NSE5_FNC_AD_7.6 Fortinet NSE 5 - FortiNAC-F 7.6 Administrator Questions and Answers

Questions no:9

Verified Answer: B

Comprehensive and Detailed 250 to 300 words each Explanation with Exact Matched Extract from FortiNAC-F Administrator library and documentation for current versions (including F 7.2, 7.4, and 7.6) documents:

In FortiNAC-F, the integration with FortiGate for Security Fabric and Single Sign-On (FSSO) allows the system to communicate the access level of an endpoint directly to the firewall usingfirewall tags. This eliminates the need for complex VLAN steering in some environments by allowing the FortiGate to apply policies based on these dynamic tags instead of just a physical or virtual network segment.

The actual assignment of the firewall tag value occurs within aLogical Network. In the FortiNAC-F architectural model, a Logical Network acts as a container for "Access Values". When an administrator configures a Logical Network (located underNetwork > Logical Networks), they define what that network represents—such as "Corporate Access" or "Contractor Limited". Within that definition, they assign the specificFirewall Tagthat matches the tag created on the FortiGate. Once a user or host matches aNetwork Access Policy, FortiNAC-F identifies the associated Logical Network and pushes the defined tag to the FortiGate via the FSSO connector.

It is important to note that whileNetwork Access Policies(and by extensionSecurity Rules) are the logic engines thattriggerthe assignment, they do not hold the tag value itself. They simply point to a Logical Network, which serves as the central repository for that specific access configuration.

"To assign firewall tags, navigate toNetwork > Logical Networks. Select the desired logical network and clickEdit. Under theAccess Valuesection, selectFirewall Tagas the type and enter the tag name exactly as it appears on the FortiGate. When a Network Access Policy matches a host, FortiNAC sends this tag to the FortiGate as an FSSO message." —FortiNAC-F Administration Guide: Logical Networks and Security Fabric Integration.

In anN+1 High Availability (HA)configuration, a single secondary Control and Application (CA) server provides backup for multiple primary CA servers. The FortiNAC-F Manager (FortiNAC-M) acts as the centralized orchestrator for this cluster, monitoring the health of all participating nodes.

According to theFortiNAC-F 7.6.0 N+1 Failover Reference Manual, when a primary CA (such asCA-2in the exhibit) fails, the secondary CA (CA-3) is automatically promoted by the Manager to take over the specific workload and database functions of that failed primary. Crucially, the documentation specifies that even after this promotion, the system architecture maintains its N+1 logic. The secondary CA effectively "assumes the identity" of the failed primary while continuing to operate within the N+1 framework established by the Manager.

It doesnotmerge with CA-1 to form a traditional 1+1 active/passive cluster (A), nor does it engage in load balancing (D), as FortiNAC-F HA is designed for redundancy and failover rather than active traffic distribution. Furthermore, CA-3 does not "share" management with CA-1 (C); it independently handles the tasks originally assigned to CA-2. Throughout this failover state, the Manager continues to oversee the group, and CA-3 remains the designated secondary unit currently acting in a primary capacity for the downed node until CA-2 is restored.

"In an N+1 Failover Group, theSecondary CAis designed to take over the functionality ofany single failed primary componentwithin the group. The FortiNAC Manager monitors the primaries and initiates the failover to the secondary... Once failover occurs, the secondary continues to operate as the backup unit for the failed primary while remaining part of the managed N+1 HA configuration." —FortiNAC-F 7.6.0 N+1 Failover Reference Manual: Failover Behavior Section.

In FortiNAC-F,Port Groupsare used to apply specific enforcement behaviors to switch ports. When a port is assigned to an enforcement group, such asForced RegistrationorForced Remediation, FortiNAC-F overrides normal policy logic to force all connected adapters into that specific state. The exhibit shows a port (IF#13) with "Multiple Hosts" connected, which is a common scenario in environments using unmanaged switches or hubs downstream from a managed switch port.

According to theFortiNAC-F Administrator Guide, it is possible for a single port to be a member of multiple port groups. However, when those groups have conflicting enforcement actions—such as one group forcing a registration state and another forcing a remediation state—FortiNAC-F utilizes aranking systemto resolve the conflict. In the FortiNAC-F GUI underNetwork > Port Management > Port Groups, each group is assigned a rank. The system evaluates these ranks, andonly the higher ranked enforcement group is appliedto the port. If a port is in both a Forced Registration group and a Forced Remediation group, the group with the numerical priority (rank) will dictate the VLAN and access level assigned to all hosts on that port.

This mechanism ensures consistent behavior across the fabric. If the ranking determines that "Forced Registration" is higher priority, then even a known host that is failing a compliance scan (which would normally trigger Remediation) will be held in the Registration VLAN because the port-level enforcement takes precedence based on its rank.

"A port can be a member of multiple groups. If more than one group has an enforcement assigned, the group with thehighest rank(lowest numerical value) is used to determine the enforcement for the port. When a port is placed in a group with an enforcement, that enforcement is applied toall hostsconnected to that port, regardless of the host's current state." —FortiNAC-F Administration Guide: Port Group Enforcement and Ranking.

In FortiNAC-F, theLayer 3 Network typeis specifically designed for deployments where the isolation networks—such as Registration, Remediation, and Dead End—are separated from the FortiNAC appliance's service interface (port2) by one or more routers. This architecture is common in large, distributed enterprise environments where endpoints in different physical locations or branches must be isolated into subnets that are local to their respective network equipment.

The reason the Configuration Wizard allows for more than one DHCP scope for a single isolation network type (state) is thatthere can be more than one isolation network of each typeacross the infrastructure. For instance, if an organization has three different sites, each site might require its own unique Layer 3 registration subnet to ensure efficient routing and to accommodate local IP address management. By allowing multiple scopes for the "Registration" state, FortiNAC can provide the appropriate IP address, gateway, and DNS settings to a rogue host regardless of which site's registration VLAN it is placed into.

When an endpoint is isolated, the network infrastructure (via DHCP Relay/IP Helper) directs the DHCP request to the FortiNAC service interface. FortiNAC then identifies which scope to use based on the incoming request's gateway information. This flexibility ensures that the system is not limited to a single flat subnet for each isolation state, supporting a scalable, multi-routed network topology.

"Multiple scopes are allowed for each isolation state (Registration, Remediation, Dead End, VPN, Authentication, Isolation, and Access Point Management). Within these scopes, multiple ranges in the lease pool are also permitted... This configWizard option is used when Isolation Networks are separated from the FortiNAC Appliance's port2 interface by a router." —FortiNAC-F Configuration Wizard Reference Manual: Layer 3 Network Section.

When FortiNAC-F manages VPN clients through a FortiGate, the agent plays a fundamental role in device identification that standard network protocols cannot provide on their own. In a standard VPN connection, the FortiGate establishes a Layer 3 tunnel and assigns a virtual IP address to the client. While the FortiGate sends a syslog message to FortiNAC-F containing the username and this assigned IP address, it typically does not provide the hardware (MAC) address of the remote endpoint's physical or virtual adapter.

FortiNAC-F relies on theMAC addressas the primary unique identifier for all host records in its database. Without the MAC address, FortiNAC-F cannot correlate the incoming VPN session with an existing host record to apply specific policies or track the device's history. By running either a Persistent or Dissolvable Agent, the endpoint retrieves its own MAC address and communicates it directly to the FortiNAC-F service interface. This allows the "IP to MAC" mapping to occur. Once FortiNAC-F has both the IP and the MAC, it can successfully identify the device, verify its status, and send the appropriateFSSO tagsor group information back to the FortiGate to lift network restrictions.

Furthermore, while the agent can also perform compliance checks (Option D), the architectural requirement for the agent in a managed VPN environment is primarily driven by the need for session data correlation—specifically the collection of the IP and MAC address pairing.

"Session Data Components: • User ID (collected via RADIUS, syslog and API from the FortiGate). • Remote IP address for the remote user connection (collected via syslog and API from the FortiGate and from the FortiNAC agent). •Device IP and MAC address (collected via FortiNAC agent).... The Agent is used to provide the MAC address of the connecting VPN user (IP to MAC)." —FortiNAC-F FortiGate VPN Integration Guide: How it Works Section.

In FortiNAC-F, theNetwork Sessionsview provides a real-time and historical log of traffic flows, including source/destination IP addresses, ports, and protocols. This data is essential for buildingDevice Profiling Rulesthat rely on "Traffic Patterns" or "Network Footprints" to identify devices (e.g., an IP camera communicating with its specific NVR). If the network session view is empty, the system is not receiving the necessary flow or session data from the network infrastructure.

According to theFortiNAC-F Administration Guide, there are two primary methods to populate this view:

NetFlow/sFlow/IPFIX (C):FortiNAC-F can act as a flow collector. By enablingNetFlowsettings on the FortiNAC-F service interface (port2/eth1) and configuring your switches or routers to export flow data to the FortiNAC IP, the system can parse these packets and record sessions.

Firewall Session Polling (B):For environments with FortiGate firewalls, FortiNAC-F can proactively poll the FortiGate via theREST APIto retrieve its current session table. This is particularly useful as it provides session visibility without requiring the overhead of configuring NetFlow on every access layer switch.

Settings likeLayer 3 Polling(D) only provide ARP table mappings (IP to MAC correlation) and do not provide the detailed flow information required for the session view.

"TheNetwork Sessionsview displays information regarding active and inactive network traffic sessions... To populate this view, FortiNAC must receive data through one of the following methods: •NetFlow/sFlow Support: Configure network devices to send flow data to the FortiNAC service interface. •Firewall Session Polling: Enable session polling on modeled FortiGate devices to retrieve session information via API. These records are then used by the Device Profiler to match rules based on traffic patterns." —FortiNAC-F Administration Guide: Network Sessions and Flow Data Collection.