• Home
  • Articles
  • [Feb-2024] Fortinet NSE7_PBC-7.2 Exam Practice Test Questions - ActualTestsIT [Q14-Q29]

[Feb-2024] Fortinet NSE7_PBC-7.2 Exam Practice Test Questions - ActualTestsIT [Q14-Q29]

Share

[Feb-2024] Fortinet NSE7_PBC-7.2 Exam Practice Test Questions - ActualTestsIT

Updated Certification Exam NSE7_PBC-7.2 Dumps - Practice Test Questions


Fortinet NSE7_PBC-7.2 certification exam is a rigorous and challenging exam that requires candidates to demonstrate a deep understanding of public cloud security concepts, principles, and best practices. NSE7_PBC-7.2 exam format includes multiple-choice questions, scenario-based questions, and hands-on lab exercises. NSE7_PBC-7.2 exam is proctored and timed, and candidates have three hours to complete it.

 

NEW QUESTION # 14
Refer to Exhibit:

The exhibit shows the Connect Peers settings on Amazon Web Services (AWS) transit gateway attachments With two FortiGate VMS in a security VPC.
Which two statements are correct? (Choose two.)

  • A. The Transit Gateway GRE address is auto-generated
  • B. The BGP inside CIDR blocks can be any CIDR block with /29
  • C. The peer GRE address is the FortiGate external interface IP address.
  • D. The Peer GRE address is the FortiGate internal interface IP address

Answer: A,C

Explanation:
Explanation
A: The peer GRE address is the FortiGate external interface IP address. This is the IP address of the FortiGate interface that is connected to the transit gateway attachment subnet1. This IP address is used to establish the GRE tunnel between the FortiGate and the transit gateway2. B. The Transit Gateway GRE address is auto-generated. This is the IP address of the transit gateway that is used to establish the GRE tunnel with the FortiGate2. This IP address is automatically assigned by AWS from the Transit Gateway CIDR range that you specify when you create the Connect attachment3.
The other options are incorrect because:
The BGP inside CIDR blocks cannot be any CIDR block with /29. They must be a /29 CIDR block from the 169.254.0.0/16 range for IPv4, or a /125 CIDR block from the fd00::/8 range for IPv64. These are the inside IP addresses that are used for BGP peering over the GRE tunnel4.
The Peer GRE address is not the FortiGate internal interface IP address. The internal interface IP address is used to route traffic from the FortiGate to the VPC subnet where the third-party appliance (such as SD-WAN) is located1. The Peer GRE address is used to route traffic from the FortiGate to the transit gateway over the GRE tunnel2.


NEW QUESTION # 15
You have created a TGW route table to route traffic from your spoke VPC to the security VPC where two FortiGate devices are inspecting traffic. Your spoke VPC CIDR block is already propagated to the Transit Gateway (TGW) route table.
Which type of attachment should you use to advertise routes through BGP from the spoke VPC to the security VPC?

  • A. Route attachment
  • B. Connect attachment
  • C. VPC attachment
  • D. GRE attachment

Answer: C

Explanation:
Explanation
A VPC attachment is the type of attachment that allows you to connect a VPC to a TGW and advertise routes through BGP. A VPC attachment creates a VPN connection between the VPC and the TGW, and enables dynamic routing with BGP. A connect attachment is used to connect a VPN or Direct Connect gateway to a TGW. A route attachment is not a valid type of attachment for TGW. A GRE attachment is used to connect a FortiGate device to a TGW using GRE tunnels. References:
Creating the TGW and related resources
Configuring TGW route tables
FortiGate Public Cloud 7.2.0 - Fortinet Documentation
Updating the route table and adding an IAM policy


NEW QUESTION # 16
Refer to the exhibit

An administrator is trying to deploy a FortiGate VM in Microsoft Azure using Terraform However, during the configuration, the Azure client secret is no longer visible in the Azure portal.
How would the administrator obtain the Azure
client secret to configure on Terratorm?

  • A. The administrator must create a new Azure account
  • B. The administrator can create a new client secret
  • C. Log in to the Azure CLI with power user to obtain the client secret
  • D. The administrator must obtain the client secret through Azure Cloud Shell.

Answer: B

Explanation:
Explanation
The Azure client secret is a one-time value that is only visible when it is created. If the administrator loses or forgets the client secret, they cannot retrieve it from the Azure portal. However, they can create a new client secret and use it to configure Terraform. To create a new client secret, they need to follow these steps12:
Sign in to the Azure portal and navigate to the Azure Active Directory service.
Select the application name under the App Registrations.
Select Certificates & Secrets > New client secret to create a new client secret.
Add a description and an expiration date for the client secret and select Add.
Copy the value of the new client secret immediately as it will not be shown again.
References:
Generate new Client Secret and link to key-vault | Microsoft Learn
Azure Quickstart - Set and retrieve a secret from Key Vault using Azure portal | Microsoft Learn


NEW QUESTION # 17
Which two Amazon Web Services (AWS) features support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A transit gateway with an attachment
  • B. A transit VPC
  • C. A NAT gateway with an EIP
  • D. An Internet gateway with an EIP

Answer: A,B

Explanation:
Explanation
The correct answer is B and D. A transit gateway with an attachment and a transit VPC support east-west traffic inspection within the AWS cloud by the FortiGate VM.
According to the Fortinet documentation for Public Cloud Security, a transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway.By using a transit gateway with an attachment, you can route traffic from your spoke VPCs to your security VPC, where the FortiGate VM can inspect the traffic1.
A transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs).By using a transit VPC, you can deploy the FortiGate VM as a virtual appliance that provides network security and threat prevention for your VPCs2.
The other options are incorrect because:
A NAT gateway with an EIP is a service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.A NAT gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate VM3.
An Internet gateway with an EIP is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.An Internet gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate VM4.
1:Fortinet Documentation Library - Deploying FortiGate VMs on AWS2: [Fortinet Documentation Library - Transit VPC on AWS]3: [NAT Gateways - Amazon Virtual Private Cloud]4: [Internet Gateways - Amazon Virtual Private Cloud]


NEW QUESTION # 18
Refer to the exhibit.

You are configuring a second route table on a Transit Gateway to accommodate east-west traffic inspection between two VPCs_ However, you are getting an error during the transit gateway route table association With the Connect attachment.
Which action Should you take to fulfill your requirement?

  • A. Add both Associations and Propagations in the second TGW route table.
  • B. Delete the both Connect and Transport attachments from the first TGW route table
  • C. In the second route table: create a propagation with the Connect attachment.
  • D. Add a static route in the Routes section

Answer: C

Explanation:
Explanation
The error message indicates that the Connect attachment is already associated with another transit gateway route table. You cannot associate the same attachment with more than one route table. However, you can propagate the same attachment to multiple route tables. Therefore, to fulfill your requirement of configuring a second route table for east-west traffic inspection between two VPCs, you need to create a propagation with the Connect attachment in the second route table. This will allow the second route table to learn the routes from the Connect attachment and forward the traffic to the securityVPC1. You also need to associate the second route table with the Transport attachment, which is the transit gateway attachment for the security VPC1.
References:
Transit gateway route tables - Amazon VPC | AWS Documentation
Getting started with transit gateways - Amazon VPC | AWS Documentation
Configuring TGW route tables | FortiGate Public Cloud 7.4.0 | Fortinet Document Library


NEW QUESTION # 19
You are tasked with deploying a FortiGate HA solution in Amazon Web Services (AWS) using Terraform What are two steps you must take to complete this deployment? (Choose two.)

  • A. Create an AWS Identity and Access Management (IAM) user With permissions.
  • B. Use CloudSheIl to install Terraform.
  • C. Create an AWS Active Directory user with permissions.
  • D. Enable automation on the AWS portal.

Answer: A,B

Explanation:
Explanation
To deploy a FortiGate HA solution in AWS using Terraform, you need to create an AWS IAM user with permissions to access the AWS resources and services required by the FortiGate-VM. You also need to use CloudShell to install Terraform, which is a tool for building, changing, and versioning infrastructure as code.
References:
Deploying FortiGate-VM using Terraform | AWS Administration Guide
Setting up IAM roles | AWS Administration Guide
Launching the instance using roles and user data | AWS Administration Guide Terraform by HashiCorp


NEW QUESTION # 20
How does the immutable infrastructure strategy work in automation?

  • A. It runs two live environments for configuration changes.
  • B. It runs a single live environment for configuration changes.
  • C. It runs one idle and two live environments for configuration changes.
  • D. It runs one idle and a single live environment for configuration changes.

Answer: A

Explanation:
Explanation
Immutable infrastructure is a DevOps approach that emphasizes the creation of disposable resources instead of modifying existing ones1. This approach helps to achieve stability, consistency, and predictability in IT operations by reducing the risk of configuration drift and eliminating stateful components1.
One way to implement immutable infrastructure is to use a blue-green deployment strategy, which runs two live environments for configuration changes2. The blue environment is the current production environment, while the green environment is the new version of the application or service. When the green environment is ready, the traffic is switched from blue to green, and the blue environment is destroyed or kept as a backup2.
This way, there is no need to update or patch the existing infrastructure, but rather replace it with a new one.
References:
1: Immutable Infrastructure, Architecture, and its benefits
2: Introduction to Immutable Infrastructure - BMC Software | Blogs


NEW QUESTION # 21
Refer to Exhibit:

You are troubleshooting a Microsoft Azure SDN connector issue on your FortiGate VM in Azure Which three settings should you check while troubleshooting this problem? (Choose three.)

  • A. use the diag sys va command.
  • B. Ensure IP address 169.254.169_254 is not blocked
  • C. Ensure FortiGate portl has internet access
  • D. Use the show vdom command to see hidden VDOMs.
  • E. Ensure FortiGate port4 can resolve DNS.

Answer: B,C,E

Explanation:
Explanation
The three settings that should be checked while troubleshooting this problem are:
Ensure FortiGate port4 can resolve DNS. This is because the Azure SDN connector requires DNS resolution to communicate with the Azure API1. If the FortiGate port4 cannot resolve DNS, the SDN connector will not be able to retrieve the Azure resources and display them in the GUI.
Ensure FortiGate portl has internet access. This is because the Azure SDN connector requires internet access to communicate with the Azure API1. If the FortiGate portl does not have internet access, the SDNconnector will not be able to connect to the Azure cloud and display an error in the CLI.
Ensure IP address 169.254.169_254 is not blocked. This is because the Azure SDN connector uses this IP address to obtain metadata information from the Azure instance2. If this IP address is blocked by a firewall policy or a network ACL, the SDN connector will not be able to get the required information and display an error in the CLI.


NEW QUESTION # 22
Refer to the exhibit

You are deploying two FortiGate VMS in HA active-passive mode with load balancers in Microsoft Azure Which two statements are true in this load balancing scenario? (Choose two.)

  • A. A dedicated management interface can be used for load balancing.
  • B. The FortiGate public IP is the next-hop for all the traffic.
  • C. An internal load balancer listener is the next-hop for outgoing traffic.
  • D. You must add a route to the Microsoft VIP used for the health check.

Answer: A,C

Explanation:
A is incorrect because the FortiGate public IP is not the next-hop for all the traffic. The FortiGate public IP is only used for incoming traffic from the internet. The Azure load balancer distributes the incoming traffic to the active FortiGate VM based on a health probe123. The FortiGate public IP is not used for outgoing traffic or internal traffic.
B is correct because an internal load balancer listener is the next-hop for outgoing traffic. The internal load balancer listener is configured with a floating IP address that is assigned to the active FortiGate VM. The internal load balancer listener also has a health probe to monitor the status of the FortiGate VMs123. The internal load balancer listener forwards the outgoing traffic to the internet through the public load balancer.
C is incorrect because you do not need to add a route to the Microsoft VIP used for the health check. The Microsoft VIP is an internal IP address that is used by the Azure load balancer to send health probes to the FortiGate VMs123. The Microsoft VIP is not reachable from outside the Azure network and does not require any routing configuration on the FortiGate VMs.
D is correct because a dedicated management interface can be used for load balancing. In this deployment, port4 is used as a dedicated management interface that connects to the management network3. The dedicated management interface can be used to access the FortiGate VMs for configuration and monitoring purposes. The dedicated management interface can also be used to synchronize the configuration and session information between the primary and secondary devices in an HA cluster2.


NEW QUESTION # 23
Refer to the exhibit

The exhibit shows the results of a FortiCNP registry scan
Which two statements are correct? (Choose two )

  • A. The registry scan is part of the FortiCNP container protection.
  • B. When adding a repository, you can leave the Tag section blank to scan all images-
  • C. When adding a repository, you can add a minimum number of images to be imported through the CAP section.
  • D. The registry scan is part of the FortiCNP cloud protection.

Answer: A,B

Explanation:
Explanation
The exhibit shows the results of a FortiCNP registry scan, which is part of the FortiCNP container protection. FortiCNP's Container Protection provides deep visibility into the security posture of container registries and images1. The registry scan utilizes Common Vulnerabilities and Exposures (CVE) index regularly updated by NVD to detect underlying vulnerabilities, security flaws, and provides security best practices2. The registry scan is performed at the registry level, and it can scan all images in a repository if the Tag section is left blank when adding a repository2. The CAP section stands for Container Assurance Policy, which defines the minimum number of images to be scanned per repository3. Therefore, the correct statements are A and C. References: Container Image Scan | FortiCNP 22.3.a, FortiCNP, Cloud Native Application Protection Platform | FortiCNP


NEW QUESTION # 24
You are asked to find a solution to replace the existing VPC peering topology to have a higher bandwidth connection from Amazon Web Services (AWS) to the on-premises data center Which two solutions will satisfy the requirement? (Choose two.)

  • A. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center.
  • B. Use the transit gateway attachment With VPN option to create multiple VPN connections to the on-premises data center
  • C. Use ECMP and VPN to achieve higher bandwidth.
  • D. Use transit VPC to build multiple VPC connections to the on-premises data center

Answer: A,B

Explanation:
Explanation
The correct answer is C and D. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center.
According to the Fortinet documentation for Public Cloud Security, a transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs). A transit VPC can use a hub and spoke topology to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention.A transit VPC can also leverage Equal-Cost Multi-Path (ECMP) routing to achieve higher bandwidth and load balancing across multiple VPN tunnels1.
A transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway. You can use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention.A transit gateway attachment with VPN option can also leverage ECMP routing to achieve higher bandwidth and load balancing across multiple VPN tunnels2.
The other options are incorrect because:
Using ECMP and VPN to achieve higher bandwidth is not a complete solution, as it does not specify how to replace the existing VPC peering topology or how to connect the AWS VPCs to the on-premises data center.
Using transit VPC to build multiple VPC connections to the on-premises data center is not a correct solution, as it does not specify how to use a hub and spoke topology or how to leverage ECMP routing for higher bandwidth.
1:Fortinet Documentation Library - Transit VPC on AWS2:Fortinet Documentation Library - Deploying FortiGate VMs on AWS


NEW QUESTION # 25
You are tasked with deploying a FortiGate HA solution in Amazon Web Services (AWS) using Terraform What are two steps you must take to complete this deployment? (Choose two.)

  • A. Create an AWS Identity and Access Management (IAM) user With permissions.
  • B. Use CloudSheIl to install Terraform.
  • C. Create an AWS Active Directory user with permissions.
  • D. Enable automation on the AWS portal.

Answer: A,B

Explanation:
Explanation
To deploy a FortiGate HA solution in AWS using Terraform, you need to create an AWS IAM user with permissions to access the AWS resources and services required by the FortiGate-VM. You also need to use CloudShell to install Terraform, which is a tool for building, changing, and versioning infrastructure as code.
References:
Deploying FortiGate-VM using Terraform | AWS Administration Guide
Setting up IAM roles | AWS Administration Guide
Launching the instance using roles and user data | AWS Administration Guide Terraform by HashiCorp


NEW QUESTION # 26
Refer to the exhibit

You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS).
You examined the variables.tf file.
What will be the final result after running the terraform init and terraform apply commands?

  • A. Terraform will deploy a FortiGate VM in the eu-West-Ia region with private and public subnets.
  • B. Terraform will not deploy a FortiGate VM
  • C. Terraform will deploy a FortiGate VM in the eu-West-Ia region without any subnets.
  • D. Terraform will deploy a FortiGate VM in the eu-West-1a region with two subnets and byol license.

Answer: A

Explanation:
Explanation
The variables.tf file shows that the FortiGate VM will be deployed in the eu-West-Ia region with private and public subnets. The region variable is set to "eu-west-1" and the availability_zone variable is set to
"eu-west-1a". The vpc_id variable is set to "vpc-0e9d6a6f" and the subnets variable is set to a list of two subnet IDs: "subnet-0f9d6a6f" and "subnet-1f9d6a6f". The license_type variable is set to "on-demand" and the ami_id variable is set to "ami-0e9d6a6f".
References:
https://docs.fortinet.com/document/fortigate/6.4.0/aws-cookbook/236478/deploying-fortigate-vm-on-aws-using-t


NEW QUESTION # 27
What are two main features in Amazon Web Services (AWS) network access control lists (ACLs)? (Choose two.)

  • A. The default network ACL is configured to allow all traffic
  • B. Network ACLs are tied to an instance
  • C. You cannot use Network ACL and Security Group at the same time.
  • D. NetworkACLs are stateless, and inbound and outbound rules are used for traffic filtering

Answer: A,D

Explanation:
Explanation
B: The default network ACL is configured to allow all traffic. This means that when you create a VPC, AWS automatically creates a default network ACL for that VPC, and associates it with all the subnets in the VPC1. By default, the default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic1. You can modify the default network ACL, but you cannot delete it1. C. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering. This means that network ACLs do not keep track of the traffic that they allow or deny, and they evaluate each packet separately1. Therefore, you need to create both inbound and outbound rules for each type of traffic that you want to allow or deny1. For example, if you want to allow SSH traffic from a specific IP address to your subnet, you need to create an inbound rule to allow TCP port 22 from that IP address, and an outbound rule to allow TCP port 1024-65535 (the ephemeral ports) to that IP address2.
The other options are incorrect because:
You can use network ACL and security group at the same time. Network ACL and security group are two different types of security layers for your VPC that can work together to control traffic3. Network ACLacts as a firewall for your subnets, while security group acts as a firewall for your instances3. You can use both of them to create a more granular and effective security policy for your VPC.
Network ACLs are not tied to an instance. Network ACLs are associated with subnets, not instances1. This means that network ACLs apply to all the instances in the subnets that they are associated with1. You cannot associate a network ACL with a specific instance. However, you can associate a security group with a specific instance or multiple instances3.


NEW QUESTION # 28
You are troubleshooting an Azure SDN connectivity issue with your FortiGate VM Which two queries does that SDN connector use to interact with the Azure management API? (Choose two.)

  • A. There is only one query initiating from FortiGate port1 -
  • B. The first query is targeted to IP address 8.8
  • C. The first query is targeted to a special IP address to get a token.
  • D. Some queries are made to manage public IP addresses.

Answer: C,D

Explanation:
Explanation
The Azure SDN connector uses two types of queries to interact with the Azure management API. The first query is targeted to a special IP address to get a token. This token is used to authenticate the subsequent queries. The second type of query is used to retrieve information about the Azure resources, such as virtual machines, network interfaces, network security groups, and public IP addresses. Some queries are made to manage public IP addresses, such as assigning or releasing them from the FortiGate VM. References: Configuring an SDN connector in Azure, Azure SDN connector using service principal, Troubleshooting Azure SDN connector


NEW QUESTION # 29
......

Updated Verified NSE7_PBC-7.2 dumps Q&As - Pass Guarantee or Full Refund: https://www.actualtestsit.com/Fortinet/NSE7_PBC-7.2-exam-prep-dumps.html

NSE7_PBC-7.2 PDF Questions and Testing Engine With 40 Questions: https://drive.google.com/open?id=1AOP6P9nORvsW5_LxCfgZPGk4d6_hSYS1

Related Articles

more
Fortinet NSE7_PBC-7.2 Certification Practice Exam