Download FCP - AWS Cloud Security 7.4 Administrator.FCP_WCS_AD-7.4.VCEplus.2024-06-25.18q.tqb

HA Cluster in AWS Cloud:Deploying an active-passive HA cluster in AWS requires careful consideration of the clustering protocol used to ensure seamless failover and traffic flow.Unicast FortiGate Clustering Protocol (FGCP):Unicast FGCP is specifically designed for environments where multicast traffic is not feasible or supported, such as in the AWS cloud. Using unicast FGCP ensures that heartbeat and synchronization traffic between the cluster members are managed correctly over unicast communication, which is suitable for AWS's network infrastructure (Option C).Comparison with Other Options:Option A is incorrect because while placing both cluster members in the same availability zone might be required for certain configurations, it is not the critical factor for HA formation.Option B is incorrect as VDOM exceptions are not directly related to the successful formation of HA.Option D is incorrect because the ELB configuration checks are more about ensuring that the load balancer correctly routes traffic but do not specifically ensure HA formation and failover.FortiGate HA in AWS Documentation: FortiGate HAFortinet FGCP Details: FGCP Documentation

Cluster Elastic IP Address (EIP) Movement:During a failover in an active-passive (A-P) cluster, the Elastic IP (EIP) associated with the active FortiGate instance (FGT-1) needs to be moved to the passive instance (FGT-2), which becomes the new active instance. This ensures that the traffic directed to the EIP is now handled by FGT-2 (Option A).Secondary IP Address Movement:The secondary IP address on Port2 of the current active instance (FGT-1) is moved to the same port on the new active instance (FGT-2). This step is crucial to ensure seamless network traffic redirection and connectivity for the services relying on that IP address (Option B).Other Options Analysis:Option C is incorrect because the static route modification mentioned is not directly related to the failover process described.Option D is incorrect because no additional route needs to be added to the HA Sync AZ2 subnet route table to forward traffic to the Internet Gateway during a failover.FortiGate HA Configuration Guide: FortiGate HAAWS Elastic IP Documentation: Elastic IP

DNS Configuration:For FortiWeb Cloud to effectively protect web applications, the DNS records for the application servers must be configured to point to FortiWeb Cloud. This ensures that all incoming traffic is routed through FortiWeb Cloud for inspection and protection (Option A).Traffic Filtering:FortiWeb Cloud provides robust protection by filtering incoming traffic to block the OWASP Top 10 attacks, zero-day threats, and other application layer attacks. This ensures the security and integrity of the web applications it protects (Option B).Other Options Analysis:Option C is incorrect because FortiWeb Cloud can protect application servers across different VPCs or regions, not just within the same VPC.Option D is incorrect because step 2 does not require an AWS S3 bucket; it refers to the inspection and filtering of incoming traffic.FortiWeb Cloud Overview: FortiWeb CloudDNS Configuration for Web Applications: DNS Configuration