Download Fortinet NSE 7 Public Cloud Security 7.2 (FCSS).NSE7_PBC-7.2.VCEplus.2023-11-28.16q.vcex

Vendor: Fortinet
Exam Code: NSE7_PBC-7.2
Exam Name: Fortinet NSE 7 Public Cloud Security 7.2 (FCSS)
Date: Nov 28, 2023
File Size: 1 MB


Demo Questions

Question 1
Refer to the exhibit.
A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the web servers to the internet. The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface.
What are two possible reasons for this behavior? (Choose two.)
  A. The web servers are not configured with the default gateway.
  B. The internet gateway (IGW) is not added to the VPC (virtual private cloud).
  C. AWS source and destination checks are enabled on the FortiGate interfaces.
  D. AWS security groups may be blocking the traffic.
Correct answer: CD
Explanation:
You need to check whether source/destination checks are enabled on the FortiGate interfaces. Public_Cloud_6.4_Study_Guide, page 67.
Question 2
Refer to the exhibit.
Your senior administrator successfully configured a FortiGate fabric connector with the Azure Resource Manager, and created a dynamic address object on the FortiGate-VM to connect with a Windows server in Microsoft Azure. However, there is now an error on the dynamic address object, and you must resolve the issue.
How do you resolve this issue?
  A. Run diagnose debug application azd -1 on FortiGate.
  B. In the Microsoft Azure portal, set the correct tag values for the Windows server.
  C. In the Microsoft Azure portal, access the Windows server, obtain the private IP address, and assign the IP address under the FortiGate-VM AzureLab address object.
  D. Delete the address object and recreate a new address object with the type set to FQDN.
Correct answer: B
Explanation:
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/azure-administration-guide/985498/troubleshooting-azure-fabric-connector
Question 3
Refer to the exhibit.
You are deploying a FortiGate-VM in Microsoft Azure using the PAYG/On-demand licensing model. After you configure the FortiGate-VM, the validation process fails, displaying the error shown in the exhibit.
What caused the validation process to fail?
  A. You selected the incorrect resource group.
  B. You selected the Bring Your Own License (BYOL) licensing mode.
  C. You selected the PAYG/On-demand licensing model, but did not select the correct virtual machine size.
  D. You selected the PAYG/On-demand licensing model, but did not associate a valid Azure subscription.
Correct answer: D
Explanation:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
Question 4
An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?
  A. The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.
  B. The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.
  C. The worker node modifies the route table applied to the black-holed subnet, changing its default route to point to a running FortiGate on the worker node's private subnet interface.
  D. The worker node migrates the subnet to a different availability zone.
Correct answer: C
Explanation:
Official documentation, failover process in a single AZ: https://github.com/fortinet/aws-cloudformation-templates/blob/main/FGCP/7.0/SingleAZ/README.md#failover-process
Outbound failover is provided by reassigning the secondary IP addresses of ENI1\port2 from FortiGate 1's private interface to FortiGate 2's private interface. Additionally, any route targets referencing FortiGate 1's private interface will be updated to reference FortiGate 2's private interface.
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0
Question 5
Which two statements about the Amazon Cloud Services (AWS) network access control lists (ACLs) are true? (Choose two.)
  A. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
  B. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
  C. Network ACLs must be manually applied to virtual network interfaces.
  D. Network ACLs support allow rules and deny rules.
Correct answer: AD
Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
https://aws.amazon.com/premiumsupport/knowledge-center/security-network-acl-vpc-endpoint/
Network ACLs are stateless. You must define rules for both outbound and inbound traffic.
Question 6
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?
  A. Less than 10 seconds
  B. 30 seconds
  C. 20 seconds
  D. 16 seconds
Correct answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
- If your application produces a time-out response just before the next probe arrives, the detection of the events will take 5 seconds plus the duration of the application time-out when the probe arrives. You can assume the detection to take slightly over 5 seconds.
- If your application produces a time-out response just after the next probe arrives, the detection of the events won't begin until the probe arrives and times out, plus another 5 seconds. You can assume the detection to take just under 10 seconds.
Assume the reaction to a time-out response will take a minimum of 5 seconds and a maximum of 10 seconds.
Question 7
Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)
  A. Action
  B. Sequence number
  C. Source and destination IP ranges
  D. Destination port ranges
  E. Source port ranges
Correct answer: ADE
Explanation:
Under 'Default security rules' we read source, destination, source port, destination port and access. However, under 'Security rules' we read action, port ranges and source and destination, and essentially options A, C, D and E are valid, as those parameters can be configured. I would mark A, D and E, and source/destination port are to be seen in the table; maybe old documentation. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
Question 8
Refer to the exhibit.
You attempted to deploy the FortiGate-VM in Microsoft Azure with the JSON template, and it failed to boot up. The exhibit shows an excerpt from the JSON template.
What is incorrect with the template?
  A. The LUN ID is not defined.
  B. FortiGate-VM does not support managedDisk from Azure.
  C. The caching parameter should be None.
  D. The CreateOptions parameter should be FromImage.
Correct answer: D
Explanation:
https://github.com/fortinet/azure-templates/blob/main/FortiGate/A-Single-VM/azuredeploy.json
Question 9
Which two statements about Microsoft Azure network security groups are true? (Choose two.)
  A. Network security groups can be applied to subnets and virtual network interfaces.
  B. Network security groups can be applied to subnets only.
  C. Network security groups are stateless inbound and outbound rules used for traffic filtering.
  D. Network security groups are stateful inbound and outbound rules used for traffic filtering.
Correct answer: AD
Explanation:
You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see "Services that can be deployed into a virtual network". You can associate zero or one network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose. https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
Question 10
Refer to the exhibit.
In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?
  A. Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.
  B. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.
  C. Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.
  D. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to target the NAT gateway.
Correct answer: D
Explanation:
An AWS NAT gateway allows instances in a private subnet to connect to the internet or other AWS services without using a NAT instance. The main routing table sends internet traffic from the private subnet instances to the NAT gateway; the NAT gateway then sends the traffic to the IGW using the source IP address of the elastic IP address.
Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to target the NAT gateway.