Fortinet NSE7_PBC-7.2 Practice Test - Questions Answers
Question 1
Refer to the exhibit
An administrator is trying to deploy a FortiGate VM in Microsoft Azure using Terraform. However, during the configuration, the Azure client secret is no longer visible in the Azure portal.
How would the administrator obtain the Azure client secret to configure on Terraform?
Explanation:
The Azure client secret is a one-time value that is only visible when it is created. If the administrator loses or forgets the client secret, they cannot retrieve it from the Azure portal. However, they can create a new client secret and use it to configure Terraform. To create a new client secret, they need to follow these steps:
Sign in to the Azure portal and navigate to the Azure Active Directory service.
Select the application name under the App Registrations.
Select Certificates & Secrets > New client secret to create a new client secret.
Add a description and an expiration date for the client secret and select Add.
Copy the value of the new client secret immediately as it will not be shown again.
Generate new Client Secret and link to key-vault | Microsoft Learn
Azure Quickstart - Set and retrieve a secret from Key Vault using Azure portal | Microsoft Learn
Question 2
What are two main features in Amazon Web Services (AWS) network access control lists (ACLs)? (Choose two.)
Explanation:
B) The default network ACL is configured to allow all traffic. This means that when you create a VPC, AWS automatically creates a default network ACL for that VPC and associates it with all the subnets in the VPC. By default, the default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can modify the default network ACL, but you cannot delete it.
C) Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering. This means that network ACLs do not keep track of the traffic that they allow or deny, and they evaluate each packet separately. Therefore, you need to create both inbound and outbound rules for each type of traffic that you want to allow or deny. For example, if you want to allow SSH traffic from a specific IP address to your subnet, you need to create an inbound rule to allow TCP port 22 from that IP address, and an outbound rule to allow TCP ports 1024-65535 (the ephemeral ports) to that IP address.
The other options are incorrect because:
You can use a network ACL and a security group at the same time. Network ACLs and security groups are two different types of security layers for your VPC that can work together to control traffic. A network ACL acts as a firewall for your subnets, while a security group acts as a firewall for your instances. You can use both of them to create a more granular and effective security policy for your VPC.
Network ACLs are not tied to an instance. Network ACLs are associated with subnets, not instances. This means that network ACLs apply to all the instances in the subnets that they are associated with. You cannot associate a network ACL with a specific instance. However, you can associate a security group with a specific instance or multiple instances.
Question 3
What are three important steps required to get Terraform ready using Microsoft Azure Cloud Shell? (Choose three.)
Explanation:
To get Terraform ready using Microsoft Azure Cloud Shell, you need to perform the following steps:
Set up a storage account in Azure. This is required to store the Terraform state file in a blob container, which enables collaboration and persistence of the infrastructure configuration.
Use the wget (terraform_version) command to upload Terraform. This command downloads the latest version of Terraform from the official website and saves it as a zip file in the current directory.
Move the Terraform file to the bin directory. This step extracts the Terraform executable from the zip file and moves it to the bin directory, which is part of the PATH environment variable. This allows you to run Terraform commands from any directory in Cloud Shell.
The other options are incorrect because:
You do not need to use the -O command to download Terraform. This option is used to specify a different output file name for the downloaded file, but it is not necessary for this task.
You do not need to subscribe to Terraform in Azure. Terraform is an open-source tool that can be used with any cloud provider, and there is no subscription or registration required to use it with Azure.
Reference:
Updating the route table and adding an IAM policy
Configure Terraform in Azure Cloud Shell with Bash
wget(1) - Linux man page
Terraform by HashiCorp
Question 4
Refer to the exhibit
You are tasked with deploying a webserver and FortiGate VMs in AWS. You are using Terraform to automate the process.
Which two important details should you know about the Terraform files? (Choose two.)
Explanation:
A) All the output values are available after a successful terraform apply command. This means that after the deployment, you can view the output values by running terraform output or terraform show in the same directory where you ran terraform apply. You can also use the output values in other Terraform configurations or external systems by using the terraform output command with various options.
B) The subnet_private_1 value is defined in the variables.tf file. This means that the subnet_private_1 value is an input variable that can be customized by passing a different value when running terraform apply or by setting an environment variable. The variables.tf file is where you declare all the input variables for your Terraform configuration.
The other options are incorrect because:
After the deployment, Terraform output values are not visible only through AWS CloudShell. You can access them from any shell or terminal where you have Terraform installed and configured with your AWS credentials.
You do not need to specify all the AWS credentials in the output.tf file. The output.tf file is where you declare all the output values for your Terraform configuration. You can specify your AWS credentials in a separate file, such as provider.tf, or use environment variables or shared credentials files.
Reference:
Output Values - Configuration Language | Terraform - HashiCorp Developer
Command: output - Terraform by HashiCorp
Input Variables - Configuration Language | Terraform - HashiCorp Developer
Configuration Language | Terraform - HashiCorp Developer
Question 5
Refer to the exhibit
You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS).
You examined the variables.tf file.
What will be the final result after running the terraform init and terraform apply commands?
Explanation:
The variables.tf file shows that the FortiGate VM will be deployed in the eu-west-1a availability zone with private and public subnets. The region variable is set to "eu-west-1" and the availability_zone variable is set to "eu-west-1a". The vpc_id variable is set to "vpc-0e9d6a6f" and the subnets variable is set to a list of two subnet IDs: "subnet-0f9d6a6f" and "subnet-1f9d6a6f". The license_type variable is set to "on-demand" and the ami_id variable is set to "ami-0e9d6a6f".
Question 6
You are automating configuration changes on one of the FortiGate VMs using Linux Red Hat Ansible.
How does Linux Red Hat Ansible connect to FortiGate to make the configuration change?
Explanation:
Ansible connects to FortiGate using an API, which is a method of communication between different software components. Ansible uses the fortios_* modules to interact with the FortiOS API, which is a RESTful API that allows configuration and monitoring of FortiGate devices. Ansible can use either HTTP or HTTPS as the transport protocol, and can authenticate with either a username and password or an API token.
The other options are incorrect because:
Ansible does not use TCP port 21 to connect to FortiGate. Port 21 is typically used for FTP, which is not supported by FortiOS.
Ansible does not use SSH as a connection method to FortiOS. SSH is a secure shell protocol that allows remote command execution and file transfer, but it is not the preferred way of automating configuration changes on FortiGate devices.
Ansible does not use YAML to connect to FortiGate. YAML is a data serialization language that Ansible uses to write playbooks and inventory files, but it is not a connection method.
Reference:
fortinet.fortios - Ansible Documentation
FortiOS REST API Reference
FortiOS Module Guide - Ansible Documentation
FortiOS 7.0 CLI Reference
Connection methods and details - Ansible Documentation
YAML Syntax - Ansible Documentation
Question 7
Refer to the exhibit
In your Amazon Web Services (AWS) environment, you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet. However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful.
Also, you must ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC. How do you correct this issue with minimal configuration changes? (Choose three.)
Explanation:
B) Add route destination 0.0.0.0/0 to target the transit gateway. This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs. The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model.
D) Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway. This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located. An internet gateway is a service that enables communication between your VPC and the internet. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources.
E) Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC. This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located. This is an alternative solution to option D, depending on which subnet you want to use for the FortiGate VM.
The other options are incorrect because:
Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet.
Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet.
Question 8
You must allow an SSH traffic rule in an Amazon Web Services (AWS) network access control list (NACL) to allow SSH traffic to travel to a subnet for temporary testing purposes. When you review the current inbound network ACL rules, you notice that rule number 5 denies SSH and telnet traffic to the subnet.
What can you do to allow SSH traffic?
Explanation:
Network ACLs are stateless, and they evaluate each packet separately based on the rules that you define. The rules are processed in order, starting with the lowest numbered rule. If the traffic matches a rule, the rule is applied and no further rules are evaluated. Therefore, if you want to allow SSH traffic to a subnet, you must create a new allow SSH rule above rule number 5, which denies SSH and telnet traffic. Otherwise, the deny rule will take precedence and block the SSH traffic.
The other options are incorrect because:
Creating a new allow SSH rule below rule number 5 will not allow SSH traffic, because the deny rule will be evaluated first and block the traffic.
Creating a new allow SSH rule anywhere in the network ACL rule base will not guarantee that SSH traffic will be allowed, because it depends on the order of the rules. If the allow SSH rule is below the deny rule, it will not be effective.
You cannot rely on the default security group rule to allow SSH traffic to the subnet, because network ACLs act as an additional layer of security for your VPC. Even if your security group allows SSH traffic, your network ACL must also allow it. Otherwise, the traffic will be blocked at the subnet level.
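The rule-ordering and stateless behaviour described in Questions 2 and 8, as an added simulator (written for this page, not code from the practice test or from AWS); the rule numbers, CIDRs, client address and ephemeral port are constructed.

```python
"""Simulate how an AWS network ACL evaluates packets (added example).
Rules are evaluated lowest number first, the first match wins, and anything
unmatched hits the implicit '*' deny. Because NACLs are stateless, an SSH
session needs an inbound rule for port 22 and an outbound rule for the
client's ephemeral port; a security group would not need the second one."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int            # lower numbers are evaluated first
    protocol: str          # "tcp", "udp" or "all"
    ports: Tuple[int, int]  # inclusive port range
    cidr: str              # source CIDR (inbound) or destination CIDR (outbound)
    action: str            # "allow" or "deny"


def evaluate(rules: List[Rule], protocol: str, port: int, address: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); (deny, None) is the implicit '*' rule."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        lo, hi = rule.ports
        if rule.protocol not in ("all", protocol) or not lo <= port <= hi:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number   # first match wins, stop evaluating
    return "deny", None


# Constructed inbound rules: rule 5 denies SSH and telnet, as in Question 8.
INBOUND = [Rule(5, "tcp", (22, 23), "0.0.0.0/0", "deny"),
           Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
# Constructed outbound rules: no ephemeral-port rule yet, so replies are blocked.
OUTBOUND = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
EPHEMERAL_OUT = Rule(110, "tcp", (1024, 65535), "0.0.0.0/0", "allow")


def ssh_session_allowed(inbound: List[Rule], outbound: List[Rule],
                        client_ip: str = "203.0.113.10", client_port: int = 51515) -> bool:
    """A stateless NACL must pass both the inbound SYN and the outbound reply."""
    in_action, _ = evaluate(inbound, "tcp", 22, client_ip)
    out_action, _ = evaluate(outbound, "tcp", client_port, client_ip)
    return in_action == "allow" and out_action == "allow"


if __name__ == "__main__":
    print("rule 4 above the deny:", ssh_session_allowed(INBOUND + [Rule(4, "tcp", (22, 22), "0.0.0.0/0", "allow")], OUTBOUND + [EPHEMERAL_OUT]))
    print("rule 10 below the deny:", ssh_session_allowed(INBOUND + [Rule(10, "tcp", (22, 22), "0.0.0.0/0", "allow")], OUTBOUND + [EPHEMERAL_OUT]))
```

Running it shows that only the rule numbered below 5 lets the session through, and only once the outbound ephemeral-port rule is also present.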
Question 9
Refer to Exhibit:
The exhibit shows the Connect Peers settings on Amazon Web Services (AWS) transit gateway attachments with two FortiGate VMs in a security VPC.
Which two statements are correct? (Choose two.)
Explanation:
A) The peer GRE address is the FortiGate external interface IP address. This is the IP address of the FortiGate interface that is connected to the transit gateway attachment subnet. This IP address is used to establish the GRE tunnel between the FortiGate and the transit gateway.
B) The Transit Gateway GRE address is auto-generated. This is the IP address of the transit gateway that is used to establish the GRE tunnel with the FortiGate. This IP address is automatically assigned by AWS from the Transit Gateway CIDR range that you specify when you create the Connect attachment.
The other options are incorrect because:
The BGP inside CIDR blocks cannot be any CIDR block with /29. They must be a /29 CIDR block from the 169.254.0.0/16 range for IPv4, or a /125 CIDR block from the fd00::/8 range for IPv6. These are the inside IP addresses that are used for BGP peering over the GRE tunnel.
The Peer GRE address is not the FortiGate internal interface IP address. The internal interface IP address is used to route traffic from the FortiGate to the VPC subnet where the third-party appliance (such as SD-WAN) is located. The Peer GRE address is used to route traffic from the FortiGate to the transit gateway over the GRE tunnel.
Question 10
Refer to the exhibit.
You are configuring a second route table on a Transit Gateway to accommodate east-west traffic inspection between two VPCs. However, you are getting an error during the transit gateway route table association with the Connect attachment.
Which action should you take to fulfill your requirement?
Explanation:
The error message indicates that the Connect attachment is already associated with another transit gateway route table. You cannot associate the same attachment with more than one route table. However, you can propagate the same attachment to multiple route tables. Therefore, to fulfill your requirement of configuring a second route table for east-west traffic inspection between two VPCs, you need to create a propagation with the Connect attachment in the second route table. This will allow the second route table to learn the routes from the Connect attachment and forward the traffic to the security VPC. You also need to associate the second route table with the Transport attachment, which is the transit gateway attachment for the security VPC.
Reference:
Transit gateway route tables - Amazon VPC | AWS Documentation
Getting started with transit gateways - Amazon VPC | AWS Documentation
Configuring TGW route tables | FortiGate Public Cloud 7.4.0 | Fortinet Document Library