Free Practice Questions for Fortinet NSE5_FNC_AD_7.6 Exam

In FortiNAC-F, accountability and forensic tracking of configuration changes are managed through theAdmin Auditingfunctionality. When an administrator performs an action that modifies the system state—such as creating a policy, changing a device ' s status, or adding a switch port to anEnforcement Group—the system generates an audit record. This record is essential for troubleshooting scenarios where unauthorized or accidental configuration changes have occurred, leading to unintended network behavior.

TheAdmin Auditingview (found underLogs > Admin Auditing) provides a comprehensive log of the " Who, What, and When " for every administrative session. Each entry includes the username of the administrator, the source IP address from which they accessed the FortiNAC-F console, a precise timestamp, and a detailed description of the modification. In the scenario described, where ports have been incorrectly added to enforcement groups, the Admin Auditing view allows a supervisor to filter by the specific " Port " or " Group " object to identify exactly which administrator executed the command.

In contrast, theEvent Managementview (B) is designed to monitor system and network events, such as RADIUS authentications, host connections, and SNMP trap arrivals. While it tracks system activity, it does not typically log the manual configuration changes performed by admins. ThePort Changesview (C) tracks the operational history of a port (such as VLAN assignment changes and host movements) but does not attribute the administrative assignment of the port to a group. Finally, theSecurity Eventsview (D) is dedicated to alerts triggered by security rules and external threat feeds.

" Admin Auditing displays a record of all modifications made to the FortiNAC-F system by an administrator. This view includes the administrator ' s name, the date and time of the change, and a description of the action taken. It is the primary resource for determining which administrative user performed a specific configuration change, such as modifying port group memberships or altering policy settings. " —FortiNAC-F Administration Guide: Logging and Auditing Section.

The correct answer is C . In a link-trap-based wired deployment, the switch sends a linkUp or linkDown SNMP trap to FortiNAC-F, but that trap does not contain the endpoint MAC address. After receiving the link trap, FortiNAC-F must contact the switch and perform a Layer 2 poll to read the forwarding table and determine which MAC address was added or removed on the port. The FortiNAC-F study guide states that link traps trigger FortiNAC-F to perform a Layer 2 poll to update its awareness of devices connected to the edge device, and the wired link-trap workflow specifically shows FortiNAC-F performing a Layer 2 poll before locating the host record and provisioning access.

The symptoms in the exhibit are classic stale Layer 2 visibility: FortiNAC-F still shows a rogue host on a port where no host is connected, while also failing to show hosts on ports where endpoints are actually connected. That means FortiNAC-F is not successfully refreshing the switch MAC table information. Since link traps depend on FortiNAC-F being able to poll the switch after the trap, a contact failure with the modeled switch is the most likely cause.

Option A is wrong because logical network settings affect access enforcement, not whether FortiNAC-F can see current MAC-to-port mappings. Option B is wrong because the FortiNAC-F agent is not required for basic switch-port visibility; Layer 2 visibility comes from switch polling, MAC notification traps, or RADIUS. Option D is tempting, but the broader failure shown here is not merely a policy or endpoint-side issue—it is that FortiNAC-F cannot obtain current Layer 2 data from the switch. In practice, you would still verify SNMP/CLI credentials while troubleshooting, but the best answer to the symptom pattern is that FortiNAC-F cannot contact/query the switch successfully.

The correct answer is D . The question is about guest onboarding , and the exhibit shows the Guest Network using gateway 10.20.1.250 . In a Layer 3 captive network design, FortiNAC-F provides DHCP and DNS services to isolated or captive-network hosts, but the DHCP scope must still give the endpoint the correct default gateway for the network where that endpoint is placed. The study guide specifically warns that, when configuring Layer 3 captive network scopes, the administrator must think from the isolated host’s perspective for the IP pool and gateway configuration . It also states that each captive network interface configuration includes an IP address, subnet mask, default gateway, and one or more DHCP scopes.

Option A , 10.0.1.254 , is the infrastructure gateway on the FortiNAC-F service/production-side segment, not the guest network gateway. Option B , 10.0.1.110 , is the FortiNAC-F interface address shown in the diagram, not the default gateway for guest clients. Option C , 10.10.1.250 , is the gateway for the Isolation Network , not the Guest Network . Since the administrator is configuring guest onboarding, the DHCP scope for guest users must hand out 10.20.1.250 as the gateway.

The correct answer is A . In FortiNAC-F, device profiling rules are used primarily to classify unknown or untrusted devices when they are first discovered. The study guide explains that when a device does not already exist in the database, FortiNAC-F adds it, treats it as a rogue, and evaluates it against enabled device profiling rules. It also states that devices are initially evaluated against device profiling rules only if they do not already exist in the database, because this avoids unnecessary repeated evaluation of known devices.

The exhibit also matters: the rules are enabled and set to Automatic registration, but Confirm Rule On Connect is not enabled and Confirm Rule Interval is set to None . That means FortiNAC-F will not automatically revalidate already-profiled or trusted devices every time they connect. Option B is wrong because trusted devices are not repeatedly evaluated unless rule confirmation is configured. Option C is too broad because all hosts are not processed through profiling rules on every connection. Option D is also wrong because changing location does not by itself force automatic device profiling; location can be used as a rule method, but the automatic evaluation described here applies when the rogue device is initially added to the database.

The correct answer is B . In the trigger exhibit, the Filter Match setting is configured as Any 1 Filters , meaning the security trigger is satisfied when any one of the defined filters matches within the configured time window. The contractor triggers two of the defined filters, so two separate security events are generated because FortiNAC-F creates a security event whenever a security filter matches. The study guide confirms that each matched filter generates a security event, and when a trigger contains multiple filters, multiple matched filters can be associated with the resulting alarm.

The security rule exhibit also shows User/Host Profile: Match Contractors . Because the triggering user is a contractor, the user/host profile condition is satisfied. Once the trigger is satisfied and the user/host profile matches, FortiNAC-F generates a security alarm . The fact that Action is set to None does not stop the alarm from being generated; it only means no automated or manual response action is executed from that rule. Option A is wrong because the contractor profile matches, so an alarm is generated. Option C is wrong because only two filters were triggered, not three. Option D is wrong because two filters matched, so two events are generated, not one.

The correct answer is A . FortiNAC-F passes firewall tags to FortiGate through Security Fabric integration so FortiGate can use those values as dynamic address groups in firewall policies. The study guide explains that firewall tags are administrator-defined string values and that FortiNAC-F dynamically assigns them based on a security policy or logical network. More specifically for network access enforcement, it states that the network access configuration defines the logical network , and the logical network defines the firewall tag through the device model configuration .

This is the same mechanism used in VPN and Fabric workflows: the FortiGate device model contains the mappings of logical networks to the actual tags or groups that FortiNAC-F sends to FortiGate. The guide states that FortiNAC-F network access policies and logical networks determine the group or tag information, while the FortiGate model configuration contains the mappings used for the values sent.

Option B is not the best answer because a device profiling rule can classify a device and may cause it to match a policy, but it does not directly define the FortiGate tag value sent for policy enforcement. Option C can apply firewall tags in security automation scenarios, but the standard FortiGate dynamic address group mapping is defined in model configuration. Option D is unrelated; RADIUS attributes are used in RADIUS access responses, not FortiGate Fabric tag propagation.

The correct answer is A . In a FortiNAC-F 1+1 HA deployment, failover from primary to secondary is automatic, but failback to the primary is not automatic . The study guide states that if the primary device or its network connectivity fails, the secondary assumes control automatically, but restoration of a failed-over HA deployment is a manual administrator-driven process. It further explains that after the cause of the failover is resolved, the administrator must use the Resume Control button to transfer control back to the primary server.

That means when the primary comes back online, it does not immediately take over again. The pair can resume HA communication, but the secondary remains the in-control node until an administrator deliberately returns control to the primary. Option B is wrong because FortiNAC-F 1+1 HA is active-passive, not load-balanced. Option C is wrong because the restored primary does not power itself down for maintenance. Option D is a trap: five failed heartbeats are used in failure detection and gateway validation logic, not as an automatic failback timer. The exam point is simple: automatic failover, manual failback .

In FortiNAC-F,Port Groupsare used to apply specific enforcement behaviors to switch ports. When a port is assigned to an enforcement group, such asForced RegistrationorForced Remediation, FortiNAC-F overrides normal policy logic to force all connected adapters into that specific state. The exhibit shows a port (IF#13) with " Multiple Hosts " connected, which is a common scenario in environments using unmanaged switches or hubs downstream from a managed switch port.

According to theFortiNAC-F Administrator Guide, it is possible for a single port to be a member of multiple port groups. However, when those groups have conflicting enforcement actions—such as one group forcing a registration state and another forcing a remediation state—FortiNAC-F utilizes aranking systemto resolve the conflict. In the FortiNAC-F GUI underNetwork > Port Management > Port Groups, each group is assigned a rank. The system evaluates these ranks, andonly the higher ranked enforcement group is appliedto the port. If a port is in both a Forced Registration group and a Forced Remediation group, the group with the numerical priority (rank) will dictate the VLAN and access level assigned to all hosts on that port.

This mechanism ensures consistent behavior across the fabric. If the ranking determines that " Forced Registration " is higher priority, then even a known host that is failing a compliance scan (which would normally trigger Remediation) will be held in the Registration VLAN because the port-level enforcement takes precedence based on its rank.

" A port can be a member of multiple groups. If more than one group has an enforcement assigned, the group with thehighest rank(lowest numerical value) is used to determine the enforcement for the port. When a port is placed in a group with an enforcement, that enforcement is applied toall hostsconnected to that port, regardless of the host ' s current state. " —FortiNAC-F Administration Guide: Port Group Enforcement and Ranking.

In a1+1 High Availability (HA)deployment, FortiNAC-F supports two primary methods for management access: individual IP addresses or aShared IP Address(also known as a Virtual IP or VIP). The Shared IP option is part of aLayer 2 HAdesign, which simplifies administration by providing a single URL or IP that always points to whichever appliance is currently in the " Active " or " In Control " state.

For a Shared IP configuration to function correctly, thePrimary and Secondary administrative interfaces (port1) must be on the same subnet. This requirement exists because the Shared IP is a logical address that is dynamically assigned to the physical interface of the active unit. Since only one unit can own the IP at a time, both units must reside on the same broadcast domain (Layer 2) to ensure that ARP requests for the Shared IP are correctly answered and that the gateway remains reachable regardless of which unit is active. If the appliances were on different subnets (a Layer 3 HA design), a shared IP could not be used because it cannot " float " across different network segments; instead, administrators would need to manage each unit via its unique physical IP or use a FortiNAC Manager.

" For L2 HA configurations, click theUse Shared IP Addresscheckbox and enter the Shared IP Address information...If your Primary and Secondary Servers are not in the same subnet, do not use a shared IP address.The shared IP address moves between appliances during a failover and recovery and requires both units to reside on the same network. " —FortiNAC-F High Availability Reference Manual: Shared IP Configuration.