Refer to the exhibit. An administrator wants to use FortiNAC-F to automatically provision printers throughout their organization. Each building uses its own local VLAN for printers. Which FortiNAC-F feature would allow this to be accomplished with a single network access policy?
Correct Answer: B
The FortiNAC-F Logical Network feature is specifically designed to provide an abstraction layer between high-level security policies and the underlying physical network infrastructure. In large-scale deployments where different physical locations (like Building 1, 2, and 3 in the exhibit) use different local VLAN IDs for the same type of device (e.g., VLAN 10, 20, and 30 for printers), managing separate policies for each building would create significant administrative overhead. By using a Logical Network, an administrator can create a single entity-for example, a logical network named "Printers"-and use it as the "Access Value" in a single Network Access Policy. The mapping of this logical label to a specific physical VLAN occurs at the Model Configuration level for each network device. When a printer connects to a switch in Building 1, FortiNAC-F evaluates the policy, identifies that the printer should be in the "Printers" logical network, and checks the Model Configuration for that specific switch to see which VLAN ID is mapped to that label (VLAN 10). If the same printer moves to Building 3, the same single policy applies, but FortiNAC-F provisions it to VLAN 30 based on the local mapping for that building's switch. This architectural approach ensures that policies remain consistent and easy to manage regardless of the complexity or variations in the local network topology. "Logical Networks provide a way to define a network access requirement once and apply it across many different network devices that may use different VLAN IDs for that access... Each managed device can use different VLAN IDs for the same Logical Network label. You can define the Logical Networks based on requirements and then associate the network to a VLAN ID when the managed device is configured in the Model Configuration." - FortiNAC-F IoT Deployment Guide: Define the Logical Networks.
NSE5_FNC_AD_7.6 Exam Question 2
An organization wants to add a FortiNAC-F Manager to simplify their large FortiNAC-F deployment. Which two policy types can be managed globally? (Choose two.)
Correct Answer: B,D
The FortiNAC-F Manager is designed to centralize the management of multiple Control and Application (CA) appliances, ensuring consistent security posture across a distributed enterprise. To achieve this, the Manager allows administrators to define and distribute specific types of policies globally rather than configuring them on each individual CA. According to the FortiNAC Manager Guide, the two primary policy types that are managed globally are: Network Access Policies (D): These policies define the "If-Then" logic for network entry. By managing these at the global level, an administrator can ensure that a "Contractor" receives the same restricted access regardless of which branch office or campus they connect to. Endpoint Compliance Policies (B): Global management of compliance policies-which consist of scans and configurations-allows for a unified security baseline. For example, a global policy can mandate that all Windows devices across the entire organization must have a specific antivirus version installed and active before gaining access to the production network. While the Manager provides visibility into authentication events and can synchronize directory data, the specific Authentication (A) configurations (like local RADIUS secrets or specific LDAP server links) are often localized to the CA to account for site-specific infrastructure. Supplicant EasyConnect (C) is a feature set for onboarding, but the structural "Global Policy" engine focuses primarily on the Access and Compliance frameworks. "The FortiNAC Manager enables Global Policy Management, allowing for the creation and distribution of policies across all managed CA appliances. This includes Network Access Policies, which control VLAN and ACL assignment, and Endpoint Compliance Policies, which define the security requirements for hosts. Centralizing these policies ensures that security standards are enforced uniformly across the global network fabric." - FortiNAC Manager Administration Guide: Global Policy Management Overview.
NSE5_FNC_AD_7.6 Exam Question 3
While discovering network infrastructure devices, a switch appears in the inventory topology with a question mark (?) on the icon. What would cause this?
Correct Answer: A
In FortiNAC-F, the Inventory topology uses specific icons to represent the status and model of discovered network infrastructure. When a switch or other network device is discovered via SNMP, FortiNAC-F retrieves its System ObjectID (sysObjectID) to identify the specific make and model. This OID is then compared against the internal database of supported device mappings. A question mark (?) icon appearing on a discovered switch indicates that while the discovery process successfully communicated with the device (meaning SNMP credentials were correct), the SNMP ObjectID is not recognized or mapped in the current version of FortiNAC-F. This essentially means the device is "unsupported" by the current software out-of-the-box. Because the OID is unknown, FortiNAC-F does not know which CLI or SNMP command set to use for critical functions like L2 polling (host visibility) or VLAN switching (enforcement). To resolve this, an administrator can manually "Set Device Mapping" to a similar existing model or a "Generic SNMP Device" if only basic L3 visibility is required. "Discovered devices displaying a '?' icon indicate the currently running version does not have a mapping for that device's System OID (device is not supported). Device mappings are used to manage the device by performing functions such as L2/L3 Polling, Reading, and Switching VLANs." - Fortinet Technical Tip: Options for devices unable to be modeled in Inventory.
NSE5_FNC_AD_7.6 Exam Question 4
An administrator wants to create a conference manager administrator account but would like to limit the number of conference accounts that can be generated to 30. Which statement about conference accounts is true?
Correct Answer: B
In FortiNAC-F, the Conference Manager is a specialized administrative role designed for delegated administration, often used by receptionists or event organizers to create temporary guest accounts. To maintain security and prevent the over-provisioning of credentials, FortiNAC-F allows for granular restrictions on these accounts. According to the FortiNAC-F Administration Guide regarding Administrative Profiles, when an administrator creates a profile for a Conference Manager, they can define specific "Account Limits." Under the profile settings (located in System > Settings > Admin Profiles), there is a field specifically for "Max Accounts." By entering "30" into this field, the administrator ensures that any user assigned to this profile cannot exceed 30 active conference accounts at any given time. This setting is distinct from the Portal configuration or the Guest templates. While templates define the type of account (e.g., duration and access level), the Administrative Profile defines the capabilities and limitations of the person creating those accounts. This ensures that even if a guest template allows for unlimited registrations, the specific administrator is physically restricted by the system from generating more than the allotted 30. "Administrative Profiles define what an administrator can see and do within the system. For delegated administration roles like the Conference Manager, the 'Max Accounts' field in the Administrative Profile is used to specify the maximum number of accounts the user is permitted to create. Once this limit is reached, the user will be unable to generate additional accounts until existing ones expire or are deleted." - FortiNAC-F Administration Guide: Administrative Profiles and Delegated Administration.
NSE5_FNC_AD_7.6 Exam Question 5
An administrator wants to control user access to corporate resources by integrating FortiNAC-F with FortiGate using firewall tags defined on FortiNAC-F. Where would the administrator assign the firewall tag value that will be sent to FortiGate?
Correct Answer: B
Questio ns no: 9 Verified Answe r: B Comprehensive and Detailed 250 to 300 words each Explanation with Exact Matched Extract from FortiNAC-F Administrator library and documentation for current versions (including F 7.2, 7.4, and 7.6) documents: In FortiNAC-F, the integration with FortiGate for Security Fabric and Single Sign-On (FSSO) allows the system to communicate the access level of an endpoint directly to the firewall using firewall tags. This eliminates the need for complex VLAN steering in some environments by allowing the FortiGate to apply policies based on these dynamic tags instead of just a physical or virtual network segment. The actual assignment of the firewall tag value occurs within a Logical Network. In the FortiNAC-F architectural model, a Logical Network acts as a container for "Access Values". When an administrator configures a Logical Network (located under Network > Logical Networks), they define what that network represents-such as "Corporate Access" or "Contractor Limited". Within that definition, they assign the specific Firewall Tag that matches the tag created on the FortiGate. Once a user or host matches a Network Access Policy, FortiNAC-F identifies the associated Logical Network and pushes the defined tag to the FortiGate via the FSSO connector. It is important to note that while Network Access Policies (and by extension Security Rules) are the logic engines that trigger the assignment, they do not hold the tag value itself. They simply point to a Logical Network, which serves as the central repository for that specific access configuration. "To assign firewall tags, navigate to Network > Logical Networks. Select the desired logical network and click Edit. Under the Access Value section, select Firewall Tag as the type and enter the tag name exactly as it appears on the FortiGate. When a Network Access Policy matches a host, FortiNAC sends this tag to the FortiGate as an FSSO message." - FortiNAC-F Administration Guide: Logical Networks and Security Fabric Integration.