Fortinet NSE 7 - Public Cloud Security 7.2 NSE7_PBC-7.2 Exam Questions

Answer : C

The Azure client secret is a one-time value that is only visible when it is created. If the administrator loses or forgets the client secret, they cannot retrieve it from the Azure portal. However, they can create a new client secret and use it to configure Terraform.To create a new client secret, they need to follow these steps12:

Sign in to the Azure portal and navigate to the Azure Active Directory service.

Select the application name under the App Registrations.

Select Certificates & Secrets > New client secret to create a new client secret.

Add a description and an expiration date for the client secret and select Add.

Copy the value of the new client secret immediately as it will not be shown again.

Generate new Client Secret and link to key-vault | Microsoft Learn

Azure Quickstart - Set and retrieve a secret from Key Vault using Azure portal | Microsoft Learn

Answer : B

For deploying a FortiGate VM using Terraform in AWS, the administrator must use:

B . Use the Name of the key pair.

Terraform and AWS SSH Keys: When deploying instances in AWS using Terraform, it is required to specify the name of the SSH key pair to enable key-based authentication to the instance post-deployment.

Configuration Syntax: The variable keyname within the Terraform configuration should match the exact name of the SSH key pair as it is stored in AWS. This ensures that Terraform can reference the correct key during the deployment process to set up SSH access to the FortiGate VM.

Terraform Variables: The variable 'keyname' block in the Terraform configuration will look for the key pair name as it should be declared in the terraform.tfvars file or passed as a variable during execution. This does not require the key pair's ID or fingerprint, just its name.

Answer : C

To keep track of sensitive data files located in AWS S3 buckets and protect them from malware, the administrator should use:

C . FortiCNP DLP policies.

Data Loss Prevention (DLP): DLP policies are designed to detect and prevent unauthorized access or sharing of sensitive data. In the context of AWS S3, DLP policies can be used to scan for sensitive information stored in S3 objects and enforce protective measures to prevent data exfiltration or compromise.

FortiCNP Integration: FortiCNP is Fortinet's cloud-native protection platform that offers security and compliance solutions across cloud environments. By applying DLP policies within FortiCNP, the administrator can ensure sensitive data within S3 is monitored and protected consistently.

Answer : A

Terraform manages and tracks the state of infrastructure resources through a file known as terraform.tfstate. This file is automatically created by Terraform and is updated after the application of a Terraform plan to capture the current state of the resources.

State File Purpose: The terraform.tfstate file contains a JSON object that records the IDs and properties of resources Terraform manages, so that it can map real-world resources to your configuration, keep track of metadata, and improve performance for large infrastructures.

State File Management: This file is crucial for Terraform to perform resource updates, deletions, and for creating dependencies. It's essentially the 'source of truth' for Terraform about your managed infrastructure and services.

Answer : B, C

B . The default network ACL is configured to allow all traffic.This means that when you create a VPC, AWS automatically creates a default network ACL for that VPC, and associates it with all the subnets in the VPC1.By default, the default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic1.You can modify the default network ACL, but you cannot delete it1. C. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.This means that network ACLs do not keep track of the traffic that they allow or deny, and they evaluate each packet separately1.Therefore, you need to create both inbound and outbound rules for each type of traffic that you want to allow or deny1.For example, if you want to allow SSH traffic from a specific IP address to your subnet, you need to create an inbound rule to allow TCP port 22 from that IP address, and an outbound rule to allow TCP port 1024-65535 (the ephemeral ports) to that IP address2.

The other options are incorrect because:

You can use network ACL and security group at the same time.Network ACL and security group are two different types of security layers for your VPC that can work together to control traffic3.Network ACL acts as a firewall for your subnets, while security group acts as a firewall for your instances3. You can use both of them to create a more granular and effective security policy for your VPC.

Network ACLs are not tied to an instance.Network ACLs are associated with subnets, not instances1.This means that network ACLs apply to all the instances in the subnets that they are associated with1. You cannot associate a network ACL with a specific instance.However, you can associate a security group with a specific instance or multiple instances3.

Answer : C

Ansible connects to FortiGate using an API, which is a method of communication between different software components.Ansible uses the fortios_* modules to interact with the FortiOS API, which is a RESTful API that allows configuration and monitoring of FortiGate devices12.Ansible can use either HTTP or HTTPS as the transport protocol, and can authenticate with either a username and password or an API token3.

The other options are incorrect because:

Ansible does not use TCP port 21 to connect to FortiGate.Port 21 is typically used for FTP, which is not supported by FortiOS4.

Ansible does not use SSH as a connection method to FortiOS. SSH is a secure shell protocol that allows remote command execution and file transfer, but it is not the preferred way of automating configuration changes on FortiGate devices.

Ansible does not use YAML to connect to FortiGate. YAML is a data serialization language that Ansible uses to write playbooks and inventory files, but it is not a connection method.Reference:

Fortinet.Fortios --- Ansible Documentation

FortiOS REST API Reference

FortiOS Module Guide --- Ansible Documentation

FortiOS 7.0 CLI Reference

[Connection methods and details --- Ansible Documentation]

[YAML Syntax --- Ansible Documentation]

Answer : A, B

According to the AWS documentation for Transit Gateway, a Transit Gateway is a network transit hub that connects VPCs and on-premises networks. To route traffic from Linux instances to the TGW, you need to do the following steps:

In the TGW route table, associate two attachments. An attachment is a resource that connects a VPC or VPN to a Transit Gateway. By associating the attachments to the TGW route table, you enable the TGW to route traffic between the VPCs and the VPN.

In the main subnet routing table in VPC A and B, add a new route with destination 0_0.0.0/0, next hop TGW. This route directs all traffic from the Linux instances to the TGW, which can then forward it to the appropriate destination based on the TGW route table.

The other options are incorrect because:

In the TGW route table, adding route propagation to 192.168.0 0/16 is not necessary, as this is already the default route for the TGW. Route propagation allows you to automatically propagate routes from your VPC or VPN to your TGW route table.

In the main subnet routing table in VPC A and B, adding a new route with destination 0_0.0.0/0, next hop Internet gateway (IGW) is not correct, as this would bypass the TGW and send all traffic directly to the internet. An IGW is a VPC component that enables communication between instances in your VPC and the internet.

: [Transit Gateways - Amazon Virtual Private Cloud]