• Home
  • Articles
  • [Jan-2024] Get 100% Real Free NSE 7 Network Security Architect NSE7_PBC-7.2 Sample Questions [Q21-Q40]

[Jan-2024] Get 100% Real Free NSE 7 Network Security Architect NSE7_PBC-7.2 Sample Questions [Q21-Q40]

Share

[Jan-2024] Get 100% Real Free NSE 7 Network Security Architect NSE7_PBC-7.2 Sample Questions

Accurate NSE7_PBC-7.2 Questions with Free and Fast Updates


Fortinet NSE7_PBC-7.2 exam is a certification exam designed for IT professionals who specialize in public cloud security. NSE7_PBC-7.2 exam is designed to test the candidate's knowledge and skills in securing public cloud environments using Fortinet's security solutions. NSE7_PBC-7.2 exam covers a wide range of topics, including cloud security architecture, security management, data protection, and compliance.

 

NEW QUESTION # 21
You must allow an SSH traffic rule in an Amazon Web Services (AWS) network access list (NACL) to allow SSH traffic to travel to a subnetfor temporary testing purposes. When you review the current inbound network ACL rules, you notice that rule number 5 demes SSH and telnet traffic to the subnet What can you do to allow SSH traffic?

  • A. You must create a new allow SSH rule above rule number 5-
  • B. You must create a new allow SSH rule anywhere in the network ACL rule base to allow SSH traffic.
  • C. You must create a new allow SSH rule below rule number 5
  • D. You do not have to create any NACL rules because the default security group rule automatically allows SSH traffic to the subnet.

Answer: A

Explanation:
Explanation
Network ACLs are stateless, and they evaluate each packet separately based on the rules that you define. The rules are processed in order, starting with the lowest numbered rule1. If the traffic matches a rule, the rule is applied and no further rules are evaluated1. Therefore, if you want to allow SSH traffic to a subnet, you must create a new allow SSH rule above rule number 5, which denies SSH and telnet traffic. Otherwise, the deny rule will take precedence and block the SSH traffic.
The other options are incorrect because:
Creating a new allow SSH rule below rule number 5 will not allow SSH traffic, because the deny rule will be evaluated first and block the traffic.
Creating a new allow SSH rule anywhere in the network ACL rule base will not guarantee that SSH traffic will be allowed, because it depends on the order of the rules. If the allow SSH rule is below the deny rule, it will not be effective.
You cannot rely on the default security group rule to allow SSH traffic to the subnet, because network ACLs act as an additional layer of security for your VPC. Even if your security group allows SSH traffic, your network ACL must also allow it. Otherwise, the traffic will be blocked at the subnet level.


NEW QUESTION # 22
Refer to the exhibit

You are tasked with deploying a webserver and FortiGate VMS in AWS_ You are using Terraform to automate the process Which two important details should you know about the Terraform files? (Choose two.)

  • A. The subnet_private 1 value is defined in the variables . tf file
  • B. After the deployment, Terraform output values are visible only through AWS CloudShell.
  • C. You must specify all the AWS credentials in the output. of file.
  • D. All the output values are available after a successful terraform apply command

Answer: A,D

Explanation:
Explanation
A: All the output values are available after a successful terraform apply command. This means that after the deployment, you can view the output values by running terraform output or terraform show in the same directory where you ran terraform apply1. You can also use the output values in other Terraform configurations or external systems by using the terraform output command with various options2. B. The subnet_private_1 value is defined in the variables.tf file. This means that the subnet_private_1 value is an input variable that can be customized by passing a different value when running terraform apply or by setting an environment variable3. The variables.tf file is where you declare all the input variables for your Terraform configuration4.
The other options are incorrect because:
After the deployment, Terraform output values are not visible only through AWS CloudShell. You can access them from any shell or terminal where you have Terraform installed and configured with your AWS credentials.
You do not need to specify all the AWS credentials in the output.tf file. The output.tf file is where you declare all the output values for your Terraform configuration4. You can specify your AWS credentials in a separate file, such as provider.tf, or use environment variables or shared credentials files. References:
Output Values - Configuration Language | Terraform - HashiCorp Developer Command: output - Terraform by HashiCorp Input Variables - Configuration Language | Terraform - HashiCorp Developer Configuration Language | Terraform - HashiCorp Developer


NEW QUESTION # 23
Refer to Exhibit:

The exhibit shows the Connect Peers settings on Amazon Web Services (AWS) transit gateway attachments With two FortiGate VMS in a security VPC.
Which two statements are correct? (Choose two.)

  • A. The peer GRE address is the FortiGate external interface IP address.
  • B. The Peer GRE address is the FortiGate internal interface IP address
  • C. The BGP inside CIDR blocks can be any CIDR block with /29
  • D. The Transit Gateway GRE address is auto-generated

Answer: A,D

Explanation:
Explanation
A: The peer GRE address is the FortiGate external interface IP address. This is the IP address of the FortiGate interface that is connected to the transit gateway attachment subnet1. This IP address is used to establish the GRE tunnel between the FortiGate and the transit gateway2. B. The Transit Gateway GRE address is auto-generated. This is the IP address of the transit gateway that is used to establish the GRE tunnel with the FortiGate2. This IP address is automatically assigned by AWS from the Transit Gateway CIDR range that you specify when you create the Connect attachment3.
The other options are incorrect because:
The BGP inside CIDR blocks cannot be any CIDR block with /29. They must be a /29 CIDR block from the 169.254.0.0/16 range for IPv4, or a /125 CIDR block from the fd00::/8 range for IPv64. These are the inside IP addresses that are used for BGP peering over the GRE tunnel4.
The Peer GRE address is not the FortiGate internal interface IP address. The internal interface IP address is used to route traffic from the FortiGate to the VPC subnet where the third-party appliance (such as SD-WAN) is located1. The Peer GRE address is used to route traffic from the FortiGate to the transit gateway over the GRE tunnel2.


NEW QUESTION # 24
When adding the Amazon Web Services (AWS) account to the FortiCNP, which three mandatory configuration steps must you follow? (Choose three.)

  • A. Accept FortiCNP to create CloudTrail for the account
  • B. Enable cloud protection through AWS Guard Duty and AWS Inspector
  • C. Add AWS accounts through FortiCNP.
  • D. Enable cross-reg Ion aggregation
  • E. Launch the CloudFormation template.

Answer: A,C,E

Explanation:
Explanation
When adding the Amazon Web Services (AWS) account to the FortiCNP, you must follow these three mandatory configuration steps:
Add AWS accounts through FortiCNP. This is the first step to enable cloud protection for your AWS account. You can add one or multiple accounts automatically or manually. You need to provide the AWS account ID and a name for the account. You also need to select the optional permissions to be granted to FortiCNP as needed1.
Accept FortiCNP to create CloudTrail for the account. This is required for FortiCNP to collect and analyze the AWS API calls and events. You can choose to let FortiCNP create a CloudTrail for the account or use an existing one. You also need to specify the aggregation region for the CloudTrail1.
Launch the CloudFormation template. This is required for FortiCNP to create a stack and a role in your AWS account. The stack contains the resources that FortiCNP needs to access and monitor your AWS account. The role allows FortiCNP to assume it and perform actions on your behalf. You need to enter a custom or default role name and a unique UUID that is designated for your company on FortiCNP1.
References: Add AWS Account Automatically
https://docs.fortinet.com/document/forticnp/22.4.a/online-help/246021/add-aws-account-automatically


NEW QUESTION # 25
You are tasked with deploying a FortiGate HA solution in Amazon Web Services (AWS) using Terraform What are two steps you must take to complete this deployment? (Choose two.)

  • A. Create an AWS Active Directory user with permissions.
  • B. Enable automation on the AWS portal.
  • C. Create an AWS Identity and Access Management (IAM) user With permissions.
  • D. Use CloudSheIl to install Terraform.

Answer: C,D

Explanation:
Explanation
To deploy a FortiGate HA solution in AWS using Terraform, you need to create an AWS IAM user with permissions to access the AWS resources and services required by the FortiGate-VM. You also need to use CloudShell to install Terraform, which is a tool for building, changing, and versioning infrastructure as code.
References:
Deploying FortiGate-VM using Terraform | AWS Administration Guide
Setting up IAM roles | AWS Administration Guide
Launching the instance using roles and user data | AWS Administration Guide Terraform by HashiCorp


NEW QUESTION # 26
Refer to the exhibit

Consider the active-active load balance sandwich scenario in Microsoft Azure.
What are two important facts in the active-active load balance sandwich scenario? (Choose two )

  • A. It is recommended to enable NAT on FortiGate policies.
  • B. It uses the vdom-exception command to exclude the configuration from being synced
  • C. It uses the FGCP protocol
  • D. It supports session synchronization for handling asynchronous traffic.

Answer: A,D

Explanation:
Explanation
B: It is recommended to enable NAT on FortiGate policies. This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets1. If NAT is not enabled, the source IP address of the packets will be the same as the load balancer's frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues1. Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing1. D. It supports session synchronization for handling asynchronous traffic. This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session2. For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table2. This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors.
The other options are incorrect because:
It does not use the vdom-exception command to exclude the configuration from being synced. The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group3. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname.
It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.


NEW QUESTION # 27
Refer to the exhibit

You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS).
You examined the variables.tf file.
What will be the final result after running the terraform init and terraform apply commands?

  • A. Terraform will not deploy a FortiGate VM
  • B. Terraform will deploy a FortiGate VM in the eu-West-1a region with two subnets and byol license.
  • C. Terraform will deploy a FortiGate VM in the eu-West-Ia region with private and public subnets.
  • D. Terraform will deploy a FortiGate VM in the eu-West-Ia region without any subnets.

Answer: C

Explanation:
Explanation
The variables.tf file shows that the FortiGate VM will be deployed in the eu-West-Ia region with private and public subnets. The region variable is set to "eu-west-1" and the availability_zone variable is set to
"eu-west-1a". The vpc_id variable is set to "vpc-0e9d6a6f" and the subnets variable is set to a list of two subnet IDs: "subnet-0f9d6a6f" and "subnet-1f9d6a6f". The license_type variable is set to "on-demand" and the ami_id variable is set to "ami-0e9d6a6f".
References:
https://docs.fortinet.com/document/fortigate/6.4.0/aws-cookbook/236478/deploying-fortigate-vm-on-aws-using-t


NEW QUESTION # 28
You need a solution to safeguard public cloud-hosted web applications from the OWASP Top 10 vulnerabilities. The solution must support the same region in which your applications reside, with minimum traffic cost Which solution meets the requirements?

  • A. Use FortiCNP
  • B. Use FortiWebCloud
  • C. Use FortiGate
  • D. Use FortiADC

Answer: B

Explanation:
Explanation
The correct answer is C. Use FortiWebCloud.
FortiWebCloud is a SaaS cloud-based web application firewall (WAF) that protects public cloud hosted web applications from the OWASP Top 10, zero day threats, and other application layer attacks1.FortiWebCloud also includes robust features such as API discovery and protection, bot mitigation, threat analytics, and advanced reporting2.FortiWebCloud supports multiple regions across the world, and you can choose the region that is closest to your applications to minimize traffic cost3.
The other options are incorrect because:
FortiADC is an application delivery controller that provides load balancing, acceleration, and security for web applications.It is not a dedicated WAF solution and does not offer the same level of protection as FortiWebCloud4.
FortiCNP is a cloud-native platform that provides security and visibility for containerized applications.It is not a WAF solution and does not protect web applications from the OWASP Top 10 vulnerabilities5.
FortiGate is a next-generation firewall (NGFW) that provides network security and threat prevention. It is not a WAF solution and doesnot offer the same level of protection as FortiWebCloud for web applications.It also requires additional configuration and management to deploy in the public cloud6.
1:Overview | FortiWeb Cloud 23.3.0 - Fortinet Documentation2:Web Application Firewall (WAF) & API Protection | Fortinet3: [FortiWeb Cloud WAF-as-a-Service | Fortinet]4: [Application Delivery Controller (ADC) | Fortinet]5: [Fortinet Cloud Native Platform | Fortinet]6: [FortiGate Next-Generation Firewall (NGFW) | Fortinet]


NEW QUESTION # 29
Refer to the exhibit

In your Amazon Web Services (AWS), you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful.
Also, you must ensure that the Customer VPC FortiGate VM sends all the outbound Internet traffic through the Security VPC How do you correct this Issue with minimal configuration changes?
(Choose three.)

  • A. Add route destination 0 0.0 0/0 to target the transit gateway
  • B. Add a route With your local internet public IP address as thedestination and target transit gateway
  • C. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC,
  • D. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway
  • E. Add a route With your local internet public IP address as the destination and target internet gateway

Answer: A,C,D

Explanation:
Explanation
B: Add route destination 0.0.0.0/0 to target the transit gateway. This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs1. The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model2. D. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway. This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located3. An internet gateway is a service that enables communication between your VPC and the internet4. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources. E. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC. This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located3. This is an alternative solution to option D, depending on which subnet you want to use for the FortiGate VM.
The other options are incorrect because:
Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet1. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.
Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC1. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.


NEW QUESTION # 30
Refer to the exhibit

You attempted to access the Linux1 EC2 instance directly from the internet using its public IP address in AWS.
However, your connection is not successful.
Given the network topology, what can be the issue?

  • A. There is no internet gateway attached to the Spoke VPC A.
  • B. There is no connection between VPC A and VPC B.
  • C. There is no elastic IP address attached to FortiGate in the Security VPC.
  • D. The Transit Gateway BGP IP address is incorrect.

Answer: A

Explanation:
Explanation
This is because the Linux1 EC2 instance is not accessible directly from the internet using its public IP address in AWS.
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. Without an internet gateway, the Linux1 EC2 instance cannotreceive or send traffic to or from the internet, even if it has a public IP address assigned to it.
To fix this issue, you need to attach an internet gateway to the Spoke VPC A and configure a route table that directs internet-bound traffic to the internet gateway. You also need to ensure that the Linux1 EC2 instance has a security group that allows inbound and outbound traffic on the desired ports.
[Internet Gateways - Amazon Virtual Private Cloud] : [Attach an Internet Gateway to Your VPC - Amazon Virtual Private Cloud] : [Security Groups for Your VPC - Amazon Virtual Private Cloud]


NEW QUESTION # 31
You are tasked with deploying a FortiGate HA solution in Amazon Web Services (AWS) using Terraform What are two steps you must take to complete this deployment? (Choose two.)

  • A. Create an AWS Active Directory user with permissions.
  • B. Enable automation on the AWS portal.
  • C. Create an AWS Identity and Access Management (IAM) user With permissions.
  • D. Use CloudSheIl to install Terraform.

Answer: C,D

Explanation:
Explanation
To deploy a FortiGate HA solution in AWS using Terraform, you need to create an AWS IAM user with permissions to access the AWS resources and services required by the FortiGate-VM. You also need to use CloudShell to install Terraform, which is a tool for building, changing, and versioning infrastructure as code.
References:
Deploying FortiGate-VM using Terraform | AWS Administration Guide
Setting up IAM roles | AWS Administration Guide
Launching the instance using roles and user data | AWS Administration Guide Terraform by HashiCorp


NEW QUESTION # 32
Refer to the exhibit.

You are troubleshooting a FortiGate HA floating IP issue with Microsoft Azure. After the failover, the new primary device does not have the previous primary device floating IP address.
What could be the possible issue With this scenario?

  • A. A wrong client secret credential is used
  • B. The error is caused by credential time expiration.
  • C. FortiGate port4 does not have internet access.
  • D. The Azure service principle account must have a contributor role.

Answer: D

Explanation:
Explanation
In this scenario, the issue is caused by the Azure service principle account nothaving a contributor role. This is required for the FortiGate HA floating IP to work properly. Without this role, the new primary device will not have the previous primary device floating IP address after failover. References: Fortinet Public Cloud Security knowledge source documents or study guide.
https://docs.fortinet.com/product/fortigate-public-cloud/7.2


NEW QUESTION # 33
Which two attachments are necessary to connect a transit gateway to an existing VPC with BGP? (Choose two )

  • A. A GRE attachment
  • B. A connect attachment
  • C. A BGP attachment
  • D. A transport attachment

Answer: B,D

Explanation:
Explanation
The correct answer is A and C. A transport attachment and a connect attachment are necessary to connect a transit gateway to an existing VPC with BGP.
According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. To connect a transit gateway to an existing VPC with BGP, you need to do the following steps:
Create a transport attachment. A transport attachment is a resource that connects a VPC or VPN to a transit gateway. You can specify the BGP options for the transport attachment, such as the autonomous system number (ASN) and the BGP peer IP address.
Create a connect attachment. A connect attachment is a resource that enables you to use your own appliance to provide network services for traffic that flows through the transit gateway. You can use a connect attachment to route traffic between the transport attachment and your appliance using GRE tunnels and BGP.
The other options are incorrect because:
A BGP attachment is not a valid type of attachment for a transit gateway. BGP is a protocol that enables dynamic routing between the transit gateway and the VPC or VPN.
A GRE attachment is not a valid type of attachment for a transit gateway. GRE is a protocol that encapsulates packets for tunneling purposes. GRE tunnels are established between the connect attachment and your appliance.
[Transit Gateways - Amazon Virtual Private Cloud] : [Transit Gateway Connect - Amazon Virtual Private Cloud]


NEW QUESTION # 34
Refer to the exhibit

You are tasked with deploying FortiGate using Terraform. When you run the terraform version command during the Terraform installation, you get an error message.
What could be the reason that you are getting the command not found error?

  • A. You must move the binary file to the bin directory.
  • B. You must reinstall Terraform
  • C. You must assign correct permissions to the ec2-user.
  • D. You must change the directory location to the root directory

Answer: A

Explanation:
Explanation
According to the Terraform documentation for installing Terraform on Linux1, you need to download a zip archive that contains a single binary file called terraform. You need to unzip the archive and move the binary file to a directory that is included in your system's PATH environment variable, such as /usr/local/bin. This way, you can run the terraform command from any directory without specifying the full path1.
If you do not move the binary file to the bin directory, you will get a command not found error when you try to run the terraform version command, as shown in the screenshot. To fix this error, you need to move the binary file to the bin directory or specify the full path of the binary file when running the command1.
1: Install Terraform | Terraform - HashiCorp Learn


NEW QUESTION # 35
Refer to the exhibit

An administrator is trying to deploy a FortiGate VM in Microsoft Azure using Terraform However, during the configuration, the Azure client secret is no longer visible in the Azure portal.
How would the administrator obtain the Azure
client secret to configure on Terratorm?

  • A. Log in to the Azure CLI with power user to obtain the client secret
  • B. The administrator must create a new Azure account
  • C. The administrator can create a new client secret
  • D. The administrator must obtain the client secret through Azure Cloud Shell.

Answer: C

Explanation:
Explanation
The Azure client secret is a one-time value that is only visible when it is created. If the administrator loses or forgets the client secret, they cannot retrieve it from the Azure portal. However, they can create a new client secret and use it to configure Terraform. To create a new client secret, they need to follow these steps12:
Sign in to the Azure portal and navigate to the Azure Active Directory service.
Select the application name under the App Registrations.
Select Certificates & Secrets > New client secret to create a new client secret.
Add a description and an expiration date for the client secret and select Add.
Copy the value of the new client secret immediately as it will not be shown again.
References:
Generate new Client Secret and link to key-vault | Microsoft Learn
Azure Quickstart - Set and retrieve a secret from Key Vault using Azure portal | Microsoft Learn


NEW QUESTION # 36
Which statement about Transit Gateway (TGW) in Amazon Web Services (AWS) is true?

  • A. The TGW default route table cannot be disabled.
  • B. TGW can have multiple TGW route tables.
  • C. Both the TGW attachment and propagation must be in the same TGW route table
  • D. A TGW attachment can be associated with multiple TGW route tables.

Answer: B

Explanation:
Explanation
According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway route table is a set of rules that determines how traffic is routed among the attachments to the transit gateway1.
A transit gateway can have multiple route tables, and you can associate different attachments with different route tables. This allows you to control how traffic is routed between your VPCs and VPNs based on your network design and security requirements1.
The other options are incorrect because:
Both the TGW attachment and propagation must be in the same TGW route table is not true. You can associate an attachment with one route table and enable propagation from another attachment to a different route table. This allows you to separate the routing domains for your attachments1.
A TGW attachment can be associated with multiple TGW route tables is not true. You can only associate an attachment with one route table at a time. However, you can change the association at any time1.
The TGW default route table cannot be disabled is not true. You can disable the default route table by deleting all associations and propagations from it. However, you cannot delete the default route table itself1.
1: Transit Gateways - Amazon Virtual Private Cloud


NEW QUESTION # 37
......

NSE7_PBC-7.2 Study Guide Realistic Verified Dumps: https://pass4sure.actual4dump.com/Fortinet/NSE7_PBC-7.2-actualtests-dumps.html

Related Articles

more
Fortinet NSE7_PBC-7.2 Certification Practice Exam