A network administrator is troubleshooting a network access issue for a specific host. The administrator suspects the host is being assigned a different network access policy than expected. Where would the administrator look to identify which network access policy, if any, is being applied to a particular host?
Correct Answer: B
When troubleshooting network access in FortiNAC-F, it is often necessary to verify exactly why a host has been granted a specific level of access. Since FortiNAC-F evaluates policies from the top down and assigns access based on the first match, an administrator needs a clear way to see the results of this evaluation for a specific live endpoint. The Policy Details (C) view is the designated tool for this purpose. By navigating to the Hosts > Hosts (or Adapter View) in the Administration UI, an administrator can search for the specific MAC address or IP of the host in question. Right-clicking on the host record reveals a context menu from which Policy Details can be selected. This view provides a real-time "look" into the policy engine's decision for that specific host, showing the Network Access Policy that was matched, the User/Host Profile that triggered the match, and the resulting Network Access Configuration (VLAN/ACL) currently applied. While Policy Logs (A) provide a historical record of all policy transitions across the system, they are often too high-volume to efficiently find a single host's current state. The Connections view (B) shows the physical port and basic status but lacks the granular policy logic breakdown. The Port Properties (D) view shows the configuration of the switch interface itself, which is only one component of the final access determination. "To identify which policy is currently applied to a specific endpoint, use the Policy Details view. Navigate to Hosts > Hosts, select the host, right-click and choose Policy Details. This window displays the specific Network Access Policy, User/Host Profile, and Network Access Configuration currently in effect for that host record." - FortiNAC-F Administration Guide: Policy Details and Troubleshooting.
NSE5_FNC_AD_7.6 Exam Question 12
An administrator wants FortiNAC-F to return a group of user-defined RADIUS attributes in RADIUS responses. Which condition must be true to achieve this?
Correct Answer: B
In FortiNAC-F, the RADIUS Attribute Groups feature allows administrators to return customized RADIUS attributes (such as specific VLAN IDs, filter IDs, or vendor-specific attributes) in an Access-Accept packet sent back to a network device. This is particularly useful for supporting "Generic RADIUS" devices that are not natively supported but can be managed using standard AVPairs. According to the FortiNAC-F Generic RADIUS Wired Cookbook and the RADIUS Attribute Groups section of the Administration Guide, there is one critical prerequisite for this feature to function: the inbound RADIUS request must contain the Calling-Station-ID attribute. The Calling-Station-ID typically contains the MAC address of the connecting endpoint. Because FortiNAC-F is a host-centric system, it uses the MAC address as the unique identifier to look up the host record, evaluate the associated Network Access Policy, and determine which Logical Network (and thus which Attribute Group) should be applied. If the incoming request lacks this attribute, FortiNAC-F cannot reliably identify the host and, as a safety mechanism, will not include any user-defined RADIUS attributes in the response. This ensures that unauthorized or unidentifiable devices do not receive privileged access through misapplied attributes. "Configure a set of attributes that must be included in the RADIUS Access-Accept packet returned by FortiNAC... Requirement: Inbound RADIUS request must contain Calling-Station-Id. Otherwise, FortiNAC will not include the RADIUS attributes. This attribute is used to identify the host and its current state within the FortiNAC database." - FortiNAC-F 7.6.0 Generic RADIUS Wired Cookbook: Configure RADIUS Attribute Groups.
NSE5_FNC_AD_7.6 Exam Question 13
What must an administrator configure to allow FortiNAC-F to process incoming syslog messages that are not supported by default?
Correct Answer: C
FortiNAC-F provides a robust engine for processing security notifications from third-party devices. For standard integrations, such as FortiGate or Check Point, the system comes pre-loaded with templates to interpret incoming data. However, when an administrator needs FortiNAC-F to process syslog messages from a vendor or device that is not supported by default, they must configure a Security Event Parser. The Security Event Parser acts as the translation layer. It uses regular expressions (Regex) or specific field mappings to identify key data points within a raw syslog string, such as the source IP address, the threat type, and the severity. Without a parser, FortiNAC-F may receive the syslog message but will be unable to "understand" its contents, meaning it cannot generate the necessary Security Event required to trigger automated responses. Once a parser is created, the system can extract the host's IP address from the message, resolve it to a MAC address via L3 polling, and then apply the appropriate security rules. This allows for the integration of any security appliance capable of sending RFC-compliant syslog messages. "FortiNAC parses the information based on pre-defined security event parsers stored in FortiNAC's database... If the incoming message format is not recognized, a new Security Event Parser must be created to define how the system should extract data fields from the raw syslog message. This enables FortiNAC to generate a security event and take action based on the alarm configuration." - FortiNAC-F Administration Guide: Security Event Parsers.
NSE5_FNC_AD_7.6 Exam Question 14
When creating a user or host profile, which three criteria can you apply? (Choose three.)
Correct Answer: A,B,E
The User/Host Profile is the primary mechanism in FortiNAC-F for identifying and categorizing endpoints to determine their level of network access. According to the FortiNAC-F Administration Guide, a profile is built using a combination of criteria that define "Who" is connecting, "What" device they are using, and "Where" they are located on the network. The three main categories of criteria available in the configuration are: Host or User Attributes (B): This includes specific details such as the host's operating system, the user's role (e.g., Employee, Contractor), or custom attributes assigned to the record. Host or User Group Memberships (A): Profiles can be configured to match endpoints that are members of specific internal FortiNAC groups or synchronized directory groups (like LDAP or Active Directory groups). This allows for broad policy application based on organizational structure. Location (E): The "Where" component allows administrators to restrict a profile match to specific physical or logical areas of the network, such as a particular switch, a group of ports, or a specific SSID. Criteria like an "applied access policy" (D) are the outcome of a profile match rather than a criterion used to define the profile itself. Similarly, the "Adapter current VLAN" (C) is a dynamic state that changes based on enforcement and is not a standard static identifier used for profile matching. "User/Host Profiles are used to identify the hosts and users to which a policy will apply. Profiles are created by selecting various criteria in the Who/What (Attributes and Groups) and Where (Locations) sections. Attributes can include Host Role, User Role, and OS. Group memberships allow matching based on internal or directory-based groups. Location criteria allow for filtering based on the device or port where the host is connected." - FortiNAC-F Administration Guide: User/Host Profile Configuration.