NSE7_OTS-7.2 Exam Dumps - Fortinet NSE 7 - OT Security 7.2

Question # 4

Refer to the exhibit.

An OT administrator ran a report to identify device inventory in an OT network.

Based on the report results, which report was run?

A FortiSIEM CMDB report

A FortiAnalyzer device report

A FortiSIEM incident report

A FortiSIEM analytics report

Full Access

Question # 5

Which type of attack posed by skilled and malicious users of security level 4 (SL 4) of IEC 62443 is designed to defend against intentional attacks?

Users with access to moderate resources

Users with low access to resources

Users with unintentional operator error

Users with substantial resources

Full Access

Question # 6

An OT administrator is defining an incident notification policy using FortiSIEM and would like to configure the system with a notification policy. If an incident occurs, the administrator would like to be able to intervene and block an IP address or disable a user in Active Directory from FortiSIEM.

Which step must the administrator take to achieve this task?

Configure a fabric connector with a notification policy on FortiSIEM to connect with FortiGate.

Create a notification policy and define a script/remediation on FortiSIEM.

Define a script/remediation on FortiManager and enable a notification rule on FortiSIEM.

Deploy a mitigation script on Active Directory and create a notification policy on FortiSIEM.

Full Access

Question # 7

Which two statements are true when you deploy FortiGate as an offline IDS? (Choose two.)

FortiGate receives traffic from configured port mirroring.

Network traffic goes through FortiGate.

FortiGate acts as network sensor.

Network attacks can be detected and blocked.

Full Access

Question # 8

Refer to the exhibit.

In order for a FortiGate device to act as router on a stick, what configuration must an OT network architect implement on FortiGate to achieve inter-VLAN routing?

Set a unique forward domain on each interface on the network.

Set FortiGate to operate in transparent mode.

Set a software switch on FortiGate to handle inter-VLAN traffic.

Set a FortiGate interface with the switch to operate as an 802.1 q trunk.

Full Access

Question # 9

An OT network architect must deploy a solution to protect fuel pumps in an industrial remote network. All the fuel pumps must be closely monitored from the corporate network for any temperature fluctuations.

How can the OT network architect achieve this goal?

Configure a fuel server on the remote network, and deploy a FortiSIEM with a single pattern temperature security rule on the corporate network.

Configure a fuel server on the corporate network, and deploy a FortiSIEM with a single pattern temperature performance rule on the remote network.

Configure a fuel server on the remote network, and deploy a FortiSIEM with a single pattern temperature performance rule on the corporate network.

Configure both fuel server and FortiSIEM with a single-pattern temperature performance rule on the corporate network.

Full Access

Question # 10

Which three common breach points can be found in a typical OT environment? (Choose three.)

Global hat

Hard hat

VLAN exploits

Black hat

RTU exploits

Full Access

Question # 11

With the limit of using one firewall device, the administrator enables multi-VDOM on FortiGate to provide independent multiple security domains to each ICS network. Which statement ensures security protection is in place for all ICS networks?

Each traffic VDOM must have a direct connection to FortiGuard services to receive the required security updates.

The management VDOM must have access to all global security services.

Each VDOM must have an independent security license.

Traffic between VDOMs must pass through the physical interfaces of FortiGate to check for security incidents.

Full Access

Question # 12

Refer to the exhibit.

You are navigating through FortiSIEM in an OT network.

How do you view information presented in the exhibit and what does the FortiGate device security status tell you?

In the PCI logging dashboard and there are one or more high-severity security incidents for the FortiGate device.

In the summary dashboard and there are one or more high-severity security incidents for the FortiGate device.

In the widget dashboard and there are one or more high-severity incidents for the FortiGate device.

In the business service dashboard and there are one or more high-severity security incidents for the FortiGate device.

Full Access

Question # 13

Refer to the exhibits.

Which statement about some of the generated report elements from FortiAnalyzer is true?

The report confirms Modbus and IEC 104 are the key applications crossing the network.

FortiGate collects the logs and generates the report to FortiAnalyzer.

The file types confirm the infected applications on the PLCs.

This report is predefined and is not available for customization.

Full Access

Question # 14

As an OT network administrator, you are managing three FortiGate devices that each protect different levels on the Purdue model. To increase traffic visibility, you are required to implement additional security measures to detect exploits that affect PLCs.

Which security sensor must implement to detect these types of industrial exploits?

Intrusion prevention system (IPS)

Deep packet inspection (DPI)

Antivirus inspection

Application control

Full Access

Question # 15

Which three Fortinet products can you use for device identification in an OT industrial control system (ICS)? (Choose three.)

FortiSIEM

FortiManager

FortiAnalyzer

FortiGate

FortiNAC

Full Access

Question # 16

What triggers Layer 2 polling of infrastructure devices connected in the network?

A failed Layer 3 poll

A matched security policy

A matched profiling rule

A linkup or linkdown trap

Full Access

Question # 17

Refer to the exhibit.

An OT network security audit concluded that the application sensor requires changes to ensure the correct security action is committed against the overrides filters.

Which change must the OT network administrator make?

Set all application categories to apply default actions.

Change the security action of the industrial category to monitor.

Set the priority of the C.BO.NA.1 signature override to 1.

Remove IEC.60870.5.104 Information.Transfer from the first filter override.

Full Access

Answer:

Explanation:

According to the Fortinet NSE 7 - OT Security 6.4 exam guide1, the application sensor settings allow you to configure the security action for each application category andnetwork protocol override. The security action determines how the FortiGate unit handles traffic that matches the application category or network protocol override. The security action can be one of the following:

Allow: The FortiGate unit allows the traffic without any further inspection.
Monitor: The FortiGate unit allows the traffic and logs it for monitoring purposes.
Block: The FortiGate unit blocks the traffic and logs it as an attack.

The priority of the network protocol override determines the order in which the FortiGate unit applies the security action to the traffic. The lower the priority number, the higher the priority. For example, a priority of 1 is higher than a priority of 10.

In the exhibit, the application sensor has the following settings:

The industrial category has a security action of allow, which means that the FortiGate unit will not inspect or log any traffic that belongs to this category.
The IEC.60870.5.104 Information.Transfer network protocol override has a security action of block, which means that the FortiGate unit will block and log any traffic that matches this protocol.
The IEC.60870.5.104 Control.Functions network protocol override has a security action of monitor, which means that the FortiGate unit will allow and log any traffic that matches this protocol.
The IEC.60870.5.104 Start/Stop network protocol override has a security action of allow, which means that the FortiGate unit will not inspect or log any traffic that matches this protocol.
The IEC.60870.5.104 Transfer.C.BO.NA.1 network protocol override has a security action of block, which means that the FortiGate unit will block and log any traffic that matches this protocol.

The problem with these settings is that the IEC.60870.5.104 Transfer.C.BO.NA.1 network protocol override has a lower priority than the IEC.60870.5.104 Information.Transfer network protocol override. This means that if the traffic matches both protocols, the FortiGate unit will apply the security action of the higher priority override, which is block. However, the IEC.60870.5.104 Transfer.C.BO.NA.1 protocol is used to transfer binary outputs, which are essential for controlling OT devices. Therefore, blocking this protocol could have negative consequences for the OT network.

To fix this issue, the OT network administrator must set the priority of the IEC.60870.5.104 Transfer.C.BO.NA.1 network protocol override to 1, which is higher than the priority of the IEC.60870.5.104 Information.Transfer network protocol override. This way, the FortiGate unit will apply the security action of the lower priority override, which is allow, to the traffic that matches both protocols. This will ensure that the FortiGate unit does not block the traffic that is used to transfer binary outputs, while still blocking the traffic that is used to transfer information.

1:Â NSE 7 Network Security Architect - Fortinet

Question # 18

In a wireless network integration, how does FortiNAC obtain connecting MAC address information?

RADIUS

Link traps

End station traffic monitoring

MAC notification traps

Full Access