An organization has created a VPC with two subnets and deployed a FortiGate-VM (VM04/c4.xlarge) in AWS.
The EC2 instance is initially configured with two Elastic Network Interfaces (ENIs). The primary ENI is configured on the public subnet, and the secondary ENI is configured on the private subnet. To provide internet access for the FortiGate-VM, they now want to associate an EIP to its primary ENI, but the assignment is failing.
Which action would allow the EIP assignment to be successful?
Internet Gateway Requirement:
For an Elastic IP (EIP) to be assigned to an instance's primary ENI, the VPC must have an Internet Gateway (IGW) attached. The IGW enables the VPC to communicate with the internet, allowing the EIP to function properly (Option C).
Process of Assigning EIP:
Once the Internet Gateway is attached to the VPC, the EIP can be successfully assigned to the primary ENI of the FortiGate VM, providing it with internet access.
Other Options Analysis:
Option A is incorrect because the primary ENI is already in a public subnet.
Option B is not necessary and may not solve the issue without an attached Internet Gateway.
Option D is partially correct about the routing table but does not address the primary issue of needing an Internet Gateway.
A customer has deployed FortiGate Cloud-Native Firewall (CNF).
Which two statements are correct about policy sets? (Choose two.)
Implicit Deny Rule:
Similar to traditional firewall rule sets, FortiGate Cloud-Native Firewall (CNF) includes an implicit deny rule at the bottom of each policy set. This means any traffic that does not match an existing rule in the policy set is automatically denied (Option A).
Policy Set Creation:
When a new CNF instance is deployed, a new policy set is created specifically for that instance. This ensures that each CNF instance can have a tailored set of security policies based on the specific needs of the deployment (Option C).
Other Options Analysis:
Option B is incorrect because policy sets do not require manual synchronization; they are applied automatically once configured.
Option D is incorrect as a single CNF instance operates with a single policy set at a time.
FortiGate CNF Documentation: FortiGate CNF
Firewall Policy Best Practices: Fortinet Policies
Your organization is deciding between deploying an active-active (A-A) or active-passive (A-P) FortiGate high availability (HA) cluster in AWS cloud.
Which two statements are true about A-A clusters compared to A-P clusters? (Choose two.)
Symmetric Traffic Flow with SNAT:
In active-active (A-A) clusters, symmetric traffic flow is essential for maintaining session integrity across multiple instances. Source Network Address Translation (SNAT) is performed inbound to ensure that return traffic is routed correctly (Option A).
Load Balancer Requirement:
A-A clusters require a load balancer to distribute incoming traffic evenly across the active instances. This is crucial for balancing the load and providing high availability (Option C).
API Calls and Failovers:
Option B is incorrect because failovers in A-A clusters do not typically rely on API calls but are managed by the load balancer and the clustering mechanism itself.
Software-Defined Network (SDN) Failover:
Option D is incorrect as SDN is not specifically required for performing failovers in A-A clusters. The failover mechanism is typically managed by the load balancer and FortiGate's clustering technology.
FortiGate High Availability on AWS: FortiGate HA
Refer to the exhibit.
An organization deployed the application servers in the AWS VPC that connects to the corporate data center using Transit Gateway Connect. Demand for the applications has grown and the connection requires more bandwidth.
What is required to achieve higher bandwidth?
Understanding Transit Gateway Connect:
Transit Gateway Connect is a feature of AWS Transit Gateway that simplifies the integration of SD-WAN networks with AWS. It uses Generic Routing Encapsulation (GRE) tunnels to facilitate this connection.
GRE Tunnels and Bandwidth:
GRE tunnels can dynamically scale to meet increasing bandwidth demands. They allow multiple tunnels between the same endpoints, which can aggregate bandwidth without requiring additional configuration.
Scaling Bandwidth with GRE:
The GRE protocol used by Transit Gateway Connect can support high bandwidth requirements by spreading traffic across multiple tunnels. As demand grows, additional tunnels can be automatically used to handle the increased traffic load.
Comparison with Other Options:
Option A suggests using public IP addresses, which is not relevant to bandwidth scaling.
Option B is incorrect because bandwidth can be increased through GRE scaling.
Option D suggests adding a Transit VPC, which is unnecessary for increasing bandwidth when using Transit Gateway Connect.
Refer to the exhibit.
You deployed an active-passive FortiGate HA cluster using a CloudFormation template on an existing VPC. Now you want to test active-passive FortiGate HA failover by running a debug so you can see the API calls to change the Elastic and secondary IP addresses.
Which statement is correct about the output of the debug?
HA Event and Failover:
The debug output indicates that a failover event occurred and the secondary instance (Fgt2) is now taking over as the master.
Elastic IP Association:
The debug output shows the process of moving the Elastic IP (eipalloc-090425f83f912c8d6) to the new master instance. This involves associating the Elastic IP with the appropriate network interface (eni) of the new master.
Specific IP Address Association:
The Elastic IP is specifically associated with port1 of Fgt2. The message 'associate elastic ip eipalloc-090425f83f912c8d6 to 10.0.0.13 of eni eni-0f6b35f8fccd24eb0' indicates that the Elastic IP is now linked to the primary IP address (10.0.0.13) on port1 of the new master.
Other Options Analysis:
Option A is incorrect because the routing table update details are not explicitly stated.
Option C is incorrect because the IP address association mentioned relates to an Elastic IP, not eni-0b61d8afc0aefb8a2.
Option D is incorrect because it specifically mentions port2 for the Elastic IP association, which is not indicated in the debug output.
FortiGate HA Configuration Guide: FortiGate HA
