Fortinet NSE5_FNC_AD_7.6 Exam Dumps

In FortiNAC-F, the Guest & Contractor Template is a configuration object that defines the parameters for accounts created by sponsors or through self-registration. One of the critical security controls within this template is the Login Availability setting. This setting restricts the specific days and times during which a guest or contractor is permitted to authenticate and access the network.

As shown in the exhibit, the 'StandardGuest' template has Login Availability set to 'Specify Time', with a schedule defined as Mon-Fri, 6:00 AM to 7:00 PM. If a guest user attempts to connect or authenticate at 8:00 PM, which is outside of the permitted window, FortiNAC-F's policy engine will automatically deny the authentication request. When an authentication attempt is denied due to schedule restrictions, the system does not move the host into the 'Authenticated' or 'Registered' state required for production access. Instead, the host is marked as non-authenticated in the adapter or host view.

This behavior ensures that even if a guest possesses valid credentials, their access is strictly bound by the organizational policy for visitor hours. The host will typically remain in its current isolation or registration VLAN, and the user will see a message on the captive portal indicating that their account is not currently authorized for login. It is important to distinguish this from 'at-risk' (C), which relates to security scan failures, or 'rogue' (B), which typically refers to unknown devices that have not yet been associated with a valid account or profiling rule.

'Login Availability defines the timeframe during which the guest or contractor account is valid for network access. This schedule is enforced at the time of authentication. If a user attempts to log in outside of the designated window, the authentication is rejected by the system. Consequently, the host record will reflect a non-authenticated status, and the device will remain restricted to the isolation or registration network until a valid login window is reached.' --- FortiNAC-F Administration Guide: Guest and Contractor Templates Section.

FortiNAC-F provides a robust engine for processing security notifications from third-party devices. For standard integrations, such as FortiGate or Check Point, the system comes pre-loaded with templates to interpret incoming data. However, when an administrator needs FortiNAC-F to process syslog messages from a vendor or device that is not supported by default, they must configure a Security Event Parser.

The Security Event Parser acts as the translation layer. It uses regular expressions (Regex) or specific field mappings to identify key data points within a raw syslog string, such as the source IP address, the threat type, and the severity. Without a parser, FortiNAC-F may receive the syslog message but will be unable to 'understand' its contents, meaning it cannot generate the necessary Security Event required to trigger automated responses. Once a parser is created, the system can extract the host's IP address from the message, resolve it to a MAC address via L3 polling, and then apply the appropriate security rules. This allows for the integration of any security appliance capable of sending RFC-compliant syslog messages.

'FortiNAC parses the information based on pre-defined security event parsers stored in FortiNAC's database... If the incoming message format is not recognized, a new Security Event Parser must be created to define how the system should extract data fields from the raw syslog message. This enables FortiNAC to generate a security event and take action based on the alarm configuration.' --- FortiNAC-F Administration Guide: Security Event Parsers.

In FortiNAC-F, accountability and forensic tracking of configuration changes are managed through the Admin Auditing functionality. When an administrator performs an action that modifies the system state---such as creating a policy, changing a device's status, or adding a switch port to an Enforcement Group---the system generates an audit record. This record is essential for troubleshooting scenarios where unauthorized or accidental configuration changes have occurred, leading to unintended network behavior.

The Admin Auditing view (found under Logs > Admin Auditing) provides a comprehensive log of the 'Who, What, and When' for every administrative session. Each entry includes the username of the administrator, the source IP address from which they accessed the FortiNAC-F console, a precise timestamp, and a detailed description of the modification. In the scenario described, where ports have been incorrectly added to enforcement groups, the Admin Auditing view allows a supervisor to filter by the specific 'Port' or 'Group' object to identify exactly which administrator executed the command.

In contrast, the Event Management view (B) is designed to monitor system and network events, such as RADIUS authentications, host connections, and SNMP trap arrivals. While it tracks system activity, it does not typically log the manual configuration changes performed by admins. The Port Changes view (C) tracks the operational history of a port (such as VLAN assignment changes and host movements) but does not attribute the administrative assignment of the port to a group. Finally, the Security Events view (D) is dedicated to alerts triggered by security rules and external threat feeds.

'Admin Auditing displays a record of all modifications made to the FortiNAC-F system by an administrator. This view includes the administrator's name, the date and time of the change, and a description of the action taken. It is the primary resource for determining which administrative user performed a specific configuration change, such as modifying port group memberships or altering policy settings.' --- FortiNAC-F Administration Guide: Logging and Auditing Section.

In FortiNAC-F, the Inventory topology uses specific icons to represent the status and model of discovered network infrastructure. When a switch or other network device is discovered via SNMP, FortiNAC-F retrieves its System ObjectID (sysObjectID) to identify the specific make and model. This OID is then compared against the internal database of supported device mappings.

A question mark (?) icon appearing on a discovered switch indicates that while the discovery process successfully communicated with the device (meaning SNMP credentials were correct), the SNMP ObjectID is not recognized or mapped in the current version of FortiNAC-F. This essentially means the device is 'unsupported' by the current software out-of-the-box. Because the OID is unknown, FortiNAC-F does not know which CLI or SNMP command set to use for critical functions like L2 polling (host visibility) or VLAN switching (enforcement). To resolve this, an administrator can manually 'Set Device Mapping' to a similar existing model or a 'Generic SNMP Device' if only basic L3 visibility is required.

'Discovered devices displaying a '?' icon indicate the currently running version does not have a mapping for that device's System OID (device is not supported). Device mappings are used to manage the device by performing functions such as L2/L3 Polling, Reading, and Switching VLANs.' --- Fortinet Technical Tip: Options for devices unable to be modeled in Inventory.

In FortiNAC-F, Port Groups are used to apply specific enforcement behaviors to switch ports. When a port is assigned to an enforcement group, such as Forced Registration or Forced Remediation, FortiNAC-F overrides normal policy logic to force all connected adapters into that specific state. The exhibit shows a port (IF#13) with 'Multiple Hosts' connected, which is a common scenario in environments using unmanaged switches or hubs downstream from a managed switch port.

According to the FortiNAC-F Administrator Guide, it is possible for a single port to be a member of multiple port groups. However, when those groups have conflicting enforcement actions---such as one group forcing a registration state and another forcing a remediation state---FortiNAC-F utilizes a ranking system to resolve the conflict. In the FortiNAC-F GUI under Network > Port Management > Port Groups, each group is assigned a rank. The system evaluates these ranks, and only the higher ranked enforcement group is applied to the port. If a port is in both a Forced Registration group and a Forced Remediation group, the group with the numerical priority (rank) will dictate the VLAN and access level assigned to all hosts on that port.

This mechanism ensures consistent behavior across the fabric. If the ranking determines that 'Forced Registration' is higher priority, then even a known host that is failing a compliance scan (which would normally trigger Remediation) will be held in the Registration VLAN because the port-level enforcement takes precedence based on its rank.

'A port can be a member of multiple groups. If more than one group has an enforcement assigned, the group with the highest rank (lowest numerical value) is used to determine the enforcement for the port. When a port is placed in a group with an enforcement, that enforcement is applied to all hosts connected to that port, regardless of the host's current state.' --- FortiNAC-F Administration Guide: Port Group Enforcement and Ranking.