FC
Test title: FC. Description: QUESTION FC



Which two policy types can be created on a FortiNAC Control Manager? (Choose two.)
- Authentication
- Network Access
- Endpoint Compliance
- Supplicant EasyConnect

Which three communication methods are used by FortiNAC to gather information from, and control, infrastructure devices? (Choose three.)
- CLI
- SMTP
- SNMP
- FTP
- RADIUS

What would occur if both an unknown (rogue) device and a known (trusted) device simultaneously appeared on a port that is a member of the Forced Registration port group?
- The port would be provisioned for the normal state host, and both hosts would have access to that VLAN.
- The port would not be managed, and an event would be generated.
- The port would be provisioned to the registration network, and both hosts would be isolated.
- The port would be administratively shut down.

Which two methods can be used to gather a list of installed applications and application details from a host? (Choose two.)
- Agent technology
- Portal page on-boarding options
- MDM integration
- Application layer traffic inspection

Where do you look to determine which network access policy, if any, is being applied to a particular host?
- The Policy Details view for the host
- The Connections view
- The Port Properties view of the host's port
- The Policy Logs view

What is the current state of this host?
- Rogue
- Registered
- Not Authenticated
- At-Risk

In an isolation VLAN, which three services does FortiNAC supply? (Choose three.)
- NTP
- DHCP
- WEB
- DNS
- SMTP

When configuring isolation networks in the configuration wizard, why does a Layer 3 network type allow for more than one DHCP scope for each isolation network type?
- There can be more than one isolation network of each type.
- Any scopes beyond the first scope are used if the initial scope runs out of IP addresses.
- Configuring more than one DHCP scope allows for DHCP server redundancy.
- The Layer 3 network type allows for one scope for each possible host status.

When a contractor account is created using this template, what value will be set in the account's Role field?
- Accounting Contractor
- Eng-Contractor
- Engineer-Contractor
- Contractor

Which three capabilities does FortiNAC Control Manager provide? (Choose three.)
- Global visibility
- Global authentication security policies
- Global infrastructure device inventory
- Global version control
- Pooled licenses

When FortiNAC is managing VPN clients connecting through FortiGate, why must the clients run a FortiNAC agent?
- To collect user authentication details
- To meet the client security profile rule for scanning connecting clients
- To collect the client IP address and MAC address
- To transparently update the client IP address upon successful authentication

Which agent is used only as part of a login script?
- Mobile
- Passive
- Persistent
- Dissolvable

Which connecting endpoints are evaluated against all enabled device profiling rules? (1 answer)
- All hosts, each time they connect
- Rogue devices, only when they connect for the first time
- Known trusted devices each time they change location
- Rogue devices, each time they connect

What would happen if the highlighted port with connected hosts was placed in both the Forced Registration and Forced Remediation port groups?
- Multiple enforcement groups could not contain the same port.
- Only the higher ranked enforcement group would be applied.
- Both types of enforcement would be applied.
- Enforcement would be applied only to rogue hosts.

What is the state of database replication?
- Secondary to primary synchronization failed.
- Primary to secondary synchronization failed.
- Secondary to primary synchronization was successful.
- Primary to secondary database synchronization was successful.

If you are forcing the registration of unknown (rogue) hosts, and an unknown (rogue) host connects to a port on the switch, what occurs?
- The host is moved to VLAN 111.
- The host is moved to a default isolation VLAN.
- No VLAN change is performed.
- The host is disabled.

Considering the host status of the two hosts connected to the same wired port, what will happen if the port is a member of the Forced Registration port group?
- The port will be provisioned for the normal state host, and both hosts will have access to that VLAN.
- The port will not be managed, and an event will be generated.
- The port will be provisioned to the registration network, and both hosts will be isolated.
- The port will be administratively shut down.

If a host is connected to a port in the Building 1 First Floor Ports group, what must also be true to match this user/host profile?
- The host must have a role value of contractor, an installed persistent agent or a security access value of contractor, and be connected between 6 AM and 5 PM.
- The host must have a role value of contractor or an installed persistent agent, a security access value of contractor, and be connected between 9 AM and 5 PM.
- The host must have a role value of contractor or an installed persistent agent and a security access value of contractor, and be connected between 6 AM and 5 PM.
- The host must have a role value of contractor or an installed persistent agent or a security access value of contractor, and be connected between 6 AM and 5 PM.

Which three are components of a security rule? (Choose three.)
- Methods
- Security String
- Trigger
- User or host profile
- Action

In which view would you find who made modifications to a Group?
- The Event Management view
- The Security Events view
- The Alarms view
- The Admin Auditing view

Which two of the following are required for endpoint compliance monitors? (Choose two.)
- Persistent agent
- Logged on user
- Security rule
- Custom scan

What would happen if a port was placed in both the Forced Registration and the Forced Remediation port groups?
- Only rogue hosts would be impacted.
- Both enforcement groups cannot contain the same port.
- Only at-risk hosts would be impacted.
- Both types of enforcement would be applied.

During an evaluation of state-based enforcement, an administrator discovers that ports that should not be under enforcement have been added to enforcement groups. In which view would the administrator be able to determine who added the ports to the groups?
- The Alarms view
- The Admin Auditing view
- The Event Management view
- The Security Events view

When FortiNAC passes a firewall tag to FortiGate, what determines the value that is passed?
- RADIUS group attribute
- Device profiling rule
- Security rule
- Logical network

During the on-boarding process through the captive portal, what are two reasons why a host that successfully registered would remain stuck in the Registration VLAN? (Choose two.)
- There is another unregistered host on the same port.
- The wrong agent is installed.
- Bridging is enabled on the host.
- The port default VLAN is the same as the Registration VLAN.

While troubleshooting a network connectivity issue, an administrator determines that a device was being automatically provisioned to an incorrect VLAN. Where would the administrator look to determine when and why FortiNAC made the network access change? (1 answer)
- The Admin Auditing view
- The Port Changes view
- The Connections view
- The Event view

What causes a host's state to change to "at risk"?
- The logged on user is not found in the Active Directory.
- The host has failed an endpoint compliance policy or admin scan.
- The host has been administratively disabled.
- The host is not in the Registered Hosts group.

Which two are required for endpoint compliance monitors? (Choose two.)
- Custom scan
- Persistent agent
- ZTNA agent
- MDM integration

Which agent can receive and display messages from FortiNAC to the end user?
- Dissolvable
- Persistent
- Passive
- MDM

Which group type can have members added directly from the FortiNAC Control Manager?
- Administrator
- Device
- Port
- Host

Which host is rogue?
- 3
- 2
- 1
- 4

What method of communication does FortiNAC use to control VPN host access on FortiGate?
- SAML SSO
- Security Fabric
- RSSO
- RADIUS accounting

Which two of the following are required for endpoint compliance monitors? (Choose two.)
- Persistent agent
- Logged on user
- Security rule
- Custom scan

When configuring isolation networks in the configuration wizard, why does a Layer 3 network type allow for more than one DHCP scope for each isolation network type? (1 answer)
- Any scopes beyond the first scope are used if the initial scope runs out of IP addresses.
- The Layer 3 network type allows for one scope for each possible host status.
- There can be more than one isolation network of each type.
- Configuring more than one DHCP scope allows for DHCP server redundancy.

Where are logical network values defined?
- In the model configuration view of each infrastructure device
- In the port properties view of each port
- On the profiled devices view
- In the security and access field of each host record

How are logical networks assigned to endpoints?
- Through device profiling rules
- Through network access policies
- Through Layer 3 polling configurations
- Through FortiGate IPv4 policies

Which two agents can validate endpoint compliance transparently to the end user? (Choose two.)
- Dissolvable
- Mobile
- Passive
- Persistent

By default, if after a successful Layer 2 poll, more than 20 endpoints are seen connected on a single switch port simultaneously, what happens to the port?
- The port becomes a threshold uplink.
- The port is disabled.
- The port is added to the Forced Registration group.
- The port is switched into the Dead-End VLAN.

In a wireless integration, what method does FortiNAC use to obtain connecting MAC address information?
- SNMP traps
- RADIUS
- Endstation traffic monitoring
- Link traps

How does FortiGate update FortiNAC about VPN session information?
- SNMP traps
- API calls to FortiNAC
- Syslog messages
- Security Fabric Integration

Which two things must be done to allow FortiNAC to process incoming syslog messages from an unknown vendor? (Choose two.)
- A security event parser must be created for the device.
- The device sending the messages must be modeled in the Network Inventory view.
- The device must be added as a patch management server.
- The device must be added as a log receiver.

Where do you look to determine when and why the FortiNAC made an automated network access change? (1 answer)
- The Admin Auditing view
- The Port Changes view
- The Connections view
- The Event view

Which two device classification options can register a device automatically and transparently to the end user? (Choose two.)
- Dissolvable agent
- Dot1x Auto Registration
- Device importing
- MDM integration
- Captive portal

What is the state of database replication?
- Secondary to primary synchronization failed.
- Primary to secondary synchronization failed.
- Secondary to primary synchronization was successful.
- Primary to secondary database synchronization was successful.

An administrator is configuring FortiNAC to manage FortiGate VPN users. As part of the configuration, the administrator must configure a few FortiGate firewall policies. What is the purpose of the FortiGate firewall policy that applies to unauthorized VPN clients?
- To deny access to only the FortiNAC VPN interface
- To allow access to only the FortiNAC VPN interface
- To allow access to only the production DNS server
- To deny access to only the production DNS server

An administrator wants the Host At Risk event to generate an alarm. What is used to achieve this result?
- A security trigger activity
- A security filter
- An event to alarm mapping
- An event to action mapping

Examine the communication between a primary FortiNAC (192.168.10.10) and a secondary FortiNAC (192.166.10.110) configured as an HA pair. What is the current state of the FortiNAC HA pair?
- The primary server is running and in control.
- The secondary server is running and in control.
- The database replication failed.
- Failover from the primary server to the secondary server is in progress.

What would happen if a port was placed in both the Forced Registration and the Forced Remediation port groups?
- Only at-risk hosts would be impacted.
- Only rogue hosts would be impacted.
- Both types of enforcement would be applied.
- Both enforcement groups cannot contain the same port.

Where should you configure MAC notification traps on a supported switch?
- Configure them only after you configure linkup and linkdown traps.
- Configure them on all ports on the switch.
- Configure them only on ports set as 802.1q trunks.
- Configure them on all ports except uplink ports.

Which three of the following are components of a security rule? (Choose three.)
- Action
- Methods
- Trigger
- User or host profile
- Security String

When you create a user or host profile, which three criteria can you use? (Choose three.)
- An applied access policy
- Administrative group membership
- Location
- Host or user group memberships
- Host or user attributes

Which three communication methods are used by the FortiNAC to gather information from, and control, infrastructure devices? (Choose three.)
- SNMP
- RADIUS
- FTP
- CLI
- SMTP

Which three circumstances trigger Layer 2 polling of infrastructure devices? (Choose three.)
- A matched security policy
- Scheduled poll timings
- Linkup and Linkdown traps
- Manual polling
- A failed Layer 3 poll

How should you configure MAC notification traps on a supported switch?
- Configure them only on ports set as 802.1q trunks.
- Configure them on all ports except uplink ports.
- Configure them on all ports on the switch.
- Configure them only after you configure linkup and linkdown traps.

Which connecting endpoints are evaluated against all enabled device profiling rules?
- Known trusted devices each time they change location
- Rogue devices, each time they connect
- Rogue devices, only when they connect for the first time
- All hosts, each time they connect

Which devices are evaluated by device profiling rules? (Choose one answer)
- All hosts, each time they connect
- Known trusted devices, each time they connect
- Rogue devices, only when they are initially added to the database
- Rogue devices, each time they change location

Where should you configure MAC notification traps on a supported switch? (Choose one answer)
- Configure them only on ports that generate linkup and linkdown traps.
- Configure them only on uplink ports.
- Configure them on all ports on the switch.
- Configure them on all ports except uplink ports.

Which group type can have members added directly from the FortiNAC Control Manager? (Choose one answer)
- Port
- Host
- Administrator
- Device

Which two methods can be used to gather a list of installed applications and application details from a host? (Choose two answers)
- Application layer traffic inspection
- Agent technology
- MDM integration
- Portal page on-boarding options

When creating a user or host profile, which three criteria can you apply? (Choose three answers)
- Location
- An applied access policy
- Host or user group memberships
- Administrative group membership
- Host or user attributes

When FortiNAC passes a firewall tag to FortiGate, what determines the value that is passed? (Choose one answer)
- RADIUS group attribute
- Device profiling rule
- Logical network
- Security rule

With enforcement for network access policies and at-risk hosts enabled, what happens if a host matches a network access policy and has a state of “at risk”? (Choose one answer)
- The host is isolated.
- The host is provisioned based on the network access policy.
- The host is administratively disabled.
- The host is provisioned based on the default access defined by the point of connection.

What is the purpose of the FortiGate firewall policy that applies to clients not yet authorized by FortiNAC? (Choose one answer)
- To allow access to only the production DNS server
- To deny access to only the FortiNAC VPN interface
- To deny access to only the production DNS server
- To allow access to only the FortiNAC VPN interface

When FortiNAC is managing VPN clients connecting through FortiGate, why must the clients run a FortiNAC agent? (Choose one answer)
- To meet the client security profile rule for scanning connecting clients
- To transparently update the client IP address upon successful authentication
- To collect user authentication details
- To collect the client IP address and MAC address




