Fortinet NSE7_CDS_AR-7.6 Exam Questions Free Practice Test

Viewing page 2 out of 2 pages

Viewing questions 11-20 out of questions

Questions # 11:

Exhibit.

Question # 11

In which type of FortiCNP insights can an administrator examine the findings triggered by this policy?

Options:

Data

Threat

Risk

User activity

Expert Solution

Questions # 12:

Refer to the exhibit.

Question # 12

The exhibit shows an active-passive high availability FortiGate pair with external and internal Azure load balancers There is no SDN connector used in this solution.

Which configuration must the administrator implement on each FortiGate?

Options:

Single BGP route to Azure probe IP address.

One static route to Azure Lambda IP address.

Two static routes to Azure probe IP address.

Two BGP routes lo Azure probe IP address.

Expert Solution

Questions # 13:

Refer to the exhibit.

Question # 13

You deployed a FortiGate HA active-passive cluster in Microsoft Azure.

Which two statements regarding this particular deployment are true? (Choose two.)

Options:

You can use the vdom-exception command to synchronize the configuration.

During a failover, all existing sessions are transferred to the new active FortiGate.

The configuration does not synchronize between the primary and secondary devices.

There is no SLA for API calls from Microsoft Azure.

Expert Solution

Questions # 14:

Refer to the exhibit.

Question # 14

You deployed an HA active-active load balance sandwich with two FortiGate VMs in Microsoft Azure.

After the deployment, you prefer to use FGSP to synchronize sessions, and allow asymmetric return traffic. In the environment, FortiGate port 1 and port 2 are facing external and internal load balancers respectively.

What IP address must you use in the peerip configuration?

Options:

The opposite FortiGate port 2 IP address.

The public load balancer port 2 IP address.

The internal load balancer port 1 IP address.

The opposite FortiGate port 1 IP address.

Expert Solution

Questions # 15:

Refer to the exhibit.

Question # 15

You are managing an active-passive FortiGate HA cluster in AWS that was deployed using CloudFormation. You have created a change set to examine the effects of some proposed changes to the current infrastructure. The exhibit shows some sections of the change set.

What will happen if you apply these changes?

Options:

This deployment can be done without any traffic interruption.

Both FortiGate VMs will get a new PhysicalResourceId.

The updated FortiGate VMs will not have the latest configuration changes.

CloudFormation checks if you will surpass your account quota.

Expert Solution

Questions # 16:

You have deployed a FortiGate HA cluster in Azure using a gateway load balancer for traffic inspection. However, traffic is not being routed correctly through the firewalls.

What can be the cause of the issue?

Options:

The FortiNet VMs have IP forwarding disabled, which is required for traffic inspection.

The health probes for the gateway load balancer are failing, which causes traffic to bypass the HA cluster.

The gateway load balancer is not associated with the correct network security group (NSG) rules, which allow traffic to pass through.

The protected VMs are in a different Azure subscription, which prevents the gateway load balancer from forwarding traffic.

Expert Solution

Answer

Explanation

According to the FortiOS 7.6 Azure Administration Guide and the Cloud Security 7.4 Public Cloud Study Guide, the integration of FortiGate-VMs with an Azure Gateway Load Balancer (GWLB) requires specific network configurations to ensure packet transit:

IP Forwarding Requirement (Option A): By default, Azure Network Interfaces (NICs) drop any traffic that does not originate from or is not destined for the IP address assigned to that NIC. For a FortiGate to act as a "bump-in-the-wire" or transparent inspector, it must receive traffic destined for other IPs and forward it. This requires the IP Forwarding setting to be explicitly enabled on the FortiGate's network interfaces within the Azure portal. If this is disabled, the Azure fabric will discard the traffic being steered through the FortiGate HA cluster by the GWLB.

VXLAN Encapsulation: The Azure GWLB uses VXLAN to encapsulate traffic (adding a VXLAN header with a specific VNI) before sending it to the FortiGate. The FortiGate must terminate this VXLAN tunnel. While the VXLAN configuration is crucial, the underlying infrastructure check for IP Forwarding is the most common cause of traffic being blocked at the NIC level before the FortiOS stack can process the packet.

Why other options are incorrect:

Option B: If health probes fail, the GWLB will typically stop sending traffic to that specific instance. While this affects the HA cluster's availability, the question states traffic is not being routed correctly through the firewalls (implying an active flow issue), and the primary mechanism for allowing a VM to process third-party traffic in Azure is IP Forwarding.

Option C: NSGs are typically applied to the NIC or Subnet. While incorrect NSG rules can block traffic, "IP Forwarding" is a specific requirement for the FortiGate to function as a network appliance (NVA) regardless of the NSG state.

Option D: Azure GWLB supports cross-subscription and cross-tenant chaining. The consumer (protected VMs) and the provider (FortiGate HA cluster) do not need to be in the same subscription, provided the GWLB endpoint is correctly mapped.

Viewing page 2 out of 2 pages

Viewing questions 11-20 out of questions

Spring Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: simple70

Pass the Fortinet Fortinet Network Security Expert NSE7_CDS_AR-7.6 Questions and answers with CertsForce