[2024年05月]更新のFortinet NSE7_ZTA-7.2試験基本問題には解答が付きます [Q12-Q28]

Share

[2024年05月]更新のFortinet NSE7_ZTA-7.2試験基本問題には解答が付きます

2024年最新の実際に出るFortinet NSE7_ZTA-7.2試験問題集と解答


Fortinet NSE7_ZTA-7.2 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • FortiNAC の構成と管理
  • エンドポイントのコンプライアンスとワークフローの説明
トピック 2
  • FortiAnalyzer プレイブックの構成
  • FortiClient EMS と FortiNAC の統合
トピック 3
  • ZTNA コンポーネントの特定
  • FortiNAC インシデント対応の構成
トピック 4
  • 保護されたリソースへのアクセスを管理
  • 従来の境界ベースのセキュリティ アーキテクチャを定義する

 

質問 # 12
Which three core products are mandatory in the Fortinet ZTNA solution'' {Choose three.)

  • A. FortiClient EMS
  • B. FortiClient
  • C. FortiToken
  • D. FortiAuthenticator
  • E. FortiGate

正解:A、B、E


質問 # 13
Which statement is true about FortiClient EMS in a ZTNA deployment?

  • A. Generates and installs client certificates on managed endpoints
  • B. Acts as ZTNA access proxy for managed endpoints
  • C. Uses endpoint information to grant or deny access to the network
  • D. Provides network and user identity authentication services

正解:C

解説:
In a ZTNA (Zero Trust Network Access) deployment, FortiClient EMS:
A: Uses endpoint information to grant or deny access to the network: FortiClient EMS plays a critical role in ZTNA by using information about the endpoint, such as its security posture and compliance status, to determine whether to grant or deny network access.
The other options do not accurately represent the role of FortiClient EMS in ZTNA:
B: Provides network and user identity authentication services: While it contributes to the overall ZTNA strategy, FortiClient EMS itself does not directly provide authentication services.
C; Generates and installs client certificates on managed endpoints: Certificate management is typically handled by other components in the ZTNA framework.
D: Acts as ZTNA access proxy for managed endpoints: FortiClient EMS does not function as an access proxy; its role is more aligned with endpoint management and policy enforcement.
References:
FortiClient EMS in Zero Trust Network Access Deployment.
Role of FortiClient EMS in ZTNA.


質問 # 14
An administrator has to configure LDAP authentication tor ZTNA HTTPS access proxy Which authentication scheme can the administrator apply1?

  • A. Basic
  • B. Form-based
  • C. NTLM
  • D. Digest

正解:B

解説:
LDAP (Lightweight Directory Access Protocol) authentication for ZTNA (Zero Trust Network Access) HTTPS access proxy is effectively implemented using a Form-based authentication scheme. This approach allows for a secure, interactive, and user-friendly means of capturing credentials. Form-based authentication presents a web form to the user, enabling them to enter their credentials (username and password), which are then processed for authentication against the LDAP directory. This method is widely used for web-based applications, making it a suitable choice for HTTPS access proxy setups in a ZTNA framework.References:FortiGate Security 7.2 Study Guide, LDAP Authentication configuration sections.


質問 # 15
Which three statements are true about a persistent agent? (Choose three.)

  • A. Supports advanced custom scans and software inventory.
  • B. Agent is downloaded and run from captive portal
  • C. Deployed by a login/logout script and is not installed on the endpoint
  • D. Can be used for automatic registration and authentication
  • E. Can apply supplicant configuration to a host

正解:A、D、E

解説:
A persistent agent is an application that works on Windows, macOS, or Linux hosts to identify them to FortiNAC Manager and scan them for compliance with an endpoint compliance policy. A persistent agent can support advanced custom scans and software inventory, apply supplicant configuration to a host, and be used for automatic registration and authentication. References := Persistent Agent Persistent Agent on Windows Using the Persistent Agent


質問 # 16
Exhibit.

Which statement is true about the hr endpoint?

  • A. The endpoint is unauthenticated
  • B. The endpoint has been marked at risk
  • C. The endpoint is disabled
  • D. The endpoint is a rogue device

正解:B

解説:
Based on the exhibit showing the status of the hr endpoint, the true statement about this endpoint is:
D: The endpoint has been marked at risk: The "w" next to the host status for the 'hr' endpoint typically denotes a warning, indicating that the system has marked it as at risk due to some security policy violations or other concerns that need to be addressed.
The other options do not align with
the provided symbol "w" in the context of FortiNAC:
A: The endpoint is a rogue device: If the endpoint were rogue, we might expect a different symbol, often indicating a critical status or alarm.
B:The endpoint is disabled: A disabled status is typically indicated by a different icon or status indicator.
C: The endpoint is unauthenticated: An unauthenticated status would also be represented by a different symbol or status indication, not a "w".


質問 # 17
Exhibit.

Which two statements are true about the hr endpoint? (Choose two.)

  • A. The endpoint will be moved to the remediation VLAN
  • B. The endpoint application inventory could not be retrieved
  • C. The endpoint is marked as a rogue device
  • D. The endpoint has failed the compliance scan

正解:C、D

解説:
Based on the exhibit, the true statements about the hr endpoint are:
B: The endpoint is marked as a rogue device: The "w" symbol typically indicates a warning or an at-risk status, which can be associated with an endpoint being marked as rogue due to failing to meet the security compliance requirements or other reasons.
C: The endpoint has failed the compliance scan: The "w" symbol can also signify that the endpoint has failed a compliance scan, which is a common reason for an endpoint to be marked as at risk.


質問 # 18
Exhibit.

An administrator has to provide on-fabric clients with access to FortiAnalyzer using ZTNA tags Which two conditions must be met to achieve this task? (Choose two.)

  • A. The on-fabric client should have FortiGate as its default gateway
  • B. The ZTNA server must be configured on FortiGate
  • C. The IP/MAC based firewall policy must be configured on FortiGate
  • D. The ZTNArule must be configured on FortiClient

正解:A、B

解説:
For on-fabric clients to access FortiAnalyzer using ZTNA tags, the following conditions must be met:
A: The on-fabric client should have FortiGate as its default gateway: This is essential to ensure that all client traffic is routed through FortiGate, where ZTNA policies can be enforced.
B: The ZTNA server must be configured on FortiGate: For ZTNA tags to be effectively used, the ZTNA server, which processes and enforces these tags, must be configured on the FortiGate appliance.
References :=
Configuring ZTNA tags and tagging rules
Synchronizing FortiClient ZTNA tags
FortiAnalyzer
Technical Tip: ZTNA Tags fail to synchronize between FortiClient and FortiGate


質問 # 19
Which factor is a prerequisite on FortiNAC to add a Layer 3 router to its inventory?

  • A. Allow FTP access to the FortiNAC database from the router
  • B. Allow HTTPS access from the router to the FortiNAC ethO IP address
  • C. The router responding to ping requests from the FortiNAC eth1 IP address
  • D. SNMP or CLI access to the router to carry out remote tasks

正解:D

解説:
FortiNAC uses SNMP or CLI to communicate with network devices such as routers and switches. To add a Layer 3 router to its inventory, FortiNAC needs to have SNMP or CLI access to the router to perform remote tasks such as polling, VLAN assignment, and port shutdown. Without SNMP or CLI access, FortiNAC cannot manage the router or its ports. Therefore, SNMP or CLI access is a prerequisite for adding a Layer 3 router to FortiNAC's inventory. References := https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/105927/inventor
https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/344098/l3-polling


質問 # 20
Exhibit.

Which statement is true about the configuration shown in the exhibit?

  • A. default_ZTNARoot CA signs the FortiClient certificate for the SSL connectivity to FortiClient EMS
  • B. The domain that FortiClient is connecting to should match the domain to which the certificate is issued.
  • C. The connection from FortiClient to FortiClient EMS uses TCP and TLS 1.2.
  • D. It the FortiClient EMS server certificate is invalid, FortiClient connects silently.

正解:C

解説:
The exhibit shows the EMS Settings where various configurations related to network security are displayed.
Option C is correct because, in the settings, it is indicated that HTTPS port is used (which operates over TCP) and SSL certificates are involved in securing the connection, implying the use of TLS for encryption and secure communication between FortiClient and FortiClient EMS.
Option A is incorrect because the domain that FortiClient is connecting to does not have to match the domain to which the certificate is issued. The certificate is issued by the ZTNA CA, which is a separate entity from the domain. The certificate only contains the device ID, ZTNA tags, and other information that are used to identify and authenticate the device.
Option B is incorrect because if the FortiClient EMS server certificate is invalid, FortiClient does not connect silently. Instead, it performs the Invalid Certificate Action that is configured in the settings. The Invalid Certificate Action can be set to block, warn, or allow the connection.
Option D is incorrect because default_ZTNARoot CA does not sign the FortiClient certificate for the SSL connectivity to FortiClient EMS. The FortiClient certificate is signed by the ZTNA CA, which is a different certificate authority from default_ZTNARoot CA. default_ZTNARoot CA is the EMS CA Certificate that is used to verify the identity of the EMS server.
References :=
[1]: Technical Tip: ZTNA for Corporate hosts with SAML authentication and FortiAuthenticator as IDP
[2]: Zero Trust Network Access - Fortinet


質問 # 21
Exhibit.

Which port group membership should you enable on FortiNAC to isolate rogue hosts'?

  • A. Forced Authentication
  • B. Forced Remediation
  • C. Reset Forced Registration
  • D. Forced Registration

正解:B

解説:
In FortiNAC, to isolate rogue hosts, you should enable the:
C: Forced Remediation: This port group membership is used to isolate hosts that have been determined to be non-compliant or potentially harmful. It enforces a remediation process on the devices in this group, often by placing them in a separate VLAN or network segment where they have limited or no access to the rest of the network until they are remediated.
The other options are not specifically designed for isolating rogue hosts:
A: Forced Authentication: This is used to require devices to authenticate before gaining network access.
B: Forced Registration: This group is used to ensure that all devices are registered before they are allowed on the network.
D: Reset Forced Registration: This is used to reset the registration status of devices, not to isolate them.


質問 # 22
Which statement is true about disabled hosts on FortiNAC?

  • A. They are quarantined and placed in the remediation VLAN
  • B. They are marked as unregistered rogue devices
  • C. They are placed in the dead end VLAN
  • D. They are placed in the authentication VLAN to reauthenticate

正解:C

解説:
According to the FortiNAC documentation1, disabled hosts are placed in the dead end VLAN, which is a special VLAN that isolates them from the production network. This is done to prevent unauthorized or compromised hosts from accessing network resources or spreading malware. The dead end VLAN must be configured in the AP model or the SSID configuration, and the state must be enforced23. Disabled hosts can be enabled again by the administrator or by reauthenticating through the FortiNAC portal. References := 1:
Enable or disable hosts | FortiNAC 9.4.0 - Fortinet Documentation 2: Technical Tip: Disabled wireless hosts not isolated - FortiNAC 3: Technical Tip: Disabled wired hosts not isolated - FortiNAC


質問 # 23
Which one of the supported communication methods does FortiNAC usefor initial device identification during discovery?

  • A. LLDP
  • B. API
  • C. SNMP
  • D. SSH

正解:C

解説:
FortiNAC uses a variety of methods to identify devices on the network, such as Vendor OUI, DHCP fingerprinting, and device profiling12. One of the supported communication methods that FortiNAC uses for initial device identification during discovery is SNMP (Simple Network Management Protocol)3. SNMP is a protocol that allows network devices to exchange information and monitor their status4. FortiNAC can use SNMP to read information from switches and routers, such as MAC addresses, IP addresses, VLANs, and port status3. SNMP can also be used to configure network devices and enforce policies4. References: 1:
Identification | FortiNAC 9.4.0 - Fortinet Documentation 2: Device profiling process | FortiNAC8.3.0 | Fortinet Document Library 3: Using FortiNAC to identify medical devices - James Pratt 4: How does FortiNAC identify a new device on the network?


質問 # 24
Which three statements are true about zero-trust telemetry compliance1? (Choose three.)

  • A. FortiOS provides network access to the endpoint based on the zero-trust tagging rules
  • B. ZTNA tags are configured in FortiClient,based on criteria such as certificates and the logged in domain
  • C. FortiClient EMS sends the endpoint information received through FortiClient Telemetry to FortiOS
  • D. FortiClient EMS creates dynamic policies using ZTNAtags
  • E. FortiChent checks the endpoint using the ZTNAtags provided by FortiClient EMS

正解:A、D、E

解説:
In the context of zero-trust telemetry compliance, the three true statements are:
A: FortiClient EMS creates dynamic policies using ZTNA tags: FortiClient EMS utilizes ZTNA (Zero Trust Network Access) tags to create dynamic policies based on the telemetry it receives from endpoints.
B: FortiClient checks the endpoint using the ZTNA tags provided by FortiClient EMS: FortiClient on the endpoint uses the ZTNA tags from FortiClient EMS to determine compliance with the specified security policies.
D: FortiOS provides network access to the endpoint based on the zero-trust tagging rules: FortiOS, the operating system running on FortiGate devices, uses the zero-trust tagging rules to make decisions on network access for endpoints.
The other options are not accurate in this context:
C: ZTNA tags are configured in FortiClient, based on criteria such as certificates and the logged-in domain: ZTNA tags are typically configured and managed in FortiClient EMS, not directly in FortiClient.
E: FortiClient EMS sends the endpoint information received through FortiClient Telemetry to FortiOS: While FortiClient EMS does process telemetry data, the direct sending of endpoint information to FortiOS is not typically described in this manner.
References:
Zero Trust Telemetry in Fortinet Solutions.
FortiClient EMS and FortiOS Integration for ZTNA.


質問 # 25
......

合格保証付きのNSE 7 Network Security Architect NSE7_ZTA-7.2試験問題集:https://www.goshiken.com/Fortinet/NSE7_ZTA-7.2-mondaishu.html

NSE7_ZTA-7.2練習テストエンジンで今すぐ使おう32試験問題:https://drive.google.com/open?id=1I-F_Uc7iBHT-2DoyPJP_xtirPL-T7fRh