Fortinet fcp wcs ad 7 4 practice test
fcp - aws cloud security 7.4 administrator
Last exam update: Oct 15 ,2024
Question 1
You are troubleshooting network connectivity issues between two VMs deployed in AWS.
One VM is a FortiGate located on subnet LAN that is part of the VPC Encryption. The other VM is a Windows server located on the subnet servers which is also in the Encryption VPC. You are unable to ping the Windows server from FortiGate.
What are two reasons for this? (Choose two.)
- A. The firewall in the Windows VM is blocking the traffic.
- B. The default AWS Network Access Control List (NACL) does not allow this traffic.
- C. By default, AWS does not allow ICMP traffic between subnets.
- D. Add an inbound allow ICMP rule in the security group attached to the windows server.
Answer:
ad
Question 2
Refer to the exhibit.
Which two statements are true about inbound traffic based on the IGW ingress route table and GWLB deployment shown in the exhibit? (Choose two.)
- A. GWLB forwards traffic to FortiGate without encapsulation in its dedicated subnet.
- B. Inbound traffic is directed to the GWLB through a GWLB endpoint.
- C. Inbound traffic is directed to the application subnet through a GWLB endpoint.
- D. GWLB encapsulates traffic with the GENEVE protocol and sends it to FortiGate.
Answer:
bd
Question 3
An administrator needs to attach an Elastic Network Interface (ENI) to an application instance in a VPC with multiple availability zones. An instance runs in availability zone 1.
Which ENI property must the administrator consider when implementing this requirement?
- A. An ENI cannot attach to an instance in availability zone 2.
- B. After the ENI detaches from one instance, it can reattach only to the same instance.
- C. You can detach the primary ENI from an AWS instance.
- D. When you move an ENI, network traffic remains directed to the old instance until you terminate that instance.
Answer:
a
Question 4
Which two statements about the FortiCloud portal are true? (Choose two.)
- A. You can gain remote access to your FortiGate VM directly from the portal.
- B. To assign permissions in the identity and access management (IAM) portal, you must write a JSON script.
- C. You can access the FortiFlex portal only after you purchase a FortiFlex license and register it on FortiCare.
- D. You can access only cloud services that you have subscribed to on AWS marketplace.
Answer:
ad
Question 5
Refer to the exhibit.
An administrator configured a FortiGate device to connect to the AWS API to retrieve resource values from the AWS console to create dynamic objects for the FortiGate policies. The administrator is unable to retrieve AWS dynamic objects on FortiGate.
Which two reasons can explain why? (Choose two.)
- A. The AWS API call is not supported on XML version 1.0.
- B. AWS was not able to validate credentials provided by the AWS Lab SDN connector because of a clock skew between FortiGate and AWS.
- C. The AWS Lab SDN connector is configured with an invalid AWS access or secret key.
- D. The AWS Lab SDN connector failed to connect on port 401.
- E. The AWS Lab SDN did not find any instances in the configured VPC.
Answer:
bc
Question 6
Refer to the exhibit.
Which two statements are correct about traffic flow in FortiWeb Cloud? (Choose two.)
- A. The DNS name for the application servers must point to FortiWeb Cloud.
- B. FortiWeb Cloud filters the incoming traffic from users, blocking the OWASP Top 10 attacks, zero-day threats, and other application layer attacks.
- C. FortiWeb Cloud can protect the application servers only if they are all located in the same virtual public cloud (VPC).
- D. Step 2 requires an AWS S3 bucket to be created.
Answer:
ab
Question 7
Refer to the exhibit.
What occurs during a failover for an active-passive (A-P) cluster that is deployed in two different availability zones? (Choose two.)
- A. The cluster elastic IP address (EIP) is moved from Port1 of FGT-1 to Port1 of FGT-2.
- B. The secondary IP address of Port2 of FGT-1 is moved to Port2 of FGT-2.
- C. The default static route in the Private-AZ1 subnet route table is modified to forward all traffic to Port2 of FGT2.
- D. An additional route is added to the route table of the HA Sync AZ2 subnet to forward all traffic to the Internet GW.
Answer:
ab
Question 8
A cloud administrator is tasked with protecting web applications hosted in AWS cloud.
Which three Fortinet cloud offerings can the administrator choose from to accomplish the task? (Choose three.)
- A. AWS WAF
- B. FortiEDR
- C. FortiGate Cloud-Native Firewall (CNF)
- D. Fortinet Managed Rules for AWS WAF
- E. FortiWeb Cloud
Answer:
cde
Question 9
An AWS administrator is designing internet connectivity for an organization's virtual public cloud (VPC). The organization has web servers with private addresses that must be reachable from the internet. The web servers must be highly available.
Which two configurations can you use to ensure the web servers are highly available and reachable from the internet? (Choose two.)
- A. Deploy a network load balancer.
- B. Configure a network address translation (NAT) Gateway in your VPC. Place web servers behind the NAT Gateway.
- C. Add a route to the default virtual public cloud (VPC) route table forwarding all traffic to the internet gateway.
- D. Deploy web servers in multiple availability zones.
Answer:
ad
Question 10
An organization has the requirement to connect a data VPC to the on-premises infrastructure of a branch office in a hybrid cloud environment. The connectivity needs the higher bandwidth but the organization does not want to use multiple connections between sites.
Which AWS solution meets the requirement?
- A. Transit VPC with IPSec
- B. Internet Gateway
- C. Transit Gateway multicast
- D. Transit Gateway Connect
Answer:
d