
Fortinet NSE7_ZTA-7.2 Practice Test - Questions Answers, Page 3


Refer to the exhibit (real-time debug output; the exhibit image is not reproduced here).

User student is not able to log in to SSL VPN.

Given the output showing a real-time debug, which statement describes the login failure?

A. Unable to verify chain of trust for the peer certificate
B. CN does not match the user peer configuration
C. student is not part of the usergroup SSL_VPN_Users.
D. Client certificate has expired

Suggested answer: B

Explanation:

The debug shows the authentication daemon (fnbamd) working through the group check for a PKI (peer) user. The line 'fnbam_cert_check_group_list-checking group with name 'SSL_VPN_Users'' is followed by 'peer_check_add_peer_check_student', so the peer user 'student' is a member of SSL_VPN_Users and was queued for the certificate check; that rules out C. The check then fails at 'RDN_match-Checking 'CN' val 'STUDENT' -- no match': the CN carried in the client certificate that was actually presented ('STUDENT') does not match the CN configured on the peer user under config user peer, so the peer check fails, the group match fails, and the login is rejected. Nothing in the quoted output reports a chain-of-trust failure (A) or an expired certificate (D). The fix is to compare the cn and cn-type values of the peer user with the subject CN of the certificate the client presents and make them agree.
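Added example, not part of the original page or of the exhibit: the FortiOS peer user and group configuration that the quoted debug lines imply, plus the CLI commands used to capture this kind of real-time debug. The CA name "CA_Cert_1" and the configured CN value "student" are assumptions; the user, group and debug component names come from the debug lines.

```fortios
# Assumed names: CA certificate "CA_Cert_1", peer user "student", group "SSL_VPN_Users".
# The login in the question fails because the presented certificate carries CN=STUDENT
# while the peer user below expects a different value; the RDN match on CN is the step
# the debug reports as "no match".
config user peer
    edit "student"
        set ca "CA_Cert_1"
        set cn "student"
        set cn-type string
    next
end

config user group
    edit "SSL_VPN_Users"
        set member "student"
    next
end

# SSL VPN must ask the client for a certificate for the peer check to run at all.
config vpn ssl settings
    set reqclientcert enable
end

# Capture the same real-time debug on the CLI while the user retries the login.
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable
# ... reproduce the login attempt, then stop and clear the debug ...
diagnose debug disable
diagnose debug reset
```

When the output shows the group being checked and the peer being added but the RDN match failing, change the peer user's cn to the exact subject CN of the issued certificate (or reissue the certificate with the CN the peer expects) rather than touching group membership.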

In which FortiNAC configuration stage do you define endpoint compliance?

A. Device onboarding
B. Management configuration
C. Policy configuration
D. Network modeling
Suggested answer: C

Explanation:

Endpoint compliance is defined in the policy configuration stage of FortiNAC. Endpoint compliance policies specify which endpoint compliance configuration and user/host profile are applied to a host based on its location, user, and device type. Endpoint compliance configurations define whether a host is required to download an agent and undergo a scan, is permitted access with no scan, or is denied access. The scan parameters and security actions are also configured in the endpoint compliance configurations. Therefore, to define endpoint compliance, you create and assign endpoint compliance policies and configurations in the policy configuration stage of FortiNAC.

References:
https://docs.fortinet.com/document/fortinac/9.4.0/administration-guide/985922/endpoint-compliance-policies
https://docs.fortinet.com/document/fortinac/9.4.0/fortinac-manager/161887/endpoint-compliance-configurations

Which three statements are true about a persistent agent? (Choose three.)

A. Agent is downloaded and run from captive portal
B. Supports advanced custom scans and software inventory.
C. Can apply supplicant configuration to a host
D. Deployed by a login/logout script and is not installed on the endpoint
E. Can be used for automatic registration and authentication
Suggested answer: B, C, E

Explanation:

A persistent agent is an application installed on Windows, macOS, or Linux hosts that identifies them to FortiNAC and scans them for compliance with an endpoint compliance policy. Because it stays resident on the host, it supports advanced custom scans and software inventory (B), can apply a supplicant configuration to the host (C), and can be used for automatic registration and authentication (E). Option A describes the dissolvable agent and option D describes the passive agent.

References: FortiNAC documentation, Persistent Agent; Persistent Agent on Windows; Using the Persistent Agent.

Which three statements are true about zero-trust telemetry compliance? (Choose three.)

A. FortiClient EMS creates dynamic policies using ZTNA tags
B. FortiClient checks the endpoint using the ZTNA tags provided by FortiClient EMS
C. ZTNA tags are configured in FortiClient, based on criteria such as certificates and the logged-in domain
D. FortiOS provides network access to the endpoint based on the zero-trust tagging rules
E. FortiClient EMS sends the endpoint information received through FortiClient Telemetry to FortiOS
Suggested answer: A, B, D

Explanation:

In the context of zero-trust telemetry compliance, the three true statements are:

A) FortiClient EMS creates dynamic policies using ZTNA tags: zero-trust tagging rules are defined on EMS, and the tags they assign change as endpoint telemetry changes, so policies built on those tags adapt without manual edits.

B) FortiClient checks the endpoint using the ZTNA tags provided by FortiClient EMS: EMS pushes its tagging rules to FortiClient, which evaluates the endpoint against them (certificates, logged-in domain, running processes, and so on) and reports the result back in its telemetry.

D) FortiOS provides network access to the endpoint based on the zero-trust tagging rules: the FortiGate receives the tags through the EMS Fabric connector and uses them as matching criteria in ZTNA rules and firewall policies.

The other options are not accurate as stated:

C) ZTNA tags are configured in FortiClient, based on criteria such as certificates and the logged-in domain: the tagging rules are created and managed on FortiClient EMS, not in FortiClient; FortiClient only evaluates the rules EMS sends it.

E) FortiClient EMS sends the endpoint information received through FortiClient Telemetry to FortiOS: what EMS shares with the FortiGate is the tag assignment (which endpoints, identified by IP and MAC address, carry which tag), not the telemetry itself; the FortiGate does not receive the raw compliance data.

References: Zero Trust Telemetry in Fortinet Solutions; FortiClient EMS and FortiOS Integration for ZTNA.
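Added example, not from the page: the FortiOS side of the flow described above, once the EMS Fabric connector is authorized. The EMS connector name "EMS1", the access proxy "ZTNA_proxy", the interface "port1" and the tag name "Compliant" are assumptions; on the FortiGate an EMS tag appears as a dynamic address object named EMS<n>_ZTNA_<tag>, which is what the policy references.

```fortios
# Assumed: EMS connector "EMS1" already authorized in the Security Fabric, an access
# proxy "ZTNA_proxy" already defined for the protected application, and a zero-trust
# tagging rule on EMS that assigns the tag "Compliant". FortiOS receives the tag
# membership from EMS as a dynamic address and uses it as a policy match condition;
# endpoints that lose the tag stop matching without any change to this policy.
config firewall proxy-policy
    edit 1
        set name "ZTNA_Compliant_only"
        set proxy access-proxy
        set access-proxy "ZTNA_proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set action accept
        set logtraffic all
    next
end

# Verification: confirm the FortiGate can reach EMS, then list the dynamic addresses
# to see which endpoint IP/MAC pairs EMS currently reports under each tag.
diagnose endpoint fctems test-connectivity EMS1
diagnose firewall dynamic list
```

If an endpoint that FortiClient shows as tagged does not appear in the dynamic address list, the problem is on the EMS-to-FortiOS leg of the exchange (connector authorization or tag sharing), not in the tagging rule itself.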


Which statement is true about disabled hosts on FortiNAC?

A. They are quarantined and placed in the remediation VLAN
B. They are placed in the authentication VLAN to reauthenticate
C. They are marked as unregistered rogue devices
D. They are placed in the dead end VLAN

Suggested answer: D

Explanation:

FortiNAC uses several isolation networks, each with its own role: the registration VLAN for unregistered (rogue) hosts, the authentication VLAN for hosts that still have to authenticate, the quarantine (remediation) VLAN for hosts that fail an endpoint compliance scan, and the dead end VLAN for hosts that an administrator or an automated security action has disabled. A disabled host is therefore not quarantined for remediation (A), is not sent back to authenticate (B), and keeps its registration record rather than becoming a rogue (C); it is moved to the dead end VLAN, where it has no network access until it is re-enabled.

What happens when FortiClient EMS is configured as an MDM connector on FortiNAC?

A. FortiNAC sends the host data to FortiClient EMS to update its host database
B. FortiClient EMS verifies with FortiNAC that the device is registered
C. FortiNAC polls FortiClient EMS periodically to update already registered hosts in FortiNAC
D. FortiNAC checks for device vulnerabilities and compliance with FortiClient
Suggested answer: C

Explanation:

When FortiClient EMS is configured as an MDM connector on FortiNAC, FortiNAC can obtain host information from FortiClient EMS and use it for network access control. FortiNAC polls FortiClient EMS periodically (every 5 minutes by default) to update already registered hosts in FortiNAC. This ensures that FortiNAC has the latest host data from FortiClient EMS, such as device type, OS, IP address, MAC address, hostname, and FortiClient version. FortiNAC can also use FortiClient EMS as an authentication source for devices that have FortiClient installed. FortiNAC does not send any data to FortiClient EMS, and it does not check for device vulnerabilities and compliance through FortiClient.

References: MDM Service Connectors | FortiClient EMS Integration; FortiClient EMS Device Integration | FortiNAC 9.4.0 - Fortinet Documentation; Technical Tip: Integration with FortiClient EMS.

Which two types of configuration can you associate with a user/host profile on FortiNAC? (Choose two.)

A. Service Connectors
B. Network Access
C. Inventory
D. Endpoint compliance
Suggested answer: B, D

Explanation:

User/host profiles are used to map sets of hosts and users to different types of policies or rules on FortiNAC. Among the options given, network access and endpoint compliance are the two types of configuration that can be associated with a user/host profile. A network access configuration determines the VLAN, CLI configuration or VPN group that is assigned to a host or user based on their profile. An endpoint compliance configuration defines the policies that check the host or user for compliance status, such as antivirus, firewall, patch level, and so on. Service connectors and inventory are not types of configuration but features of FortiNAC: the former integrates with other services and devices, the latter collects host and user data.

Reference: User/host profiles | FortiNAC 9.4.0 - Fortinet Documentation.

An administrator is trying to create a separate web filtering profile for off-fabric and on-fabric clients and push it to managed FortiClient devices.

Where can you enable this feature on FortiClient EMS?

A. Endpoint policy
B. ZTNA connection rules
C. System settings
D. On-fabric rule sets
Suggested answer: A

Explanation:

In FortiClient EMS, a managed endpoint receives its profiles through the endpoint policy, and the endpoint policy is where a separate off-fabric profile is enabled:

A) Endpoint policy: each endpoint policy assigns a profile (including its web filter settings) and can additionally enable an off-fabric profile that FortiClient switches to when the on-fabric detection rules no longer match. Enabling the off-fabric profile in the policy is what pushes two different web filtering profiles to the same endpoints.

The other options do not directly relate to web filtering profiles:

B) ZTNA connection rules: these define access-proxy destinations for ZTNA and carry no web filtering settings.

C) System settings: overall EMS configuration, not per-endpoint policy definitions.

D) On-fabric rule sets: these decide whether an endpoint is on-fabric or off-fabric; the endpoint policy references them, but they do not hold the web filtering profile.

References: FortiClient EMS Administration Guide; Managing Endpoint Policies in FortiClient EMS.

Which method is used to install passive agent on an endpoint?

A. Deployed by using a login/logout script
B. Agent is downloaded from Playstore
C. Agent is downloaded and run from captive portal
D. Installed by user or deployment tools

Suggested answer: A

Explanation:

The FortiNAC passive agent is not installed on the endpoint: it is delivered and executed through a domain login/logout script, scans the host, reports the results to FortiNAC, and leaves nothing resident. This is the same description the persistent agent question above uses for its distractor ("Deployed by a login/logout script and is not installed on the endpoint"), which is the passive agent.

The other options describe the other FortiNAC agent types:

B) Agent is downloaded from Playstore: the mobile agent, obtained from the platform app store.

C) Agent is downloaded and run from captive portal: the dissolvable agent, which runs once from the captive portal and removes itself.

D) Installed by user or deployment tools: the persistent agent, which is installed on the host manually or through a software deployment tool.

References: FortiNAC Agent Deployment Guide; Installation Methods for Passive Agents in FortiNAC.

Which three core products are mandatory in the Fortinet ZTNA solution? (Choose three.)

A. FortiClient EMS
B. FortiClient
C. FortiToken
D. FortiGate
E. FortiAuthenticator
Suggested answer: A, B, D

Explanation:

The Fortinet ZTNA solution is a zero-trust network access approach that provides secure and granular access to applications hosted anywhere, for users working from anywhere. The three core products that are mandatory in the Fortinet ZTNA solution are:

FortiClient EMS: the central management console that orchestrates the ZTNA policies and provides visibility and control over the endpoints and devices. It can also integrate with FortiAuthenticator for identity verification and FortiAnalyzer for reporting and analytics.

FortiClient: the endpoint agent that supports ZTNA, VPN, endpoint protection, and vulnerability scanning. It establishes encrypted tunnels with the ZTNA proxy on the FortiGate and provides device posture and single sign-on (SSO) capabilities.

FortiGate: the next-generation firewall that acts as the ZTNA proxy and enforces the ZTNA policies based on user identity, device posture, and application context. It also provides security inspection and threat prevention for the ZTNA traffic.

FortiToken (C) and FortiAuthenticator (E) add multi-factor authentication and identity services to the deployment but are optional; ZTNA works with the three products above alone.

Total 30 questions