I have problems with this.
If you review page 143, there are only two correct answers, but it says "choose three".
A is incorrect. Point 6: FortiClient checks the endpoint using the provided zero trust tagging rules and sends back the results to FortiClient EMS. Note that it says "zero trust tagging RULES", not "ZTNA tags".
B is incorrect. Point 4: Zero-trust tagging rules are configured in FortiClient EMS, based on criteria such as certificates, the logged in domain, files present, OS versions, running processes, registry keys, and so on. Note that it says "Zero-trust tagging rules are configured in FortiClient EMS". Not "ZTNA tags are configured in FortiClient".
C is correct. Point 9: Network access is provided to the endpoint, based on the zero-trust tagging rules.
(this answer continues)
D is correct. Point 3: FortiClient EMS sends the endpoint information received through FortiClient Telemetry to FortiOS.
E is incorrect. Point 8: FortiOS can receive the dynamic endpoint groups from FortiClient EMS and use them to create Dynamic firewall policies. Note it says that it's FortiOS who creates Dynamic firewall policies. It is not FortiClient EMS who creates dynamic policies using ZTNA tags.
So, C and D are right. One is missing.
The only thing that comes to my mind is that "A" is correct, but it is not written correctly. It should say "FortiClient checks the endpoint using the ztna TAGGING RULES (and not "tags") provided by FortiClient EMS". This way, "A" would be correct.
This slide shows how FortiClient-EMS and FortiGate check for compliance:
1. FortiClient-EMS is connected to FortiGate as a participant in the Security Fabric.
2. FortiClient Telemetry attempts to connect to FortiClient-EMS. Based on the FortiClient-EMS configuration, FortiClient may receive an SSL certificate from EMS to verify the connection.
3. FortiClient-EMS sends the endpoint information received through FortiClient Telemetry to FortiOS.
4. Zero-trust tagging rules are configured in FortiClient-EMS, based on criteria such as certificates, the logged in domain, files present, OS versions, running processes, registry keys.
5. FortiClient-EMS sends zero-trust tagging rules to the endpoint.
6. FortiClient checks the endpoint using the provided zero trust tagging rules and sends back the results to FortiClient-EMS.
7. FortiClient-EMS dynamically groups the endpoint, based on the zero-trust tagging rules.
8. FortiOS can receive the dynamic endpoint groups from FortiClient-EMS and use them to create dynamic firewall policies.
9. Network access is provided to the endpoint, based on the zero-trust tagging rules.
lucient
8 months, 2 weeks ago
lucient
8 months, 2 weeks ago
Fikachew
1 year ago
lil_pc1972
1 year, 1 month ago