Fortinet NSE7_PBC-7.2 Online Practice Questions and Exam Preparation

Fortinet NSE7_PBC-7.2 Online Questions & Answers

• Question 21:

  Refer to the exhibit Consider the active-active load balance sandwich scenario in Microsoft Azure.

  

  What are two important facts in the active-active load balance sandwich scenario? (Choose two )

  A. It uses the vdom-exception command to exclude the configuration from being synced
  B. It is recommended to enable NAT on FortiGate policies.
  C. It uses the FGCP protocol
  D. It supports session synchronization for handling asynchronous traffic.
  B. It is recommended to enable NAT on FortiGate policies.
  D. It supports session synchronization for handling asynchronous traffic.

  ---

  Explanation

  B. It is recommended to enable NAT on FortiGate policies. This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets. If NAT is not enabled, the source IP address of the packets will be the same as the load balancer's frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues. Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing.

  D. It supports session synchronization for handling asynchronous traffic. This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session. For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table. This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors. The other options are incorrect because: It does not use the vdom-exception command to exclude the configuration from being synced. The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname. It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.

• Question 22:

  Refer to the exhibit.

  

  You deployed an HA active-active load balance sandwich with two FortiGate VMs in Microsoft Azure.

  After the deployment, you prefer to use FGSP to synchronize sessions, and allowasymmetric return traffic In the environment, FortiGate port 1 and port 2 are facing external and internal load balancers respectively

  What IP address must you use in the peerip configuration?

  A. The opposite FortiGate port 1 IP address.
  B. The public load balancer port 2 IP address
  C. The internal load balancer port 1 IP address.
  D. The opposite FortiGate port 2 IP address.
  D. The opposite FortiGate port 2 IP address.

  ---

  Explanation

  In an HA active-active load balance configuration with FortiGate VMs, especially in Microsoft Azure where FGSP (FortiGate Session Life Support Protocol) is used for session synchronization, the correct configuration for thepeeripis: D.The opposite FortiGate port 2 IP address. HA Synchronization Requirements:FGSP requires direct communication between the FortiGates to synchronize the session table. This synchronization typically occurs over a dedicated HA link that connects the HA pair. Asymmetric Traffic Considerations:FGSP allows asymmetric traffic to rejoin the correct session by synchronizing session information, including NAT and TCP sequence tracking between the FortiGate units in a cluster. Configuration Specifics:For port 2, which is facing the internal load balancer, thepeeripshould be set to the corresponding port 2 IP address of the opposite FortiGate. This allows the internal interfaces to communicate directly with each other for session synchronization purposes, which is crucial in an active-active deployment to ensure sessions persist during failover scenarios.

  References:The choice of using port 2's IP address for FGSP is supported by the Fortinet documentation, which explains how FortiGates should be configured for HA, especially in cloud environments where traditional HA links may not be available.

• Question 23:

  Which two statements are true about Transit Gateway Connect peers in anlPv4 BGP configuration'? (Choose two.)

  A. The inside CIDR blocks are used for BGP peering
  B. You cannot use IPv6 addresses
  C. You must specify a /29CIDR block from the 169.254.0.0/16 range
  D. You must configure the second address from the IPv4 range on the device as the BGP IP address
  A. The inside CIDR blocks are used for BGP peering
  C. You must specify a /29CIDR block from the 169.254.0.0/16 range

  ---

  Explanation

  For Transit Gateway Connect peers in an IPv4 BGP configuration, the correct statements are: The inside CIDR blocks are used for BGP peering (Option A):In a BGP configuration for Transit Gateway Connect, the inside CIDR blocks, typically within the 169.254.0.0/16 range, are designated for the BGP peering connections. These blocks are reserved for internal network protocols and are commonly used in AWS for automatic IP address assignment within managed networking services. You must specify a /29 CIDR block from the 169.254.0.0/16 range (Option C):It is a requirement to specify a /29 CIDR block within the 169.254.0.0/16 range for setting up the network interfaces that facilitate BGP peering. This specific range allows for the necessary number of IP addresses to establish BGP sessions effectively between the transit gateway and on-premises or other virtual appliances.

  References:These practices are in line with AWS guidelines for Transit Gateway Connect, which stipulate the use of specified CIDR blocks for internal networking and BGP configurations, ensuring seamless connectivity and routing management.

• Question 24:

  Which two Amazon Web Services (AWS) features do you use for the transit virtual private cloud (VPC) automation process to add new spoke N/PCs? (Choose two )

  A. Amazon S3 bucket
  B. AWS Security Hub
  C. AWS Transit Gateway
  D. Amazon CloudWatch
  C. AWS Transit Gateway
  D. Amazon CloudWatch

  ---

  Explanation

  For automating the process of adding new spoke VPCs in a transit VPC architecture within Amazon Web Services (AWS), the two relevant features are:

  AWS Transit Gateway (Option C):This service is crucial for managing connectivity between VPCs and other networks without routing traffic through the public internet. It acts as a hub that controls how traffic is routed among all the connected

  networks, which simplifies network management and minimizes latency. Amazon CloudWatch (Option D):CloudWatch provides monitoring and observability services that are essential for managing the health and performance of the AWS

  infrastructure, including Transit Gateways. It allows administrators to set alarms and react to changes in AWS resources, which is vital for the dynamic addition and integration of new spoke VPCs into the transit VPC architecture.

  References:AWS official documentation on Transit Gateways and CloudWatch details these services' roles in enhancing network management and monitoring, essential for effective and automated transit VPC operations.

• Question 25:

  Refer to the exhibit.

  

  You are troubleshooting a FortiGate HA floating IP issue with Microsoft Azure. After the failover, the new primary device does not have the previous primary device floating IP address. What could be the possible issue With this scenario?

  A. FortiGate port4 does not have internet access.
  B. A wrong client secret credential is used
  C. The error is caused by credential time expiration.
  D. The Azure service principle account must have a contributor role.
  D. The Azure service principle account must have a contributor role.

  ---

  Explanation

  In this scenario, the issue is caused by the Azure service principle account nothaving a contributor role. This is required for the FortiGate HA floating IP to work properly. Without this role, the new primary device will not have the previous primary device floating IP address after failover.

  References: Fortinet Public Cloud Security knowledge source documents or study guide.

  https://docs.fortinet.com/product/fortigate-public-cloud/7.2

• Question 26:

  An administrator decides to use the Use managed identity option on the FortiGate SDN connector with Microsoft Azure However, the SDN connector is failing on the connection What must the administrator do to correct this issue?

  A. Make sure to add the Tenant ID on FortiGate side of the configuration
  B. Make sure to set the type to system managed identity on FortiGate SDN connectorsettings
  C. Make sure to enable the system assigned managed identity on Azure
  D. Make sure to add the Client secret on FortiGate side of the configuration
  C. Make sure to enable the system assigned managed identity on Azure

  ---

  Explanation

  When an administrator decides to use the 'Use managed identity' option for the FortiGate SDN connector with Microsoft Azure and faces a connection failure, the correct action to take is: C.Make sure to enable the system assigned managed identity on Azure. Managed Identity Configuration:The system assigned managed identity is a feature in Azure that provides an identity for the Azure service instance (in this case, the FortiGate SDN connector) within Azure Active Directory and eliminates the need for credentials to be stored in the configuration. Troubleshooting Connection Issues:If the SDN connector is failing to connect, it could be because the system assigned managed identity has not been enabled or configured properly in Azure for the FortiGate service.

  References:Azure documentation on managed identities explains the need to enable and configure this feature for services to authenticate and interact securely with Azure resources.

• Question 27:

  You are adding more spoke VPCs to an existing hub and spoke topology Your goal is to finish this task in the minimum amount of time without making errors.

  Which Amazon AWS services must you subscribe to accomplish your goal?

  A. GuardDuty, CloudWatch
  B. WAF, DynamoDB
  C. Inspector, S3
  D. CloudWatch, S3
  D. CloudWatch, S3

  ---

  Explanation

  The correct answer is

  D. CloudWatch and S3. According to the GitHub repository for the Fortinet aws-lambda-tgw script1, this function requires the following AWS services:

  CloudWatch: A monitoring and observability service that collects and processes events from various AWS resources, including Transit Gateway attachments and route tables.

  S3: A scalable object storage service that can store the configuration files and logs generated by the Lambda function.

  By using the Fortinet aws-lambda-tgw script, you can automate the creation and configuration of Transit Gateway Connect attachments for your FortiGate devices.This can help you save time and avoid errors when adding more spoke VPCs

  to an existing hub and spoke topology.

  The other AWS services mentioned in the options are not required for this task. GuardDuty is a threat detection service that monitors for malicious and unauthorized behavior to help protect AWS accounts and workloads. WAF is a web

  application firewall that helps protect web applications from common web exploits. Inspector is a security assessment service that helps improve the security and compliance of applications deployed on AWS. DynamoDB is a fast and flexible

  NoSQL database service that can store various types of data.GitHub - fortinet/aws-lambda-tgw

• Question 28:

  You are tasked with deploying a FortiGate HA solution in Amazon Web Services (AWS) using Terraform What are two steps you must take to complete this deployment? (Choose two.)

  A. Enable automation on the AWS portal.
  B. Create an AWS Identity and Access Management (IAM) user With permissions.
  C. Use CloudSheIl to install Terraform.
  D. Create an AWS Active Directory user with permissions.
  B. Create an AWS Identity and Access Management (IAM) user With permissions.
  C. Use CloudSheIl to install Terraform.

  ---

  Explanation

  To deploy a FortiGate HA solution in AWS using Terraform, you need to create an AWS IAM user with permissions to access the AWS resources and services required by the FortiGate-VM. You also need to use CloudShell to install Terraform, which is a tool for building, changing, and versioning infrastructure as code.

  References: Deploying FortiGate-VM using Terraform | AWS Administration Guide Setting up IAM roles | AWS Administration Guide Launching the instance using roles and user data | AWS Administration Guide Terraform by HashiCorp

• Question 29:

  A customer would like to use FortiGate fabric integration With FortiCNP

  When configuring a FortiGate VM to add to FortiCNP, which three mandatory configuration steps must you follow on FortiGate? (Choose three.)

  A. Enable send logs-
  B. Create and IPS sensor and a firewall policy
  C. Create an IPsec tunnel.
  D. Create an SSL]SSH inspection profile.
  E. Enable two-factor authentication.
  A. Enable send logs-
  B. Create and IPS sensor and a firewall policy
  D. Create an SSL]SSH inspection profile.

  ---

  Explanation

  To configure a FortiGate VM to add to FortiCNP, you need to perform three steps on FortiGate:

  Enable send logs in FortiGate to allow FortiCNP to receive the IPS logs from FortiGate.

  Create an SSL/SSH inspection profile on FortiGate to inspect the encrypted traffic and apply IPS protection.

  Create an IPS sensor and a firewall policy on FortiGate to enable IPS detection and prevention for the traffic.

  References:

  FortiCNP 22.4.a Administration Guide, page 22-24 FortiGate IPS Administration Guide, page 9-10

• Question 30:

  You need a solution to safeguard public cloud-hosted web applications from the OWASP Top 10 vulnerabilities. The solution must support the same region in which your applications reside, with minimum traffic cost

  Which solution meets the requirements?

  A. Use FortiADC
  B. Use FortiCNP
  C. Use FortiWebCloud
  D. Use FortiGate
  C. Use FortiWebCloud

  ---

  Explanation

  The correct answer is

  C. Use FortiWebCloud. FortiWebCloud is a SaaS cloud-based web application firewall (WAF) that protects public cloud hosted web applications from the OWASP Top 10, zero day threats, and other application layer attacks.FortiWebCloud also includes robust features such as API discovery and protection, bot mitigation, threat analytics, and advanced reporting.FortiWebCloud supports multiple regions across the world, and you can choose the region that is closest to your applications to minimize traffic cost. The other options are incorrect because: FortiADC is an application delivery controller that provides load balancing, acceleration, and security for web applications.It is not a dedicated WAF solution and does not offer the same level of protection as FortiWebCloud. FortiCNP is a cloud-native platform that provides security and visibility for containerized applications.It is not a WAF solution and does not protect web applications from the OWASP Top 10 vulnerabilities. FortiGate is a next-generation firewall (NGFW) that provides network security and threat prevention. It is not a WAF solution and doesnot offer the same level of protection as FortiWebCloud for web applications.It also requires additional configuration and management to deploy in the public cloud. Overview | FortiWeb Cloud 23.3.0 - Fortinet Documentation Web Application Firewall (WAF) and API Protection | Fortinet [FortiWeb Cloud WAF-as-a-Service | Fortinet] [Application Delivery Controller (ADC) | Fortinet]

  [Fortinet Cloud Native Platform | Fortinet] [FortiGate Next-Generation Firewall (NGFW) | Fortinet]