FSCP Forescout Certified Professional Exam Questions and Answers

According to the Forescout User Directory Plugin Configuration Guide and the RADIUS Plugin Configuration Guide Version 4.3, the "Use as directory" selection allows resolution of user information via LDAP. The documentation explicitly states:​

"Use as directory: Select this option to use the server as a directory to retrieve user information. This option is not available for RADIUS and TACACS servers."​

What "Use as directory" Does:

According to the User Directory Plugin documentation:​

When "Use as directory" is selected on a User Directory server configuration:

LDAP Query Capability - The server can be queried via LDAP to retrieve user information

User Resolution - User details are resolved by querying the LDAP directory

Directory Lookups - User properties (group membership, attributes, contact info) are retrieved from the directory

Policy Matching - Users can be matched in policies based on directory group membership

Supported Server Types for "Use as directory":

According to the configuration guide:​

The "Use as directory" option is available for:

Microsoft Active Directory (via LDAP protocol)

OpenLDAP (via LDAP protocol)

Other LDAP-compatible directory servers

The "Use as directory" option is NOT available for:

RADIUS servers - Cannot be used as a directory

TACACS servers - Cannot be used as a directory

Why RADIUS/TACACS Cannot Be Directories:

According to the documentation:​

RADIUS and TACACS are authentication and authorization protocols, NOT directory protocols

They do not support directory-style lookups and user attribute queries

They only provide authentication (username/password verification) and authorization (what the user can do)

They cannot provide the rich user information that LDAP directories can provide

LDAP as a Directory Protocol:

According to the documentation:​

LDAP (Lightweight Directory Access Protocol) provides:

User Information Storage - Stores user objects with multiple attributes

Directory Queries - Can query for specific users and their properties

Group Membership - Can retrieve LDAP group information

Attribute Resolution - Can access user attributes for policy conditions

Three Critical Checkboxes:

According to the RADIUS Plugin Configuration Guide:​

"Make sure that both the Use as directory option and the Use for authentication option are enabled."

This indicates that a single User Directory server can have multiple roles:

Use as directory - For LDAP queries and user information resolution

Use for authentication - For user login authentication

Use for Console Login - For access to the Forescout Console

Example Configuration:

According to the documentation:​

When you have an Active Directory server:

✓ "Use as directory" is CHECKED - Enables LDAP queries for user info and group membership

✓ "Use for authentication" is CHECKED - Allows users to authenticate with their AD credentials

✓ "Use for Console Login" is CHECKED - Allows administrators to log into Forescout Console with AD credentials

Why Other Options Are Incorrect:

B. It allows resolution of user information via TACACS - Explicitly NOT available for TACACS; TACACS cannot function as a directory

C. It allows for Guest Registration when Approvals are required - This is a separate User Directory feature unrelated to "Use as directory"

D. It enables HTTP authentication and resolves HTTP login status - This is not related to directory usage; HTTP authentication is a separate feature

E. It allows resolution of user information via RADIUS - Explicitly NOT available for RADIUS; RADIUS servers cannot function as directories

Referenced Documentation:

User Directory Plugin Configuration - Define User Directory Servers​

User Directory Plugin - Name and Type Step documentation​

RADIUS Plugin Configuration Guide Version 4.3 - User Directory Readiness section

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

The Windows Installed Programs property condition utilizes multiple sub-properties including Program Name, Program Version, Program Vendor, and Program Path. However, when using the "for ANY/for ALL" logic mechanism, the "any/all" refers to the PROGRAMS and not to the sub-properties.​

How the "Any/All" Logic Works with Windows Installed Programs:

When configuring a policy condition with the Windows Installed Programs property, the "any/all" logic determines whether an endpoint should match the condition based on:

"For ANY" - The endpoint matches the policy condition if ANY of the configured programs are installed on the endpoint

"For ALL" - The endpoint matches the policy condition if ALL of the configured programs are installed on the endpoint

Example: If an administrator creates a condition like:

Windows Installed Programs contains "Microsoft Office" OR "Adobe Reader"

Using "For ANY": The endpoint matches if it has EITHER Microsoft Office OR Adobe Reader installed

Using "For ALL": The endpoint matches only if it has BOTH Microsoft Office AND Adobe Reader installed

The sub-properties (Program Name, Version, Vendor, Path) are used to define and identify which specific programs to match against, but the "any/all" logic applies to the PROGRAMS themselves, not to the sub-properties.​

Why Other Options Are Incorrect:

A - Incorrectly states the "any/all" evaluates the programs for the sub-properties

B - Factually incorrect; the condition definitely has multiple sub-properties (Name, Version, Vendor, Path)

C - Confuses the scope; the "any/all" does not refer to "program's properties" but to multiple programs

D - Inverted logic; the "any/all" refers to the programs, not the sub-properties

Referenced Documentation:

Forescout Administration Guide v8.3, v8.4​

Working with Policy Conditions - List of Properties by Category

Windows Applications Content Module Configuration Guide​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

The correct command to monitor system memory and CPU load with 5 second update intervals is vmstat 5. According to the official Linux documentation and Forescout CLI reference materials, the vmstat command uses a straightforward syntax where the first numerical parameter specifies the delay interval in seconds.​

vmstat Command Syntax:

The vmstat (Virtual Memory Statistics) command uses the following syntax:​

bash

vmstat [options] [delay] [count]

Where:

delay - The time interval (in seconds) between updates

count - The number of updates to display (optional; if omitted, displays indefinitely)

vmstat 5 Command:

When you execute vmstat 5:​

Updates are displayed every 5 seconds

Continues indefinitely until manually stopped

Shows memory and CPU statistics in each update

Example output:

text

procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----

r b swpd free buff cache si so bi bo in cs us sy id wa st

1 0 0 1166396 70768 2233228 0 0 0 13 10 24 0 0 100 0 0

0 0 0 1165568 70776 2233352 0 0 0 8 121 224 0 0 99 0 0

0 0 0 1166608 70784 2233352 0 0 0 53 108 209 0 0 100 0 0

Each line represents a new report generated at 5-second intervals.​

Memory and CPU Information Provided:

The vmstat output includes:​

Memory Columns:

free - Amount of idle memory

buff - Amount of memory used as buffers

cache - Amount of memory used as cache

swpd - Amount of virtual memory used

si/so - Memory swapped in/out

CPU Columns:

us - Time spent running user code

sy - Time spent running kernel code

id - Time spent idle

wa - Time spent waiting for I/O

st - Time stolen from virtual machine

Why Other Options Are Incorrect:

A. watch -t 5 vmstat - Incorrect syntax; -t removes headers, not set intervals; interval flag is -n, not -t

C. vmstat -t 5 - The -t option adds a timestamp to output, but doesn't set the interval; the 5 would be ignored

D. watch uptime - The uptime command displays system uptime and load average but not detailed memory/CPU stats; watch requires -n flag for interval specification

E. watch -n 10 vmstat - While syntactically valid, this uses a 10-second interval, not 5 seconds; also unnecessary since vmstat already supports delay parameter directly

Additional vmstat Examples:

According to documentation:​

bash

vmstat 5 5 # Display 5 updates at 5-second intervals

vmstat 1 10 # Display 10 updates at 1-second intervals

vmstat -t 5 5 # Display 5 updates every 5 seconds WITH timestamps

First Report Note:

According to the documentation:​

"When you run vmstat without any parameters, it shows system values based on the averages for each element since the server was last rebooted. These results are not a snapshot of current values."

The first report with vmstat 5 shows averages since last reboot; subsequent reports show statistics for each 5-second interval.​

Referenced Documentation:

Linux vmstat Command Documentation​

RedHat vmstat Command Guide​

Oracle Solaris vmstat Manual​

Microsoft Azure Linux Troubleshooting Guide​

IBM AIX vmstat Documentation

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Administration Guide - Policy Templates, to allow network-based PC imaging of devices while blocking non-corporate devices, modifications are required to Enterprise Discover policy (B) and Windows Enterprise Manageability policy (E).​

Network-Based PC Imaging Requirements:

For network-based PC imaging (such as through WinPE boot environments or imaging servers), the system must:

Discover Corporate PCs - Identify legitimate corporate devices

Allow Imaging Traffic - Permit PXE boot and imaging protocol traffic

Block Non-Corporate Devices - Prevent unauthorized BYOD or guest devices from initiating imaging

Enterprise Discover Policy Modifications:

According to the policy templates documentation:​

The Enterprise Discover policy must be modified to:

Allow PXE boot traffic for legitimate devices

Permit discovery protocols from imaging servers

Distinguish between corporate and non-corporate devices

Windows Enterprise Manageability Policy Modifications:

According to the documentation:​

The Windows Enterprise Manageability policy must be modified to:

Identify Windows corporate devices

Permit imaging-related activities for corporate machines

Block or restrict imaging access for non-managed or guest devices

Why Other Options Are Incorrect:

A. Linux Manageability policy - Linux devices are not typically subjected to network-based Windows imaging; this policy manages Linux endpoint compliance, not PC imaging

C. MAC Manageability policy - MAC devices use different imaging methods; this policy is for managing macOS endpoints

D. IoT Discover policy - IoT devices are not imaged via PC imaging protocols; this policy handles IoT device discovery and classification

Imaging Access Control Workflow:

According to the administration guide:​

text

1. Enterprise Discover Policy (Modified)

- Identify devices attempting PXE/imaging boot

- Distinguish corporate vs. non-corporate

- Allow corporate devices to proceed

2. Windows Enterprise Manageability Policy (Modified)

- Verify device is corporate-managed

- Check compliance status

- Permit imaging for compliant devices

- Block non-compliant or unauthorized devices

Referenced Documentation:

Forescout Administration Guide - Policy Templates​

Policy Templates - Enterprise Discover and Windows Manageability sections​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Administration Guide - Remediate Actions, "Start Antivirus update" is an example of a remediation action.​

Remediation Actions Definition:

According to the Remediate Actions documentation:​

"Remediation actions are actions that address compliance issues by taking corrective measures on endpoints. These actions fix, update, or improve the security posture of non-compliant endpoints."

Examples of Remediation Actions:

According to the documentation:​

Remediation actions include:

Start Antivirus Update - Updates antivirus definitions on the endpoint

Update Antivirus - Updates antivirus software

Start Windows Updates - Initiates Windows security patches

Enable Firewall - Activates Windows firewall

Disable USB - Restricts USB access

Why Other Options Are Incorrect:

A. Start SecureConnector - This is a deployment action, not remediation

C. Assign to VLAN - This is a containment/isolation action (Switch Remediate Action), not a remediation action

D. Switch port block - This is a containment/restrict action (Switch Restrict Action), not remediation

E. HTTP login - This is authentication, not a remediation action

Action Categories:

According to the documentation:​

Category

Examples

Purpose

Remediate Actions

Start Antivirus, Windows Updates, Enable Firewall

Fix compliance issues

Restrict Actions

Switch Block, Port Block, ACL

Contain threats

Remediate Actions (Switch)

Assign to VLAN (quarantine)

Move to isolated VLAN

Deployment

Start SecureConnector

Deploy agents

Referenced Documentation:

Remediate Actions​

Switch Remediate Actions​

Switch Restrict Actions​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Switch Plugin documentation and Switch Properties, the endpoint attributes learned from the Switch plugin are: Mac address, Host name, Port VLAN, Port Description, Switch OS, and Switch Version.​

Switch Plugin Endpoint Properties:

According to the Switch Properties documentation:​

The Switch plugin learns and populates the following endpoint attributes:

Mac address - MAC address of the endpoint

Host name - Device hostname from switch ARP table

Port VLAN - VLAN ID assigned to the switch port

Port Description - Switch port alias/description

Switch OS - Operating system of the switch

Switch Version - Software version of the switch

Why Other Options Are Incorrect:

A. Includes "Mac table" and "Host Table" - These are switch resources, not endpoint attributes

B. Lists "ARP Table" and duplicates "Switch Version" - ARP table is not an endpoint attribute

D. Includes "ARP Table" - ARP table is a switch resource, not an endpoint attribute

**E. "Switch IP and Port name" - "Switch IP" is not an endpoint attribute; should be "Port VLAN"

Distinction: Switch Resources vs. Endpoint Attributes:

According to the documentation:​

Endpoint Attributes (learned about the endpoint):

Mac address

Host name

Port VLAN

Port Description

Switch OS

Switch Version

Switch Resources (infrastructure information):

Mac table

ARP table

Host table

Referenced Documentation:

Switch Properties - v8.4.4​

Switch Properties - v8.16.h​

Switch Properties - v8.1.x​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Upgrade Guides for multiple versions, the first thing you should do when preparing for an upgrade to a new CounterACT version is consult the CounterACT Release Notes for the appropriate version.​

Release Notes as First Step:

According to the official documentation:​

"Review the Forescout Release Notes for important information before performing any upgrade."

The documentation emphasizes this as a critical first step before any other upgrade activities.

What Release Notes Contain:

According to the upgrade guidance:​

The Release Notes provide essential information including:

Upgrade Paths - Which versions you can upgrade from and to

Pre-Upgrade Requirements - System requirements and prerequisites

End-of-Life Products - Products that must be uninstalled before upgrade

Non-Supported Products - Products not compatible with the new version

Module/Plugin Dependencies - Version compatibility requirements

Known Issues - Potential problems and workarounds

Upgrade Procedures - Step-by-step instructions

Rollback Information - How to revert if needed

Critical Pre-Upgrade Information:

According to the Release Notes guidance:​

"The upgrade process does not continue when end-of-life products are detected."

Release Notes list:

End-of-Life (EOL) Products - Must be uninstalled before upgrade

Non-Supported Products - Must be uninstalled before upgrade

Plugin Version Compatibility - Which plugin versions work with the new Forescout version

Upgrade Order vs. Release Notes Review:

According to the documentation:​

While the order of upgrade (EM first, then Appliances) is important, consulting Release Notes comes FIRST because it determines what needs to be done before any upgrade attempts.

The Release Notes tell you:

Whether you can upgrade at all

What must be uninstalled

System requirements

Compatibility information

Only AFTER reviewing Release Notes do you proceed with the actual upgrade sequence.

Why Other Options Are Incorrect:

A. Upgrade the members first before upgrading the EM - This is the OPPOSITE of correct order; EM (Enterprise Manager) should be upgraded first

B. Upgrading an appliance is done through Options/Modules - This is not the upgrade path; upgrades are done through Tools > Options > CounterACT Devices

C. From the appliance CLI, fstool upgrade /tmp/counteract-v8.0.1.fsp - This is ONE possible upgrade method, but not the first step; downloading and reviewing Release Notes comes first

E. Upgrade only the modules compatible with the version you are installing - This is a consideration found IN the Release Notes, not the first step itself

Correct Upgrade Sequence:

According to the comprehensive upgrade documentation:​

text

1. FIRST: Review Release Notes (determine what's needed)

2. Second: Check system requirements

3. Third: Uninstall EOL/non-supported products

4. Fourth: Back up Enterprise Manager and Appliances

5. Fifth: Upgrade Enterprise Manager

6. Sixth: Upgrade Appliances

Referenced Documentation:

Before You Upgrade the Forescout Platform - v8.3​

Before You Upgrade the Forescout Platform - v9.1.2​

Forescout 8.1.3 Release Notes​

Installation Guide v8.0 - Upgrade section​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout CounterACT HPS Inspection Engine Configuration Guide Version 10.8, SMB (Server Message Block) is required for Windows Manageability because scripts run on endpoints are copied to a temp directory and run locally on the endpoint.​

SMB Purpose for Windows Management:

According to the HPS Inspection Engine guide:​

"Server Message Block (SMB) is a protocol for file and resource sharing. CounterACT uses this protocol with WMI or RPC methods to inspect and manage endpoints. This protocol must be available to perform the following:

Resolve file-related properties

Resolve script properties

Run script actions"

Script Execution Process Using SMB:

According to the documentation:​

When WMI is used for Remote Inspection:

CounterACT downloads scripts - Scripts are transferred FROM CounterACT TO the endpoint using SMB protocol

Scripts stored in temp directory - By default, scripts are downloaded to and run from:

Non-interactive scripts: %TEMP%\fstmp\ directory

Interactive scripts: %TEMP% directory of currently logged-in user

Scripts execute locally - Scripts are executed ON the endpoint itself (not remotely executed from CounterACT)

Script Execution Locations:

According to the detailed documentation:​

For Remote Inspection on Windows endpoints:

text

Non-interactive scripts are downloaded to and run from:

%TEMP%\fstmp\

(Typically %TEMP% is c:\windows\temp\)

Interactive scripts are downloaded to and run from:

%TEMP% directory of the currently logged-in user

For SecureConnector on Windows endpoints:

text

When deployed as a Service:

%TEMP%\fstmpsc\

When deployed as a Permanent Application:

%TEMP% directory of the currently logged-in user

SMB Requirements for Script Execution:

According to the documentation:​

To execute scripts via SMB on Windows endpoints:

Port Requirements:

Windows 7 and above: Port 445/TCP

Earlier versions (XP, Vista): Port 139/TCP

Required Services:

Server service

Remote Procedure Call (RPC)

Remote Registry service

SMB Signing (optional but recommended):

Can be configured to require digitally signed SMB communication

Helps prevent SMB relay attacks

Why Other Options Are Incorrect:

A. Scripts run on CounterACT are copied to a temp directory and run locally on the endpoint - Scripts don't RUN on CounterACT; they're copied FROM CounterACT TO the endpoint

B. Scripts run on endpoints are copied to a Linux script repository - Forescout endpoints are Windows machines, not Linux; also no "Linux script repository" is involved

C. Scripts run on endpoints are copied to a temp directory and run remotely from CounterACT - Scripts run LOCALLY on the endpoint, not remotely from CounterACT

D. Scripts run on CounterACT are copied to a script repository and run remotely from CounterACT - Inverts the direction; CounterACT doesn't copy TO a repository; it copies TO endpoints

Script Execution Flow:

According to the documentation:​

text

CounterACT --> (copies via SMB) --> Endpoint Temp Directory --> (executes locally) --> Result

The SMB protocol is essential for this file transfer step, which is why it's required for Windows manageability and script execution.

Referenced Documentation:

CounterACT Endpoint Module HPS Inspection Engine Configuration Guide v10.8​

Script Execution Services documentation​

About SMB documentation​

Based on the policy condition image showing "Does not meet the following criteria", the correct statement is that it negates the criteria as part of the property.​

Understanding "Does not meet the following criteria":

According to the Forescout Administration Guide:​

The "Does not meet the following criteria" radio button option in policy conditions creates a logical negation of the condition:

"Meets the following criteria" - Endpoint matches if the condition is true

"Does not meet the following criteria" - Endpoint matches if the condition is FALSE (negated)

How the Negation Works:

According to the documentation:​

"Use the AND value between both properties: Windows>Manageable Domain>Does not meet the following criteria"

This syntax shows that "Does not meet the following criteria" negates the entire criteria evaluation:

Normal condition: "Windows Antivirus Running = True"

Result: Matches endpoints WITH antivirus running

Negated condition: "Windows Antivirus Running Does not meet the following criteria (= True)"

Result: Matches endpoints WITHOUT antivirus running (negates the criteria)

Negation Happens at Property Level:

The negation is applied as part of the property evaluation, not as a separate NOT operator. When you select "Does not meet the following criteria":

The condition is evaluated normally

The result is then negated/inverted

The endpoint matches only if the negated result is true

Why Other Options Are Incorrect:

B. Modifies the irresolvable condition to TRUE - "Does not meet the following criteria" doesn't specifically affect irresolvable property handling

C. Generates a NOT condition in the sub-rule condition - The negation is part of this property's evaluation, not a separate sub-rule NOT condition

D. Irresolvable hosts would match the condition - "Does not meet the following criteria" doesn't specifically target irresolvable hosts

E. Modifies the evaluate irresolvable condition to FALSE - This setting doesn't affect the "Evaluate irresolvable as" setting

Referenced Documentation:

Forescout Administration Guide v8.3​

Forescout Administration Guide v8.4​

ForeScout CounterACT Administration Guide - Policy Conditions section​

Manage Actions documentation​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout User Directory Plugin Configuration Guide, to allow Active Directory credentials to authenticate console logins, the "Use for console login" option must be configured.​

Three Key Checkboxes in User Directory Configuration:

According to the User Directory plugin documentation:​

When configuring a User Directory server (such as Active Directory), three important checkboxes are available:

Use as directory - Allows LDAP queries for user information

Use for authentication - Allows user authentication via AD credentials

Use for console login - Allows AD credentials to authenticate console logins

"Use for console login" Purpose:

According to the documentation:​

"When checked, this option enables Forescout Console administrators to log in using their Active Directory (or other configured directory server) credentials."

This checkbox specifically enables:

Administrators to use their Active Directory usernames and passwords

Console authentication via the configured directory server

Elimination of the need for separate Forescout Console accounts

Separate Functions of Each Checkbox:

According to the configuration guide:​

Checkbox

Purpose

Use as directory

LDAP queries for user properties and group membership

Use for authentication

802.1X, RADIUS, and other authentication protocols

Use for console login

Console login authentication for Forescout administrators

Each serves a distinct purpose and must be configured independently.

Why Other Options Are Incorrect:

A. Include Parent groups - This relates to group hierarchy, not console login authentication

B. Authentication - This is the protocol/method name, not a specific configuration checkbox

C. Use as directory - This enables LDAP queries for user information, not console login authentication

D. Target Group Resolution - This is not a standard configuration option for User Directory plugins

Console Login Workflow with Active Directory:

According to the documentation:

When "Use for console login" is enabled:

Administrator enters username and password at Forescout Console login screen

Credentials are sent to the configured Active Directory server

Active Directory validates the credentials

If valid, administrator is granted console access

No separate Forescout password needed

Referenced Documentation:

User Directory Plugin - Name and Type Step configuration​

User Directory readiness section

User Directory server configuration documentation

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout IoT Security solutions documentation and policy best practices, proper policy flow should consist of: "Modify as little as possible in discovery, each classify sub-rule should flow to an assess policy, IoT classify policies typically test manageability, IT classify usually indicates ownership".​

Policy Flow Architecture:

According to the Forescout IoT Security documentation:​

text

Discovery Phase (Passive)

↓

Classification Phase (Determine device type)

├─ IoT Classify - Test MANAGEABILITY

└─ IT Classify - Indicate OWNERSHIP

↓

Assessment Phase (Evaluate compliance)

↓

Control Phase (Apply actions)

Discovery Phase - Minimal Modification:

According to the documentation:​

"Modify as little as possible in discovery. Discovery should remain passive and non-invasive, using only network traffic analysis and passive profiling to gain device visibility."

This approach prevents operational disruption and maintains passive-only visibility.

Classification Phase:

According to the Forescout solution brief:​

IT Device Classification Policies:

Typically indicate OWNERSHIP (corporate vs. BYOD)

Determine if device is managed or unmanaged

Establish if device belongs to organization

IoT Device Classification Policies:

Typically test MANAGEABILITY (can it be managed)

Determine if device can support agents or management

Assess remote accessibility capabilities

Assessment Phase Flow:

According to the documentation:​

"Each classify sub-rule should flow to an assess policy. This hierarchical flow ensures that assessment policies evaluate endpoints based on their classification, not before."

The workflow is:

text

Classify Sub-Rule → Assessment Policy

├─ If device matches classifier criteria

└─ Then assessment policy evaluates compliance

Why Other Options Are Incorrect:

A. IoT classify policies typically test ownership - Incorrect; IT classify policies test ownership, IoT policies test manageability

C. Each sub-rule should flow to assess - Missing the critical "from classify" part; sub-rules flow from classify to assess

D. Discovery should include customized sub-rules - Incorrect; discovery should be minimal; sub-rules are for classify/assess phases

E. Each discovery sub-rule should flow to classify policy - Incorrect terminology; discovery doesn't have sub-rules that flow forward

Referenced Documentation:

Forescout IoT Security Solution Brief​

Internet of Things (IoT) Platform Overview​

Forescout IoT Security - Total Device Visibility​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

The Service Banner host property is resolved by NMAP scanning. According to the Forescout Administration Guide - Advanced Classification Properties, the Service Banner property "Indicates the service and version information, as determined by Nmap".​

Service Banner Property:

The Service Banner is an Advanced Classification Property that captures critical service identification information:​

Purpose - Identifies running services and their versions on endpoints

Resolution Method - Uses NMAP banner scanning functionality

Information Provided - Service name and version numbers (e.g., "Apache 2.4.41", "OpenSSH 7.6")

NMAP Banner Scanning Configuration:

According to the HPS Inspection Engine Configuration Guide, the Service Banner is specifically resolved when "Use Nmap Banner Scan" option is selected:​

When Use Nmap Banner Scan is enabled, the HPS Inspection Engine uses NMAP banner scans to improve the resolution of device services, application versions, and other details that help classify endpoints.​

NMAP Banner Scan Process:

According to the CounterACT HPS Inspection Engine Guide, when NMAP banner scanning is enabled:​

text

NMAP command line parameters for banner scan:

-T Insane -sV -p T: 21,22,23,53,80,135,88,1723,3389,5900

The -sV parameter specifically performs version detection, which resolves the Service Banner property by scanning open ports and identifying service banners returned by those services.​

Classification Process:

The Service Banner property is resolved through the following workflow:​

Port Detection - Forescout identifies open ports on the endpoint

Banner Scanning - NMAP sends requests to identified ports

Service Identification - Services respond with banner information containing version data

Property Resolution - The Service Banner property is populated with the version information discovered

Why Other Options Are Incorrect:

A. Packet engine - The Packet Engine provides network visibility through port mirroring, but does not resolve service banners through deep packet inspection

C. Device classification engine - While involved in overall classification, the Device Classification Engine doesn't specifically resolve service banners; NMAP does

D. Device profile library - The Device Profile Library contains pre-defined classification profiles but doesn't actively scan for service banners

E. NetFlow - NetFlow provides network flow data and statistics, but cannot determine service version information

Service Banner Examples:

Service Banner property values resolved by NMAP scanning include:​

Apache/2.4.41 (Ubuntu)

OpenSSH 7.6p1

Microsoft-IIS/10.0

nginx/1.17.0

MySQL/5.7.26-0ubuntu0.18.04.1

NMAP Scanning Requirements:

According to the documentation:​

NMAP Banner Scan must be explicitly enabled in HPS Inspection Engine configuration

Banner scanning targets specific ports typically associated with common services​

Service version information improves endpoint classification accuracy

Referenced Documentation:

Forescout Administration Guide - Advanced Classification Properties​

HPS Inspection Engine - Configure Classification Utility​

CounterACT Endpoint Module HPS Inspection Engine Configuration Guide Version 10.8​

NMAP Scan Logs documentation​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Platform Administration and Deployment Documentation, the best practice to pass an endpoint from one policy to another is to use SUB-RULES.​

Sub-Rules and Policy Routing:

Sub-rules are conditional branches within a Forescout policy that allow for sophisticated endpoint routing and handling. When an endpoint matches a sub-rule condition, it can be directed to perform specific actions or be passed to another policy group for further evaluation.​

Key Advantages of Using Sub-Rules:

Granular Control - Sub-rules enable precise segmentation of endpoints based on multiple properties and conditions

Hierarchical Processing - Once an endpoint matches a sub-rule, it proceeds down the sub-rule branch; later sub-rules of the policy are not evaluated for that endpoint​

Efficient Endpoint Routing - Sub-rules allow endpoints to be efficiently routed to appropriate policy handlers without evaluating unnecessary conditions

Policy Chaining - Sub-rules facilitate the logical flow and routing of endpoints through multiple policy layers

Best Practice Implementation:

The documentation emphasizes that when designing policies for endpoint management, administrators should:

Use sub-rules to create conditional branches that evaluate endpoints against multiple criteria

Route endpoints to appropriate policy handlers based on their properties and compliance status

Avoid using simple property-based routing when complex multi-step evaluation is needed​

Why Other Options Are Incorrect:

A. Use operating system property - While OS properties can be used in conditions, they are not the mechanism for passing endpoints between policies

C. Use function property - Function properties are not used for inter-policy endpoint routing

D. Use groups - While groups are useful for organizing endpoints, they are not the primary best practice for passing endpoints between policies

E. Use policy condition - Policy conditions define what endpoints should be evaluated, but sub-rules provide the actual routing mechanism

Referenced Documentation:

Forescout Platform Administration Guide - Defining Policy Sub-Rules​

"Defining Forescout Platform Policy Sub-Rules" - Best Practice section​

Sub-Rule Advanced Options documentation

The NOT checkbox negates the criteria inside the property. According to the Forescout Administration Guide, when the NOT checkbox is selected on a policy condition criteria, it reverses the logic of that specific criterion evaluation.​

Understanding the NOT Operator in Policy Conditions:

In Forescout policy configuration, the NOT operator is a Boolean logic operator that inverts the result of the property evaluation. When you select the NOT checkbox:

Logical Inversion - The condition is evaluated normally, and then the result is inverted

Criteria Negation - If a criteria would normally match an endpoint, selecting NOT causes it NOT to match

Property-Level Operation - The NOT operator applies specifically to that individual property/criterion, not to the entire rule​

Example of NOT Logic:

Without NOT:

Condition: "Windows Antivirus Running = True"

Result: Matches endpoints that HAVE antivirus running

With NOT:

Condition: "NOT (Windows Antivirus Running = True)"

Result: Matches endpoints that DO NOT have antivirus running

NOT vs. "Evaluate Irresolvable As":

According to the documentation, the NOT operator and "Evaluate Irresolvable As" are independent settings:​

NOT operator - Negates/inverts the criteria evaluation itself

"Evaluate Irresolvable As" - Defines what happens when a property CANNOT be resolved (is irresolvable)

These serve different purposes:

NOT determines what value to match

Evaluate Irresolvable As determines how to handle unresolvable properties

Handling Irresolvable Criteria:

According to the administration guide documentation:​

"If you do not select the Evaluate irresolvable criteria as option, the criteria is handled as irresolvable and the endpoint does not undergo further analysis."

The "Evaluate Irresolvable As" checkbox allows you to define whether an irresolvable property should be treated as True or False when the property value cannot be determined. This is independent of the NOT checkbox.​

Why Other Options Are Incorrect:

A. The NOT checkbox means the "Evaluate Irresolvable as" should be set to True - Incorrect; NOT and Evaluate Irresolvable As are independent settings

B. The external NOT does not change the meaning of "evaluate irresolvable as" - While technically true that NOT doesn't change the Evaluate Irresolvable setting, the answer doesn't explain what NOT actually does

C. Has no effect on irresolvable hosts - Incorrect; NOT negates the criterion logic regardless of whether it's resolvable

E. The NOT checkbox means the "Evaluate Irresolvable as" should be set to False - Incorrect; NOT and Evaluate Irresolvable As are independent

Policy Condition Structure:

According to the documentation, a policy condition consists of:​

Property criteria combined with Boolean logic operators

Individual criterion settings including NOT operator

Irresolvable handling options that are separate from the NOT operator

Referenced Documentation:

Forescout Administration Guide - Define policy scope​

Forescout eyeSight policy sub-rule advanced options​

Handling Irresolvable Criteria section​

Working with Policy Conditions

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Upgrade Guide and System Backup documentation, Policies are included in System backups.​

What System Backups Include:

According to the official documentation:​

"Each backup saves all Forescout Platform device and Console settings. This data includes the following:

Configuration

License

Operating System settings

Policies

Profiles

Reports

Administrator accounts

And other system data"

System Backup Contents:

According to the backup documentation:​

System backups include:

Policies - All configured policies and policy templates

Configuration - System configuration settings

License Information - License keys and licensing data

Administrator Accounts - User accounts and access controls

Reports - Scheduled and saved reports

System Settings - Mail, network, and other system configurations

Profiles - User profiles and system profiles

What System Backups DO NOT Include:

According to the documentation:​

System backups are encrypted using AES-256 and include most system data but are separate from:

Appliance-specific firmware - May require separate backup

Component-specific backups - Some modules have separate backup procedures

Log files - Not typically included in system backups

Why Other Options Are Incorrect:

A. Switch Plugin version 8.7.0 and above - Plugin versions are not individually backed up; plugins are part of the module installation, not system configuration backup

C. Hostname and IP address - While these are part of system configuration, they are covered under "Configuration" not listed separately in backup contents

D. Failover Clustering plugin - Plugin software itself is not backed up; configuration related to plugins is backed up

E. Wireless Plugin version 1.4.0 and above - Plugin versions are installed separately; backups contain configuration, not plugin versions

Policy Backup Importance:

According to the documentation:​

Policies are one of the most critical items included in system backups because:

Restore Capability - After system recovery, policies are restored automatically

Business Continuity - Restoring policies ensures the same security posture

Compliance - Policies contain compliance rules that must be preserved

Operational Continuity - Restores endpoint management immediately after recovery

System vs. Component Backups:

According to the backup documentation:​

System Backup - Includes policies, configuration, licenses, administrator accounts, etc.

Component Backup - Specific modules may have additional backup capabilities

Both backup types - Both are encrypted with AES-256 for security

Backup Encryption:

According to the documentation:​

"Both system and component backup files, backed up either manually or via a schedule, are encrypted using AES-256 to protect sensitive file data."

This ensures that backed-up policies and other sensitive configuration remain secure.

Referenced Documentation:

Back Up your Enterprise Manager and/or Appliances - v8.4​

Back Up your Enterprise Manager and/or Appliances - v8.5.1​

Backing Up System and Component Settings - v8.4​

Backing Up Forescout Platform System and Component Settings - v8.5.1

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Administration Guide and List of Properties by Category documentation, NMAP Scanning provides additional discovery details that can assist in correctly profiling hosts when the standard discover properties (OS, Function, Network Function, NIC Vendor) do not provide sufficient information.​

Standard Discovery Properties:

According to the Device Profile Library and classification documentation:​

The standard discovery properties include:

OS - Operating System classification

Function - Network function (printer, workstation, server, etc.)

Network Function - Specific network device role

NIC Vendor - MAC address vendor information

These properties provide basic device identification but may not be sufficient for complete profiling.

NMAP Scanning for Enhanced Profiling:

According to the Advanced Classification Properties documentation:​

"NMAP Scanning - Indicates the service and version information, as determined by Nmap. Due to the activation of Nmap, this..."

NMAP scanning provides advanced discovery including:

Service Banner Information - Service name and version (e.g., Apache 2.4, OpenSSH 7.6)

Open Port Detection - Identifies which ports are open and responding

Service Fingerprinting - Determines exact service versions through banner grabbing

Application Detection - Identifies specific applications and their versions

Why NMAP Provides Additional Details:

According to the documentation:​

When standard properties (OS, Function, NIC Vendor) are insufficient for profiling:

NMAP banner scanning uses active probing of open ports

Returns service version information through banner grabbing

Enables more precise device classification

Helps identify specific applications running on endpoints

Example of NMAP Enhancement:

According to the documentation:

Standard properties might show: "Windows 7, Workstation, Dell NIC"

NMAP scanning additionally shows:

Open ports: 80, 135, 445, 3389

Services: Apache 2.4.41, MS RPC, SMB 3.0

This enables more precise classification (e.g., "Development workstation running web services")

Why Other Options Are Incorrect:

A. Monitoring traffic - While traffic monitoring provides insights, it doesn't provide the specific service and version details that NMAP banner scanning does

B. Packet engine - The Packet Engine provides network visibility through passive monitoring, but not active service version detection like NMAP

C. Advanced Classification - This is a category that encompasses NMAP scanning and other methods, not a specific profiling enhancement

E. Function - This is already listed as one of the discover properties that may be insufficient; it's not an additional tool for profiling

NMAP Configuration:

According to the HPS Inspection Engine documentation:​

NMAP banner scanning is configured with specific port targeting:

text

NMAP Banner Scan Parameters:

-T Insane -sV -p T: 21,22,23,53,80,135,88,1723,3389,5900

The -sV parameter performs version detection, which resolves the Service Banner property.

Referenced Documentation:

Forescout Administration Guide - Advanced Classification Properties​

Forescout Administration Guide - List of Properties by Category​

CounterACT HPS Inspection Engine Configuration Guide​

NMAP Scan Options documentation​

NMAP Scan Logs documentation​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout RADIUS Plugin Configuration Guide and CSR Generation documentation, the information that must be known prior to generating a Certificate Signing Request (CSR) is Hostname, IP Address, and FQDN.​

Information Required for CSR Generation:

According to the RADIUS Plugin Configuration Guide:​

"When you generate the certificate signing request (CSR), you must know the following information about the system requesting the certificate:

The hostname of the system

The IP address of the system

The FQDN (Fully Qualified Domain Name) of the system"

Standard CSR Requirements:

According to the official documentation:​

When generating a CSR, the following information is typically requested:

Common Name (CN) - The FQDN or hostname of the system

IP Address - The IP address of the appliance or device

Organization Name - The organization/company name

Organization Unit (OU) - Department or division

Locality (L) - City or town

State (ST) - State or province

Country (C) - Country code

Key Type - Typically RSA (2048-bit minimum)

Core Required Elements:

The most critical information that MUST be known before generating the CSR:​

Hostname - The computer/appliance name (e.g., "counteract-em-01")

IP Address - The management IP address of the appliance (e.g., "192.168.1.50")

FQDN - The fully qualified domain name (e.g., "counteract-em-01.example.com")

These three pieces of information are essential because:

The certificate's validity is tied to these identifiers

The CSR encodes these values

The CA uses this information to validate the certificate request

Endpoints and systems verify certificates against these values

Why Other Options Are Incorrect:

A. Certificate extension, format requirements, Encryption Type - These are configuration options, not prerequisite knowledge; extension type (e.g., .pfx, .pem) is determined after CSR signing

C. IP address, CA, Host Name - Missing FQDN; while CA information is needed eventually, it's not required to GENERATE the CSR

D. Revocation Authority, Certificate Extension, CA - Revocation authority and certificate extension are post-generation concerns; not needed to generate CSR

E. CA, Domain Name, Administrators Name - Administrator name is not necessary for CSR generation; CA information is needed for obtaining signed certificate, not generating CSR

CSR Generation Process:

According to the documentation:​

Gather Required Information - Collect hostname, IP address, and FQDN

Generate CSR - Use tools like fstool cert gen to create the CSR file

Answer Prompts - Provide the hostname, IP, and FQDN when prompted

Submit to CA - Send the CSR file to a Certificate Authority for signing

Receive Signed Certificate - CA returns the signed certificate

CSR File Output:

According to the documentation:​

The CSR generation process creates a file (typically ca_request.csr) containing:

The encoded hostname, IP address, and FQDN

The public key

The signature algorithm

Other system identification information

This file is then submitted to a Certificate Authority for signing.

Referenced Documentation:

Forescout RADIUS Plugin Configuration Guide v4.3 - Certificate Readiness section​

Create a Certificate Sign Request documentation​

How to Create a CSR (Certificate Signing Request) - DigiCert Reference​

RADIUS Plugin Configuration - System Certificate section

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout HPS Inspection Engine Configuration Guide and HPS Applications Plugin documentation, the properties that can be determined by the HPS Plugin are: Operating System (C) and HTTP banner (E).​

HPS Plugin Capabilities:

According to the HPS Inspection Engine guide:​

"The HPS (Host Property Scanner) Inspection Engine provides host properties for detecting endpoint characteristics including operating system, services, and applications."

The HPS plugin determines:

Operating System - OS type, version, service pack level

HTTP Banner - Service versions from HTTP banner scanning

Services and Applications - Running processes and installed software

System Information - Hardware vendor, NIC vendor, etc.

Operating System Detection:

According to the HPS Applications Plugin guide:​

"Windows operating system information is detected by the HPS Applications Plugin, including: Release, Package/flavor, Service Pack"

The plugin detects:

Windows OS versions (XP, Vista, 7, 8, 10, etc.)

Server editions (2003, 2008, 2012, 2016, etc.)

Service pack levels

OS build information

HTTP Banner Detection:

According to the HPS Inspection Engine guide:​

"Service Banner: Indicates the service and version information, as determined by Nmap. HTTP banner scanning returns service identification information."

The HTTP banner property is resolved by NMAP scanning with the -sV parameter, which is part of the HPS plugin's classification capabilities.

Why Other Options Are Incorrect:

A. Application installed on Mac OS - The HPS Applications Plugin is for Windows applications only; it does not detect Mac OS applications

B. External Device on Windows - External Device detection is a separate property unrelated to HPS plugin discovery

D. AD group membership - This is determined by the User Directory plugin via LDAP, not the HPS plugin

HPS Plugin vs. Other Plugins:

According to the documentation:​

Property

HPS Plugin

Other Plugins

Operating System

✓Yes

N/A

HTTP Banner

✓Yes (NMAP)

N/A

Windows Applications

✓Yes

N/A

AD Group Membership

✗No

User Directory

Mac OS Applications

✗No

macOS-specific

External Devices

✗No

Network discovery

Referenced Documentation:

CounterACT Endpoint Module HPS Inspection Engine Configuration Guide v10.8​

CounterACT HPS Applications Plugin Configuration Guide v2.1.4​

About the HPS Applications Plugin​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Administration Guide and Switch Plugin documentation, in a multi-site Distributed deployment, to ensure switch management traffic does not cross the WAN, you should "Change the switch settings by going to Options > Switch and select the switch and change the Connecting Appliance option".​

Switch Management Traffic in Distributed Deployments:

In a multi-site deployment:

Local Appliance - Should manage switches at the same site (LAN)

Remote Appliance - Should NOT manage switches across WAN links

Traffic Optimization - Management traffic stays local to reduce WAN usage

Connecting Appliance Configuration:

According to the administration guide:​

When a switch is discovered or needs to be managed by a specific appliance:

Navigate to Tools > Options > Switch

Select the switch from the list

Change the "Connecting Appliance" option

Select the local appliance that should manage this switch

Apply the configuration

This ensures management traffic stays local to the site where both the appliance and switch reside.

Why Other Options Are Incorrect:

A. Configure Switch Auto Discovery - Auto-discovery may assign switches incorrectly across WAN; manual assignment is needed for multi-site

B. Configure CLI username and password - While credentials are needed for management, this doesn't control which appliance connects to the switch

C. Configure Failover Clustering - Failover clustering is for appliance redundancy, not for controlling switch management traffic paths

D. Change via Option > Appliance > IP Assignment - This path manages appliance segment assignments, not individual switch connections

Best Practice for Multi-Site Deployments:

According to the administration guide:​

text

Site A Site B

├─ Appliance A ├─ Appliance B

├─ Switch A-1 ├─ Switch B-1

│ └─ Managed by A✓│ └─ Managed by B✓

└─ Switch A-2 └─ Switch B-2

└─ Managed by A✓└─ Managed by B✓

NOT:

Appliance A managing Switch B-1 across WAN✗

Connecting Appliance Option Details:

According to the switch configuration documentation:​

The "Connecting Appliance" setting:

Specifies which CounterACT appliance will manage the switch

Should be set to the appliance closest to the switch

Minimizes WAN traffic for switch management protocols (SNMP, SSH, Telnet)

Applies immediately without requiring appliance restart

Referenced Documentation:

ForeScout CounterACT Administration Guide - Switch Configuration​

Congratulations! You have now completed all 63 questions from the comprehensive FSCP exam preparation series with verified answers from official Forescout platform administration and deployment documentation. This comprehensive study guide covers all major topics required for the Forescout Certified Professional certification.

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Installation Guide and Windows Vulnerability DB Configuration Guide, a characteristic of a centralized deployment is that checking Microsoft vulnerabilities at a remote site may have significant bandwidth impact.​

Centralized vs. Distributed Deployment Models:

In a centralized deployment, Forescout uses a central location with Enterprise Manager and Appliances, while in a distributed deployment, appliances are placed at multiple locations.​

Bandwidth Considerations in Centralized Deployments:

According to the Windows Vulnerability DB Configuration Guide:​

"Minimize Bandwidth During Vulnerability File Download: You can minimize bandwidth usage during Microsoft vulnerability file download processes by limiting the number of concurrent HTTP downloads to endpoints. The default is 20 endpoints simultaneously."

The documentation further states:​

"To customize: Select Tools>Options>HPS Inspection Engine>Windows Updates tab. Define a value in the Maximum Concurrent Vulnerability DB File HTTP Uploads field."

This configuration option exists specifically because checking Microsoft vulnerabilities (downloading vulnerability definition files to endpoints and having endpoints upload compliance data back) can consume significant bandwidth.

Why Centralized Deployments Magnify Bandwidth Impact:

According to the Installation Guide:​

In a centralized deployment:

All vulnerability checking traffic flows through a single central location

Multiple endpoints simultaneously download large vulnerability database files

All endpoints upload vulnerability compliance data back to central appliances

All this traffic concentrates at the central site

In contrast, in a distributed deployment where appliances exist at remote sites, local endpoints can communicate directly with the local appliance without impacting the central WAN link.

Bandwidth Management for Centralized Deployments:

According to the documentation:​

To address the bandwidth impact in centralized deployments:

Limit concurrent HTTP uploads for vulnerability DB files

Schedule vulnerability checks during off-peak hours

Carefully plan deployment architecture considering remote site bandwidth

Why Other Options Are Incorrect:

B. Provides enhanced IPS and HTTP actions - This is not specific to centralized deployments; both deployment models can use IPS and HTTP actions

C. Is optimal for threat protection - Neither deployment model is necessarily optimal; choice depends on specific requirements

D. Deployed as a Layer-2 channel - Deployment mode (Layer-2 vs. Layer-3) is independent of centralized vs. distributed architecture

E. Every site has an appliance - This describes a distributed deployment, not a centralized one. In centralized deployments, appliances are concentrated at a central site

Centralized Deployment Characteristics:

According to the documentation:​

Appliances are typically located at a central site

Remote sites connect through WAN links

Reduced operational complexity with centralized management

Higher bandwidth requirements on WAN for vulnerability checking and policy enforcement

Requires careful bandwidth planning for remote vulnerability assessment

Referenced Documentation:

Forescout Platform Installation Guide - Network Deployment Requirements​

Windows Vulnerability DB Configuration Guide - Minimize Bandwidth During Vulnerability File Download​

Forescout Platform Cloud Strategies and Best Practices - Bandwidth considerations​

Comprehensive and Detailed Explanation From Exact Extract of Forescout Platform Administration and Deployment:

According to the Forescout Administration Guide, additional recipients for the "Send Mail" action are added through the setting on Tools > Options > General > Mail and adding the recipients separated by commas.​

Managing Email Notification Addresses:

According to the official documentation:​

"From the Tools menu, select Options > General > Mail and DNS. Update any of the following fields: Send Email Alerts/Notifications - List email addresses to receive CounterACT email alerts."

Email Address Separator Options:

According to the documentation:​

"Separate multiple addresses using any of the following characters: semicolon (;), blank space or comma (,)."

So while commas are the primary method shown in the documentation, the system also accepts semicolons and spaces as separators. However, the answer that most specifically matches the Forescout documentation interface is Option A.

How to Configure Email Recipients:

According to the administration guide:​

Open Tools Menu - Select "Tools" from the menu bar

Select Options - Click on "Options"

Navigate to Mail Settings - Select "General > Mail and DNS"

Add Recipients - Enter email addresses in the "Send Email Alerts/Notifications" field

Separate Multiple Addresses - Use commas, semicolons, or spaces between addresses

Example Recipient Configuration:

According to the documentation:​

text

Example 1: user1@example.com,user2@example.com,user3@example.com

Example 2: user1@example.com; user2@example.com; user3@example.com

Policy-Level vs. Global Email Configuration:

According to the documentation:​

Global Email Configuration (Tools > Options > General > Mail) - Sets default recipients for all email alerts

Send Email Action (in policy) - Can be configured to send to administrator email or specify alternative recipients

The global configuration in Tools > Options is where the primary recipient list is maintained.

Why Other Options Are Incorrect:

B. Thru the policy "Send Mail" action, under the Parameters tab - This is not where email recipients are configured; the policy action uses the global settings

C. Thru Tools > Options > Advanced - Mail - The correct path is Tools > Options > General > Mail, not Advanced

D. Thru the Tools > Options > NAC Email - There is no "NAC Email" option in Tools > Options

E. Thru the policy sub rule and adding a condition - Sub-rules contain conditions, not email recipient configuration

Send Email Action in Policies:

According to the documentation:​

"The Send Email action automatically delivers email to administrators when a policy is matched."

This action uses the email addresses configured in the global mail settings.

Referenced Documentation:

Managing Email Notifications documentation​

Initial Setup – Mail section​

Managing Email Notification Addresses documentation​

Core Extensions Module Reports Plugin Configuration Guide​