Fortinet NSE7_PBC-7.2 Exam Practice Test Instant Access

Question 1

You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:

* Two FortiGate devices must be deployed; each in a different availability zone.

* Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.

* An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active- active topology.

* An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.

* Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.

Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?

Aconfig system sdn-connector

Bconfig system ha

Cconfig system auto-scale

Dconfig system session-sync

Answer : B

FTG HA Active/Active requires the following configuration to sync the session by FGSP

config system ha

set session-pickup enable

set session-pickup-connectionless enable

set session-pickup-nat enable

set session-pickup-expectation enable

set override disable

end

config system cluster-sync

edit 0

set peerip 10.0.1.x

set syncvd 'root'

end

https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Active-ELB-ILB

Question 2

Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.

Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)

AInstall FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute

BConfigure a user-defined route table

CEnable the redirect option in ExpressRoute to send data center traffic to a user-defined route table

DConfigure the gateway subnet as the subnet in the user-defined route table

EDefine a default route where the next hop IP is the FortiGate WAN interface

Answer : A, D, E

https://docs.microsoft.com/en-us/answers/questions/618005/adding-a-inline-fw-to-express-route.html

Question 3

Refer to the exhibit.

You are configuring an active-passive FortiGate clustering protocol (FGCP) HA configuration in a single availability zone in Amazon Web Services (AWS), using a cloud formation template.

After deploying the template, you notice that the AWS console has IP information listed in the FortiGate VM firewalls in the HA configuration. However, within the configuration of FortiOS, you notice that port1 is using an IP of 10.0.0.13, and port2 is using an IP of 10.0.1.13.

What should you do to correct this issue?

AConfigure FortiOS to use static IP addresses with the IP addresses reflected in the ENI primary IP address configuration (as per the exhibit).

BDelete the deployment and start again. You have in put the wrong parameters during the cloud formation template deployment.

CConfigure FortiOS to use DHCP so that it will get the correct IP addresses on the ports.

DNothing, in AWS cloud, it is normal for a FortiGate ENI primary IP address to be different than the FortiOS IP address configuration.

Answer : D

Question 4

Which statement about FortiSandbox in Amazon Web Services (AWS) is true?

AIn AWS, virtual machines (VMs) that inspect files do not have to be reset after inspecting a file.

BFortiSandbox in AWS uses Windows virtual machines (VMs) to inspect files.

CIn AWS, virtual machines (VMs) that inspect files are constantly up and running.

DFortiSandbox in AWS can have a maximum of eight virtual machines (VMs) that inspect files.

Answer : B

FortiSandbox deploys new EC2 instances with the custom Windows VMs, and then it sends malware, runs it, and captures the results for analysis. FortiSandbox for AWS does not need more resources because it performs management and analysis tasks only. Note that the cost varies based on the number of EC2 instances deployed, size of the instances, and duration of the running time.

Question 5

You have been asked to develop an Azure Resource Manager infrastructure as a code template for the FortiGate-VM, that can be reused for multiple deployments. The deployment fails, and errors point to the storageAccount name.

Which two are restrictions for a storageAccount name in an Azure Resource Manager template? (Choose two.)

AThe uniqueString() function must be used.

BThe storageAccount name must use special characters.

CThe storageAccount name must be in lowercase.

DThe storageAccount name must contain between 3 and 24 alphanumeric characters.

Answer : C, D

-Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep

Property values / storageAccounts

name --> The resource name :

* string (required)

* Character limit: 3-24

* Valid characters: Lowercase letters and numbers.

* Resource name must be unique across Azure.

Question 6

An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.

How can they do this?

AThey can create additional vNICs using the Cloud Shell.

BThey cannot create and add additional vNICs to an existing FortiGate-VM.

CThey can create additional vNICs in the UI console.

DThey can use the Compute Engine API Explorer.

Answer : B

GCP Limitations: You cannot add or remove network interfaces from an existing VM. https://cloud.google.com/vpc/docs/create-use-multiple-interfaces#limitations

Question 7

Refer to the exhibit.

Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)

AImplement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.

BUse ExpressRoute to interconnect the hub VNets and spoke VNets.

CConfigure VNet peering between the spokes only.

DConfigure VNet peering between the hub and spokes.

Answer : A, D

Fortinet NSE7_PBC-7.2 Fortinet NSE 7 - Public Cloud Security 7.2 Exam Practice Test