100% Guaranteed Results NSE7_PBC-6.4 Unlimited 30 Questions [2023]
NEW QUESTION # 13
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?
- A. 20 seconds
- B. Less than 10 seconds
- C. 30 seconds
- D. 16 seconds
Answer: B
Explanation:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
- If your application produces a time-out response just before the next probe arrives, the detection of the events will take 5 seconds plus the duration of the application time-out when the probe arrives. You can assume the detection to take slightly over 5 seconds.
- If your application produces a time-out response just after the next probe arrives, the detection of the events won't begin until the probe arrives and times out, plus another 5 seconds. You can assume the detection to take just under 10 seconds.
Assume the reaction to a time-out response will take a minimum of 5 seconds and a maximum of 10 seconds to react to the change.
NEW QUESTION # 14 
Refer to the exhibit. Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)
- A. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
- B. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
- C. Configure VNet peering between the hub and spokes.
- D. Configure VNet peering between the spokes only.
Answer: B,C
NEW QUESTION # 15
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)
- A. A multiple VPC deployment utilizing a transit VPC topology
- B. A single VPC deployment with multiple subnets
- C. A multiple VPC deployment utilizing a transit gateway
- D. A single VPC deployment with multiple subnets and a NAT gateway
Answer: A,C
Explanation:
Multi-VPC design. AWS recommends segmenting networks at the VPC level. In this approach, workloads are grouped together at the VPC level instead of the subnet level. All traffic between VPCs will be inspected by network security virtual firewalls at each VPC or at a shared VPC. Design patterns such as Transit VPC or AWS Transit Gateway can be used to achieve this in an automated and scalable fashion.
NEW QUESTION # 16
Which two statements about the Amazon Cloud Services (AWS) network access control lists (ACLs) are true? (Choose two.)
- A. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
- B. Network ACLs must be manually applied to virtual network interfaces.
- C. Network ACLs support allow rules and deny rules.
- D. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
Answer: C,D
Explanation/Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
NEW QUESTION # 17 
Refer to the exhibit. Your senior administrator successfully configured a FortiGate fabric connector with the Azure Resource Manager, and created a dynamic address object on the FortiGate VM to connect with a Windows server in Microsoft Azure. However, there is now an error on the dynamic address object, and you must resolve the issue.
How do you resolve this issue?
- A. In the Microsoft Azure portal, access the Windows server, obtain the private IP address, and assign the IP address under the FortiGate-VM AzureLab address object.
- B. In the Microsoft Azure portal, set the correct tag values for the Windows server.
- C. Delete the address object and recreate a new address object with the type set to FQDN.
- D. Run diagnose debug application azd -1 on FortiGate.
Answer: A
NEW QUESTION # 18
Refer to the exhibit.
In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?
- A. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.
- B. Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.
- C. Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.
- D. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
Answer: D
Explanation:
An AWS NAT gateway allows instances in a private subnet to connect to the internet or other AWS services without using a NAT instance. The main routing table sends internet traffic from the private subnet instances to the NAT gateway, and the NAT gateway then sends the traffic to the IGW using the elastic IP address as the source IP address.
Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
NEW QUESTION # 19
Which two statements about the Amazon Cloud Services (AWS) network access control lists (ACLs) are true? (Choose two.)
- A. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
- B. Network ACLs must be manually applied to virtual network interfaces.
- C. Network ACLs support allow rules and deny rules.
- D. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
Answer: C,D
Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
https://aws.amazon.com/premiumsupport/knowledge-center/security-network-acl-vpc-endpoint/
- Network ACLs are stateless. You must define rules for both outbound and inbound traffic.
NEW QUESTION # 20
What is the bandwidth limitation of an Amazon Web Services (AWS) transit gateway VPC attachment?
- A. Up to 1 Gbps per attachment
- B. Up to 50 Gbps per attachment
- C. Up to 1.25 Gbps per attachment
- D. Up to 10 Gbps per attachment
Answer: B
Explanation:
- The maximum bandwidth per VPC attachment, AWS Direct Connect gateway, or peered transit gateway connection is up to 50 Gbps: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
- With Transit Gateway, the maximum bandwidth (burst) per Availability Zone per VPC connection is 50 Gbps.
VPC peering has no aggregate bandwidth. Individual instance network performance limits and flow limits (10 Gbps within a placement group and 5 Gbps otherwise) apply to both options. Only VPC peering supports placement groups. Reference:
https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf
NEW QUESTION # 21
Refer to the exhibit.
Consider an active-passive HA deployment in Microsoft Azure. The exhibit shows an excerpt from the passive FortiGate-VM node.
If the active FortiGate-VM fails, what are the results of the API calls made by the FortiGate named SSTENTAZFGT-0302? (Choose two.)
- A. SSTENTAZFGT-03-FloatingPIP is assigned to the IP configuration with the name SSTENTAZFGT-0302-Nic-01, under the network interface SSTENTAZFGT-0302-Nic-01
- B. The network interface of the active unit moves to itself
- C. 172.29.32.71 is set as a next hop IP for all routes under FortigateUDR-01
- D. SSTENTAZFGT-03-FloatingPIP public IP is assigned to NIC SSTENTAZFGT-0302-Nic-01
Answer: A,C
NEW QUESTION # 22
Which two statements about Amazon Web Services (AWS) networking are correct? (Choose two.)
- A. AWS DNS reserves the first host IP address of each subnet.
- B. 802.1q VLAN tags are allowed inside the same virtual private cloud.
- C. Proxy ARP entries are disregarded.
- D. Multicast traffic is not allowed.
Answer: A,D
NEW QUESTION # 23
Which two statements about Microsoft Azure network security groups are true? (Choose two.)
- A. Network security groups can be applied to subnets only.
- B. Network security groups are stateful inbound and outbound rules used for traffic filtering.
- C. Network security groups are stateless inbound and outbound rules used for traffic filtering.
- D. Network security groups can be applied to subnets and virtual network interfaces.
Answer: A,B
Explanation/Reference: https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
NEW QUESTION # 24
Refer to the exhibit.
Consider an active-passive HA deployment in Microsoft Azure. The exhibit shows an excerpt from the passive FortiGate-VM node.
If the active FortiGate-VM fails, what are the results of the API calls made by the FortiGate named SSTENTAZFGT-0302? (Choose two.)
- A. SSTENTAZFGT-03-FloatingPIP is assigned to the IP configuration with the name SSTENTAZFGT-0302-Nic-01, under the network interface SSTENTAZFGT-0302-Nic-01
- B. The network interface of the active unit moves to itself
- C. 172.29.32.71 is set as a next hop IP for all routes under FortigateUDR-01
- D. SSTENTAZFGT-03-FloatingPIP public IP is assigned to NIC SSTENTAZFGT-0302-Nic-01
Answer: A,C
NEW QUESTION # 25
You have been tasked with deploying FortiGate VMs in a highly available topology on the Amazon Web Services (AWS) cloud. The requirements for your deployment are as follows:
* You must deploy two FortiGate VMs in a single virtual private cloud (VPC), with an external elastic load balancer which will distribute ingress traffic from the internet to both FortiGate VMs in an active-active topology.
* Each FortiGate VM must have two elastic network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
* To maintain high availability, you must deploy the FortiGate VMs in two different availability zones.
How many public and private subnets will you need to configure within the VPC?
- A. One public subnet and two private subnets
- B. One public subnet and one private subnet
- C. Two public subnets and two private subnets
- D. Two public subnets and one private subnet
Answer: A
NEW QUESTION # 26 
Refer to the exhibit. The exhibit shows a topology where multiple connections from clients to the same FortiGate-VM instance, regardless of the protocol being used, are required.
Which two statements are correct? (Choose two.)
- A. The design shows an active-passive FortiGate-VM architecture.
- B. The design shows an active-active FortiGate-VM architecture.
- C. The Cloud Load Balancer Session Affinity setting should be changed to CLIENT_IP.
- D. The Cloud Load Balancer Session Affinity setting should use the default value.
Answer: B,C
NEW QUESTION # 27
You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?
- A. GuardDuty, CloudWatch, S3, and DynamoDB.
- B. Inspector, Shield, GuardDuty, S3, and DynamoDB.
- C. WAF, Shield, GuardDuty, S3, and DynamoDB.
- D. GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.
Answer: A
Explanation:
You must subscribe to GuardDuty, CloudWatch, S3, and DynamoDB.
https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/aws-administration-guide/908646/populating-thr
NEW QUESTION # 28
An organization deploys a FortiGate-VM (VM04 / c4.xlarge) in Amazon Web Services (AWS) and configures two elastic network interfaces (ENIs). Now, the same organization wants to add additional ENIs to support different workloads in their environment.
Which action can you take to accomplish this?
- A. None, you cannot create and add additional ENIs to an existing FortiGate-VM.
- B. Create the ENI and attach it to FortiGate.
- C. Create the ENI, attach it to FortiGate, and then restart FortiGate.
- D. Create the ENI, shut down FortiGate, attach the ENI to FortiGate, and then start FortiGate.
Answer: D
NEW QUESTION # 29
Refer to the exhibit.
Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)
- A. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
- B. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
- C. Configure VNet peering between the hub and spokes.
- D. Configure VNet peering between the spokes only.
Answer: B,C
NEW QUESTION # 30
Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)
- A. Source port ranges
- B. Sequence number
- C. Destination port ranges
- D. Source and destination IP ranges
- E. Action
Answer: A,C,E
NEW QUESTION # 31
Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)
- A. Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
- B. Configure the gateway subnet as the subnet in the user-defined route table
- C. Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute
- D. Define a default route where the next hop IP is the FortiGate WAN interface
- E. Configure a user-defined route table
Answer: B,C,D
Explanation:
https://docs.microsoft.com/en-us/answers/questions/618005/adding-a-inline-fw-to-express-route.html
NEW QUESTION # 32
Refer to the exhibit.
You attempted to deploy the FortiGate-VM in Microsoft Azure with the JSON template, and it failed to boot up. The exhibit shows an excerpt from the JSON template.
What is incorrect with the template?
- A. The caching parameter should be None.
- B. The CreateOptions parameter should be FromImage.
- C. The LUN ID is not defined.
- D. FortiGate-VM does not support managedDisk from Azure.
Answer: B
Explanation:
https://github.com/fortinet/azure-templates/blob/main/FortiGate/A-Single-VM/azuredeploy.json
NEW QUESTION # 33
You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:
* Two FortiGate devices must be deployed; each in a different availability zone.
* Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
* An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active-active topology.
* An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.
* Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?
- A. config system sdn-connector
- B. config system auto-scale
- C. config system session-sync
- D. config system ha
Answer: D
NEW QUESTION # 34
You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?
- A. GuardDuty, CloudWatch, S3, and DynamoDB.
- B. GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.
- C. Inspector, Shield, GuardDuty, S3, and DynamoDB.
- D. WAF, Shield, GuardDuty, S3, and DynamoDB.
Answer: B
NEW QUESTION # 35
......
The Fortinet NSE7_PBC-6.4 exam is a challenging exam that requires candidates to have a deep understanding of public cloud security concepts, as well as hands-on experience with Fortinet's public cloud security solutions. The NSE7_PBC-6.4 exam consists of multiple-choice questions, and candidates are required to answer 60 questions in 120 minutes.