
NSE 7

Title of test:
NSE 7

Description:
NSE 7 public cloud security 7.6 4 architect

Creation Date: 2026/06/15

Category: Computers

Number of questions: 72

Content:

Q1. What are two main features in Amazon Web Services (AWS) network access control lists (NACLs)? (Choose two answers). A. NACLs are stateless, and inbound and outbound rules are used for traffic filtering. B. NACLs are tied to an instance. C. The default NACL is configured to allow all traffic. D. You cannot use NACLs and Security Groups at the same time.

Q2. How does an administrator secure container environments in Amazon AWS from newly emerged security threats? (Choose one answer). A. Using Docker-related application control signatures. B. Using Amazon AWS-related application control signatures. C. Using distributed network-related application control signatures. D. Using Amazon AWS_S3-related application control signatures.

Q3. Refer to the exhibit. The exhibit shows a customer deployment of two Linux instances and their main routing table in Amazon Web Services (AWS). The customer also created a Transit Gateway (TGW) and two attachments. Which two steps are required to route traffic from Linux instances to the TGW? (Choose two answers). A. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop TGW. B. In the TGW route table, associate two attachments. C. In the TGW route table, add route propagation to 192.168.0.0/16. D. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop Internet gateway (IGW).

Q4. You have deployed a FortiGate HA cluster in Azure using a gateway load balancer for traffic inspection. However, traffic is not being routed correctly through the firewalls. What can be the cause of the issue? (Choose one answer). A. The gateway load balancer is not associated with the correct network security group (NSG) rules, which allow traffic to pass through. B. The health probes for the gateway load balancer are failing, which causes traffic to bypass the HA cluster. C. The protected VMs are in a different Azure subscription, which prevents the gateway load balancer from forwarding traffic. D. The Fortinet VMs have IP forwarding disabled, which is required for traffic inspection.

Q5. Your organization has several FortiGate VMs deployed in Azure. You need to implement a solution with Azure native tools that allows you to determine whether packets are being permitted or blocked by the FortiGate VMs. Which solution can you use to meet these requirements? (Choose one answer). A. Install the Azure Monitor agent in all VMs. B. Use IP flow verify for each of the VMs. C. Configure Azure Advisor to analyze the network traffic. D. Insert the VM traffic logs in Azure Sentinel.

Q6. Refer to the exhibit. Your team notices an unusually high volume of traffic sourced at one of the organization's FortiGate EC2 instances. They create a flow log to obtain and analyze detailed information about this traffic. However, when they checked the log, they found that it included traffic that was not associated with the FortiGate instance in question. What can they do to obtain the correct logs? (Choose one answer). A. Create a new flow log at the interface level. B. Change the maximum aggregation time to 1 minute. C. Ensure that the flow log data is not mixed with the rest of the traffic. D. Send the logs to Amazon Data Firehose instead to get more granular information.

Q7. Your administrator instructed you to deploy an Azure vWAN solution to create a connection between the main company site and branch sites to the other company VNETs. What is the best connection solution available between your company headquarters, branch sites, and the Azure vWAN hub? (Choose one answer). A. An L2TP connection. B. SSL VPN connections. C. GRE tunnels. D. ExpressRoute.

Q8. Refer to the exhibit. Which FortiCNP policy type generated the finding shown in the exhibit? (Choose one answer). A. This finding was generated by a data scan policy. B. This finding was generated by a threat detection policy. C. This finding was generated by a risk management policy. D. This finding was generated by a file collection policy.

Q9. A network security administrator is searching for a solution to secure traffic going in and out of the container infrastructure. In which two ways can Fortinet container security help secure container infrastructures? (Choose two answers). A. FortiGate NGFW and FortiWeb can be used to secure container traffic. B. FortiGate NGFW can connect to the worker nodes and protect the containers. C. FortiGate NGFW can inspect north-south container traffic with label-aware policies. D. FortiGate NGFW can be placed between each application container for north-south traffic inspection.

Q10. Refer to the exhibit. An administrator used the what-if tool to preview the changes to an Azure Bicep file. What will happen if the administrator applies these changes in Azure? (Choose one answer). A. A new subnet will be added to vnet-002. B. The vnet-002 VNet will be renamed Production. C. The resulting VNet will have a single subnet. D. The VNet address space will be updated.

Q11. Which two mandatory SDN connector settings are required for a successful deployment? (Choose two answers). A. Active FortiGate serial number. B. FortiGate license file. C. Client secret. D. Directory ID.

Q12. Refer to the exhibit. The exhibit shows partial output of changes that AWS found after you created a new change set. What can you conclude from this output if you decide to execute this change set? (Choose one answer). A. Executing this change set will create a new VM, unless you do not have proper permissions. B. You should refer to the AWS documentation to prevent unplanned service interruptions. C. CloudFormation will check your account quota before executing the change set, to prevent errors. D. Resources deployed successfully will remain, even if other resources fail during execution.

Q13. Refer to the exhibit. What would be the impact of confirming to delete all the resources in Terraform? (Choose one answer). A. It destroys all the resources in the resource group. B. It destroys all the resources in the state file. C. It destroys all the resources tied to the AWS Identity and Access Management (IAM) user. D. It destroys all the resources in the .tfvars file.

Q14. Refer to the exhibit. You have deployed a Linux EC2 instance in Amazon Web Services (AWS) with the settings shown on the exhibit. What next step must the administrator take to access this instance from the internet? (Choose one answer). A. Configure the user name and password. B. Create a VIP on FortiGate to allow access. C. Allocate an Elastic IP address and assign it to the instance. D. Enable SSH and allocate it to the device.

Q15. A customer would like to use FortiGate fabric integration with FortiCNP. When adding a FortiGate VM to FortiCNP, which three mandatory configuration steps must you follow on FortiGate? (Choose three answers). A. Enable pre-shared key on both sides. B. Import the FortiGate certificate into FortiCNP. C. Configure FortiGate to send logs to FortiCNP. D. Create an IPS sensor and a firewall policy. E. Create an SSL/SSH inspection profile.

Q16. Refer to the exhibit. An administrator has deployed a FortiGate VM in Amazon Web Services (AWS) and is trying to access it using its public IP address from their local computer. However, the connection is not successful, and at the same time FortiGate is not receiving any HTTPS or SSH traffic to its external interface. What should the administrator check for a possible issue? (Choose one answer). A. Check the debug flow for any network ACLs. B. Check the FortiGate instance ID. C. Check the inbound rules of the security groups. D. Check the FortiGate firewall policies.

Q17. Refer to the exhibit. An administrator deployed an HA active-active load balance sandwich in Microsoft Azure. The setup requires configuration synchronization between devices. What can you conclude from the configured settings shown in the exhibit? (Choose two answers). A. By default, FortiGate uses FGCP. B. FortiGate A and FortiGate B are two independent devices. C. FortiGate-VM instances are scaled out automatically according to predefined workload levels. D. It does not synchronize the FortiGate hostname.

Q18. Which statement about immutable infrastructure in automation is true? (Choose one answer). A. It is the practice of modifying the existing server configuration after it is deployed. B. It is the practice of deploying a new server for every configuration change. C. It is the practice of applying hotfixes and OS patches after deployment. D. It is the practice of deploying two parallel servers for high availability.

Q19. Your DevOps team is evaluating different Infrastructure as Code (IaC) solutions for deploying complex Azure environments. What is an advantage of choosing Azure Bicep over other IaC tools available? (Choose one answer). A. Azure Bicep provides immediate support for all Azure services, including those in preview. B. Azure Bicep generates deployment logs that are optimized to improve error handling. C. Azure Bicep can reduce deployment costs by limiting resource utilization during testing. D. Azure Bicep requires less frequent schema updates than Azure Resource Manager (ARM) templates.

Q20. A VM in Azure is failing to communicate with other VMs in the same subnet. What is the most likely cause? (Choose one answer). A. The VMs do not have a public IP address configured. B. There is at least one user-defined route blocking traffic within the subnet. C. Some of the VMs are beyond your allowed quota for the Azure region. D. A network security group (NSG) has overridden the default intrasubnet communication rule.

Q21. You are automating configuration changes on one of the FortiGate VMs using Linux Red Hat Ansible. How does Linux Red Hat Ansible connect to FortiGate to make the configuration change? (Choose one answer). A. It uses SSH. B. It uses a FortiGate VIP. C. It uses an API. D. It uses a YAML file.

Q22. An administrator is relying on Azure Bicep linter to find possible issues in Bicep files. Which problem can the administrator expect to find? (Choose one answer). A. Region-specific SKU availability for objects included in the code. B. Conflicts with the Azure policy for resource configurations. C. Code issues such as unused parameters or variables. D. Missing dependencies among resources that could cause failures.

Q23. Refer to the exhibit. An administrator installed a FortiWeb ingress controller to protect a containerized web application. What is the reason for the status shown in FortiView? (Choose one answer). A. The SDN connector is not authenticated correctly. B. The FortiWeb VM is missing a route to the node subnet. C. The manifest file deployed is configured with the wrong node IP addresses. D. The load balancing type is not set to round-robin.

Q24. Refer to the exhibit. A senior administrator in a multinational organization needs to include a comment in the template shown in the exhibit to ensure that administrators from other regions change the EC2 instance size value... How can the administrator add the comment in that section of the file? (Choose one answer). A. The administrator can run the aws cloudformation update-stack and include the comment. B. The administrator must update the AWSTemplateFormatVersion to a more current version. C. The administrator must convert the template to JSON format before adding the comment. D. The administrator can add the comment with the # character next to the InstanceType section.

Q25. Refer to the exhibit. Consider the active-active load balance sandwich scenario in Microsoft Azure. What are two important facts in the active-active load balance sandwich scenario? (Choose two answers). A. It is recommended to enable NAT on FortiGate policies. B. It uses the vdom-exception to exclude the configuration from being synced by default. C. It uses the FGCP protocol for session synchronization by default. D. It supports session synchronization for handling asynchronous traffic.

Q26. Refer to the exhibit. You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS). You examined the variables.tf file. Assume that all the other terraform files are in place. What will be the final result after running the terraform init and terraform apply commands? (Choose one answer). A. Terraform will not deploy a FortiGate VM. B. Terraform will deploy a FortiGate VM in the eu-West-1a availability zone without any subnets. C. Terraform will deploy a FortiGate VM in the eu-West-1 region with private and public subnets. D. Terraform will deploy a FortiGate VM in the eu-West-1a availability zone with two subnets and BYOL license.

Q27. An administrator is looking for a solution that can provide insight into users and data stored in major SaaS applications in the multicloud environment. Which product should the administrator deploy to have secure access to SaaS applications? (Choose one answer). A. FortiSandbox. B. FortiCASB. C. FortiWeb. D. FortiSIEM.

Q28. Refer to the exhibit. A team of AWS administrators is in the process of installing a FortiWeb ingress controller to protect containerized web applications in an Amazon Elastic Kubernetes Service (EKS) cluster. While customizing the manifest file... they do not know the correct value to enter in the fortiweb-login field. How can they determine the correct value for this field? (Choose one answer). A. They must create a Kubernetes secret with the kubectl command. B. The correct value is the password of the FortiWeb admin account. C. They can find the expected value in the manifest file used to deploy the pods. D. They can refer to the output of the EKS cluster deployment.

Q29. An administrator is trying to implement FortiCNP with Microsoft Azure Security integration. However, FortiCNP is not able to extract any cloud integration data from Azure... What is causing this issue? (Choose one answer). A. The Azure account doesn't have the global administrator role. B. The administrator enabled the wrong defender plan for servers. C. The organization is using a free Azure AD license. D. The FortiCNP account in Azure has the Storage Blob Data Reader role.

Q30. Refer to the exhibit. You are deploying two FortiGate VMs in HA active-passive mode with load balancers in Microsoft Azure. Which two statements are true in this load balancing scenario? (Choose two answers). A. A dedicated management interface can be used for load balancing. B. You must add routes to the IP address used by the load balancers to send probes. C. The public IP of the active FortiGate is the next-hop for all the incoming traffic. D. The internal load balancer is the next-hop for outgoing traffic.

Q31. An AWS administrator must ensure that each member of the cloud deployment team has the correct permissions to deploy and manage resources using CloudFormation. Which task is run using CloudFormation? (Choose one answer). A. Deploying a new pod with a service in an Elastic Kubernetes Service (EKS) cluster using the kubectl command. B. Creating an EKS cluster with the eksctl create cluster command. C. Installing a Helm chart to deploy a FortiWeb ingress controller in an EKS cluster. D. Changing the number of nodes in an EKS cluster from AWS CloudShell.

Q32. You are experiencing intermittent connectivity issues in a FortiGate HA cluster deployed with Azure gateway load balancer. Traffic is being dropped when it passes through the cluster. What is the cause of the issue? (Choose one answer). A. The FortiGate firewalls are using the default maximum transmission unit (MTU) size supported by Azure. B. The Azure gateway load balancer is configured with an incorrect health probe port. C. The Azure gateway load balancer is blocking large packets, causing traffic failures. D. The protected VMs are running an application that fragments packets.

Q33. Refer to the exhibit. You are troubleshooting a FortiGate HA floating IP issue with Microsoft Azure. After the failover, the new primary device does not have the previous primary device floating IP address. What could be the possible issue with this scenario? (Choose one answer). A. The Azure service principal account must have a contributor role. B. The error is caused by credential time expiration. C. A wrong client secret credential is used.

Q34. Refer to the exhibit. An AWS administrator created a change set to examine the effects of proposed changes to the current infrastructure. Based on only the output shown in the exhibit, what will happen if the administrator applies these changes? (Choose one answer). A. CloudFormation will roll back the current stack before updating it. B. The PhysicalResourceId will remain the same. C. The deployment will take place without any service interruption. D. The resulting FortiGate instance will lose its current local users.

Q35. An Azure administrator is trying to optimize the Azure Bicep files currently used for cloud deployments. Which technique can Azure administrators use to improve the code in Azure Bicep files? (Choose one answer). A. Limit the allowed parameters with the use of decorators. B. Always use parameter files with the .json extension. C. Avoid nesting related resources to improve readability. D. Use the what-if operation before deploying new resources.

Q36. Refer to the exhibit. You deployed a FortiGate HA active-passive cluster in Microsoft Azure. Which two statements regarding this particular deployment are true? (Choose two answers). A. There is no SLA for API calls from Microsoft Azure. B. The configuration does not synchronize between the primary and secondary devices. C. You can use the vdom-exception command to synchronize the configuration. D. During a failover, all existing sessions are transferred to the new active FortiGate.

Q37. Refer to the exhibit. An administrator is trying to deploy a FortiGate VM in Microsoft Azure using Terraform. However, during the configuration, the Azure client secret is no longer visible in the Azure portal. How would the administrator obtain the Azure client secret to configure on Terraform? (Choose one answer). A. Create a new client secret and take note of it. B. Use the Terraform output file values to obtain the client secret. C. Log in to the Azure CLI as a power user to obtain the client secret. D. Create a new Azure account and assign it the Administrator role.

Q38. An experienced AWS administrator is creating a new virtual public cloud (VPC) flow log with the settings shown in the exhibit. What is the purpose of this configuration? (Choose one answer). A. To retain logs for a long term. B. To maximize the number of logs saved. C. To monitor logs in real time.

Q39. Your monitoring team reports performance issues with a web application hosted in Azure. You suspect that the bottleneck might be due to unexpected inbound traffic spikes. Which method should you use to identify and analyze the traffic pattern? (Choose one answer). A. Enable NSG Flow Logs and analyze logs with Azure Monitor. B. Enable Azure DDoS protection to prevent inbound traffic spikes. C. Use Azure Traffic Manager to visualize all traffic to the application. D. Deploy Azure Firewall to log traffic by IP address.

Q40. Refer to the exhibit. You deployed an HA active-active load balance sandwich with two FortiGate VMs in Microsoft Azure. After the deployment, you prefer to use FGSP to synchronize sessions, and allow asymmetric return traffic. In the environment, FortiGate port 1 and port 2 are facing external and internal load balancers respectively. What IP address must you use in the peerip configuration? (Choose one answer). A. The public load balancer port 2 IP address. B. The internal load balancer port 1 IP address. C. The opposite FortiGate port 2 IP address. D. The opposite FortiGate port 1 IP address.

Q41. You need a solution to safeguard public cloud-hosted web applications from the OWASP Top 10 vulnerabilities. The solution must support the same... (incomplete in source, but starts here). A. Use FortiWeb. B. Use FortiADC. C. Use FortiGate. D. Use FortiCNP.

Q42. Refer to the exhibit. In which type of FortiCNP insights can an administrator examine the findings triggered by this policy? (Choose one answer). A. User activity. B. Data. C. Threat. D. Risk.

Q43. Refer to the exhibit. What is the purpose of this section of an Azure Bicep file? (Choose one answer). A. To indicate the correct FortiOS upgrade path after deployment. B. To add a comment with the permitted FortiOS versions that can be deployed. C. To document the FortiOS versions in the resulting topology. D. To restrict which FortiOS versions are accepted for deployment.

Q44. Refer to the exhibit. ... (Change set for FortiGate instances) What will happen if you apply these changes? (Choose one answer). A. CloudFormation checks if you will surpass your account quota. B. This deployment can be done without any traffic interruption. C. The updated FortiGate VMs will not have the latest configuration changes. D. Both FortiGate VMs will get a new PhysicalResourceId.

Q45. Refer to the exhibit. An administrator implements FortiWeb ingress controller to protect containerized web applications in an AWS Elastic Kubernetes Service (EKS) cluster. What can you conclude about the topology shown in FortiView? (Choose one answer). A. The FortiWeb VM gets the latest cluster information through an SDN connector. B. Adding a new service will update the FortiWeb configuration automatically. C. Both services will be load balanced among the two nodes and the four pods. D. This topology has two services and two ingress controllers deployed.

Q46. Refer to the exhibit. The exhibit shows an active-passive high availability FortiGate pair with external and internal Azure load balancers. There is no SDN connector used in this solution. Which configuration must the administrator implement on each FortiGate? (Choose one answer). A. One static route to Azure Lambda IP address. B. Single BGP route to Azure probe IP address. C. Two BGP routes to Azure probe IP address. D. Two static routes to Azure probe IP address.

Q47. An administrator decides to use the Use managed identity option on the FortiGate SDN connector with Microsoft Azure. However, the SDN connector is failing on the connection. What must the administrator do to correct this issue? (Choose one answer). A. Make sure to add the Client secret on FortiGate side of the configuration. B. Make sure to enable the system assigned managed identity on Azure. C. Make sure to add the Tenant ID on FortiGate side of the configuration. D. Make sure to set the type to system managed identity on FortiGate SDN connector settings.

Q48. Refer to the exhibit. After the initial Terraform configuration in Microsoft Azure, the terraform plan command is run. Which two statements about running the terraform plan command are true? (Choose two answers). A. The terraform plan command makes terraform do a dry run. B. You cannot run the terraform apply command before the terraform plan command. C. The terraform plan command will deploy the rest of the resources except the service principal details. D. You must run the terraform init command once, before the terraform plan command.

Q49. Refer to the exhibit. An administrator used the what-if tool to preview changes to an Azure Bicep file. What will happen if the administrator decides to apply these changes in Azure? (Choose one answer). A. Subnet 10.0.1.0/24 will replace subnet 10.0.2.0/24. B. A new subnet will be added to ServerApps. C. The ServerApps VNet will be renamed. D. This deployment will fail and no changes will be applied.

Q50. You must add an Amazon Web Services (AWS) network access list (NACL) rule to allow SSH traffic to a subnet for temporary testing purposes... What can you do to allow SSH traffic? (Choose one answer). A. You must create two new allow SSH rules, each with a number smaller than 5. B. You must create a new allow SSH rule anywhere in the network ACL rule base to allow SSH traffic. C. You must create two new allow SSH rules, each with a number bigger than 5. D. You do not have to create any NACL rules because the default security group rule automatically allows SSH traffic to the subnet.

Q51. An organization is deploying FortiDevSec to enhance security for containerized applications... Which FortiDevSec feature is best for detecting runtime threats? (Choose one answer). A. FortiDevSec software composition analysis (SCA). B. FortiDevSec container scanner. C. FortiDevSec static application security testing (SAST). D. FortiDevSec dynamic application security testing (DAST).

Q52. What is the main advantage of using SD-WAN Transit Gateway Connect over traditional SD-WAN? (Choose one answer). A. You can combine it with IPsec to achieve higher bandwidth. B. You can use BGP over IPsec for maximum throughput. C. You can use GRE-based tunnel attachments. D. It eliminates the use of ECMP.

Q53. The cloud administration team is reviewing an AWS deployment that was done using CloudFormation... What is the result of following this approach? (Choose one answer). A. The update is applied, and the security group is added to all instances without interruption. B. Some of the FortiGate instances may be deleted and replaced with new copies. C. If new FortiGate instances are deployed later they will include the updated changes. D. CloudFormation rejects the update and warns that a new full stack is required.

Q54. Refer to the exhibit. You are tasked with deploying FortiGate using Terraform... What could you do to resolve the command not found error? (Choose one answer). A. You must change the directory location to the root directory. B. You must move the binary file to the bin directory. C. You must reinstall Terraform. D. You must assign correct permissions to the ec2-user.

Q55. Refer to the exhibit. A managed security service provider (MSSP) administration team is trying to deploy a new HA cluster in Azure to filter traffic to and from a client that is also using Azure. However, every deployment attempt fails, and only some of the resources are deployed successfully. While troubleshooting this issue, the team runs the command shown in the exhibit. What are the implications of the output of the command? (Choose one answer). A. The team will not be able to deploy an A-P FortiGate HA cluster with Azure gateway load balancer. B. The team will not be able to deploy an active-active (A-A) FortiGate HA cluster with Azure load balancer. C. The team will not be able to deploy an active-passive (A-P) FortiGate high availability (HA) cluster with SDN connector. D. The team will not be able to deploy an A-P FortiGate HA cluster with Azure load balancer.

Q56. Which statement about Transit Gateway (TGW) in Amazon Web Services (AWS) is true? (Choose one answer). A. A TGW attachment can be associated with multiple TGW route tables. B. The TGW default route table cannot be disabled. C. TGW can have multiple TGW route tables. D. Both the TGW attachment and propagation must be in the same TGW route table.

Q57. An administrator would like to use FortiCNP to keep track of sensitive data files located in the Amazon Web Services (AWS) S3 bucket and protect them from malware. Which FortiCNP feature should the administrator use? (Choose one answer). A. FortiCNP Data Scan policies. B. FortiCNP Risk Management policies. C. FortiCNP Threat Detection policies. D. FortiCNP Compliance policies.

Q58. As part of your organization's monitoring plan, you have been tasked with obtaining and analyzing detailed information about the traffic sourced at one of your FortiGate EC2 instances. What can you do to achieve this goal? (Choose one answer). A. Configure a network access analyzer scope with the EC2 instance as a match finding. B. Create a virtual public cloud (VPC) flow log at the network interface level for the EC2 instance. C. Add the EC2 instance as a target in CloudWatch to collect its traffic logs. D. Use AWS CloudTrail to capture and then examine traffic from the EC2 instance.

Q59. Refer to the exhibit. You are troubleshooting a Microsoft Azure SDN connector issue on your FortiGate VM in Azure. Which command can you use to examine details about API calls sent by the connector? (Choose one answer). A. diag debug application azd -1. B. diag debug application cloud-connector -1. C. get system sdn-connector. D. diag test-application azd 1.

Q60. Refer to the exhibit. You attempted to access the Linux1 EC2 instance directly from the internet using its public IP address in AWS. However, your connection is not successful. Given the network topology, what can be the issue? (Choose one answer). A. There is no connection between VPC A and VPC B. B. There is no elastic IP address attached to FortiGate in the Security VPC. C. There is no internet gateway attached to the Spoke VPC A. D. The Transit Gateway BGP IP address is incorrect.

Q61. In an SD-WAN TGW Connect topology, which three initial steps are mandatory when routing traffic from a spoke VPC to a security VPC through a Transit Gateway? (Choose three answers). A. From the security VPC TGW subnet routing table, point 0.0.0.0/0 traffic to the FortiGate internal port. B. From the security VPC FortiGate internal subnet routing table, point 0.0.0.0/0 traffic to the TGW. C. From both spoke VPCs, and the security VPC, point 0.0.0.0/0 traffic to the Internet Gateway. D. From the security VPC TGW subnet routing table, point 0.0.0.0/0 traffic to the TGW. E. From the spoke VPC internal routing table, point 0.0.0.0/0 traffic to the TGW.

Q62. Refer to the exhibit. In your Amazon Web Services (AWS) environment, you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet. However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful. Also, you must ensure that the Customer VPC FortiGate VM sends all the outbound Internet traffic through the Security VPC. How do you correct this issue with minimal configuration changes? (Choose three answers). A. Deploy an internet gateway, associate an EIP with the Customer VPC private subnet, and then add a new route with destination 0.0.0.0/0 with the internet gateway as the target. B. Deploy an internet gateway, attach it to the Customer VPC, and then associate an EIP with the port1 of the FortiGate in the Customer VPC. C. Add a route with your local internet public IP address as the destination and the transit gateway as the target. D. Add a route to the destination 0.0.0.0/0 with the transit gateway as the target. E. Add a route with your local internet public IP address as the destination and the internet gateway as the target.

Q63. Refer to the exhibit. After analyzing the native monitoring tools available in Azure, an administrator decides to use the tool displayed in the exhibit. Why would an administrator choose this tool? (Choose one answer). A. To view details about Azure resources and their relationships across multiple regions. B. To help debug issues affecting virtual network gateways. C. To compare the latency of an on-premises site with the latency of an Azure application. D. To obtain, and later examine, traffic flow data with a visualization tool.

Q64. An administrator is configuring a software-defined network (SDN) connector in FortiWeb to dynamically obtain information about existing objects in an Amazon Elastic Kubernetes Service (EKS) cluster. Which AWS policy should the administrator attach to a user to achieve this goal? (Choose one answer). A. AmazonEKSConnectorServiceRolePolicy. B. AmazonEKSServicePolicy. C. AmazonEKSComputePolicy. D. AmazonEKSClusterPolicy.

Q65. You are using Ansible to modify the configuration of several FortiGate VMs. What is the minimum number of files you need to create, and in which file should you configure the target FortiGate IP addresses? (Choose one answer). A. One playbook file for each target and the required tasks, and one inventory file. B. One inventory.yaml file with the targets' IP addresses, and one playbook file with the tasks. C. One text file for all target devices, and one playbook file. D. One inventory file for each target device, and one playbook file.

Q66. Refer to the exhibit. A senior administrator in a multinational organization needs to include a comment in the template shown in the exhibit to ensure that administrators from other regions change the Amazon Machine Image (AMI) ID to one that is valid in their location. How can the administrator add the required comment in that section of the file? (Choose one answer). A. The administrator can add the comment starting with the # character next to the "Resources" section. B. The administrator must convert the template file to YAML format to add a comment. C. The administrator must update the AWSTemplateFormatVersion to the latest version. D. The administrator can include the comment with the aws cloudformation update-stack command.

Q67. An administrator is relying on an Azure Bicep linter to find possible issues in Bicep files. Which problem can the administrator expect to find? (Choose one answer). A. The resources to be deployed exceed the quota for a region. B. There are output statements that contain passwords. C. One or more modules are not using runtime values as parameters. D. Some resources are missing dependsOn statements.

Q68. You are using Ansible to modify the configuration of several FortiGate VMs. What is the minimum number of files you need to create, and in which file should you configure the target FortiGate IP addresses? (Choose one answer). A. One playbook file for each target and the required tasks, and one inventory file. B. One inventory.yaml file with the targets' IP addresses, and one playbook file with the tasks. C. One inventory file for each target device, and one playbook file. D. One inventory file for all target devices, and one playbook file.

Q69. You have onboarded the organization's Microsoft Azure account on FortiCNAPP using the automated configuration approach. However, FortiCNAPP does not appear to be receiving any workload scanning data. How can you remedy this? (Choose one answer). A. Add a new Azure App Registration. B. Add a service principal in the Azure Cloud Shell. C. Add a FortiCNAPP threat policy to monitor Azure workloads. D. Add the appropriate integration type using the guided configuration.

Q70. An AWS administrator needs to determine which deployment tasks require CloudFormation permissions... What task is performed using CloudFormation? (Choose one answer). A. Deploying a new pod with a service in an Elastic Kubernetes Service (EKS) cluster using the kubectl command. B. Creating an EKS cluster with the eksctl create cluster command. C. Installing a Helm chart to deploy a FortiWeb ingress controller in an EKS cluster. D. Changing the number of nodes in an EKS cluster from AWS CloudShell.

Q71. A FortiCNAPP administrator used the FortiCNAPP Explorer to reveal all hosts exposed to the internet that are running active packages with vulnerabilities of all severity levels. Why do only the first two results have an attack path? (Choose one answer). A. Attack paths are available only for AWS resources with public IP addresses. B. Attack paths are available only for AWS resources with high impact scores. C. Attack paths are available only for resources with potential multi-hop exposure. D. Attack paths are available only for resources that have critical vulnerabilities.

Q72. You are investigating an attack path for a top risky host. You notice that the Common Vulnerability Scoring System (CVSS) and the vulnerability impact scores are very high. However, the attack path severity for the top risky host itself is low. Which two pieces of contextualized information can help you understand why? (Choose two answers). A. The FortiCNAPP risk score. B. The package status. C. The vulnerability score. D. The fix version.
