Security Policy Components Quiz

Questions and Answers

What is the core offering of Fortinet in terms of Network Access Control (NAC)?

• FortiNAC (correct)
• FortiLink NAC
• FortiGate
• Forti-Switch

Which solution offers base-level discovery and control for free as a feature of the LAN Edge solution?

• Forti-Switch
• FortiLink NAC (correct)
• FortiGate
• FortiNAC

Which component is optional in a FortiNAC deployment and is primarily used for generating reports?

• NCAS
• Management
• Application and control
• FortiAnalyzer (correct)

What is the primary purpose of the FortiNAC Control Manager in a large distributed environment?

Management (B)

Which statement accurately describes Fortinet's belief about the importance of network access control?

It is essential for security at the edges of the network. (D)

In what type of deployments can FortiNAC be utilized according to the text?

Mid-sized to large enterprise deployments (B)

What type of SSL certificate is recommended for the FortiNAC captive portal?

Certificate signed by a public CA (C)

Which protocols need to be enabled on the FortiGate management interface for it to be added to the FortiNAC device inventory?

HTTPS and SSH (C)

What is the purpose of the Authentication VLAN in FortiNAC captive networks?

To isolate registered clients during user authentication (C)

When adding devices to the FortiNAC device inventory, what should one always do before validation?

Validate Credentials (D)

How does FortiNAC determine the state of a host when it connects to the network?

Based on device profiling rules (D)

Which protocol is necessary for carrying out remote tasks like manual polling and scheduled tasks in FortiNAC network modeling?

SNMP (B)

What is the recommended type of certificate to use for EAP and EAP-TLS in FortiNAC?

SAN certificate (B)

Which component of FortiNAC is responsible for providing standard visibility with limited control features?

FortiNAC Base (C)

What feature is specifically included in FortiNAC Pro but not in FortiNAC Plus or FortiNAC Base?

Real-time endpoint visibility (C)

Which license type of FortiNAC is recommended for comprehensive Zero Trust Access (ZTA) features?

FortiNAC Pro (D)

What is the responsibility of the FortiNAC Control Manager?

Global version control and scalability (B)

Which method does FortiNAC commonly use to communicate with infrastructure devices for data collection and management?

SNMP (D)

In what way does FortiAnalyzer support the FortiNAC deployment?

Centralized logging (A)

Which component is considered the only required component while configuring and deploying FortiNAC?

NCAS (B)

What does FortiNAC Plus offer beyond the features provided by FortiNAC Base?

"Advanced NAC Controls such as endpoint compliance" (D)

What happens if no filter is matched in the security alert parsing process?

The process exits and nothing occurs (B)

In the FortiNAC network access workflow, how does the system determine if a device is compliant?

Using information gathered from agents or MDM (B)

What is the role of a security trigger in the FortiNAC system?

To activate one or more filters (A)

How do user and/or host profiles impact the security alarm creation process in FortiNAC?

They define different workflows for endpoints (C)

What determines if a security alarm is created in the FortiNAC system?

Matching of one or more filters within a defined period (D)

What types of activities can be included in the actions of a security rule in FortiNAC?

Multiple activities including notification, network access, and script execution (C)

What is the purpose of FortiNAC using DHCP fingerprinting?

To identify connected devices and gain enhanced visibility (B)

In a FortiNAC deployment, what is the main task carried out during the Management Configuration stage?

Licensing, configuring management interfaces, and SSL Certificates setup (A)

What is required by FortiNAC to model devices in the network during the Network Modelling stage?

ICMP and SNMP connectivity to the devices (A)

Which statement accurately describes the Device Onboarding stage in FortiNAC?

Devices are profiled and registered based on policy configuration (D)

What is the main focus of Policy Configuration in a FortiNAC deployment?

Assigning different access levels based on device profiles and compliance (B)

In FortiNAC, what is the function of ETH1 interface?

'Service or Application' interface for selected applications (B)

Why should labels of DHCP scopes in FortiNAC not begin with reserved strings like 'AUTH' or 'DE'?

'AUTH' and 'DE' are used for system reserved functions (A)

What does FortiNAC need from network devices to gather information and maintain control?

'Read-Write' SNMP and full SSH access (A)

What is recommended for LDAP access in FortiNAC?

'Service-Account' without administrator privileges (D)

Which statement accurately describes FortiNAC's SSL Certificates usage?

FortiNAC can use SSL certificates issued by both internal private or public Certificate Authorities. (B)

What triggers Layer-2 data polling for device detection in FortiNAC?

All of the above (D)

How is a host record populated in FortiNAC after Layer-3 data polling?

With MAC-address and IP-address (B)

In FortiNAC, what occurs if both the 'If Host State is' and 'And System Group Membership is' conditions in the same row are true?

Host moves to the Registration captive network (B)

What triggers Layer-2 data polling in FortiNAC for slow detection?

Scheduled tasks (D)

How does FortiNAC simplify network policy management through Logical Networks?

By mapping different logical networks to individual devices (C)

What information is critical for some FortiNAC capabilities that is obtained through Layer-3 data polling?

MAC-address to IP-address correlation (C)

When are AP (Access Point) values designated in FortiNAC?

In Logical Network configuration (D)

What triggers real-time Layer-2 data polling in FortiNAC when devices connect or disconnect from edge devices?

'Linkup', 'WarmStart', 'ColdStart', and 'Linkdown' traps (D)

What are the methods used to evaluate connected rogue devices in FortiNAC?

Device profiling rules (B)

In FortiNAC, what settings can be leveraged for policy enforcement?

Classification settings (D)

How does FortiNAC handle user self-registration?

With an authentication VLAN (C)

What is presented to a rogue host isolated to the registration captive network in FortiNAC?

A registration page (C)

Which authentication method will take precedence in FortiNAC?

Local user database (D)

What happens when a host is isolated on a wired port in FortiNAC?

The host's link is dropped (B)

What is the purpose of the captive portal in FortiNAC?

To present additional information to hosts (D)

How does FortiNAC ensure rogue hosts resolve domain names to its interface?

"root.hint" files on FortiNAC (C)

Which component manages RADIUS connections in FortiNAC's local service?

"MAB, EAP-TLS, and PEAP" (D)

What are the two main components that compose a security policy according to the text?

Profile and Configuration (C)

Which of the following is NOT one of the agent types supported by FortiNAC?

Dynamic agent (D)

What is the purpose of the dissolvable agent in FortiNAC?

To dissolve after completing its task (B)

How can FortiNAC gather application and compliance information?

By integrating with MDMs supporting application gathering or using FortiNAC agents (C)

Which of the following is NOT a function supported by FortiNAC agents?

Network access configuration (B)

What determines the level of network access a user should be granted in FortiNAC?

The compliance information collected from the endpoint (C)

What is the primary purpose of a filter in FortiNAC security rules?

To set criteria for evaluation (C)

How does FortiNAC apply security policies when a match is identified?

It applies the highest ranked security policy for each type that matches. (B)