[Aug 24, 2023] Free NSE 7 Network Security Architect NSE7_PBC-6.4 Exam Question
NSE7_PBC-6.4 dumps & NSE 7 Network Security Architect sure practice dumps
The Fortinet NSE7_PBC-6.4 exam covers a wide range of topics that are essential for securing public cloud environments. These topics include cloud security fundamentals, cloud security architecture, cloud security operations, and cloud security services. The Fortinet NSE 7 - Public Cloud Security 6.4 certification exam is designed to test the knowledge and skills of professionals in these areas to ensure that they can provide effective security solutions for public cloud environments.
To prepare for the Fortinet NSE7_PBC-6.4 certification exam, IT professionals need to have a solid understanding of public cloud security concepts, principles, and technologies. They must also have experience working with public cloud platforms and be familiar with the tools and techniques used to secure these environments.
NEW QUESTION # 15
Refer to the exhibit.
In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?
- A. Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.
- B. Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.
- C. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
- D. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.
Answer: C
Explanation:
An AWS NAT gateway allows instances in a private subnet to connect to the internet or other AWS services without using a NAT instance. The main routing table sends internet traffic from the private subnet instances to the NAT gateway, and the NAT gateway then sends the traffic to the IGW using the elastic IP address as the source IP address.
Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
NEW QUESTION # 16
Refer to the exhibit.
Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)
- A. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
- B. Configure VNet peering between the spokes only.
- C. Configure VNet peering between the hub and spokes.
- D. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
Answer: A,C
NEW QUESTION # 17
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?
- A. 16 seconds
- B. 30 seconds
- C. Less than 10 seconds
- D. 20 seconds
Answer: B
NEW QUESTION # 18 
Refer to the exhibit. The exhibit shows a topology where multiple connections from clients to the same FortiGate-VM instance, regardless of the protocol being used, are required.
Which two statements are correct? (Choose two.)
- A. The Cloud Load Balancer Session Affinity setting should be changed to CLIENT_IP.
- B. The Cloud Load Balancer Session Affinity setting should use the default value.
- C. The design shows an active-active FortiGate-VM architecture.
- D. The design shows an active-passive FortiGate-VM architecture.
Answer: A,C
NEW QUESTION # 19
Your company deploys FortiGate VM devices in high availability (HA) (active-active) mode with Microsoft Azure load balancers using the Microsoft Azure ARM template. Your senior administrator instructs you to connect to one of the FortiGate devices and configure the necessary firewall rules. However, you are not sure how to obtain the correct public IP address of the deployed FortiGate VM and identify the access ports.
How do you obtain the public IP address of the FortiGate VM and identify the correct ports to access the device?
- A. In the configured load balancer, access the backend pools section.
- B. In the configured load balancer, access the inbound and outbound NAT rules section.
- C. In the configured load balancer, access the health probes section.
- D. In the configured load balancer, access the inbound NAT rules section.
Answer: D
Explanation:
From the resource group Overview page, click the external load balancer name to load it. From the navigation column, click Inbound NAT Rules.
https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/azure-administration-guide/889158/connecting-to
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#azure-v
It is more economical and secure to associate a public IP address to a load balancer or to an individual virtual machine (also known as a jumpbox), which then routes incoming connections to scale set virtual machines as needed (for example, through inbound NAT rules).
NEW QUESTION # 20
A company deployed a FortiGate-VM with an on-demand license using an Amazon Web Services (AWS) Marketplace CloudFormation template. After deployment, the administrator cannot remember the default admin password.
What is the default admin password for the FortiGate-VM instance?
- A. <blank>
- B. admin
- C. The admin password cannot be recovered and the customer needs to deploy the FortiGate-VM again.
- D. The instance-ID value
Answer: D
Explanation:
Explanation/Reference: https://docs.fortinet.com/document/fortigate/6.2.0/aws-cookbook/828256/connecting-to-the-fortigate-vm
NEW QUESTION # 21
Refer to the exhibit.
Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)
- A. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
- B. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
- C. Configure VNet peering between the spokes only.
- D. Configure VNet peering between the hub and spokes.
Answer: B,D
NEW QUESTION # 22
Refer to the exhibit.
You are configuring an active-passive FortiGate clustering protocol (FGCP) HA configuration in a single availability zone in Amazon Web Services (AWS), using a CloudFormation template.
After deploying the template, you notice that the AWS console has IP information listed in the FortiGate VM firewalls in the HA configuration. However, within the configuration of FortiOS, you notice that port1 is using an IP of 10.0.0.13, and port2 is using an IP of 10.0.1.13.
What should you do to correct this issue?
- A. Configure FortiOS to use static IP addresses with the IP addresses reflected in the ENI primary IP address configuration (as per the exhibit).
- B. Configure FortiOS to use DHCP so that it will get the correct IP addresses on the ports.
- C. Nothing, in AWS cloud, it is normal for a FortiGate ENI primary IP address to be different than the FortiOS IP address configuration.
- D. Delete the deployment and start again. You have input the wrong parameters during the CloudFormation template deployment.
Answer: B
NEW QUESTION # 23 
Refer to the exhibit. Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)
- A. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
- B. Configure VNet peering between the spokes only.
- C. Configure VNet peering between the hub and spokes.
- D. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
Answer: A,C
NEW QUESTION # 24
Which two statements about Microsoft Azure network security groups are true? (Choose two.)
- A. Network security groups are stateless inbound and outbound rules used for traffic filtering.
- B. Network security groups are stateful inbound and outbound rules used for traffic filtering.
- C. Network security groups can be applied to subnets only.
- D. Network security groups can be applied to subnets and virtual network interfaces.
Answer: B,C
NEW QUESTION # 25
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)
- A. A multiple VPC deployment utilizing a transit gateway
- B. A single VPC deployment with multiple subnets
- C. A single VPC deployment with multiple subnets and a NAT gateway
- D. A multiple VPC deployment utilizing a transit VPC topology
Answer: B,D
NEW QUESTION # 26
Refer to the exhibit.
You are deploying a FortiGate-VM in Microsoft Azure using the PAYG/On-demand licensing model. After you configure the FortiGate-VM, the validation process fails, displaying the error shown in the exhibit.
What caused the validation process to fail?
- A. You selected the incorrect resource group.
- B. You selected the Bring Your Own License (BYOL) licensing mode.
- C. You selected the PAYG/On-demand licensing model, but did not associate a valid Azure subscription.
- D. You selected the PAYG/On-demand licensing model, but did not select the correct virtual machine size.
Answer: A
NEW QUESTION # 27
What is the bandwidth limitation of an Amazon Web Services (AWS) transit gateway VPC attachment?
- A. Up to 50 Gbps per attachment
- B. Up to 1.25 Gbps per attachment
- C. Up to 10 Gbps per attachment
- D. Up to 1 Gbps per attachment
Answer: B
Explanation:
Explanation/Reference: https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf (5)
NEW QUESTION # 28
An organization deploys a FortiGate-VM (VM04 / c4.xlarge) in Amazon Web Services (AWS) and configures two elastic network interfaces (ENIs). Now, the same organization wants to add additional ENIs to support different workloads in their environment.
Which action can you take to accomplish this?
- A. Create the ENI, attach it to FortiGate, and then restart FortiGate.
- B. None, you cannot create and add additional ENIs to an existing FortiGate-VM.
- C. Create the ENI and attach it to FortiGate.
- D. Create the ENI, shut down FortiGate, attach the ENI to FortiGate, and then start FortiGate.
Answer: D
NEW QUESTION # 29
When configuring the FortiCASB policy, which three configuration options are available? (Choose three.)
- A. Data loss prevention policies
- B. Threat protection policies
- C. Intrusion prevention policies
- D. Antivirus policies
- E. Compliance policies
Answer: A,B,E
Explanation:
The policy settings allow you to configure each policy to fit your needs. You can select any type of policy (Data Analysis, Threat Protection or Compliance).
https://docs.fortinet.com/document/forticasb/20.1.0/online-help/482958/policy-configuration
NEW QUESTION # 30
You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?
- A. GuardDuty, CloudWatch, S3, and DynamoDB.
- B. Inspector, Shield, GuardDuty, S3, and DynamoDB.
- C. WAF, Shield, GuardDuty, S3, and DynamoDB.
- D. GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.
Answer: A
Explanation:
You must subscribe to GuardDuty, CloudWatch, S3, and DynamoDB.
https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/aws-administration-guide/908646/populating-thr
NEW QUESTION # 31
Which two statements about Microsoft Azure network security groups are true? (Choose two.)
- A. Network security groups are stateless inbound and outbound rules used for traffic filtering.
- B. Network security groups can be applied to subnets and virtual network interfaces.
- C. Network security groups are stateful inbound and outbound rules used for traffic filtering.
- D. Network security groups can be applied to subnets only.
Answer: B,C
Explanation:
You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see Services that can be deployed into a virtual network. You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
NEW QUESTION # 32
Refer to the exhibit.
Your senior administrator successfully configured a FortiGate fabric connector with the Azure Resource Manager, and created a dynamic address object on the FortiGate VM to connect with a Windows server in Microsoft Azure. However, there is now an error on the dynamic address object, and you must resolve the issue.
How do you resolve this issue?
- A. In the Microsoft Azure portal, access the Windows server, obtain the private IP address, and assign the IP address under the FortiGate-VM AzureLab address object.
- B. In the Microsoft Azure portal, set the correct tag values for the Windows server.
- C. Delete the address object and recreate a new address object with the type set to FQDN.
- D. Run diagnose debug application azd -l on FortiGate.
Answer: B
Explanation:
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/azure-administration-guide/985498/troubleshooti
