certain security criteria are met. FortiClient EMS can share ZTNA tags across multiple devices in the Fabric, such as FortiGate, FortiManager, and FortiAnalyzer. FortiClient EMS can also share ZTNA tags across multiple VDOMs on the same FortiGate device. FortiClient EMS can be configured to control the ZTNA tag sharing behavior in the Fabric Devices settings1.

FortiGate is the device that enforces ZTNA policies using ZTNA tags. FortiGate can receive ZTNA tags from FortiClient EMS via Fabric Connector. FortiGate can also publish ZTNA services through the ZTNA portal, which allows users to access applications without installing FortiClient. FortiGate can also provide ZTNA inline CASB for SaaS application access control2.

FortiGate Access Proxy is a feature that enables FortiGate to act as a proxy for ZTNA traffic. FortiGate Access Proxy can be deployed in front of the application servers to provide ZTNA protection. FortiGate Access Proxy can also be deployed behind the application servers to provide ZTNA visibility. FortiGate Access Proxy can use ZTNA tags to identify and authenticate users and devices2.

FortiClient is the endpoint software that connects to ZTNA services. FortiClient can register ZTNA tags with FortiClient EMS based on the endpoint security posture. FortiClient can also use ZTNA tags to access ZTNA services published by FortiGate. FortiClient can also use ZTNA tags to access SaaS applications with ZTNA inline CASB2.

References :=

Technical Tip: Behavior of ZTNA Tags shared across multiple vdoms or multiple FortiGate firewalls in the Security Fabric connected to the same FortiClient EMS Server

Synchronizing FortiClient ZTNA tags

Zero Trust Network Access (ZTNA) to Control Application Access

Understanding Compliance Rules:

The compliance rule for the sales department needs to be enforced dynamically.

Enforcing Compliance:

FortiGate is responsible for enforcing compliance by integrating with FortiClient EMS to apply dynamic access control based on compliance status.

Conclusion:

The Fortinet device that will enforce compliance with dynamic access control is the FortiGate.

According to theFortiClient EMS 7.2/7.4 Administration GuideandFortiAuthenticator Study Guides, theSingle Sign-On Mobility Agent (SSOMA)is a feature specifically designed to integrate withFortiAuthenticatorto provide transparent, identity-based authentication.

1. Integration with FortiAuthenticator (Answer A)

The SSOMA Service:The mobility agent service is hosted on theFortiAuthenticatorunit. Administrators must navigate toFortinet SSO Methods > SSO > Generalon the FortiAuthenticator and toggle onEnable FortiClient SSO Mobility Agent Service.

Communication Protocol:FortiClient communicates with FortiAuthenticator via a specified TCP listening port (defaulting to8001or8005) and uses apre-shared key(secret key) for authentication.

Transparent Authentication:Once configured, the SSOMA on the endpoint automatically sends user logon information and IP address changes (such as WiFi roaming) to FortiAuthenticator. FortiAuthenticator then shares this information with FortiGate units to enforce identity-based security policies without the user needing to re-authenticate manually.

2. Modern Capabilities (Azure AD / Entra ID)

Cloud Integration:In FortiClient 7.2.1 and later, SSOMA supportsnative Azure AD (Entra ID). In this mode, the agent sends the Azure AD domain and tenant ID directly to FortiAuthenticator, allowing organizations to create identity-based policies for cloud-joined devices.

3. Note on FortiPAM (Option C)

Recent Updates:While recent FortiClient EMS 7.4 documentation mentions an"Add FortiPAM agent to SSOMA"feature, this is an extension of the existing SSOMA framework. The core product that defines and runs the SSOMA service for general Single Sign-On (SSO) remainsFortiAuthenticator.

4. Why Other Options are Incorrect

B. FortiSASE:While FortiSASE uses FortiClient for Secure Internet Access (SIA), it uses different mechanisms (like SAML or the SASE cloud portal) for user identity rather than the specific SSOMA agent service.

D. FortiNAC:FortiNAC uses FortiClient for persistent agent-based posture assessment and scanning, but it does not utilize the SSOMA mobility agent for user-to-IP mapping.

Based on the Zero Trust Tagging Rule Set configuration shown in the exhibit:

The rule set includes two conditions:

AV Software is installed and running

OS Version is Windows Server 2012 R2 or Windows 10

The Rule Logic is specified as "(1 and 3) or 2," meaning:

The endpoint must have antivirus software installed and running and must be running Windows 10.

Alternatively, the endpoint must be running Windows Server 2012 R2.

Therefore, the endpoint must satisfy either:

Antivirus is installed and running and Windows 10 is running.

Windows Server 2012 R2 is running.

References

FortiClient EMS 7.2 Study Guide, Zero Trust Tagging Rule Set Configuration Section

Fortinet Documentation on Configuring Zero Trust Tagging Rules and Logic

FortiClient communicates directly with FortiClient EMS to continuously share device status information through ZTNA telemetry.

Understanding Quick Scan Function:

The quick scan option on FortiClient is designed to scan certain elements of the system quickly for threats.

Evaluating Scan Scope:

The quick scan specifically targets executable files, DLLs, and drivers that are currently running, providing a rapid assessment of the active components of the system.

Conclusion:

The correct answer is D, as it accurately describes the function of the quick scan option on FortiClient.

According to theFortiClient EMS Administrator Study Guideand theFortinet Document Library (7.2/7.4 versions), the most effective method for deploying FortiClient toBYOD (Bring Your Own Device)andremote usersis usingMicrosoft Intune(or other supported Mobile Device Management - MDM solutions).

1. Why Microsoft Intune (Answer C) is the Correct Choice:

Cloud-Based Accessibility:Unlike GPO or SCCM, which traditionally require a direct connection to the local Active Directory (AD) domain or a VPN to reach the on-premises infrastructure, Microsoft Intune is a cloud-based MDM. This makes it the native choice forremote userswho may not always be on the corporate network.

BYOD Management:Intune is specifically designed to manage a variety of operating systems (Windows, macOS, iOS, Android) that are common in BYOD environments. It allows administrators to push the FortiClient installation package and enrollment configuration (such as the invitation_code or ems_server details) directly to the user's device via the cloud.

Integration with EMS:FortiClient EMS 7.2/7.4 provides specific documentation forIntune Integration. Administrators can create a custom MSI or .pkg installer in EMS, upload it to Intune, and use Intune’s app configuration policies to automate the Telemetry connection to EMS.

2. Why Other Options are Incorrect for this Scenario:

A. FortiClient zero-touch provisioning:While FortiClient supports zero-touch provisioning (particularly for mobile or through FortiCloud), in the context of a "deployment tool" for an organization's broad BYOD and remote fleet, it is typically afeatureorprocessfacilitated by an MDM like Intune rather than the standalone deployment mechanism for the initial software package on third-party remote devices.

B. Microsoft SCCM:SCCM (now part of Microsoft Configuration Manager) is heavily reliant on on-premises infrastructure and is generally used for corporate-owned, domain-joined devices. It is less flexible than Intune for managing "unmanaged" BYOD devices belonging to remote users.

D. Group Policy Object (GPO):GPO requires the device to be joined to theActive Directory (AD) Domain. BYOD devices are typically not domain-joined, and remote devices cannot receive GPO updates unless they are connected via VPN at the time of the policy refresh, making it unsuitable for this specific use case.

3. Curriculum References:

EMS Administration Guide (Deployment Section):Specifies that for endpoints not reachable via AD/Workgroups (which covers remote and BYOD), administrators should use theInstaller Linkmethod or anMDM (like Microsoft Intune).

Intune Deployment Guide for FortiClient:Detail the specific use ofConfiguration Keys(e.g., cloud_invite_code, ems_server) that are passed from Intune to the FortiClient app to ensure that once the remote user installs the app, it automatically registers to the correct EMS instance.

ZTNA (Zero Trust Network Access) is a security architecture that is designed to provide secure access to network resources for users, devices, and applications. It is based on the principle of "never trust, always verify," which means that all access to network resources is subject to strict verification and authentication.

Two functions of ZTNA are:

ZTNA provides a security posture check: ZTNA checks the security posture of devices and users that are attempting to access network resources. This can include checks on the device's software and hardware configurations, security settings, and the presence of malware.

ZTNA provides role-based access: ZTNA controls access to network resources based on the role of the user or device. Users and devices are granted access to only those resources that are necessary for their role, and all other access is denied. This helps to prevent unauthorized access and minimize the risk of data breaches.

Based on the exhibits provided:

The "Remote-Client" is tagged as "Remote-Users" in the FortiClient EMS Zero Trust Tag Monitor.

To ensure that the tag "Remote-Users" is visible in the FortiClient GUI, the system settings within FortiClient need to be updated to enable tag visibility.

The tag visibility feature is controlled by FortiClient system settings which manage how tags are displayed in the GUI.

Therefore, the administrator needs to change the FortiClient system settings to enable tag visibility.

References

FortiClient EMS 7.2 Study Guide, Zero Trust Tagging Section

FortiClient Documentation on Tag Management and Visibility Settings

Action On Virus Discovery Warn the User If a Process Attempts to Access Infected Files Quarantine Infected Files. You can use FortiClient to view, restore, or delete the quarantined file, as well as view the virus name, submit the file to FortiGuard, and view logs. Deny Access to Infected Files Ignore Infected Files