NSE7_CDS_AR-7.6 Fortinet NSE 7 - Public Cloud Security 7.6.4 Architect Questions and Answers

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

Based on the Fortinet NSE 7 - Public Cloud Security 7.4/7.6 study materials and the FortiOS 7.6 AWS Administration Guide , understanding the underlying mechanisms of AWS deployment tools is essential for permission management.

Infrastructure as Code and eksctl (Option C): In the context of Amazon EKS, the eksctl command-line tool is the official CLI for creating and managing clusters on EKS. When an administrator executes the eksctl create cluster command, eksctl does not interact with the EKS API directly to provision infrastructure; instead, it generates and executes AWS CloudFormation stacks to provision the necessary VPC, IAM roles, and the EKS control plane. Therefore, users running this command must have explicit permissions to create and manage CloudFormation stacks.

Resource Provisioning via Stacks: CloudFormation is AWS ' s native service for Infrastructure as Code (IaC), allowing users to define resources in JSON or YAML templates. Commands like eksctl leverage these templates to ensure repeatable and organized deployments of complex architectures, such as those required for a FortiGate or FortiWeb cloud integration.

Why other options are incorrect:

Option A: The kubectl command interacts directly with the Kubernetes API server inside the cluster to manage pods and services; it does not trigger AWS CloudFormation processes.

Option B: Helm is a package manager for Kubernetes. While it manages " releases " within the EKS cluster, the installation of a Helm chart for a FortiWeb ingress controller happens at the Kubernetes software layer and does not utilize AWS CloudFormation stacks.

Option D: Changing the node count via CloudShell using the AWS CLI or kubectl typically modifies an Auto Scaling Group or a Kubernetes Deployment/DaemonSet directly, rather than initiating a new CloudFormation stack execution.

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

Based on the FortiOS 7.6 Automation Guide and the provided documentation for Ansible workflows, the following structure is required for managing multiple FortiGate nodes:

Inventory File (The Target List): The inventory is a single file that defines the list of managed nodes. It specifies critical information such as hostnames, connection details, and specifically the IP addresses of the target devices. According to the study guide, this inventory is a text file that lists all the systems you want to manage.

Playbook File (The Task List): You create and edit a separate file that acts as the playbook . This file is written in YAML format and contains the series of tasks that Ansible performs on the managed nodes to reach a desired state.

Minimum File Count: A basic Ansible workflow consists of exactly two files : one inventory file (text) and one playbook file (YAML). By listing the target IP address (e.g., 10.0.206.131) within the inventory text file, the administrator can manage the FortiGate device without needing individual files for every target.

Why other options are incorrect:

Option A & C: Creating a separate playbook or inventory file for each target is inefficient and contradicts the core Ansible workflow, which uses a single inventory to manage multiple hosts.

Option B: While the playbook is a .yaml file, the study guide specifically defines the inventory (where IP addresses are configured) as a text file in the context of the basic workflow.

According to the FortiOS 7.6 AWS Administration Guide and the Fortinet Public Cloud Security 7.4 training materials regarding centralized security inspection:

Multiple Route Tables (Option B): A single AWS Transit Gateway is designed to support multiple TGW route tables. By default, there is a soft limit of 20 route tables per Transit Gateway, which allows administrators to implement sophisticated network segmentation and granular routing policies. In a FortiGate-centric " Security Hub " or " Transit VPC " architecture, multiple route tables are used to separate " Spoke " traffic from " Security " traffic, ensuring all inter-VPC traffic is forced through the FortiGate-VM for inspection.

Associations and Propagations: * Association: Each individual TGW attachment (VPC, VPN, or Direct Connect) can be associated with exactly one TGW route table at any given time. This table dictates where packets coming from that attachment will be sent. Because of this 1:1 relationship, Option C is incorrect.

Propagation: An attachment can propagate its routes to one or many TGW route tables. This flexibility allows a VPC ' s prefix to be known in multiple routing domains, meaning that association and propagation do not need to occur in the same table, making Option A incorrect.

Default Route Table Management: When creating an AWS Transit Gateway, the options for " Default route table association " and " Default route table propagation " are enabled by default, but they can be disabled during or after creation. Disabling these is a security best practice when deploying FortiGate-VMs to prevent the TGW from automatically creating a " full-mesh " connectivity that bypasses the firewall, making Option D incorrect.

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

According to the FortiOS 7.6 Azure Administration Guide and the Public Cloud Security documentation regarding Azure Gateway Load Balancer (GWLB) integration:

Encapsulation Overhead: Azure Gateway Load Balancer uses VXLAN (Virtual eXtensible LAN) to encapsulate the traffic before sending it to the FortiGate-VM HA cluster. This encapsulation adds a header that typically consists of 50 bytes for regular IPv4 traffic (Ethernet, IP, UDP, and VXLAN headers).

MTU Mismatch (Option A): The default maximum transmission unit (MTU) in Azure is 1500 bytes . If a protected VM sends a packet at the maximum default size (1500 bytes), and the GWLB then adds the 50-byte VXLAN header, the resulting encapsulated packet becomes 1550 bytes .

Packet Drops: If the FortiGate-VM ' s network interfaces are left at the default MTU of 1500 bytes , they will not be able to process the 1550-byte encapsulated frames without fragmentation. Because many network paths or configurations (including Azure ' s fabric for certain flows) may drop packets that require fragmentation or have the Don ' t Fragment (DF) flag set, this results in the observed intermittent connectivity issues and dropped traffic .

Required Resolution: To resolve this issue, administrators must increase the MTU on the FortiGate-VM interfaces (specifically the one receiving GWLB traffic) to at least 1570 bytes to accommodate both IPv4 and IPv6 VXLAN overhead.

Why other options are incorrect:

Option B: While an incorrect health probe port would cause the GWLB to mark the FortiGate as down, it would typically lead to a complete loss of traffic flow through that instance rather than intermittent packet drops within an active flow.

Option C: The GWLB itself is the component adding the overhead; it is the FortiGate ' s inability to receive the larger resulting frame (due to its own default MTU setting) that causes the failure.

Option D: Packet fragmentation by the application is a secondary effect. The primary " intermittent " issue described in GWLB deployments is almost always related to the tunneling overhead exceeding the receiving interface ' s MTU.

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

Based on the FortiOS 7.6 Cloud Security Study Guide regarding AWS Transit Gateway (TGW) integration and VPC routing, the following steps are mandatory to establish connectivity between Spoke VPCs via a TGW:

VPC Route Table Configuration (Option A): For traffic to leave a VPC and reach the Transit Gateway, the VPC ' s subnet route table must have a specific entry. While the exhibit shows local routes for internal VPC traffic (192.168.50.0/24 and 192.168.100.0/24), any traffic destined for " outside " the local VPC (such as the other Spoke VPC) must be directed to the TGW. Adding a default route ( 0.0.0.0/0 ) with the TGW ID as the next hop ensures that all non-local traffic is forwarded to the Transit Gateway for processing.

TGW Association (Option B): Within the Transit Gateway itself, connectivity is managed through Associations and Propagations . An " Association " links a specific VPC attachment to a TGW route table. Without associating the two attachments (for Spoke VPC A and Spoke VPC B) to a TGW route table, the TGW will not know which route table to use to make forwarding decisions for packets arriving from those VPCs.

Why Option C is incorrect: Route propagation is used to automatically populate the TGW route table with the CIDR blocks of the attached VPCs. While propagation is a valid step for dynamic routing, Option C specifically mentions propagating a static summary range (192.168.0.0/16) which is not the standard automated mechanism; usually, you propagate the specific VPC CIDRs. Furthermore, without the Association (Option B), propagation alone does not allow the TGW to process incoming traffic from the attachment.

Why Option D is incorrect: Directing traffic to an Internet Gateway (IGW) would send the traffic to the public internet. This would not facilitate internal routing between the two Spoke VPCs via the Transit Gateway.

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

According to the FortiOS 7.6 Docker Administration Guide and the Public Cloud Security study materials, container security is addressed through granular visibility into container-specific protocols.

Application Control for Containers (Option A): FortiOS includes a dedicated set of application control signatures specifically for Docker traffic . These signatures allow the FortiGate-VM to identify and control specific actions within a container environment, such as:

Docker_Pull.Blob / Docker_Pull.Manifest: Identifying when a container image is being pulled from a registry.

Docker_Push.Blob / Docker_Push.Manifest: Monitoring when images are uploaded to a registry.

Enforcing Security Policies: By using these Docker-related signatures, an administrator can create firewall policies that only allow container pulls from known clean, private registries while blocking traffic from unauthorized or public registries that may contain vulnerable or malicious images. 5

Defense-in-Depth: While traditional network-related signatures (Option C) or AWS-specific infrastructure signatures (Option B) protect the underlying network and cloud services, they do not provide the necessary visibility into the Docker API calls and manifest transfers required to secure the container lifecycle itself. FortiGate further enhances this by scanning the actual payload of these transfers using the Intrusion Prevention Service (IPS) and Advanced Malware Protection (AMP) .

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

According to the FortiCNP 24.x Administration Guide and the FortiOS 7.6 Security Fabric Integration documentation, integrating a FortiGate-VM with FortiCNP requires specific local configurations on the FortiGate to ensure the cloud security platform can ingest and analyze traffic data.

Configuring Logging (Option C): Before adding the FortiGate VM to FortiCNP, the administrator must Enable Send Logs on the FortiGate. This allows the FortiGate to forward the necessary security telemetry and traffic logs to the FortiCNP cloud endpoint for threat correlation and risk analysis.

Policy and Inspection Setup (Option D): The integration relies on the FortiGate ' s ability to identify and block threats at the network layer. Specifically, the administrator must Create a FortiGate IPS Sensor and Create a FortiGate Firewall Policy . The IPS sensor detects malicious patterns, while the firewall policy dictates which traffic is subjected to this inspection.

Deep Packet Inspection (Option E): To provide visibility into encrypted traffic—which is critical for identifying threats hidden in HTTPS flows—the administrator must Create an SSL/SSH Inspection Profile on the FortiGate. Without this profile, FortiCNP would lose significant visibility into potential attack vectors utilizing encrypted channels.

Why other options are incorrect:

Option A: While pre-shared keys are used in VPN and some Fabric setups, they are not listed as one of the specific mandatory steps for the initial FortiGate-to-FortiCNP fabric integration workflow.

Option B: While certificate exchange is part of the overall trust relationship, the primary " mandatory configuration steps on FortiGate " defined in the official setup guide focus on the logging and security profile components required to generate the data FortiCNP needs.

Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:

According to the FortiWeb 7.4 Administration Guide and the FortiWeb Ingress Controller Installation Guide , the status of backend servers in the FortiView Topology dashboard is a direct reflection of the health check results.

Interpreting the Status Icon (Orange): In the FortiView Topology view, a green circle indicates that the server is up and responding to health checks, while an orange circle indicates that the server is not running or is unreachable.

Connectivity and Routing (Option B): For the FortiWeb ingress controller to accurately monitor and protect a containerized application, it must have a valid network path to the Kubernetes (K8s) worker nodes. If the FortiWeb VM is missing a route to the specific subnet where the K8s nodes reside, the health check packets will fail to reach their destination. As a result, FortiWeb identifies the backend servers (192.168.0.1, 192.168.0.2, and 192.168.0.3) as " Down, " leading to the orange status shown in the exhibit.

Health Check Failures: When the status is orange, it implies that the Server Health Check (configured in the server pool) is detecting that the web servers are not responsive to connections. While this could be caused by an application-level failure, in a fresh cloud deployment of an ingress controller, the most common underlying cause is a network routing misconfiguration preventing the FortiWeb appliance from reaching the node IPs. 12

Why other options are incorrect: 34

Option A: If the SDN connector were not authenticated correctly, FortiWeb would likely fail to discover the containerized resources entirely, rather than discovering them and repor 5 ting them as " Down " . 6

Option C: While wron 7 g IP addresses would cause a failure, the Ingress Controller ' s job is to dynamically sync these addresses from the K8s API; a manual configuration error in a manifest file regarding IP addresses is less likely in an automated ingress environment.

Option D: The load balancing algorithm (Round Robin, Least Connections, etc.) affects how traffic is distributed, but it does not influence the up/down health status of the individual backend servers.

https://github.com/fortinet/fortigate-terraform-deploy

According to the Terraform documentation for installing Terraform on Linux, you need to download a zip archive that contains a single binary file called terraform. You need to unzip the archive and move the binary file to a directory that is included in your system ' s PATH environment variable, such as /usr/local/bin. This way, you can run the terraform command from any directory without specifying the full path.

If you do not move the binary file to the bin directory, you will get a command not found error when you try to run the terraform version command, as shown in the screenshot. To fix this error, you need to move the binary file to the bin directory or specify the full path of the binary file when running the command.