Question No. 1

You have previously deployed an Amazon Web Services (AWS) transit virtual private cloud (VPC) with a pair of FortiGate firewalls (VM04 / c4.xlarge) as your security perimeter. You are beginning to see high CPU usage on the FortiGate instances.

Which action will fix this issue?

AConvert the c4.xlarge instances to m4.xlarge instances.

BMigrate the transit VPNs to new and larger instances (VM08 / c4.2xlarge).

CConvert from IPsec tunnels to generic routing encapsulation (GRE) tunnels, for the VPC peering connections.

DConvert the transit VPC firewalls into an auto-scaling group and launch additional EC2 instances in that group.

Show Answer

Correct Answer: D

Multiple FortiGate-VM instances form an Auto Scaling group to provide highly efficient clustering at times of high workloads. FortiGate-VM instances can be scaled out automatically according to predefined workload levels. https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/aws-administration-guide/397979/deploying-auto-scaling-on-aws

Question No. 2

Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)

AAction

BSequence number

CSource and destination IP ranges

DDestination port ranges

ESource port ranges

Show Answer

Correct Answer: A, D, E

Under 'Default security rules' we read source, destination, source port, destination port and access. However under 'Security rules' we read action, port ranges and source and destination, and essentially Options A, C, D and E are valid are those parameters can be configured. I would mark A D and E and source/destination port are to be seen in the table, maybe old documentation. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Question No. 3

Refer to the exhibit.

In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.

Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).

How do you achieve this outcome with minimum configuration?

ADeploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.

BDeploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.

CDeploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.

DDeploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.

Show Answer

Correct Answer: D

AWS NAT gateway allows instances in a private subnet to connect to the internet or other AWS services without using NAT instance. the main routing table sends internet traffic from the private subnet instances to the NAT gateway, then NAT gateway sends traffic to the IGW using the source IP address of the elastic IP address.

Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.

Question No. 4

You have been asked to develop an Azure Resource Manager infrastructure as a code template for the FortiGate-VM, that can be reused for multiple deployments. The deployment fails, and errors point to the storageAccount name.

Which two are restrictions for a storageAccount name in an Azure Resource Manager template? (Choose two.)

AThe uniqueString() function must be used.

BThe storageAccount name must use special characters.

CThe storageAccount name must be in lowercase.

DThe storageAccount name must contain between 3 and 24 alphanumeric characters.

Show Answer

Correct Answer: C, D

-Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview

https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep

Property values / storageAccounts

name --> The resource name :

* string (required)

* Character limit: 3-24

* Valid characters: Lowercase letters and numbers.

* Resource name must be unique across Azure.

Question No. 5

Refer to the exhibit.

A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Web servers to the Internet. The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface.

What are two possible reasons for this behavior? (Choose two.)

AThe web servers are not configured with the default gateway.

BThe Internet gateway (IGW) is not added to VPC (virtual private cloud).

CAWS source and destination checks are enabled on the FortiGate interfaces.

DAWS security groups may be blocking the traffic.

Show Answer

Correct Answer: C, D

You need to check if source/destination are enabled. Public_Cloud_6.4_Study_Guide Page 67

Free Fortinet NSE7_PBC-6.4 Exam Actual Questions

The questions for NSE7_PBC-6.4 were last updated On Nov 3, 2024