Fortinet NSE7_PBC-7.2 Exam Practice Test Instant Access

Question 1

You are automating configuration changes on one of the FortiGate VMS using Linux Red Hat Ansible.

How does Linux Red Hat Ansible connect to FortiGate to make the configuration change?

AIt uses a FortiGate internal or external IP address with TCP port 21

BIt uses SSH as a connection method to FortiOS.

CIt uses an API.

DIt uses YAML

Answer : C

Ansible connects to FortiGate using an API, which is a method of communication between different software components.Ansible uses the fortios_* modules to interact with the FortiOS API, which is a RESTful API that allows configuration and monitoring of FortiGate devices12.Ansible can use either HTTP or HTTPS as the transport protocol, and can authenticate with either a username and password or an API token3.

The other options are incorrect because:

Ansible does not use TCP port 21 to connect to FortiGate.Port 21 is typically used for FTP, which is not supported by FortiOS4.

Ansible does not use SSH as a connection method to FortiOS. SSH is a secure shell protocol that allows remote command execution and file transfer, but it is not the preferred way of automating configuration changes on FortiGate devices.

Ansible does not use YAML to connect to FortiGate. YAML is a data serialization language that Ansible uses to write playbooks and inventory files, but it is not a connection method.Reference:

Fortinet.Fortios --- Ansible Documentation

FortiOS REST API Reference

FortiOS Module Guide --- Ansible Documentation

FortiOS 7.0 CLI Reference

[Connection methods and details --- Ansible Documentation]

[YAML Syntax --- Ansible Documentation]

Question 2

You are adding more spoke VPCs to an existing hub and spoke topology Your goal is to finish this task in the minimum amount of time without making errors.

Which Amazon AWS services must you subscribe to accomplish your goal?

AGuardDuty, CloudWatch

BWAF, DynamoDB

CInspector, S3

DCloudWatch, S3

Answer : D

The correct answer is D. CloudWatch and S3.

According to the GitHub repository for the Fortinet aws-lambda-tgw script1, this function requires the following AWS services:

CloudWatch: A monitoring and observability service that collects and processes events from various AWS resources, including Transit Gateway attachments and route tables.

S3: A scalable object storage service that can store the configuration files and logs generated by the Lambda function.

By using the Fortinet aws-lambda-tgw script, you can automate the creation and configuration of Transit Gateway Connect attachments for your FortiGate devices. This can help you save time and avoid errors when adding more spoke VPCs to an existing hub and spoke topology1.

The other AWS services mentioned in the options are not required for this task. GuardDuty is a threat detection service that monitors for malicious and unauthorized behavior to help protect AWS accounts and workloads. WAF is a web application firewall that helps protect web applications from common web exploits. Inspector is a security assessment service that helps improve the security and compliance of applications deployed on AWS. DynamoDB is a fast and flexible NoSQL database service that can store various types of data.

1: GitHub - fortinet/aws-lambda-tgw

Question 3

Refer to the exhibit

The exhibit shows a customer deployment of two Linux instances and their main routing table in Amazon Web Services (AWS). The customer also created a Transit Gateway (TGW) and two attachments

Which two steps are required to route traffic from Linux instances to the TGWQ (Choose two.)

AIn the TGW route table, add route propagation to 192.168.0 0/16

BIn the main subnet routing table in VPC A and B, add a new route with destination 0_0.0.0/0, next hop Internet gateway (IGW).

CIn the TGW route table, associate two attachments.

DIn the main subnet routing table in VPC A and B, add a new route with destination 0_0.0.0/0, next hop TGW.

Answer : A, B

According to the AWS documentation for Transit Gateway, a Transit Gateway is a network transit hub that connects VPCs and on-premises networks. To route traffic from Linux instances to the TGW, you need to do the following steps:

In the TGW route table, associate two attachments. An attachment is a resource that connects a VPC or VPN to a Transit Gateway. By associating the attachments to the TGW route table, you enable the TGW to route traffic between the VPCs and the VPN.

In the main subnet routing table in VPC A and B, add a new route with destination 0_0.0.0/0, next hop TGW. This route directs all traffic from the Linux instances to the TGW, which can then forward it to the appropriate destination based on the TGW route table.

The other options are incorrect because:

In the TGW route table, adding route propagation to 192.168.0 0/16 is not necessary, as this is already the default route for the TGW. Route propagation allows you to automatically propagate routes from your VPC or VPN to your TGW route table.

In the main subnet routing table in VPC A and B, adding a new route with destination 0_0.0.0/0, next hop Internet gateway (IGW) is not correct, as this would bypass the TGW and send all traffic directly to the internet. An IGW is a VPC component that enables communication between instances in your VPC and the internet.

: [Transit Gateways - Amazon Virtual Private Cloud]

Question 4

Refer to the exhibit

You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS).

You examined the variables.tf file.

What will be the final result after running the terraform init and terraform apply commands?

ATerraform will not deploy a FortiGate VM

BTerraform will deploy a FortiGate VM in the eu-West-Ia region with private and public subnets.

CTerraform will deploy a FortiGate VM in the eu-West-1a region with two subnets and byol license.

DTerraform will deploy a FortiGate VM in the eu-West-Ia region without any subnets.

Answer : C

The variables.tf file shows that the FortiGate VM will be deployed in the eu-West-Ia region with private and public subnets. The region variable is set to ''eu-west-1'' and the availability_zone variable is set to ''eu-west-1a''. The vpc_id variable is set to ''vpc-0e9d6a6f'' and the subnets variable is set to a list of two subnet IDs: ''subnet-0f9d6a6f'' and ''subnet-1f9d6a6f''. The license_type variable is set to ''on-demand'' and the ami_id variable is set to ''ami-0e9d6a6f''.

Question 5

In an SD-WAN TGW Connect topology, which three initial steps are mandatory when routing traffic from a spoke VPC to a security VPC through a Transit Gateway? (Choose three.)

AFrom the security VPC TGW subnet routing table, point 0.0.0.0/0 traffic to the FortiGate internal port.

BFrom the security VPC FortiGate internal subnet routing table, point 0.0.0.0/0 traffic to the TGW.

CFrom the spoke VPC internal routing table, point 0.0.0.0/0 traffic to the TGW.

DFrom the security VPC TGW subnet routing table, point 0.0.0.0/0 traffic to the TGW.

EFrom both spoke VPCs, and the security VPC, point 0.0.0.0/0 traffic to the Internet Gateway.

Answer : A, B, C

Question 6

Refer to the exhibit

An administrator deployed an HA active-active load balance sandwich in Microsoft Azure. The setup requires configuration synchronization between devices-

What are two outcomes from the configured settings? (Choose two.)

AFortiGate-VM instances are scaled out automatically according to predefined workload levels.

BFortiGate A and FortiGate B are two independent devices.

CBy default, FortiGate uses FGCP

DIt does not synchronize the FortiGate hostname

Answer : B, D

B . FortiGate A and FortiGate B are two independent devices. This means that they are not part of a cluster or a high availability group, and they do not share the same configuration or state information.They are configured as standalone FortiGates with standalone configuration synchronization enabled1.This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname1. D. It does not synchronize the FortiGate hostname. This is one of the settings that are excluded from the standalone configuration synchronization, as mentioned above.The hostname is a unique identifier for each FortiGate device, and it should not be changed by the synchronization process1.

The other options are incorrect because:

FortiGate-VM instances are not scaled out automatically according to predefined workload levels.This is a feature of the auto scaling solution for FortiGate-VM on Azure, which requires a different deployment and configuration than the one shown in the exhibit2. The exhibit shows a static deployment of two FortiGate-VM instances behind an Azure load balancer, which does not support auto scaling.

By default, FortiGate does not use FGCP.FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group3. However, the exhibit shows that the FortiGates are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.

Question 7

How does the immutable infrastructure strategy work in automation?