NSE7_PBC-6.4 Dumps To Pass Fortinet Exam in 24 Hours - Free4Torrent
NEW QUESTION # 16
Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)
- A. Configure a user-defined route table
- B. Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
- C. Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute
- D. Configure the gateway subnet as the subnet in the user-defined route table
- E. Define a default route where the next hop IP is the FortiGate WAN interface
Answer: B,D,E
NEW QUESTION # 17
Which two statements about the Amazon Cloud Services (AWS) network access control lists (ACLs) are true?
(Choose two.)
- A. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
- B. Network ACLs support allow rules and deny rules.
- C. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
- D. Network ACLs must be manually applied to virtual network interfaces.
Answer: A,B
Explanation/Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
NEW QUESTION # 18
What is the bandwidth limitation of an Amazon Web Services (AWS) transit gateway VPC attachment?
- A. Up to 10 Gbps per attachment
- B. Up to 50 Gbps per attachment
- C. Up to 1.25 Gbps per attachment
- D. Up to 1 Gbps per attachment
Answer: C
NEW QUESTION # 19
Refer to the exhibit.
Consider an active-passive HA deployment in Microsoft Azure. The exhibit shows an excerpt from the passive FortiGate-VM node.
If the active FortiGate-VM fails, what are the results of the API calls made by the FortiGate named SSTENTAZFGT-0302? (Choose two.)
- A. The network interface of the active unit moves to itself
- B. SSTENTAZFGT-03-FloatingPIP public IP is assigned to NIC SSTENTAZFGT-0302-Nic-01
- C. SSTENTAZFGT-03-FloatingPIP is assigned to the IP configuration with the name SSTENTAZFGT-0302-Nic-01, under the network interface SSTENTAZFGT-0302-Nic-01
- D. 172.29.32.71 is set as a next hop IP for all routes under FortigateUDR-01
Answer: C,D
NEW QUESTION # 20
Refer to the exhibit.
Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)
- A. Configure VNet peering between the spokes only.
- B. Configure VNet peering between the hub and spokes.
- C. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
- D. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
Answer: B,C
NEW QUESTION # 21
Which two statements about the Amazon Cloud Services (AWS) network access control lists (ACLs) are true?
(Choose two.)
- A. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
- B. Network ACLs support allow rules and deny rules.
- C. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
- D. Network ACLs must be manually applied to virtual network interfaces.
Answer: A,B
Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
https://aws.amazon.com/premiumsupport/knowledge-center/security-network-acl-vpc-endpoint/
- Network ACLs are stateless. You must define rules for both outbound and inbound traffic.
NEW QUESTION # 22
When configuring the FortiCASB policy, which three configuration options are available? (Choose three.)
- A. Intrusion prevention policies
- B. Threat protection policies
- C. Antivirus policies
- D. Compliance policies
- E. Data loss prevention policies
Answer: B,D,E
Explanation:
The policy setting allows you to configure each policy to fit your usage needs. You can select any type of policy (Data Analysis, Threat Protection, or Compliance).
https://docs.fortinet.com/document/forticasb/20.1.0/online-help/482958/policy-configuration
NEW QUESTION # 23
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?
- A. They cannot create and add additional vNICs to an existing FortiGate-VM.
- B. They can create additional vNICs in the UI console.
- C. They can use the Compute Engine API Explorer.
- D. They can create additional vNICs using the Cloud Shell.
Answer: A
Explanation:
GCP Limitations: You cannot add or remove network interfaces from an existing VM.
https://cloud.google.com/vpc/docs/create-use-multiple-interfaces#limitations
NEW QUESTION # 24 
Refer to the exhibit. Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)
- A. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
- B. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
- C. Configure VNet peering between the spokes only.
- D. Configure VNet peering between the hub and spokes.
Answer: B,D
NEW QUESTION # 25
You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:
* Two FortiGate devices must be deployed; each in a different availability zone.
* Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
* An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active-active topology.
* An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.
* Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?
- A. config system auto-scale
- B. config system ha
- C. config system session-sync
- D. config system sdn-connector
Answer: B
NEW QUESTION # 26
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?
- A. Less than 10 seconds
- B. 16 seconds
- C. 30 seconds
- D. 20 seconds
Answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
- If your application produces a time-out response just before the next probe arrives, the detection of the events will take 5 seconds plus the duration of the application time-out when the probe arrives. You can assume the detection to take slightly over 5 seconds.
- If your application produces a time-out response just after the next probe arrives, the detection of the events won't begin until the probe arrives and times out, plus another 5 seconds. You can assume the detection to take just under 10 seconds.
Assume the reaction to a time-out response will take a minimum of 5 seconds and a maximum of 10 seconds.
NEW QUESTION # 27
Which two statements about Microsoft Azure network security groups are true? (Choose two.)
- A. Network security groups are stateful inbound and outbound rules used for traffic filtering.
- B. Network security groups can be applied to subnets only.
- C. Network security groups are stateless inbound and outbound rules used for traffic filtering.
- D. Network security groups can be applied to subnets and virtual network interfaces.
Answer: A,B
Explanation/Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
NEW QUESTION # 28
You have previously deployed an Amazon Web Services (AWS) transit virtual private cloud (VPC) with a pair of FortiGate firewalls (VM04 / c4.xlarge) as your security perimeter. You are beginning to see high CPU usage on the FortiGate instances.
Which action will fix this issue?
- A. Migrate the transit VPNs to new and larger instances (VM08 / c4.2xlarge).
- B. Convert the transit VPC firewalls into an auto-scaling group and launch additional EC2 instances in that group.
- C. Convert the c4.xlarge instances to m4.xlarge instances.
- D. Convert from IPsec tunnels to generic routing encapsulation (GRE) tunnels, for the VPC peering connections.
Answer: B
NEW QUESTION # 29
You have been tasked with deploying FortiGate VMs in a highly available topology on the Amazon Web Services (AWS) cloud. The requirements for your deployment are as follows:
* You must deploy two FortiGate VMs in a single virtual private cloud (VPC), with an external elastic load balancer which will distribute ingress traffic from the internet to both FortiGate VMs in an active-active topology.
* Each FortiGate VM must have two elastic network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
* To maintain high availability, you must deploy the FortiGate VMs in two different availability zones.
How many public and private subnets will you need to configure within the VPC?
- A. Two public subnets and two private subnets
- B. One public subnet and two private subnets
- C. One public subnet and one private subnet
- D. Two public subnets and one private subnet
Answer: B
NEW QUESTION # 30
An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?
- A. The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.
- B. The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node's private subnet interface.
- C. The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.
- D. The worker node migrates the subnet to a different availability zone.
Answer: D
NEW QUESTION # 31
You have been tasked with deploying FortiGate VMs in a highly available topology on the Amazon Web Services (AWS) cloud. The requirements for your deployment are as follows:
* You must deploy two FortiGate VMs in a single virtual private cloud (VPC), with an external elastic load balancer which will distribute ingress traffic from the internet to both FortiGate VMs in an active-active topology.
* Each FortiGate VM must have two elastic network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
* To maintain high availability, you must deploy the FortiGate VMs in two different availability zones.
How many public and private subnets will you need to configure within the VPC?
- A. One public subnet and one private subnet
- B. Two public subnets and two private subnets
- C. Two public subnets and one private subnet
- D. One public subnet and two private subnets
Answer: B
Explanation:
https://github.com/fortinet/aws-cloudformation-templates/blob/master/LambdaAA-RouteFailover/6.0/README
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0
NEW QUESTION # 32
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?
- A. 30 seconds
- B. 16 seconds
- C. Less than 10 seconds
- D. 20 seconds
Answer: A
NEW QUESTION # 33
Refer to the exhibit.
Your senior administrator successfully configured a FortiGate fabric connector with the Azure Resource Manager, and created a dynamic address object on the FortiGate VM to connect with a Windows server in Microsoft Azure. However, there is now an error on the dynamic address object, and you must resolve the issue.
How do you resolve this issue?
- A. Run diagnose debug application azd -l on FortiGate.
- B. In the Microsoft Azure portal, access the Windows server, obtain the private IP address, and assign the IP address under the FortiGate-VM AzureLab address object.
- C. In the Microsoft Azure portal, set the correct tag values for the Windows server.
- D. Delete the address object and recreate a new address object with the type set to FQDN.
Answer: C
Explanation:
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/azure-administration-guide/985498/troubleshooti
NEW QUESTION # 34
Refer to the exhibit.
The exhibit shows a topology where multiple connections from clients to the same FortiGate-VM instance, regardless of the protocol being used, are required.
Which two statements are correct? (Choose two.)
- A. The Cloud Load Balancer Session Affinity setting should use the default value.
- B. The design shows an active-active FortiGate-VM architecture.
- C. The Cloud Load Balancer Session Affinity setting should be changed to CLIENT_IP.
- D. The design shows an active-passive FortiGate-VM architecture.
Answer: B,C
NEW QUESTION # 35 
Refer to the exhibit. Consider an active-passive HA deployment in Microsoft Azure. The exhibit shows an excerpt from the passive FortiGate-VM node.
If the active FortiGate-VM fails, what are the results of the API calls made by the FortiGate named SSTENTAZFGT-0302? (Choose two.)
- A. The network interface of the active unit moves to itself
- B. SSTENTAZFGT-03-FloatingPIP public IP is assigned to NIC SSTENTAZFGT-0302-Nic-01
- C. 172.29.32.71 is set as a next hop IP for all routes under FortigateUDR-01
- D. SSTENTAZFGT-03-FloatingPIP is assigned to the IP configuration with the name SSTENTAZFGT-0302-Nic-01, under the network interface SSTENTAZFGT-0302-Nic-01
Answer: C,D
NEW QUESTION # 36
Which two statements about Amazon Web Services (AWS) networking are correct? (Choose two.)
- A. Multicast traffic is not allowed.
- B. AWS DNS reserves the first host IP address of each subnet.
- C. Proxy ARP entries are disregarded.
- D. 802.1q VLAN tags are allowed inside the same virtual private cloud.
Answer: A,C
Explanation:
https://blog.ipspace.net/2018/05/amazon-web-services-networking-overview.html
NEW QUESTION # 37
You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?
- A. GuardDuty, CloudWatch, S3, and DynamoDB.
- B. GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.
- C. WAF, Shield, GuardDuty, S3, and DynamoDB.
- D. Inspector, Shield, GuardDuty, S3, and DynamoDB.
Answer: A
Explanation:
You must subscribe to GuardDuty, CloudWatch, S3, and DynamoDB.
https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/aws-administration-guide/908646/populating-thr
NEW QUESTION # 38
Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)
- A. Action
- B. Source and destination IP ranges
- C. Sequence number
- D. Source port ranges
- E. Destination port ranges
Answer: A,D,E
Explanation:
Under "Default security rules" we read source, destination, source port, destination port and access. However, under "Security rules" we read action, port ranges and source and destination, and essentially Options A, C, D and E are valid as those parameters can be configured. I would mark A, D and E, and source/destination port are to be seen in the table, maybe old documentation.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
NEW QUESTION # 39
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?
- A. They can use the Compute Engine API Explorer.
- B. They cannot create and add additional vNICs to an existing FortiGate-VM.
- C. They can create additional vNICs in the UI console.
- D. They can create additional vNICs using the Cloud Shell.
Answer: A
Explanation/Reference: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/62d32ecf-687f-11ea-9384-00505692583a/FortiOS-6.4-GCP_Cookbook.pdf
NEW QUESTION # 40
Refer to the exhibit.
In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?
- A. Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.
- B. Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.
- C. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.
- D. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
Answer: D
Explanation:
An AWS NAT gateway allows instances in a private subnet to connect to the internet or other AWS services without using a NAT instance. The main routing table sends internet traffic from the private subnet instances to the NAT gateway, then the NAT gateway sends traffic to the IGW using the elastic IP address as the source IP address.
Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
The Fortinet NSE7_PBC-6.4 exam is a challenging exam that requires candidates to have a deep understanding of public cloud security concepts, as well as hands-on experience with Fortinet's public cloud security solutions. The NSE7_PBC-6.4 exam consists of multiple-choice questions, and candidates are required to answer 60 questions in 120 minutes.