Fortinet NSE7_PBC-7.2 Practice Test - Questions Answers

B) The default network ACL is configured to allow all traffic.This means that when you create a VPC, AWS automatically creates a default network ACL for that VPC, and associates it with all the subnets in the VPC1.By default, the default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic1.You can modify the default network ACL, but you cannot delete it1. C. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.This means that network ACLs do not keep track of the traffic that they allow or deny, and they evaluate each packet separately1.Therefore, you need to create both inbound and outbound rules for each type of traffic that you want to allow or deny1.For example, if you want to allow SSH traffic from a specific IP address to your subnet, you need to create an inbound rule to allow TCP port 22 from that IP address, and an outbound rule to allow TCP port 1024-65535 (the ephemeral ports) to that IP address2.

The other options are incorrect because:

You can use network ACL and security group at the same time.Network ACL and security group are two different types of security layers for your VPC that can work together to control traffic3.Network ACL acts as a firewall for your subnets, while security group acts as a firewall for your instances3. You can use both of them to create a more granular and effective security policy for your VPC.

Network ACLs are not tied to an instance.Network ACLs are associated with subnets, not instances1.This means that network ACLs apply to all the instances in the subnets that they are associated with1. You cannot associate a network ACL with a specific instance.However, you can associate a security group with a specific instance or multiple instances3.

To get Terraform ready using Microsoft Azure Cloud Shell, you need to perform the following steps:

Set up a storage account in Azure.This is required to store the Terraform state file in a blob container, which enables collaboration and persistence of the infrastructure configuration1.

Use the wget (terraform_version) command to upload Terraform.This command downloads the latest version of Terraform from the official website and saves it as a zip file in the current directory2.

Move the Terraform file to the bin directory. This step extracts the Terraform executable from the zip file and moves it to the bin directory, which is part of the PATH environment variable.This allows you to run Terraform commands from any directory in Cloud Shell2.

The other options are incorrect because:

You do not need to use the -O command to download Terraform.This command is used to specify a different output file name for the downloaded file, but it is not necessary for this task3.

You do not need to subscribe to Terraform in Azure.Terraform is an open-source tool that can be used with any cloud provider, and there is no subscription or registration required to use it with Azure4.Reference:

Updating the route table and adding an IAM policy

Configure Terraform in Azure Cloud Shell with Bash

wget(1) - Linux man page

Terraform by HashiCorp

A) All the output values are available after a successful terraform apply command.This means that after the deployment, you can view the output values by running terraform output or terraform show in the same directory where you ran terraform apply1.You can also use the output values in other Terraform configurations or external systems by using the terraform output command with various options2. B. The subnet_private_1 value is defined in the variables.tf file.This means that the subnet_private_1 value is an input variable that can be customized by passing a different value when running terraform apply or by setting an environment variable3.The variables.tf file is where you declare all the input variables for your Terraform configuration4.

The other options are incorrect because:

After the deployment, Terraform output values are not visible only through AWS CloudShell. You can access them from any shell or terminal where you have Terraform installed and configured with your AWS credentials.

You do not need to specify all the AWS credentials in the output.tf file.The output.tf file is where you declare all the output values for your Terraform configuration4. You can specify your AWS credentials in a separate file, such as provider.tf, or use environment variables or shared credentials files.Reference:

Output Values - Configuration Language | Terraform - HashiCorp Developer

Command: output - Terraform by HashiCorp

Input Variables - Configuration Language | Terraform - HashiCorp Developer

Configuration Language | Terraform - HashiCorp Developer

The variables.tf file shows that the FortiGate VM will be deployed in the eu-West-Ia region with private and public subnets. The region variable is set to ''eu-west-1'' and the availability_zone variable is set to ''eu-west-1a''. The vpc_id variable is set to ''vpc-0e9d6a6f'' and the subnets variable is set to a list of two subnet IDs: ''subnet-0f9d6a6f'' and ''subnet-1f9d6a6f''. The license_type variable is set to ''on-demand'' and the ami_id variable is set to ''ami-0e9d6a6f''.

Ansible connects to FortiGate using an API, which is a method of communication between different software components.Ansible uses the fortios_* modules to interact with the FortiOS API, which is a RESTful API that allows configuration and monitoring of FortiGate devices12.Ansible can use either HTTP or HTTPS as the transport protocol, and can authenticate with either a username and password or an API token3.

The other options are incorrect because:

Ansible does not use TCP port 21 to connect to FortiGate.Port 21 is typically used for FTP, which is not supported by FortiOS4.

Ansible does not use SSH as a connection method to FortiOS. SSH is a secure shell protocol that allows remote command execution and file transfer, but it is not the preferred way of automating configuration changes on FortiGate devices.

Ansible does not use YAML to connect to FortiGate. YAML is a data serialization language that Ansible uses to write playbooks and inventory files, but it is not a connection method.Reference:

Fortinet.Fortios --- Ansible Documentation

FortiOS REST API Reference

FortiOS Module Guide --- Ansible Documentation

FortiOS 7.0 CLI Reference

[Connection methods and details --- Ansible Documentation]

[YAML Syntax --- Ansible Documentation]

B) Add route destination 0.0.0.0/0 to target the transit gateway.This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs1.The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model2. D) Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway.This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located3.An internet gateway is a service that enables communication between your VPC and the internet4. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources. E. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC.This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located3. This is an alternative solution to option D, depending on which subnet you want to use for the FortiGate VM.

The other options are incorrect because:

Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet1.Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.

Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC1.Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.

Network ACLs are stateless, and they evaluate each packet separately based on the rules that you define.The rules are processed in order, starting with the lowest numbered rule1.If the traffic matches a rule, the rule is applied and no further rules are evaluated1. Therefore, if you want to allow SSH traffic to a subnet, you must create a new allow SSH rule above rule number 5, which denies SSH and telnet traffic. Otherwise, the deny rule will take precedence and block the SSH traffic.

The other options are incorrect because:

Creating a new allow SSH rule below rule number 5 will not allow SSH traffic, because the deny rule will be evaluated first and block the traffic.

Creating a new allow SSH rule anywhere in the network ACL rule base will not guarantee that SSH traffic will be allowed, because it depends on the order of the rules. If the allow SSH rule is below the deny rule, it will not be effective.

You cannot rely on the default security group rule to allow SSH traffic to the subnet, because network ACLs act as an additional layer of security for your VPC. Even if your security group allows SSH traffic, your network ACL must also allow it. Otherwise, the traffic will be blocked at the subnet level.

A) The peer GRE address is the FortiGate external interface IP address.This is the IP address of the FortiGate interface that is connected to the transit gateway attachment subnet1.This IP address is used to establish the GRE tunnel between the FortiGate and the transit gateway2. B) The Transit Gateway GRE address is auto-generated.This is the IP address of the transit gateway that is used to establish the GRE tunnel with the FortiGate2.This IP address is automatically assigned by AWS from the Transit Gateway CIDR range that you specify when you create the Connect attachment3.

The other options are incorrect because:

The BGP inside CIDR blocks cannot be any CIDR block with /29.They must be a /29 CIDR block from the 169.254.0.0/16 range for IPv4, or a /125 CIDR block from the fd00::/8 range for IPv64.These are the inside IP addresses that are used for BGP peering over the GRE tunnel4.

The Peer GRE address is not the FortiGate internal interface IP address.The internal interface IP address is used to route traffic from the FortiGate to the VPC subnet where the third-party appliance (such as SD-WAN) is located1.The Peer GRE address is used to route traffic from the FortiGate to the transit gateway over the GRE tunnel2.

The error message indicates that the Connect attachment is already associated with another transit gateway route table. You cannot associate the same attachment with more than one route table. However, you can propagate the same attachment to multiple route tables. Therefore, to fulfill your requirement of configuring a second route table for east-west traffic inspection between two VPCs, you need to create a propagation with the Connect attachment in the second route table.This will allow the second route table to learn the routes from the Connect attachment and forward the traffic to the security VPC1.You also need to associate the second route table with the Transport attachment, which is the transit gateway attachment for the security VPC1.

Transit gateway route tables - Amazon VPC | AWS Documentation

Getting started with transit gateways - Amazon VPC | AWS Documentation

Configuring TGW route tables | FortiGate Public Cloud 7.4.0 | Fortinet Document Library