Fortinet NSE5_FNC_AD_7.6 Fortinet NSE 5 - FortiNAC-F 7.6 Administrator Exam Practice Test

In FortiNAC-F, theDevice Profileris a rule-based engine that evaluates unknown "rogue" devices and classifies them based on fingerprints and behavior. When a profiling rule matches a device, the administrator can configure the rule to automatically register that device. The registration process can place the device record in two primary locations: theTopology View(as a device) or theHost View(as a registered host).

According to theFortiNAC-F Administration Guide, registering a device in theHost Viewprovides significant advantages for identity management and historical tracking. First, the devices can beassociated with a user (C). In the FortiNAC database architecture, the Host View is the primary repository for endpoint identity; placing a profiled device here allows the system to link that hardware (MAC address) to a specific user account, whether that user is an employee, guest, or a system-level "owner". This association is essential for Role-Based Access Control (RBAC) and for tracking accountability across the network fabric.

Second, devices registered in the Host View will haveconnection logs (B). FortiNAC-F maintains a detailed operational history for all host records, including every instance of the device connecting to or disconnecting from a port, its IP address assignments, and the specific policies applied during each session. These logs are invaluable for troubleshooting connectivity issues and for security forensic audits, as they provide a clear timeline of the device's lifecycle on the network. In contrast, devices managed only in the Topology View are typically treated as infrastructure components where the focus is on device availability rather than individual session history.

"Devices that are registered and associated with a user are placed in theHost Viewand removed from the Profiled Devices window... Placing a device in the Host View allows for the tracking ofconnection historyand the association of the device with a specificidentity or user recordwithin the FortiNAC database." —FortiNAC-F Administration Guide: Device Profiler How it Works.

In a1+1 High Availability (HA)deployment, FortiNAC-F supports two primary methods for management access: individual IP addresses or aShared IP Address(also known as a Virtual IP or VIP). The Shared IP option is part of aLayer 2 HAdesign, which simplifies administration by providing a single URL or IP that always points to whichever appliance is currently in the "Active" or "In Control" state.

For a Shared IP configuration to function correctly, thePrimary and Secondary administrative interfaces (port1) must be on the same subnet. This requirement exists because the Shared IP is a logical address that is dynamically assigned to the physical interface of the active unit. Since only one unit can own the IP at a time, both units must reside on the same broadcast domain (Layer 2) to ensure that ARP requests for the Shared IP are correctly answered and that the gateway remains reachable regardless of which unit is active. If the appliances were on different subnets (a Layer 3 HA design), a shared IP could not be used because it cannot "float" across different network segments; instead, administrators would need to manage each unit via its unique physical IP or use a FortiNAC Manager.

"For L2 HA configurations, click theUse Shared IP Addresscheckbox and enter the Shared IP Address information...If your Primary and Secondary Servers are not in the same subnet, do not use a shared IP address.The shared IP address moves between appliances during a failover and recovery and requires both units to reside on the same network." —FortiNAC-F High Availability Reference Manual: Shared IP Configuration.

TheFortiNAC-F Manageris designed to centralize the management of multiple Control and Application (CA) appliances, ensuring consistent security posture across a distributed enterprise. To achieve this, the Manager allows administrators to define and distribute specific types of policies globally rather than configuring them on each individual CA.

According to theFortiNAC Manager Guide, the two primary policy types that are managed globally are:

Network Access Policies (D):These policies define the "If-Then" logic for network entry. By managing these at the global level, an administrator can ensure that a "Contractor" receives the same restricted access regardless of which branch office or campus they connect to.

Endpoint Compliance Policies (B):Global management of compliance policies—which consist of scans and configurations—allows for a unified security baseline. For example, a global policy can mandate that all Windows devices across the entire organization must have a specific antivirus version installed and active before gaining access to the production network.

While the Manager provides visibility into authentication events and can synchronize directory data, the specificAuthentication(A) configurations (like local RADIUS secrets or specific LDAP server links) are often localized to the CA to account for site-specific infrastructure.Supplicant EasyConnect(C) is a feature set for onboarding, but the structural "Global Policy" engine focuses primarily on the Access and Compliance frameworks.

"The FortiNAC Manager enablesGlobal Policy Management, allowing for the creation and distribution of policies across all managed CA appliances. This includesNetwork Access Policies, which control VLAN and ACL assignment, andEndpoint Compliance Policies, which define the security requirements for hosts. Centralizing these policies ensures that security standards are enforced uniformly across the global network fabric." —FortiNAC Manager Administration Guide: Global Policy Management Overview.

In FortiNAC-F, theNetwork Sessionsview provides a real-time and historical log of traffic flows, including source/destination IP addresses, ports, and protocols. This data is essential for buildingDevice Profiling Rulesthat rely on "Traffic Patterns" or "Network Footprints" to identify devices (e.g., an IP camera communicating with its specific NVR). If the network session view is empty, the system is not receiving the necessary flow or session data from the network infrastructure.

According to theFortiNAC-F Administration Guide, there are two primary methods to populate this view:

NetFlow/sFlow/IPFIX (C):FortiNAC-F can act as a flow collector. By enablingNetFlowsettings on the FortiNAC-F service interface (port2/eth1) and configuring your switches or routers to export flow data to the FortiNAC IP, the system can parse these packets and record sessions.

Firewall Session Polling (B):For environments with FortiGate firewalls, FortiNAC-F can proactively poll the FortiGate via theREST APIto retrieve its current session table. This is particularly useful as it provides session visibility without requiring the overhead of configuring NetFlow on every access layer switch.

Settings likeLayer 3 Polling(D) only provide ARP table mappings (IP to MAC correlation) and do not provide the detailed flow information required for the session view.

"TheNetwork Sessionsview displays information regarding active and inactive network traffic sessions... To populate this view, FortiNAC must receive data through one of the following methods: •NetFlow/sFlow Support: Configure network devices to send flow data to the FortiNAC service interface. •Firewall Session Polling: Enable session polling on modeled FortiGate devices to retrieve session information via API. These records are then used by the Device Profiler to match rules based on traffic patterns." —FortiNAC-F Administration Guide: Network Sessions and Flow Data Collection.

In FortiNAC-F, theRADIUS Attribute Groupsfeature allows administrators to return customized RADIUS attributes (such as specific VLAN IDs, filter IDs, or vendor-specific attributes) in anAccess-Acceptpacket sent back to a network device. This is particularly useful for supporting "Generic RADIUS" devices that are not natively supported but can be managed using standard AVPairs.

According to theFortiNAC-F Generic RADIUS Wired Cookbookand theRADIUS Attribute Groups sectionof the Administration Guide, there is one critical prerequisite for this feature to function: theinbound RADIUS request must contain the Calling-Station-ID attribute. The Calling-Station-ID typically contains theMAC addressof the connecting endpoint. Because FortiNAC-F is a host-centric system, it uses the MAC address as the unique identifier to look up the host record, evaluate the associated Network Access Policy, and determine which Logical Network (and thus which Attribute Group) should be applied. If the incoming request lacks this attribute, FortiNAC-F cannot reliably identify the host and, as a safety mechanism, willnot include any user-defined RADIUS attributesin the response. This ensures that unauthorized or unidentifiable devices do not receive privileged access through misapplied attributes.

"Configure a set of attributes that must be included in the RADIUS Access-Accept packet returned by FortiNAC...Requirement: Inbound RADIUS request must contain Calling-Station-Id. Otherwise, FortiNAC will not include the RADIUS attributes.This attribute is used to identify the host and its current state within the FortiNAC database." —FortiNAC-F 7.6.0 Generic RADIUS Wired Cookbook: Configure RADIUS Attribute Groups.

The integration of FortiNAC-F withFortiGate VPNrequires a specific policy workflow to bridge the gap between initial user authentication and full network access. When a user connects to the VPN, the FortiGate typically provides the User ID and IP address, but FortiNAC-F requires aMAC addressto uniquely identify and manage the endpoint's record.

According to theFortiGate VPN Integration Guide, theEndpoint Compliance Policyis a mandatory component of this setup because it is used todesignate the required agent type. Because a VPN connection is Layer 3, FortiNAC cannot "see" the MAC address through traditional SNMP or L2 polling. The compliance policy instructs the system to present aCaptive Portalto the remote user, requiring them to download and run either thePersistentorDissolvable Agent. The agent then reports the device's MAC address back to FortiNAC, allowing the system to correlate the VPN session with a host record.

Once the agent is running and the MAC is known, FortiNAC-F can evaluate the device's security posture (if scanning is configured) and send the necessaryFSSO tagsback to the FortiGate to lift the initial network restrictions. Without the compliance policy to enforce the agent requirement, the connection would remain in an isolated "IP-only" state with no unique hardware identity.

"TheEndpoint Compliance Policyis necessary to control the agent requirement for VPN users. Create a default VPN Endpoint Compliance Policy todistribute an agentvia captive portal for isolated machines. This policy allows the administrator todesignate the required agent type(Persistent or Dissolvable) that will be used to collect the hardware (MAC) address and perform health scans on the remote endpoint." —FortiNAC FortiGate VPN Integration Guide: Default Endpoint Compliance Policy (Optional) Section.

The FortiNAC-FLogical Networkfeature is specifically designed to provide an abstraction layer between high-level security policies and the underlying physical network infrastructure. In large-scale deployments where different physical locations (like Building 1, 2, and 3 in the exhibit) use different local VLAN IDs for the same type of device (e.g., VLAN 10, 20, and 30 for printers), managing separate policies for each building would create significant administrative overhead.

By using aLogical Network, an administrator can create a single entity—for example, a logical network named "Printers"—and use it as the "Access Value" in a singleNetwork Access Policy. The mapping of this logical label to a specific physical VLAN occurs at theModel Configurationlevel for each network device. When a printer connects to a switch in Building 1, FortiNAC-F evaluates the policy, identifies that the printer should be in the "Printers" logical network, and checks the Model Configuration for that specific switch to see which VLAN ID is mapped to that label (VLAN 10). If the same printer moves to Building 3, the same single policy applies, but FortiNAC-F provisions it to VLAN 30 based on the local mapping for that building's switch.

This architectural approach ensures that policies remain consistent and easy to manage regardless of the complexity or variations in the local network topology.

"Logical Networks provide a way to define a network access requirement once and apply it across many different network devices that may use different VLAN IDs for that access... Each managed device can usedifferent VLAN IDs for the same Logical Network label. You can define the Logical Networks based on requirements and then associate the network to a VLAN ID when the managed device is configured in theModel Configuration." —FortiNAC-F IoT Deployment Guide: Define the Logical Networks.

TheUser/Host Profilein FortiNAC-F is the fundamental logic engine used to categorize endpoints for policy assignment. As seen in the exhibit, the configuration uses a combination of Boolean logic operators (ORandAND) to define the "Who/What" attributes.

According to theFortiNAC-F Administrator Guide, attributes grouped together within the same bracket or connected by anORoperator require only one of those conditions to be met. In the exhibit, the first two attributes are "Host Role = Contractor"OR"Host Persistent Agent = Yes". This forms a single logical block. This block is then joined to the third attribute ("Host Security Access Value = Contractor") by anANDoperator. Consequently, a host must satisfyat least oneof the first two conditionsANDsatisfy the third condition to match the "Who/What" section.

Furthermore, the profile includesLocationandWhen(time) constraints. The exhibit shows the location is restricted to the "Building 1 First Floor Ports" group. The "When" schedule is explicitly set toMon-Fri 6:00 AM - 5:00 PM. For a profile to match,allenabled sections (Who/What, Locations, and When) must be satisfied simultaneously. Therefore, the host must meet the conditional contractor/agent criteria, possess the specific security access value, and connect during the defined 6 AM to 5 PM window.

"User/Host Profiles use a combination of attributes to identify a match. Attributes joined byORrequire any one to be true, while attributes joined byANDmust all be true. If aSchedule(When) is applied, the host must also connect within the specified timeframe for the profile to be considered a match. All criteria in the Who/What, Where, and When sections are cumulative." —FortiNAC-F Administration Guide: User/Host Profile Configuration.

FortiNAC-F provides a robust engine for processing security notifications from third-party devices. For standard integrations, such as FortiGate or Check Point, the system comes pre-loaded with templates to interpret incoming data. However, when an administrator needs FortiNAC-F to process syslog messages from a vendor or device that is not supported by default, they must configure aSecurity Event Parser.

TheSecurity Event Parseracts as the translation layer. It uses regular expressions (Regex) or specific field mappings to identify key data points within a raw syslog string, such as the source IP address, the threat type, and the severity. Without a parser, FortiNAC-F may receive the syslog message but will be unable to "understand" its contents, meaning it cannot generate the necessarySecurity Eventrequired to trigger automated responses. Once a parser is created, the system can extract the host's IP address from the message, resolve it to a MAC address via L3 polling, and then apply the appropriate security rules. This allows for the integration of any security appliance capable of sending RFC-compliant syslog messages.

"FortiNAC parses the information based onpre-defined security event parsersstored in FortiNAC's database... If the incoming message format is not recognized, a newSecurity Event Parsermust be created to define how the system should extract data fields from the raw syslog message. This enables FortiNAC to generate a security event and take action based on the alarm configuration." —FortiNAC-F Administration Guide: Security Event Parsers.