Fortinet NSE7_CDS_AR-7.6 시험

Question No : 1

Refer to the exhibit.



After analyzing the native monitoring tools available in Azure, an administrator decides to use the tool displayed in the exhibit.
Why would an administrator choose this tool?

• A.To view details about Azure resources and their relationships across multiple regions.
• B.To obtain, and later examine, traffic flow data with a visualization tool.
• C.To help debug issues affecting virtual network gateways.
• D.To compare the latency of an on-premises site with the latency of an Azure application.

답을 확인하기

정답:

Question No : 2

Refer to the exhibit.



An administrator used the what-if tool to preview changes to an Azure Bicep file.
What will happen if the administrator decides to apply these changes in Azure?

• A.Subnet 10.0.1.0/24 will replace subnet 10.0.2.0/24.
• B.This deployment will fail and no changes will be applied.
• C.A new subnet will be added to ServerApps.
• D.The ServerApps VNet will be renamed.

답을 확인하기

정답:
Explanation:
Based on the Fortinet NSE 7 - Public Cloud Security 7.4/7.6 curriculum and Azure Resource Manager (ARM) deployment logic, the what-if tool provides a predictive analysis of infrastructure changes.
Analyzing the Modification Symbols (Option B): The exhibit shows several critical changes being attempted simultaneously on the ServerApps_vnet.
VNet Address Space Change: The symbol - (Delete) is next to the address space 10.0.0.0/16, and + (Create) is next to 192.168.0.0/24.
Subnet Modification: Further down, the symbol ~ (Modify) indicates an attempt to change the prefix of an existing subnet from 10.0.1.0/24 to 10.0.2.0/24.
Azure Deployment Constraints: According to the FortiOS 7.6 Azure Administration Guide, Azure networking has strict dependencies. You cannot delete or modify an address space that contains active subnets or resources.
Why the deployment fails: The what-if output shows the administrator is trying to remove the 10.0.0.0/16 address range. However, the existing subnet 10.0.1.0/24 is still "resident" within that range during the transaction. Because the subnet is currently attached to the address space being deleted, Azure Resource Manager will reject the deployment as an invalid operation. The attempt to add a new 192.168.0.0/24 range does not resolve the conflict of removing the active range.
Why other options are incorrect:
Option A: The tool shows that 10.0.1.0/24 is being changed to 10.0.2.0/24, not that one is replacing the other as a new entity.
Option C: The symbols show a modification (~) of an existing subnet (index 0:), not the creation (+) of an entirely new subnet.
Option D: The VNet name ServerApps_vnet is not being changed; only its internal properties (tags, address space, and subnets) are being modified.

Question No : 3

Exhibit.



You are tasked with deploying FortiGate using Terraform. When you run the terraform version command during the Terraform installation, you get an error message.
What could you do to resolve the command not found error?

• A.You must move the binary file to the bin directory.
• B.You must reinstall Terraform.
• C.You must change the directory location to the root directory.
• D.You must assign correct permissions to the ec2-user.

답을 확인하기

정답:
Explanation:
https://github.com/fortinet/fortigate-terraform-deploy
According to the Terraform documentation for installing Terraform on Linux, you need to download a zip archive that contains a single binary file called terraform. You need to unzip the archive and move the binary file to a directory that is included in your system's PATH environment variable, such as /usr/local/bin. This way, you can run the terraform command from any directory without specifying the full path.
If you do not move the binary file to the bin directory, you will get a command not found error when you try to run the terraform version command, as shown in the screenshot. To fix this error, you need to move the binary file to the bin directory or specify the full path of the binary file when running the command.

Question No : 4

Refer to the exhibit.



You deployed a FortiGate HA active-passive cluster in Microsoft Azure.
Which two statements regarding this particular deployment are true? (Choose two.)

• A.You can use the vdom-exception command to synchronize the configuration.
• B.During a failover, all existing sessions are transferred to the new active FortiGate.
• C.The configuration does not synchronize between the primary and secondary devices.
• D.There is no SLA for API calls from Microsoft Azure.

답을 확인하기

정답:

Question No : 5

Refer to the exhibit.



A managed security service provider (MSSP) administration team is trying to deploy a new HA cluster in Azure to filter traffic to and from a client that is also using Azure. However, every deployment attempt fails, and only some of the resources are deployed successfully. While troubleshooting this issue, the team runs the command shown in the exhibit.
What are the implications of the output of the command?

• A.The team will not be able to deploy an A-P FortiGate HA cluster with Azure gateway load balancer.
• B.The team will not be able to deploy an A-P FortiGate HA cluster with Azure load balancer.
• C.The team will not be able to deploy an active-passive (A-P) FortiGate high availability (HA) cluster with SDN connector.
• D.The team will not be able to deploy an active-active (A-P) FortiGate HA cluster with Azure load balancer.

답을 확인하기

정답:

Question No : 6

An administrator decides to use the Use managed identity option on the FortiGate SDN connector with Microsoft Azure. However, the SDN connector is failing on the connection.
What must the administrator do to correct this issue?

• A.Make sure to add the Client secret on FortiGate side of the configuration.
• B.Make sure to add the Tenant ID on FortiGate side of the configuration.
• C.Make sure to enable the system assigned managed identity on Azure.
• D.Make sure to set the type to system managed identity on FortiGate SDN connector settings.

답을 확인하기

정답:

Question No : 7

An AWS administrator must ensure that each member of the cloud deployment team has the correct permissions to deploy and manage resources using CloudFormation. The administrator is researching which tasks must be executed with CloudFormation and therefore require CloudFormation permissions.
Which task is run using CloudFormation?

• A.Deploying a new pod with a service in an Elastic Kubernetes Service (EKS) cluster using the kubectl command
• B.Installing a Helm chart to deploy a FortiWeb ingress controller in an EKS cluster
• C.Creating an EKS cluster with the eksctl create cluster command
• D.Changing the number of nodes in a EKS cluster from AWS CloudShell

답을 확인하기

정답:
Explanation:
Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:
Based on the Fortinet NSE 7 - Public Cloud Security 7.4/7.6 study materials and the FortiOS 7.6 AWS Administration Guide, understanding the underlying mechanisms of AWS deployment tools is essential for permission management.
Infrastructure as Code and eksctl (Option C): In the context of Amazon EKS, the eksctl command-line tool is the official CLI for creating and managing clusters on EKS. When an administrator executes the eksctl create cluster command, eksctl does not interact with the EKS API directly to provision infrastructure; instead, it generates and executes AWS CloudFormation stacks to provision the necessary VPC, IAM roles, and the EKS control plane. Therefore, users running this command must have explicit permissions to create and manage CloudFormation stacks.
Resource Provisioning via Stacks: CloudFormation is AWS's native service for Infrastructure as Code (IaC), allowing users to define resources in JSON or YAML templates. Commands like eksctl leverage these templates to ensure repeatable and organized deployments of complex architectures, such as those required for a FortiGate or FortiWeb cloud integration.
Why other options are incorrect:
Option A: The kubectl command interacts directly with the Kubernetes API server inside the cluster to manage pods and services; it does not trigger AWS CloudFormation processes.
Option B: Helm is a package manager for Kubernetes. While it manages "releases" within the EKS cluster, the installation of a Helm chart for a FortiWeb ingress controller happens at the Kubernetes software layer and does not utilize AWS CloudFormation stacks.
Option D: Changing the node count via CloudShell using the AWS CLI or kubectl typically modifies an Auto Scaling Group or a Kubernetes Deployment/DaemonSet directly, rather than initiating a new CloudFormation stack execution.

Question No : 8

In an SD-WAN TGW Connect topology, which three initial steps are mandatory when routing traffic from a spoke VPC to a security VPC through a Transit Gateway? (Choose three.)

• A.From the security VPC TGW subnet routing table, point 0.0.0.0/0 traffic to the FortiGate internal port.
• B.From the security VPC TGW subnet routing table, point 0.0.0.0/0 traffic to the TG
• C.From both spoke VPCs, and the security VPC, point 0.0.0.0/0 traffic to the Internet Gateway.
• D.From the security VPC FortiGate internal subnet routing table, point 0.0.0.0/0 traffic to the TG
• E.From the spoke VPC internal routing table, point 0.0.0.0/0 traffic to the TG

답을 확인하기

정답:
Explanation:
Comprehensive and Detailed Explanation From FortiOS 7.6, FortiWeb 7.4 Exact Extract study guide:
In an AWS SD-WAN Transit Gateway (TGW) Connect topology, traffic flow must be meticulously orchestrated through VPC route tables to ensure that the FortiGate-VM (Security VPC) can inspect traffic transitioning between spokes.
Spoke to TGW Redirection (Option E): For traffic to leave a Spoke VPC and reach the inspection hub, the Spoke VPC internal routing table must be configured to send all non-local traffic (0.0.0.0/0) to the Transit Gateway (TGW). This is the first step in the traffic chain.
TGW to FortiGate Redirection (Option A): Once the traffic arrives at the TGW and is forwarded to the Security VPC via a TGW attachment, it lands in the TGW subnet (or attachment subnet). To ensure this traffic is inspected, the Security VPC TGW subnet routing table must point the default route (0.0.0.0/0) to the FortiGate's internal network interface (ENI).
FortiGate Return/Egress Path (Option D): After the FortiGate processes the packet, it must be sent back to the TGW to reach its final destination in a different spoke or to exit via a different gateway. Therefore, the Security VPC FortiGate internal subnet routing table (the subnet where the FortiGate's internal leg resides) must have a default route (0.0.0.0/0) pointing back to the TGW.
Why other options are incorrect:
Option B: If the Security VPC TGW subnet routing table points to the TGW as the next hop, it creates a routing loop where traffic arrives from the TGW and is immediately sent back without being inspected by the FortiGate.
Option C: Pointing all traffic to an Internet Gateway (IGW) would bypass the Transit Gateway entirely and send traffic to the public internet rather than through the internal security fabric.

Question No : 9

Refer to the exhibit.



What is the purpose of this section of an Azure Bicep file?

• A.To restrict which FortiOS versions are accepted for deployment
• B.To indicate the correct FortiOS upgrade path after deployment
• C.To add a comment with the permitted FortiOS versions that can be deployed
• D.To document the FortiOS versions in the resulting topology

답을 확인하기

정답:

Question No : 10

Refer to the exhibit.



You are managing an active-passive FortiGate HA cluster in AWS that was deployed using CloudFormation. You have created a change set to examine the effects of some proposed changes to the current infrastructure. The exhibit shows some sections of the change set.
What will happen if you apply these changes?

• A.This deployment can be done without any traffic interruption.
• B.Both FortiGate VMs will get a new PhysicalResourceId.
• C.The updated FortiGate VMs will not have the latest configuration changes.
• D.CloudFormation checks if you will surpass your account quota.

답을 확인하기

정답:

Question No : 11

As part of your organization's monitoring plan, you have been tasked with obtaining and analyzing detailed information about the traffic sourced at one of your FortiGate EC2 instances.
What can you do to achieve this goal?

• A.Use AWS CloudTrail to capture and then examine traffic from the EC2 instance.
• B.Create a virtual public cloud (VPC) flow log at the network interface level for the EC2 instance.
• C.Add the EC2 instance as a target in CloudWatch to collect its traffic logs.
• D.Configure a network access analyzer scope with the EC2 instance as a match finding.

답을 확인하기

정답:

Question No : 12

Refer to the exhibit.



You are troubleshooting a Microsoft Azure SDN connector issue on your FortiGate VM in Azure.
Which command can you use to examine details about API calls sent by the connector?

• A.diag debug application cloud-connector -1
• B.diag test application azd 1
• C.diag debug application azd -1
• D.get system sdn-connector

답을 확인하기

정답:

Question No : 13

An organization is deploying FortiDevSec to enhance security for containerized applications, and they need to ensure containers are monitored for suspicious behavior at runtime.
Which FortiDevSec feature is best for detecting runtime threats?

• A.FortiDevSec software composition analysis (SCA)
• B.FortiDevSec static application security testing (SAST)
• C.FortiDevSec dynamic application security testing (DAST)
• D.FortiDevSec container scanner

답을 확인하기

정답:

Question No : 14

A Network security administrator is searching for a solution to secure traffic going in and out of the container infrastructure.
In which two ways can Fortinet container security help secure container infrastructures? (Choose two.)

• A.FortiGate NGFW can inspect north-south container traffic with label aware policies.
• B.FortiGate NGFW and FortiWeb can be used to secure container traffic.
• C.FortiGate NGFW can connect to the worker nodes and protect the containers.
• D.FortiGate NGFW can be placed between each application container for north-south traffic inspection.

답을 확인하기

정답:

Question No : 15

Refer to the exhibit.



After the initial Terraform configuration in Microsoft Azure, the terraform plan command is run.
Which two statements about running the terraform plan command are true? (Choose two.)

• A.The terraform plan command will deploy the rest of the resources except the service principle details.
• B.You cannot run the terraform apply command before the terraform plan command.
• C.The terraform plan command makes terraform do a dry run.
• D.You must run the terraform init command once, before the terraform plan command.

답을 확인하기

정답: