NSE7_PBC-7.2 Fortinet NSE 7 Public Cloud Security 7.2 (FCSS) Questions and Answers

The correct answer is C. Use FortiWebCloud.

FortiWebCloud is a SaaS cloud-based web application firewall (WAF) that protects public cloud hosted web applications from the OWASP Top 10, zero day threats, and other application layer attacks1.FortiWebCloud also includes robust features such as API discovery and protection, bot mitigation, threat analytics, and advanced reporting2.FortiWebCloud supports multiple regions across the world, and you can choose the region that is closest to your applications to minimize traffic cost3.

The other options are incorrect because:

• FortiADC is an application delivery controller that provides load balancing, acceleration, and security for web applications.It is not a dedicated WAF solution and does not offer the same level of protection as FortiWebCloud4.
• FortiCNP is a cloud-native platform that provides security and visibility for containerized applications.It is not a WAF solution and does not protect web applications from the OWASP Top 10 vulnerabilities5.
• FortiGate is a next-generation firewall (NGFW) that provides network security and threat prevention. It is not a WAF solution and doesnot offer the same level of protection as FortiWebCloud for web applications.It also requires additional configuration and management to deploy in the public cloud6.

1:Overview | FortiWeb Cloud 23.3.0 - Fortinet Documentation2:Web Application Firewall (WAF) & API Protection | Fortinet3: [FortiWeb Cloud WAF-as-a-Service | Fortinet]4: [Application Delivery Controller (ADC) | Fortinet]5: [Fortinet Cloud Native Platform | Fortinet]6: [FortiGate Next-Generation Firewall (NGFW) | Fortinet]

In this scenario, the issue is caused by the Azure service principle account nothaving a contributor role. This is required for the FortiGate HA floating IP to work properly. Without this role, the new primary device will not have the previous primary device floating IP address after failover. References: Fortinet Public Cloud Security knowledge source documents or study guide.

https://docs.fortinet.com/product/fortigate-public-cloud/7.2

The correct answer is C and D. FortiGate NGFW can inspect north-south container traffic with label aware policies and FortiGate NGFW and FortiSandbox can be used to secure container traffic.

According to the Fortinet documentation for container security1, FortiGate NGFW can provide the following benefits for securing container infrastructure:

• It can inspect north-south traffic between containers and external networks using label aware policies, which allow for dynamic policy enforcement based on Kubernetes labels and metadata.
• It can integrate with FortiSandbox to provide advanced threat protection for container traffic, by sending suspicious files or URLs to a cloud-based sandbox for analysis and detection.
• It can leverage FortiGuard Security Services to provide real-time threat intelligence and updates for container traffic, such as antivirus, web filtering, IPS, and application control.

The other options are incorrect because:

• FortiGate NGFW cannot be placed between each application container for north-south traffic inspection, as this would create unnecessary complexity and overhead. Instead, FortiGate NGFW can be deployed at the edge of the container network or as a sidecar proxy to inspect traffic at the ingress and egress points.
• FortiGate NGFW cannot connect to the worker node and protect the container, as this would not provide sufficient visibility and control over the container traffic. Instead, FortiGate NGFW can leverage the native Kubernetes APIs and services to monitor and secure the container traffic.

1:Fortinet Documentation Library - Container Security

Securing container environments from newly emerged security threats involves employing specific security mechanisms tailored to the technology and structure of containers. In this context, the use of Docker-related application control signatures (Option D) is critical for effectively managing and mitigating threats in containerized environments.

• Docker-Specific Threats:Docker containers, being a prevalent form of container technology, are targeted by various security threats, including those that exploit vulnerabilities specific to the Docker environment and runtime. Using Docker-related application control signatures means implementing security measures that are specifically designed to detect and respond to anomalies and threats that are unique to Docker containers.
• Application Control Signatures:These are sets of definitions that help identify and block potentially malicious activities within application traffic. By focusing on Docker-related signatures, administrators can ensure that the security tools are finely tuned to the operational specifics of Docker containers, thereby providing a robust defense against exploits that target container-specific vulnerabilities.

References:The recommendation to use Docker-related application control signatures is based on best practices for securing container environments, emphasizing the need for specialized security measures that address the unique challenges posed by container technologies.

A. All the output values are available after a successful terraform apply command. This means that after the deployment, you can view the output values by running terraform output or terraform show in the same directory where you ran terraform apply1. You can also use the output values in other Terraform configurations or external systems by using the terraform output command with various options2. B. The subnet_private_1 value is defined in the variables.tf file. This means that the subnet_private_1 value is an input variable that can be customized by passing a different value when running terraform apply or by setting an environment variable3. The variables.tf file is where you declare all the input variables for your Terraform configuration4.

The other options are incorrect because:

• After the deployment, Terraform output values are not visible only through AWS CloudShell. You can access them from any shell or terminal where you have Terraform installed and configured with your AWS credentials.
• You do not need to specify all the AWS credentials in the output.tf file. The output.tf file is where you declare all the output values for your Terraform configuration4. You can specify your AWS credentials in a separate file, such as provider.tf, or use environment variables or shared credentials files. References:
• Output Values - Configuration Language | Terraform - HashiCorp Developer
• Command: output - Terraform by HashiCorp
• Input Variables - Configuration Language | Terraform - HashiCorp Developer
• Configuration Language | Terraform - HashiCorp Developer

• Simplified and Scalable Connectivity: Transit Gateway Connect allows you to establish GRE tunnels to your SD-WAN appliances natively within the AWS network. This eliminates the complexity of managing individual IPsec VPN connections, especially as your cloud presence grows.
• Potential for Enhanced Performance: GRE offers lower overhead compared to IPsec, which can result in higher throughput for bandwidth-intensive SD-WAN applications.
• Flexibility: While IPsec is supported for scenarios requiring strong encryption, the focus on GRE highlights the performance and scalability benefits that are often prioritized when integrating SD-WAN with AWS.
• Dynamic Routing: The integration with BGP further streamlines network management by automating route updates and distribution.

Addressing the IPsec Consideration:

It's important to acknowledge that SD-WAN Transit Gateway Connect does support IPsec. If your question is specifically framed within the context of Fortinet's FCSS 7.2 materials and they emphasize the hybrid usage of GRE and IPsec, then a modified answer might be appropriate:

For deploying a FortiGate VM using Terraform in AWS, the administrator must use:

B.Use the Name of the key pair.

• Terraform and AWS SSH Keys:When deploying instances in AWS using Terraform, it is required to specify the name of the SSH key pair to enable key-based authentication to the instance post-deployment.
• Configuration Syntax:The variablekeynamewithin the Terraform configuration should match the exact name of the SSH key pair as it is stored in AWS. This ensures that Terraform can reference the correct key during the deployment process to set up SSH access to the FortiGate VM.
• Terraform Variables:Thevariable "keyname"block in the Terraform configuration will look for the key pair name as it should be declared in theterraform.tfvarsfile or passed as a variable during execution. This does not require the key pair's ID or fingerprint, just its name.

References:The need for the SSH key pair's name in Terraform configurations for AWS deployments is outlined in the Terraform AWS Provider documentation, which specifies how resources should be provisioned using Terraform.

A VPC attachment is the type of attachment that allows you to connect a VPC to a TGW and advertise routes through BGP. A VPC attachment creates a VPN connection between the VPC and the TGW, and enables dynamic routing with BGP. A connect attachment is used to connect a VPN or Direct Connect gateway to a TGW. A route attachment is not a valid type of attachment for TGW. A GRE attachment is used to connect a FortiGate device to a TGW using GRE tunnels. References:

• Creating the TGW and related resources
• Configuring TGW route tables
• FortiGate Public Cloud 7.2.0 - Fortinet Documentation
• Updating the route table and adding an IAM policy

To get Terraform ready using Microsoft Azure Cloud Shell, you need to perform the following steps:

• Set up a storage account in Azure. This is required to store the Terraform state file in a blob container, which enables collaboration and persistence of the infrastructure configuration1.
• Use the wget (terraform_version) command to upload Terraform. This command downloads the latest version of Terraform from the official website and saves it as a zip file in the current directory2.
• Move the Terraform file to the bin directory. This step extracts the Terraform executable from the zip file and moves it to the bin directory, which is part of the PATH environment variable. This allows you to run Terraform commands from any directory in Cloud Shell2.

The other options are incorrect because:

• You do not need to use the -O command to download Terraform. This command is used to specify a different output file name for the downloaded file, but it is not necessary for this task3.
• You do not need to subscribe to Terraform in Azure. Terraform is an open-source tool that can be used with any cloud provider, and there is no subscription or registration required to use it with Azure4. References:
• Updating the route table and adding an IAM policy
• Configure Terraform in Azure Cloud Shell with Bash
• wget(1) - Linux man page
• Terraform by HashiCorp

To configure a FortiGate VM to add to FortiCNP, you need to perform three steps on FortiGate:

• Enable send logs in FortiGate to allow FortiCNP to receive the IPS logs from FortiGate.
• Create an SSL/SSH inspection profile on FortiGate to inspect the encrypted traffic and apply IPS protection.
• Create an IPS sensor and a firewall policy on FortiGate to enable IPS detection and prevention for the traffic.

References:

• FortiCNP 22.4.a Administration Guide, page 22-24
• FortiGate IPS Administration Guide, page 9-10

B. Add route destination 0.0.0.0/0 to target the transit gateway. This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs1. The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model2. D. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway. This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located3. An internet gateway is a service that enables communication between your VPC and the internet4. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources. E. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC. This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located3. This is an alternative solution to option D, depending on which subnet you want to use for the FortiGate VM.

The other options are incorrect because:

• Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet1. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.
• Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC1. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.

The Azure SDN connector uses two types of queries to interact with the Azure management API. The first query is targeted to a special IP address to get a token. This token is used to authenticate the subsequent queries. The second type of query is used to retrieve information about the Azure resources, such as virtual machines, network interfaces, network security groups, and public IP addresses. Some queries are made to manage public IP addresses, such as assigning or releasing them from the FortiGate VM. References: Configuring an SDN connector in Azure, Azure SDN connector using service principal, Troubleshooting Azure SDN connector

The statement that best describes the concept of immutable infrastructure in the context of automation is:

A. It is the practice of deploying a new server for every configuration change.

• Immutable Infrastructure Concept:This approach to infrastructure management involves replacing servers or components entirely rather than making changes to existing configurations once they are deployed. When a change is needed, a new server instance is provisioned with the desired configuration and the old one is decommissioned after the new one is successfully deployed and tested.
• Benefits:Immutable infrastructure minimizes the risks associated with in-place updates, such as inconsistencies or failures due to configuration drift. It enhances reliability and predictability by ensuring that the deployed environment matches exactly what was tested in staging. Thispractice is particularly aligned with modern deployment strategies like blue/green or canary deployments.

References:The concept of immutable infrastructure is widely discussed in DevOps and cloud computing literature as a method to increase consistency and fault tolerance in automated environments.

Network ACLs are stateless, and they evaluate each packet separately based on the rules that you define. The rules are processed in order, starting with the lowest numbered rule1. If the traffic matches a rule, the rule is applied and no further rules are evaluated1. Therefore, if you want to allow SSH traffic to a subnet, you must create a new allow SSH rule above rule number 5, which denies SSH and telnet traffic. Otherwise, the deny rule will take precedence and block the SSH traffic.

The other options are incorrect because:

• Creating a new allow SSH rule below rule number 5 will not allow SSH traffic, because the deny rule will be evaluated first and block the traffic.
• Creating a new allow SSH rule anywhere in the network ACL rule base will not guarantee that SSH traffic will be allowed, because it depends on the order of the rules. If the allow SSH rule is below the deny rule, it will not be effective.
• You cannot rely on the default security group rule to allow SSH traffic to the subnet, because network ACLs act as an additional layer of security for your VPC. Even if your security group allows SSH traffic, your network ACL must also allow it. Otherwise, the traffic will be blocked at the subnet level.