Updated Apr 06, 2023 Verified Pass NSE7_PBC-6.4 Exam in First Attempt Guaranteed [Q14-Q36]

Posted On April 6, 2023

Updated Apr 06, 2023 Verified Pass NSE7_PBC-6.4 Exam in First Attempt Guaranteed

Free NSE7_PBC-6.4 Sample Questions and 100% Cover Real Exam Questions (Updated 30 Questions)

NO.14 Refer to the exhibit.

You are deploying a FortiGate-VM in Microsoft Azure using the PAYG/On-demand licensing model. After you configure the FortiGate-VM, the validation process fails, displaying the error shown in the exhibit.
What caused the validation process to fail?

You selected the incorrect resource group.

You selected the Bring Your Own License (BYOL) licensing mode.

You selected the PAYG/On-demand licensing model, but did not select correct virtual machine size.

You selected the PAYG/On-demand licensing model, but did not associate a valid Azure subscription.

NO.15 Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)

Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute

Configure a user-defined route table

Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table

Configure the gateway subnet as the subnet in the user-defined route table

Define a default route where the next hop IP is the FortiGate WAN interface

NO.16 Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)

Action

Sequence number

Source and destination IP ranges

Destination port ranges

Source port ranges

NO.17 Refer to the exhibit.

You are configuring an active-passive FortiGate clustering protocol (FGCP) HA configuration in a single availability zone in Amazon Web Services (AWS), using a cloud formation template.
After deploying the template, you notice that the AWS console has IP information listed in the FortiGate VM firewalls in the HA configuration. However, within the configuration of FortiOS, you notice that port1 is using an IP of 10.0.0.13, and port2 is using an IP of 10.0.1.13.
What should you do to correct this issue?

Configure FortiOS to use static IP addresses with the IP addresses reflected in the ENI primary IP address configuration (as per the exhibit).

Delete the deployment and start again. You have in put the wrong parameters during the cloud formation template deployment.

Configure FortiOS to use DHCP so that it will get the correct IP addresses on the ports.

Nothing, in AWS cloud, it is normal for a FortiGate ENI primary IP address to be different than the FortiOS IP address configuration.

NO.18 What is the bandwidth limitation of an Amazon Web Services (AWS) transit gateway VPC attachment?

Up to 1.25 Gbps per attachment

Up to 50 Gbps per attachment

Up to 10 Gbps per attachment

Up to 1 Gbps per attachment

Explanation
-The maximum bandwidth per “VPC attachment”, AWS Direct Connect gateway, or peered transit gateway connection Up to 50 Gbps https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html with Transit Gateway, Maximum bandwidth (burst) per Availability Zone per VPC connection is 50 Gbps.
VPC peering has no aggregate bandwidth. Individual instance network performance limits and flow limits (10 Gbps within a placement group and 5 Gbps otherwise) apply to both options. Only VPC peering supports placement groups. Reference:
https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf

NO.19 An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?

The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.

The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node’s private subnet interface.

The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node’s private subnet interface.

The worker node migrates the subnet to a different availability zone.

NO.20 You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:
*Two FortiGate devices must be deployed; each in a different availability zone.
*Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
*An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active- active topology.
*An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.
*Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?

config system sdn-connector

config system ha

config system auto-scale

config system session-sync

Explanation
FTG HA Active/Active requires the following configuration to sync the session by FGSP config system ha set session-pickup enable set session-pickup-connectionless enable set session-pickup-nat enable set session-pickup-expectation enable set override disable end config system cluster-sync edit 0 set peerip 10.0.1.x set syncvd “root” next end
https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Active-ELB-ILB

NO.21

Refer to the exhibit. The exhibit shows a topology where multiple connections from clients to the same FortiGate-VM instance, regardless of the protocol being used, are required.
Which two statements are correct? (Choose two.)

The design shows an active-active FortiGate-VM architecture.

The Cloud Load Balancer Session Affinity setting should be changed to CLIENT_IP.

The design shows an active-passive FortiGate-VM architecture.

The Cloud Load Balancer Session Affinity setting should use the default value.

NO.22 An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?

The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.

The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node’s private subnet interface.

The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node’s private subnet interface.

The worker node migrates the subnet to a different availability zone.

Explanation
Official documentation, failover process on a single AZ,
https://github.com/fortinet/aws-cloudformation-templates/blob/main/FGCP/7.0/SingleAZ/README.md#failove
|| Outbound failover is provided by reassigning the secondary IP addresses of ENI1\port2 from FortiGate 1’s private interface to FortiGate 2’s private interface. ##Additionally any route targets referencing FortiGate 1’s private interface will be updated to reference FortiGate 2’s private interface.##
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0

NO.23 Which statement about FortiSandbox in Amazon Web Services (AWS) is true?

In AWS, virtual machines (VMs) that inspect files do not have to be reset after inspecting a file.

FortiSandbox in AWS uses Windows virtual machines (VMs) to inspect files.

In AWS, virtual machines (VMs) that inspect files are constantly up and running.

FortiSandbox in AWS can have a maximum of eight virtual machines (VMs) that inspect files.

NO.24 Refer to the exhibit.

Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)

Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.

Use ExpressRoute to interconnect the hub VNets and spoke VNets.

Configure VNet peering between the spokes only.

Configure VNet peering between the hub and spokes.

NO.25 When configuring the FortiCASB policy, which three configuration options are available? (Choose three.)

Intrusion prevention policies

Threat protection policies

Data loss prevention policies

Compliance policies

Antivirus policies

Explanation
Policy setting allows you to configure each policy to fit the need of your usage. You can select any type of Policy (Data Analysis, Threat Protection or Compliance)
https://docs.fortinet.com/document/forticasb/20.1.0/online-help/482958/policy-configuration

NO.26 Which two statements about Microsoft Azure network security groups are true? (Choose two.)

Network security groups can be applied to subnets and virtual network interfaces.

Network security groups can be applied to subnets only.

Network security groups are stateless inbound and outbound rules used for traffic filtering.

Network security groups are a stateful inbound and outbound rules used for traffic filtering.

NO.27 You have been tasked with deploying FortiGate VMs in a highly available topology on the Amazon Web Services (AWS) cloud. The requirements for your deployment are as follows:
*You must deploy two FortiGate VMs in a single virtual private cloud (VPC), with an external elastic load balancer which will distribute ingress traffic from the internet to both FortiGate VMs in an active-active topology.
*Each FortiGate VM must have two elastic network interfaces: one will connect to a public subnet and other will connect to a private subnet.
*To maintain high availability, you must deploy the FortiGate VMs in two different availability zones.
How many public and private subnets will you need to configure within the VPC?

One public subnet and two private subnets

Two public subnets and one private subnet

Two public subnets and two private subnets

One public subnet and one private subnet

Explanation
https://github.com/fortinet/aws-cloudformation-templates/blob/master/LambdaAA-RouteFailover/6.0/README
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0

NO.28 A company deployed a FortiGate-VM with an on-demand license using Amazon Web Services (AWS) Market Place Cloud Formation template. After deployment, the administrator cannot remember the default admin password.
What is the default admin password for the FortiGate-VM instance?

The admin password cannot be recovered and the customer needs to deploy the FortiGate-VM again.

<blank>

admin

The instance-ID value

NO.29 Refer to the exhibit.

The exhibit shows a topology where multiple connections from clients to the same FortiGate-VM instance, regardless of the protocol being used, are required.
Which two statements are correct? (Choose two.)

The design shows an active-active FortiGate-VM architecture.

The Cloud Load Balancer Session Affinity setting should be changed to CLIENT_IP.

The design shows an active-passive FortiGate-VM architecture.

The Cloud Load Balancer Session Affinity setting should use the default value.

NO.30 You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?

GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.

GuardDuty, CloudWatch, S3, and DynamoDB.

Inspector, Shield, GuardDuty, S3, and DynamoDB.

WAF, Shield, GuardDuty, S3, and DynamoDB.

NO.31 Your company deploys FortiGate VM devices in high availability (HA) (active-active) mode with Microsoft Azure load balancers using the Microsoft Azure ARM template. Your senior administrator instructs you to connect to one of the FortiGate devices and configure the necessary firewall rules. However, you are not sure now to obtain the correct public IP address of the deployed FortiGate VM and identify the access ports.
How do you obtain the public IP address of the FortiGate VM and identify the correct ports to access the device?

In the configured load balancer, access the inbound NAT rules section.

In the configured load balancer, access the backend pools section.

In the configured load balancer, access the inbound and outbound NAT rules section.

In the configured load balancer, access the health probes section.

NO.32 You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?

GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.

GuardDuty, CloudWatch, S3, and DynamoDB.

Inspector, Shield, GuardDuty, S3, and DynamoDB.

WAF, Shield, GuardDuty, S3, and DynamoDB.

Explanation
You must subscribe to GuardDuty, CloudWatch, S3, and DynamoDB.
https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/aws-administration-guide/908646/populating-thr

NO.33

Refer to the exhibit. Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)

Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.

Use ExpressRoute to interconnect the hub VNets and spoke VNets.

Configure VNet peering between the spokes only.

Configure VNet peering between the hub and spokes.

NO.34 Refer to the exhibit.

In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?

Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.

Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.

Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.

Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.

NO.35 Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

A single VPC deployment with multiple subnets and a NAT gateway

A single VPC deployment with multiple subnets

A multiple VPC deployment utilizing a transit VPC topology

A multiple VPC deployment utilizing a transit gateway

NO.36 You have previously deployed an Amazon Web Services (AWS) transit virtual private cloud (VPC) with a pair of FortiGate firewalls (VM04 / c4.xlarge) as your security perimeter. You are beginning to see high CPU usage on the FortiGate instances.
Which action will fix this issue?

Convert the c4.xlarge instances to m4.xlarge instances.

Migrate the transit VPNs to new and larger instances (VM08 / c4.2xlarge).

Convert from IPsec tunnels to generic routing encapsulation (GRE) tunnels, for the VPC peering connections.

Convert the transit VPC firewalls into an auto-scaling group and launch additional EC2 instances in that group.

Explanation
Multiple FortiGate-VM instances form an Auto Scaling group to provide highly efficient clustering at times of high workloads. FortiGate-VM instances can be scaled out automatically according to predefined workload levels.
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/aws-administration-guide/397979/deploying-auto

Loading …

The Fortinet NSE7_PBC-6.4 certification exam is designed to validate the knowledge and skills of security professionals in securing public cloud environments. This exam is targeted towards individuals who have experience with public cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. The exam covers topics such as cloud security architectures, cloud security services, and cloud security operations. Upon passing this exam, candidates will demonstrate their ability to secure public cloud environments and will be recognized as experts in public cloud security.

Download Real Fortinet NSE7_PBC-6.4 Exam Dumps Test Engine Exam Questions: https://www.exams4sures.com/Fortinet/NSE7_PBC-6.4-practice-exam-dumps.html