[Apr 22, 2024] Ultimate NSE7_PBC-7.2 Guide to Prepare Free Latest Fortinet Practice Tests Dumps
The Fortinet NSE7_PBC-7.2 exam is intended for professionals who work in public cloud security roles, such as security engineers, cloud security architects and security operations center (SOC) staff. It is an opportunity for these professionals to demonstrate their expertise in deploying and managing security solutions for public cloud environments. The Fortinet NSE 7 - Public Cloud Security 7.2 certification confirms that the holder has the knowledge and skills required to secure public cloud environments using Fortinet security solutions.
NEW QUESTION # 14
You are asked to find a solution to replace the existing VPC peering topology to have a higher bandwidth connection from Amazon Web Services (AWS) to the on-premises data center. Which two solutions will satisfy the requirement? (Choose two.)
- A. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center.
- B. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center.
- C. Use ECMP and VPN to achieve higher bandwidth.
- D. Use transit VPC to build multiple VPC connections to the on-premises data center.
Answer: A,B
Explanation:
The correct answers are A and B: use a transit VPC with a hub and spoke topology to create multiple VPN connections to the on-premises data center, or use a transit gateway VPN attachment to create multiple VPN connections to the on-premises data center.
According to the Fortinet documentation for Public Cloud Security, a transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks and VPNs. In a hub and spoke topology the FortiGate VMs in the transit VPC terminate multiple IPsec tunnels to the on-premises data center and provide network security and threat prevention on the path. Because a single AWS Site-to-Site VPN tunnel is capped at 1.25 Gbps, the extra bandwidth comes from running several tunnels in parallel and spreading flows across them with Equal-Cost Multi-Path (ECMP) routing.
A transit gateway is a managed network transit hub that connects VPCs and on-premises networks. A transit gateway attachment connects a VPC, a VPN or a Connect peer to the transit gateway. With VPN attachments you can create multiple Site-to-Site VPN connections to the on-premises data center and enable ECMP on the transit gateway so that traffic is load balanced across the tunnels, while the FortiGate VM in the security VPC still provides inspection and threat prevention.
The other options are incorrect because:
Using ECMP and VPN to achieve higher bandwidth is not a complete solution on its own: it does not say how the existing VPC peering topology is replaced or how the AWS VPCs are connected to the on-premises data center. ECMP is the mechanism both correct answers rely on, not a topology.
Using a transit VPC to build multiple VPC connections to the on-premises data center is not correct: VPC connections terminate inside AWS, and the option says nothing about the hub and spoke topology or the multiple VPN tunnels that actually raise the bandwidth.
References: Fortinet Documentation Library - Transit VPC on AWS; Fortinet Documentation Library - Deploying FortiGate VMs on AWS
NEW QUESTION # 15
Refer to the exhibit.
You are troubleshooting a FortiGate HA floating IP issue with Microsoft Azure. After the failover, the new primary device does not have the previous primary device's floating IP address.
What could be the possible issue with this scenario?
- A. A wrong client secret credential is used
- B. FortiGate port4 does not have internet access.
- C. The Azure service principal account must have a contributor role.
- D. The error is caused by credential time expiration.
Answer: C
Explanation:
In this scenario, the issue is caused by the Azure service principal account not having the Contributor role. On failover the new primary device uses the SDN connector to call the Azure management API, moving the floating IP configuration (the public IP and the secondary private IPs) to its own network interfaces and updating the route tables. If the service principal lacks the Contributor role on the resource group, those API calls are rejected and the floating IP stays on the old primary even though the FortiGate HA failover itself succeeded. A wrong client secret or an expired credential would also break the API calls, but they would break every SDN connector query rather than only the failover, so check the SDN connector status first. References: Fortinet Public Cloud Security knowledge source documents or study guide.
https://docs.fortinet.com/product/fortigate-public-cloud/7.2
NEW QUESTION # 16
Refer to the exhibit
You are deploying two FortiGate VMs in HA active-passive mode with load balancers in Microsoft Azure. Which two statements are true in this load balancing scenario? (Choose two.)
- A. A dedicated management interface can be used for load balancing.
- B. An internal load balancer listener is the next-hop for outgoing traffic.
- C. You must add a route to the Microsoft VIP used for the health check.
- D. The FortiGate public IP is the next-hop for all the traffic.
Answer: A,B
Explanation:
D is incorrect because the FortiGate public IP is not the next hop for all traffic. The FortiGate public IP (the external load balancer front end) is only the entry point for inbound traffic from the internet; the Azure load balancer forwards that traffic to whichever FortiGate VM passes its health probe. The public IP plays no role in outbound or east-west traffic.
B is correct because the internal load balancer front-end IP is the next hop for outgoing traffic. The spoke subnets' user-defined routes point 0.0.0.0/0 at that front-end address, the internal load balancer probes both FortiGate VMs and steers the flow to the active one, and the active FortiGate then forwards the traffic to the internet through the public load balancer.
C is marked incorrect in this key: the probe source (168.63.129.16, a fixed Azure platform address) is reachable from any interface that sits in an Azure subnet, so probes arriving on the interface that holds the default route are answered without extra configuration. A practitioner should still check that probes are answered on the interface they arrive on: because the FortiGate's default route is on port1, Fortinet's Azure templates add a /32 static route for 168.63.129.16 via the port2 gateway so that internal load balancer probes are answered from port2. If only the internal probe fails after deployment, that route is the first thing to verify.
A is correct because a dedicated management interface can be used in this design. In the reference deployment port4 is the dedicated management interface connected to the management network, and it is used to reach each FortiGate VM for configuration and monitoring without mixing that traffic with the load-balanced data path.
NEW QUESTION # 17
You are troubleshooting an Azure SDN connectivity issue with your FortiGate VM. Which two queries does that SDN connector use to interact with the Azure management API? (Choose two.)
- A. Some queries are made to manage public IP addresses.
- B. The first query is targeted to IP address 8.8
- C. There is only one query initiating from FortiGate port1 -
- D. The first query is targeted to a special IP address to get a token.
Answer: A,D
Explanation:
The Azure SDN connector uses two types of queries to interact with the Azure management API. The first query obtains an OAuth token: with a managed identity the FortiGate asks the Azure Instance Metadata Service at the special link-local address 169.254.169.254, and with a service principal it authenticates to the Azure AD token endpoint using the tenant ID, client ID and client secret. The token then authenticates every subsequent query. The second type of query reads and, where needed, changes Azure resources such as virtual machines, network interfaces, network security groups and public IP addresses. Some queries are made to manage public IP addresses, for example to move a public IP from one FortiGate VM to the other on HA failover. There is therefore more than one query, which rules out option C. References: Configuring an SDN connector in Azure, Azure SDN connector using service principal, Troubleshooting Azure SDN connector
NEW QUESTION # 18
When adding the Amazon Web Services (AWS) account to the FortiCNP, which three mandatory configuration steps must you follow? (Choose three.)
- A. Add AWS accounts through FortiCNP.
- B. Accept FortiCNP to create CloudTrail for the account
- C. Enable cloud protection through AWS Guard Duty and AWS Inspector
- D. Launch the CloudFormation template.
- E. Enable cross-region aggregation
Answer: A,B,D
Explanation:
When adding an Amazon Web Services (AWS) account to FortiCNP, you must follow these three mandatory configuration steps:
Add the AWS account through FortiCNP. This is the first step to enable cloud protection for the account. You can add one or multiple accounts automatically or manually; you provide the AWS account ID and a name for the account, and select any optional permissions to grant FortiCNP.
Accept FortiCNP creating a CloudTrail for the account. FortiCNP needs CloudTrail to collect and analyze the AWS API calls and events. You can let FortiCNP create a trail or point it at an existing one, and you specify the aggregation region for the trail.
Launch the CloudFormation template. The template creates a stack and an IAM role in your AWS account. The stack contains the resources FortiCNP needs to access and monitor the account, and the role is the one FortiCNP assumes to act on your behalf; you enter a custom or default role name and the unique UUID designated for your company on FortiCNP. Review the role's trust policy and permissions before launching the stack so that only FortiCNP's principal can assume it and it carries no more than the access FortiCNP needs.
References: Add AWS Account Automatically
https://docs.fortinet.com/document/forticnp/22.4.a/online-help/246021/add-aws-account-automatically
NEW QUESTION # 19
Refer to the exhibit
You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS).
You examined the variables.tf file.
What will be the final result after running the terraform init and terraform apply commands?
- A. Terraform will deploy a FortiGate VM in the eu-west-1a region with private and public subnets.
- B. Terraform will deploy a FortiGate VM in the eu-west-1a region with two subnets and byol license.
- C. Terraform will not deploy a FortiGate VM.
- D. Terraform will deploy a FortiGate VM in the eu-west-1a region without any subnets.
Answer: A
Explanation:
The variables.tf file shows that the FortiGate VM will be deployed in availability zone eu-west-1a with private and public subnets. The region variable is set to "eu-west-1" and the availability_zone variable to "eu-west-1a". The vpc_id variable is set to "vpc-0e9d6a6f" and the subnets variable to a list of two subnet IDs, "subnet-0f9d6a6f" and "subnet-1f9d6a6f". The license_type variable is set to "on-demand" and the ami_id variable to "ami-0e9d6a6f". Option B is wrong because the license type is on-demand (pay as you go), not BYOL; option D is wrong because two subnets are supplied; and nothing in the file prevents the deployment, so option C is wrong as well.
References:
https://docs.fortinet.com/document/fortigate/6.4.0/aws-cookbook/236478/deploying-fortigate-vm-on-aws-using-t
NEW QUESTION # 20
Refer to the exhibit
You are tasked with deploying a webserver and FortiGate VMs in AWS. You are using Terraform to automate the process. Which two important details should you know about the Terraform files? (Choose two.)
- A. After the deployment, Terraform output values are visible only through AWS CloudShell.
- B. The subnet_private_1 value is defined in the variables.tf file
- C. All the output values are available after a successful terraform apply command
- D. You must specify all the AWS credentials in the output.tf file.
Answer: B,C
Explanation:
C: All the output values are available after a successful terraform apply command. Terraform prints them at the end of the apply, and you can read them again at any time with terraform output (or terraform show) in the directory that holds the state; terraform output -json feeds them to other Terraform configurations or to external tooling.
B: The subnet_private_1 value is defined in the variables.tf file. It is an input variable, so it can be overridden on the command line with -var, through a .tfvars file, or with a TF_VAR_subnet_private_1 environment variable when running terraform apply. The variables.tf file is where all the input variables of the configuration are declared.
The other options are incorrect because:
Terraform output values are not visible only through AWS CloudShell. They are stored in the Terraform state and can be read from any shell where Terraform is installed and has access to that state.
You do not specify AWS credentials in the output.tf file. That file only declares output values. Credentials belong to the AWS provider configuration (typically provider.tf), and the recommended practice is to keep them out of the code entirely by using environment variables, the shared credentials file, or an instance or CloudShell role; never hard-code secrets in files that are committed with the configuration.
References: Output Values - Configuration Language | Terraform - HashiCorp Developer; Command: output - Terraform by HashiCorp; Input Variables - Configuration Language | Terraform - HashiCorp Developer; Configuration Language | Terraform - HashiCorp Developer
NEW QUESTION # 21
You are adding more spoke VPCs to an existing hub and spoke topology. Your goal is to finish this task in the minimum amount of time without making errors.
Which Amazon AWS services must you subscribe to accomplish your goal?
- A. Inspector, S3
- B. GuardDuty, CloudWatch
- C. CloudWatch, S3
- D. WAF, DynamoDB
Answer: C
Explanation:
The correct answer is C: CloudWatch and S3.
According to the GitHub repository for the Fortinet aws-lambda-tgw script, the Lambda function relies on the following AWS services:
CloudWatch: a monitoring and observability service that collects and processes events from AWS resources, including Transit Gateway attachments and route tables, and triggers the function when they change.
S3: a scalable object storage service that holds the configuration files and logs used and generated by the Lambda function.
With the Fortinet aws-lambda-tgw script, the creation and configuration of Transit Gateway Connect attachments and routes for the FortiGate devices is automated, which saves time and avoids manual errors when adding more spoke VPCs to an existing hub and spoke topology.
The other AWS services mentioned in the options are not required for this task. GuardDuty is a threat detection service that monitors for malicious and unauthorized behavior in AWS accounts and workloads. WAF is a web application firewall that protects web applications from common web exploits. Inspector is a security assessment service that helps improve the security and compliance of applications deployed on AWS. DynamoDB is a fast and flexible NoSQL database service.
Reference: GitHub - fortinet/aws-lambda-tgw
NEW QUESTION # 22
Which statement about Transit Gateway (TGW) in Amazon Web Services (AWS) is true?
- A. Both the TGW attachment and propagation must be in the same TGW route table
- B. A TGW attachment can be associated with multiple TGW route tables.
- C. The TGW default route table cannot be disabled.
- D. TGW can have multiple TGW route tables.
Answer: D
Explanation:
According to the AWS documentation for Transit Gateway, a transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway route table is the set of routes that determines how traffic arriving from an attachment is forwarded to other attachments.
A transit gateway can have multiple route tables, and you can associate different attachments with different route tables. This is how separate routing domains are built: for example, the spoke VPC attachments are associated with one table whose default route points at the security VPC attachment, while the security VPC attachment is associated with another table that holds the propagated spoke CIDRs.
The other options are incorrect because:
Both the TGW attachment and propagation must be in the same TGW route table is not true. Association (which table is consulted for traffic arriving from the attachment) and propagation (which tables receive the attachment's CIDRs) are independent: an attachment can be associated with one table and propagate its routes into several others, which is exactly how the spoke and security domains above are separated.
A TGW attachment can be associated with multiple TGW route tables is not true. An attachment is associated with exactly one route table at a time, although you can change the association whenever you want.
The TGW default route table cannot be disabled is not true. Default route table association and default route table propagation are settings on the transit gateway itself; turning them off stops new attachments from being automatically associated with, or propagated into, the default route table.
Reference: Transit Gateways - Amazon Virtual Private Cloud
NEW QUESTION # 23
Refer to the exhibit
A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Linux1 and Linux2 instances to the internet through the security VPC (virtual private cloud). The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface. Assume there are no issues with the Transit Gateway (TGW) configuration. Which two settings must the customer add to correct the issue? (Choose two.)
- A. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the Internet Gateway (IGW).
- B. Both landing subnets in the security VPC must have a 0.0.0.0/0 traffic route to the FortiGate port2.
- C. Both landing subnets in the spoke VPCs must have a 0.0.0.0/0 traffic route to the TGW.
- D. The four landing subnets in all the VPCs must have a 0.0.0.0/0 traffic route to the TGW.
Answer: B,C
Explanation:
The correct answers are B and C: both landing subnets in the spoke VPCs need a 0.0.0.0/0 route to the TGW, and both landing subnets in the security VPC need a 0.0.0.0/0 route to the FortiGate port2.
A VPC route table only ever chooses a next hop inside its own VPC, so the path from a spoke instance to the FortiGate is built from two separate VPC route tables with the TGW route table in between:
In the route table of the spoke subnets, add a route with destination 0.0.0.0/0 and next hop TGW. This sends all non-local traffic from the Linux instances to the TGW, which forwards it according to the TGW route table associated with the spoke attachment (assumed correct here, pointing at the security VPC attachment).
In the route table of the security VPC subnets that hold the TGW attachment network interfaces, add a route with destination 0.0.0.0/0 and next hop the FortiGate port2 network interface. This delivers the traffic arriving from the TGW to the FortiGate internal interface, where the FortiGate policies inspect it before it leaves through port1. Without this route the packets are dropped inside the security VPC, which matches the symptom that traffic never reaches the internal interface.
The other options are incorrect because:
Adding a 0.0.0.0/0 route to the Internet Gateway (IGW) in the spoke VPCs would bypass the TGW and the security VPC and send the traffic straight to the internet without inspection.
Adding a 0.0.0.0/0 route to the TGW in all four subnets is wrong for the security VPC: its landing subnets must point the default route at FortiGate port2, not back at the TGW, otherwise traffic loops between the TGW and the security VPC. The security VPC subnets do need routes for the spoke CIDRs pointing at the TGW, but that is the return path, not the default route.
References: Transit Gateways - Amazon Virtual Private Cloud; Fortinet Documentation Library - Deploying FortiGate VMs on AWS
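Questions 22 and 23 both come down to chained route lookups: the spoke subnet's route table, then the TGW route table associated with the ingress attachment, then the security VPC subnet's route table. The following Python model is an added example, not code from Fortinet, AWS or this question bank; every attachment name, route table name, CIDR and the eni-fgt-port2 identifier are constructed. It enforces the single-association rule, lets an attachment propagate into a table it is not associated with, performs longest-prefix match at every hop, and traces an outbound packet with and without the security VPC's 0.0.0.0/0 route to FortiGate port2 so the blackhole from question 23 is visible.

```python
"""Hop-by-hop routing model for an AWS hub-and-spoke design with a FortiGate
security VPC behind a Transit Gateway. Added example, not Fortinet or AWS code;
IDs, CIDRs and the destination address are constructed.

Rules modelled: a TGW attachment is associated with exactly one TGW route table
but may propagate its CIDR into any table; every route table picks the most
specific prefix; a VPC route table only chooses next hops inside its own VPC,
so spoke -> TGW -> security VPC -> FortiGate port2 takes three lookups."""
from ipaddress import ip_address, ip_network

SPOKE1_CIDR = "10.1.0.0/16"
SPOKE2_CIDR = "10.2.0.0/16"
SECURITY_CIDR = "10.0.0.0/16"
FGT_PORT2_ENI = "eni-fgt-port2"   # constructed name for the FortiGate internal interface


def longest_prefix_match(table, dst):
    """AWS semantics: the most specific matching prefix wins; None means no route."""
    dst = ip_address(dst)
    matches = [(net, target) for net, target in table.items() if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


class TransitGateway:
    def __init__(self):
        self.route_tables = {}   # table name -> {ip_network: target attachment}
        self.association = {}    # attachment -> the single table it is associated with

    def add_route_table(self, name):
        self.route_tables[name] = {}

    def associate(self, attachment, table):
        # AWS allows exactly one association per attachment
        if attachment in self.association:
            raise ValueError(f"{attachment} already associated with "
                             f"{self.association[attachment]}")
        self.association[attachment] = table

    def propagate(self, attachment, cidr, table):
        # propagation is independent of association and may target any table
        self.route_tables[table][ip_network(cidr)] = attachment

    def add_static_route(self, table, cidr, attachment):
        self.route_tables[table][ip_network(cidr)] = attachment

    def forward(self, ingress_attachment, dst):
        """Look dst up in the table associated with the ingress attachment."""
        table = self.route_tables[self.association[ingress_attachment]]
        return longest_prefix_match(table, dst)


def build_tgw():
    """Two routing domains: spokes send 0/0 to the security VPC; the security
    VPC table learns the spoke CIDRs by propagation (the return path)."""
    tgw = TransitGateway()
    tgw.add_route_table("rt-spokes")
    tgw.add_route_table("rt-security")
    tgw.associate("tgw-attach-spoke1", "rt-spokes")
    tgw.associate("tgw-attach-spoke2", "rt-spokes")
    tgw.associate("tgw-attach-security", "rt-security")
    tgw.add_static_route("rt-spokes", "0.0.0.0/0", "tgw-attach-security")
    tgw.propagate("tgw-attach-spoke1", SPOKE1_CIDR, "rt-security")
    tgw.propagate("tgw-attach-spoke2", SPOKE2_CIDR, "rt-security")
    return tgw


def spoke_subnet_route_table():
    return {ip_network(SPOKE1_CIDR): "local", ip_network("0.0.0.0/0"): "tgw"}


def security_subnet_route_table(with_default_to_port2):
    """Route table of the security VPC subnets holding the TGW attachment ENIs."""
    table = {ip_network(SECURITY_CIDR): "local",
             ip_network(SPOKE1_CIDR): "tgw",        # return traffic to the spokes
             ip_network(SPOKE2_CIDR): "tgw"}
    if with_default_to_port2:
        table[ip_network("0.0.0.0/0")] = FGT_PORT2_ENI   # the fix from option B
    return table


def trace_egress(dst="198.51.100.10", security_default_to_port2=True):
    """Follow a packet from a spoke1 instance toward dst and return the hops,
    ending with 'BLACKHOLE ...' when a route table has no usable route."""
    hops = []
    nh = longest_prefix_match(spoke_subnet_route_table(), dst)
    if nh == "local":
        return ["spoke-subnet -> local (same VPC, never leaves)"]
    if nh != "tgw":
        return hops + [f"BLACKHOLE (spoke subnet next hop: {nh})"]
    hops.append("spoke-subnet -> tgw")
    attachment = build_tgw().forward("tgw-attach-spoke1", dst)
    if attachment is None:
        return hops + ["BLACKHOLE (no route in TGW table)"]
    hops.append(f"tgw -> {attachment}")
    nh = longest_prefix_match(security_subnet_route_table(security_default_to_port2), dst)
    if nh != FGT_PORT2_ENI:
        return hops + [f"BLACKHOLE (security subnet next hop: {nh}, traffic never reaches port2)"]
    hops.append(f"security-subnet -> {nh}")
    return hops


if __name__ == "__main__":
    for fixed in (False, True):
        print(f"security subnet 0/0 -> port2 present: {fixed}")
        for hop in trace_egress(security_default_to_port2=fixed):
            print("  ", hop)
```

Run it and the second trace stops with a BLACKHOLE in the security subnet, which is the exact symptom in question 23 (traffic never reaches the FortiGate internal interface) even though the spoke route and the TGW route are both correct.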
NEW QUESTION # 24
Refer to the exhibit
In your Amazon Web Services (AWS) environment, you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet. However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful.
You must also ensure that the Customer VPC FortiGate VM sends all of its outbound internet traffic through the Security VPC. How do you correct this issue with minimal configuration changes?
(Choose three.)
- A. Add a route with your local internet public IP address as the destination and target internet gateway.
- B. Add route destination 0.0.0.0/0 to target the transit gateway.
- C. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway.
- D. Add a route with your local internet public IP address as the destination and target transit gateway.
- E. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC.
Answer: B,C,E
Explanation:
B: Add route destination 0.0.0.0/0 to target the transit gateway. This makes the Customer VPC FortiGate VM send all of its outbound internet traffic to the transit gateway, which forwards it to the Security VPC where the Security VPC FortiGate VMs inspect it. The transit gateway is the managed hub that connects multiple VPCs and on-premises networks in a hub-and-spoke model.
C: Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway. This gives the subnet hosting the FortiGate VM a path to and from the internet, which is what inbound HTTPS from the internet requires. An internet gateway enables communication between a VPC and the internet; an Elastic IP (EIP) is a public IPv4 address allocated to your account and associated with a network interface in your VPC.
E: Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC. An internet gateway does nothing until it is attached to the VPC, and the EIP must be associated with the FortiGate network interface that receives the inbound HTTPS connections, so this step completes the inbound path described in C.
The other options are incorrect because:
Adding a route with your own public IP address as the destination and the transit gateway as the target does not allow inbound HTTPS from the internet at large: a host route for one address only affects traffic to that address. It also does nothing for general outbound traffic, because it is the 0.0.0.0/0 route that must point at the transit gateway.
Adding a route with your own public IP address as the destination and the internet gateway as the target likewise covers a single address only, so it does not satisfy the requirement of inbound HTTPS access from the internet, and it does not send the FortiGate's outbound traffic through the Security VPC.
NEW QUESTION # 25
You are tasked with deploying a FortiGate HA solution in Amazon Web Services (AWS) using Terraform. What are two steps you must take to complete this deployment? (Choose two.)
- A. Use CloudShell to install Terraform.
- B. Create an AWS Identity and Access Management (IAM) user With permissions.
- C. Enable automation on the AWS portal.
- D. Create an AWS Active Directory user with permissions.
Answer: A,B
Explanation:
To deploy a FortiGate HA solution in AWS using Terraform, you need an AWS Identity and Access Management (IAM) user with permissions covering the EC2, VPC and IAM resources that the FortiGate-VM template creates, and you need Terraform itself, which the Fortinet guide installs in AWS CloudShell. Terraform is a tool for building, changing and versioning infrastructure as code. Scope the IAM permissions to what the template needs rather than attaching AdministratorAccess, and keep the access keys out of the Terraform files. "AWS Active Directory user" and "enable automation on the AWS portal" are not AWS concepts that apply to this deployment.
References:
Deploying FortiGate-VM using Terraform | AWS Administration Guide
Setting up IAM roles | AWS Administration Guide
Launching the instance using roles and user data | AWS Administration Guide Terraform by HashiCorp
NEW QUESTION # 26
Refer to the exhibit
An administrator deployed an HA active-active load balance sandwich in Microsoft Azure. The setup requires configuration synchronization between devices. What are two outcomes from the configured settings? (Choose two.)
- A. FortiGate A and FortiGate B are two independent devices.
- B. It does not synchronize the FortiGate hostname
- C. By default, FortiGate uses FGCP
- D. FortiGate-VM instances are scaled out automatically according to predefined workload levels.
Answer: A,B
Explanation:
A: FortiGate A and FortiGate B are two independent devices. They are not members of an FGCP cluster and do not share state; each is a standalone FortiGate with standalone configuration synchronization enabled. This feature synchronizes most configuration settings between the two devices, except for the settings that identify each FortiGate on the network, such as the hostname.
B: It does not synchronize the FortiGate hostname. The hostname is one of the settings excluded from standalone configuration synchronization, as described above; it is a unique identifier for each device and must not be overwritten by the synchronization process.
The other options are incorrect because:
FortiGate-VM instances are not scaled out automatically according to predefined workload levels. That is the FortiGate-VM auto scaling solution for Azure, which requires a different deployment and configuration from the one in the exhibit. The exhibit shows a static deployment of two FortiGate-VM instances behind Azure load balancers, which does not auto scale.
By default, FortiGate does not use FGCP in this setup. FGCP, the FortiGate Clustering Protocol, synchronizes configuration and session state between the members of an HA cluster. The FortiGates in the exhibit are not an HA cluster; they use standalone configuration synchronization instead of FGCP.
NEW QUESTION # 27
What are two main features in Amazon Web Services (AWS) network access control lists (ACLs)? (Choose two.)
- A. NetworkACLs are stateless, and inbound and outbound rules are used for traffic filtering
- B. The default network ACL is configured to allow all traffic
- C. Network ACLs are tied to an instance
- D. You cannot use Network ACL and Security Group at the same time.
Answer: A,B
Explanation:
B: The default network ACL is configured to allow all traffic. When you create a VPC, AWS automatically creates a default network ACL for it and associates every subnet that has no explicit association with it. The default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can modify it but you cannot delete it. A custom network ACL that you create yourself starts with the opposite posture: it denies everything until you add rules.
A: Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering. A network ACL keeps no connection state and evaluates each packet on its own, in ascending rule-number order, with the first match deciding and the implicit final rule denying. You therefore need matching rules in both directions for every flow. For example, to allow SSH from a specific IP address to your subnet, add an inbound rule allowing TCP port 22 from that address and an outbound rule allowing TCP ports 1024-65535 (the ephemeral ports) to that address; without the outbound rule the SYN-ACK is dropped and the session never opens.
The other options are incorrect because:
You can use a network ACL and a security group at the same time. They are two different security layers in a VPC that work together: the network ACL is a stateless firewall for the subnet, while the security group is a stateful firewall for the instance's network interface. Using both gives a more granular and effective security policy.
Network ACLs are not tied to an instance. They are associated with subnets, so they apply to all instances in the subnets they are associated with; you cannot associate a network ACL with a specific instance. A security group, by contrast, is attached to one or more instances through their network interfaces.
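To make the stateless behaviour concrete, the following Python model is an added example (not AWS code) that evaluates constructed network ACL rules the way AWS does: ascending rule number, first match wins, implicit deny. It checks both halves of an SSH handshake against the default ACL, an ACL that only has the inbound rule, the corrected ACL with the ephemeral-port outbound rule, and an ACL where a lower-numbered deny for one host precedes the /24 allow. All addresses, ports and rule numbers are constructed.

```python
"""Stateless network ACL evaluation. Added example, not AWS code; all rules,
addresses and ports are constructed. Rules are evaluated in ascending
rule-number order, the first match wins, and the implicit final '*' rule
denies. Because the ACL holds no connection state, the reply half of a TCP
session is judged by the outbound rules on its own, which is why an
inbound-only SSH rule silently breaks SSH."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL_PORTS = (1024, 65535)   # range AWS recommends for return traffic


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str       # "tcp", "udp", "icmp" or "all"
    ports: tuple        # (low, high); ignored unless protocol is tcp or udp
    cidr: str           # source for inbound rules, destination for outbound rules
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _matches(rule, ip, port, protocol):
        if rule.protocol != "all" and rule.protocol != protocol:
            return False
        if ip_address(ip) not in ip_network(rule.cidr):
            return False
        if rule.protocol in ("tcp", "udp"):
            low, high = rule.ports
            return low <= port <= high
        return True

    def evaluate(self, direction, pkt):
        """Return 'allow' or 'deny' for one packet in one direction."""
        if direction == "inbound":
            rules, ip = self.inbound, pkt.src_ip      # match the remote source
        else:
            rules, ip = self.outbound, pkt.dst_ip     # match the remote destination
        for rule in rules:
            if self._matches(rule, ip, pkt.dst_port, pkt.protocol):
                return rule.action
        return "deny"                                 # implicit final '*' rule


def ssh_session_allowed(acl, client="203.0.113.7", server="10.0.1.10"):
    """True only if both halves pass: the SYN inbound to port 22 and the
    SYN-ACK outbound to the client's ephemeral port."""
    syn = Packet(client, 49152, server, 22)
    syn_ack = Packet(server, 22, client, 49152)
    return (acl.evaluate("inbound", syn) == "allow"
            and acl.evaluate("outbound", syn_ack) == "allow")


# the default network ACL as AWS creates it: rule 100 allows everything both ways
DEFAULT_ACL = NetworkAcl(
    inbound=[Rule(100, "all", (0, 65535), "0.0.0.0/0", "allow")],
    outbound=[Rule(100, "all", (0, 65535), "0.0.0.0/0", "allow")],
)

# a custom ACL that only thought about the request direction
INBOUND_ONLY_ACL = NetworkAcl(
    inbound=[Rule(100, "tcp", (22, 22), "203.0.113.0/24", "allow")],
    outbound=[],
)

# the same ACL with the return path added
SSH_ACL = NetworkAcl(
    inbound=[Rule(100, "tcp", (22, 22), "203.0.113.0/24", "allow")],
    outbound=[Rule(100, "tcp", EPHEMERAL_PORTS, "203.0.113.0/24", "allow")],
)

# a lower-numbered deny for one host is evaluated before the /24 allow
BLOCKED_HOST_ACL = NetworkAcl(
    inbound=[Rule(90, "tcp", (22, 22), "203.0.113.7/32", "deny"),
             Rule(100, "tcp", (22, 22), "203.0.113.0/24", "allow")],
    outbound=[Rule(100, "tcp", EPHEMERAL_PORTS, "203.0.113.0/24", "allow")],
)
```

The interesting case is INBOUND_ONLY_ACL: the SYN is allowed in, the FortiGate or instance replies, and the SYN-ACK is dropped by the implicit deny on the way out, so the client sees a connection timeout while the inbound rule looks perfectly fine in the console.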
NEW QUESTION # 28
Refer to Exhibit:
The exhibit shows the Connect Peers settings on Amazon Web Services (AWS) transit gateway attachments with two FortiGate VMs in a security VPC.
Which two statements are correct? (Choose two.)
- A. The Transit Gateway GRE address is auto-generated
- B. The peer GRE address is the FortiGate external interface IP address.
- C. The Peer GRE address is the FortiGate internal interface IP address
- D. The BGP inside CIDR blocks can be any CIDR block with /29
Answer: A,B
Explanation:
B: The peer GRE address is the FortiGate external interface IP address. It is the address of the FortiGate interface that sits in the subnet reached through the transport VPC attachment, and it is the FortiGate's end of the GRE tunnel to the transit gateway.
A: The Transit Gateway GRE address is auto-generated. It is the transit gateway's end of the GRE tunnel, assigned automatically by AWS from the transit gateway CIDR block that you specify when you create the Connect attachment; you cannot choose it yourself.
The other options are incorrect because:
The BGP inside CIDR blocks cannot be any CIDR block with /29. They must be a /29 from the 169.254.0.0/16 range for IPv4, or a /125 from the fd00::/8 range for IPv6, must not be one of the link-local /29s that AWS reserves, and must be unique across the Connect peers on the transit gateway. These are the inside addresses used for the BGP sessions over the GRE tunnel: the first address is the FortiGate's BGP peer address and the second and third are the transit gateway's.
The peer GRE address is not the FortiGate internal interface IP address. The internal interface carries traffic between the FortiGate and the workload subnets behind it; the GRE tunnel terminates on the interface the exhibit shows as the peer GRE address.
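The inside CIDR rules above are easy to get wrong in a console or a template, so the following Python helper is an added example (not AWS or Fortinet code) that validates a candidate BGP inside CIDR block and derives the peer and transit gateway BGP addresses from it. The reserved /29 list and the first/second/third address convention are the ones AWS documents for Connect peers; the sample blocks are constructed.

```python
"""Checks for a Transit Gateway Connect peer's BGP inside CIDR block. Added
example, not AWS or Fortinet code; sample blocks are constructed. Encodes the
AWS rules: a /29 from 169.254.0.0/16 (or a /125 from fd00::/8 for IPv6), not
one of the link-local /29s AWS reserves, and unique among the Connect peers of
one transit gateway. For IPv4 the first usable address is the appliance's
(FortiGate's) BGP address; the second and third are the transit gateway's."""
from ipaddress import IPv4Network, ip_network

# link-local /29s that AWS refuses as inside CIDR blocks
RESERVED_INSIDE_CIDRS = [ip_network(c) for c in (
    "169.254.0.0/29", "169.254.1.0/29", "169.254.2.0/29", "169.254.3.0/29",
    "169.254.4.0/29", "169.254.5.0/29", "169.254.169.248/29",
)]


def validate_inside_cidr(cidr, already_used=()):
    """Return a list of problems; an empty list means the block is usable."""
    try:
        net = ip_network(cidr, strict=True)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    problems = []
    if isinstance(net, IPv4Network):
        if net.prefixlen != 29:
            problems.append("IPv4 inside CIDR must be exactly /29")
        if not net.subnet_of(ip_network("169.254.0.0/16")):
            problems.append("IPv4 inside CIDR must come from 169.254.0.0/16")
        if net in RESERVED_INSIDE_CIDRS:
            problems.append(f"{net} is reserved by AWS")
    else:
        if net.prefixlen != 125:
            problems.append("IPv6 inside CIDR must be exactly /125")
        if not net.subnet_of(ip_network("fd00::/8")):
            problems.append("IPv6 inside CIDR must come from fd00::/8")
    if any(net == ip_network(used) for used in already_used):
        problems.append(f"{net} is already used by another Connect peer on this transit gateway")
    return problems


def bgp_addresses(cidr):
    """Peer (FortiGate) BGP address and the transit gateway's two BGP addresses
    for a valid IPv4 inside CIDR block."""
    net = ip_network(cidr, strict=True)
    hosts = list(net.hosts())                 # a /29 has six usable addresses
    return {"peer": str(hosts[0]), "tgw": [str(hosts[1]), str(hosts[2])]}


if __name__ == "__main__":
    for block in ("169.254.100.0/29", "169.254.0.0/29", "169.254.100.0/28", "10.0.0.0/29"):
        print(block, validate_inside_cidr(block) or "OK")
    print(bgp_addresses("169.254.100.0/29"))
```

The derived addresses are what you configure on the FortiGate side: the peer address goes on the GRE tunnel interface and the two transit gateway addresses become the BGP neighbors, one session per address.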
NEW QUESTION # 29
A Network security administrator is searching for a solution to secure traffic going in and out of the container infrastructure.
In which two ways can Fortinet container security help secure container infrastructure?(Choose two.)
- A. FortiGate NGFW can connect to the worker node and protects the container.
- B. FortiGate NGFW can be placed between each application container for north-south traffic inspection
- C. FortiGate NGFW can inspect north-south container traffic with label aware policies
- D. FortiGate NGFW and FortiSandbox can be used to secure container traffic
Answer: C,D
Explanation:
The correct answers are C and D: FortiGate NGFW can inspect north-south container traffic with label-aware policies, and FortiGate NGFW together with FortiSandbox can be used to secure container traffic.
According to the Fortinet documentation for container security, FortiGate NGFW provides the following for securing container infrastructure:
It inspects north-south traffic between containers and external networks using label-aware policies: the Kubernetes SDN connector populates dynamic address objects from pod labels and namespaces, so policies follow the workloads as pods are rescheduled instead of depending on ephemeral pod IPs.
It integrates with FortiSandbox for advanced threat protection, sending suspicious files or URLs seen in container traffic to the sandbox for analysis and detection.
It applies FortiGuard Security Services to container traffic for real-time threat intelligence: antivirus, web filtering, IPS and application control.
The other options are incorrect because:
FortiGate NGFW is not placed between each application container; that would add unnecessary complexity and overhead, and pod-to-pod traffic inside a node never reaches it. FortiGate is deployed at the edge of the container network to inspect traffic at the cluster's ingress and egress points.
FortiGate NGFW does not connect to a worker node to protect the containers on it; it runs no agent on the node. It learns about the workloads through the Kubernetes API (the SDN connector) and secures the traffic that crosses the network boundary it sits on.
Reference: Fortinet Documentation Library - Container Security
