Fortinet NSE7_PBC-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE7_PBC-7.2 Online Questions & Answers

• Question 1:

  Refer to Exhibit: The exhibit shows the Connect Peers settings on Amazon Web Services (AWS) transit gateway attachments With two FortiGate VMS in a security VPC.

  

  Which two statements are correct? (Choose two.)

  A. The peer GRE address is the FortiGate external interface IP address.
  B. The Transit Gateway GRE address is auto-generated
  C. The BGP inside CIDR blocks can be any CIDR block with /29
  D. The Peer GRE address is the FortiGate internal interface IP address
  A. The peer GRE address is the FortiGate external interface IP address.
  B. The Transit Gateway GRE address is auto-generated

  ---

  explanation:

  Explanation

  A. The peer GRE address is the FortiGate external interface IP address. This is the IP address of the FortiGate interface that is connected to the transit gateway attachment subnet1. This IP address is used to establish the GRE tunnel

  between the FortiGate and the transit gateway2.

  B. The Transit Gateway GRE address is auto-generated. This is the IP address of the transit gateway that is used to establish the GRE tunnel with the FortiGate2. This IP address is

  automatically assigned by AWS from the Transit Gateway CIDR range that you specify when you create the Connect attachment3. The other options are incorrect because:

  The BGP inside CIDR blocks cannot be any CIDR block with /29. They must be a /29 CIDR block from the 169.254.0.0/16 range for IPv4, or a /125 CIDR block from the fd00::/8 range for IPv64. These are the inside IP addresses that are used

  for BGP peering over the GRE tunnel4. The Peer GRE address is not the FortiGate internal interface IP address. The internal interface IP address is used to route traffic from the FortiGate to the VPC subnet where the third-party appliance (such as SD-WAN) is located1. The Peer

  GRE address is used to route traffic from the FortiGate to the transit gateway over the GRE tunnel2.

• Question 2:

  Refer to the exhibit

  

  An administrator deployed a FortiGate-VM in a high availability (HA)

  (active/passive) architecture in Amazon Web Services (AWS) using Terraform

  for testing purposes. At the same time, the administrator deployed a single

  Linux server using AWS Marketplace

  Which two options are available for the administrator to delete all the resources

  created in this test? (Choose two.)

  A. Use the terraform destroy command
  B. Use the terraform validate command.
  C. Use the terraform destroy all command.
  D. The administrator must manually delete the Linux server.
  A. Use the terraform destroy command
  D. The administrator must manually delete the Linux server.

  ---

  explanation:

  Explanation

  A. Use the terraform destroy command. This command is used to remove all the resources that were created using the Terraform configuration1. It is the opposite of the terraform apply command, which is used to create resources. The terraform destroy command will first show a plan of what resources will be destroyed, and then ask for confirmation before proceeding. The command will also update the state file to reflect the changes.

  D. The administrator must manually delete the Linux server. This is because the Linux server was not deployed using Terraform, but using AWS Marketplace2. Therefore, Terraform does not have any information about the Linux server in its state file, and cannot manage or destroy it. The administrator will have to use the AWS console or CLI to delete the Linux server manually. The other options are incorrect because: There is no terraform validate command. The correct command is terraform plan, which is used to show a plan of what changes will be made by applying the configuration3. However, this command does not delete any resources, it only shows what will happen if terraform apply or terraform destroy is run. There is no terraform destroy all command. The correct command is terraform destroy, which will destroy all the resources in the current configuration by default1. There is no need to add an all argument to the command.

• Question 3:

  You are asked to find a solution to replace the existing VPC peering topology to have a higher bandwidth connection from Amazon Web Services (AWS) to the on-premises data center Which two solutions will satisfy the requirement? (Choose two.)

  A. Use ECMP and VPN to achieve higher bandwidth.
  B. Use transit VPC to build multiple VPC connections to the on-premises data center
  C. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center.
  D. Use the transit gateway attachment With VPN option to create multiple VPN connections to the on-premises data center
  C. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center.
  D. Use the transit gateway attachment With VPN option to create multiple VPN connections to the on-premises data center

  ---

  explanation:

  Explanation

  The correct answer is C and

  D. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center. According to the Fortinet documentation for Public Cloud Security, a transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs). A transit VPC can use a hub and spoke topology to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention.A transit VPC can also leverage Equal-Cost Multi-Path (ECMP) routing to achieve higher bandwidth and load balancing across multiple VPN tunnels1. A transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway. You can use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention.A transit gateway attachment with VPN option can also leverage ECMP routing to achieve higher bandwidth and load balancing across multiple VPN tunnels2. The other options are incorrect because: Using ECMP and VPN to achieve higher bandwidth is not a complete solution, as it does not specify how to replace the existing VPC peering topology or how to connect the AWS VPCs to the on-premises data center. Using transit VPC to build multiple VPC connections to the on-premises data center is not a correct solution, as it does not specify how to use a hub and spoke topology or how to leverage ECMP routing for higher bandwidth. 1:Fortinet Documentation Library - Transit VPC on AWS2:Fortinet Documentation Library - Deploying FortiGate VMs on AWS

• Question 4:

  You are tasked with deploying a FortiGate HA solution in Amazon Web Services (AWS) using Terraform What are two steps you must take to complete this deployment? (Choose two.)

  A. Enable automation on the AWS portal.
  B. Create an AWS Identity and Access Management (IAM) user With permissions.
  C. Use CloudSheIl to install Terraform.
  D. Create an AWS Active Directory user with permissions.
  B. Create an AWS Identity and Access Management (IAM) user With permissions.
  C. Use CloudSheIl to install Terraform.

  ---

  explanation:

  Explanation

  To deploy a FortiGate HA solution in AWS using Terraform, you need to create an AWS IAM user with permissions to access the AWS resources and services required by the FortiGate-VM. You also need to use CloudShell to install Terraform, which is a tool for building, changing, and versioning infrastructure as code.

  References: Deploying FortiGate-VM using Terraform | AWS Administration Guide Setting up IAM roles | AWS Administration Guide Launching the instance using roles and user data | AWS Administration Guide Terraform by HashiCorp

• Question 5:

  Which two Amazon Web Services (AWS) features support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  A. A NAT gateway with an EIP
  B. A transit gateway with an attachment
  C. An Internet gateway with an EIP
  D. A transit VPC
  B. A transit gateway with an attachment
  D. A transit VPC

  ---

  explanation:

  Explanation

  The correct answer is B and

  D. A transit gateway with an attachment and a transit VPC support east-west traffic inspection within the AWS cloud by the FortiGate VM. According to the Fortinet documentation for Public Cloud Security, a transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway.By using a transit gateway with an attachment, you can route traffic from your spoke VPCs to your security VPC, where the FortiGate VM can inspect the traffic1. A transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs).By using a transit VPC, you can deploy the FortiGate VM as a virtual appliance that provides network security and threat prevention for your VPCs2. The other options are incorrect because: A NAT gateway with an EIP is a service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.A NAT gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate VM3. An Internet gateway with an EIP is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.An Internet gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate VM4. 1:Fortinet Documentation Library - Deploying FortiGate VMs on AWS2: [Fortinet Documentation Library - Transit VPC on AWS]3: [NAT Gateways - Amazon Virtual Private Cloud]4: [Internet Gateways - Amazon Virtual Private Cloud]

• Question 6:

  Refer to the exhibit

  

  You attempted to access the Linux1 EC2 instance directly from the internet using its public IP address in AWS.

  However, your connection is not successful.

  Given the network topology, what can be the issue?

  A. There is no connection between VPC A and VPC
  B. There is no elastic IP address attached to FortiGate in the Security VPC.
  C. The Transit Gateway BGP IP address is incorrect.
  D. There is no internet gateway attached to the Spoke VPC A.
  D. There is no internet gateway attached to the Spoke VPC A.

  ---

  explanation:

  Explanation

  This is because the Linux1 EC2 instance is not accessible directly from the internet using its public IP address in AWS.

  An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. Without an internet gateway, the Linux1 EC2 instance cannotreceive or

  send traffic to or from the internet, even if it has a public IP address assigned to it. To fix this issue, you need to attach an internet gateway to the Spoke VPC A and configure a route table that directs internet-bound traffic to the internet

  gateway. You also need to ensure that the Linux1 EC2 instance has a security group that allows inbound and outbound traffic on the desired ports.

  [Internet Gateways - Amazon Virtual Private Cloud] : [Attach an Internet Gateway to Your VPC - Amazon Virtual Private Cloud] : [Security Groups for Your VPC - Amazon Virtual Private Cloud]

• Question 7:

  A Network security administrator is searching for a solution to secure traffic going in and out of the container infrastructure.

  In which two ways can Fortinet container security help secure container infrastructure?(Choose two.)

  A. FortiGate NGFW can be placed between each application container for north-south traffic inspection
  B. FortiGate NGFW can connect to the worker node and protects the container-
  C. FortiGate NGFW can inspect north-south container traffic with label aware policies
  D. FortiGate NGFW and FortiSandbox can be used to secure container traffic
  C. FortiGate NGFW can inspect north-south container traffic with label aware policies
  D. FortiGate NGFW and FortiSandbox can be used to secure container traffic

  ---

  explanation:

  Explanation

  The correct answer is C and

  D. FortiGate NGFW can inspect north-south container traffic with label aware policies and FortiGate NGFW and FortiSandbox can be used to secure container traffic.

  According to the Fortinet documentation for container security1, FortiGate NGFW can provide the following benefits for securing container infrastructure:

  It can inspect north-south traffic between containers and external networks using label aware policies, which allow for dynamic policy enforcement based on Kubernetes labels and metadata.

  It can integrate with FortiSandbox to provide advanced threat protection for container traffic, by sending suspicious files or URLs to a cloud-based sandbox for analysis and detection.

  It can leverage FortiGuard Security Services to provide real-time threat intelligence and updates for container traffic, such as antivirus, web filtering, IPS, and application control.

  The other options are incorrect because:

  FortiGate NGFW cannot be placed between each application container for north- south traffic inspection, as this would create unnecessary complexity and overhead. Instead, FortiGate NGFW can be deployed at the edge of the container

  network or as a sidecar proxy to inspect traffic at the ingress and egress points. FortiGate NGFW cannot connect to the worker node and protect the container, as this would not provide sufficient visibility and control over the container traffic.

  Instead, FortiGate NGFW can leverage the native Kubernetes APIs and services to monitor and secure the container traffic.

  1:Fortinet Documentation Library - Container Security

• Question 8:

  What is the main advantage of using SD-WAN Transit Gateway Connect over traditional SD-WAN?

  A. It eliminates the use of ECMP
  B. You can use GRE-based tunnel attachments
  C. You can combine it with IPsec to achieve higher bandwidth
  D. You can use BGP over IPsec for maximum throughput
  B. You can use GRE-based tunnel attachments

  ---

  explanation:

  Explanation

  Simplified and Scalable Connectivity: Transit Gateway Connect allows you to establish GRE tunnels to your SD-WAN appliances natively within the AWS network. This eliminates the complexity of managing individual IPsec VPN connections,

  especially as your cloud presence grows. Potential for Enhanced Performance: GRE offers lower overhead compared to IPsec, which can result in higher throughput for bandwidth-intensive SD-WAN applications.

  Flexibility: While IPsec is supported for scenarios requiring strong encryption, the focus on GRE highlights the performance and scalability benefits that are often prioritized when integrating SD-WAN with AWS.

  Dynamic Routing: The integration with BGP further streamlines network management by automating route updates and distribution.

  Addressing the IPsec Consideration:

  It's important to acknowledge that SD-WAN Transit Gateway Connect does support IPsec. If your question is specifically framed within the context of Fortinet's FCSS 7.2 materials and they emphasize the hybrid usage of GRE and IPsec, then

  a modified answer might be appropriate:

• Question 9:

  You need a solution to safeguard public cloud-hosted web applications from the OWASP Top 10 vulnerabilities. The solution must support the same region in which your applications reside, with minimum traffic cost

  Which solution meets the requirements?

  A. Use FortiADC
  B. Use FortiCNP
  C. Use FortiWebCloud
  D. Use FortiGate
  C. Use FortiWebCloud

  ---

  explanation:

  Explanation

  The correct answer is

  C. Use FortiWebCloud. FortiWebCloud is a SaaS cloud-based web application firewall (WAF) that protects public cloud hosted web applications from the OWASP Top 10, zero day threats, and other application layer attacks.FortiWebCloud also includes robust features such as API discovery and protection, bot mitigation, threat analytics, and advanced reporting.FortiWebCloud supports multiple regions across the world, and you can choose the region that is closest to your applications to minimize traffic cost. The other options are incorrect because: FortiADC is an application delivery controller that provides load balancing, acceleration, and security for web applications.It is not a dedicated WAF solution and does not offer the same level of protection as FortiWebCloud. FortiCNP is a cloud-native platform that provides security and visibility for containerized applications.It is not a WAF solution and does not protect web applications from the OWASP Top 10 vulnerabilities. FortiGate is a next-generation firewall (NGFW) that provides network security and threat prevention. It is not a WAF solution and doesnot offer the same level of protection as FortiWebCloud for web applications.It also requires additional configuration and management to deploy in the public cloud. Overview | FortiWeb Cloud 23.3.0 - Fortinet Documentation Web Application Firewall (WAF) and API Protection | Fortinet [FortiWeb Cloud WAF-as-a-Service | Fortinet] [Application Delivery Controller (ADC) | Fortinet]

  [Fortinet Cloud Native Platform | Fortinet] [FortiGate Next-Generation Firewall (NGFW) | Fortinet]

• Question 10:

  How does the immutable infrastructure strategy work in automation?

  A. It runs a single live environment for configuration changes.
  B. It runs one idle and a single live environment for configuration changes.
  C. It runs two live environments for configuration changes.
  D. It runs one idle and two live environments for configuration changes.
  C. It runs two live environments for configuration changes.

  ---

  explanation:

  Explanation

  Immutable infrastructure is a DevOps approach that emphasizes the creation of disposable resources instead of modifying existing ones. This approach helps to achieve stability, consistency, and predictability in IT operations by reducing the

  risk of configuration drift and eliminating stateful components.

  One way to implement immutable infrastructure is to use a blue-green deployment strategy, which runs two live environments for configuration changes. The blue environment is the current production environment, while the green

  environment is the new version of the application or service. When the green environment is ready, the traffic is switched from blue to green, and the blue environment is destroyed or kept as a backup. This way, there is no need to update or

  patch the existing infrastructure, but rather replace it with a new one.

  References:

  1: Immutable Infrastructure, Architecture, and its benefits

  2: Introduction to Immutable Infrastructure ?BMC Software | Blogs