Practice Free NSE7_ZTA-7.2 Exam Online Questions

Question #1

Exhibit.

Which statement is true about the hr endpoint?

A . The endpoint is a rogue device
B . The endpoint is disabled
C . The endpoint is unauthenticated
D . The endpoint has been marked at risk

Reveal Solution Hide Solution

Question #2

Which two statements are true regarding certificate-based authentication for ZTNA deployment? (Choose two.)

A . FortiGate signs the client certificate submitted by FortiClient.
B . The default action for empty certificates is block
C . Certificate actions can be configured only on the FortiGate CLI
D . Client certificate configuration is a mandatory component for ZTNA

Reveal Solution Hide Solution

Question #3

Which statement is true regarding a FortiClient quarantine using FortiAnalyzer playbooks?

A . FortiGate sends a notification to FortiClient EMS to quarantine the endpoint
B . FortiAnalyzer discovers malicious activity in the logs and notifies FortiGate
C . FortiAnalyzer sends an API to FortiClient EMS to quarantine the endpoint
D . FortiClient sends logs to FortiAnalyzer

Reveal Solution Hide Solution

Question #4

Exhibit.

Which port group membership should you enable on FortiNAC to isolate rogue hosts’?

A . Forced Authentication
B . Forced Registration
C . Forced Remediation
D . Reset Forced Registration

Reveal Solution Hide Solution

Question #5

What are two functions of NGFW in a ZTA deployment? (Choose two.)

A . Acts as segmentation gateway
B . Endpoint vulnerability management
C . Device discovery and profiling
D . Packet Inspection

Reveal Solution Hide Solution

Correct Answer: A C
A C

Explanation:

NGFW stands for Next-Generation Firewall, which is a network security device that provides advanced features beyond the traditional firewall, such as application awareness, identity awareness, threat prevention, and integration with other security tools. ZTA stands for Zero Trust Architecture, which is a security model that requires strict verification of the identity and context of every request before granting access to network resources. ZTA assumes that no device or user can be trusted by default, even if they are connected to a corporate network or have been previously verified.

In a ZTA deployment, NGFW can perform two functions:

Acts as segmentation gateway: NGFW can act as a segmentation gateway, which is a device that separates different segments of the network based on security policies and rules. Segmentation can help isolate and protect sensitive data and applications from unauthorized or malicious access, as well as reduce the attack surface and contain the impact of a breach. NGFW can enforce granular segmentation policies based on the identity and context of the devices and users, as well as the applications and services they are accessing. NGFW can also integrate with other segmentation tools, such as software-defined networking (SDN) and microsegmentation, to provide a consistent and dynamic segmentation across the network.

Device discovery and profiling: NGFW can also perform device discovery and profiling, which are processes that identify and classify the devices that are connected to the network, as well as their attributes and behaviors. Device discovery and profiling can help NGFW to apply the appropriate security policies and rules based on the device type, role, location, health, and activity. Device discovery and profiling can also help NGFW to detect and respond to anomalous or malicious devices that may pose a threat to the network.

Reference: =

What is a Next-Generation Firewall (NGFW)? | Fortinet: What is Zero Trust Network Access (ZTNA)? | Fortinet: Zero Trust Architecture Explained: A Step-by-Step Approach: The Most Common NGFW Deployment Scenarios: Sample Configuration for Post vWAN Deployment

Question #6

What are the three core principles of ZTA? (Choose three.)

A . Verity
B . Be compliant
C . Certify
D . Minimal access
E . Assume breach

Reveal Solution Hide Solution

Correct Answer: A D E
A D E

Explanation:

Zero Trust Architecture (ZTA) is a security model that follows the philosophy of “never trust, always verify” and does not assume any implicit trust for any entity within or outside the network perimeter. ZTA is based on a set of core principles that guide its implementation and operation.

According to the NIST SP 800-207, the three core principles of ZTA are:

A) Verify and authenticate. This principle emphasizes the importance of strong identification and authentication for all types of principals, including users, devices, and machines. ZTA requires continuous verification of identities and authentication status throughout a session, ideally on each request. It does not rely solely on traditional network location or controls. This includes implementing modern strong multi-factor authentication (MFA) and evaluating additional environmental and contextual signals during authentication processes.

D) Least privilege access. This principle involves granting principals the minimum level of access required to perform their tasks. By adopting the principle of least privilege access, organizations can enforce granular access controls, so that principals have access only to the resources necessary to

fulfill their roles and responsibilities. This includes implementing just-in-time access provisioning, role-based access controls (RBAC), and regular access reviews to minimize the surface area and the risk of unauthorized access.

E) Assume breach. This principle assumes that the network is always compromised and that attackers can exploit any vulnerability or weakness. Therefore, ZTA adopts a proactive and defensive posture that aims to prevent, detect, and respond to threats in real-time. This includes implementing micro-segmentation, end-to-end encryption, and continuous monitoring and analytics to restrict unnecessary pathways, protect sensitive data, and identify anomalies and potential security events.

Reference:

1: Understanding Zero Trust principles – AWS Prescriptive Guidance

2: Zero Trust Architecture – NIST

Question #7

Which three core products are mandatory in the Fortinet ZTNA solution” {Choose three.)

A . FortiClient EMS
B . FortiClient
C . FortiToken
D . FortiGate
E . FortiAuthenticator

Reveal Solution Hide Solution

Question #8

An administrator is trying to create a separate web tittering profile for off-fabric and on-fabric clients and push it to managed FortiClient devices

Where can you enable this feature on FortiClient EMS?

A . Endpoint policy
B . ZTNA connection rules
C . System settings
D . On-fabric rule sets

Reveal Solution Hide Solution

Question #9

Which statement is true about FortiClient EMS in a ZTNA deployment?

A . Uses endpoint information to grant or deny access to the network
B . Provides network and user identity authentication services
C . Generates and installs client certificates on managed endpoints
D . Acts as ZTNA access proxy for managed endpoints

Reveal Solution Hide Solution

Exams