Updated October 22, 2023, verified! NSE7_PBC-6.4 exam questions you can pass with, first-attempt pass guarantee [Q14-Q34]


The free NSE7_PBC-6.4 sample covers 100% of the real exam questions (30 updated questions are available)

Question # 14
Refer to the exhibit.

In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?

  • A. Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.
  • B. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
  • C. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.
  • D. Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.

Correct answer: D


Question # 15
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A single VPC deployment with multiple subnets and a NAT gateway
  • B. A single VPC deployment with multiple subnets
  • C. A multiple VPC deployment utilizing a transit gateway
  • D. A multiple VPC deployment utilizing a transit VPC topology

Correct answer: B, D


Question # 16
Which two statements about Microsoft Azure network security groups are true? (Choose two.)

  • A. Network security groups are stateless inbound and outbound rules used for traffic filtering.
  • B. Network security groups can be applied to subnets and virtual network interfaces.
  • C. Network security groups can be applied to subnets only.
  • D. Network security groups are a stateful inbound and outbound rules used for traffic filtering.

Correct answer: C, D


Question # 17
You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?

  • A. Inspector, Shield, GuardDuty, S3, and DynamoDB.
  • B. GuardDuty, CloudWatch, S3, and DynamoDB.
  • C. WAF, Shield, GuardDuty, S3, and DynamoDB.
  • D. GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.

Correct answer: B

Explanation:
You must subscribe to GuardDuty, CloudWatch, S3, and DynamoDB.
https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/aws-administration-guide/908646/populating-thr


Question # 18
You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?

  • A. GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.
  • B. Inspector, Shield, GuardDuty, S3, and DynamoDB.
  • C. WAF, Shield, GuardDuty, S3, and DynamoDB.
  • D. GuardDuty, CloudWatch, S3, and DynamoDB.

Correct answer: A


Question # 19
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A single VPC deployment with multiple subnets and a NAT gateway
  • B. A multiple VPC deployment utilizing a transit gateway
  • C. A single VPC deployment with multiple subnets
  • D. A multiple VPC deployment utilizing a transit VPC topology

Correct answer: B, D

Explanation:
Multi-VPC design. AWS recommends segmenting networks at the VPC level. In this approach, workloads are grouped together at the VPC level instead of the subnet level. All traffic between VPCs will be inspected by network security virtual firewalls at each VPC or at a shared VPC. Design patterns such as Transit VPC or AWS Transit Gateway can be used to achieve this in an automated and scalable fashion.


Question # 20
Refer to the exhibit.

You are configuring an active-passive FortiGate clustering protocol (FGCP) HA configuration in a single availability zone in Amazon Web Services (AWS), using a cloud formation template.
After deploying the template, you notice that the AWS console has IP information listed in the FortiGate VM firewalls in the HA configuration. However, within the configuration of FortiOS, you notice that port1 is using an IP of 10.0.0.13, and port2 is using an IP of 10.0.1.13.
What should you do to correct this issue?

  • A. Delete the deployment and start again. You have input the wrong parameters during the cloud formation template deployment.
  • B. Nothing, in AWS cloud, it is normal for a FortiGate ENI primary IP address to be different than the FortiOS IP address configuration.
  • C. Configure FortiOS to use DHCP so that it will get the correct IP addresses on the ports.
  • D. Configure FortiOS to use static IP addresses with the IP addresses reflected in the ENI primary IP address configuration (as per the exhibit).

Correct answer: C


Question # 21
Refer to the exhibit.

You are deploying a FortiGate-VM in Microsoft Azure using the PAYG/On-demand licensing model. After you configure the FortiGate-VM, the validation process fails, displaying the error shown in the exhibit.
What caused the validation process to fail?

  • A. You selected the PAYG/On-demand licensing model, but did not associate a valid Azure subscription.
  • B. You selected the PAYG/On-demand licensing model, but did not select the correct virtual machine size.
  • C. You selected the Bring Your Own License (BYOL) licensing mode.
  • D. You selected the incorrect resource group.

Correct answer: D


Question # 22

Refer to the exhibit. Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)

  • A. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
  • B. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
  • C. Configure VNet peering between the hub and spokes.
  • D. Configure VNet peering between the spokes only.

Correct answer: B, C


Question # 23
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?

  • A. 16 seconds
  • B. 20 seconds
  • C. Less than 10 seconds
  • D. 30 seconds

Correct answer: C

Explanation:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
-If your application produces a time-out response just before the next probe arrives, the detection of the events will take 5 seconds plus the duration of the application time-out when the probe arrives. You can assume the detection to take slightly over 5 seconds.
-If your application produces a time-out response just after the next probe arrives, the detection of the events won't begin until the probe arrives and times out, plus another 5 seconds. You can assume the detection to take just under 10 seconds.
Assume the reaction to a time-out response will take a minimum of 5 seconds and a maximum of 10 seconds to react to the change.


Question # 24
Refer to the exhibit.

You are deploying a FortiGate-VM in Microsoft Azure using the PAYG/On-demand licensing model. After you configure the FortiGate-VM, the validation process fails, displaying the error shown in the exhibit.
What caused the validation process to fail?

  • A. You selected the incorrect resource group.
  • B. You selected the PAYG/On-demand licensing model, but did not select the correct virtual machine size.
  • C. You selected the PAYG/On-demand licensing model, but did not associate a valid Azure subscription.
  • D. You selected the Bring Your Own License (BYOL) licensing mode.

Correct answer: C

Explanation:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources


Question # 25
You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:
*Two FortiGate devices must be deployed; each in a different availability zone.
*Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
*An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active-active topology.
*An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.
*Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?

  • A. config system session-sync
  • B. config system sdn-connector
  • C. config system ha
  • D. config system auto-scale

Correct answer: C

Explanation:
FortiGate HA active/active requires the following configuration to synchronize sessions using FGSP:

    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-nat enable
        set session-pickup-expectation enable
        set override disable
    end
    config system cluster-sync
        edit 0
            set peerip 10.0.1.x
            set syncvd "root"
        next
    end
https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Active-ELB-ILB


Question # 26
Your company deploys FortiGate VM devices in high availability (HA) (active-active) mode with Microsoft Azure load balancers using the Microsoft Azure ARM template. Your senior administrator instructs you to connect to one of the FortiGate devices and configure the necessary firewall rules. However, you are not sure how to obtain the correct public IP address of the deployed FortiGate VM and identify the access ports.
How do you obtain the public IP address of the FortiGate VM and identify the correct ports to access the device?

  • A. In the configured load balancer, access the inbound NAT rules section.
  • B. In the configured load balancer, access the health probes section.
  • C. In the configured load balancer, access the backend pools section.
  • D. In the configured load balancer, access the inbound and outbound NAT rules section.

Correct answer: A

Explanation:
From the resource group Overview page, click the external load balancer name to load it. From the navigation column, click Inbound NAT Rules.
https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/azure-administration-guide/889158/connecting-to
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#azure-v
"It is more economical and secure to associate a public IP address to a load balancer or to an individual virtual machine (also known as a jumpbox), which then routes incoming connections to scale set virtual machines as needed (for example, through inbound NAT rules)."


Question # 27
Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)

  • A. Configure a user-defined route table
  • B. Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute
  • C. Configure the gateway subnet as the subnet in the user-defined route table
  • D. Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
  • E. Define a default route where the next hop IP is the FortiGate WAN interface

Correct answer: C, D, E


Question # 28
Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)

  • A. Sequence number
  • B. Action
  • C. Source port ranges
  • D. Destination port ranges
  • E. Source and destination IP ranges

Correct answer: B, C, D

Explanation/Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview


Question # 29
When configuring the FortiCASB policy, which three configuration options are available? (Choose three.)

  • A. Antivirus policies
  • B. Threat protection policies
  • C. Compliance policies
  • D. Data loss prevention policies
  • E. Intrusion prevention policies

Correct answer: B, C, D


Question # 30
Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)

  • A. Sequence number
  • B. Action
  • C. Source port ranges
  • D. Destination port ranges
  • E. Source and destination IP ranges

Correct answer: B, C, D

Explanation:
Under "Default security rules" we read source, destination, source port, destination port and access. However, under "Security rules" we read action, port ranges and source and destination, and essentially options A, C, D and E are valid as those parameters can be configured. I would mark A, D and E; source/destination port are to be seen in the table, maybe old documentation.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview


Question # 31
Refer to the exhibit.

You attempted to deploy the FortiGate-VM in Microsoft Azure with the JSON template, and it failed to boot up. The exhibit shows an excerpt from the JSON template.
What is incorrect with the template?

  • A. The LUN ID is not defined.
  • B. The CreateOptions parameter should be FromImage.
  • C. The caching parameter should be None.
  • D. FortiGate-VM does not support managedDisk from Azure.

Correct answer: B


Question # 32
You have been tasked with deploying FortiGate VMs in a highly available topology on the Amazon Web Services (AWS) cloud. The requirements for your deployment are as follows:
*You must deploy two FortiGate VMs in a single virtual private cloud (VPC), with an external elastic load balancer which will distribute ingress traffic from the internet to both FortiGate VMs in an active-active topology.
*Each FortiGate VM must have two elastic network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
*To maintain high availability, you must deploy the FortiGate VMs in two different availability zones.
How many public and private subnets will you need to configure within the VPC?

  • A. Two public subnets and two private subnets
  • B. One public subnet and one private subnet
  • C. Two public subnets and one private subnet
  • D. One public subnet and two private subnets

Correct answer: A

Explanation:
https://github.com/fortinet/aws-cloudformation-templates/blob/master/LambdaAA-RouteFailover/6.0/README
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0


Question # 33
Which two statements about the Amazon Cloud Services (AWS) network access control lists (ACLs) are true? (Choose two.)

  • A. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
  • B. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
  • C. Network ACLs support allow rules and deny rules.
  • D. Network ACLs must be manually applied to virtual network interfaces.

Correct answer: A, C

Explanation/Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html


Question # 34
......


The Fortinet NSE7_PBC-6.4 certification is highly regarded in the IT industry because it demonstrates that a certified professional has the skills and knowledge to secure public cloud environments effectively. The certification is recognized globally and widely sought after by organizations that use public cloud platforms. It is an excellent credential for professionals who want to improve their career prospects and strengthen their public cloud security skills.

Download now! Real Fortinet NSE7_PBC-6.4 exam question set, test engine exam questions: https://www.goshiken.com/Fortinet/NSE7_PBC-6.4-mondaishu.html