NSE5_FNC_AD_7.6 Sample Questions Answers

In FortiNAC-F, theLayer 3 Network typeis specifically designed for deployments where the isolation networks—such as Registration, Remediation, and Dead End—are separated from the FortiNAC appliance's service interface (port2) by one or more routers. This architecture is common in large, distributed enterprise environments where endpoints in different physical locations or branches must be isolated into subnets that are local to their respective network equipment.

The reason the Configuration Wizard allows for more than one DHCP scope for a single isolation network type (state) is thatthere can be more than one isolation network of each typeacross the infrastructure. For instance, if an organization has three different sites, each site might require its own unique Layer 3 registration subnet to ensure efficient routing and to accommodate local IP address management. By allowing multiple scopes for the "Registration" state, FortiNAC can provide the appropriate IP address, gateway, and DNS settings to a rogue host regardless of which site's registration VLAN it is placed into.

When an endpoint is isolated, the network infrastructure (via DHCP Relay/IP Helper) directs the DHCP request to the FortiNAC service interface. FortiNAC then identifies which scope to use based on the incoming request's gateway information. This flexibility ensures that the system is not limited to a single flat subnet for each isolation state, supporting a scalable, multi-routed network topology.

"Multiple scopes are allowed for each isolation state (Registration, Remediation, Dead End, VPN, Authentication, Isolation, and Access Point Management). Within these scopes, multiple ranges in the lease pool are also permitted... This configWizard option is used when Isolation Networks are separated from the FortiNAC Appliance's port2 interface by a router." —FortiNAC-F Configuration Wizard Reference Manual: Layer 3 Network Section.

In FortiNAC-F,Device Profiling Rulesare used to automatically identify and categorize devices (such as IP cameras, printers, or IoT devices) based on fingerprints like DHCP fingerprints, OIDs, or MAC prefixes. When a device matches a rule, it appears in theProfiled Devicesview.

However, matching a rule does not automatically register the device in the database unless the rule is configured to do so. If the devices appear in the view but remain "Unknown" and show "No" in the registration column, it indicates that the"Confirm"(or "Auto-register") action has not been triggered. In the Device Profiling Rule configuration, there is a setting called"Allow Auto-Approval"or"Confirm". If this is not enabled, the system identifies the device but waits for an administrator to manually approve the match before changing the host status from "Unknown" to "Registered".

This is a common "safety" configuration used during the initial deployment phase to ensure that the profiling rules are accurate before the system begins automatically granting network access based on those matches.

"If a device matches a rule but is not registered, check the rule configuration. TheConfirmoption (within the Method or Rule settings) determines if the system automatically registers the device upon a match. IfConfirmis not enabled, the device will remain in the 'Profiled' state with a registration status of'No'until an administrator manually promotes the device." —FortiNAC-F Administration Guide: Device Profiling Rules.

In FortiNAC-F, theRADIUS Attribute Groupsfeature allows administrators to return customized RADIUS attributes (such as specific VLAN IDs, filter IDs, or vendor-specific attributes) in anAccess-Acceptpacket sent back to a network device. This is particularly useful for supporting "Generic RADIUS" devices that are not natively supported but can be managed using standard AVPairs.

According to theFortiNAC-F Generic RADIUS Wired Cookbookand theRADIUS Attribute Groups sectionof the Administration Guide, there is one critical prerequisite for this feature to function: theinbound RADIUS request must contain the Calling-Station-ID attribute. The Calling-Station-ID typically contains theMAC addressof the connecting endpoint. Because FortiNAC-F is a host-centric system, it uses the MAC address as the unique identifier to look up the host record, evaluate the associated Network Access Policy, and determine which Logical Network (and thus which Attribute Group) should be applied. If the incoming request lacks this attribute, FortiNAC-F cannot reliably identify the host and, as a safety mechanism, willnot include any user-defined RADIUS attributesin the response. This ensures that unauthorized or unidentifiable devices do not receive privileged access through misapplied attributes.

"Configure a set of attributes that must be included in the RADIUS Access-Accept packet returned by FortiNAC...Requirement: Inbound RADIUS request must contain Calling-Station-Id. Otherwise, FortiNAC will not include the RADIUS attributes.This attribute is used to identify the host and its current state within the FortiNAC database." —FortiNAC-F 7.6.0 Generic RADIUS Wired Cookbook: Configure RADIUS Attribute Groups.

TheFortiNAC-F Manageris designed to centralize the management of multiple Control and Application (CA) appliances, ensuring consistent security posture across a distributed enterprise. To achieve this, the Manager allows administrators to define and distribute specific types of policies globally rather than configuring them on each individual CA.

According to theFortiNAC Manager Guide, the two primary policy types that are managed globally are:

Network Access Policies (D):These policies define the "If-Then" logic for network entry. By managing these at the global level, an administrator can ensure that a "Contractor" receives the same restricted access regardless of which branch office or campus they connect to.

Endpoint Compliance Policies (B):Global management of compliance policies—which consist of scans and configurations—allows for a unified security baseline. For example, a global policy can mandate that all Windows devices across the entire organization must have a specific antivirus version installed and active before gaining access to the production network.

While the Manager provides visibility into authentication events and can synchronize directory data, the specificAuthentication(A) configurations (like local RADIUS secrets or specific LDAP server links) are often localized to the CA to account for site-specific infrastructure.Supplicant EasyConnect(C) is a feature set for onboarding, but the structural "Global Policy" engine focuses primarily on the Access and Compliance frameworks.

"The FortiNAC Manager enablesGlobal Policy Management, allowing for the creation and distribution of policies across all managed CA appliances. This includesNetwork Access Policies, which control VLAN and ACL assignment, andEndpoint Compliance Policies, which define the security requirements for hosts. Centralizing these policies ensures that security standards are enforced uniformly across the global network fabric." —FortiNAC Manager Administration Guide: Global Policy Management Overview.

In FortiNAC-F, theConference Manageris a specialized administrative role designed for delegated administration, often used by receptionists or event organizers to create temporary guest accounts. To maintain security and prevent the over-provisioning of credentials, FortiNAC-F allows for granular restrictions on these accounts.

According to theFortiNAC-F Administration GuideregardingAdministrative Profiles, when an administrator creates a profile for a Conference Manager, they can define specific "Account Limits." Under the profile settings (located inSystem > Settings > Admin Profiles), there is a field specifically for"Max Accounts."By entering "30" into this field, the administrator ensures that any user assigned to this profile cannot exceed 30 active conference accounts at any given time.

This setting is distinct from the Portal configuration or the Guest templates. While templates define thetypeof account (e.g., duration and access level), theAdministrative Profiledefines thecapabilities and limitationsof the person creating those accounts. This ensures that even if a guest template allows for unlimited registrations, the specific administrator is physically restricted by the system from generating more than the allotted 30.

"Administrative Profiles define what an administrator can see and do within the system. For delegated administration roles like the Conference Manager, the'Max Accounts'field in the Administrative Profile is used to specify the maximum number of accounts the user is permitted to create. Once this limit is reached, the user will be unable to generate additional accounts until existing ones expire or are deleted." —FortiNAC-F Administration Guide: Administrative Profiles and Delegated Administration.

In anN+1 High Availability (HA)configuration, a single secondary Control and Application (CA) server provides backup for multiple primary CA servers. The FortiNAC-F Manager (FortiNAC-M) acts as the centralized orchestrator for this cluster, monitoring the health of all participating nodes.

According to theFortiNAC-F 7.6.0 N+1 Failover Reference Manual, when a primary CA (such asCA-2in the exhibit) fails, the secondary CA (CA-3) is automatically promoted by the Manager to take over the specific workload and database functions of that failed primary. Crucially, the documentation specifies that even after this promotion, the system architecture maintains its N+1 logic. The secondary CA effectively "assumes the identity" of the failed primary while continuing to operate within the N+1 framework established by the Manager.

It doesnotmerge with CA-1 to form a traditional 1+1 active/passive cluster (A), nor does it engage in load balancing (D), as FortiNAC-F HA is designed for redundancy and failover rather than active traffic distribution. Furthermore, CA-3 does not "share" management with CA-1 (C); it independently handles the tasks originally assigned to CA-2. Throughout this failover state, the Manager continues to oversee the group, and CA-3 remains the designated secondary unit currently acting in a primary capacity for the downed node until CA-2 is restored.

"In an N+1 Failover Group, theSecondary CAis designed to take over the functionality ofany single failed primary componentwithin the group. The FortiNAC Manager monitors the primaries and initiates the failover to the secondary... Once failover occurs, the secondary continues to operate as the backup unit for the failed primary while remaining part of the managed N+1 HA configuration." —FortiNAC-F 7.6.0 N+1 Failover Reference Manual: Failover Behavior Section.