Refer to the exhibit. Which two statements are true about inbound traffic based on the IGW ingress route table and GWLB deployment shown in the exhibit? (Choose two.)

Inbound traffic is directed to the GWLB through a GWLB endpoint.

GWLB encapsulates traffic with the GENEVE protocol and sends it to FortiGate.

GWLB forwards traffic to FortiGate without encapsulation in its dedicated subnet.

Inbound traffic is directed to the GWLB through a GWLB endpoint.

Inbound traffic is directed to the application subnet through a GWLB endpoint.

GWLB encapsulates traffic with the GENEVE protocol and sends it to FortiGate.

You are troubleshooting network connectivity issues between two VMs deployed in AWS.One VM is a FortiGate located on subnet 'LAN' that is part of the VPC 'Encryption'. The other VM is a Windows server located on the subnet 'servers' which is also in the 'Encryption' VPC. You are unable to ping the Windows server from FortiGate.What are two reasons for this? (Choose two.)

The firewall in the Windows VM is blocking the traffic.

Add an inbound allow ICMP rule in the security group attached to the windows server.

The firewall in the Windows VM is blocking the traffic.

The default AWS Network Access Control List (NACL) does not allow this traffic.

By default, AWS does not allow ICMP traffic between subnets.

Add an inbound allow ICMP rule in the security group attached to the windows server.

Refer to the exhibit. An organization deployed the application servers in the AWS VPC that connects to the corporate data center using Transit Gateway Connect. Demand for the applications has grown and the connection requires more bandwidth.What is required to achieve higher bandwidth?

No configuration change is required because GRE tunnels are scaled to provide higher bandwidth.

Use routable public IP addresses instead of private IP addresses for connectivity.

You cannot increase bandwidth the connection has a fixed limit.

No configuration change is required because GRE tunnels are scaled to provide higher bandwidth.

You add a Transit VPC between the organization's VPCs.

You want to deploy the Fortinet HA CloudFormation template to stage and bootstrap the FortiGate configuration in the same region in which you created your VPC, which is Ohio US-East-2.Based on this information, which statement is correct?

You create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket needs to be hosted in the Ohio US-East-2 region.

You create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket can be hosted in any region.

The Fortinet HA cloud formation template automatically creates an S3 bucket.

You create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket needs to be hosted in the Ohio US-East-2 region.

You create a DynamoDB to stage and bootstrap FortiGate with an FGCP unicast configuration. It needs to be hosted in the Ohio US-East-2 region.

Refer to the exhibit. Traffic is initiated from the EC2 instance and is destined for the internet.Which traffic flow is correct?

EC2 instance > GWLBe > NAT GW > IGW > internet

EC2 instance > NAT GW > IGW > internet

There is no route to the internet in the Private Route Table. The traffic does not reach the internet.

EC2 instance > GWLBe > NAT GW > IGW > internet

EC2 instance > GWLBe > internet

A customer has implemented GWLB between the partner and application VPCs. FortiGate appliances are deployed in the partner VPC with multiple AZs to inspect traffic transparently.Which two things will happen to application traffic based on the GWLB deployment? (Choose two.)

Inbound and outbound traffic will go to multiple devices, which will perform load balancing.

Inbound and outbound traffic will go to the same device, which will perform stateful processing.

Inbound and outbound traffic will go to multiple devices, which will perform load balancing.

Inbound and outbound traffic will go to the same device, which will perform stateful processing.

The content of the original traffic exchanged between the GWLB and FortiGate will be preserved.

The original traffic exchanged between the GWLB and FortiGate will be hashed for data integrity.

Refer to the exhibit. A customer is using the AWS Elastic Load Balancer (ELB).Which two statements are correct about the ELB configuration? (Choose two.)

The load balancer is configured to load balance traffic among multiple availability zones.

You can use the DNS name to reach the targets behind the ELB.

The load balancer is configured to load balance traffic among multiple availability zones.

The Amazon Resource Name is used to access the load balancer node and targets.

You can use the DNS name to reach the targets behind the ELB.

The load balancer is configured for the internal traffic of the virtual public cloud (VPC).

Which two statements about the FortiCloud portal are true? (Choose two.)

You can gain remote access to your FortiGate VM directly from the portal.

You can access the FortiFlex portal only after you purchase a FortiFlex license and register it on FortiCare.

You can gain remote access to your FortiGate VM directly from the portal.

To assign permissions in the identity and access management (JAM) portal, you must write a JSON script.

You can access the FortiFlex portal only after you purchase a FortiFlex license and register it on FortiCare.

You can access only cloud services that you have subscribed to on AWS marketplace.

Which three statements are correct about VPC flow logs? (Choose three.)

Flow logs do not capture traffic to and from 169.254.169.254 for instance metadata.

Flow logs do not capture DHCP traffic.

Flow logs can be used as a security tool to monitor the traffic that is reaching the instance.

Flow logs do not capture traffic to and from 169.254.169.254 for instance metadata.

Flow logs do not capture DHCP traffic.

Flow logs can capture traffic to the reserved IP address for the default VPC router.

Flow logs can be used as a security tool to monitor the traffic that is reaching the instance.

Flow logs can capture real-time log streams for the network interfaces.

An administrator is adding a web application to be protected by FortiWeb Cloud.Which two steps are necessary to successfully onboard the application? (Choose two.)An administrator is adding a web application to be protected by FortiWeb Cloud.Which two steps are necessary to successfully onboard the application? (Choose two.)

Provide a web application name.

Create DNS records in the domain server that hosts the application.

Wait for the EC2 instance to be created.

Provide a web application name.

Create DNS records in the domain server that hosts the application.

Enable a content delivery network (CDN) in the same region where your application is located.

An administrator must deploy a web application firewall (WAF) solution to protect the web applications of their organization.Why would the administrator choose FortiWeb Cloud over AWS WAF with Fortinet managed rules?

SSL inspection is a requirement.

WAF signatures must be manually updated by FortiGuard.

The solution must meet PCI 6.6 compliance.

SSL inspection is a requirement.

Traffic must be inspected for malware.

Refer to the exhibit. You deployed an active-passive FortiGate HA cluster using a CloudFormation template on an existing VPC. Now you want to test active-passive FortiGate HA failover by running a debug so you can see the API calls to change the Elastic and secondary IP addresses.Which statement is correct about the output of the debug?

The Elastic IP is associated with port1 of Fgt2.

The routing table for Fgt2 updated successfully, and port2 will provide internet access to Fgt2.

The Elastic IP is associated with port1 of Fgt2.

IP address 10.0.0.13 is now associated with eni-0b61d8afc0aefb8a2.

The Elastic IP is associated with port2 of Fgt2, and the secondary IP address for port1 and port2 was updated successfully.

Your customers have been reporting slow response times when accessing your web application.What are two possible ways to increase response times from web servers protected by FortiWeb Cloud? (Choose two.)Your customers have been reporting slow response times when accessing your web application.What are two possible ways to increase response times from web servers protected by FortiWeb Cloud? (Choose two.)

Deploy FortiWeb Cloud in the same region where your web application is being hosted.

Enable a content delivery network

Deploy FortiWeb Cloud in the same region where your web application is being hosted.

Enable a content delivery network

Modify DNS entries to directly point to your web server.

Your company deployed a FortiSandbox for AWS.Which statement is correct about FortiSandbox for AWS?

FortiSandbox deploys new EC2 instances with the custom Windows and Linux VMs, then it sends malware, runs it, and captures the results for analysis.

FortiSandbox for AWS comes as a hybrid solution. The FortiSandbox manager is installed on-premises and analyzes the results of the sandboxing process received from AWS EC2 instances.

The FortiSandbox manager is installed on the AWS platform and analyzes the results of the sandboxing process received from on-premises Windows instances.

FortiSandbox for AWS does not need more resources because it performs only management and analysis tasks.

FortiSandbox deploys new EC2 instances with the custom Windows and Linux VMs, then it sends malware, runs it, and captures the results for analysis.

A customer is attempting to deploy an active-passive high availability (HA) cluster using the software-defined network (SDN) connector in the AWS cloud.What is an important consideration to ensure a successful formation of HA, failover, and traffic flow?

Unicast FortiGate Clustering Protocol (FGCP) must be used.

Both cluster members must be in the same availability zone.

VDOM exceptions must be configured.

Unicast FortiGate Clustering Protocol (FGCP) must be used.

Both cluster members must show as healthy in the elastic load balancer (ELB) configuration.

A cloud administrator is tasked with protecting web applications hosted in AWS cloud.Which three Fortinet cloud offerings can the administrator choose from to accomplish the task? (Choose three.)

Fortinet Managed Rules for AWS WAF

Refer to the exhibit. An administrator configured a FortiGate device to connect to the AWS API to retrieve resource values from the AWS console to create dynamic objects for the FortiGate policies. The administrator is unable to retrieve AWS dynamic objects on FortiGate.Which two reasons can explain why? (Choose two.)

AWS was not able to validate credentials provided by the AWS Lab SDN connector because of a clock skew between FortiGate and AWS.

The AWS Lab SDN connector is configured with an invalid AWS access or secret key.

The AWS API call is not supported on XML version 1.0.

AWS was not able to validate credentials provided by the AWS Lab SDN connector because of a clock skew between FortiGate and AWS.

The AWS Lab SDN connector is configured with an invalid AWS access or secret key.

The AWS Lab SDN connector failed to connect on port 401.

The AWS Lab SDN did not find any instances in the configured VPC.

Your organization is deciding between deploying FortiWeb VM or Fortinet Managed Rules for AWS WAF.What are two benefits of choosing FortiWeb VM? (Choose two.)

Up-to-date WAF signatures powered by FortiGuard.

You need to deploy a new Windows server in AWS to offload web traffic from an existing web server in a different availability zone.According to the AWS shared responsibility model, what three actions must you take to secure the new EC2 instance? (Choose three.)

Update software on the instance.

Manage the operating system on the instance.

Update software on the instance.

Change the existing elastic load balancer (ELB) to a gateway load balancer

Manage the operating system on the instance.

Move all web servers into the same availability zone.

An administrator wants to deploy a solution to automatically create firewall rules on FortiGate to accelerate time-to-protection for threats.Which AWS service can be integrated with FortiGate to accomplish this?

AWS network access control list

An administrator needs to attach an Elastic Network Interface (ENI) to an application instance in a VPC with multiple availability zones. An instance runs in availability zone 1.Which ENI property must the administrator consider when implementing this requirement?

An ENI cannot attach to an instance in availability zone 2.

After the ENI detaches from one instance, it can reattach only to the same instance.

You can detach the primary ENI from an AWS instance.

When you move an ENI, network traffic remains directed to the old instance until you terminate that instance.

Refer to the exhibit. What occurs during a failover for an active-passive (A-P) cluster that is deployed in two different availability zones? (Choose two.)

The cluster elastic IP address (EIP) is moved from Port1 of FGT-1 to Port1 of FGT-2.

The secondary IP address of Port2 of FGT-1 is moved to Port2 of FGT-2.

The cluster elastic IP address (EIP) is moved from Port1 of FGT-1 to Port1 of FGT-2.

The secondary IP address of Port2 of FGT-1 is moved to Port2 of FGT-2.

The default static route in the Private-AZ1 subnet route table is modified to forward all traffic to Port2 of FGT2.

An additional route is added to the route table of the HA Sync AZ2 subnet to forward all traffic to the Internet GW.

Refer to the exhibit. Which two statements are correct about traffic flow in FortiWeb Cloud? (Choose two.)

The DNS name for the application servers must point to FortiWeb Cloud.

FortiWeb Cloud filters the incoming traffic from users, blocking the OWASP Top 10 attacks, zero-day threats, and other application layer attacks.

The DNS name for the application servers must point to FortiWeb Cloud.

FortiWeb Cloud filters the incoming traffic from users, blocking the OWASP Top 10 attacks, zero-day threats, and other application layer attacks.

FortiWeb Cloud can protect the application servers only if they are all located in the same virtual public cloud (VPC).

Step 2 requires an AWS S3 bucket to be created.

What is a drawback of deploying a FortiWeb VM inside a virtual public cloud (VPC) compared to FortiWeb Cloud?

Only applications going through the VPC are protected.

It is unable to support web applications from OWASP Top 10 threats.

It does not support zero-day protection.

It is slower than FortiWeb Cloud to apply advanced WAF protection.

Only applications going through the VPC are protected.

An AWS administrator is designing internet connectivity for an organization's virtual public cloud (VPC). The organization has web servers with private addresses that must be reachable from the internet. The web servers must be highly available.Which two configurations can you use to ensure the web servers are highly available and reachable from the internet? (Choose two.)

Deploy a network load balancer.

Deploy web servers in multiple availability zones.

Deploy a network load balancer.

Configure a network address translation (NAT) Gateway in your VPC. Place web servers behind the NAT Gateway.

Add a route to the default virtual public cloud (VPC) route table forwarding all traffic to the internet gateway.

Deploy web servers in multiple availability zones.

A global organization with cloud networks deployed in several AWS regions wants to set up next-generation firewall (NGFW) protection using FortiGate Cloud-Native Firewall (CNF).What are two deployment considerations for the organization? (Choose two.)

A CNF instance is required for each AWS region that must be protected.

More than one AWS account can be associated with a CNF instance.

They must choose AWS Firewall Manager to provision a CNF instance.

A CNF instance is required for each AWS region that must be protected.

More than one AWS account can be associated with a CNF instance.

Only one CNF instance is required to protect all AWS regions.

An organization has created a VPC with two subnets and deployed a FortiGate-VM (VM04/c4.xlarge) in AWS.The EC2 instance is initially configured with two Elastic Network Interfaces (ENIs). The primary ENI is configured on the public subnet, and the secondary ENI is configured on the private subnet. To provide internet access for the FortiGate-VM, they now want to associate an EIP to its primary ENI, but the assignment is failing.Which action would allow the EIP assignment to be successful?

Create and attach an internet gateway to the VPC, and then assign the EIP to the primary ENI of the FortiGate VM.

Create and associate a public subnet with the primary ENI of the FortiGate VM, and then assign the EIP to the primary ENI.

Shut down the FortiGate VM, if it is running, assign the EIP to the primary ENI, and then power it on.

Create and attach an internet gateway to the VPC, and then assign the EIP to the primary ENI of the FortiGate VM.

Create and attach a public routing table to the public subnet, associate the public subnet with the primary ENI of the FortiGate VM, and then assign the EIP to the primary ENI.

Which three statements correctly describe FortiGate Cloud-Native Firewall (CNF)? (Choose three.)

It is considered to be a Firewall-as-a-Service (FWaaS).

It can be managed by FortiManager and AWS firewall manager.

It provides carrier-grade protection.

It uses AWS Elastic Load Balancing (ELB).

It is considered to be a Firewall-as-a-Service (FWaaS).

It can be managed by FortiManager and AWS firewall manager.

AWS native network services offer vast functionality and inter-connectivity between the cloud and on-premises networks.Which three additional functions can FortiGate for AWS offer to complement the native services offered by AWS? (Choose three.)

Secure SD-WAN with application visibility

Your organization is deciding between deploying an active-active (A-A) or active-passive (A-P) FortiGate high availability (HA) cluster in AWS cloud.Which two statements are true about A-A clusters compared to A-P clusters? (Choose two.)

For A-A clusters, FortiGate must perform SNAT inbound to ensure symmetric traffic flow.

A-A clusters always require a load balancer.

For A-A clusters, FortiGate must perform SNAT inbound to ensure symmetric traffic flow.

A-A clusters rely on API calls for sfailovers.

A-A clusters always require a load balancer.

A-A clusters can use a software-defined network (SDN) to perform a failover.

Refer to the exhibit. Which statement is correct about the VPC peering connections shown in the exhibit?

You cannot route packets directly from VPC B to VPC C through VPC A.

To route packets directly from VPC B to VPC C through VPC A, you must add a route for network 192.168.0.0/16 in the VPC A routing table.

You cannot route packets directly from VPC B to VPC C through VPC A.

You can associate VPC ID pcx-23232323 with VPC B to form a VPC peering connection between VPC B and VPC C.

You cannot create a separate VPC peering connection between VPC B and VPC C to route packets directly.

Refer to the exhibit. What two conclusions can you draw from the FortiGate debug output? (Choose two.)

The dynamic address object is automatically updated if the IP changes.

The SDN connector is correctly configured and authorized.

The dynamic address object is automatically updated if the IP changes.

The address object AWS Windows Server Lab can be manually changed on FortiGate.

The SDN connector is correctly configured and authorized.

The AWS user account used for software-defined network (SDN) integration must have full administrative rights.

Fortinet FCP_WCS_AD-7.4 Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 34

A customer has deployed FortiGate Cloud-Native Firewall (CNF).

Which two statements are correct about policy sets? (Choose two.)

There is an implicit deny rule at the bottom of the policy set.

The policy set must be manually synchronized to the CNF instance each time it is modified.

A new policy set is created with each deployed CNF instance.

Multiple policy sets can be applied to a single CNF instance.

Comment (0)

Fortinet FCP_WCS_AD-7.4 Practice Test 1

Question

Fortinet FCP_WCS_AD-7.4 Practice Tests

Practice Tests