Fortinet FCP_ZCS_AD-7.4 Exam Practice Test Instant Access

Question 1

Refer to the exhibit.

The exhibit shows some of the properties of a virtual NIC that is used by a FortiGate VM deployed in Azure.

The virtual NIC shown is connected to a subnet (10.0.1.0/26) with several VMs that will be accessing the internet through the FortiGate VM.

Which statement is true for this scenario?

AThe NIC in the exhibit needs to be assigned a public IP address.

BThe VMs in the 10.0.1.0/26 subnet can access the internet through FortiGate.

CYou must change the default gateway on the VMs in the Internal Subnet for this to work.

DThe parameters of the virtual NIC are not configured correctly.

Answer : C

For VMs in the 10.0.1.0/26 subnet to access the internet through the FortiGate VM, their default gateway must be changed to the internal IP address of the FortiGate's NIC in that subnet (e.g., LAB1-FGT-A-Nic2). This ensures traffic is routed through FortiGate for inspection and NAT, rather than directly using Azure's default system routes.

Question 2

What is a limitation of the Network Security Groups (NSGs) in Azure?

ANSGs allow the filtering of inbound traffic only.

BNSGs are applied only to vNICs.

CNSGs operate at the application layer, limiting their effectiveness in the network layer.

DNSGs cannot be applied to individual virtual machines.

Answer : B

A limitation of NSGs is that they are applied only at the subnet level or to network interfaces (vNICs), not directly to other resources like load balancers or application gateways. This means granular application-layer filtering is not supported, and NSGs primarily operate at Layers 3 and 4.

Question 3

Refer to the exhibits, which show the outputs of two commands taken on a Windows VM running in Azure.

Which statement is true about the device with the IP address 10.0.2.4?

AIt is reachable through FortiGate in transparent mode

BIt is provided by Azure for routing traffic among subnets

CIt is on the same VNET as the Windows VM

DIt is on the same subnet as the Windows VM

Answer : C

The trace output shows only one hop to reach 10.0.2.4, indicating that the destination is in the same Azure virtual network (VNet) as the Windows VM. Since the VM's IP is 10.0.1.4 and the destination is 10.0.2.4, they are in different subnets, but Azure allows direct routing between subnets within the same VNet without additional hops.

Question 4

Which output was taken on a VM running in Azure?

AOption A

BOption B

COption C

DOption D

Answer : D

Azure assigns MAC addresses in a specific Organizationally Unique Identifier (OUI) range. The MAC address d8-34-99-c5-0A-BC begins with d8-34-99, which is a Microsoft-assigned OUI used in Azure virtual networks. This strongly indicates the output was taken from a VM running in Azure.

Question 5

Your organization is in the process of optimizing its Azure network architecture and wants to dynamically manage and exchange routing information between its virtual networks and on-premises networks.

Which Azure service would help to provide a centralized point for efficient route management and dynamic routing?

AAzure Virtual WAN

BAzure VPN Gateway

CAzure ExpressRoute

DAzure Route Server

Answer : D

Azure Route Server enables dynamic route exchange using BGP between your Azure virtual network and network virtual appliances (NVAs) or on-premises networks. It provides a centralized and scalable solution for route management, allowing seamless integration of routing updates without manual configuration changes.

Question 6

In the context of Azure Route Server, what is a primary function of the route server subnet?

AProviding DNS resolution for on-premises networks

BHosting virtual machines for routing propagation purposes

CServing as the hub for the exchange of routing information

DActing as a dedicated subnet to host network virtual appliances (NVAs) with routing propagation capabilities

Answer : C

The route server subnet in Azure is a dedicated subnet that hosts the Azure Route Server, which functions as the hub for dynamic routing information exchange between Azure virtual networks and BGP-enabled network virtual appliances (NVAs) or on-premises routers. It enables seamless and centralized route propagation.

Question 7

Refer to the exhibit.

You are troubleshooting a network connectivity issue between two VMs that are deployed in Azure.

One VM is a FortiGate that has one interface in the DMZ subnet, which is in the Production VNet. The other VM is a Windows Server in the Servers subnet, which is also in the Production VNet. You cannot ping the Windows Server from the FortiGate VM.

What is the reason for this?

AYou have not created a VPN to allow traffic between those subnets

BBy default, Azure does not allow ICMP traffic between subnets

CThe firewall in the Windows VM is blocking the traffic

DYou have not configured a user-defined route for this traffic

Answer : C

The FortiGate VM and the Windows Server VM are in different subnets but within the same Production virtual network, which means they can communicate by default unless restricted. Azure allows ICMP between subnets, but Windows VMs have ICMP blocked by default in their firewall settings. Therefore, the likely reason for the ping failure is that the Windows Server's firewall is blocking ICMP (ping) traffic.

Fortinet FCP_ZCS_AD-7.4 FCP - Azure Cloud Security 7.4 Administrator Exam Practice Test