NSE7_OTS-7.2 MCQs
NSE7_OTS-7.2 TestPrep NSE7_OTS-7.2 Study Guide NSE7_OTS-7.2 Practice Test NSE7_OTS-7.2 Exam Questions
killexams.com
Trustworthy for Fortinet Certified Solution Specialist (FCSS)
https://killexams.com/pass4sure/exam-detail/NSE7_OTS-7.2

An OT administrator is troubleshooting device detection in a Security Fabric with FortiGate and FortiNAC. A new PLC using IEC 61850 is not detected. Which steps resolve this?
A. Configure FortiGate to log IEC 61850 traffic with set application-list iec61850; set logtraffic all
B. Enable FortiNAC's passive discovery for IEC 61850 with set protocol iec61850 enable
C. Update FortiNAC's protocol database to include IEC 61850 signatures
D. Use FortiGate CLI to enable IEC 61850 detection with set iec61850-detection enable
E. Integrate FortiSIEM to forward IEC 61850 logs to FortiNAC
Answer: A, C
Explanation: Logging IEC 61850 traffic on FortiGate (set application-list iec61850; set logtraffic all) ensures detection data is available. Updating FortiNAC's protocol database with IEC 61850 signatures enables accurate detection.

An Operational Technology network uses FortiAnalyzer to log all traffic from a specific VLAN (100). Which filter ensures only VLAN 100 traffic is logged?
A. logid=10 AND vlan=100
B. logid=1 AND vlan_id=100
C. logid=10 AND vlan_id=100
D. logid=1 AND vlan=100
Answer: A
Explanation: The correct FortiAnalyzer filter is logid=10 AND vlan=100, as logid=10 targets traffic logs and vlan is the field for the VLAN ID. The other options use an incorrect field (vlan_id) or an incorrect logid value (logid=1).

In an OT environment, a FortiGate is deployed to protect a SCADA network using the IEC 61850 protocol. The administrator needs to identify and log all MMS (Manufacturing Message Specification) traffic for compliance auditing. Which two FortiGate features should be configured to achieve this?
A. Application control profile with IEC 61850 MMS signatures enabled
B. Deep packet inspection (DPI) with a custom MMS filter
C. Firewall policy with protocol inspection for IEC 61850
D. IPS sensor with MMS-specific signatures enabled
E. Traffic logging with a filter for MMS protocol
Answer: A, E
Explanation: To identify and log MMS traffic in an IEC 61850 SCADA network, the administrator should enable an application control profile with MMS signatures (part of IEC 61850) to identify the traffic and configure traffic logging with a filter for the MMS protocol to capture logs for auditing.

An Operational Technology network uses FortiSIEM to monitor IEC 61850 traffic for anomalies. Which query detects devices sending GOOSE messages with invalid sequence numbers?
A. SELECT source, seq_num FROM $log WHERE type="GOOSE" AND seq_num IS INVALID
B. SELECT src_ip, goose_seq FROM $log WHERE protocol="IEC61850" AND goose_seq NOT IN (SELECT valid_seq FROM goose_table)
C. SELECT src_ip, sequence FROM $log WHERE protocol="IEC61850" AND sequence != VALID
D. SELECT device, goose_seq FROM $log WHERE proto="GOOSE" AND goose_seq NOT VALID
Answer: B
Explanation: The correct FortiSIEM query is SELECT src_ip, goose_seq FROM $log WHERE protocol="IEC61850" AND goose_seq NOT IN (SELECT valid_seq FROM goose_table). It targets IEC 61850 GOOSE messages and checks for invalid sequence numbers by comparing against a table of valid sequence numbers. The other options use incorrect fields (type, proto, sequence, seq_num) or invalid syntax (IS INVALID, NOT VALID).

An Operational Technology network uses FortiAnalyzer to monitor S7comm traffic. You need to configure a filter to log only S7comm write requests. Which filter syntax is correct?
A. set filter "protocol=s7comm action=write"
B. set filter "app=s7comm write"
C. set filter "s7comm.write"
D. set filter "app=s7comm-write"
Answer: B
Explanation: To log S7comm write requests, the filter must specify the S7comm application and the write action. 'set filter "app=s7comm write"' is correct. "protocol=s7comm action=write" uses incorrect syntax. "s7comm.write" is invalid. "app=s7comm-write" assumes a hyphenated application name, so it is incorrect.

An Operational Technology network uses a FortiSwitch ring topology with MRP for redundancy. A link failure causes a 300ms recovery delay. Which configuration achieves a 100ms recovery time?
A. Enable RSTP as a fallback protocol
B. Set the MRP recovery time to 100ms
C. Configure a static LAG for redundancy
D. Increase the MRP ring check interval to 50ms
E. Set the MRP priority to 8192
Answer: B
Explanation: Setting the MRP recovery time to 100ms configures the protocol to recover within the desired timeframe, as MRP supports ultra-fast recovery in ring topologies. RSTP is not compatible with MRP. A static LAG does not support ring topologies. Increasing the ring check interval slows recovery. MRP priority affects role assignment, not recovery time.

An Operational Technology network uses FortiNAC to enforce network access control. A new device using PROFINET (EtherType 0x8892) fails to connect to the production VLAN. The FortiNAC log shows a profiling failure. Which steps should you take to resolve this issue?
A. Add a custom profiling rule in FortiNAC for EtherType 0x8892
B. Configure the Industrial Ethernet switch to send LLDP packets to FortiNAC
C. Verify the FortiGate firewall allows PROFINET traffic to the VLAN
D. Enable SNMP traps on the switch to update FortiNAC's device inventory
E. Manually assign the device to the production VLAN in FortiNAC
Answer: A, B, C
Explanation: Adding a custom profiling rule for EtherType 0x8892 allows FortiNAC to recognize PROFINET devices. Configuring the switch to send LLDP packets provides additional device information for profiling. Verifying that the FortiGate allows PROFINET traffic ensures connectivity to the VLAN. SNMP traps help with inventory but are less specific to PROFINET profiling. Manually assigning the VLAN bypasses profiling and is not scalable.

An OT administrator is configuring FortiGate to detect a new PLC using the DNP3 protocol in a Security Fabric environment. Which command enables FortiGate to identify and log DNP3 traffic for device detection?
A. config firewall service custom; set protocol DNP3; set logtraffic all; end
B. config system settings; set dnp3-detection enable; end
C. config firewall policy; set application-list DNP3; set logtraffic all; end
D. config system interface; set dnp3 enable; set logtraffic enable; end
Answer: C
Explanation: To detect and log DNP3 traffic, the administrator configures a firewall policy with an application control list for DNP3 and enables logging (config firewall policy; set application-list DNP3; set logtraffic all; end). This integrates with the Security Fabric for device detection.

An OT environment uses FortiGate to segment SCADA devices on VLAN 400 from IT devices on VLAN 500. The administrator needs to allow specific OPC UA traffic (port 4840) from a SCADA server (172.16.1.10) to a client in VLAN 500 (172.16.2.20). Which firewall policy is correct?
A. config firewall policy edit 1 set srcintf "vlan400" set dstintf "any" set srcaddr "all" set dstaddr "all" set service "OPCUA" set action accept next end
B. config firewall policy edit 1 set srcintf "vlan400" set dstintf "vlan400" set srcaddr "172.16.1.10" set dstaddr "172.16.2.20" set service "OPCUA" set action accept next end
C. config firewall policy edit 1 set srcintf "vlan500" set dstintf "vlan400" set srcaddr "172.16.2.20" set dstaddr "172.16.1.10" set service "OPCUA" set action accept next end
D. config firewall policy edit 1 set srcintf "vlan400" set dstintf "vlan500" set srcaddr "172.16.1.10" set dstaddr "172.16.2.20" set service "OPCUA" set action accept next end
Answer: D
Explanation: To allow OPC UA traffic (port 4840) from the SCADA server (172.16.1.10) in VLAN 400 to a client (172.16.2.20) in VLAN 500, the firewall policy must specify the correct source and destination interfaces and addresses.

An Operational Technology network uses a FortiGate to secure a Profibus network. The administrator needs to implement an IPS policy to detect and block Profibus packets with unauthorized master-slave communication attempts. Which two CLI commands are required to enable this protection?
A. config ips sensor edit "Profibus_Protection" set action block next end
B. config ips sensor edit "Profibus_Protection" config entries edit 1 set protocol PROFIBUS set signature "Profibus.Unauthorized_Master" set action block next end next end
C. config firewall policy edit 1 set ips-sensor "Profibus_Protection" set service "PROFIBUS" set action deny next end
D. config ips sensor edit "Profibus_Protection" config entries edit 1 set protocol TCP set signature "Profibus.Generic" set action block next end next end
E. config firewall policy edit 1 set service "PROFIBUS" set action deny next end
Answer: B, C
Explanation: To detect and block unauthorized Profibus master-slave communication attempts, the administrator must configure an IPS sensor with a specific signature and apply it to a firewall policy.

An Operational Technology network uses FortiGate with FortiNAC for device authentication. The administrator wants to ensure that only devices with valid digital certificates issued by the internal CA can access the control network. Which configuration on FortiGate is required to enforce this?
A. Configure a firewall policy with deep packet inspection and certificate validation
B. Set set auth-cert in the firewall policy configuration
C. Enable certificate-based authentication in the FortiGate SSL-VPN settings
D. Use set ssl-ocsp enable in the FortiGate global configuration
Answer: B
Explanation: To enforce certificate-based authentication on FortiGate, the administrator must configure a firewall policy with the certificate validation setting using the command set auth-cert (Set set auth-cert in the firewall policy configuration). This ensures only devices with valid certificates issued by the specified CA are allowed. Deep packet inspection does not specifically handle certificate authentication, SSL-VPN settings are irrelevant for OT device access, and OCSP enables certificate revocation checking but does not enforce authentication.

To ensure OT availability, you configure a FortiGate high-availability (HA) cluster in an Industrial Ethernet network. The cluster uses VRRP for redundancy. Which command verifies that the secondary FortiGate is synchronizing correctly with the primary?
A. diagnose sys ha status
B. get router info vrrp
C. show system ha
D. diagnose sys vrrp status
E. get system ha status
Answer: E
Explanation: The get system ha status command displays the HA synchronization status, including whether the secondary FortiGate is properly synchronized with the primary. diagnose sys ha status provides detailed HA diagnostics but is less straightforward. show system ha displays configuration, not real-time status. diagnose sys vrrp status and get router info vrrp relate to VRRP but do not confirm HA synchronization.

A FortiSIEM rule needs to detect OT devices with memory utilization above 90% for 10 minutes. Which condition is correct?
A. EventType = "System" AND memory > 90 INTERVAL 10m
B. EventType = "Performance" AND mem_usage > 90 INTERVAL 600s
C. EventType = "Performance" AND mem_load > 90 INTERVAL 600s
D. EventType = "System" AND mem_usage > 90 INTERVAL 10m
Answer: B
Explanation: The correct FortiSIEM rule condition is EventType = "Performance" AND mem_usage > 90 INTERVAL 600s, as EventType = "Performance" targets performance metrics, mem_usage is the standard field, and INTERVAL 600s specifies 10 minutes. The other options use incorrect fields (memory, mem_load) or event types (System).

An OT administrator needs to configure FortiSIEM to detect devices sending excessive ICMP packets. Which query identifies devices with over 1000 ICMP packets in 5 minutes?
A. SELECT source, SUM(packets) FROM $log WHERE type="ICMP" GROUP BY source HAVING SUM(packets) > 1000 INTERVAL 5m
B. SELECT src_ip, COUNT(*) AS pkt_count FROM $log WHERE protocol="ICMP" GROUP BY src_ip HAVING pkt_count > 1000 INTERVAL 300s
C. SELECT src_ip, COUNT(packets) FROM $log WHERE protocol="ICMP" GROUP BY src_ip HAVING COUNT(packets) > 1000 INTERVAL 300s
D. SELECT device, SUM(pkt) FROM $log WHERE proto="ICMP" GROUP BY device HAVING SUM(pkt) > 1000 INTERVAL 5m
Answer: B
Explanation: The correct FortiSIEM query is SELECT src_ip, COUNT(*) AS pkt_count FROM $log WHERE protocol="ICMP" GROUP BY src_ip HAVING pkt_count > 1000 INTERVAL 300s. It filters ICMP traffic, counts packets with COUNT(*), groups by source IP, and uses a 300-second (5-minute) interval. The other options use incorrect fields (type, proto, packets, pkt) or aggregation methods.

An Operational Technology network uses FortiAnalyzer to monitor IEC 61850 traffic. You need to configure a filter to log only GOOSE messages. Which filter syntax is correct?
A. set filter "app=goose"
B. set filter "protocol=iec61850 type=goose"
C. set filter "iec61850.goose"
D. set filter "app=iec61850.goose"
Answer: D
Explanation: To log GOOSE messages, the filter must specify the IEC 61850 application and the GOOSE type. 'set filter "app=iec61850.goose"' is correct. "protocol=iec61850 type=goose" uses incorrect syntax. "iec61850.goose" is invalid. "app=goose" does not specify IEC 61850, so it is incorrect.

In an OT environment, a FortiGate is used to secure a network with S7comm protocol traffic. The administrator needs to allow only specific S7comm function codes. Which CLI command is used to configure this?
A. config system settings
B. config firewall policy
C. config application list
D. config ips sensor
Answer: C
Explanation: The config application list command is used to create an application control profile to filter specific S7comm function codes. The config firewall policy command applies the profile but does not configure it. The config system settings command is unrelated. The config ips sensor command is for IPS, not application control.

In a FortiSIEM deployment, an OT administrator wants to prioritize alerts for devices with a criticality score above 7. Which configuration ensures this?
A. Set Priority = Criticality * Severity in the FortiSIEM rule
B. Configure an event handler with filter: Criticality > 7
C. Adjust the FortiSIEM global policy to weight Criticality > 7
D. Use a CMDB query to tag devices with Criticality > 7
Answer: B
Explanation: To prioritize alerts for devices with a criticality score above 7 in FortiSIEM, configure an event handler with the filter Criticality > 7 to directly target high-criticality devices. Setting Priority = Criticality * Severity modifies priority but does not ensure prioritization of alerts. Adjusting the global policy is too broad and not specific to criticality. A CMDB query for tagging is a prerequisite, not a prioritization mechanism.

In a FortiNAC deployment, an OT administrator wants to enforce 802.1X authentication for PLCs using EAP-TLS. The FortiSwitch ports must dynamically assign VLAN 500 for authenticated devices and VLAN 600 for guest devices. Which configuration is correct?
A. config switch-controller 802-1x-settings set guest-vlan 600 set auth-vlan 500 set auth-type eap-tls end
B. config switch-controller port-security set port1 auth-mode 802.1x set guest-vlan 600 set auth-vlan 500 set eap-tls enable end
C. config switch-controller security-policy 802-1x set guest-vlanid 600 set auth-vlanid 500 set security-mode eap-tls end
D. config switch-controller vlan-policy set vlan 500 set guest-vlan 600 set auth-method eap-tls end
Answer: C
Explanation: To configure 802.1X authentication with EAP-TLS on FortiSwitch for PLCs, the correct command is under the switch-controller security-policy 802-1x context.

In an Operational Technology network, a FortiGate is used to secure a Modbus TCP network. The administrator needs to block packets with function code 23 (Read/Write Multiple Registers) from a specific VLAN (VLAN 100). Which configuration achieves this?
A. config application control edit "Modbus_Restrict" set protocol MODBUS set function "Read_Write" set action block next end
B. config firewall policy edit 1 set vlanid 100 set service "MODBUS" set action deny next end
C. config ips sensor edit "Modbus_Restrict" config entries edit 1 set protocol TCP set signature "Modbus.Generic" set action block next end next end
D. config ips sensor edit "Modbus_Restrict" config entries edit 1 set protocol MODBUS set signature "Modbus.Read_Write" set action block set vlan 100 next end next end
E. config firewall policy edit 1 set vlanid 100 set service "TCP/502" set action deny next end
Answer: D
Explanation: To block Modbus function code 23 packets from VLAN 100, an IPS sensor with a specific signature and VLAN filter is required.

An Operational Technology network administrator configures FortiGate to segment a control network (VLAN 900) to allow only S7comm traffic (port 102) to a server at 192.168.90.10. Which CLI configuration is correct?
A. config firewall policy edit 1 set srcintf "VLAN900" set dstintf "Server" set srcaddr "all" set dstaddr "192.168.90.10" set service "ALL" set action accept next end
B. config firewall policy edit 1 set srcintf "VLAN900" set dstintf "Server" set srcaddr "192.168.90.0/24" set dstaddr "192.168.90.10" set service "S7comm" set action accept next end
C. config firewall policy edit 1 set srcintf "VLAN900" set dstintf "Server" set srcaddr "192.168.90.0/24" set dstaddr "all" set service "S7comm" set action accept next end
D. config firewall policy edit 1 set srcintf "VLAN900" set dstintf "Server" set srcaddr "all" set dstaddr "all" set service "ALL" set action accept next end
Answer: B
Explanation: To allow only S7comm traffic from VLAN 900 to the server at 192.168.90.10, the firewall policy must specify the source interface (VLAN900), destination interface (Server), source address (192.168.90.0/24), destination address (192.168.90.10), and service (S7comm) with an accept action (config firewall policy with specific source, destination, and S7comm service). The other options allow broader addresses or services, failing to meet the requirement.

In an OT environment, a FortiGate administrator is configuring internal segmentation to isolate ICS devices on VLAN 200 from corporate devices on VLAN 300. The goal is to prevent lateral movement while allowing specific Modbus TCP traffic (port 502) from a SCADA server (10.0.2.10) to ICS devices. Which firewall policy configuration is correct?
A. config firewall policy edit 1 set srcintf "vlan200" set dstintf "vlan300" set srcaddr "10.0.2.10" set dstaddr "all" set service "MODBUS" set action accept next end
B. config firewall policy edit 1 set srcintf "vlan300" set dstintf "vlan200" set srcaddr "all" set dstaddr "10.0.2.10" set service "MODBUS" set action accept next end
C. config firewall policy edit 1 set srcintf "vlan200" set dstintf "vlan200" set srcaddr "10.0.2.10" set dstaddr "all" set service "MODBUS" set action accept next end
D. config firewall policy edit 1 set srcintf "vlan200" set dstintf "any" set srcaddr "all" set dstaddr "all" set service "MODBUS" set action accept next end
Answer: C
Explanation: To allow specific Modbus TCP traffic (port 502) from the SCADA server (10.0.2.10) in VLAN 200 to ICS devices within the same VLAN while preventing lateral movement to VLAN 300, the firewall policy must be configured with srcintf and dstintf set to "vlan200" to restrict traffic within VLAN 200. The srcaddr should be "10.0.2.10" to specify the SCADA server, and the service should be "MODBUS" to allow port 502 traffic.

An Operational Technology network administrator needs to restrict SCADA server access to only categorized PLCs using FortiNAC. Which configuration achieves this?
A. Configure FortiGate to enforce PLC access with set application-list plc-only
B. Create a network access policy in FortiNAC to allow only PLC device profiles
C. Set up FortiNAC to use VLAN segmentation for PLCs with set vlan plc
D. Enable FortiNAC's access control with set access-control plc
E. Integrate FortiSIEM to enforce PLC access policies
Answer: B
Explanation: Creating a network access policy in FortiNAC to allow only PLC device profiles restricts SCADA server access effectively.

An Operational Technology network administrator configures a FortiGate to protect a BACnet network. They need to log all BACnet WriteProperty requests for auditing. Which configuration achieves this?
A. Use FortiAnalyzer to log all BACnet traffic
B. Configure a firewall policy for BACnet port 47808 with logging enabled
C. Enable logging in an application control profile with a custom BACnet signature
D. Enable IPS logging for BACnet traffic
E. Set up packet capture for BACnet port 47808
Answer: C
Explanation: To log BACnet WriteProperty requests, "Enable logging in an application control profile with a custom BACnet signature" is correct, as it targets specific BACnet requests. "Configure a firewall policy for BACnet port 47808 with logging enabled" logs all BACnet traffic, not specific requests. "Use FortiAnalyzer to log all BACnet traffic" is too broad. "Enable IPS logging for BACnet traffic" may log anomalies but not specific requests. "Set up packet capture for BACnet port 47808" is inefficient, requiring manual analysis.

KILLEXAMS.COM
Killexams.com is a leading online platform specializing in high-quality certification exam preparation. Offering a robust suite of tools, including MCQs, practice tests, and advanced test engines, Killexams.com empowers candidates to excel in their certification exams. Discover the key features that make Killexams.com the go-to choice for exam success.
Killexams.com provides exam questions like those candidates encounter in test centers. These questions are updated regularly to ensure they are current and relevant to the latest exam syllabus. By studying these questions, candidates can familiarize themselves with the content and format of the real exam.
Killexams.com offers exam MCQs in PDF format. These contain a comprehensive collection of questions and answers that cover the exam topics. By using these MCQs, candidates can enhance their knowledge and improve their chances of success in the certification exam.
Killexams.com provides practice tests through its desktop test engine and online test engine. These practice tests simulate the real exam environment and help candidates assess their readiness for the actual exam. The practice tests cover a wide range of questions and enable candidates to identify their strengths and weaknesses.
Killexams.com offers a success guarantee with the exam MCQs. Killexams claims that by using these materials, candidates will pass their exams on the first attempt or they will receive a refund of the purchase price. This guarantee provides assurance and confidence to individuals preparing for a certification exam.
Killexams.com regularly updates its question bank of MCQs to ensure that they are current and reflect the latest changes in the exam syllabus. This helps candidates stay up-to-date with the exam content and increases their chances of success.