Fortinet FCP_ZCS_AD-7.4 FCP - Azure Cloud Security 7.4 Administrator Exam Practice Test

Two virtual NICs – The FortiGate Azure Marketplace template deploys the VM with at least two network interfaces: one for the external/public interface and one for the internal/private interface.

One NSG for each interface – The deployment creates separate Network Security Groups (NSGs) attached to each NIC to control inbound and outbound traffic as per Fortinet’s best practices.

The Software-defined network (SDN) connector allows FortiGate to dynamically pull metadata such as tags, IP addresses, and resource groups from Azure resources. This enables automatic policy updates based on dynamic IP changes, such as those of a Linux server in a protected subnet.

In a FortiGate active-active HA deployment in Azure, synchronization between instances is achieved using:

FortiGate Clustering Protocol (FGCP) – This is the primary protocol used to synchronize configuration and session information between HA peers.

Heartbeat interfaces – These interfaces are specifically configured to exchange HA state and sync data between the FortiGate VMs, ensuring cluster consistency.

Enhanced protection for application and data in a single Azure region – Availability Zones provide physical separation of infrastructure within a single Azure region, protecting against datacenter-level failures.

Protect applications and data through high availability with fault isolation and redundancy – They offer fault isolation and redundancy, enabling high availability for applications and services by distributing them across multiple zones within the same region.

In an active-active FortiGate ELB/ILB deployment, the inbound NAT rules configured on the external load balancer are used to allow administrative access (e.g., HTTPS, SSH) to the individual FortiGate VMs. Since the public IP is associated with the load balancer, NAT rules are required to map specific ports to backend FortiGate instances for management access.

The Linux server in the spoke VNet cannot directly peer BGP with the Azure Route Server, as it is not a BGP-enabled device. Instead, Azure propagates routes to VMs through the effective route tables associated with their network interfaces (NICs). Therefore, to diagnose why BGP routes are not reaching the Linux VM, you should monitor the effective routes on the NIC to verify if the routes from the FortiGate (via the Route Server) are being injected properly.

Since port 80 traffic is reaching the FortiGate (as shown in the sniffer output) but port 22 traffic is not, the issue lies before the FortiGate, at the Azure Load Balancer level. Azure Load Balancers require an Inbound NAT rule to forward specific ports (like SSH on port 22) to a specific backend VM. Creating a new Inbound NAT rule for port 22 will allow SSH traffic to be properly routed to the FortiGate VM.

For VMs in the 10.0.1.0/26 subnet to access the internet through the FortiGate VM, their default gateway must be changed to the internal IP address of the FortiGate’s NIC in that subnet (e.g., LAB1-FGT-A-Nic2). This ensures traffic is routed through FortiGate for inspection and NAT, rather than directly using Azure’s default system routes.

A user-defined route (UDR) in Azure is used to redirect traffic from other VMs through a FortiGate VM for inspection. By modifying the routing table, you ensure that outbound or inter-subnet traffic is sent to the FortiGate as the next hop, enabling traffic filtering, logging, and security enforcement.

In an active-passive HA deployment of FortiGate VMs in Azure using the Marketplace template, configuration synchronization is handled via unicast FortiGate Clustering Protocol (FGCP). FGCP allows the primary unit to replicate its configuration and session information to the secondary unit, ensuring seamless failover.