Question 6 of 30

Refer to the exhibit.

Which port group membership should you enable on FortiNAC to isolate rogue hosts?

    Correct Answer: B

    On FortiNAC, to isolate rogue hosts, the 'Forced Registration' port group membership should be enabled. The Forced Registration port group moves unregistered rogue hosts to the Registration VLAN, effectively isolating them from the rest of the network for further actions, such as registration or additional security checks.

Question 7 of 30

Which statement is true about disabled hosts on FortiNAC?

    Correct Answer: D

    Disabled hosts in FortiNAC are placed in the dead end VLAN. This VLAN is specifically used to isolate devices that have been disabled for one reason or another, preventing them from interacting with the network or accessing any resources. This ensures that disabled hosts are cut off from the network and cannot cause security issues.

Question 8 of 30

Refer to the exhibits.

Which statement is true about the configuration shown in the exhibit?

    Correct Answer: A

    The domain that FortiClient is connecting to should match the domain to which the certificate is issued. This is standard practice in SSL/TLS connections to ensure the authenticity and integrity of the connection. FortiClient validates certificates by checking whether the Fully Qualified Domain Name (FQDN) or domain matches the domain on the certificate. This helps prevent man-in-the-middle attacks by ensuring that the client is communicating with the intended server.

Question 9 of 30

Which factor is a prerequisite on FortiNAC to add a Layer 3 router to its inventory?

    Correct Answer: D

    To add a Layer 3 router to FortiNAC's inventory, it is necessary to have SNMP or CLI access to the router. This access allows FortiNAC to carry out remote tasks such as manual polling, scheduled tasks, and receiving link traps effectively, ensuring proper communication and management of the device.

Question 10 of 30

Which statement is true about FortiClient EMS in a ZTNA deployment?

    Correct Answer: A

    FortiClient EMS in a ZTNA deployment uses endpoint information to grant or deny access to the network. This is a key function in Zero Trust Network Access (ZTNA) as it verifies the security posture and identity of endpoints before granting access to resources, ensuring that only compliant and secure devices can connect to the network.