Fortinet FCP_WCS_AD-7.4 Exam Practice Test Instant Access

Question 1

An administrator needs to attach an Elastic Network Interface (ENI) to an application instance in a VPC with multiple availability zones. An instance runs in availability zone 1.

Which ENI property must the administrator consider when implementing this requirement?

AAn ENI cannot attach to an instance in availability zone 2.

BAfter the ENI detaches from one instance, it can reattach only to the same instance.

CYou can detach the primary ENI from an AWS instance.

DWhen you move an ENI, network traffic remains directed to the old instance until you terminate that instance.

Answer : A

ENI Attachment Across Availability Zones:

Elastic Network Interfaces (ENIs) are associated with a specific Availability Zone. They cannot be attached to instances that are in a different Availability Zone than where the ENI was created. Therefore, an ENI created in Availability Zone 1 cannot be attached to an instance in Availability Zone 2 (Option A).

ENI Reattachment:

ENIs can be detached from one instance and reattached to another instance within the same Availability Zone. This flexibility allows for network interface configuration to be preserved across instance changes within the same AZ.

Other Options Analysis:

Option B is incorrect because an ENI can be reattached to any instance in the same AZ.

Option C is incorrect as the primary ENI (eth0) cannot be detached from an instance.

Option D is incorrect because when an ENI is moved, the traffic is directed to the new instance, and there is no redirection to the old instance.

AWS ENI Documentation: Elastic Network Interfaces

AWS Networking Best Practices: AWS Networking

Question 2

Refer to the exhibit.

Which statement is correct about the VPC peering connections shown in the exhibit?

ATo route packets directly from VPC B to VPC C through VPC A, you must add a route for network 192.168.0.0/16 in the VPC A routing table.

BYou cannot route packets directly from VPC B to VPC C through VPC A.

CYou can associate VPC ID pcx-23232323 with VPC B to form a VPC peering connection between VPC B and VPC C.

DYou cannot create a separate VPC peering connection between VPC B and VPC C to route packets directly.

Answer : B

Understanding VPC Peering:

VPC peering connections allow instances in one VPC to communicate with instances in another VPC. Peering is a one-to-one relationship between two VPCs.

Transit Routing Limitation:

AWS VPC peering connections do not support transitive peering. This means that a packet originating in VPC B cannot be routed through VPC A to reach VPC C. Each pair of VPCs must have its own peering connection.

Routing Table Configuration:

Even if you add a route in the VPC A routing table for the 192.168.0.0/16 network, it won't allow VPC B to communicate with VPC C because of the non-transitive nature of VPC peering.

Comparison with Other Options:

Option A is incorrect because adding a route in VPC A does not overcome the limitation of non-transitive peering.

Option C is incorrect because associating pcx-23232323 with VPC B is not how VPC peering works.

Option D is incorrect because you can create a separate peering connection between VPC B and VPC C, which is the required approach for communication between these VPCs.

AWS VPC Peering Guide: VPC Peering

Limitations of VPC Peering: AWS VPC Peering Limitations

Question 3

Which two statements about the FortiCloud portal are true? (Choose two.)

AYou can gain remote access to your FortiGate VM directly from the portal.

BTo assign permissions in the identity and access management (JAM) portal, you must write a JSON script.

CYou can access the FortiFlex portal only after you purchase a FortiFlex license and register it on FortiCare.

DYou can access only cloud services that you have subscribed to on AWS marketplace.

Answer : A, C

Remote Access to FortiGate VM:

The FortiCloud portal allows users to remotely access their FortiGate VM instances. This is particularly useful for managing and configuring instances without needing direct network access (Option A).

FortiFlex Portal Access:

The FortiFlex portal is a feature that becomes available only after purchasing a FortiFlex license and registering it on FortiCare. This portal provides additional functionalities and services related to FortiFlex (Option C).

IAM Permissions:

Option B is incorrect because the Identity and Access Management (IAM) permissions in the FortiCloud portal do not require writing JSON scripts; they can be managed through the portal interface.

Subscription to Cloud Services:

Option D is incorrect because FortiCloud provides access to services beyond those subscribed through the AWS marketplace, including services directly offered by Fortinet.

FortiCloud Documentation: FortiCloud

FortiFlex Portal: FortiFlex Licensing

Question 4

Your organization is deciding between deploying an active-active (A-A) or active-passive (A-P) FortiGate high availability (HA) cluster in AWS cloud.

Which two statements are true about A-A clusters compared to A-P clusters? (Choose two.)

AFor A-A clusters, FortiGate must perform SNAT inbound to ensure symmetric traffic flow.

BA-A clusters rely on API calls for sfailovers.

CA-A clusters always require a load balancer.

DA-A clusters can use a software-defined network (SDN) to perform a failover.

Answer : A, C

Symmetric Traffic Flow with SNAT:

In active-active (A-A) clusters, symmetric traffic flow is essential for maintaining session integrity across multiple instances. Source Network Address Translation (SNAT) is performed inbound to ensure that return traffic is routed correctly (Option A).

Load Balancer Requirement:

A-A clusters require a load balancer to distribute incoming traffic evenly across the active instances. This is crucial for balancing the load and providing high availability (Option C).

API Calls and Failovers:

Option B is incorrect because failovers in A-A clusters do not typically rely on API calls but are managed by the load balancer and the clustering mechanism itself.

Software-Defined Network (SDN) Failover:

Option D is incorrect as SDN is not specifically required for performing failovers in A-A clusters. The failover mechanism is typically managed by the load balancer and FortiGate's clustering technology.

FortiGate High Availability on AWS: FortiGate HA

AWS Elastic Load Balancing: AWS ELB

Question 5

Refer to the exhibit.

Which two statements are correct about traffic flow in FortiWeb Cloud? (Choose two.)

AThe DNS name for the application servers must point to FortiWeb Cloud.

BFortiWeb Cloud filters the incoming traffic from users, blocking the OWASP Top 10 attacks, zero-day threats, and other application layer attacks.

CFortiWeb Cloud can protect the application servers only if they are all located in the same virtual public cloud (VPC).

DStep 2 requires an AWS S3 bucket to be created.

Answer : A, B

DNS Configuration:

For FortiWeb Cloud to effectively protect web applications, the DNS records for the application servers must be configured to point to FortiWeb Cloud. This ensures that all incoming traffic is routed through FortiWeb Cloud for inspection and protection (Option A).

Traffic Filtering:

FortiWeb Cloud provides robust protection by filtering incoming traffic to block the OWASP Top 10 attacks, zero-day threats, and other application layer attacks. This ensures the security and integrity of the web applications it protects (Option B).

Other Options Analysis:

Option C is incorrect because FortiWeb Cloud can protect application servers across different VPCs or regions, not just within the same VPC.

Option D is incorrect because step 2 does not require an AWS S3 bucket; it refers to the inspection and filtering of incoming traffic.

FortiWeb Cloud Overview: FortiWeb Cloud

DNS Configuration for Web Applications: DNS Configuration

Question 6

You want to deploy the Fortinet HA CloudFormation template to stage and bootstrap the FortiGate configuration in the same region in which you created your VPC, which is Ohio US-East-2.

Based on this information, which statement is correct?

AYou create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket can be hosted in any region.

BThe Fortinet HA cloud formation template automatically creates an S3 bucket.

CYou create an S3 bucket to stage and bootstrap FortiGate with an FGCP unicast configuration. The S3 bucket needs to be hosted in the Ohio US-East-2 region.

DYou create a DynamoDB to stage and bootstrap FortiGate with an FGCP unicast configuration. It needs to be hosted in the Ohio US-East-2 region.

Answer : C

Understanding Fortinet HA CloudFormation Template:

The Fortinet High Availability (HA) CloudFormation template is used to automate the deployment and configuration of FortiGate instances in AWS.

Staging and Bootstrapping FortiGate:

Staging involves preparing the necessary configuration files and resources needed for deployment.

Bootstrapping is the process of automatically configuring FortiGate instances upon deployment.

S3 Bucket Requirement:

The configuration files required for staging and bootstrapping are typically stored in an S3 bucket.

Since the deployment is in the Ohio (US-East-2) region, it is recommended to host the S3 bucket in the same region to minimize latency and ensure regional compliance.

Comparison with Other Options:

Option A is incorrect because while an S3 bucket is required, it should be in the same region (US-East-2).

Option B is incorrect as the template does not automatically create the S3 bucket.

Option D is incorrect as DynamoDB is not used for staging and bootstrapping in this scenario.

Fortinet Documentation: FortiGate on AWS

AWS S3 Documentation: AWS S3

Question 7

A global organization with cloud networks deployed in several AWS regions wants to set up next-generation firewall (NGFW) protection using FortiGate Cloud-Native Firewall (CNF).

What are two deployment considerations for the organization? (Choose two.)

AThey must choose AWS Firewall Manager to provision a CNF instance.

BA CNF instance is required for each AWS region that must be protected.

CMore than one AWS account can be associated with a CNF instance.

DOnly one CNF instance is required to protect all AWS regions.

Answer : B, C

Regional Deployment:

For a global organization with cloud networks in multiple AWS regions, a separate FortiGate Cloud-Native Firewall (CNF) instance is required for each AWS region to provide localized protection and meet compliance requirements. This ensures that each region has its own dedicated NGFW protection tailored to its specific needs (Option B).

Multi-Account Association:

FortiGate CNF supports associating multiple AWS accounts with a single CNF instance. This feature is beneficial for organizations that operate in a multi-account setup, allowing centralized management and security policies across different accounts (Option C).

Other Options Analysis:

Option A is incorrect because AWS Firewall Manager is a different service and is not required to provision a CNF instance.

Option D is incorrect because a single CNF instance cannot protect multiple AWS regions due to regional isolation in AWS.

FortiGate CNF Documentation: FortiGate CNF

AWS Multi-Account Best Practices: AWS Multi-Account

Fortinet FCP_WCS_AD-7.4 FCP - AWS Cloud Security 7.4 Administrator Exam Practice Test