Fortinet NSE5_FNC_AD_7.6 Fortinet NSE 5 - FortiNAC-F 7.6 Administrator Exam Practice Test

The correct answer is B . In the trigger exhibit, the Filter Match setting is configured as Any 1 Filters , meaning the security trigger is satisfied when any one of the defined filters matches within the configured time window. The contractor triggers two of the defined filters, so two separate security events are generated because FortiNAC-F creates a security event whenever a security filter matches. The study guide confirms that each matched filter generates a security event, and when a trigger contains multiple filters, multiple matched filters can be associated with the resulting alarm.

The security rule exhibit also shows User/Host Profile: Match Contractors . Because the triggering user is a contractor, the user/host profile condition is satisfied. Once the trigger is satisfied and the user/host profile matches, FortiNAC-F generates a security alarm . The fact that Action is set to None does not stop the alarm from being generated; it only means no automated or manual response action is executed from that rule. Option A is wrong because the contractor profile matches, so an alarm is generated. Option C is wrong because only two filters were triggered, not three. Option D is wrong because two filters matched, so two events are generated, not one.

In FortiNAC-F,MAC notification traps(also known as MAC Move or MAC Change traps) are essential for achieving real-time visibility of endpoint connections and disconnections. When a device connects to a switch port, the switch generates an SNMP trap that informs FortiNAC-F of the new MAC address on that specific interface. This allows FortiNAC-F to immediately initiate the profiling and policy evaluation process without waiting for the next scheduled L2 poll.

According to theFortiNAC-F Administration GuideandSwitch Integrationdocumentation, MAC notification traps should be configured onall ports except uplink ports. Uplink ports are the interfaces that connect one switch to another or to the core network. Because these ports see the MAC addresses of every device on the downstream switches, enabling MAC notification on uplinks would cause the switch to send a massive volume of redundant traps to FortiNAC-F every time any device anywhere in the downstream branch moves or reconnects. This can overwhelm the FortiNAC-F process queue and degrade system performance.

By only enabling these traps on " edge " or " access " ports—where individual endpoints like PCs, printers, and VoIP phones connect—FortiNAC-F receives precise data regarding exactly where a device is physically located. Uplinks should be identified in the FortiNAC-F inventory as " Uplink " or " Learned Uplink, " which tells the system to ignore MAC data seen on those specific ports.

" To ensure accurate host tracking and optimal system performance, SNMP MAC notification traps must be enabled on all access (downlink) ports.Do not enable MAC notification traps on uplink ports, as this will result in excessive and unnecessary trap processing. Uplink ports should be excluded to prevent the system from attempting to map multiple downstream MAC addresses to a single infrastructure interface. " —FortiNAC-F Administration Guide: SNMP Configuration for Network Devices.

The correct answer is A . FortiNAC-F passes firewall tags to FortiGate through Security Fabric integration so FortiGate can use those values as dynamic address groups in firewall policies. The study guide explains that firewall tags are administrator-defined string values and that FortiNAC-F dynamically assigns them based on a security policy or logical network. More specifically for network access enforcement, it states that the network access configuration defines the logical network , and the logical network defines the firewall tag through the device model configuration .

This is the same mechanism used in VPN and Fabric workflows: the FortiGate device model contains the mappings of logical networks to the actual tags or groups that FortiNAC-F sends to FortiGate. The guide states that FortiNAC-F network access policies and logical networks determine the group or tag information, while the FortiGate model configuration contains the mappings used for the values sent.

Option B is not the best answer because a device profiling rule can classify a device and may cause it to match a policy, but it does not directly define the FortiGate tag value sent for policy enforcement. Option C can apply firewall tags in security automation scenarios, but the standard FortiGate dynamic address group mapping is defined in model configuration. Option D is unrelated; RADIUS attributes are used in RADIUS access responses, not FortiGate Fabric tag propagation.

The FortiNAC-FLogical Networkfeature is specifically designed to provide an abstraction layer between high-level security policies and the underlying physical network infrastructure. In large-scale deployments where different physical locations (like Building 1, 2, and 3 in the exhibit) use different local VLAN IDs for the same type of device (e.g., VLAN 10, 20, and 30 for printers), managing separate policies for each building would create significant administrative overhead.

By using aLogical Network, an administrator can create a single entity—for example, a logical network named " Printers " —and use it as the " Access Value " in a singleNetwork Access Policy. The mapping of this logical label to a specific physical VLAN occurs at theModel Configurationlevel for each network device. When a printer connects to a switch in Building 1, FortiNAC-F evaluates the policy, identifies that the printer should be in the " Printers " logical network, and checks the Model Configuration for that specific switch to see which VLAN ID is mapped to that label (VLAN 10). If the same printer moves to Building 3, the same single policy applies, but FortiNAC-F provisions it to VLAN 30 based on the local mapping for that building ' s switch.

This architectural approach ensures that policies remain consistent and easy to manage regardless of the complexity or variations in the local network topology.

" Logical Networks provide a way to define a network access requirement once and apply it across many different network devices that may use different VLAN IDs for that access... Each managed device can usedifferent VLAN IDs for the same Logical Network label. You can define the Logical Networks based on requirements and then associate the network to a VLAN ID when the managed device is configured in theModel Configuration. " —FortiNAC-F IoT Deployment Guide: Define the Logical Networks.

FortiNAC-F provides a robust engine for processing security notifications from third-party devices. For standard integrations, such as FortiGate or Check Point, the system comes pre-loaded with templates to interpret incoming data. However, when an administrator needs FortiNAC-F to process syslog messages from a vendor or device that is not supported by default, they must configure aSecurity Event Parser.

TheSecurity Event Parseracts as the translation layer. It uses regular expressions (Regex) or specific field mappings to identify key data points within a raw syslog string, such as the source IP address, the threat type, and the severity. Without a parser, FortiNAC-F may receive the syslog message but will be unable to " understand " its contents, meaning it cannot generate the necessarySecurity Eventrequired to trigger automated responses. Once a parser is created, the system can extract the host ' s IP address from the message, resolve it to a MAC address via L3 polling, and then apply the appropriate security rules. This allows for the integration of any security appliance capable of sending RFC-compliant syslog messages.

" FortiNAC parses the information based onpre-defined security event parsersstored in FortiNAC ' s database... If the incoming message format is not recognized, a newSecurity Event Parsermust be created to define how the system should extract data fields from the raw syslog message. This enables FortiNAC to generate a security event and take action based on the alarm configuration. " —FortiNAC-F Administration Guide: Security Event Parsers.

In FortiNAC-F, theInventory topologyuses specific icons to represent the status and model of discovered network infrastructure. When a switch or other network device is discovered via SNMP, FortiNAC-F retrieves itsSystem ObjectID (sysObjectID)to identify the specific make and model. This OID is then compared against the internal database of supported device mappings.

Aquestion mark (?)icon appearing on a discovered switch indicates that while the discovery process successfully communicated with the device (meaning SNMP credentials were correct), theSNMP ObjectID is not recognizedor mapped in the current version of FortiNAC-F. This essentially means the device is " unsupported " by the current software out-of-the-box. Because the OID is unknown, FortiNAC-F does not know which CLI or SNMP command set to use for critical functions like L2 polling (host visibility) or VLAN switching (enforcement). To resolve this, an administrator can manually " Set Device Mapping " to a similar existing model or a " Generic SNMP Device " if only basic L3 visibility is required.

" Discovered devices displaying a ' ? ' iconindicate the currently running version does not have a mapping for that device ' sSystem OID(device is not supported). Device mappings are used to manage the device by performing functions such as L2/L3 Polling, Reading, and Switching VLANs. " —Fortinet Technical Tip: Options for devices unable to be modeled in Inventory.

The correct answers are A and C . Fortinet’s FortiNAC-F 7.6 documentation states that, to receive and interpret traps from devices or applications, those devices or applications must be modeled in FortiNAC and must have an associated IP address. That validates option A directly. The same Fortinet Trap MIB Files documentation also lists a FortiNAC-OS requirement: the snmp option must be included in the set allowaccess command. That validates option C .

Option B is wrong because Trap MIB integration is not limited to SNMPv3. Fortinet states that Trap MIB supports receiving SNMPv1 and SNMPv2 traps from external devices, while SNMPv3 is discussed separately for traps that populate host and user records.

Option D is the trap. The Fortinet documentation explicitly says IP address OID, MAC address OID, and user ID OID are not all required ; any one OID can be used to identify the host or user that triggered the trap. So the statement that both the IP address OID and MAC address OID must be configured is false.

FortiNAC-F serves as a central manager for security events originating from a diverse ecosystem of third-party security appliances, such as FortiGate, Check Point, and Cisco. Each vendor utilizes its own internal scale forseverity levelswithin syslog messages (e.g., Check Point uses a 1–5 scale, while others may use 0–7). To provide a consistent response regardless of the source, FortiNAC-F usesSeverity Mappingsto normalize these incoming values.

According to theFortiNAC-F Administration Guide, severity mappings allow the administrator to translate vendor-specific threat levels into standardizedFortiNAC Security Levels(such as High, Medium, or Low Violation). When a syslog message arrives, the parser extracts the vendor ' s severity code, and the system immediately references theSecurity Event Severity Level Mappingstable to determine how that event should be categorized internally. This normalization is vital because it allows a singleSecurity Alarmto be configured to respond to any " High Violation " event, whether it was reported as a " Critical " by one vendor or a " Level 5 " by another. Without these mappings, the administrator would have to create separate, redundant security rules for every vendor to account for their different naming conventions and numerical scales.

" Each vendor defines its own severity levels for syslog messages. The following table shows the equivalent FortiNAC security level... To normalize these events, configure theSeverity Level Mappingsfound in the device integration guides. This allows FortiNAC to generate a consistent security event that can then trigger an alarm regardless of the reporting vendor ' s specific terminology. " —FortiNAC-F Administration Guide: Vendor Severity Levels and Syslog Management.

The correct answers are B and C . The persistent agent is the strongest fit because it is installed and stays resident on the endpoint. The study guide states that after deployment, the persistent agent communicates back to FortiNAC-F every 15 minutes and performs scheduled scans in the background, transparent to the end user. That directly satisfies the requirement for recurring compliance scans without user involvement.

The passive agent can also scan Windows domain end stations without end-user interaction. The guide states that the passive agent is deployed through login/logoff scripts and administrative templates, and that passive agent registration can register and scan hosts associated with LDAP or Active Directory users. If enabled, the passive agent scans the host to verify compliance with the appropriate endpoint policy.

Option A is wrong because the dissolvable agent is a run-once agent that requires manual end-user interaction in the captive portal, then removes itself after reporting results. Option D is not the best answer for this requirement because the mobile agent is specifically for Android onboarding and is manually installed; it is not the general solution for daily compliance scanning of all end stations.

In FortiNAC-F, theGuest & Contractor Templateis a configuration object that defines the parameters for accounts created by sponsors or through self-registration. One of the critical security controls within this template is theLogin Availabilitysetting. This setting restricts the specific days and times during which a guest or contractor is permitted to authenticate and access the network.

As shown in the exhibit, the " StandardGuest " template hasLogin Availabilityset to " Specify Time " , with a schedule defined asMon-Fri, 6:00 AM to 7:00 PM. If a guest user attempts to connect or authenticate at8:00 PM, which is outside of the permitted window, FortiNAC-F ' s policy engine will automatically deny the authentication request. When an authentication attempt is denied due to schedule restrictions, the system does not move the host into the " Authenticated " or " Registered " state required for production access. Instead, the host ismarked as non-authenticatedin the adapter or host view.

This behavior ensures that even if a guest possesses valid credentials, their access is strictly bound by the organizational policy for visitor hours. The host will typically remain in its current isolation or registration VLAN, and the user will see a message on the captive portal indicating that their account is not currently authorized for login. It is important to distinguish this from " at-risk " (C), which relates to security scan failures, or " rogue " (B), which typically refers to unknown devices that have not yet been associated with a valid account or profiling rule.

" Login Availabilitydefines the timeframe during which the guest or contractor account is valid for network access. This schedule is enforced at the time of authentication. If a user attempts to log in outside of the designated window, the authentication is rejected by the system. Consequently, the host record will reflect anon-authenticatedstatus, and the device will remain restricted to the isolation or registration network until a valid login window is reached. " —FortiNAC-F Administration Guide: Guest and Contractor Templates Section.

The correct answer is A . In a FortiNAC-F 1+1 HA deployment, failover from primary to secondary is automatic, but failback to the primary is not automatic . The study guide states that if the primary device or its network connectivity fails, the secondary assumes control automatically, but restoration of a failed-over HA deployment is a manual administrator-driven process. It further explains that after the cause of the failover is resolved, the administrator must use the Resume Control button to transfer control back to the primary server.

That means when the primary comes back online, it does not immediately take over again. The pair can resume HA communication, but the secondary remains the in-control node until an administrator deliberately returns control to the primary. Option B is wrong because FortiNAC-F 1+1 HA is active-passive, not load-balanced. Option C is wrong because the restored primary does not power itself down for maintenance. Option D is a trap: five failed heartbeats are used in failure detection and gateway validation logic, not as an automatic failback timer. The exam point is simple: automatic failover, manual failback .

The correct answer is C . The Port Changes view is the correct troubleshooting location when FortiNAC-F changes endpoint network access, such as moving a switch port into a different VLAN. The study guide states that any time FortiNAC-F changes network access for an endpoint, the change is documented in Network > Port Changes . This view shows the date and time of the change, whether a CLI configuration was executed, the reason for the change, the role or access policy that caused it, the port that was changed, and the VLAN the port was changed to.

This directly matches the troubleshooting requirement in the question: the administrator needs to know when the VLAN change happened and why FortiNAC-F made that network access decision. Option A , Security Event view, is used for security-related events, not detailed port-level VLAN-change history. Option B , Reports view, is too broad and not the operational audit trail for a specific access change. Option D , Admin Auditing, tracks administrative actions, but an automatic policy-driven VLAN assignment is documented under Port Changes, not primarily as an admin audit event.

The integration of FortiNAC-F withFortiGate VPNrequires a specific policy workflow to bridge the gap between initial user authentication and full network access. When a user connects to the VPN, the FortiGate typically provides the User ID and IP address, but FortiNAC-F requires aMAC addressto uniquely identify and manage the endpoint ' s record.

According to theFortiGate VPN Integration Guide, theEndpoint Compliance Policyis a mandatory component of this setup because it is used todesignate the required agent type. Because a VPN connection is Layer 3, FortiNAC cannot " see " the MAC address through traditional SNMP or L2 polling. The compliance policy instructs the system to present aCaptive Portalto the remote user, requiring them to download and run either thePersistentorDissolvable Agent. The agent then reports the device ' s MAC address back to FortiNAC, allowing the system to correlate the VPN session with a host record.

Once the agent is running and the MAC is known, FortiNAC-F can evaluate the device ' s security posture (if scanning is configured) and send the necessaryFSSO tagsback to the FortiGate to lift the initial network restrictions. Without the compliance policy to enforce the agent requirement, the connection would remain in an isolated " IP-only " state with no unique hardware identity.

" TheEndpoint Compliance Policyis necessary to control the agent requirement for VPN users. Create a default VPN Endpoint Compliance Policy todistribute an agentvia captive portal for isolated machines. This policy allows the administrator todesignate the required agent type(Persistent or Dissolvable) that will be used to collect the hardware (MAC) address and perform health scans on the remote endpoint. " —FortiNAC FortiGate VPN Integration Guide: Default Endpoint Compliance Policy (Optional) Section.

The correct answers are B and C . FortiNAC-F must have a persistent agent on the endpoint if the goal is continual or background endpoint monitoring. The study guide states that the persistent agent is an install-and-stay resident agent and that, after deployment, it communicates back to FortiNAC-F every 15 minutes. It also performs scheduled scans in the background without normal user interaction unless the scan fails. That is the agent model required for continuous compliance monitoring, not a one-time captive portal scan.

A custom scan is also required because the administrator wants to check very specific endpoint conditions: a registry key and a security service. The FortiNAC-F study guide lists Windows custom scan types including Registry Keys and Service , which directly match the two conditions in the question.

Option A is wrong because MDM integration is used to synchronize mobile device data, retrieve MDM-known hosts, receive MDM host updates, and apply policies based on MDM attributes; it is not the required mechanism for checking Windows registry keys or Windows service status. Option D is wrong because a remediation admin scan is not what defines the compliance check itself. The compliance logic must be created as a custom scan, and continuous monitoring requires the persistent agent.

TheUser/Host Profilein FortiNAC-F is the fundamental logic engine used to categorize endpoints for policy assignment. As seen in the exhibit, the configuration uses a combination of Boolean logic operators (ORandAND) to define the " Who/What " attributes.

According to theFortiNAC-F Administrator Guide, attributes grouped together within the same bracket or connected by anORoperator require only one of those conditions to be met. In the exhibit, the first two attributes are " Host Role = Contractor " OR " Host Persistent Agent = Yes " . This forms a single logical block. This block is then joined to the third attribute ( " Host Security Access Value = Contractor " ) by anANDoperator. Consequently, a host must satisfyat least oneof the first two conditionsANDsatisfy the third condition to match the " Who/What " section.

Furthermore, the profile includesLocationandWhen(time) constraints. The exhibit shows the location is restricted to the " Building 1 First Floor Ports " group. The " When " schedule is explicitly set toMon-Fri 6:00 AM - 5:00 PM. For a profile to match,allenabled sections (Who/What, Locations, and When) must be satisfied simultaneously. Therefore, the host must meet the conditional contractor/agent criteria, possess the specific security access value, and connect during the defined 6 AM to 5 PM window.

" User/Host Profiles use a combination of attributes to identify a match. Attributes joined byORrequire any one to be true, while attributes joined byANDmust all be true. If aSchedule(When) is applied, the host must also connect within the specified timeframe for the profile to be considered a match. All criteria in the Who/What, Where, and When sections are cumulative. " —FortiNAC-F Administration Guide: User/Host Profile Configuration.

In a corporate domain environment where " enhanced endpoint visibility " is required, thePersistent Agentis the recommended choice. Unlike the Dissolvable Agent, which is temporary and intended for one-time compliance scans during registration, the Persistent Agent is an " install-and-stay-resident " application.

The Persistent Agent is specifically designed to be distributed through automated enterprise methods, includinglogin scripts, Group Policy Objects (GPO), or third-party software management tools. When deployed via a login script, the agent can be configured to silently install and immediately begin communicating with the FortiNAC-F service interface. Once active, it provides continuous visibility by reporting host details such as logged-on users, installed applications, and adapter information. It also listens for Windows session events (logon/logoff) to trigger automatic single-sign-on (SSO) registration in FortiNAC-F, ensuring that as soon as a user connects to the domain, their device is identified and assigned the correct network access policy.

" The Persistent Agent can be distributed to Windows domain machines vialogin scriptor by any other software distribution method your organization might use. The Persistent Agent remains installed on the host at all times. Once the agent is installed it runs in the background and communicates with FortiNAC at intervals established by the FortiNAC administrator. " —FortiNAC-F Administration Guide: Persistent Agent Overview.

In FortiNAC-F, theLayer 3 Network typeis specifically designed for deployments where the isolation networks—such as Registration, Remediation, and Dead End—are separated from the FortiNAC appliance ' s service interface (port2) by one or more routers. This architecture is common in large, distributed enterprise environments where endpoints in different physical locations or branches must be isolated into subnets that are local to their respective network equipment.

The reason the Configuration Wizard allows for more than one DHCP scope for a single isolation network type (state) is thatthere can be more than one isolation network of each typeacross the infrastructure. For instance, if an organization has three different sites, each site might require its own unique Layer 3 registration subnet to ensure efficient routing and to accommodate local IP address management. By allowing multiple scopes for the " Registration " state, FortiNAC can provide the appropriate IP address, gateway, and DNS settings to a rogue host regardless of which site ' s registration VLAN it is placed into.

When an endpoint is isolated, the network infrastructure (via DHCP Relay/IP Helper) directs the DHCP request to the FortiNAC service interface. FortiNAC then identifies which scope to use based on the incoming request ' s gateway information. This flexibility ensures that the system is not limited to a single flat subnet for each isolation state, supporting a scalable, multi-routed network topology.

" Multiple scopes are allowed for each isolation state (Registration, Remediation, Dead End, VPN, Authentication, Isolation, and Access Point Management). Within these scopes, multiple ranges in the lease pool are also permitted... This configWizard option is used when Isolation Networks are separated from the FortiNAC Appliance ' s port2 interface by a router. " —FortiNAC-F Configuration Wizard Reference Manual: Layer 3 Network Section.