March Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Fortinet NSE7_PBC-6.4 Fortinet NSE 7 - Public Cloud Security 6.4 Exam Practice Test

Demo: 9 questions
Total 30 questions

Fortinet NSE 7 - Public Cloud Security 6.4 Questions and Answers

Question 1

Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.

Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)

Options:

A.

Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute

B.

Configure a user-defined route table

C.

Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table

D.

Configure the gateway subnet as the subnet in the user-defined route table

E.

Define a default route where the next hop IP is the FortiGate WAN interface

Question 2

Refer to the exhibit.

Consider an active-passive HA deployment in Microsoft Azure. The exhibit shows an excerpt from the passive FortiGate-VM node.

If the active FortiGate-VM fails, what are the results of the API calls made by the FortiGate named

SSTENTAZFGT-0302? (Choose two.)

Options:

A.

SSTENTAZFGT-03-FloatingPIP is assigned to the IP configuration with the name SSTENTAZFGT- 0302-Nic-01, under the network interface SSTENTAZFGT-0302-Nic-01

B.

172.29.32.71 is set as a next hop IP for all routes under FortigateUDR-01

C.

The network interface of the active unit moves to itself

D.

SSTENTAZFGT-03-FloatingPIP public IP is assigned to NIC SSTENTAZFGT-0302-Nic-01

Question 3

An organization deploys a FortiGate-VM (VM04 / c4.xlarge) in Amazon Web Services (AWS) and configures two elastic network interfaces (ENIs). Now, the same organization wants to add additional ENIs to support different workloads in their environment.

Which action can you take to accomplish this?

Options:

A.

None, you cannot create and add additional ENIs to an existing FortiGate-VM.

B.

Create the ENI, shut down FortiGate, attach the ENI to FortiGate, and then start FortiGate.

C.

Create the ENI, attach it to FortiGate, and then restart FortiGate.

D.

Create the ENI and attach it to FortiGate.

Question 4

An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.

How can they do this?

Options:

A.

They can create additional vNICs using the Cloud Shell.

B.

They cannot create and add additional vNICs to an existing FortiGate-VM.

C.

They can create additional vNICs in the UI console.

D.

They can use the Compute Engine API Explorer.

Question 5

You have been asked to secure your organization’s salesforce application that is running on Microsoft Azure, and find an effective method for inspecting shadow IT activities in the organization. After an initial investigation, you find that many users access the salesforce application remotely as well as on-premises.

Your goal is to find a way to get more visibility, control over shadow IT-related activities, and identify any data leaks in the salesforce application.

Which three steps should you take to achieve your goal? (Choose three.)

Options:

A.

Deploy and configure FortiCASB with a Fortinet FortiCASB subscription license.

B.

Configure FortiCASB and set up access rights, privileges, and data protection policies.

C.

Use FortiGate, FortiGuard, and FortiAnalyzer solutions.

D.

Deploy and configure FortiCWP with a workload guardian license.

E.

Deploy and configure FortiGate with Security Fabric solutions, and FortiCWP with a storage guardian advance license.

Question 6

An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.

This has now black-holed the private subnet in this availability zone.

What action will the worker node automatically perform to restore access to the black-holed subnet?

Options:

A.

The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.

B.

The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.

C.

The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node's private subnet interface.

D.

The worker node migrates the subnet to a different availability zone.

Question 7

Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)

Options:

A.

Action

B.

Sequence number

C.

Source and destination IP ranges

D.

Destination port ranges

E.

Source port ranges

Question 8

Refer to the exhibit.

In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.

Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).

How do you achieve this outcome with minimum configuration?

Options:

A.

Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.

B.

Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.

C.

Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.

D.

Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.

Question 9

Which two statements about Microsoft Azure network security groups are true? (Choose two.)

Options:

A.

Network security groups can be applied to subnets and virtual network interfaces.

B.

Network security groups can be applied to subnets only.

C.

Network security groups are stateless inbound and outbound rules used for traffic filtering.

D.

Network security groups are a stateful inbound and outbound rules used for traffic filtering.

Demo: 9 questions
Total 30 questions