[2023-11-29] Free Fortinet NSE7_PBC-6.4 Exam Questions and Answers [Q12-Q37]


Verified NSE7_PBC-6.4 questions and answers: download the latest NSE7_PBC-6.4 material


The Fortinet NSE7_PBC-6.4 exam covers a broad range of topics related to public cloud security, including cloud security architecture, cloud security services, cloud security operations, and cloud security management. The exam also covers topics related to the Fortinet solutions for public cloud security, such as FortiGate Cloud, FortiWeb Cloud, FortiCWP, and FortiCASB.

Question # 12
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?

  • A. They can create additional vNICs using the Cloud Shell.
  • B. They cannot create and add additional vNICs to an existing FortiGate-VM.
  • C. They can use the Compute Engine API Explorer.
  • D. They can create additional vNICs in the UI console.

Correct answer: C

Explanation:
Explanation/Reference: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/62d32ecf-687f-11ea-9384-00505692583a/FortiOS-6.4-GCP_Cookbook.pdf


Question # 13
Which statement about FortiSandbox in Amazon Web Services (AWS) is true?

  • A. FortiSandbox in AWS uses Windows virtual machines (VMs) to inspect files.
  • B. FortiSandbox in AWS can have a maximum of eight virtual machines (VMs) that inspect files.
  • C. In AWS, virtual machines (VMs) that inspect files are constantly up and running.
  • D. In AWS, virtual machines (VMs) that inspect files do not have to be reset after inspecting a file.

Correct answer: A

Explanation:
FortiSandbox deploys new EC2 instances with the custom Windows VMs, and then it sends malware, runs it, and captures the results for analysis. FortiSandbox for AWS does not need more resources because it performs management and analysis tasks only. Note that the cost varies based on the number of EC2 instances deployed, size of the instances, and duration of the running time.


Question # 14
Which two statements about Amazon Web Services (AWS) network access control lists (ACLs) are true? (Choose two.)

  • A. Network ACLs must be manually applied to virtual network interfaces.
  • B. Network ACLs support allow rules and deny rules.
  • C. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
  • D. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.

Correct answer: B, D

Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
https://aws.amazon.com/premiumsupport/knowledge-center/security-network-acl-vpc-endpoint/
- Network ACLs are stateless. You must define rules for both outbound and inbound traffic.


Question # 15
Which two statements about Microsoft Azure network security groups are true? (Choose two.)

  • A. Network security groups can be applied to subnets only.
  • B. Network security groups can be applied to subnets and virtual network interfaces.
  • C. Network security groups are stateless inbound and outbound rules used for traffic filtering.
  • D. Network security groups are stateful inbound and outbound rules used for traffic filtering.

Correct answer: A, D


Question # 16
Refer to the exhibit.

Consider an active-passive HA deployment in Microsoft Azure. The exhibit shows an excerpt from the passive FortiGate-VM node.
If the active FortiGate-VM fails, what are the results of the API calls made by the FortiGate named SSTENTAZFGT-0302? (Choose two.)

  • A. The network interface of the active unit moves to itself
  • B. SSTENTAZFGT-03-FloatingPIP public IP is assigned to NIC SSTENTAZFGT-0302-Nic-01
  • C. SSTENTAZFGT-03-FloatingPIP is assigned to the IP configuration with the name SSTENTAZFGT-0302-Nic-01, under the network interface SSTENTAZFGT-0302-Nic-01
  • D. 172.29.32.71 is set as a next hop IP for all routes under FortigateUDR-01

Correct answer: C, D


Question # 17
Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)

  • A. Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute
  • B. Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
  • C. Configure a user-defined route table
  • D. Define a default route where the next hop IP is the FortiGate WAN interface
  • E. Configure the gateway subnet as the subnet in the user-defined route table

Correct answer: A, D, E

Explanation:
https://docs.microsoft.com/en-us/answers/questions/618005/adding-a-inline-fw-to-express-route.html


Question # 18
Which statement about FortiSandbox in Amazon Web Services (AWS) is true?

  • A. FortiSandbox in AWS uses Windows virtual machines (VMs) to inspect files.
  • B. In AWS, virtual machines (VMs) that inspect files are constantly up and running.
  • C. FortiSandbox in AWS can have a maximum of eight virtual machines (VMs) that inspect files.
  • D. In AWS, virtual machines (VMs) that inspect files do not have to be reset after inspecting a file.

Correct answer: B


Question # 19
When configuring the FortiCASB policy, which three configuration options are available? (Choose three.)

  • A. Compliance policies
  • B. Antivirus policies
  • C. Data loss prevention policies
  • D. Intrusion prevention policies
  • E. Threat protection policies

Correct answer: A, C, E

Explanation:
The policy setting allows you to configure each policy to fit the needs of your usage. You can select any type of policy (Data Analysis, Threat Protection, or Compliance).
https://docs.fortinet.com/document/forticasb/20.1.0/online-help/482958/policy-configuration


Question # 20
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A multiple VPC deployment utilizing a transit VPC topology
  • B. A single VPC deployment with multiple subnets and a NAT gateway
  • C. A single VPC deployment with multiple subnets
  • D. A multiple VPC deployment utilizing a transit gateway

Correct answer: A, C


Question # 21
Refer to the exhibit.

The exhibit shows a topology where multiple connections from clients to the same FortiGate-VM instance, regardless of the protocol being used, are required.
Which two statements are correct? (Choose two.)

  • A. The Cloud Load Balancer Session Affinity setting should be changed to CLIENT_IP.
  • B. The Cloud Load Balancer Session Affinity setting should use the default value.
  • C. The design shows an active-passive FortiGate-VM architecture.
  • D. The design shows an active-active FortiGate-VM architecture.

Correct answer: A, D


Question # 22
You have been asked to secure your organization's Salesforce application that is running on Microsoft Azure, and to find an effective method for inspecting shadow IT activities in the organization. After an initial investigation, you find that many users access the Salesforce application remotely as well as on-premises.
Your goal is to find a way to get more visibility and control over shadow IT-related activities, and to identify any data leaks in the Salesforce application.
Which three steps should you take to achieve your goal? (Choose three.)

  • A. Use FortiGate, FortiGuard, and FortiAnalyzer solutions.
  • B. Deploy and configure FortiCASB with a Fortinet FortiCASB subscription license.
  • C. Deploy and configure FortiGate with Security Fabric solutions, and FortiCWP with a storage guardian advance license.
  • D. Deploy and configure FortiCWP with a workload guardian license.
  • E. Configure FortiCASB and set up access rights, privileges, and data protection policies.

Correct answer: A, B, E


Question # 23
Which two statements about Microsoft Azure network security groups are true? (Choose two.)

  • A. Network security groups are stateless inbound and outbound rules used for traffic filtering.
  • B. Network security groups are stateful inbound and outbound rules used for traffic filtering.
  • C. Network security groups can be applied to subnets and virtual network interfaces.
  • D. Network security groups can be applied to subnets only.

Correct answer: B, C

Explanation:
You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see Services that can be deployed into a virtual network. You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works


Question # 24
An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?

  • A. The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.
  • B. The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node's private subnet interface.
  • C. The worker node migrates the subnet to a different availability zone.
  • D. The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.

Correct answer: C


Question # 25
What is the bandwidth limitation of an Amazon Web Services (AWS) transit gateway VPC attachment?

  • A. Up to 10 Gbps per attachment
  • B. Up to 1 Gbps per attachment
  • C. Up to 50 Gbps per attachment
  • D. Up to 1.25 Gbps per attachment

Correct answer: D

Explanation:
Explanation/Reference: https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf (5)


Question # 26
Refer to the exhibit.

You are configuring an active-passive FortiGate Clustering Protocol (FGCP) HA configuration in a single availability zone in Amazon Web Services (AWS), using a CloudFormation template.
After deploying the template, you notice that the AWS console has IP information listed for the FortiGate-VM firewalls in the HA configuration. However, within the FortiOS configuration, you notice that port1 is using an IP of 10.0.0.13, and port2 is using an IP of 10.0.1.13.
What should you do to correct this issue?

  • A. Delete the deployment and start again. You have input the wrong parameters during the CloudFormation template deployment.
  • B. Nothing; in the AWS cloud, it is normal for a FortiGate ENI primary IP address to be different from the FortiOS IP address configuration.
  • C. Configure FortiOS to use static IP addresses with the IP addresses reflected in the ENI primary IP address configuration (as per the exhibit).
  • D. Configure FortiOS to use DHCP so that it will get the correct IP addresses on the ports.

Correct answer: D


Question # 27
Refer to the exhibit.

Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)

  • A. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
  • B. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
  • C. Configure VNet peering between the hub and spokes.
  • D. Configure VNet peering between the spokes only.

Correct answer: B, C


Question # 28
Refer to the exhibit.

A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Web servers to the Internet. The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface.
What are two possible reasons for this behavior? (Choose two.)

  • A. AWS source and destination checks are enabled on the FortiGate interfaces.
  • B. The Internet gateway (IGW) is not added to VPC (virtual private cloud).
  • C. AWS security groups may be blocking the traffic.
  • D. The web servers are not configured with the default gateway.

Correct answer: A, C

Explanation:
You need to check whether source/destination checks are enabled. Public_Cloud_6.4_Study_Guide, page 67.


Question # 29
Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)

  • A. Source and destination IP ranges
  • B. Source port ranges
  • C. Sequence number
  • D. Action
  • E. Destination port ranges

Correct answer: B, D, E

Explanation:
Under "Default security rules" we read source, destination, source port, destination port, and access. However, under "Security rules" we read action, port ranges, and source and destination, and essentially options A, C, D, and E are valid, as those parameters can be configured. I would mark A, D, and E; source/destination ports are to be seen in the table, maybe old documentation.
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview


Question # 30
You have been asked to develop an Azure Resource Manager infrastructure-as-code template for the FortiGate-VM that can be reused for multiple deployments. The deployment fails, and the errors point to the storageAccount name.
Which two are restrictions for a storageAccount name in an Azure Resource Manager template? (Choose two.)

  • A. The storageAccount name must use special characters.
  • B. The storageAccount name must be in lowercase.
  • C. The uniqueString() function must be used.
  • D. The storageAccount name must contain between 3 and 24 alphanumeric characters.

Correct answer: B, C


Question # 31
You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:
*Two FortiGate devices must be deployed; each in a different availability zone.
*Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
*An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active-active topology.
*An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.
*Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?

  • A. config system ha
  • B. config system sdn-connector
  • C. config system auto-scale
  • D. config system session-sync

Correct answer: A

Explanation:
FortiGate HA active/active requires the following configuration to sync sessions with FGSP:

    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-nat enable
        set session-pickup-expectation enable
        set override disable
    end
    config system cluster-sync
        edit 0
            set peerip 10.0.1.x
            set syncvd "root"
        next
    end

https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Active-ELB-ILB


Question # 32
An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?

  • A. The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.
  • B. The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node's private subnet interface.
  • C. The worker node migrates the subnet to a different availability zone.
  • D. The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.

Correct answer: B

Explanation:
Official documentation, failover process in a single AZ:
https://github.com/fortinet/aws-cloudformation-templates/blob/main/FGCP/7.0/SingleAZ/README.md#failove
"Outbound failover is provided by reassigning the secondary IP addresses of ENI1\port2 from FortiGate 1's private interface to FortiGate 2's private interface. Additionally, any route targets referencing FortiGate 1's private interface will be updated to reference FortiGate 2's private interface."
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0


Question # 33
Which two statements about Microsoft Azure network security groups are true? (Choose two.)

  • A. Network security groups can be applied to subnets only.
  • B. Network security groups can be applied to subnets and virtual network interfaces.
  • C. Network security groups are stateless inbound and outbound rules used for traffic filtering.
  • D. Network security groups are stateful inbound and outbound rules used for traffic filtering.

Correct answer: A, D

Explanation:
Explanation/Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview


Question # 34
Which two statements about Amazon Web Services (AWS) network access control lists (ACLs) are true? (Choose two.)

  • A. Network ACLs must be manually applied to virtual network interfaces.
  • B. Network ACLs support allow rules and deny rules.
  • C. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
  • D. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.

Correct answer: B, D

Explanation:
Explanation/Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html


Question # 35
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?

  • A. 16 seconds
  • B. 30 seconds
  • C. Less than 10 seconds
  • D. 20 seconds

Correct answer: B


Question # 36
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?

  • A. Less than 10 seconds
  • B. 16 seconds
  • C. 20 seconds
  • D. 30 seconds

Correct answer: A

Explanation:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
- If your application produces a time-out response just before the next probe arrives, detection of the event will take 5 seconds plus the duration of the application time-out when the probe arrives. You can assume detection to take slightly over 5 seconds.
- If your application produces a time-out response just after the next probe arrives, detection of the event won't begin until the next probe arrives and times out, plus another 5 seconds. You can assume detection to take just under 10 seconds.
Assume that reacting to a time-out response will take a minimum of 5 seconds and a maximum of 10 seconds.


Question # 37
......


The Fortinet NSE7_PBC-6.4 (Fortinet NSE 7 - Public Cloud Security 6.4) certification exam is designed for professionals who want to validate their expertise in securing public cloud environments. The exam targets candidates who have a strong understanding of cloud computing and experience with cloud security technologies.


The Fortinet NSE7_PBC-6.4 certification exam is designed to validate the knowledge and skills of security professionals who secure public cloud environments. The exam targets individuals with experience in public cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. It covers topics such as cloud security architecture, cloud security services, and cloud security operations. By passing this exam, candidates demonstrate their ability to secure public cloud environments and are recognized as public cloud security specialists.

Use real exam questions: 100% free NSE7_PBC-6.4 exam question bank: https://www.goshiken.com/Fortinet/NSE7_PBC-6.4-mondaishu.html