When configuring the FortiCASB policy, which three configuration options are available? (Choose three.)
A. Intrusion prevention policies
B. Threat protection policies
C. Data loss prevention policies
D. Compliance policies
E. Antivirus policies

Refer to the exhibit. A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Web servers to the Internet. The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface.
What are two possible reasons for this behavior? (Choose two.)
A. The web servers are not configured with the default gateway.
B. The Internet gateway (IGW) is not added to the VPC (virtual private cloud).
C. AWS source and destination checks are enabled on the FortiGate interfaces.
D. AWS security groups may be blocking the traffic.

An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
What action will the worker node automatically perform to restore access to the black-holed subnet?
A. The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.
B. The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.
C. The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node's private subnet interface.
D. The worker node migrates the subnet to a different availability zone.

Which two statements about Amazon Web Services (AWS) network access control lists (ACLs) are true? (Choose two.)
A. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
B. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
C. Network ACLs must be manually applied to virtual network interfaces.
D. Network ACLs support allow rules and deny rules.

When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?
A. Less than 10 seconds
B. 30 seconds
C. 20 seconds
D. 16 seconds

Refer to the exhibit. You attempted to deploy the FortiGate-VM in Microsoft Azure with the JSON template, and it failed to boot up. The exhibit shows an excerpt from the JSON template.
What is incorrect with the template?
A. The LUN ID is not defined.
B. FortiGate-VM does not support managedDisk from Azure.
C. The caching parameter should be None.
D. The CreateOptions parameter should be FromImage.

An organization deploys a FortiGate-VM (VM04 / c4.xlarge) in Amazon Web Services (AWS) and configures two elastic network interfaces (ENIs). Now, the same organization wants to add additional ENIs to support different workloads in their environment.
Which action can you take to accomplish this?
A. None, you cannot create and add additional ENIs to an existing FortiGate-VM.
B. Create the ENI, shut down FortiGate, attach the ENI to FortiGate, and then start FortiGate.
C. Create the ENI, attach it to FortiGate, and then restart FortiGate.
D. Create the ENI and attach it to FortiGate.

You have been asked to develop an Azure Resource Manager infrastructure-as-code template for the FortiGate-VM that can be reused for multiple deployments. The deployment fails, and errors point to the storageAccount name.
Which two are restrictions for a storageAccount name in an Azure Resource Manager template? (Choose two.)
A. The uniqueString() function must be used.
B. The storageAccount name must use special characters.
C. The storageAccount name must be in lowercase.
D. The storageAccount name must contain between 3 and 24 alphanumeric characters.

Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through
A. Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute
B. Configure a user-defined route table
C. Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
D. Configure the gateway subnet as the subnet in the user-defined route table
E. Define a default route where the next hop IP is the FortiGate WAN interface

You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:
Two FortiGate devices must be deployed, each in a different availability zone.
Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active-active topology.
An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.
Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?
A. config system sdn-connector
B. config system ha
C. config system auto-scale
D. config system session-sync