Fortinet NSE7_PBC-7.2 Practice Test - Questions Answers, Page 4

The two best connection solutions available between your company headquarters, branch sites, and the Azure vWAN hub are

A) ExpressRoute and E. VPN Gateway.

According to the Azure documentation for Virtual WAN, ExpressRoute and VPN Gateway are two of the supported connectivity options for connecting your on-premises sites and Azure virtual networks to the Azure vWAN hub1. These options provide secure, reliable, and high-performance connectivity for your network traffic.

ExpressRoute is a service that lets you create private connections between your on-premises sites and Azure. ExpressRoute connections do not go over the public internet, and offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the internet2.

VPN Gateway is a service that lets you create encrypted connections between your on-premises sites and Azure over the internet using IPsec/IKE protocols. VPN Gateway also supports point-to-site VPN connections for individual clients using OpenVPN or IKEv2 protocols3.

The other options are incorrect because:

GRE tunnels are not a supported connectivity option for Azure vWAN. GRE is a protocol that encapsulates packets for tunneling purposes. GRE tunnels are established between the connect attachment and your appliance in Azure vWAN4.

SSL VPN connections are not a supported connectivity option for Azure vWAN. SSL VPN is a type of VPN that uses the Secure Sockets Layer (SSL) protocol to secure the connection between a client and a server. SSL VPN is not compatible with the Azure vWAN hub5.

An L2TP connection is not a supported connectivity option for Azure vWAN. L2TP is a protocol that creates a tunnel between two endpoints at the data link layer (Layer 2) of the OSI model. L2TP is not compatible with the Azure vWAN hub.

1: Azure Virtual WAN Overview | Microsoft Learn 2: [ExpressRoute overview - Azure ExpressRoute | Microsoft Docs] 3: [VPN Gateway - Virtual Networks | Microsoft Azure] 4: [Transit Gateway Connect - Amazon Virtual Private Cloud] 5: [SSL VPN - Wikipedia] : [Layer 2 Tunneling Protocol - Wikipedia]

The correct answer is C. Use FortiWebCloud.

FortiWebCloud is a SaaS cloud-based web application firewall (WAF) that protects public cloud hosted web applications from the OWASP Top 10, zero day threats, and other application layer attacks1. FortiWebCloud also includes robust features such as API discovery and protection, bot mitigation, threat analytics, and advanced reporting2. FortiWebCloud supports multiple regions across the world, and you can choose the region that is closest to your applications to minimize traffic cost3.

The other options are incorrect because:

FortiADC is an application delivery controller that provides load balancing, acceleration, and security for web applications. It is not a dedicated WAF solution and does not offer the same level of protection as FortiWebCloud4.

FortiCNP is a cloud-native platform that provides security and visibility for containerized applications. It is not a WAF solution and does not protect web applications from the OWASP Top 10 vulnerabilities5.

FortiGate is a next-generation firewall (NGFW) that provides network security and threat prevention. It is not a WAF solution and does not offer the same level of protection as FortiWebCloud for web applications. It also requires additional configuration and management to deploy in the public cloud6.

1: Overview | FortiWeb Cloud 23.3.0 - Fortinet Documentation 2: Web Application Firewall (WAF) & API Protection | Fortinet 3: [FortiWeb Cloud WAF-as-a-Service | Fortinet] 4: [Application Delivery Controller (ADC) | Fortinet] 5: [Fortinet Cloud Native Platform | Fortinet] 6: [FortiGate Next-Generation Firewall (NGFW) | Fortinet]

This is because the Linux1 EC2 instance is not accessible directly from the internet using its public IP address in AWS.

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. Without an internet gateway, the Linux1 EC2 instance cannot receive or send traffic to or from the internet, even if it has a public IP address assigned to it.

To fix this issue, you need to attach an internet gateway to the Spoke VPC A and configure a route table that directs internet-bound traffic to the internet gateway. You also need to ensure that the Linux1 EC2 instance has a security group that allows inbound and outbound traffic on the desired ports.

: [Internet Gateways - Amazon Virtual Private Cloud] : [Attach an Internet Gateway to Your VPC - Amazon Virtual Private Cloud] : [Security Groups for Your VPC - Amazon Virtual Private Cloud]