User/host profiles are used to map sets of hosts and users to different types of policies or rules on FortiNAC. Among the options given, network access and endpoint compliance are the two types of configuration that can be associated with a user/host profile. Network access configuration determines the VLAN, CLI configuration or VPN group that is assigned to a host or user based on their profile. Endpoint compliance configuration defines the policies that checkthe host or user for compliance status, such as antivirus, firewall, patch level, etc. Service connectors and inventory are not types of configuration, but features of FortiNAC that allow integration with other services and devices, and collection of host and user data, respectively. References := User/host profiles | FortiNAC 9.4.0 - Fortinet Documentation and User/host profiles | FortiNAC 9.4.0 - Fortinet Documentation

Fortinet ZTNA solution is a zero-trust network access approach that provides secure and granular access to applications hosted anywhere, for users working from anywhere. The three core products that are mandatory in the Fortinet ZTNA solution are:

• FortiClient EMS: This is the central management console that orchestrates the ZTNA policies and provides visibility and control over the endpoints and devices. It also integrates with FortiAuthenticator for identity verification and FortiAnalyzer for reporting and analytics.
• FortiClient: This is the endpoint agent that supports ZTNA, VPN, endpoint protection, and vulnerability scanning. It establishes encrypted tunnels with the ZTNA proxy on the FortiGate and provides device posture and single sign-on (SSO) capabilities.
• FortiGate: This is the next-generation firewall that acts as the ZTNA proxy and enforces the ZTNA policies based on user identity, device posture, and application context. It also provides security inspection and threat prevention for the ZTNA traffic.

References := Zero Trust Network Access (ZTNA) - Fortinet, Zero-Trust Network Access Solution | Fortinet, and Fortinet ZTNA | Fortinet Case Study.

 A persistent agent is an application that works on Windows, macOS, or Linux hosts to identify them to FortiNAC Manager and scan them for compliance with an endpoint compliance policy. A persistent agent can support advanced custom scans and software inventory, apply supplicant configuration to a host, and be used for automatic registration and authentication. References :=

• Persistent Agent
• Persistent Agent on Windows
• Using the Persistent Agent

 Based on the exhibit, the true statements about the hr endpoint are:

• B. The endpoint is marked as a rogue device: The "w" symbol typically indicates a warning or an at-risk status, which can be associated with an endpoint being marked as rogue due to failing to meet the security compliance requirements or other reasons.
• C. The endpoint has failed the compliance scan: The "w" symbol can also signify that the endpoint has failed a compliance scan, which is a common reason for an endpoint to be marked as at risk.

 Certificate-based authentication is a method of verifying the identity of a device or user by using a digital certificate issued by a trusted authority. For ZTNA deployment, certificate-based authentication is used to ensure that only authorized devices and users can access the protected applications or resources.

B. The default action for empty certificates is block. This is true because ZTNA requires both device and user verification before granting access. If a device does not have a valid certificate issued by the ZTNA CA, it will be blocked by the ZTNA gateway. This prevents unauthorized or compromised devices from accessing the network.

D. Client certificate configuration is a mandatory component for ZTNA. This is true because ZTNA relies on client certificates to identify and authenticate devices. Client certificates are generated by the ZTNA CA and contain the device ID, ZTNA tags, and other information. Client certificates are distributed to devices by the ZTNA management server (such as EMS) and are used to establish a secure connection with the ZTNA gateway.

A. FortiGate signs the client certificate submitted by FortiClient. This is false because FortiGate does not sign the client certificates. The client certificates are signed by the ZTNA CA, which is a separate entity from FortiGate. FortiGate only verifies the client certificates and performs certificate actions based on the ZTNA tags.

C. Certificate actions can be configured only on the FortiGate CLI. This is false because certificate actions can be configured on both the FortiGate GUI and CLI. Certificate actions are the actions that FortiGate takes based on the ZTNA tags in the client certificates. For example, FortiGate can allow, block, or redirect traffic based on the ZTNA tags.

References :=

• 1: Technical Tip: ZTNA for Corporate hosts with SAML authentication and FortiAuthenticator as IDP
• 2: Zero Trust Network Access - Fortinet