NSE7_PBC-7.2 Fortinet NSE 7 Public Cloud Security 7.2 (FCSS) Questions and Answers

The next step the administrator must take to access the Linux EC2 instance from the internet is:

D. Allocate an Elastic IP address and assign it to the instance.

Elastic IP (EIP) Requirement: By default, when an EC2 instance is launched in AWS, it receives a public IP address from Amazon ' s pool, which is not static. This IP address can change, for example, if the instance is stopped and started again. To have a static IP address, you need to allocate an Elastic IP (EIP), which is a persistent public IP address, and then associate it with the instance.

Public Accessibility: Without an Elastic IP, the instance may not be accessible over the internet after a reboot or stop/start sequence. Assigning an Elastic IP ensures the instance can be accessed consistently using the same IP address.

References: The AWS documentation on EC2 instances details the process and need for Elastic IPs to ensure consistent internet access to instances.

When an administrator decides to use the ' Use managed identity ' option for the FortiGate SDN connector with Microsoft Azure and faces a connection failure, the correct action to take is:

C. Make sure to enable the system assigned managed identity on Azure.

Managed Identity Configuration: The system assigned managed identity is a feature in Azure that provides an identity for the Azure service instance (in this case, the FortiGate SDN connector) within Azure Active Directory and eliminates the need for credentials to be stored in the configuration.

Troubleshooting Connection Issues: If the SDN connector is failing to connect, it could be because the system assigned managed identity has not been enabled or configured properly in Azure for the FortiGate service.

References: Azure documentation on managed identities explains the need to enable and configure this feature for services to authenticate and interact securely with Azure resources.

B. It is recommended to enable NAT on FortiGate policies.  This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets 1 .  If NAT is not enabled, the source IP address of the packets will be the same as the load balancer’s frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues 1 .  Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing 1 . D. It supports session synchronization for handling asynchronous traffic.  This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session 2 .  For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table 2 . This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer’s hash-based algorithm or other factors.

The other options are incorrect because:

It does not use the vdom-exception command to exclude the configuration from being synced.  The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group 3 . However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname.

It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.

In this scenario, the issue is caused by the Azure service principle account not having a contributor role. This is required for the FortiGate HA floating IP to work properly. Without this role, the new primary device will not have the previous primary device floating IP address after failover.  References : Fortinet Public Cloud Security knowledge source documents or study guide.

https://docs.fortinet.com/product/fortigate-public-cloud/7.2

A. Use the terraform destroy command.  This command is used to remove all the resources that were created using the Terraform configuration 1 . It is the opposite of the terraform apply command, which is used to create resources. The terraform destroy command will first show a plan of what resources will be destroyed, and then ask for confirmation before proceeding. The command will also update the state file to reflect the changes. D. The administrator must manually delete the Linux server.  This is because the Linux server was not deployed using Terraform, but using AWS Marketplace 2 . Therefore, Terraform does not have any information about the Linux server in its state file, and cannot manage or destroy it. The administrator will have to use the AWS console or CLI to delete the Linux server manually.

The other options are incorrect because:

There is no terraform validate command.  The correct command is terraform plan, which is used to show a plan of what changes will be made by applying the configuration 3 . However, this command does not delete any resources, it only shows what will happen if terraform apply or terraform destroy is run.

There is no terraform destroy all command.  The correct command is terraform destroy, which will destroy all the resources in the current configuration by default 1 . There is no need to add an all argument to the command.

The statement that best describes the concept of immutable infrastructure in the context of automation is:

A. It is the practice of deploying a new server for every configuration change.

Immutable Infrastructure Concept: This approach to infrastructure management involves replacing servers or components entirely rather than making changes to existing configurations once they are deployed. When a change is needed, a new server instance is provisioned with the desired configuration and the old one is decommissioned after the new one is successfully deployed and tested.

Benefits: Immutable infrastructure minimizes the risks associated with in-place updates, such as inconsistencies or failures due to configuration drift. It enhances reliability and predictability by ensuring that the deployed environment matches exactly what was tested in staging. This practice is particularly aligned with modern deployment strategies like blue/green or canary deployments.

References: The concept of immutable infrastructure is widely discussed in DevOps and cloud computing literature as a method to increase consistency and fault tolerance in automated environments.

B. FortiGate A and FortiGate B are two independent devices. This means that they are not part of a cluster or a high availability group, and they do not share the same configuration or state information.  They are configured as standalone FortiGates with standalone configuration synchronization enabled 1 .  This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname 1 . D. It does not synchronize the FortiGate hostname. This is one of the settings that are excluded from the standalone configuration synchronization, as mentioned above.  The hostname is a unique identifier for each FortiGate device, and it should not be changed by the synchronization process 1 .

The other options are incorrect because:

FortiGate-VM instances are not scaled out automatically according to predefined workload levels.  This is a feature of the auto scaling solution for FortiGate-VM on Azure, which requires a different deployment and configuration than the one shown in the exhibit 2 . The exhibit shows a static deployment of two FortiGate-VM instances behind an Azure load balancer, which does not support auto scaling.

By default, FortiGate does not use FGCP.  FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group 3 . However, the exhibit shows that the FortiGates are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.

The correct answer is A and C. A transport attachment and a connect attachment are necessary to connect a transit gateway to an existing VPC with BGP.

According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. To connect a transit gateway to an existing VPC with BGP, you need to do the following steps:

Create a transport attachment. A transport attachment is a resource that connects a VPC or VPN to a transit gateway. You can specify the BGP options for the transport attachment, such as the autonomous system number (ASN) and the BGP peer IP address.

Create a connect attachment. A connect attachment is a resource that enables you to use your own appliance to provide network services for traffic that flows through the transit gateway. You can use a connect attachment to route traffic between the transport attachment and your appliance using GRE tunnels and BGP.

The other options are incorrect because:

A BGP attachment is not a valid type of attachment for a transit gateway. BGP is a protocol that enables dynamic routing between the transit gateway and the VPC or VPN.

A GRE attachment is not a valid type of attachment for a transit gateway. GRE is a protocol that encapsulates packets for tunneling purposes. GRE tunnels are established between the connect attachment and your appliance.

[Transit Gateways - Amazon Virtual Private Cloud] : [Transit Gateway Connect - Amazon Virtual Private Cloud]

Immutable infrastructure is a DevOps approach that emphasizes the creation of disposable resources instead of modifying existing ones 1 .  This approach helps to achieve stability, consistency, and predictability in IT operations by reducing the risk of configuration drift and eliminating stateful components 1 .

One way to implement immutable infrastructure is to use a blue-green deployment strategy, which runs two live environments for configuration changes 2 . The blue environment is the current production environment, while the green environment is the new version of the application or service.  When the green environment is ready, the traffic is switched from blue to green, and the blue environment is destroyed or kept as a backup 2 . This way, there is no need to update or patch the existing infrastructure, but rather replace it with a new one.

References :

1 :  Immutable Infrastructure, Architecture, and its benefits

2 :  Introduction to Immutable Infrastructure – BMC Software | Blogs

For configuring the failover settings on a FortiGate active-passive SDN connector solution in Microsoft Azure, the two mandatory settings required after the initial deployment are:

A. Subscription-id

D. Resource group name

Subscription ID: This is a unique identifier for your Azure subscription under which all resources are created and billed. FortiGate needs this to interact with the Azure resources associated with that subscription.

Resource Group Name: A resource group in Azure is a container that holds related resources for an Azure solution. The SDN connector requires the resource group name to correctly identify and manage the resources it should control, especially in a failover scenario.

References: The requirement for these specific details is found in Azure ' s best practices for resource management and Fortinet ' s documentation on deploying and configuring FortiGate appliances in Azure environments.

According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks.  A transit gateway route table is a set of rules that determines how traffic is routed among the attachments to the transit gateway 1 .

A transit gateway can have multiple route tables, and you can associate different attachments with different route tables.  This allows you to control how traffic is routed between your VPCs and VPNs based on your network design and security requirements 1 .

The other options are incorrect because:

Both the TGW attachment and propagation must be in the same TGW route table is not true. You can associate an attachment with one route table and enable propagation from another attachment to a different route table.  This allows you to separate the routing domains for your attachments 1 .

A TGW attachment can be associated with multiple TGW route tables is not true. You can only associate an attachment with one route table at a time.  However, you can change the association at any time 1 .

The TGW default route table cannot be disabled is not true. You can disable the default route table by deleting all associations and propagations from it.  However, you cannot delete the default route table itself 1 .

1 :  Transit Gateways - Amazon Virtual Private Cloud

In using Red Hat Ansible for changing the configuration of a FortiGate VM, the minimum number of files you must create and the file to configure the target FortiGate IP address are:

B. Create two files and use the hosts file.

Ansible Playbook File (YAML): The playbook file, which is typically a YAML file, contains the desired states and tasks that Ansible will execute on the target hosts.

Inventory File (Hosts): The inventory file, commonly named hosts , is where you define the target machines, including the FortiGate VM ' s IP address. Ansible uses this file to determine on which machines to run the playbook.

By creating these two files, you will have the necessary components to configure Ansible for the deployment. The playbook contains the automation tasks, and the hosts file lists the machines where those tasks will be executed.

References: This structure is specified in the Ansible documentation, which details the use of playbooks and inventory files to manage and configure target systems.

The two best connection solutions available between your company headquarters, branch sites, and the Azure vWAN hub are A. ExpressRoute and E. VPN Gateway.

According to the Azure documentation for Virtual WAN, ExpressRoute and VPN Gateway are two of the supported connectivity options for connecting your on-premises sites and Azure virtual networks to the Azure vWAN hub 1 . These options provide secure, reliable, and high-performance connectivity for your network traffic.

ExpressRoute is a service that lets you create private connections between your on-premises sites and Azure. ExpressRoute connections do not go over the public internet, and offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the internet 2 .

VPN Gateway is a service that lets you create encrypted connections between your on-premises sites and Azure over the internet using IPsec/IKE protocols. VPN Gateway also supports point-to-site VPN connections for individual clients using OpenVPN or IKEv2 protocols 3 .

The other options are incorrect because:

GRE tunnels are not a supported connectivity option for Azure vWAN. GRE is a protocol that encapsulates packets for tunneling purposes. GRE tunnels are established between the connect attachment and your appliance in Azure vWAN 4 .

SSL VPN connections are not a supported connectivity option for Azure vWAN. SSL VPN is a type of VPN that uses the Secure Sockets Layer (SSL) protocol to secure the connection between a client and a server. SSL VPN is not compatible with the Azure vWAN hub 5 .

An L2TP connection is not a supported connectivity option for Azure vWAN. L2TP is a protocol that creates a tunnel between two endpoints at the data link layer (Layer 2) of the OSI model. L2TP is not compatible with the Azure vWAN hub.

1 : Azure Virtual WAN Overview | Microsoft Learn 2 : [ExpressRoute overview - Azure ExpressRoute | Microsoft Docs] 3 : [VPN Gateway - Virtual Networks | Microsoft Azure] 4 : [Transit Gateway Connect - Amazon Virtual Private Cloud] 5 : [SSL VPN - Wikipedia] : [Layer 2 Tunneling Protocol - Wikipedia]