リリースFortinet NSE7_PBC-7.2更新された問題PDF
NSE7_PBC-7.2問題集と練習テスト(91試験問題)
質問 # 38
You are troubleshooting an Azure SDN connectivity issue with your FortiGate VM.
Which two queries does that SDN connector use to interact with the Azure management API?
(Choose two.)
- A. The first query is targeted to a special IP address to get a token.
- B. The first query is targeted to IP address 8.8
- C. Some queries are made to manage public IP addresses.
- D. There is only one query initiating from FortiGate port1 -
正解:A、C
解説:
The Azure SDN connector uses two types of queries to interact with the Azure management API.
The first query is targeted to a special IP address to get a token. This token is used to authenticate the subsequent queries. The second type of query is used to retrieve information about the Azure resources, such as virtual machines, network interfaces, network security groups, and public IP addresses. Some queries are made to manage public IP addresses, such as assigning or releasing them from the FortiGate VM.
質問 # 39
You are configuring the failover settings on a FortiGate active-passive SDN connector solution in Microsoft Azure. Which two mandatory settings are required after the initial deployment? (Choose two)
- A. Active FortiGate serial number
- B. Subscription-id
- C. FortiGate license file
- D. Resource group name
正解:B、D
解説:
For configuring the failover settings on a FortiGate active-passive SDN connector solution in Microsoft Azure, the two mandatory settings required after the initial deployment are:
A:Subscription-id
D:Resource group name
* Subscription ID:This is a unique identifier for your Azure subscription under which all resources are created and billed. FortiGate needs this to interact with the Azure resources associated with that subscription.
* Resource Group Name:A resource group in Azure is a container that holds related resources for an
* Azure solution. The SDN connector requires the resource group name to correctly identify and manage the resources it should control, especially in a failover scenario.
References:The requirement for these specific details is found in Azure's best practices for resource management and Fortinet's documentation on deploying and configuring FortiGate appliances in Azure environments.
質問 # 40
An administrator decides to use the Use managed identity option on the FortiGate SDN connector with Microsoft Azure However, the SDN connector is failing on the connection What must the administrator do to correct this issue?
- A. Make sure to enable the system assigned managed identity on Azure
- B. Make sure to add the Client secret on FortiGate side of the configuration
- C. Make sure to set the type to system managed identity on FortiGate SDN connector settings
- D. Make sure to add the Tenant ID on FortiGate side of the configuration
正解:A
解説:
When an administrator decides to use the 'Use managed identity' option for the FortiGate SDN connector with Microsoft Azure and faces a connection failure, the correct action to take is: C.
Make sure to enable the system assigned managed identity on Azure.
Managed Identity Configuration: The system assigned managed identity is a feature in Azure that provides an identity for the Azure service instance (in this case, the FortiGate SDN connector) within Azure Active Directory and eliminates the need for credentials to be stored in the configuration.
Troubleshooting Connection Issues: If the SDN connector is failing to connect, it could be because the system assigned managed identity has not been enabled or configured properly in Azure for the FortiGate service.
質問 # 41
Refer to the exhibit
In your Amazon Web Services (AWS), you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful.
Also, you must ensure that the Customer VPC FortiGate VM sends all the outbound Internet traffic through the Security VPC How do you correct this Issue with minimal configuration changes?
(Choose three.)
- A. Add a route With your local internet public IP address as the destination and target internet gateway
- B. Add a route With your local internet public IP address as thedestination and target transit gateway
- C. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC,
- D. Add route destination 0 0.0 0/0 to target the transit gateway
- E. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway
正解:C、D、E
解説:
Explanation
B: Add route destination 0.0.0.0/0 to target the transit gateway. This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs1. The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model2. D. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway. This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located3. An internet gateway is a service that enables communication between your VPC and the internet4. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources. E. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC. This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located3. This is an alternative solution to option D, depending on which subnet you want to use for the FortiGate VM.
The other options are incorrect because:
Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet1. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.
Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC1. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.
質問 # 42
You are asked to find a solution to replace the existing VPC peering topology to have a higher bandwidth connection from Amazon Web Services (AWS) to the on-premises data center.
Which two solutions will satisfy the requirement? (Choose two.)
- A. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on- premises data center.
- B. Use transit VPC to build multiple VPC connections to the on-premises data center
- C. Use the transit gateway attachment With VPN option to create multiple VPN connections to the on-premises data center
- D. Use ECMP and VPN to achieve higher bandwidth.
正解:A、C
解説:
Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on- premises data center. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center. According to the Fortinet documentation for Public Cloud Security, a transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs). A transit VPC can use a hub and spoke topology to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention. A transit VPC can also leverage Equal-Cost Multi-Path (ECMP) routing to achieve higher bandwidth and load balancing across multiple VPN tunnels. A transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway. You can use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention. A transit gateway attachment with VPN option can also leverage ECMP routing to achieve higher bandwidth and load balancing across multiple VPN tunnels.
質問 # 43
Refer to the exhibit.

What could be the reason that the administrator cannot access the EC2 instance?
- A. There is no . pem key created on in Amazon Web Services (AWS)
- B. The directory location of the . pem file is incorrect.
- C. You must elevate the permissions to access the EC2 instance
- D. You must run the chmod 400 Staging-key.peracommand before accessing the instance.
正解:B
解説:
The reason the administrator cannot access the EC2 instance could be:
D:The directory location of the .pem file is incorrect.
* SSH Key Location:When initiating an SSH connection to an AWS EC2 instance, you must specify the private key file (.pem file) location that corresponds to the public key used when the instance was launched. The error "Warning: Identity file Staging-key.pem not accessible: No such file or directory" indicates that the SSH client cannot find the .pem file at the specified location.
* Correct File Path:The administrator needs to ensure that the path to theStaging-key.pemfile is correctly specified when running the SSH command. If the file is not in the current directory from which the command is executed, the full or relative path to the file must be provided.
References:This behavior is in line with standard SSH connection practices and AWS guidelines for accessing EC2 instances. It is a common issue that occurs when the private key file is not located in the directory from which the SSH command is being executed or the path provided is incorrect.
質問 # 44
Refer to the exhibit
You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS).
You examined the variables.tf file.
What will be the final result after running the terraform init and terraform apply commands?
- A. Terraform will deploy a FortiGate VM in the eu-West-1a region with two subnets and byol license.
- B. Terraform will not deploy a FortiGate VM
- C. Terraform will deploy a FortiGate VM in the eu-West-Ia region with private and public subnets.
- D. Terraform will deploy a FortiGate VM in the eu-West-Ia region without any subnets.
正解:A
解説:
The variables.tf file shows that the FortiGate VM will be deployed in the eu-West-Ia region with private and public subnets. The region variable is set to "eu-west-1" and the availability_zone variable is set to "eu-west-1a". The vpc_id variable is set to "vpc-0e9d6a6f" and the subnets variable is set to a list of two subnet IDs: "subnet-0f9d6a6f" and "subnet-1f9d6a6f". The license_type variable is set to "on-demand" and the ami_id variable is set to "ami-0e9d6a6f".
質問 # 45
An administrator decides to use the Use managed identity option on the FortiGate SDN connector with Microsoft Azure However, the SDN connector is failing on the connection What must the administrator do to correct this issue?
- A. Make sure to enable the system assigned managed identity on Azure
- B. Make sure to add the Client secret on FortiGate side of the configuration
- C. Make sure to set the type to system managed identity on FortiGate SDN connector settings
- D. Make sure to add the Tenant ID on FortiGate side of the configuration
正解:A
解説:
When an administrator decides to use the 'Use managed identity' option for the FortiGate SDN connector with Microsoft Azure and faces a connection failure, the correct action to take is:
C . Make sure to enable the system assigned managed identity on Azure.
Managed Identity Configuration: The system assigned managed identity is a feature in Azure that provides an identity for the Azure service instance (in this case, the FortiGate SDN connector) within Azure Active Directory and eliminates the need for credentials to be stored in the configuration.
Troubleshooting Connection Issues: If the SDN connector is failing to connect, it could be because the system assigned managed identity has not been enabled or configured properly in Azure for the FortiGate service.
質問 # 46
You have been tasked with deploying FortiGate VMs in a highly available topology on the Amazon Web Services (AWS) cloud. The requirements for your deployment are as follows:
- You must deploy two FortiGate VMs in a single virtual private cloud (VPC), with an external elastic load balancer which will distribute ingress traffic from the internet to both FortiGate VMs in an active-active topology.
- Each FortiGate VM must have two elastic network interfaces: one will connect to a public subnet and other will connect to a private subnet.
- To maintain high availability, you must deploy the FortiGate VMs in two different availability zones.
How many public and private subnets will you need to configure within the VPC?
- A. Two public subnets and one private subnet
- B. Two public subnets and two private subnets
- C. One public subnet and one private subnet
- D. One public subnet and two private subnets
正解:B
質問 # 47
What are two main features in Amazon Web Services (AWS) network access control lists (ACLs)? (Choose two.)
- A. The default network ACL is configured to allow all traffic
- B. NetworkACLs are stateless, and inbound and outbound rules are used for traffic filtering
- C. Network ACLs are tied to an instance
- D. You cannot use Network ACL and Security Group at the same time.
正解:A、B
解説:
The default network ACL is configured to allow all traffic. This means that when you create a VPC, AWS automatically creates a default network ACL for that VPC, and associates it with all the subnets in the VPC. By default, the default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can modify the default network ACL, but you cannot delete it.
Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering. This means that network ACLs do not keep track of the traffic that they allow or deny, and they evaluate each packet separately. Therefore, you need to create both inbound and outbound rules for each type of traffic that you want to allow or deny. For example, if you want to allow SSH traffic from a specific IP address to your subnet, you need to create an inbound rule to allow TCP port 22 from that IP address, and an outbound rule to allow TCP port 1024-65535 (the ephemeral ports) to that IP address.
質問 # 48
Which two attachments are necessary to connect a transit gateway to an existing VPC with BGP? (Choose two )
- A. A BGP attachment
- B. A transport attachment
- C. A GRE attachment
- D. A connect attachment
正解:B、D
解説:
The correct answer is A and C. A transport attachment and a connect attachment are necessary to connect a transit gateway to an existing VPC with BGP.
According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. To connect a transit gateway to an existing VPC with BGP, you need to do the following steps:
* Create a transport attachment. A transport attachment is a resource that connects a VPC or VPN to a transit gateway. You can specify the BGP options for the transport attachment, such as the autonomous system number (ASN) and the BGP peer IP address.
* Create a connect attachment. A connect attachment is a resource that enables you to use your own appliance to provide network services for traffic that flows through the transit gateway. You can use a connect attachment to route traffic between the transport attachment and your appliance using GRE tunnels and BGP.
The other options are incorrect because:
* A BGP attachment is not a valid type of attachment for a transit gateway. BGP is a protocol that enables dynamic routing between the transit gateway and the VPC or VPN.
* A GRE attachment is not a valid type of attachment for a transit gateway. GRE is a protocol that encapsulates packets for tunneling purposes. GRE tunnels are established between the connect attachment and your appliance.
[Transit Gateways - Amazon Virtual Private Cloud] : [Transit Gateway Connect - Amazon Virtual Private Cloud]
質問 # 49
You have been asked to develop an Azure Resource Manager infrastructure as a code template for the FortiGate-VM, that can be reused for multiple deployments. The deployment fails, and errors point to the storageAccount name.
Which two are restrictions for a storageAccount name in an Azure Resource Manager template?
(Choose two.)
- A. The storageAccount name must use special characters.
- B. The storageAccount name must contain between 3 and 24 alphanumeric characters.
- C. The storageAccount name must be in lowercase.
- D. The uniqueString() function must be used.
正解:B、C
質問 # 50
Refer to the exhibit
Consider the active-active load balance sandwich scenario in Microsoft Azure.
What are two important facts in the active-active load balance sandwich scenario? (Choose two )
- A. It uses the vdom-exception command to exclude the configuration from being synced
- B. It uses the FGCP protocol
- C. It supports session synchronization for handling asynchronous traffic.
- D. It is recommended to enable NAT on FortiGate policies.
正解:C、D
解説:
B . It is recommended to enable NAT on FortiGate policies. This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets1. If NAT is not enabled, the source IP address of the packets will be the same as the load balancer's frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues1. Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing1. D. It supports session synchronization for handling asynchronous traffic. This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session2. For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table2. This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors.
The other options are incorrect because:
It does not use the vdom-exception command to exclude the configuration from being synced. The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group3. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname.
It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.
質問 # 51
Refer to the exhibit. A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Linux1 and Linux2 instances to the internet through the security VPC (virtual private cloud). The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface. Assume there are no issues with the Transit Gateway (TGW) configuration.
Which two settings must the customer add to correct the issue? (Choose two.)
- A. The four landing subnets in all the VPCs must have a 0.0.0.0/0 traffic route to the TGW
- B. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the TGW
- C. Both landing subnets in the security VPC must have a 0.0.0.0/0 traffic route to the FortiGate port2.
- D. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the Internet Gateway (IOW).
正解:B、C
解説:
The correct answer is B and C. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the TGW. Both landing subnets in the security VPC must have a 0.0.0.0/0 traffic route to the FortiGate port2.
According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. To send outbound traffic from the Linux instances to the internet through the security VPC, you need to do the following steps:
In the main subnet routing table in the spoke VPCs, add a new route with destination 0.0.0.0/0, next hop TGW. This route directs all traffic from the Linux instances to the TGW, which can then forward it to the appropriate destination based on the TGW route table. In the main subnet routing table in the security VPC, add a new route with destination 0.0.0.0/0, next hop FortiGate port2.
This route directs all traffic from the TGW to the FortiGate internal interface, where it can be inspected and allowed by the FortiGate policies.
質問 # 52
What are three important steps required to get Terraform ready using Microsoft Azure Cloud Shell? (Choose three.)
- A. Move the Terraform file to the bin directory.
- B. Use the wget (te=aform vession) command to upload Terraform.
- C. use the -O command to download Terraform.
- D. Set up a storage account in Azure.
- E. Subscribe to Terraform in Azure.
正解:A、B、D
解説:
To get Terraform ready using Microsoft Azure Cloud Shell, you need to perform the following steps:
Set up a storage account in Azure. This is required to store the Terraform state file in a blob container, which enables collaboration and persistence of the infrastructure configuration.
Use the wget (terraform_version) command to upload Terraform. This command downloads the latest version of Terraform from the official website and saves it as a zip file in the current directory.
Move the Terraform file to the bin directory. This step extracts the Terraform executable from the zip file and moves it to the bin directory, which is part of the PATH environment variable. This allows you to run Terraform commands from any directory in Cloud Shell.
質問 # 53
Refer to the exhibit
An administrator is trying to deploy a FortiGate VM in Microsoft Azure using Terraform However, during the configuration, the Azure client secret is no longer visible in the Azure portal.
How would the administrator obtain the Azure
client secret to configure on Terratorm?
- A. The administrator can create a new client secret
- B. Log in to the Azure CLI with power user to obtain the client secret
- C. The administrator must create a new Azure account
- D. The administrator must obtain the client secret through Azure Cloud Shell.
正解:A
解説:
Explanation
The Azure client secret is a one-time value that is only visible when it is created. If the administrator loses or forgets the client secret, they cannot retrieve it from the Azure portal. However, they can create a new client secret and use it to configure Terraform. To create a new client secret, they need to follow these steps12:
Sign in to the Azure portal and navigate to the Azure Active Directory service.
Select the application name under the App Registrations.
Select Certificates & Secrets > New client secret to create a new client secret.
Add a description and an expiration date for the client secret and select Add.
Copy the value of the new client secret immediately as it will not be shown again.
References:
Generate new Client Secret and link to key-vault | Microsoft Learn
Azure Quickstart - Set and retrieve a secret from Key Vault using Azure portal | Microsoft Learn
質問 # 54
Refer to the exhibit.
You are troubleshooting a FortiGate HA floating IP issue with Microsoft Azure. After the failover, the new primary device does not have the previous primary device floating IP address.
What could be the possible issue With this scenario?
- A. The error is caused by credential time expiration.
- B. The Azure service principle account must have a contributor role.
- C. FortiGate port4 does not have internet access.
- D. A wrong client secret credential is used
正解:B
解説:
Explanation
In this scenario, the issue is caused by the Azure service principle account nothaving a contributor role. This is required for the FortiGate HA floating IP to work properly. Without this role, the new primary device will not have the previous primary device floating IP address after failover. References: Fortinet Public Cloud Security knowledge source documents or study guide.
https://docs.fortinet.com/product/fortigate-public-cloud/7.2
質問 # 55
A customer would like to use FortiGate fabric integration With FortiCNP When configuring a FortiGate VM to add to FortiCNP, which three mandatory configuration steps must you follow on FortiGate? (Choose three.)
- A. Enable send logs-
- B. Create an IPsec tunnel.
- C. Enable two-factor authentication.
- D. Create an SSL]SSH inspection profile.
- E. Create and IPS sensor and a firewall policy
正解:A、D、E
解説:
To configure a FortiGate VM to add to FortiCNP, you need to perform three steps on FortiGate:
Enable send logs in FortiGate to allow FortiCNP to receive the IPS logs from FortiGate.
Create an SSL/SSH inspection profile on FortiGate to inspect the encrypted traffic and apply IPS protection.
Create an IPS sensor and a firewall policy on FortiGate to enable IPS detection and prevention for the traffic.
Reference:
FortiCNP 22.4.a Administration Guide, page 22-24
FortiGate IPS Administration Guide, page 9-10
質問 # 56
Refer to the exhibit. The exhibit shows a customer deployment of two Linux instances and their main routing table in Amazon Web Services (AWS). The customer also created a Transit Gateway (TGW) and two attachments.
Which two steps are required to route traffic from Linux instances to the TGWQ (Choose two.)
- A. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop TGW.
- B. In the TGW route table, associate two attachments.
- C. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop Internet gateway (IGW).
- D. In the TGW route table, add route propagation to 192.168.0.0/16
正解:A、B
解説:
According to the AWS documentation for Transit Gateway, a Transit Gateway is a network transit hub that connects VPCs and on-premises networks. To route traffic from Linux instances to the TGW, you need to do the following steps:
In the TGW route table, associate two attachments. An attachment is a resource that connects a VPC or VPN to a Transit Gateway. By associating the attachments to the TGW route table, you enable the TGW to route traffic between the VPCs and the VPN.
In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop TGW. This route directs all traffic from the Linux instances to the TGW, which can then forward it to the appropriate destination based on the TGW route table.
質問 # 57
Refer to the exhibit
A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Linux1 and Linux2 instances to the internet through the security VPC (virtual private cloud). The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface. Assume there are no issues with the Transit Gateway (TGW) configuration Which two settings must the customer add to correct the issue? (Choose two.)
- A. Both landing subnets in the spoke VPCs must have a 0.0 00/0 traffic route to the TGW
- B. The four landing subnets in all the VPCs must have a 0.0 0 0/0 traffic route to the TGW
- C. Both landing subnets in the security VPC must have a 0.0.0.0/0 traffic route to the FortiGate port2.
- D. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the Internet Gateway (IOW).
正解:A、C
解説:
The correct answer is B and C. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the TGW. Both landing subnets in the security VPC must have a 0.0.0.0/0 traffic route to the FortiGate port2.
According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. To send outbound traffic from the Linux instances to the internet through the security VPC, you need to do the following steps:
* In the main subnet routing table in the spoke VPCs, add a new route with destination 0.0.0.0/0, next hop TGW. This route directs all traffic from the Linux instances to the TGW, which can then forward it to the appropriate destination based on the TGW route table.
* In the main subnet routing table in the security VPC, add a new route with destination 0.0.0.0/0, next hop FortiGate port2. This route directs all traffic from the TGW to the FortiGate internal interface, where it can be inspected and allowed by the FortiGate policies.
The other options are incorrect because:
* Adding a 0.0.0.0/0 traffic route to the Internet Gateway (IGW) in the spoke VPCs is not correct, as this would bypass the TGW and the security VPC and send all traffic directly to the internet.
* Adding a 0.0.0.0/0 traffic route to the TGW in all the VPCs is not necessary, as only the spoke VPCs need to send traffic to the TGW. The security VPC needs to send traffic to the FortiGate port2.
Transit Gateways - Amazon Virtual Private Cloud:Fortinet Documentation Library - Deploying FortiGate VMs on AWS
質問 # 58
Refer to the exhibit. You have deployed a Linux EC2 instance in Amazon Web Services (AWS) with the settings shown on the exhibit What next step must the administrator take to access this instance from the internet?
- A. Enable SSH and allocate it to the device
- B. Enable source and destination checks on the instance
- C. Allocate an Elastic IP address and assign it to the instance
- D. Configure the user name and password.
正解:C
解説:
The next step the administrator must take to access the Linux EC2 instance from the internet is:
D: Allocate an Elastic IP address and assign it to the instance.
Elastic IP (EIP) Requirement: By default, when an EC2 instance is launched in AWS, it receives a public IP address from Amazon's pool, which is not static. This IP address can change, for example, if the instance is stopped and started again. To have a static IP address, you need to allocate an Elastic IP (EIP), which is a persistent public IP address, and then associate it with the instance.
Public Accessibility: Without an Elastic IP, the instance may not be accessible over the internet after a reboot or stop/start sequence. Assigning an Elastic IP ensures the instance can be accessed consistently using the same IP address.
質問 # 59
Your administrator instructed you to deploy an Azure vWAN solution to create a connection between the main company site and branch sites to the other company VNETs.
What are the two best connection solutions available between your company headquarters, branch sites, and the Azure vWAN hub? (Choose two.)
- A. SSL VPN connections
- B. GRE tunnels
- C. VPN Gateway
- D. ExpressRoute
- E. An L2TP connection
正解:C、D
解説:
Explanation
The two best connection solutions available between your company headquarters, branch sites, and the Azure vWAN hub are A. ExpressRoute and E. VPN Gateway.
According to the Azure documentation for Virtual WAN, ExpressRoute and VPN Gateway are two of the supported connectivity options for connecting your on-premises sites and Azure virtual networks to the Azure vWAN hub1. These options provide secure, reliable, and high-performance connectivity for your network traffic.
ExpressRoute is a service that lets you create private connections between your on-premises sites and Azure.ExpressRoute connections do not go over the public internet, and offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the internet2.
VPN Gateway is a service that lets you create encrypted connections between your on-premises sites and Azure over the internet using IPsec/IKE protocols.VPN Gateway also supports point-to-site VPN connections for individual clients using OpenVPN or IKEv2 protocols3.
The other options are incorrect because:
GRE tunnels are not a supported connectivity option for Azure vWAN. GRE is a protocol that encapsulates packets for tunneling purposes.GRE tunnels are established between the connect attachment and your appliance in Azure vWAN4.
SSL VPN connections are not a supported connectivity option for Azure vWAN. SSL VPN is a type of VPN that uses the Secure Sockets Layer (SSL) protocol to secure the connection between a client and a server.SSL VPN is not compatible with the Azure vWAN hub5.
An L2TP connection is not a supported connectivity option for Azure vWAN. L2TP is a protocol that creates a tunnel between two endpoints at the data link layer (Layer 2) of the OSI model.L2TP is not compatible with the Azure vWAN hub.
1:Azure Virtual WAN Overview | Microsoft Learn2: [ExpressRoute overview - Azure ExpressRoute | Microsoft Docs]3: [VPN Gateway - Virtual Networks | Microsoft Azure]4: [Transit Gateway Connect - Amazon Virtual Private Cloud]5: [SSL VPN - Wikipedia] : [Layer 2 Tunneling Protocol - Wikipedia]
質問 # 60
......
NSE7_PBC-7.2試験問題集合格させるのは更新されたのは2025年年最新の認証済み試験問題:https://jp.fast2test.com/NSE7_PBC-7.2-premium-file.html