ExamGecko
Login
Home / Fortinet / FCP_WCS_AD-7.4 / List of questions
Ask Question

Fortinet FCP_WCS_AD-7.4 Practice Test - Questions Answers

Add to Whishlist

List of questions

Question 1

Report Export Collapse

A customer has deployed FortiGate Cloud-Native Firewall (CNF).

Which two statements are correct about policy sets? (Choose two.)

There is an implicit deny rule at the bottom of the policy set.
There is an implicit deny rule at the bottom of the policy set.
The policy set must be manually synchronized to the CNF instance each time it is modified.
The policy set must be manually synchronized to the CNF instance each time it is modified.
A new policy set is created with each deployed CNF instance.
A new policy set is created with each deployed CNF instance.
Multiple policy sets can be applied to a single CNF instance.
Multiple policy sets can be applied to a single CNF instance.
Suggested answer: A, C
Explanation:

Implicit Deny Rule:

Similar to traditional firewall rule sets, FortiGate Cloud-Native Firewall (CNF) includes an implicit deny rule at the bottom of each policy set. This means any traffic that does not match an existing rule in the policy set is automatically denied (Option A).

Policy Set Creation:

When a new CNF instance is deployed, a new policy set is created specifically for that instance. This ensures that each CNF instance can have a tailored set of security policies based on the specific needs of the deployment (Option C).

Other Options Analysis:

Option B is incorrect because policy sets do not require manual synchronization; they are applied automatically once configured.

Option D is incorrect as a single CNF instance operates with a single policy set at a time.

FortiGate CNF Documentation: FortiGate CNF

Firewall Policy Best Practices: Fortinet Policies

asked 18/09/2024
Alejandro Meza
40 questions

Question 2

Report Export Collapse

Refer to the exhibit.

Fortinet FCP_WCS_AD-7.4 image Question 2 26011 09182024185905000000

Which two statements are true about inbound traffic based on the IGW ingress route table and GWLB deployment shown in the exhibit? (Choose two.)

GWLB forwards traffic to FortiGate without encapsulation in its dedicated subnet.
GWLB forwards traffic to FortiGate without encapsulation in its dedicated subnet.
Inbound traffic is directed to the GWLB through a GWLB endpoint.
Inbound traffic is directed to the GWLB through a GWLB endpoint.
Inbound traffic is directed to the application subnet through a GWLB endpoint.
Inbound traffic is directed to the application subnet through a GWLB endpoint.
GWLB encapsulates traffic with the GENEVE protocol and sends it to FortiGate.
GWLB encapsulates traffic with the GENEVE protocol and sends it to FortiGate.
Suggested answer: B, D
Explanation:

Traffic Direction through GWLB Endpoint:

The ingress route table directs inbound traffic to the GWLB through a GWLB endpoint (GWLBe). This endpoint is responsible for directing traffic to the Gateway Load Balancer for further processing (Option B).

GENEVE Encapsulation:

The GWLB encapsulates the inbound traffic using the GENEVE protocol. This encapsulated traffic is then sent to FortiGate instances for security inspection. The use of GENEVE ensures that the original traffic context is preserved and can be analyzed by FortiGate (Option D).

Other Options Analysis:

Option A is incorrect because GWLB does not forward traffic without encapsulation in its dedicated subnet.

Option C is incorrect as the inbound traffic is directed to the GWLB endpoint first, not directly to the application subnet.

AWS Gateway Load Balancer Documentation: AWS GWLB

GENEVE Protocol Overview: GENEVE Protocol

asked 18/09/2024
Stephanie Scheffers
45 questions

Question 3

Report Export Collapse

You are troubleshooting network connectivity issues between two VMs deployed in AWS.

One VM is a FortiGate located on subnet 'LAN' that is part of the VPC 'Encryption'. The other VM is a Windows server located on the subnet 'servers' which is also in the 'Encryption' VPC. You are unable to ping the Windows server from FortiGate.

What are two reasons for this? (Choose two.)

The firewall in the Windows VM is blocking the traffic.
The firewall in the Windows VM is blocking the traffic.
The default AWS Network Access Control List (NACL) does not allow this traffic.
The default AWS Network Access Control List (NACL) does not allow this traffic.
By default, AWS does not allow ICMP traffic between subnets.
By default, AWS does not allow ICMP traffic between subnets.
Add an inbound allow ICMP rule in the security group attached to the windows server.
Add an inbound allow ICMP rule in the security group attached to the windows server.
Suggested answer: A, D
Explanation:

Windows Firewall Blocking Traffic:

The firewall on the Windows VM might be configured to block incoming ICMP traffic (ping requests). By default, Windows Firewall is set to block ICMP traffic, which could be a reason for the connectivity issue (Option A).

Security Group Configuration:

AWS Security Groups act as virtual firewalls for instances. If there is no rule allowing ICMP traffic in the security group attached to the Windows server, the ping requests from FortiGate will be blocked. An inbound allow ICMP rule must be added to the security group to permit this traffic (Option D).

Other Options Analysis:

Option B is incorrect because the default AWS Network Access Control List (NACL) allows all inbound and outbound traffic.

Option C is incorrect as AWS does allow ICMP traffic between subnets if properly configured with Security Groups and NACLs.

AWS Security Groups: AWS Security Groups

Windows Firewall Configuration: Windows Firewall

asked 18/09/2024
Leon Chukwuma
35 questions

Question 4

Report Export Collapse

Refer to the exhibit.

Fortinet FCP_WCS_AD-7.4 image Question 4 26013 09182024185905000000

An organization deployed the application servers in the AWS VPC that connects to the corporate data center using Transit Gateway Connect. Demand for the applications has grown and the connection requires more bandwidth.

What is required to achieve higher bandwidth?

Use routable public IP addresses instead of private IP addresses for connectivity.
Use routable public IP addresses instead of private IP addresses for connectivity.
You cannot increase bandwidth the connection has a fixed limit.
You cannot increase bandwidth the connection has a fixed limit.
No configuration change is required because GRE tunnels are scaled to provide higher bandwidth.
No configuration change is required because GRE tunnels are scaled to provide higher bandwidth.
You add a Transit VPC between the organization's VPCs.
You add a Transit VPC between the organization's VPCs.
Suggested answer: C
Explanation:

Understanding Transit Gateway Connect:

Transit Gateway Connect is a feature of AWS Transit Gateway that simplifies the integration of SD-WAN networks with AWS. It uses Generic Routing Encapsulation (GRE) tunnels to facilitate this connection.

GRE Tunnels and Bandwidth:

GRE tunnels can dynamically scale to meet increasing bandwidth demands. They allow multiple tunnels between the same endpoints, which can aggregate bandwidth without requiring additional configuration.

Scaling Bandwidth with GRE:

The GRE protocol used by Transit Gateway Connect can support high bandwidth requirements by spreading traffic across multiple tunnels. As demand grows, additional tunnels can be automatically used to handle the increased traffic load.

Comparison with Other Options:

Option A suggests using public IP addresses, which is not relevant to bandwidth scaling.

Option B is incorrect because bandwidth can be increased through GRE scaling.

Option D suggests adding a Transit VPC, which is unnecessary for increasing bandwidth when using Transit Gateway Connect.

AWS Transit Gateway Documentation: AWS Transit Gateway

GRE Tunnels and AWS: AWS GRE Tunnels

asked 18/09/2024
AHOPkos Varga
31 questions

Question 5

Report Export Collapse

You want to deploy the Fortinet HA CloudFormation template to stage and bootstrap the FortiGate configuration in the same region in which you created your VPC, which is Ohio US-East-2.

Based on this information, which statement is correct?

You create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket can be hosted in any region.
You create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket can be hosted in any region.
The Fortinet HA cloud formation template automatically creates an S3 bucket.
The Fortinet HA cloud formation template automatically creates an S3 bucket.
You create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket needs to be hosted in the Ohio US-East-2 region.
You create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket needs to be hosted in the Ohio US-East-2 region.
You create a DynamoDB to stage and bootstrap FortiGate with an FGCP unicast configuration. It needs to be hosted in the Ohio US-East-2 region.
You create a DynamoDB to stage and bootstrap FortiGate with an FGCP unicast configuration. It needs to be hosted in the Ohio US-East-2 region.
Suggested answer: C
Explanation:

Understanding Fortinet HA CloudFormation Template:

The Fortinet High Availability (HA) CloudFormation template is used to automate the deployment and configuration of FortiGate instances in AWS.

Staging and Bootstrapping FortiGate:

Staging involves preparing the necessary configuration files and resources needed for deployment.

Bootstrapping is the process of automatically configuring FortiGate instances upon deployment.

S3 Bucket Requirement:

The configuration files required for staging and bootstrapping are typically stored in an S3 bucket.

Since the deployment is in the Ohio (US-East-2) region, it is recommended to host the S3 bucket in the same region to minimize latency and ensure regional compliance.

Comparison with Other Options:

Option A is incorrect because while an S3 bucket is required, it should be in the same region (US-East-2).

Option B is incorrect as the template does not automatically create the S3 bucket.

Option D is incorrect as DynamoDB is not used for staging and bootstrapping in this scenario.

Fortinet Documentation: FortiGate on AWS

AWS S3 Documentation: AWS S3

asked 18/09/2024
Ramzi Smair
40 questions

Question 6

Report Export Collapse

An organization has the requirement to connect a data VPC to the on-premises infrastructure of a branch office in a hybrid cloud environment. The connectivity needs the higher bandwidth but the organization does not want to use multiple connections between sites.

Which AWS solution meets the requirement?

Become a Premium Member for full access
  Unlock Premium Member

Question 7

Report Export Collapse

Refer to the exhibit.

Fortinet FCP_WCS_AD-7.4 image Question 7 26016 09182024185905000000

Traffic is initiated from the EC2 instance and is destined for the internet.

Which traffic flow is correct?

Become a Premium Member for full access
  Unlock Premium Member

Question 8

Report Export Collapse

A customer has implemented GWLB between the partner and application VPCs. FortiGate appliances are deployed in the partner VPC with multiple AZs to inspect traffic transparently.

Which two things will happen to application traffic based on the GWLB deployment? (Choose two.)

Become a Premium Member for full access
  Unlock Premium Member

Question 9

Report Export Collapse

Refer to the exhibit.

Fortinet FCP_WCS_AD-7.4 image Question 9 26018 09182024185905000000

A customer is using the AWS Elastic Load Balancer (ELB).

Which two statements are correct about the ELB configuration? (Choose two.)

Become a Premium Member for full access
  Unlock Premium Member

Question 10

Report Export Collapse

Which two statements about the FortiCloud portal are true? (Choose two.)

Become a Premium Member for full access
  Unlock Premium Member
Total 34 questions
Go to page: of 4
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Refer to the exhibit. What occurs during a failover for an active-passive (A-P) cluster that is deployed in two different availability zones? (Choose two.)
Refer to the exhibit. An administrator configured a FortiGate device to connect to the AWS API to retrieve resource values from the AWS console to create dynamic objects for the FortiGate policies. The administrator is unable to retrieve AWS dynamic objects on FortiGate. Which two reasons can explain why? (Choose two.)
A customer is attempting to deploy an active-passive high availability (HA) cluster using the software-defined network (SDN) connector in the AWS cloud. What is an important consideration to ensure a successful formation of HA, failover, and traffic flow?
You want to deploy the Fortinet HA CloudFormation template to stage and bootstrap the FortiGate configuration in the same region in which you created your VPC, which is Ohio US-East-2. Based on this information, which statement is correct?
Which three statements correctly describe FortiGate Cloud-Native Firewall (CNF)? (Choose three.)
An organization has created a VPC with two subnets and deployed a FortiGate-VM (VM04/c4.xlarge) in AWS. The EC2 instance is initially configured with two Elastic Network Interfaces (ENIs). The primary ENI is configured on the public subnet, and the secondary ENI is configured on the private subnet. To provide internet access for the FortiGate-VM, they now want to associate an EIP to its primary ENI, but the assignment is failing. Which action would allow the EIP assignment to be successful?
AWS native network services offer vast functionality and inter-connectivity between the cloud and on-premises networks. Which three additional functions can FortiGate for AWS offer to complement the native services offered by AWS? (Choose three.)
An organization has the requirement to connect a data VPC to the on-premises infrastructure of a branch office in a hybrid cloud environment. The connectivity needs the higher bandwidth but the organization does not want to use multiple connections between sites. Which AWS solution meets the requirement?
Which three statements are correct about VPC flow logs? (Choose three.)
You are troubleshooting network connectivity issues between two VMs deployed in AWS. One VM is a FortiGate located on subnet 'LAN' that is part of the VPC 'Encryption'. The other VM is a Windows server located on the subnet 'servers' which is also in the 'Encryption' VPC. You are unable to ping the Windows server from FortiGate. What are two reasons for this? (Choose two.)