90 Exam Questions for NSE7_OTS-7.2 Updated Versions With Test Engine
Pass NSE7_OTS-7.2 Exam with Updated NSE7_OTS-7.2 Exam Dumps PDF 2026
NEW QUESTION # 25
Refer to the exhibit. The network topology in the exhibit shows FortiGate devices as well as FortiAnalyzer and FortiSIEM for the OT network.
Which two steps must you take to configure logging on the OT network'? (Choose two.)
- A. Configure FortiAnalyzer to send security events to FortiSIEM.
- B. Configure FortiGate and FortiAnalyzer to send industrial signature patterns to FortiSIEM.
- C. Configure FortiSIEM to send logs and alerts to FortiAnalyzer.
- D. Configure FortiGate to send logs to FortiAnalyzer and FortiSIEM.
Answer: A,D
Explanation:
FortiGates must forward their logs directly to both FortiAnalyzer and FortiSIEM for storage and correlation. FortiAnalyzer then forwards relevant security events to FortiSIEM, enabling centralized analytics across OT devices.
NEW QUESTION # 26
Refer to the exhibit.
PLC-3 and CLIENT can send traffic to PLC-1 and PLC-2. FGT-2 has only one software switch (SSW-1) connecting both PLC-3 and CLIENT. PLC-3 and CLIENT cannot send traffic to each other.
Which two statements about the traffic between PCL-1 and PLC-2 are true? (Choose two.)
- A. Traffic must be inspected by FGT-EDGE in OT networks.
- B. Micro-segmentation on FGT-2 prevents direct device-to-device communication.
- C. The switch on FGT-2 must be hardware to implement micro-segmentation.
- D. FGT-2 controls intra-VLAN traffic through firewall policies.
Answer: B,D
NEW QUESTION # 27
With the limit of using one firewall device, the administrator enables multi-VDOM on FortiGate to provide independent multiple security domains to each ICS network.
Which statement ensures security protection is in place for all ICS networks?
- A. The management VDOM must have access to all global security services.
- B. Traffic between VDOMs must pass through the physical interfaces of FortiGate to check for security incidents.
- C. Each VDOM must have an independent security license.
- D. Each traffic VDOM must have a direct connection to FortiGuard services to receive the required security updates.
Answer: A
Explanation:
In a multi-VDOM setup, one VDOM typically acts as the management VDOM (often called "root") which manages global settings and security services like FortiGuard updates.
This management VDOM handles access to global security services that benefit all traffic VDOMs.
Individual traffic VDOMs process their own traffic and enforce security policies but rely on the management VDOM for centralized access to global security services.
Each VDOM does not need an independent security license; the license is for the device as a whole.
Traffic between VDOMs does not need to pass through physical interfaces to be inspected; inter- VDOM links and policies handle traffic inspection.
Each VDOM does not require direct FortiGuard connections; this can be centralized in the management VDOM.
NEW QUESTION # 28
Refer to the exhibit.
Which statement is true about application control inspection?
- A. The parent signature takes precedence over the child application signature.
- B. The industrial application control inspection process is unique among application categories.
- C. Security actions cannot be applied on the lowest level of the hierarchy.
- D. You can control security actions only on the parent-level application signature
Answer: D
NEW QUESTION # 29
An OT network consists of multiple FortiGate devices. The edge FortiGate device is deployed as the secure gateway and is only allowing remote operators to access the ICS networks on site.
Management hires a third-party company to conduct health and safety on site. The third-party company must have outbound access to external resources.
As the OT network administrator, what is the best scenario to provide external access to the third-party company while continuing to secure the ICS networks?
- A. Implement an additional firewall using an additional upstream link to the internet.
- B. Split the edge FortiGate device into multiple logical devices to allocate an independent VDOM for the third-party company.
- C. Create VPN tunnels between downstream FortiGate devices and the edge FortiGate to protect ICS network traffic.
- D. Configure outbound security policies with limited active authentication users of the third-party company.
Answer: B
NEW QUESTION # 30
Which three criteria can a FortiGate device use to look for a matching firewall policy to process traffic?
(Choose three.)
- A. Services defined in the firewall policy.
- B. Lowest to highest policy ID number
- C. Destination defined as internet services in the firewall policy
- D. Source defined as internet services in the firewall policy
- E. Highest to lowest priority defined in the firewall policy
Answer: A,C,D
NEW QUESTION # 31
Refer to the exhibit.
Given the configurations on the FortiGate, which statement is true?
- A. FortiGate is configured with forward-domains to forward only company domain website traffic.
- B. FortiGate is configured with forward-domains to filter and drop non-domain controller traffic.
- C. FortiGate is configured with forward-domains to forward only domain controller traffic.
- D. FortiGate is configured with forward-domains to reduce unnecessary traffic.
Answer: D
NEW QUESTION # 32
Refer to the exhibit. Based on the topology designed by the OT architect, which two statements about implementing OT security are true? (Choose two.)
- A. IT and OT networks are separated by segmentation.
- B. FortiGate-3 and FortiGate-4 devices must be in a transparent mode.
- C. Firewall policies should be configured on FortiGate-3 and FortiGate-4 with industrial protocol sensors.
- D. Micro-segmentation can be achieved only by replacing FortiGate-3 and FortiGate-4 with a pair of FortiSwitch devices.
Answer: A,C
NEW QUESTION # 33
Refer to the exhibit. The FGT-Edge device is a VPN gateway that allows remote administrators access to the local ICS network. Management hires a third-party company to conduct health and safety on site. The third-party company must have outbound access to external resources.
What is the best scenario to provide external access to the third-party company while continuing to secure the ICS networks?
- A. Implement an additional firewall using an additional upstream link to the internet.
- B. Split the edge FortiGate device into multiple logical devices to allocate an independent VDOM for the third-party company.
- C. Create VPN tunnels between downstream FortiGate devices and the edge FortiGate to protect ICS network traffic.
- D. Configure outbound security policies with limited active authentication users of the third-party company.
Answer: B
Explanation:
By splitting the edge FortiGate into VDOMs, you isolate the third-party company in its own virtual firewall. That VDOM can have outbound internet policies without exposing or risking the ICS networks protected by the other VDOMs.
NEW QUESTION # 34
Refer to the exhibit. An operational technology (OT) architect has implemented Modbus TCP with a simulation Conpot server to identify and control Modbus traffic in their OT network. The FortiGate-Edge device is configured with a software switch interface, SSW-01.
Based on the topology shown in the exhibit, which two statements must be true for the simulation of traffic between client and server to be successful? (Choose two.)
- A. In the FortiGate firewall policy, NAT must be enabled from port3 to SSW-01
- B. The FortiGate device must be in offline intrusion detection system (IDS) mode
- C. The FortiGate-Edge device must be in network address translation (NAT) operation mode
- D. An IP address must be assigned to port5
Answer: A,C
Explanation:
In the FortiGate firewall policy, NAT must be enabled from port3 to SSW-01: To ensure successful communication between the client and the Conpot server through FortiGate, Network Address Translation (NAT) must be configured in the firewall policy. This allows the client to access the server via the FortiGate interface by properly routing the traffic.
The FortiGate-Edge device must be in network address translation (NAT) operation mode:
FortiGate in NAT operation mode ensures that traffic between different subnets (e.g., client and server) is routed correctly, enabling communication and simulation in the given topology.
NEW QUESTION # 35
Refer to the exhibit. Based on the Purdue model, which three measures can be implemented in the control area zone using the Fortinet Security Fabric? (Choose three.)
- A. FortiNAC for network access control
- B. FortiSIEM for security incident and event management
- C. FortiGate for application control and IPS
- D. FortiEDR for endpoint detection
- E. FortiGate for SD-WAN
Answer: A,C,D
NEW QUESTION # 36
FortiAnalyzer is implemented in the OT network to receive logs from responsible FortiGate devices. The logs must be processed by FortiAnalyzer.
In this scenario, which statement is correct about the purpose of FortiAnalyzer receiving and processing multiple log messages from a given PLC or RTU?
- A. To isolate PLCs or RTUs in the event of external attacks
- B. To determine which type of messages from the PLC or RTU causes issues in the plant
- C. To help OT administrators configure the network and prevent breaches
- D. To configure event handlers and take further action on FortiGate
Answer: D
NEW QUESTION # 37
Refer to the exhibit.
An OT architect has implemented a Modbus TCP with a simulation server Conpot to identify and control the Modus traffic in the OT network. The FortiGate-Edge device is configured with a software switch interface ssw-01.
Based on the topology shown in the exhibit, which two statements about the successful simulation of traffic between client and server are true? (Choose two.)
- A. The FortiGate-Edge device must be in NAT mode.
- B. NAT is disabled in the FortiGate firewall policy from port3 to ssw-01.
- C. Port5 is not a member of the software switch.
- D. The FortiGate devices is in offline IDS mode.
Answer: A,B
NEW QUESTION # 38
Refer to the exhibit.
Which statement about the interfaces shown in the exhibit is true?
- A. port1, port1-vlan10, and port1-vlan1 are in different broadcast domains
- B. port2, port2-vlan10, and port2-vlan1 are part of the software switch interface.
- C. The VLAN ID of port1-vlan1 can be changed to the VLAN ID 10.
- D. port1-vlan10 and port2-vlan10 are part of the same broadcast domain
Answer: A
NEW QUESTION # 39
Refer to the exhibit. An OT network architect must implement inter-VLAN routing in the topology.
Traffic from each client is tagged with a unique VLAN. Each client is directly connected to a Layer
2 switch.
Which action must the OT network architect take to achieve this goal?
- A. Set the same forward domain on each switch interface.
- B. Make FortiGate a router on a stick.
- C. Configure a software switch to handle traffic for each client.
- D. Replace the switch with a Layer 3 device.
Answer: B
Explanation:
With clients in separate VLANs on a Layer 2 switch, inter-VLAN traffic must be routed. Creating VLAN subinterfaces on a single FortiGate physical port ("router on a stick") lets the FortiGate route and apply policy between those VLANs.
NEW QUESTION # 40
Refer to the exhibit, which shows a non-protected OT environment.
An administrator needs to implement proper protection on the OT network.
Which three steps should an administrator take to protect the OT network? (Choose three.)
- A. Configure firewall policies with industrial protocol sensors
- B. Deploy an edge FortiGate between the internet and an OT network as a one-arm sniffer.
- C. Configure firewall policies with web filter to protect the different ICS networks.
- D. Deploy a FortiGate device within each ICS network.
- E. Use segmentation
Answer: A,D,E
NEW QUESTION # 41
Refer to the exhibit.
You are navigating through FortiSIEM in an OT network.
How do you view information presented in the exhibit and what does the FortiGate device security status tell you?
- A. In the widget dashboard and there are one or more high-severity incidents for the FortiGate device.
- B. In the PCI logging dashboard and there are one or more high-severity security incidents for the FortiGate device.
- C. In the business service dashboard and there are one or more high-severity security incidents for the FortiGate device.
- D. In the summary dashboard and there are one or more high-severity security incidents for the FortiGate device.
Answer: D
NEW QUESTION # 42
Refer to the exhibit
In the topology shown in the exhibit, both PLCs can communicate directly with each other, without going through the firewall.
Which statement about the topology is true?
- A. PLCs use IEEE802.1Q protocol to communicate each other.
- B. This integration solution expands VLAN capabilities from Layer 2 to Layer 3.
- C. There is no micro-segmentation in this topology.
- D. An administrator can create firewall policies in the switch to secure between PLCs.
Answer: C
NEW QUESTION # 43
......
NSE7_OTS-7.2 Exam Dumps - Free Demo & 365 Day Updates: https://pdfpractice.actual4dumps.com/NSE7_OTS-7.2-study-material.html