Where should you configure MAC notification traps on a supported switch?
C
Explanation:
In general, for network switches supporting MAC notification traps, it's advisable to configure these
traps on all ports except uplink ports. Uplink ports are used for connecting to other switches or
network infrastructure devices and typically don't need MAC notification traps, which are more
relevant for end-device connectivity monitoring.
The study guide specifies that MAC notification traps should not be configured on interfaces that are
uplinks. They are the preferred method for learning and updating Layer 2 information and should be
used whenever available, but not on uplink interfaces.
Where do you look to determine which network access policy, if any, is being applied to a particular
host?
A
Explanation:
To determine which network access policy is applied to a particular host, you should look at the
Policy Details window. This window provides information about the types of policies applied (such as
Network Access, Authentication, Supplicant, etc.), including the profile name, policy name,
configuration name, and any settings that make up the configuration.
FortiNAC p 382: "Under Network Access Settings - Policy Name - Name of the Network Access Policy
that currently applies to the host."
While troubleshooting a network connectivity issue, an administrator determines that a device was
being automatically provisioned to an incorrect VLAN.
Where would the administrator look to determine when and why FortiNAC made the network access
change?
C
Which agent can receive and display messages from FortiNAC to the end user?
B
Explanation:
The persistent agent has the ability to display messages on the desktop of an endpoint. These
messages can target an individual host, a group of hosts, or all hosts with the persistent agent
installed. The messaging options include sending message content with an optional web address
link.
When FortiNAC passes a firewall tag to FortiGate, what determines the value that is passed?
B
What capability do logical networks provide?
C
Explanation:
Logical Networks allow you to create fewer Network Access Policies than before. (FortiNAC - What's
new in FortiNAC 7.2)
Logical networks in FortiNAC decouple a policy from a specific access value, allowing for the
application of different access values from a single access policy. This is done based on the point of
connection, significantly reducing the number of network access policies needed and simplifying
network access policy management.
Which two device classification options can register a device automatically and transparently to the
end user? (Choose two.)
B, D
Explanation:
The FortiNAC 7.2 Study Guide does not explicitly mention Dot1x Auto Registration and MDM
integration as the specific device classification options for automatic and transparent registration to
the end user. However, based on the general functioning of FortiNAC, Dot1x Auto Registration and
MDM integration are typically used for such purposes. The guide discusses automatic device
registration in the context of profiling rules.
In an isolation VLAN, which three services does FortiNAC supply? (Choose three.)
B, C, D
Explanation:
In an isolation VLAN, FortiNAC supplies DHCP and DNS services. The guide specifies that FortiNAC
has a DHCP scope defined for a particular VLAN and should be the only DHCP server available to
hosts on that VLAN. Additionally, hosts on the VLAN would get a DNS server configuration of the
FortiNAC IP for that VLAN.
Which group type can have members added directly from the FortiNAC Control Manager?
B
Explanation:
The study guide explains that there are six different types of groups in FortiNAC, including device,
host, IP phone, port, user, and administrator groups. Groups created by administrative users or
imported as a result of an LDAP integration can be used to organize elements but do not enforce any
type of control or functionality directly.
Which system group will force at-risk hosts into the quarantine network, based on point of
connection?
D
Explanation:
Forced Quarantine, study guide 7.2 pages 245 and 248.
How are logical networks assigned to endpoints?
A
Explanation:
Logical networks are assigned to endpoints through device profiling rules in FortiNAC. These
networks appear in device Model Configuration views and are used for endpoint isolation based on
the endpoint's state or status.
By default, if after a successful Layer 2 poll, more than 20 endpoints are seen connected on a single
switch port simultaneously, what happens to the port?
A
Explanation:
If more than 20 endpoints are seen connected on a single switch port simultaneously after a
successful Layer 2 poll, the port is designated as an uplink. FortiNAC will ignore all physical addresses
learned on an uplink port and will not perform any control operations on it.
An administrator wants the Host At Risk event to generate an alarm. What is used to achieve this
result?
C
Explanation:
To generate an alarm from a Host At Risk event, an administrative user must create an Event to
Alarm Mapping for the Vulnerability Scan Failed event. Within this alarm mapping, a host security
action must be designated to mark the host at risk.
Which three communication methods are used by FortiNAC to gather information from and control
infrastructure devices? (Choose three.)
A, C, E
Explanation:
FortiNAC Study Guide 7.2 | Page 11
FortiNAC uses various methods to communicate with infrastructure devices, such as SNMP for
discovery and ongoing management, SSH or Telnet through the CLI for tasks related to the
infrastructure, and RADIUS for handling specific types of requests.
An administrator is configuring FortiNAC to manage FortiGate VPN users. As part of the
configuration, the administrator must configure a few FortiGate firewall policies.
What is the purpose of the FortiGate firewall policy that applies to unauthorized VPN clients?
B