Fortinet NSE5_FNC_AD_7.6 Exam Questions

The User/Host Profile in FortiNAC-F is the fundamental logic engine used to categorize endpoints for policy assignment. As seen in the exhibit, the configuration uses a combination of Boolean logic operators (OR and AND) to define the 'Who/What' attributes.

According to the FortiNAC-F Administrator Guide, attributes grouped together within the same bracket or connected by an OR operator require only one of those conditions to be met. In the exhibit, the first two attributes are 'Host Role = Contractor' OR 'Host Persistent Agent = Yes'. This forms a single logical block. This block is then joined to the third attribute ('Host Security Access Value = Contractor') by an AND operator. Consequently, a host must satisfy at least one of the first two conditions AND satisfy the third condition to match the 'Who/What' section.

Furthermore, the profile includes Location and When (time) constraints. The exhibit shows the location is restricted to the 'Building 1 First Floor Ports' group. The 'When' schedule is explicitly set to Mon-Fri 6:00 AM - 5:00 PM. For a profile to match, all enabled sections (Who/What, Locations, and When) must be satisfied simultaneously. Therefore, the host must meet the conditional contractor/agent criteria, possess the specific security access value, and connect during the defined 6 AM to 5 PM window.

'User/Host Profiles use a combination of attributes to identify a match. Attributes joined by OR require any one to be true, while attributes joined by AND must all be true. If a Schedule (When) is applied, the host must also connect within the specified timeframe for the profile to be considered a match. All criteria in the Who/What, Where, and When sections are cumulative.' --- FortiNAC-F Administration Guide: User/Host Profile Configuration.

The User/Host Profile in FortiNAC-F is the fundamental logic engine used to categorize endpoints for policy assignment. As seen in the exhibit, the configuration uses a combination of Boolean logic operators (OR and AND) to define the 'Who/What' attributes.

According to the FortiNAC-F Administrator Guide, attributes grouped together within the same bracket or connected by an OR operator require only one of those conditions to be met. In the exhibit, the first two attributes are 'Host Role = Contractor' OR 'Host Persistent Agent = Yes'. This forms a single logical block. This block is then joined to the third attribute ('Host Security Access Value = Contractor') by an AND operator. Consequently, a host must satisfy at least one of the first two conditions AND satisfy the third condition to match the 'Who/What' section.

Furthermore, the profile includes Location and When (time) constraints. The exhibit shows the location is restricted to the 'Building 1 First Floor Ports' group. The 'When' schedule is explicitly set to Mon-Fri 6:00 AM - 5:00 PM. For a profile to match, all enabled sections (Who/What, Locations, and When) must be satisfied simultaneously. Therefore, the host must meet the conditional contractor/agent criteria, possess the specific security access value, and connect during the defined 6 AM to 5 PM window.

'User/Host Profiles use a combination of attributes to identify a match. Attributes joined by OR require any one to be true, while attributes joined by AND must all be true. If a Schedule (When) is applied, the host must also connect within the specified timeframe for the profile to be considered a match. All criteria in the Who/What, Where, and When sections are cumulative.' --- FortiNAC-F Administration Guide: User/Host Profile Configuration.

In FortiNAC-F, Security Triggers are used to identify specific security-related activities based on incoming data such as Syslog messages or SNMP traps from external security devices (like a FortiGate or an IDS). These triggers act as a filtering mechanism to determine if an incoming notification should be escalated from a standard system event to a Security Event.

According to the FortiNAC-F Administrator Guide and relevant training materials for versions 7.2 and 7.4, the Filter Match setting is the critical logic gate for this process. As seen in the exhibit, the 'Filter Match' configuration is set to 'All'. This means that for the Security Trigger named 'Infected File Detected' to 'fire' and generate a Security Event or a subsequent Security Alarm, every single filter listed in the Security Filters table must be satisfied simultaneously by the incoming data.

In the provided exhibit, there are two filters: one looking for the Vendor 'Fortinet' and another looking for the Sub Type 'virus'. If only one of these filters is satisfied (for example, a message from Fortinet that does not contain the 'virus' subtype), the logic for the Security Trigger is not met. Consequently, FortiNAC-F does not escalate the notification. Instead, it processes the incoming data as a Normal Event, which is recorded in the Event Log but does not trigger the automated security response workflows associated with security alarms.

'The Filter Match option defines the logic used when multiple filters are defined. If 'All' is selected, then all filter criteria must be met in order for the trigger to fire and a Security Event to be generated. If the criteria are not met, the incoming data is processed as a normal event. If 'Any' is selected, the trigger fires if at least one of the filters matches.' --- FortiNAC-F Administration Guide: Security Triggers Section.

In FortiNAC-F, the RADIUS Attribute Groups feature allows administrators to return customized RADIUS attributes (such as specific VLAN IDs, filter IDs, or vendor-specific attributes) in an Access-Accept packet sent back to a network device. This is particularly useful for supporting 'Generic RADIUS' devices that are not natively supported but can be managed using standard AVPairs.

According to the FortiNAC-F Generic RADIUS Wired Cookbook and the RADIUS Attribute Groups section of the Administration Guide, there is one critical prerequisite for this feature to function: the inbound RADIUS request must contain the Calling-Station-ID attribute. The Calling-Station-ID typically contains the MAC address of the connecting endpoint. Because FortiNAC-F is a host-centric system, it uses the MAC address as the unique identifier to look up the host record, evaluate the associated Network Access Policy, and determine which Logical Network (and thus which Attribute Group) should be applied. If the incoming request lacks this attribute, FortiNAC-F cannot reliably identify the host and, as a safety mechanism, will not include any user-defined RADIUS attributes in the response. This ensures that unauthorized or unidentifiable devices do not receive privileged access through misapplied attributes.

'Configure a set of attributes that must be included in the RADIUS Access-Accept packet returned by FortiNAC... Requirement: Inbound RADIUS request must contain Calling-Station-Id. Otherwise, FortiNAC will not include the RADIUS attributes. This attribute is used to identify the host and its current state within the FortiNAC database.' --- FortiNAC-F 7.6.0 Generic RADIUS Wired Cookbook: Configure RADIUS Attribute Groups.

The process of moving a host from a Registration VLAN to a Production VLAN (Access VLAN) is a fundamental part of the FortiNAC-F 'VLAN steering' workflow. When a host successfully registers via the captive portal, FortiNAC-F evaluates its Network Access Policies to determine the correct VLAN. If the host remains stuck in the Registration VLAN despite a successful registration, it is typically due to port-level restrictions or the presence of other unregistered devices.

The two most common reasons for this behavior as per the documentation are:

The port default VLAN is the same as the Registration VLAN: If the 'Default VLAN' field in the switch port's model configuration is set to the same ID as the Registration VLAN, the port will not change state because FortiNAC-F believes it is already in its 'normal' or 'forced' state.

There is another unregistered host on the same port: FortiNAC-F maintains the security posture of the physical port. If multiple hosts are connected to a single port (e.g., via a hub or unmanaged switch) and at least one host remains 'Rogue' (unregistered), FortiNAC-F will generally keep the entire port in the isolation/registration VLAN to prevent the unregistered host from gaining unauthorized access to the production network.

Issues with agents (A, B) typically prevent a host from completing compliance or registration but do not usually result in a 'stuck' status after registration has already been marked as successful in the system.

'If a port is identified as having Multiple Hosts, and those hosts require different levels of access, FortiNAC remains in the most restrictive state (Registration or Isolation) until all hosts on that port are authorized... Additionally, verify the Default VLAN setting for the port; if the Default VLAN and Registration VLAN match, the system will not trigger a VLAN change upon registration.' --- FortiNAC-F Administration Guide: Troubleshooting Host Management.