NSE5_FNC_AD_7.6 Fortinet NSE 5 - FortiNAC-F 7.6 Administrator Questions and Answers

FortiNAC-F serves as a central manager for security events originating from a diverse ecosystem of third-party security appliances, such as FortiGate, Check Point, and Cisco. Each vendor utilizes its own internal scale forseverity levelswithin syslog messages (e.g., Check Point uses a 1–5 scale, while others may use 0–7). To provide a consistent response regardless of the source, FortiNAC-F usesSeverity Mappingsto normalize these incoming values.

According to theFortiNAC-F Administration Guide, severity mappings allow the administrator to translate vendor-specific threat levels into standardizedFortiNAC Security Levels(such as High, Medium, or Low Violation). When a syslog message arrives, the parser extracts the vendor's severity code, and the system immediately references theSecurity Event Severity Level Mappingstable to determine how that event should be categorized internally. This normalization is vital because it allows a singleSecurity Alarmto be configured to respond to any "High Violation" event, whether it was reported as a "Critical" by one vendor or a "Level 5" by another. Without these mappings, the administrator would have to create separate, redundant security rules for every vendor to account for their different naming conventions and numerical scales.

"Each vendor defines its own severity levels for syslog messages. The following table shows the equivalent FortiNAC security level... To normalize these events, configure theSeverity Level Mappingsfound in the device integration guides. This allows FortiNAC to generate a consistent security event that can then trigger an alarm regardless of the reporting vendor's specific terminology." —FortiNAC-F Administration Guide: Vendor Severity Levels and Syslog Management.

In FortiNAC-F, theRADIUS Attribute Groupsfeature allows administrators to return customized RADIUS attributes (such as specific VLAN IDs, filter IDs, or vendor-specific attributes) in anAccess-Acceptpacket sent back to a network device. This is particularly useful for supporting "Generic RADIUS" devices that are not natively supported but can be managed using standard AVPairs.

According to theFortiNAC-F Generic RADIUS Wired Cookbookand theRADIUS Attribute Groups sectionof the Administration Guide, there is one critical prerequisite for this feature to function: theinbound RADIUS request must contain the Calling-Station-ID attribute. The Calling-Station-ID typically contains theMAC addressof the connecting endpoint. Because FortiNAC-F is a host-centric system, it uses the MAC address as the unique identifier to look up the host record, evaluate the associated Network Access Policy, and determine which Logical Network (and thus which Attribute Group) should be applied. If the incoming request lacks this attribute, FortiNAC-F cannot reliably identify the host and, as a safety mechanism, willnot include any user-defined RADIUS attributesin the response. This ensures that unauthorized or unidentifiable devices do not receive privileged access through misapplied attributes.

"Configure a set of attributes that must be included in the RADIUS Access-Accept packet returned by FortiNAC...Requirement: Inbound RADIUS request must contain Calling-Station-Id. Otherwise, FortiNAC will not include the RADIUS attributes.This attribute is used to identify the host and its current state within the FortiNAC database." —FortiNAC-F 7.6.0 Generic RADIUS Wired Cookbook: Configure RADIUS Attribute Groups.

The integration of FortiNAC-F withFortiGate VPNrequires a specific policy workflow to bridge the gap between initial user authentication and full network access. When a user connects to the VPN, the FortiGate typically provides the User ID and IP address, but FortiNAC-F requires aMAC addressto uniquely identify and manage the endpoint's record.

According to theFortiGate VPN Integration Guide, theEndpoint Compliance Policyis a mandatory component of this setup because it is used todesignate the required agent type. Because a VPN connection is Layer 3, FortiNAC cannot "see" the MAC address through traditional SNMP or L2 polling. The compliance policy instructs the system to present aCaptive Portalto the remote user, requiring them to download and run either thePersistentorDissolvable Agent. The agent then reports the device's MAC address back to FortiNAC, allowing the system to correlate the VPN session with a host record.

Once the agent is running and the MAC is known, FortiNAC-F can evaluate the device's security posture (if scanning is configured) and send the necessaryFSSO tagsback to the FortiGate to lift the initial network restrictions. Without the compliance policy to enforce the agent requirement, the connection would remain in an isolated "IP-only" state with no unique hardware identity.

"TheEndpoint Compliance Policyis necessary to control the agent requirement for VPN users. Create a default VPN Endpoint Compliance Policy todistribute an agentvia captive portal for isolated machines. This policy allows the administrator todesignate the required agent type(Persistent or Dissolvable) that will be used to collect the hardware (MAC) address and perform health scans on the remote endpoint." —FortiNAC FortiGate VPN Integration Guide: Default Endpoint Compliance Policy (Optional) Section.

In FortiNAC-F, accountability and forensic tracking of configuration changes are managed through theAdmin Auditingfunctionality. When an administrator performs an action that modifies the system state—such as creating a policy, changing a device's status, or adding a switch port to anEnforcement Group—the system generates an audit record. This record is essential for troubleshooting scenarios where unauthorized or accidental configuration changes have occurred, leading to unintended network behavior.

TheAdmin Auditingview (found underLogs > Admin Auditing) provides a comprehensive log of the "Who, What, and When" for every administrative session. Each entry includes the username of the administrator, the source IP address from which they accessed the FortiNAC-F console, a precise timestamp, and a detailed description of the modification. In the scenario described, where ports have been incorrectly added to enforcement groups, the Admin Auditing view allows a supervisor to filter by the specific "Port" or "Group" object to identify exactly which administrator executed the command.

In contrast, theEvent Managementview (B) is designed to monitor system and network events, such as RADIUS authentications, host connections, and SNMP trap arrivals. While it tracks system activity, it does not typically log the manual configuration changes performed by admins. ThePort Changesview (C) tracks the operational history of a port (such as VLAN assignment changes and host movements) but does not attribute the administrative assignment of the port to a group. Finally, theSecurity Eventsview (D) is dedicated to alerts triggered by security rules and external threat feeds.

"Admin Auditing displays a record of all modifications made to the FortiNAC-F system by an administrator. This view includes the administrator's name, the date and time of the change, and a description of the action taken. It is the primary resource for determining which administrative user performed a specific configuration change, such as modifying port group memberships or altering policy settings." —FortiNAC-F Administration Guide: Logging and Auditing Section.

In FortiNAC-F,MAC notification traps(also known as MAC Move or MAC Change traps) are essential for achieving real-time visibility of endpoint connections and disconnections. When a device connects to a switch port, the switch generates an SNMP trap that informs FortiNAC-F of the new MAC address on that specific interface. This allows FortiNAC-F to immediately initiate the profiling and policy evaluation process without waiting for the next scheduled L2 poll.

According to theFortiNAC-F Administration GuideandSwitch Integrationdocumentation, MAC notification traps should be configured onall ports except uplink ports. Uplink ports are the interfaces that connect one switch to another or to the core network. Because these ports see the MAC addresses of every device on the downstream switches, enabling MAC notification on uplinks would cause the switch to send a massive volume of redundant traps to FortiNAC-F every time any device anywhere in the downstream branch moves or reconnects. This can overwhelm the FortiNAC-F process queue and degrade system performance.

By only enabling these traps on "edge" or "access" ports—where individual endpoints like PCs, printers, and VoIP phones connect—FortiNAC-F receives precise data regarding exactly where a device is physically located. Uplinks should be identified in the FortiNAC-F inventory as "Uplink" or "Learned Uplink," which tells the system to ignore MAC data seen on those specific ports.

"To ensure accurate host tracking and optimal system performance, SNMP MAC notification traps must be enabled on all access (downlink) ports.Do not enable MAC notification traps on uplink ports, as this will result in excessive and unnecessary trap processing. Uplink ports should be excluded to prevent the system from attempting to map multiple downstream MAC addresses to a single infrastructure interface." —FortiNAC-F Administration Guide: SNMP Configuration for Network Devices.

Questions no:22

Verified Answer: D

Comprehensive and Detailed 250 to 300 words each Explanation with Exact Matched Extract from FortiNAC-F Administrator library and documentation for current versions (including F 7.2, 7.4, and 7.6) documents:

In FortiNAC-F, the expiration of a guest or contractor account is determined by the configuration settings within theAccount Creation Wizardand the associatedGuest/Contractor Template. While a template can define a default "Account Duration" (as seen in the 12-hour setting in the second exhibit), theAccount Creation Wizardallows an administrator to manually specify or override the start and end parameters for a specific user session.

According to theFortiNAC-F Administration Guideregarding guest management, theAccount End Datefield in the creation wizard is the definitive timestamp for when the account object will be disabled or deleted from the system. In the provided exhibit (Account Creation Wizard), the administrator has explicitly set theAccount Start Dateto2025/09/12 08:00:00and theAccount End Dateto2025/09/13 17:00:00.

Even though the template indicates an "Account Duration" of 12 hours, this value typically serves as a pre-populated default. When a manual date and time are entered into the wizard, those specific values take precedence for that individual account. The account will remain active and valid until5:00 PM (17:00:00)on the following day,2025/09/13. It is also important to note the "Login Availability" from the template (8:00 AM - 7:00 PM); while the accountexistsuntil the 13th at 17:00:00, the user would only be able to authenticate during the active hours defined by the login schedule on both days.

"When creating an account, the administrator can select a template to provide default settings. However, specific values such as theAccount End Datecan be modified within theAccount Creation Wizard. The date and time specified in the 'Account End Date' field determines the absolute expiration of the account. Once this time is reached, the account is moved to an expired state and the user's network access is revoked." —FortiNAC-F Administration Guide: Guest and Contractor Account Management.