Fortinet NSE 7 - Public Cloud Security 7.2 NSE7_PBC-7.2 Exam Practice Test

Answer : A

According to the Terraform documentation for installing Terraform on Linux1, you need to download a zip archive that contains a single binary file called terraform. You need to unzip the archive and move the binary file to a directory that is included in your system's PATH environment variable, such as /usr/local/bin.This way, you can run the terraform command from any directory without specifying the full path1.

If you do not move the binary file to the bin directory, you will get a command not found error when you try to run the terraform version command, as shown in the screenshot.To fix this error, you need to move the binary file to the bin directory or specify the full path of the binary file when running the command1.

1:Install Terraform | Terraform - HashiCorp Learn

Answer : B, D, E

B . Add route destination 0.0.0.0/0 to target the transit gateway.This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs1.The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model2. D. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway.This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located3.An internet gateway is a service that enables communication between your VPC and the internet4. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources. E. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC.This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located3. This is an alternative solution to option D, depending on which subnet you want to use for the FortiGate VM.

The other options are incorrect because:

Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet1.Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.

Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC1.Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.

Answer : B

Answer : C, D

The correct answer is C and D. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center.

According to the Fortinet documentation for Public Cloud Security, a transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs). A transit VPC can use a hub and spoke topology to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention. A transit VPC can also leverage Equal-Cost Multi-Path (ECMP) routing to achieve higher bandwidth and load balancing across multiple VPN tunnels1.

A transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway. You can use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention. A transit gateway attachment with VPN option can also leverage ECMP routing to achieve higher bandwidth and load balancing across multiple VPN tunnels2.

The other options are incorrect because:

Using ECMP and VPN to achieve higher bandwidth is not a complete solution, as it does not specify how to replace the existing VPC peering topology or how to connect the AWS VPCs to the on-premises data center.

Using transit VPC to build multiple VPC connections to the on-premises data center is not a correct solution, as it does not specify how to use a hub and spoke topology or how to leverage ECMP routing for higher bandwidth.

1: Fortinet Documentation Library - Transit VPC on AWS 2: Fortinet Documentation Library - Deploying FortiGate VMs on AWS

Answer : B, C

To deploy a FortiGate HA solution in AWS using Terraform, you need to create an AWS IAM user with permissions to access the AWS resources and services required by the FortiGate-VM. You also need to use CloudShell to install Terraform, which is a tool for building, changing, and versioning infrastructure as code.

Deploying FortiGate-VM using Terraform | AWS Administration Guide

Setting up IAM roles | AWS Administration Guide

Launching the instance using roles and user data | AWS Administration Guide

Terraform by HashiCorp

Answer : C

The Azure client secret is a one-time value that is only visible when it is created. If the administrator loses or forgets the client secret, they cannot retrieve it from the Azure portal. However, they can create a new client secret and use it to configure Terraform.To create a new client secret, they need to follow these steps12:

Sign in to the Azure portal and navigate to the Azure Active Directory service.

Select the application name under the App Registrations.

Select Certificates & Secrets > New client secret to create a new client secret.

Add a description and an expiration date for the client secret and select Add.

Copy the value of the new client secret immediately as it will not be shown again.

Generate new Client Secret and link to key-vault | Microsoft Learn

Azure Quickstart - Set and retrieve a secret from Key Vault using Azure portal | Microsoft Learn

Answer : C

For administrators seeking to gain insights into user activities and data within major SaaS applications across multicloud environments, deploying FortiCASB (Cloud Access Security Broker) is the most effective solution (Option C).

Role of FortiCASB: FortiCASB is specifically designed to provide security visibility, compliance, data security, and threat protection for cloud-based services. It acts as a mediator between users and cloud service providers, offering deep visibility into the operations and data handled by SaaS applications.

Capabilities of FortiCASB: This product enables administrators to monitor and control the access and usage of SaaS applications. It helps in assessing security configurations, tracking user activities, and evaluating data movement across the cloud services. By doing so, it assists organizations in enforcing security policies, detecting anomalous behaviors, and ensuring compliance with regulatory standards.

Integration and Functionality: FortiCASB integrates seamlessly with major SaaS platforms, providing a centralized management interface that allows for comprehensive analysis and real-time protection measures. This integration ensures that organizations can maintain control over their data across various cloud services, enhancing the overall security posture in a multicloud environment.