As part of your organization monitoring plan, you have been tasked with obtaining and analyzing detailed information about the traffic sourced at one of your FortiGate EC2 instances.
What can you do to achieve this goal?
A. Add the EC2 instance as a target in CloudWatch to collect its traffic logs.
B. Use AWS CloudTrail to capture and then examine traffic from the EC2 instance.
C. Configure a network access analyzer scope with the EC2 instance as a match finding.
D. Create a virtual private cloud (VPC) flow log at the network interface level for the EC2 instance.
You must add an Amazon Web Services (AWS) network access control list (NACL) rule to allow SSH traffic to a subnet for temporary testing purposes. When you review the current inbound and outbound NACL rules, you notice that the rules with number 5 deny SSH and telnet traffic to the subnet.
What can you do to allow SSH traffic?
A. You do not have to create any NACL rules because the default security group rule automatically allows SSH traffic to the subnet.
B. You must create two new allow SSH rules, each with a number bigger than 5.
C. You must create a new allow SSH rule anywhere in the network ACL rule base to allow SSH traffic.
D. You must create two new allow SSH rules, each with a number smaller than 5.
An administrator decides to use the Use managed identity option on the FortiGate SDN connector with Microsoft Azure. However, the SDN connector is failing on the connection.
What must the administrator do to correct this issue?
A. Make sure to add the Tenant ID on the FortiGate side of the configuration.
B. Make sure to enable the system assigned managed identity on Azure.
C. Make sure to add the Client secret on the FortiGate side of the configuration.
D. Make sure to set the type to system managed identity in the FortiGate SDN connector settings.
Refer to the exhibit.
An administrator implements FortiWeb ingress controller to protect containerized web applications in an AWS Elastic Kubernetes Service (EKS) cluster.
What can you conclude about the topology shown in FortiView?
A. This topology has two services and two ingress controllers deployed.
B. Adding a new service will update the FortiWeb configuration automatically.
C. The FortiWeb VM gets the latest cluster information through an SDN connector.
D. Both services will be load balanced among the two nodes and the four pods.
An administrator is relying on an Azure Bicep linter to find possible issues in Bicep files.
Which problem can the administrator expect to find?
A. The resources to be deployed exceed the quota for a region.
B. There are output statements that contain passwords.
C. One or more modules are not using runtime values as parameters.
D. Some resources are missing dependsOn statements.
Refer to the exhibit.
You are managing an active-passive FortiGate HA cluster in AWS that was deployed using CloudFormation. You have created a change set to examine the effects of some proposed changes to the current infrastructure. The exhibit shows some sections of the change set.
What will happen if you apply these changes?
A. This deployment can be done without any traffic interruption.
B. The updated FortiGate VMs will not have the latest configuration changes.
C. CloudFormation checks if you will surpass your account quota.
D. Both FortiGate VMs will get a new PhysicalResourceId.
The cloud administration team is reviewing an AWS deployment that was done using CloudFormation.
The deployment includes six FortiGate instances that required custom configuration changes after being deployed. The team notices that unwanted traffic is reaching some of the FortiGate instances because the template is missing a security group.
To resolve this issue, the team decides to update the JSON template with the missing security group and then apply the updated template directly, without using a change set.
What is the result of following this approach?
A. Some of the FortiGate instances may be deleted and replaced with new copies.
B. If new FortiGate instances are deployed later, they will include the updated changes.
C. The update is applied, and the security group is added to all instances without interruption.
D. CloudFormation rejects the update and warns that a new full stack is required.
Refer to the exhibit.
The exhibit shows a customer deployment of two Linux instances and their main routing table in Amazon Web Services (AWS). The customer also created a Transit Gateway (TGW) and two attachments.
Which two steps are required to route traffic from Linux instances to the TGW? (Choose two.)
A. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop TGW.
B. In the TGW route table, associate two attachments.
C. In the TGW route table, add route propagation to 192.168.0.0/16.
D. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop Internet gateway (IGW).
Refer to the exhibit.
Which FortiCNP policy type generated the finding shown in the exhibit?
A. This finding was generated by a file collection policy.
B. This finding was generated by a threat detection policy.
C. This finding was generated by a risk management policy.
D. This finding was generated by a data scan policy.
Refer to the exhibit.
The exhibit shows an active-passive high availability FortiGate pair with external and internal Azure load balancers. There is no SDN connector used in this solution.
Which configuration must the administrator implement on each FortiGate?
A. Two static routes to the Azure probe IP address.
B. A single BGP route to the Azure probe IP address.
C. One static route to the Azure Lambda IP address.
D. Two BGP routes to the Azure probe IP address.
Refer to the exhibit.
You are tasked with deploying FortiGate using Terraform. When you run the terraform version command during the Terraform installation, you get an error message.
What could you do to resolve the command not found error?
A. You must change the directory location to the root directory.
B. You must assign correct permissions to the ec2-user.
C. You must move the binary file to the bin directory.
D. You must reinstall Terraform.
Refer to the exhibit.
What is the purpose of this section of an Azure Bicep file?
A. To restrict which FortiOS versions are accepted for deployment
B. To indicate the correct FortiOS upgrade path after deployment
C. To add a comment with the permitted FortiOS versions that can be deployed
D. To document the FortiOS versions in the resulting topology
A customer would like to use FortiGate fabric integration with FortiCNP.
When adding a FortiGate VM to FortiCNP, which three mandatory configuration steps must you follow on FortiGate? (Choose three.)
A. Create an SSL/SSH inspection profile.
B. Configure FortiGate to send logs to FortiCNP.
C. Import the FortiGate certificate into FortiCNP.
D. Enable pre-shared key on both sides.
E. Create an IPS sensor and a firewall policy.
Refer to the exhibit.
An administrator has deployed a FortiGate VM in Amazon Web Services (AWS) and is trying to access it using its public IP address from their local computer. However, the connection is not successful, and at the same time FortiGate is not receiving any HTTPS or SSH traffic to its external interface.
What should the administrator check for the possible issue?
A. Check the debug flow for any network ACLs.
B. Check the inbound rules of the security groups.
C. Check the FortiGate firewall policies.
D. Check the FortiGate instance ID.
Refer to the exhibit.
You deployed an HA active-active load balance sandwich with two FortiGate VMs in Microsoft Azure.
After the deployment, you prefer to use FGSP to synchronize sessions, and allow asymmetric return traffic. In the environment, FortiGate port 1 and port 2 are facing external and internal load balancers respectively.
What IP address must you use in the peerip configuration?
A. The public load balancer port 2 IP address.
B. The opposite FortiGate port 1 IP address.
C. The opposite FortiGate port 2 IP address.
D. The internal load balancer port 1 IP address.
An administrator would like to use FortiCNP to keep track of sensitive data files located in an Amazon Web Services (AWS) S3 bucket and protect them from malware.
Which FortiCNP feature should the administrator use?
A. FortiCNP Compliance policies
B. FortiCNP Threat Detection policies
C. FortiCNP Risk Management policies
D. FortiCNP Data Scan policies
Refer to the exhibit.
You are deploying two FortiGate VMs in HA active-passive mode with load balancers in Microsoft Azure.
Which two statements are true in this load balancing scenario? (Choose two.)
A. The public IP of the active FortiGate is the next-hop for all the incoming traffic.
B. A dedicated management interface can be used for load balancing.
C. The internal load balancer is the next-hop for outgoing traffic.
D. You must add routes to the IP address used by the load balancers to send probes.
You need a solution to safeguard public cloud-hosted web applications from the OWASP Top 10 vulnerabilities. The solution must support the same region in which your applications reside, with minimum traffic cost.
Which solution meets the requirement?
A. Use FortiGate
B. Use FortiWeb
C. Use FortiCNP
D. Use FortiADC
Refer to the exhibit.
In which type of FortiCNP insights can an administrator examine the findings triggered by this policy?
A. User activity
B. Data
C. Threat
D. Risk
What is the main advantage of using SD-WAN Transit Gateway Connect over traditional SD-WAN?
A. It eliminates the use of ECMP.
B. You can use GRE-based tunnel attachments.
C. You can combine it with IPsec to achieve higher bandwidth.
D. You can use BGP over IPsec for maximum throughput.
An AWS administrator needs to determine which deployment tasks require CloudFormation permissions to ensure each team member has appropriate access rights. The administrator is investigating specific tasks that must be executed using CloudFormation.
What task is performed using CloudFormation?
A. Deploying a new pod with a service in an Elastic Kubernetes Service (EKS) cluster using the kubectl command
B. Changing the number of nodes in an EKS cluster from AWS CloudShell
C. Creating an EKS cluster with the eksctl create cluster command
D. Installing a Helm chart to deploy a FortiWeb ingress controller in an EKS cluster
Refer to the exhibit.
You have deployed a Linux EC2 instance in Amazon Web Services (AWS) with the settings shown in the exhibit.
What step must the administrator take to access this instance from the internet?
A. Create a NAT gateway associated with the terraform-subnet.
B. Configure the user name and password.
C. Enable SSH and allocate it to the device.
D. Allocate an Elastic IP address and assign it to the instance.
Which statement about Transit Gateway (TGW) in Amazon Web Services (AWS) is true?
A. TGW can have multiple TGW route tables.
B. The TGW default route table cannot be disabled.
C. A TGW attachment can be associated with multiple TGW route tables.
D. Both the TGW attachment and propagation must be in the same TGW route table.
Refer to the exhibit.
You attempted to access the Linux1 EC2 instance directly from the internet using its public IP address in AWS. However, your connection is not successful.
Given the network topology, what can be the issue?
A. There is no elastic IP address attached to FortiGate in the Security VPC.
B. The Transit Gateway BGP IP address is incorrect.
C. There is no internet gateway attached to the Spoke VPC A.
D. There is no connection between VPC A and VPC B.
Refer to the exhibit.
After the initial Terraform configuration in Microsoft Azure, the terraform plan command is run.
Which two statements about running the terraform plan command are true? (Choose two.)
A. You cannot run the terraform apply command before the terraform plan command.
B. The terraform plan command makes Terraform do a dry run.
C. You must run the terraform init command once, before the terraform plan command.
D. The terraform plan command will deploy the rest of the resources except the service principal details.