NSE7 OT Security 6.4

Question 1

What are two benefits of a Nozomi integration with FortiNAC?

Answer 1

C. Adapter consolidation for multi-adapter hosts
D. Importation and classification of hosts

Question 2

Which three criteria can a FortiGate device use to look for a matching firewall policy to process traffic? (Choose three.)

Answer 2

A. Services defined in the firewall policy.
B. Source defined as internet services in the firewall policy
D. Destination defined as internet services in the firewall policy

Question 3

PH DEV MON

Answer 3

C. This is a sample of a PAM event type.
All performance events have the prefix of PH DEV MON, which means a device monitoring event, or, put another way, an event derived from a performance monitoring poll.

Question 4

Which three Fortinet products can be used for device identification in an OT industrial control system (ICS)? (Choose three.)

Answer 4

A. FortiNAC
FortiSIEM
FortiGate

Question 5

In the topology shown in the exhibit, both PLCs can communicate directly with each other, without going through the firewall.
Which statement about the topology is true?

Answer 5

D. There is no micro-segmentation in this topology.

Question 6

In a wireless network integration, how does FortiNAC obtain connecting MAC address information?

Answer 6

A. RADIUS

Question 7

Which three common breach points can be found in a typical OT environment? (Choose three.)

Answer 7

B. Hard hat
D. Black hat
E. RTU exploits

Question 8

You are navigating through FortiSIEM in an OT network.
How do you view information presented in the exhibit and what does the FortiGate device security status tell you?

Answer 8

B. In the summary dashboard and there are one or more high-severity security incidents for the FortiGate device.

Question 9

An OT network administrator is trying to implement active authentication.
Which two methods should the administrator use to achieve this? (Choose two.)

Answer 9

A. Two-factor authentication on FortiAuthenticator
D. Local authentication on FortiGate

Question 10

An OT administrator ran a report to identify device inventory in an OT network.
Based on the report results, which report was run?

Answer 10

A. A FortiSIEM CMDB report

Question 11

An OT administrator deployed many devices to secure the OT network. However, the SOC team is reporting that there are too many alerts, and that many of the alerts are false positive. The OT administrator would like to find a solution that eliminates repetitive tasks, improves efficiency, saves time, and saves resources.
Which products should the administrator deploy to address these issues and automate most of the manual tasks done by the SOC team?

Answer 11

C. FortiSOAR and FortiSIEM

Question 12

You need to configure VPN user access for supervisors at the breach and HQ sites using the same soft FortiToken. Each site has a FortiGate VPN gateway.
What must you do to achieve this objective?

Answer 12

A. You must use a FortiAuthenticator.

Question 13

An OT supervisor has configured LDAP and FSSO for the authentication. The goal is that all the users be authenticated against passive authentication first and, if passive authentication is not successful, then users should be challenged with active authentication.
What should the OT supervisor do to achieve this on FortiGate?

Answer 13

C. Configure a firewall policy with FSSO users and place it on the top of list of firewall policies.

Question 14

An OT network architect needs to secure control area zones with a single network access policy to provision devices to any number of different networks.
On which device can this be accomplished?

Answer 14

D. FortiNAC

Question 15

Based on the topology designed by the OT architect, which two statements about implementing OT security are true? (Choose two.)

Answer 15

A. Firewall policies should be configured on FortiGate-3 and FortiGate-4 with industrial protocol sensors.
C. IT and OT networks are separated by segmentation.

Question 16

Which three methods of communication are used by FortiNAC to gather visibility information? (Choose three.)

Answer 16

A. SNMP
C. API
D. RADIUS

Question 17

An OT architect has deployed a Layer 2 switch in the OT network at Level 1 the Purdue model-process control. The purpose of the Layer 2 switch is to segment traffic between PLC1 and PLC2 with two VLANs. All the traffic between PLC1 and PLC2 must first flow through the Layer 2 switch and then through the FortiGate device in the Level 2 supervisory control network.
What statement about the traffic between PLC1 and PLC2 is true?

Answer 17

C. PLC1 and PLC2 traffic must flow through the Layer-2 switch trunk link to the FortiGate device.

Question 18

An OT administrator is defining an incident notification policy using FortiSIEM and would like to configure the system with a notification policy. If an incident occurs, the administrator would like to be able to intervene and block an IP address or disable a user in Active Directory from FortiSIEM.
Which step must the administrator take to achieve this task?

Answer 18

B. Create a notification policy and define a script/remediation on FortiSIEM.

Question 19

When you create a user or host profile, which three criteria can you use? (Choose three.)

Answer 19

A. Host or user group memberships
D. Location
E. Host or user attributes

Question 20

An administrator needs to implement proper protection on the OT network.
Which three steps should an administrator take to protect the OT network? (Choose three.)

Answer 20

B. Deploy a FortiGate device within each ICS network.
D. Configure firewall policies with industrial protocol sensors
E. Use segmentation

Question 21

An OT administrator has configured FSSO and local firewall authentication. A user who is part of a user group is not prompted from credentials during authentication.
What is a possible reason?

Answer 21

A. FortiGate determined the user by passive authentication

Question 22

Given the configurations on the FortiGate, which statement is true?

Answer 22

A. FortiGate is configured with forward-domains to reduce unnecessary traffic.

Question 23

An administrator wants to use FortiSoC and SOAR features on a FortiAnalyzer device to detect and block any unauthorized access to FortiGate devices in an OT network.
Which two statements about FortiSoC and SOAR features on FortiAnalyzer are true? (Choose two.)

Answer 23

A. You must set correct operator in event handler to trigger an event.
B. You can automate SOC tasks through playbooks.

Question 24

You are investigating a series of incidents that occurred in the OT network over past 24 hours in FortiSIEM.
Which three FortiSIEM options can you use to investigate these incidents? (Choose three.)

Answer 24

C. List
D. Risk
E. Overview

Question 25

When device profiling rules are enabled, which devices connected on the network are evaluated by the device profiling rules?

Answer 25

C. Rogue devices, only when they connect for the first time

Question 26

What two advantages does FortiNAC provide in the OT network? (Choose two.)

Answer 26

A. It can be used for IoT device detection.
D. It can be used for device profiling.

Question 27

What triggers Layer 2 polling of infrastructure devices connected in the network?

Answer 27

D. A linkup or linkdown trap

Question 28

An OT administrator configured and ran a default application risk and control report in FortiAnalyzer to learn more about the key application crossing the network.
However, the report output is empty despite the fact that some related real-time and historical logs are visible in the FortiAnalyzer.
What are two possible reasons why the report output was empty? (Choose two.)

Answer 28

B. The administrator selected the wrong time period for the report.
C. The administrator selected the wrong devices in the Devices section.

Question 29

An OT supervisor needs to protect their network by implementing security with an industrial signature database on the FortiGate device.
Which statement about the industrial signature database on FortiGate is true?

Answer 29

D. A supervisor can enable it through the FortiGate CLI.
Config IPS global

Question 30

Based on the Purdue model, which three measures can be implemented in the control area zone using the Fortinet Security Fabric? (Choose three.)

Answer 30

B. FortiGate for application control and IPS
C. FortiNAC for network access control
E. FortiEDR for endpoint detection

Question 31

What can be assigned using network access control policies?

Answer 31

C. Logical networks

Question 32

As an OT administrator, it is important to understand how industrial protocols work in an OT network.
Which communication method is used by the Modbus protocol?

Answer 32

D. It uses OSI Layer 2 and the secondary device sends data based on request from primary device.

Question 33

An OT architect has implemented a Modbus TCP with a simulation server Conpot to identify and control the Modus traffic in the OT network. The FortiGate-Edge device is configured with a software switch interface ssw-01.
Based on the topology shown in the exhibit, which two statements about the successful simulation of traffic between client and server are true? (Choose two.)

Answer 33

A. The FortiGate-Edge device must be in NAT mode.
B. NAT is disabled in the FortiGate firewall policy from port3 to ssw-01.

Question 34

An OT network architect must deploy a solution to protect fuel pumps in an industrial remote network. All the fuel pumps must be closely monitored from the corporate network for any temperature fluctuations.
How can the OT network architect achieve this goal?

Answer 34

C. Configure a fuel server on the remote network, and deploy a FortiSIEM with a single pattern temperature performance rule on the corporate network.