ExamGecko

Fortinet NSE7_PBC-7.2 Practice Test - Questions Answers, Page 3

Question 21

Refer to the exhibit.

[Exhibit image for Question 21 (not reproduced in text)]

Consider the active-active load balance sandwich scenario in Microsoft Azure.

What are two important facts in the active-active load balance sandwich scenario? (Choose two.)

A. It uses the vdom-exception command to exclude the configuration from being synced.
B. It is recommended to enable NAT on FortiGate policies.
C. It uses the FGCP protocol.
D. It supports session synchronization for handling asynchronous traffic.

Suggested answer: B, D

Explanation:

B. It is recommended to enable NAT on FortiGate policies. This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets [1]. If NAT is not enabled, the source IP address of the packets will be the same as the load balancer's frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues [1]. Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing [1].

D. It supports session synchronization for handling asynchronous traffic. This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session [2]. For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table [2]. This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors.

The other options are incorrect because:

It does not use the vdom-exception command to exclude the configuration from being synced. The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group [3]. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname.

It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.

asked 18/09/2024
Massimo Cerqui

Question 22

Refer to the exhibit.

[Exhibit image for Question 22 (not reproduced in text)]

You are troubleshooting a FortiGate HA floating IP issue with Microsoft Azure. After the failover, the new primary device does not have the previous primary device's floating IP address.

What could be the possible issue with this scenario?

A. FortiGate port4 does not have internet access.
B. A wrong client secret credential is used.
C. The error is caused by credential time expiration.
D. The Azure service principal account must have a contributor role.

Suggested answer: D

Explanation:

In this scenario, the issue is caused by the Azure service principal account not having a contributor role. This is required for the FortiGate HA floating IP to work properly. Without this role, the new primary device will not have the previous primary device's floating IP address after failover.

Reference: Fortinet Public Cloud Security knowledge source documents or study guide.

https://docs.fortinet.com/product/fortigate-public-cloud/7.2

asked 18/09/2024
Jeremiah Hutchins

Question 23

You are troubleshooting an Azure SDN connectivity issue with your FortiGate VM.

Which two queries does that SDN connector use to interact with the Azure management API? (Choose two.)

A. The first query is targeted to a special IP address to get a token.
B. The first query is targeted to IP address 8.8
C. There is only one query initiating from FortiGate port1.
D. Some queries are made to manage public IP addresses.

Suggested answer: A, D

Explanation:

The Azure SDN connector uses two types of queries to interact with the Azure management API. The first query is targeted to a special IP address to get a token. This token is used to authenticate the subsequent queries. The second type of query is used to retrieve information about the Azure resources, such as virtual machines, network interfaces, network security groups, and public IP addresses. Some queries are made to manage public IP addresses, such as assigning or releasing them from the FortiGate VM.

Reference: Configuring an SDN connector in Azure; Azure SDN connector using service principal; Troubleshooting Azure SDN connector

asked 18/09/2024
Tom Starren

Question 24

When adding the Amazon Web Services (AWS) account to the FortiCNP, which three mandatory configuration steps must you follow? (Choose three.)

A. Add AWS accounts through FortiCNP.
B. Enable cloud protection through AWS GuardDuty and AWS Inspector.
C. Accept FortiCNP to create CloudTrail for the account.
D. Enable cross-region aggregation.
E. Launch the CloudFormation template.

Suggested answer: A, C, E

Explanation:

When adding the Amazon Web Services (AWS) account to the FortiCNP, you must follow these three mandatory configuration steps:

Add AWS accounts through FortiCNP. This is the first step to enable cloud protection for your AWS account. You can add one or multiple accounts automatically or manually. You need to provide the AWS account ID and a name for the account. You also need to select the optional permissions to be granted to FortiCNP as needed [1].

Accept FortiCNP to create CloudTrail for the account. This is required for FortiCNP to collect and analyze the AWS API calls and events. You can choose to let FortiCNP create a CloudTrail for the account or use an existing one. You also need to specify the aggregation region for the CloudTrail [1].

Launch the CloudFormation template. This is required for FortiCNP to create a stack and a role in your AWS account. The stack contains the resources that FortiCNP needs to access and monitor your AWS account. The role allows FortiCNP to assume it and perform actions on your behalf. You need to enter a custom or default role name and a unique UUID that is designated for your company on FortiCNP [1].

https://docs.fortinet.com/document/forticnp/22.4.a/online-help/246021/add-aws-account-automatically

asked 18/09/2024
Peter Sundstrom

Question 25

Refer to the exhibit.

[Exhibit image for Question 25 (not reproduced in text)]

The exhibit shows the results of a FortiCNP registry scan.

Which two statements are correct? (Choose two.)

A. When adding a repository, you can leave the Tag section blank to scan all images.
B. The registry scan is part of the FortiCNP cloud protection.
C. The registry scan is part of the FortiCNP container protection.
D. When adding a repository, you can add a minimum number of images to be imported through the CAP section.

Suggested answer: A, C

Explanation:

The exhibit shows the results of a FortiCNP registry scan, which is part of the FortiCNP container protection. FortiCNP's Container Protection provides deep visibility into the security posture of container registries and images [1]. The registry scan utilizes the Common Vulnerabilities and Exposures (CVE) index regularly updated by NVD to detect underlying vulnerabilities and security flaws, and provides security best practices [2]. The registry scan is performed at the registry level, and it can scan all images in a repository if the Tag section is left blank when adding a repository [2]. The CAP section stands for Container Assurance Policy, which defines the minimum number of images to be scanned per repository [3]. Therefore, the correct statements are A and C.

Reference: Container Image Scan | FortiCNP 22.3.a; FortiCNP; Cloud Native Application Protection Platform | FortiCNP

asked 18/09/2024
Akhil Borkar

Question 26

A customer would like to use FortiGate fabric integration with FortiCNP.

When configuring a FortiGate VM to add to FortiCNP, which three mandatory configuration steps must you follow on FortiGate? (Choose three.)

A. Enable send logs.
B. Create an IPS sensor and a firewall policy.
C. Create an IPsec tunnel.
D. Create an SSL/SSH inspection profile.
E. Enable two-factor authentication.

Suggested answer: A, B, D

Explanation:

To configure a FortiGate VM to add to FortiCNP, you need to perform three steps on FortiGate:

Enable send logs in FortiGate to allow FortiCNP to receive the IPS logs from FortiGate.

Create an SSL/SSH inspection profile on FortiGate to inspect the encrypted traffic and apply IPS protection.

Create an IPS sensor and a firewall policy on FortiGate to enable IPS detection and prevention for the traffic.

FortiCNP 22.4.a Administration Guide, page 22-24

FortiGate IPS Administration Guide, page 9-10

asked 18/09/2024
Juan Rodriguez

Question 27

Refer to the exhibit.

[Exhibit image for Question 27 (not reproduced in text)]

A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Linux1 and Linux2 instances to the internet through the security VPC (virtual private cloud). The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface. Assume there are no issues with the Transit Gateway (TGW) configuration.

Which two settings must the customer add to correct the issue? (Choose two.)

A. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the Internet Gateway (IGW).
B. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the TGW.
C. Both landing subnets in the security VPC must have a 0.0.0.0/0 traffic route to the FortiGate port2.
D. The four landing subnets in all the VPCs must have a 0.0.0.0/0 traffic route to the TGW.

Suggested answer: B, C

Explanation:

The correct answer is B and C. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the TGW. Both landing subnets in the security VPC must have a 0.0.0.0/0 traffic route to the FortiGate port2.

According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. To send outbound traffic from the Linux instances to the internet through the security VPC, you need to do the following steps:

In the main subnet routing table in the spoke VPCs, add a new route with destination 0.0.0.0/0, next hop TGW. This route directs all traffic from the Linux instances to the TGW, which can then forward it to the appropriate destination based on the TGW route table.

In the main subnet routing table in the security VPC, add a new route with destination 0.0.0.0/0, next hop FortiGate port2. This route directs all traffic from the TGW to the FortiGate internal interface, where it can be inspected and allowed by the FortiGate policies.

The other options are incorrect because:

Adding a 0.0.0.0/0 traffic route to the Internet Gateway (IGW) in the spoke VPCs is not correct, as this would bypass the TGW and the security VPC and send all traffic directly to the internet.

Adding a 0.0.0.0/0 traffic route to the TGW in all the VPCs is not necessary, as only the spoke VPCs need to send traffic to the TGW. The security VPC needs to send traffic to the FortiGate port2.

References: Transit Gateways - Amazon Virtual Private Cloud; Fortinet Documentation Library - Deploying FortiGate VMs on AWS

asked 18/09/2024
Tony Hardyanto

Question 28

Which two Amazon Web Services (AWS) features support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

A. A NAT gateway with an EIP
B. A transit gateway with an attachment
C. An Internet gateway with an EIP
D. A transit VPC

Suggested answer: B, D

Explanation:

The correct answer is B and D. A transit gateway with an attachment and a transit VPC support east-west traffic inspection within the AWS cloud by the FortiGate VM.

According to the Fortinet documentation for Public Cloud Security, a transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway. By using a transit gateway with an attachment, you can route traffic from your spoke VPCs to your security VPC, where the FortiGate VM can inspect the traffic [1].

A transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs). By using a transit VPC, you can deploy the FortiGate VM as a virtual appliance that provides network security and threat prevention for your VPCs [2].

The other options are incorrect because:

A NAT gateway with an EIP is a service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. A NAT gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate VM [3].

An Internet gateway with an EIP is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. An Internet gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate VM [4].

1: Fortinet Documentation Library - Deploying FortiGate VMs on AWS
2: Fortinet Documentation Library - Transit VPC on AWS
3: NAT Gateways - Amazon Virtual Private Cloud
4: Internet Gateways - Amazon Virtual Private Cloud

asked 18/09/2024
carlos soto

Question 29

Which statement about Transit Gateway (TGW) in Amazon Web Services (AWS) is true?

A. TGW can have multiple TGW route tables.
B. Both the TGW attachment and propagation must be in the same TGW route table.
C. A TGW attachment can be associated with multiple TGW route tables.
D. The TGW default route table cannot be disabled.

Suggested answer: A

Explanation:

According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway route table is a set of rules that determines how traffic is routed among the attachments to the transit gateway [1].

A transit gateway can have multiple route tables, and you can associate different attachments with different route tables. This allows you to control how traffic is routed between your VPCs and VPNs based on your network design and security requirements [1].

The other options are incorrect because:

"Both the TGW attachment and propagation must be in the same TGW route table" is not true. You can associate an attachment with one route table and enable propagation from another attachment to a different route table. This allows you to separate the routing domains for your attachments [1].

"A TGW attachment can be associated with multiple TGW route tables" is not true. You can only associate an attachment with one route table at a time. However, you can change the association at any time [1].

"The TGW default route table cannot be disabled" is not true. You can disable the default route table by deleting all associations and propagations from it. However, you cannot delete the default route table itself [1].

1: Transit Gateways - Amazon Virtual Private Cloud

asked 18/09/2024
Brian Wilson

Question 30

You are asked to find a solution to replace the existing VPC peering topology to have a higher bandwidth connection from Amazon Web Services (AWS) to the on-premises data center. Which two solutions will satisfy the requirement? (Choose two.)

A. Use ECMP and VPN to achieve higher bandwidth.
B. Use transit VPC to build multiple VPC connections to the on-premises data center.
C. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center.
D. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center.

Suggested answer: C, D

Explanation:

The correct answer is C and D. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center.

According to the Fortinet documentation for Public Cloud Security, a transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs). A transit VPC can use a hub and spoke topology to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention. A transit VPC can also leverage Equal-Cost Multi-Path (ECMP) routing to achieve higher bandwidth and load balancing across multiple VPN tunnels [1].

A transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway. You can use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention. A transit gateway attachment with VPN option can also leverage ECMP routing to achieve higher bandwidth and load balancing across multiple VPN tunnels [2].

The other options are incorrect because:

Using ECMP and VPN to achieve higher bandwidth is not a complete solution, as it does not specify how to replace the existing VPC peering topology or how to connect the AWS VPCs to the on-premises data center.

Using transit VPC to build multiple VPC connections to the on-premises data center is not a correct solution, as it does not specify how to use a hub and spoke topology or how to leverage ECMP routing for higher bandwidth.

1: Fortinet Documentation Library - Transit VPC on AWS
2: Fortinet Documentation Library - Deploying FortiGate VMs on AWS

asked 18/09/2024
AshokBabu Kumili
Total 59 questions