Fortinet FCP_WCS_AD-7.4 Practice Test - Questions Answers, Page 3

You need to deploy a new Windows server in AWS to offload web traffic from an existing web server in a different availability zone.

According to the AWS shared responsibility model, what three actions must you take to secure the new EC2 instance? (Choose three.)

A. Update software on the instance.
B. Change the existing elastic load balancer (ELB) to a gateway load balancer.
C. Configure security groups.
D. Manage the operating system on the instance.
E. Move all web servers into the same availability zone.

Suggested answer: A, C, D

Explanation:

Update Software:

As part of the AWS shared responsibility model, it is the customer's responsibility to update and maintain the software running on the EC2 instance, including applying security patches and updates (Option A).

Configure Security Groups:

Security groups act as virtual firewalls for instances to control inbound and outbound traffic. Configuring them correctly is essential for securing the EC2 instance and ensuring only legitimate traffic can reach the server (Option C).

Manage Operating System:

Managing the operating system, including user accounts, permissions, and operating system patches, is the responsibility of the customer under the shared responsibility model (Option D).

Other Options Analysis:

Option B is incorrect as changing the existing ELB to a gateway load balancer is not necessary for securing the new EC2 instance.

Option E is incorrect because it is not required to move all web servers into the same availability zone for security purposes.

AWS Shared Responsibility Model: AWS Shared Responsibility

EC2 Security Best Practices: AWS EC2 Security

An administrator wants to deploy a solution to automatically create firewall rules on FortiGate to accelerate time-to-protection for threats.

Which AWS service can be integrated with FortiGate to accomplish this?

A. AWS Firewall Manager
B. AWS network access control list
C. SDN Connector for AWS
D. AWS GuardDuty

Suggested answer: D

Explanation:

AWS GuardDuty Integration:

AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads. It can generate findings that can be used to create or update firewall rules automatically in FortiGate to enhance security and provide timely protection (Option D).

Integration with FortiGate:

GuardDuty findings can be integrated with FortiGate using automation tools and scripts to create firewall rules dynamically, thereby accelerating the time-to-protection against emerging threats.

Other Options Analysis:

Option A (AWS Firewall Manager) is more suited for managing rules across multiple accounts but not for dynamic threat response.

Option B (AWS Network ACL) provides stateless filtering but does not offer automated rule creation.

Option C (SDN Connector for AWS) helps in integrating SDN capabilities but is not specifically focused on threat-based rule automation.

AWS GuardDuty: AWS GuardDuty

FortiGate Integration: Fortinet Integration

An administrator needs to attach an Elastic Network Interface (ENI) to an application instance in a VPC with multiple availability zones. An instance runs in availability zone 1.

Which ENI property must the administrator consider when implementing this requirement?

A. An ENI cannot attach to an instance in availability zone 2.
B. After the ENI detaches from one instance, it can reattach only to the same instance.
C. You can detach the primary ENI from an AWS instance.
D. When you move an ENI, network traffic remains directed to the old instance until you terminate that instance.

Suggested answer: A

Explanation:

ENI Attachment Across Availability Zones:

Elastic Network Interfaces (ENIs) are associated with a specific Availability Zone. They cannot be attached to instances that are in a different Availability Zone than where the ENI was created. Therefore, an ENI created in Availability Zone 1 cannot be attached to an instance in Availability Zone 2 (Option A).

ENI Reattachment:

ENIs can be detached from one instance and reattached to another instance within the same Availability Zone. This flexibility allows for network interface configuration to be preserved across instance changes within the same AZ.

Other Options Analysis:

Option B is incorrect because an ENI can be reattached to any instance in the same AZ.

Option C is incorrect as the primary ENI (eth0) cannot be detached from an instance.

Option D is incorrect because when an ENI is moved, the traffic is directed to the new instance, and there is no redirection to the old instance.

AWS ENI Documentation: Elastic Network Interfaces

AWS Networking Best Practices: AWS Networking

Refer to the exhibit.

What occurs during a failover for an active-passive (A-P) cluster that is deployed in two different availability zones? (Choose two.)

A. The cluster elastic IP address (EIP) is moved from Port1 of FGT-1 to Port1 of FGT-2.
B. The secondary IP address of Port2 of FGT-1 is moved to Port2 of FGT-2.
C. The default static route in the Private-AZ1 subnet route table is modified to forward all traffic to Port2 of FGT-2.
D. An additional route is added to the route table of the HA Sync AZ2 subnet to forward all traffic to the Internet GW.

Suggested answer: A, B

Explanation:

Cluster Elastic IP Address (EIP) Movement:

During a failover in an active-passive (A-P) cluster, the Elastic IP (EIP) associated with the active FortiGate instance (FGT-1) needs to be moved to the passive instance (FGT-2), which becomes the new active instance. This ensures that the traffic directed to the EIP is now handled by FGT-2 (Option A).

Secondary IP Address Movement:

The secondary IP address on Port2 of the current active instance (FGT-1) is moved to the same port on the new active instance (FGT-2). This step is crucial to ensure seamless network traffic redirection and connectivity for the services relying on that IP address (Option B).

Other Options Analysis:

Option C is incorrect because the static route modification mentioned is not directly related to the failover process described.

Option D is incorrect because no additional route needs to be added to the HA Sync AZ2 subnet route table to forward traffic to the Internet Gateway during a failover.

FortiGate HA Configuration Guide: FortiGate HA

AWS Elastic IP Documentation: Elastic IP

Refer to the exhibit.

Which two statements are correct about traffic flow in FortiWeb Cloud? (Choose two.)

A. The DNS name for the application servers must point to FortiWeb Cloud.
B. FortiWeb Cloud filters the incoming traffic from users, blocking the OWASP Top 10 attacks, zero-day threats, and other application layer attacks.
C. FortiWeb Cloud can protect the application servers only if they are all located in the same virtual private cloud (VPC).
D. Step 2 requires an AWS S3 bucket to be created.

Suggested answer: A, B

Explanation:

DNS Configuration:

For FortiWeb Cloud to effectively protect web applications, the DNS records for the application servers must be configured to point to FortiWeb Cloud. This ensures that all incoming traffic is routed through FortiWeb Cloud for inspection and protection (Option A).

Traffic Filtering:

FortiWeb Cloud provides robust protection by filtering incoming traffic to block the OWASP Top 10 attacks, zero-day threats, and other application layer attacks. This ensures the security and integrity of the web applications it protects (Option B).

Other Options Analysis:

Option C is incorrect because FortiWeb Cloud can protect application servers across different VPCs or regions, not just within the same VPC.

Option D is incorrect because step 2 does not require an AWS S3 bucket; it refers to the inspection and filtering of incoming traffic.

FortiWeb Cloud Overview: FortiWeb Cloud

DNS Configuration for Web Applications: DNS Configuration

What is a drawback of deploying a FortiWeb VM inside a virtual private cloud (VPC) compared to FortiWeb Cloud?

A. It is unable to protect web applications from OWASP Top 10 threats.
B. It does not support zero-day protection.
C. It is slower than FortiWeb Cloud to apply advanced WAF protection.
D. Only applications going through the VPC are protected.

Suggested answer: D

Explanation:

VPC-Scoped Protection:

When deploying a FortiWeb VM inside a Virtual Private Cloud (VPC), the security and protection it offers are limited to the applications and traffic that pass through that specific VPC. This means that any applications outside this VPC will not benefit from the protection of FortiWeb VM (Option D).

Comparison with FortiWeb Cloud:

FortiWeb Cloud, being a cloud-native WAF-as-a-Service, can protect applications regardless of their VPC location, offering broader and more flexible protection capabilities.

Other Options Analysis:

Option A is incorrect because both FortiWeb VM and FortiWeb Cloud protect against OWASP Top 10 threats.

Option B is incorrect because FortiWeb VM does support zero-day protection.

Option C is incorrect as the performance of FortiWeb VM in applying advanced WAF protection is not inherently slower compared to FortiWeb Cloud.

FortiWeb Overview: FortiWeb

An AWS administrator is designing internet connectivity for an organization's virtual private cloud (VPC). The organization has web servers with private addresses that must be reachable from the internet. The web servers must be highly available.

Which two configurations can you use to ensure the web servers are highly available and reachable from the internet? (Choose two.)

A. Deploy a network load balancer.
B. Configure a network address translation (NAT) Gateway in your VPC. Place web servers behind the NAT Gateway.
C. Add a route to the default virtual private cloud (VPC) route table forwarding all traffic to the internet gateway.
D. Deploy web servers in multiple availability zones.

Suggested answer: A, D

Explanation:

Network Load Balancer:

Deploying a network load balancer ensures that incoming traffic is distributed across multiple web servers, providing high availability and redundancy. This setup helps in managing traffic efficiently and maintaining service uptime even if some servers fail (Option A).

Multiple Availability Zones:

Deploying web servers in multiple availability zones (AZs) enhances fault tolerance and availability. If one AZ goes down, servers in other AZs can continue to handle the traffic, ensuring the web application remains accessible (Option D).

Other Options Analysis:

Option B is incorrect because NAT Gateways are used to provide internet access to instances in private subnets, not to make private addresses reachable from the internet.

Option C is not sufficient on its own for high availability. Adding a route to the default VPC route table forwarding traffic to the internet gateway makes the VPC internet-accessible but does not ensure high availability.

AWS High Availability and Fault Tolerance: AWS High Availability

AWS Network Load Balancer: Network Load Balancer

A global organization with cloud networks deployed in several AWS regions wants to set up next-generation firewall (NGFW) protection using FortiGate Cloud-Native Firewall (CNF).

What are two deployment considerations for the organization? (Choose two.)

A. They must choose AWS Firewall Manager to provision a CNF instance.
B. A CNF instance is required for each AWS region that must be protected.
C. More than one AWS account can be associated with a CNF instance.
D. Only one CNF instance is required to protect all AWS regions.

Suggested answer: B, C

Explanation:

Regional Deployment:

For a global organization with cloud networks in multiple AWS regions, a separate FortiGate Cloud-Native Firewall (CNF) instance is required for each AWS region to provide localized protection and meet compliance requirements. This ensures that each region has its own dedicated NGFW protection tailored to its specific needs (Option B).

Multi-Account Association:

FortiGate CNF supports associating multiple AWS accounts with a single CNF instance. This feature is beneficial for organizations that operate in a multi-account setup, allowing centralized management and security policies across different accounts (Option C).

Other Options Analysis:

Option A is incorrect because AWS Firewall Manager is a different service and is not required to provision a CNF instance.

Option D is incorrect because a single CNF instance cannot protect multiple AWS regions due to regional isolation in AWS.

FortiGate CNF Documentation: FortiGate CNF

AWS Multi-Account Best Practices: AWS Multi-Account

An organization has created a VPC with two subnets and deployed a FortiGate-VM (VM04/c4.xlarge) in AWS.

The EC2 instance is initially configured with two Elastic Network Interfaces (ENIs). The primary ENI is configured on the public subnet, and the secondary ENI is configured on the private subnet. To provide internet access for the FortiGate-VM, they now want to associate an EIP to its primary ENI, but the assignment is failing.

Which action would allow the EIP assignment to be successful?

A. Create and associate a public subnet with the primary ENI of the FortiGate VM, and then assign the EIP to the primary ENI.
B. Shut down the FortiGate VM, if it is running, assign the EIP to the primary ENI, and then power it on.
C. Create and attach an internet gateway to the VPC, and then assign the EIP to the primary ENI of the FortiGate VM.
D. Create and attach a public routing table to the public subnet, associate the public subnet with the primary ENI of the FortiGate VM, and then assign the EIP to the primary ENI.

Suggested answer: C

Explanation:

Internet Gateway Requirement:

For an Elastic IP (EIP) to be assigned to an instance's primary ENI, the VPC must have an Internet Gateway (IGW) attached. The IGW enables the VPC to communicate with the internet, allowing the EIP to function properly (Option C).

Process of Assigning EIP:

Once the Internet Gateway is attached to the VPC, the EIP can be successfully assigned to the primary ENI of the FortiGate VM, providing it with internet access.

Other Options Analysis:

Option A is incorrect because the primary ENI is already in a public subnet.

Option B is not necessary and may not solve the issue without an attached Internet Gateway.

Option D is partially correct about the routing table but does not address the primary issue of needing an Internet Gateway.

AWS Elastic IP Documentation: Elastic IP

AWS Internet Gateway: Internet Gateway

Which three statements correctly describe FortiGate Cloud-Native Firewall (CNF)? (Choose three.)

A. It provides carrier-grade protection.
B. It scales seamlessly.
C. It uses AWS Elastic Load Balancing (ELB).
D. It is considered to be a Firewall-as-a-Service (FWaaS).
E. It can be managed by FortiManager and AWS Firewall Manager.

Suggested answer: B, D, E

Explanation:

Scalability:

FortiGate Cloud-Native Firewall (CNF) is designed to scale seamlessly with your cloud infrastructure, providing the necessary protection without requiring manual intervention for scaling (Option B).

Firewall-as-a-Service:

FortiGate CNF is offered as a Firewall-as-a-Service (FWaaS), which simplifies the deployment and management of firewall capabilities directly in the cloud environment (Option D).

Management:

FortiGate CNF can be managed using FortiManager and AWS Firewall Manager, providing comprehensive management capabilities both from Fortinet's platform and AWS's native management tools (Option E).

Other Considerations:

Option A (carrier-grade protection) is not specifically highlighted as a feature of FortiGate CNF.

Option C (uses AWS Elastic Load Balancing) is incorrect as FortiGate CNF operates independently of AWS ELB, although it can integrate with various AWS services.

FortiGate CNF Documentation: FortiGate CNF

AWS Firewall Manager: AWS Firewall Manager
