Cloud_Forti

In which type of FortiCNP insights can an administrator examine the findings triggered by this policy?. Data. Threat. Risk. User activity.

An experienced AWS administrator is creating a new virtual public cloud (VPC) flow log with the settings shown in the exhibit. What is the purpose of this configuration?. To maximize the number of logs saved. To monitor logs in real time. To retain logs for a long term. To troubleshoot a log flow issue.

In your Amazon Web Services (AWS), you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet. However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful. Also, you must ensure that the Customer VPC FortiGate VM sends all the outbound Internet traffic through the Security VPC. How do you correct this issue with minimal configuration changes? (Choose three.). Add a route with your local internet public IP address as the destination and the internet gateway as the target. Add a route with your local internet public IP address as the destination and the transit gateway as the target. Add a route to the destination 0.0.0.0/0 with the transit gateway as the target. Deploy an internet gateway, associate an EIP with the Customer VPC private subnet, and then add a new route with destination 0.0.0.0/0 with the internet gateway as the target. Deploy an internet gateway, attach it to the Customer VPC, and then associate an EIP with the port1 of the FortiGate in the Customer VPC.

The cloud administration team is reviewing an AWS deployment that was done using CloudFormation. The deployment includes six FortiGate instances that required custom configuration changes after being deployed. The team notices that unwanted traffic is reaching some of the FortiGate instances because the template is missing a security group. To resolve this issue, the team decides to update the JSON template with the missing security group and then apply the updated template directly, without using a change set. What is the result of following this approach?. If new FortiGate instances are deployed later they will include the updated changes. Some of the FortiGate instances may be deleted and replaced with new copies. The update is applied, and the security group is added to all instances without interruption. CloudFormation rejects the update and warns that a new full stack is required.

The cloud administration team is reviewing an AWS deployment that was done using CloudFormation. The deployment includes six FortiGate instances that required custom configuration changes after being deployed. The team notices that unwanted traffic is reaching some of the FortiGate instances because the template is missing a security group. To resolve this issue, the team decides to update the JSON template with the missing security group and then apply the updated template directly, without using a change set. What is the result of following this approach?. If new FortiGate instances are deployed later they will include the updated changes. Some of the FortiGate instances may be deleted and replaced with new copies. The update is applied, and the security group is added to all instances without interruption. CloudFormation rejects the update and warns that a new full stack is required.

An organization is deploying FortiDevSec to enhance security for containerized applications, and they need to ensure containers are monitored for suspicious behavior at runtime. Which FortiDevSec feature is best for detecting runtime threats?. FortiDevSec software composition analysis (SCA). FortiDevSec static application security testing (SAST). FortiDevSec dynamic application security testing (DAST). FortiDevSec container scanner.

The exhibit shows an active-passive high availability FortiGate pair with external and internal Azure load balancers There is no SDN connector used in this solution. Which configuration must the administrator implement on each FortiGate?. Single BGP route to Azure probe IP address. One static route to Azure Lambda IP address. Two static routes to Azure probe IP address. Two BGP routes lo Azure probe IP address.

You have deployed a FortiGate HA cluster in Azure using a gateway load balancer for traffic inspection. However, traffic is not being routed correctly through the firewalls. What can be the cause of the issue?. The FortiNet VMs have IP forwarding disabled, which is required for traffic inspection. The health probes for the gateway load balancer are failing, which causes traffic to bypass the HA cluster. The gateway load balancer is not associated with the correct network security group (NSG) rules, which allow traffic to pass through. The protected VMs are in a different Azure subscription, which prevents the gateway load balancer from forwarding traffic.

Your administrator instructed you to deploy an Azure vWAN solution to create a connection between the main company site and branch sites to the other company VNETs. What is the best connection solution available between your company headquarters, branch sites, and the Azure vWAN hub? (Choose one answer). An L2TP connection. SSL VPN connections. GRE tunnels. ExpressRoute.

A customer would like to use FortiGate fabric integration with FortiCNP. When adding a FortiGate VM to FortiCNP, which three mandatory configuration steps must you follow on FortiGate? (Choose three answers). Enable pre-shared key on both sides. Import the FortiGate certificate into FortiCNP. Configure FortiGate to send logs to FortiCNP. Create an IPS sensor and a firewall policy. Create an SSL/SSH inspection profile.

An administrator is trying to implement FortiCNP with Microsoft Azure Security integration. However, FortiCNP is not able to extract any cloud integration data from Azure; therefore, real-time cloud security monitoring is not possible. What is causing this issue?. The organization is using a free Azure AD license. The Azure account doesn't have the global administrator role. The administrator enabled the wrong defender plan for servers. The FortiCNP account in Azure has the Storage Blob Data Reader role.

After analyzing the native monitoring tools available in Azure, an administrator decides to use the tool displayed in the exhibit. Why would an administrator choose this tool?. To view details about Azure resources and their relationships across multiple regions. To obtain, and later examine, traffic flow data with a visualization tool. To help debug issues affecting virtual network gateways. To compare the latency of an on-premises site with the latency of an Azure application.

As part of your organization's monitoring plan, you have been tasked with obtaining and analyzing detailed information about the traffic sourced at one of your FortiGate EC2 instances. What can you do to achieve this goal?. Use AWS CloudTrail to capture and then examine traffic from the EC2 instance. Create a virtual public cloud (VPC) flow log at the network interface level for the EC2 instance. Add the EC2 instance as a target in CloudWatch to collect its traffic logs. Configure a network access analyzer scope with the EC2 instance as a match finding.

You deployed a FortiGate HA active-passive cluster in Microsoft Azure. Which two statements regarding this particular deployment are true? (Choose two.). You can use the vdom-exception command to synchronize the configuration. During a failover, all existing sessions are transferred to the new active FortiGate. The configuration does not synchronize between the primary and secondary devices. There is no SLA for API calls from Microsoft Azure.

You have onboarded the organization’s Microsoft Azure account on FortiCNAPP using the automated configuration approach. However, FortiCNAPP does not appear to be receiving any workload scanning data. How can you remedy this? (Choose one answer). Add a new Azure App Registration. Add a service principal in the Azure Cloud Shell. Add a FortiCNAPP threat policy to monitor Azure workloads. Add the appropriate integration type using the guided configuration.

An administrator used the what-if tool to preview the changes to an Azure Bicep file. What will happen if the administrator applies these changes in Azure? (Choose one answer). A new subnet will be added to vnet-002. The vnet-002 VNet will be renamed Production. The resulting VNet will have a single subnet. The VNet address space will be updated.

You need a solution to safeguard public cloud-hosted web applications from the OWASP Top 10 vulnerabilities. The solution must support the same region in which your applications reside, with minimum traffic cost. Which solution meets the requirements?. Use FortiGate. Use FortiCNP. Use FortiWeb. Use FortiADC.

You must add an Amazon Web Services (AWS) network access list (NACL) rule to allow SSH traffic to a subnet for temporary testing purposes. When you review the current inbound and outbound NACL rules, you notice that the rules with number 5 deny SSH and telnet traffic to the subnet. What can you do to allow SSH traffic?. You do not have to create any NACL rules because the default security group rule automatically allows SSH traffic to the subnet. You must create a new allow SSH rule anywhere in the network ACL rule base to allow SSH traffic. You must create two new allow SSH rules, each with a number bigger than 5. You must create two new allow SSH rules, each with a number smaller than 5.

An administrator decides to use the Use managed identity option on the FortiGate SDN connector with Microsoft Azure. However, the SDN connector is failing on the connection. What must the administrator do to correct this issue?. Make sure to add the Tenant ID on FortiGate side of the configuration. Make sure to add the Client secret on FortiGate side of the configuration. Make sure to enable the system assigned managed identity on Azure. Make sure to set the type to system managed identity on FortiGate SDN connector settings.

You are using Ansible to modify the configuration of several FortiGate VMs. What is the minimum number of files you need to create, and in which file should you configure the target FortiGate IP addresses?. One playbook file for each target and the required tasks, and one inventory file. One .yaml file with the targets IP addresses, and one playbook file with the tasks. One inventory file for each target device, and one playbook file. One text file for all target devices, and one playbook file.

Which statement about Transit Gateway (TGW) in Amazon Web Services (AWS) is true?. Both the TGW attachment and propagation must be in the same TGW route table. TGW can have multiple TGW route tables. A TGW attachment can be associated with multiple TGW route tables. The TGW default route table cannot be disabled.

Your team notices an unusually high volume of traffic sourced at one of the organizations FortiGate EC2 instances. They create a flow log to obtain and analyze detailed information about this traffic. However, when they checked the log, they found that it included traffic that was not associated with the FortiGate instance in question. What can they do to obtain the correct logs? (Choose one answer). Create a new flow log at the interface level. Change the maximum aggregation time to 1 minute. Ensure that the flow log data is not mixed with the rest of the traffic. Send the logs to Amazon Data Firehose instead to get more granular information.

What are two main features in Amazon Web Services (AWS) network access control lists (NACLs)? (Choose two answers). NACLs are stateless, and inbound and outbound rules are used for traffic filtering. NACLs are tied to an instance. The default NACL is configured to allow all traffic. You cannot use NACLs and Security Groups at the same time.

What is the main advantage of using SD-WAN Transit Gateway Connect over traditional SD-WAN?. You can use BGP over IPsec for maximum throughput. You can combine it with IPsec to achieve higher bandwidth. It eliminates the use of ECMP. You can use GRE-based tunnel attachments.

You attempted to access the Linux1 EC2 instance directly from the internet using its public IP address in AWS. However, your connection is not successful. Given the network topology, what can be the issue?. There is no connection between VPC A and VPC B. There is no internet gateway attached to the Spoke VPC A. The Transit Gateway BGP IP address is incorrect. There is no elastic IP address attached to FortiGate in the Security VPC.

In an SD-WAN TGW Connect topology, which three initial steps are mandatory when routing traffic from a spoke VPC to a security VPC through a Transit Gateway? (Choose three.). From the security VPC TGW subnet routing table, point 0.0.0.0/0 traffic to the FortiGate internal port. From the security VPC TGW subnet routing table, point 0.0.0.0/0 traffic to the TGW. From both spoke VPCs, and the security VPC, point 0.0.0.0/0 traffic to the Internet Gateway. From the security VPC FortiGate internal subnet routing table, point 0.0.0.0/0 traffic to the TGW. From the spoke VPC internal routing table, point 0.0.0.0/0 traffic to the TGW.

A senior administrator in a multinational organization needs to include a comment in the template shown in the exhibit to ensure that administrators from other regions change the EC2 instance size value to one that meets the requirements in their local deployments. How can the administrator add the comment in that section of the file? (Choose one answer). The administrator can run the aws cloudformation update-stack and include the comment. The administrator must update the AWSTemplateFormatVersion to a more current version. The administrator must convert the template to JSON format before adding the comment. The administrator can add the comment with the # character next to the InstanceType section.

A managed security service provider (MSSP) administration team is trying to deploy a new HA cluster in Azure to filter traffic to and from a client that is also using Azure. However, every deployment attempt fails, and only some of the resources are deployed successfully. While troubleshooting this issue, the team runs the command shown in the exhibit. What are the implications of the output of the command?. The team will not be able to deploy an A-P FortiGate HA cluster with Azure gateway load balancer. The team will not be able to deploy an A-P FortiGate HA cluster with Azure load balancer. The team will not be able to deploy an active-passive (A-P) FortiGate high availability (HA) cluster with SDN connector. The team will not be able to deploy an active-active (A-P) FortiGate HA cluster with Azure load balancer.