[UPDATED 2024] Free Fortinet NSE7_PBC-6.4 Exam Questions Self-Assess Preparation [Q10-Q32]

NSE7_PBC-6.4 Free Sample Questions to Practice One Year Update


The Fortinet NSE7_PBC-6.4 exam is vendor-specific and designed for professionals who have experience with Fortinet's public cloud security solutions. It covers a broad range of topics, including cloud security architecture, public cloud security best practices, and cloud security configuration and management.


NEW QUESTION # 10

Refer to the exhibit. Your senior administrator successfully configured a FortiGate fabric connector with Azure Resource Manager, and created a dynamic address object on the FortiGate-VM to connect with a Windows server in Microsoft Azure. However, there is now an error on the dynamic address object, and you must resolve the issue.
How do you resolve this issue?

  • A. In the Microsoft Azure portal, access the Windows server, obtain the private IP address, and assign the IP address under the FortiGate-VM AzureLab address object.
  • B. Delete the address object and recreate a new address object with the type set to FQDN.
  • C. Run diagnose debug application azd -l on FortiGate.
  • D. In the Microsoft Azure portal, set the correct tag values for the Windows server.

Answer: D

Explanation:
The address object is dynamic: FortiGate populates it from the inventory that the Azure SDN connector retrieves, using the object's filter, so the error means the filter currently matches no resource. The fix is on the Azure side, setting tag values on the server that match the filter. Assigning a static private IP (A) defeats the purpose of a dynamic object, an FQDN object (B) is a different mechanism, and the azd debug (C) only diagnoses the connector.
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/azure-administration-guide/985498/troubleshooti

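As an added illustration of why the fix is on the Azure side (this is example code written for this page, not Fortinet's connector code), the model below resolves a dynamic address object's filter against a constructed Azure VM inventory. The inventory, VM names and IPs, and the filter grammar (key=value terms joined by & and |, with keys Tag.<name>, ResourceGroup, VmName, Vnet and Subnet) are assumptions modelled on the FortiOS filter syntax, not the product's parser. A filter that matches nothing leaves the object empty, which is the error state in the question; correcting the tag on the VM resolves it without touching the FortiGate.

```python
"""Model of how a FortiGate dynamic address object is resolved through an Azure SDN
connector: the connector pulls the VM inventory from Azure Resource Manager, the
object's filter is applied to it, and the object holds whichever private IPs match now.
Added example with a constructed inventory; the filter grammar is an assumption."""
import ipaddress

# Constructed inventory, shaped like what a connector might return for one subscription.
AZURE_VMS = [
    {"name": "winsrv01", "resource_group": "AzureLab", "vnet": "lab-vnet", "subnet": "protected",
     "tags": {"Role": "web", "Env": "lab"}, "private_ips": ["10.0.2.4"]},
    {"name": "winsrv02", "resource_group": "AzureLab", "vnet": "lab-vnet", "subnet": "protected",
     "tags": {"Role": "web", "Env": "lab"}, "private_ips": ["10.0.2.5"]},
    {"name": "dbsrv01", "resource_group": "AzureLab", "vnet": "lab-vnet", "subnet": "data",
     "tags": {"Role": "db", "Env": "lab"}, "private_ips": ["10.0.3.4"]},
    {"name": "fgt-vm", "resource_group": "AzureLab", "vnet": "lab-vnet", "subnet": "external",
     "tags": {}, "private_ips": ["10.0.1.4"]},
]

# Assumed filter keys (modelled on the FortiOS syntax) mapped onto the inventory fields.
ATTRIBUTE_KEYS = {"ResourceGroup": "resource_group", "VmName": "name", "Vnet": "vnet", "Subnet": "subnet"}


def vm_attribute(vm, key):
    """Look up one filter key on a VM. Azure tag names are case-insensitive, tag values are not."""
    if key.startswith("Tag."):
        wanted = key[4:].lower()
        return next((v for k, v in vm["tags"].items() if k.lower() == wanted), None)
    field = ATTRIBUTE_KEYS.get(key)
    return vm.get(field) if field else None


def resolve(inventory, filter_expr):
    """Return the private IPs of every VM matching filter_expr, e.g. 'ResourceGroup=AzureLab & Tag.Role=web'.
    '&' binds tighter than '|', as in the assumed grammar."""
    clauses = [[term.strip().split("=", 1) for term in alt.split("&")] for alt in filter_expr.split("|")]
    matched = set()
    for vm in inventory:
        if any(all(vm_attribute(vm, k.strip()) == v.strip() for k, v in clause) for clause in clauses):
            matched.update(vm["private_ips"])
    return sorted(matched, key=ipaddress.ip_address)


def address_object_state(inventory, filter_expr):
    """What the GUI shows: a resolved member list, or the error state when nothing matches."""
    ips = resolve(inventory, filter_expr)
    return {"filter": filter_expr, "members": ips, "state": "resolved" if ips else "error: no matching resource"}


if __name__ == "__main__":
    for f in ("Tag.Role=web", "Tag.Role=Web", "Tag.Role=db | Subnet=external"):
        print(address_object_state(AZURE_VMS, f))
```

The second filter in the demo differs from the first only by the case of the tag value and resolves to nothing, which is exactly the kind of mismatch that leaves a dynamic object in the error state.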

NEW QUESTION # 11
When an organization deploys a FortiGate-VM in a high availability (HA) active-active architecture in Microsoft Azure, it needs to determine the default timeout values of the load balancer probes.
In the event of a failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?

  • A. Less than 10 seconds
  • B. 16 seconds
  • C. 30 seconds
  • D. 20 seconds

Answer: C


NEW QUESTION # 12
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?

  • A. They can create additional vNICs in the UI console.
  • B. They can use the Compute Engine API Explorer.
  • C. They can create additional vNICs using the Cloud Shell.
  • D. They cannot create and add additional vNICs to an existing FortiGate-VM.

Answer: B

Explanation:
https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/62d32ecf-687f-11ea-9384-00505692583a/FortiOS-6.4-GCP_Cookbook.pdf


NEW QUESTION # 13
Which two statements about Amazon Web Services (AWS) networking are correct? (Choose two.)

  • A. 802.1q VLAN tags are allowed inside the same virtual private cloud.
  • B. AWS DNS reserves the first host IP address of each subnet.
  • C. Proxy ARP entries are disregarded.
  • D. Multicast traffic is not allowed.

Answer: C,D

Explanation:
https://blog.ipspace.net/2018/05/amazon-web-services-networking-overview.html


NEW QUESTION # 14
You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:
* Two FortiGate devices must be deployed; each in a different availability zone.
* Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
* An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active-active topology.
* An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.
* Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?

  • A. config system auto-scale
  • B. config system session-sync
  • C. config system ha
  • D. config system sdn-connector

Answer: C


NEW QUESTION # 15
Refer to the exhibit.

You are deploying a FortiGate-VM in Microsoft Azure using the PAYG/On-demand licensing model. After you configure the FortiGate-VM, the validation process fails, displaying the error shown in the exhibit.
What caused the validation process to fail?

  • A. You selected the Bring Your Own License (BYOL) licensing mode.
  • B. You selected the incorrect resource group.
  • C. You selected the PAYG/On-demand licensing model, but did not select correct virtual machine size.
  • D. You selected the PAYG/On-demand licensing model, but did not associate a valid Azure subscription.

Answer: D

Explanation:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources


NEW QUESTION # 16
When configuring the FortiCASB policy, which three configuration options are available? (Choose three.)

  • A. Threat protection policies
  • B. Data loss prevention policies
  • C. Intrusion prevention policies
  • D. Antivirus policies
  • E. Compliance policies

Answer: A,B,E

Explanation:
Policy settings allow you to configure each policy to fit the needs of your usage. You can select any type of policy (Data Analysis, Threat Protection or Compliance).
https://docs.fortinet.com/document/forticasb/20.1.0/online-help/482958/policy-configuration


NEW QUESTION # 17
Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)

  • A. Sequence number
  • B. Destination port ranges
  • C. Source port ranges
  • D. Source and destination IP ranges
  • E. Action

Answer: B,C,E

Explanation:
Under "Default security rules" the documentation lists source, destination, source port, destination port and access. However, under "Security rules" it lists action, port ranges, and source and destination, so essentially options A, C, D and E are valid, as those parameters can be configured. I would mark A, D and E; source/destination port are to be seen in the table, maybe old documentation.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview


NEW QUESTION # 19
Refer to the exhibit.

Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)

  • A. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
  • B. Configure VNet peering between the spokes only.
  • C. Configure VNet peering between the hub and spokes.
  • D. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.

Answer: C,D


NEW QUESTION # 20
Refer to the exhibit.

In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?

  • A. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.
  • B. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
  • C. Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.
  • D. Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.

Answer: B

Explanation:
A NAT gateway belongs in a public subnet (one whose route table sends 0.0.0.0/0 to the internet gateway). The private subnet's route table then needs only one added route, 0.0.0.0/0 to the NAT gateway, and all egress leaves from the NAT gateway's EIP, so the instance's address is never exposed. Pointing the private subnet's default route at the internet gateway (D) gives an instance without a public IP no connectivity at all, and the local route for 10.0.0.0/16 (A) cannot be deleted from a route table.


NEW QUESTION # 21
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A single VPC deployment with multiple subnets
  • B. A multiple VPC deployment utilizing a transit gateway
  • C. A single VPC deployment with multiple subnets and a NAT gateway
  • D. A multiple VPC deployment utilizing a transit VPC topology

Answer: A,D


NEW QUESTION # 25
Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)

  • A. Configure a user-defined route table
  • B. Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute
  • C. Configure the gateway subnet as the subnet in the user-defined route table
  • D. Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
  • E. Define a default route where the next hop IP is the FortiGate WAN interface

Answer: B,C,E

Explanation:
ExpressRoute has no "redirect" option; traffic arriving from the circuit is steered by routing. A user-defined route table associated with the GatewaySubnet sends data-center traffic to the FortiGate, a default route whose next hop is the FortiGate interface does the same for the protected subnets, and a VPN tunnel from the data center to the FortiGate over ExpressRoute forces all traffic through the firewall.
https://docs.microsoft.com/en-us/answers/questions/618005/adding-a-inline-fw-to-express-route.html


NEW QUESTION # 26
An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?

  • A. The worker node migrates the subnet to a different availability zone.
  • B. The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.
  • C. The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node's private subnet interface.
  • D. The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.

Answer: C

Explanation:
Official documentation, failover process in a single AZ:
https://github.com/fortinet/aws-cloudformation-templates/blob/main/FGCP/7.0/SingleAZ/README.md#failove
"Outbound failover is provided by reassigning the secondary IP addresses of ENI1\port2 from FortiGate 1's private interface to FortiGate 2's private interface. Additionally any route targets referencing FortiGate 1's private interface will be updated to reference FortiGate 2's private interface."
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0

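The two AWS route-table answers above (NAT gateway placement in question 20 and route re-targeting in this question) can be checked with the model below. It is added example code for this page, not Fortinet's worker-node or template code; the gateway, ENI and route-table identifiers are made up, and the boto3 call named in the comment is only mentioned, not executed.

```python
"""Model of VPC route-table behaviour: longest-prefix route lookup, the check that a
private subnet's default route targets a NAT gateway rather than the internet gateway,
and the route re-targeting an auto-scale worker performs when the FortiGate that a
subnet's default route pointed at is terminated. Added example; identifiers are made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    destination: str  # CIDR block
    target: str       # "local", "igw-…", "nat-…", or a FortiGate interface "eni-…"


@dataclass
class RouteTable:
    name: str
    routes: list = field(default_factory=list)

    def lookup(self, dst_ip):
        """Most specific matching route wins, as in the VPC router."""
        addr = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.destination)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best


def check_private_egress(rt):
    """Problems with a route table attached to a private subnet that needs internet egress."""
    problems = []
    default = next((r for r in rt.routes if r.destination == "0.0.0.0/0"), None)
    if default is None:
        problems.append("no default route, so no internet egress")
    elif default.target.startswith("igw-"):
        problems.append("default route targets the internet gateway: instances without a public IP "
                        "get no connectivity, and any with one have their address exposed")
    elif not default.target.startswith(("nat-", "eni-")):
        problems.append(f"unexpected default-route target {default.target}")
    if not any(r.target == "local" for r in rt.routes):
        problems.append("the VPC local route is missing; it cannot be deleted from a real table")
    return problems


def fail_over_routes(tables, dead_eni, live_eni):
    """Repoint every route that targeted dead_eni at live_eni and return the (table, destination)
    pairs changed. Against AWS each change is one ec2.replace_route(RouteTableId=...,
    DestinationCidrBlock=..., NetworkInterfaceId=live_eni) call; here it is in-memory only."""
    changed = []
    for rt in tables:
        for r in rt.routes:
            if r.target == dead_eni:
                r.target = live_eni
                changed.append((rt.name, r.destination))
    return changed


# Constructed tables: the 10.0.0.0/16 VPC from the NAT-gateway question, wrong and fixed,
# and a private subnet in AZ C whose default route points at the FortiGate that was scaled in.
PRIVATE_RT_WRONG = RouteTable("Private-route", [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-0abc")])
PRIVATE_RT_FIXED = RouteTable("Private-route", [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "nat-0abc")])
AZC_PRIVATE_RT = RouteTable("az-c-private", [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "eni-fgt-az-c")])

if __name__ == "__main__":
    print(check_private_egress(PRIVATE_RT_WRONG))
    print(PRIVATE_RT_FIXED.lookup("93.184.216.34").target)
    print(fail_over_routes([AZC_PRIVATE_RT], "eni-fgt-az-c", "eni-fgt-az-a"))
```

The failover function is the in-memory counterpart of answer C: only the route targets change, and the subnet keeps its own route table and availability zone.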

NEW QUESTION # 27
You have been asked to develop an Azure Resource Manager infrastructure as a code template for the FortiGate-VM, that can be reused for multiple deployments. The deployment fails, and errors point to the storageAccount name.
Which two are restrictions for a storageAccount name in an Azure Resource Manager template? (Choose two.)

  • A. The storageAccount name must use special characters.
  • B. The storageAccount name must be in lowercase.
  • C. The uniqueString() function must be used.
  • D. The storageAccount name must contain between 3 and 24 alphanumeric characters.

Answer: B,D

Explanation:
Azure requires a storage account name of 3 to 24 characters, lowercase letters and digits only, and unique across all of Azure. Calling uniqueString() is the usual way to meet the uniqueness requirement in a reusable template, but it is a convention, not a restriction on the name, and special characters are not permitted at all.


NEW QUESTION # 28
Refer to the exhibit.

You attempted to deploy the FortiGate-VM in Microsoft Azure with the JSON template, and it failed to boot up. The exhibit shows an excerpt from the JSON template.
What is incorrect with the template?

  • A. The caching parameter should be None.
  • B. FortiGate-VM does not support managedDisk from Azure.
  • C. The LUN ID is not defined.
  • D. The CreateOptions parameter should be FromImage.

Answer: D

Explanation:
A VM deployed from a marketplace image must have its OS disk created with "createOption": "FromImage"; with any other value the disk is not populated from the FortiGate image and the VM has nothing to boot. ReadWrite caching on the OS disk and an Azure managed disk are both supported, and a LUN is only required on data disks.

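A template linter covering the two deployment failures above (storage account naming in question 27 and the OS disk createOption in this question), written as an added example for this page rather than taken from Fortinet's templates. The template it checks is constructed; the image publisher, offer and SKU are placeholders, and names that are template expressions (such as one built with uniqueString()) are skipped because they are only known at deploy time.

```python
"""Lint an ARM template dict for a Microsoft.Storage/storageAccounts name that breaks
Azure's naming rule and a VM OS disk whose createOption is not FromImage.
Added example; the template below is constructed, not the page's exhibit."""
import json
import re

STORAGE_NAME_RE = re.compile(r"[a-z0-9]{3,24}")


def check_storage_account_name(name):
    """Azure rule: 3 to 24 characters, lowercase letters and digits only (and globally unique)."""
    if STORAGE_NAME_RE.fullmatch(name):
        return []
    problems = []
    if not 3 <= len(name) <= 24:
        problems.append(f"length {len(name)} is not between 3 and 24")
    if any(c.isupper() for c in name):
        problems.append("contains uppercase letters")
    if not re.fullmatch(r"[A-Za-z0-9]*", name):
        problems.append("contains characters other than letters and digits")
    return problems


def lint_template(template):
    """Return human-readable findings for the resources in an ARM template dict."""
    findings = []
    for res in template.get("resources", []):
        rtype, name = res.get("type", ""), str(res.get("name", ""))
        props = res.get("properties", {})
        if rtype == "Microsoft.Storage/storageAccounts":
            if name.startswith("["):
                continue  # e.g. [concat('fgt', uniqueString(resourceGroup().id))]: resolved at deploy time
            findings += [f"{rtype} {name!r}: {p}" for p in check_storage_account_name(name)]
        elif rtype == "Microsoft.Compute/virtualMachines":
            profile = props.get("storageProfile", {})
            os_disk = profile.get("osDisk", {})
            if os_disk.get("createOption") != "FromImage":
                findings.append(f"{rtype} {name!r}: osDisk.createOption is {os_disk.get('createOption')!r}, "
                                "must be 'FromImage' so the disk is built from the FortiGate image")
            for disk in profile.get("dataDisks", []):
                if "lun" not in disk:
                    findings.append(f"{rtype} {name!r}: data disk {disk.get('name')!r} has no lun")
    return findings


# Constructed template excerpt with both mistakes (and a data disk missing its lun).
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-04-01",
      "name": "FortiGate-Logs",
      "location": "[resourceGroup().location]",
      "sku": {"name": "Standard_LRS"},
      "kind": "StorageV2"
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2021-03-01",
      "name": "fgt-vm-a",
      "location": "[resourceGroup().location]",
      "properties": {
        "storageProfile": {
          "imageReference": {"publisher": "fortinet", "offer": "example-offer", "sku": "example-sku", "version": "latest"},
          "osDisk": {"name": "fgt-vm-a-os", "createOption": "Empty", "caching": "ReadWrite",
                     "managedDisk": {"storageAccountType": "Standard_LRS"}},
          "dataDisks": [{"name": "fgt-vm-a-log", "diskSizeGB": 30, "createOption": "Empty",
                         "managedDisk": {"storageAccountType": "Standard_LRS"}}]
        }
      }
    }
  ]
}
""")

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print(finding)
```

Run it before `az deployment group create` to catch these errors locally instead of waiting for the validation step to reject the template.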

NEW QUESTION # 29
Refer to the exhibit.

The exhibit shows a topology where multiple connections from clients to the same FortiGate-VM instance, regardless of the protocol being used, are required.
Which two statements are correct? (Choose two.)

  • A. The Cloud Load Balancer Session Affinity setting should be changed to CLIENT_IP.
  • B. The design shows an active-active FortiGate-VM architecture.
  • C. The design shows an active-passive FortiGate-VM architecture.
  • D. The Cloud Load Balancer Session Affinity setting should use the default value.

Answer: A,B

Explanation:
The design is an active-active FortiGate-VM architecture behind a GCP network load balancer. To ensure that the same client always reaches the same instance regardless of protocol, session affinity must route the same source IP to the same instance, which is what the Fortinet auto-scale deployment sets with session_affinity = "CLIENT_IP" in its Terraform file:
https://github.com/fortinet/fortigate-autoscale-gcp/blob/main/network.tf

    ### Target Pools ###
    resource "google_compute_target_pool" "default" {
      name             = "${var.cluster_name}-instancepool-${random_string.random_name_post.result}"
      session_affinity = "CLIENT_IP"
      health_checks = [
        "${google_compute_http_health_check.default.name}",
      ]
    }


NEW QUESTION # 30
Which two statements about Amazon Web Services (AWS) network access control lists (ACLs) are true? (Choose two.)

  • A. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
  • B. Network ACLs must be manually applied to virtual network interfaces.
  • C. Network ACLs support allow rules and deny rules.
  • D. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.

Answer: A,C

Explanation:
Network ACLs are stateless, so inbound and outbound rules are evaluated independently and return traffic needs its own allow rule; they support both allow and deny rules, numbered and evaluated in order. They are associated with subnets, not with network interfaces; security groups are the stateful, interface-level control and support only allow rules.

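To make the stateless property concrete, the following added example (not from the page or from AWS) evaluates constructed network ACL rules the way the VPC does and shows that the reply to an allowed HTTPS request is dropped unless an outbound rule covers the client's ephemeral ports. Addresses and rule numbers are made up.

```python
"""Network ACL evaluation as the VPC performs it: rules are tried in ascending rule-number
order, the first match decides (allow or deny), and the catch-all '*' rule denies. Because
the ACL is stateless, the reply to an allowed inbound request is just another outbound
packet and must itself match an outbound allow rule. Added example with constructed data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int     # 1..32766 for user rules; the '*' default rule is modelled as 32767
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all protocols (port range then ignored)
    cidr: str       # source block for inbound rules, destination block for outbound rules
    port_from: int  # destination-port range of the packet, in both directions
    port_to: int
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


DEFAULT_DENY = AclRule(32767, "-1", "0.0.0.0/0", 0, 65535, "deny")


def evaluate(rules, packet, direction):
    """Return (action, rule_number) for one packet crossing the subnet boundary."""
    peer_ip = ipaddress.ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]:
        if rule.protocol != "-1" and rule.protocol != packet.protocol:
            continue
        if peer_ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not rule.port_from <= packet.dst_port <= rule.port_to:
            continue
        return rule.action, rule.number  # first match wins; later rules are never consulted
    raise AssertionError("unreachable: the default rule matches everything")


def reply_to(packet):
    """The server's answer: addresses and ports swapped, seen by the ACL as a new packet."""
    return Packet(packet.protocol, packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port)


def check_flow(inbound_rules, outbound_rules, request):
    """Judge a request by the inbound rules and its reply by the outbound rules, separately."""
    return evaluate(inbound_rules, request, "inbound"), evaluate(outbound_rules, reply_to(request), "outbound")


# Constructed ACL for a web subnet 10.0.1.0/24. Rule 90 blocks one abusive /24 ahead of the
# general HTTPS allow; the same deny numbered above 100 would be shadowed and never fire.
INBOUND = [
    AclRule(90, "tcp", "203.0.113.0/24", 443, 443, "deny"),
    AclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
OUTBOUND_REQUEST_ONLY = [AclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_REQUEST_ONLY + [AclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

REQUEST = Packet("tcp", "198.51.100.10", 51234, "10.0.1.20", 443)
BLOCKED_REQUEST = Packet("tcp", "203.0.113.7", 40001, "10.0.1.20", 443)

if __name__ == "__main__":
    print(check_flow(INBOUND, OUTBOUND_REQUEST_ONLY, REQUEST))    # reply denied by '*'
    print(check_flow(INBOUND, OUTBOUND_WITH_EPHEMERAL, REQUEST))  # reply allowed by rule 110
    print(evaluate(INBOUND, BLOCKED_REQUEST, "inbound"))          # denied by rule 90
```

A stateful security group would have admitted the reply automatically; with a network ACL the ephemeral-port allow (rule 110) is what keeps the HTTPS session working.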

The Fortinet NSE7_PBC-6.4 exam covers a wide range of topics that are essential for securing public cloud environments, including cloud security fundamentals, architecture, operations, and services. The Fortinet NSE 7 - Public Cloud Security 6.4 certification exam is designed to test the knowledge and skills of professionals in these areas, to ensure that they can provide effective security solutions for public cloud environments.