Fortinet NSE6-FNC-9-1 Exam Questions
Questions for the NSE6-FNC-9-1 were updated on : Nov 23 ,2025
Page 1 out of 4. Viewing questions 1-15 out of 47
Question 1
What causes a host's state to change to "at risk"?
- A. The host has failed an endpoint compliance policy or admin scan.
- B. The logged on user is not found in the Active Directory.
- C. The host has been administratively disabled.
- D. The host is not in the Registered Hosts group.
Answer:
A
Explanation:
Failure – Indicates that the host has failed the scan. This option can also be set manually. When the
status is set to Failure the host is marked "At Risk" for the selected scan.
Reference:
https://docs.fortinet.com/document/fortinac/8.3.0/administration-guide/241168/host-
health-and-scanning
p. 244 of the Study Guide, "A state of at-risk indicates the host has failed a scan. This could be a
compliance scan or an administrative scan."
Question 2
By default, if more than 20 hosts are seen connected on a single port simultaneously, what will
happen to the port?
- A. The port is switched into the Dead-End VLAN.
- B. The port becomes a threshold uplink.
- C. The port is disabled.
- D. The port is added to the Forced Registration group.
Answer:
B
Explanation:
Admin Guide p. 754: Threshold Uplink—The Uplink mode has been set as Dynamic and FortiNAC has
determined that the number of MAC addresses on the port exceeds the System Defined Uplink
count. All hosts read on this port are ignored.
Question 3
When you create a user or host profile; which three criteria can you use? (Choose three.)
- A. An applied access policy
- B. Administrative group membership
- C. Location
- D. Host or user group memberships
- E. Host or user attributes
Answer:
CDE
Explanation:
Fortinac-admin-operations, P. 391
Question 4
Which three circumstances trigger Layer 2 polling of infrastructure devices? (Choose three.)
- A. Manual polling
- B. Scheduled poll timings
- C. A failed Layer 3 poll
- D. A matched security policy
- E. Linkup and Linkdown traps
Answer:
ABE
Question 5
With enforcement for network access policies and at-risk hosts enabled, what will happen if a host
matches a network access policy and has a state of "at risk"?
- A. The host is provisioned based on the default access defined by the point of connection.
- B. The host is provisioned based on the network access policy.
- C. The host is isolated.
- D. The host is administratively disabled.
Answer:
C
Explanation:
https://training.fortinet.com/pluginfile.php/1912463/mod_resource/content/26/FortiNAC_7.2_Stud
y_Guide-Online.pdf C. Page 327 - moved to the quarantine isolation network
Question 6
Refer to the exhibit, and then answer the question below.
Which host is rogue?
- A. 1
- B. 3
- C. 2
- D. 4
Answer:
B
Explanation:
Reference:
https://docs.fortinet.com/document/fortinac/8.6.0/administration-
guide/283146/evaluating-rogue-hosts
Question 7
Where do you look to determine when and why the FortiNAC made an automated network access
change?
- A. The Event view
- B. The Port Changes view
- C. The Connections view
- D. The Admin Auditing view
Answer:
B
Explanation:
Reference:
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/536166/viewing-event-
logs
Study Guide p. 356: Any time FortiNAC changes network access for an endpoint, the change is
documented on the Port Changes view. This provides an administrator with valuable information
when validating control configurations and enforcement.
Question 8
Which command line shell and scripting language does FortiNAC use for WinRM?
- A. Linux
- B. Bash
- C. DOS
- D. Powershell
Answer:
D
Explanation:
Open Windows PowerShell or a command prompt. Run the following command to determine if you
already have WinRM over HTTPS configured.
Reference:
https://docs.fortinet.com/document/fortinac/8.7.0/administration-guide/246310/winrm-
device-profile-requirements-and-setup
Admin Guide on p. 362, "Matches if the device successfully responds to a WinRM client session
request. User name and password credentials are required. If there are multiple credentials, each set
of credentials will be attempted to find a potential match. The commands are used to automate
interaction with the device. Each command is run via Powershell."
Question 9
What would happen if a port was placed in both the Forced Registration and the Forced Remediation
port groups?
- A. Only rogue hosts would be impacted.
- B. Both enforcement groups cannot contain the same port.
- C. Only al-risk hosts would be impacted.
- D. Both types of enforcement would be applied.
Answer:
B
Explanation:
Reference:
https://docs.fortinet.com/document/fortinac/8.3.0/administration-
guide/837785/system-groups
Question 10
Which two of the following are required for endpoint compliance monitors? (Choose two.)
- A. Persistent agent
- B. Logged on user
- C. Security rule
- D. Custom scan
Answer:
AD
Explanation:
DirectDefense’s analysis of FireEye Endpoint attests that the products help meet the HIPAA Security
Rule.
In the menu on the left click the + sign next to Endpoint Compliance to open it.
Reference:
https://www.fireeye.com/content/dam/fireeye-www/products/pdfs/cg-pci-and-hipaa-
compliances.pdf
https://docs.fortinet.com/document/fortinac/8.5.2/administration-guide/92047/add-or-modify-a-
scan
Question 11
In which view would you find who made modifications to a Group?
- A. The Event Management view
- B. The Security Events view
- C. The Alarms view
- D. The Admin Auditing view
Answer:
D
Explanation:
It’s important to audit Group Policy changes in order to determine the details of changes made to
Group Policies by delegated users.
Reference:
https://www.lepide.com/how-to/audit-chnages-made-to-group-policy-objects.html
Question 12
Which three of the following are components of a security rule? (Choose three.)
- A. Security String
- B. Methods
- C. Action
- D. User or host profile
- E. Trigger
Answer:
CDE
Explanation:
Reference:
https://docs.fortinet.com/document/fortinac/8.8.0/administration-guide/167668/add-
or-modify-a-rule
Question 13
Where are logical network values defined?
- A. In the model configuration view of each infrastructure device
- B. In the port properties view of each port
- C. On the profiled devices view
- D. In the security and access field of each host record
Answer:
A
Explanation:
Reference:
https://www.sciencedirect.com/topics/computer-science/logical-network
Question 14
What would occur if both an unknown (rogue) device and a known (trusted) device simultaneously
appeared on a port that is a member of the Forced Registration port group?
- A. The port would be provisioned for the normal state host, and both hosts would have access to that VLAN.
- B. The port would not be managed, and an event would be generated.
- C. The port would be provisioned to the registration network, and both hosts would be isolated.
- D. The port would be administratively shut down.
Answer:
C
Question 15
What agent is required in order to detect an added USB drive?
- A. Persistent
- B. Dissolvable
- C. Mobile
- D. Passive
Answer:
A
Explanation:
Expand the Persistent Agent folder. Select USB Detection from the tree.
Reference:
https://docs.fortinet.com/document/fortinac/8.5.2/administration-guide/814147/usb-
detection
1. Click System > Settings.
2. Expand the Persistent Agent folder.
3. Select USB Detection from the tree.
4. Click Add or select an existing USB drive and click Modify.