[May 2023] Boost Your Exam Score with Free NSE7_PBC-6.4 Exam Questions [Q17-Q42]

The latest 2023 NSE7_PBC-6.4 actual question set: PDF exam material with exam tips

Question # 17
Which two statements about Amazon Web Services (AWS) networking are correct? (Choose two.)

  • A. AWS DNS reserves the first host IP address of each subnet.
  • B. 802.1q VLAN tags are allowed inside the same virtual private cloud.
  • C. Multicast traffic is not allowed.
  • D. Proxy ARP entries are disregarded.

Correct answer: C, D

Explanation:
https://blog.ipspace.net/2018/05/amazon-web-services-networking-overview.html


Question # 18
Which two statements about Amazon Web Services (AWS) networking are correct? (Choose two.)

  • A. 802.1q VLAN tags are allowed inside the same virtual private cloud.
  • B. Proxy ARP entries are disregarded.
  • C. Multicast traffic is not allowed.
  • D. AWS DNS reserves the first host IP address of each subnet.

Correct answer: C, D


Question # 19
Which two statements about the Amazon Cloud Services (AWS) network access control lists (ACLs) are true? (Choose two.)

  • A. Network ACLs must be manually applied to virtual network interfaces.
  • B. Network ACLs support allow rules and deny rules.
  • C. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.
  • D. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.

Correct answer: B, C

Explanation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
https://aws.amazon.com/premiumsupport/knowledge-center/security-network-acl-vpc-endpoint/
Network ACLs are stateless. You must define rules for both outbound and inbound traffic.


Question # 20
An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?

  • A. The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.
  • B. The worker node migrates the subnet to a different availability zone.
  • C. The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node's private subnet interface.
  • D. The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.

Correct answer: B


Question # 21
Refer to the exhibit.

A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Web servers to the Internet. The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface.
What are two possible reasons for this behavior? (Choose two.)

  • A. The Internet gateway (IGW) is not added to VPC (virtual private cloud).
  • B. The web servers are not configured with the default gateway.
  • C. AWS security groups may be blocking the traffic.
  • D. AWS source and destination checks are enabled on the FortiGate interfaces.

Correct answer: B, C


Question # 22

Refer to the exhibit. Your senior administrator successfully configured a FortiGate fabric connector with the Azure resource manager, and created a dynamic address object on the FortiGate VM to connect with a Windows server in Microsoft Azure. However, there is now an error on the dynamic address object, and you must resolve the issue.
How do you resolve this issue?

  • A. In the Microsoft Azure portal, access the Windows server, obtain the private IP address, and assign the IP address under the FortiGate-VM AzureLab address object.
  • B. Delete the address object and recreate a new address object with the type set to FQDN.
  • C. In the Microsoft Azure portal, set the correct tag values for the Windows server.
  • D. Run diagnose debug application azd -1 on FortiGate.

Correct answer: A


Question # 23
You have been asked to develop an Azure Resource Manager infrastructure-as-code template for the FortiGate-VM that can be reused for multiple deployments. The deployment fails, and errors point to the storageAccount name.
Which two are restrictions for a storageAccount name in an Azure Resource Manager template? (Choose two.)

  • A. The uniqueString() function must be used.
  • B. The storageAccount name must use special characters.
  • C. The storageAccount name must contain between 3 and 24 alphanumeric characters.
  • D. The storageAccount name must be in lowercase.

Correct answer: C, D

Explanation:
Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep
Property values, storageAccounts name (the resource name):
* string (required)
* Character limit: 3-24
* Valid characters: Lowercase letters and numbers.
* Resource name must be unique across Azure.


Question # 24
You are deploying Amazon Web Services (AWS) GuardDuty to monitor malicious or unauthorized behaviors related to AWS resources. You will also use the Fortinet aws-lambda-guardduty script to translate feeds from AWS GuardDuty findings into a list of malicious IP addresses. FortiGate can then consume this list as an external threat feed.
Which Amazon AWS services must you subscribe to in order to use this feature?

  • A. Inspector, Shield, GuardDuty, S3, and DynamoDB.
  • B. GuardDuty, CloudWatch, S3, Inspector, WAF, and Shield.
  • C. GuardDuty, CloudWatch, S3, and DynamoDB.
  • D. WAF, Shield, GuardDuty, S3, and DynamoDB.

Correct answer: B


Question # 25
Which three properties are configurable Microsoft Azure network security group rule settings? (Choose three.)

  • A. Source and destination IP ranges
  • B. Destination port ranges
  • C. Sequence number
  • D. Source port ranges
  • E. Action

Correct answer: B, D, E


Question # 26

Refer to the exhibit. Consider an active-passive HA deployment in Microsoft Azure. The exhibit shows an excerpt from the passive FortiGate-VM node.
If the active FortiGate-VM fails, what are the results of the API calls made by the FortiGate named SSTENTAZFGT-0302? (Choose two.)

  • A. The network interface of the active unit moves to itself
  • B. SSTENTAZFGT-03-FloatingPIP public IP is assigned to NIC SSTENTAZFGT-0302-Nic-01
  • C. 172.29.32.71 is set as a next hop IP for all routes under FortigateUDR-01
  • D. SSTENTAZFGT-03-FloatingPIP is assigned to the IP configuration with the name SSTENTAZFGT-0302-Nic-01, under the network interface SSTENTAZFGT-0302-Nic-01

Correct answer: C, D


Question # 27
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?

  • A. They can create additional vNICs in the UI console.
  • B. They cannot create and add additional vNICs to an existing FortiGate-VM.
  • C. They can use the Compute Engine API Explorer.
  • D. They can create additional vNICs using the Cloud Shell.

Correct answer: C


Question # 28
You have been tasked with deploying FortiGate VMs in a highly available topology on the Amazon Web Services (AWS) cloud. The requirements for your deployment are as follows:
* You must deploy two FortiGate VMs in a single virtual private cloud (VPC), with an external elastic load balancer which will distribute ingress traffic from the internet to both FortiGate VMs in an active-active topology.
* Each FortiGate VM must have two elastic network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
* To maintain high availability, you must deploy the FortiGate VMs in two different availability zones.
How many public and private subnets will you need to configure within the VPC?

  • A. Two public subnets and two private subnets
  • B. One public subnet and two private subnets
  • C. Two public subnets and one private subnet
  • D. One public subnet and one private subnet

Correct answer: A

Explanation:
https://github.com/fortinet/aws-cloudformation-templates/blob/master/LambdaAA-RouteFailover/6.0/README
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0


Question # 29
Which statement about FortiSandbox in Amazon Web Services (AWS) is true?

  • A. FortiSandbox in AWS can have a maximum of eight virtual machines (VMs) that inspect files.
  • B. FortiSandbox in AWS uses Windows virtual machines (VMs) to inspect files.
  • C. In AWS, virtual machines (VMs) that inspect files are constantly up and running.
  • D. In AWS, virtual machines (VMs) that inspect files do not have to be reset after inspecting a file.

Correct answer: B

Explanation:
FortiSandbox deploys new EC2 instances with the custom Windows VMs, and then it sends malware, runs it, and captures the results for analysis. FortiSandbox for AWS does not need more resources because it performs management and analysis tasks only. Note that the cost varies based on the number of EC2 instances deployed, size of the instances, and duration of the running time.


Question # 30
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?

  • A. They can create additional vNICs in the UI console.
  • B. They can create additional vNICs using the Cloud Shell.
  • C. They cannot create and add additional vNICs to an existing FortiGate-VM.
  • D. They can use the Compute Engine API Explorer.

Correct answer: C

Explanation:
GCP Limitations: You cannot add or remove network interfaces from an existing VM.
https://cloud.google.com/vpc/docs/create-use-multiple-interfaces#limitations


Question # 31
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A single VPC deployment with multiple subnets
  • B. A multiple VPC deployment utilizing a transit gateway
  • C. A multiple VPC deployment utilizing a transit VPC topology
  • D. A single VPC deployment with multiple subnets and a NAT gateway

Correct answer: A, C

Explanation:
Reference: https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-aws-reference-architecture.pdf


Question # 32
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?

  • A. They can create additional vNICs in the UI console.
  • B. They cannot create and add additional vNICs to an existing FortiGate-VM.
  • C. They can use the Compute Engine API Explorer.
  • D. They can create additional vNICs using the Cloud Shell.

Correct answer: C

Explanation:
Reference: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/62d32ecf-687f-11ea-9384-00505692583a/FortiOS-6.4-GCP_Cookbook.pdf


Question # 33
An organization deploys a FortiGate-VM (VM04 / c4.xlarge) in Amazon Web Services (AWS) and configures two elastic network interfaces (ENIs). Now, the same organization wants to add additional ENIs to support different workloads in their environment.
Which action can you take to accomplish this?

  • A. Create the ENI and attach it to FortiGate.
  • B. Create the ENI, attach it to FortiGate, and then restart FortiGate.
  • C. Create the ENI, shut down FortiGate, attach the ENI to FortiGate, and then start FortiGate.
  • D. None, you cannot create and add additional ENIs to an existing FortiGate-VM.

Correct answer: C


Question # 34
You have previously deployed an Amazon Web Services (AWS) transit virtual private cloud (VPC) with a pair of FortiGate firewalls (VM04 / c4.xlarge) as your security perimeter. You are beginning to see high CPU usage on the FortiGate instances.
Which action will fix this issue?

  • A. Convert the c4.xlarge instances to m4.xlarge instances.
  • B. Convert the transit VPC firewalls into an auto-scaling group and launch additional EC2 instances in that group.
  • C. Convert from IPsec tunnels to generic routing encapsulation (GRE) tunnels, for the VPC peering connections.
  • D. Migrate the transit VPNs to new and larger instances (VM08 / c4.2xlarge).

Correct answer: B

Explanation:
Multiple FortiGate-VM instances form an Auto Scaling group to provide highly efficient clustering at times of high workloads. FortiGate-VM instances can be scaled out automatically according to predefined workload levels.
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/aws-administration-guide/397979/deploying-auto


Question # 35
What is the bandwidth limitation of an Amazon Web Services (AWS) transit gateway VPC attachment?

  • A. Up to 1.25 Gbps per attachment
  • B. Up to 10 Gbps per attachment
  • C. Up to 1 Gbps per attachment
  • D. Up to 50 Gbps per attachment

Correct answer: A

Explanation:
Reference: https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf (5)


Question # 36
Your company deploys FortiGate VM devices in high availability (HA) (active-active) mode with Microsoft Azure load balancers using the Microsoft Azure ARM template. Your senior administrator instructs you to connect to one of the FortiGate devices and configure the necessary firewall rules. However, you are not sure how to obtain the correct public IP address of the deployed FortiGate VM and identify the access ports.
How do you obtain the public IP address of the FortiGate VM and identify the correct ports to access the device?

  • A. In the configured load balancer, access the inbound and outbound NAT rules section.
  • B. In the configured load balancer, access the backend pools section.
  • C. In the configured load balancer, access the health probes section.
  • D. In the configured load balancer, access the inbound NAT rules section.

Correct answer: A


Question # 37
Refer to the exhibit.

You are configuring an active-passive FortiGate clustering protocol (FGCP) HA configuration in a single availability zone in Amazon Web Services (AWS), using a cloud formation template.
After deploying the template, you notice that the AWS console has IP information listed in the FortiGate VM firewalls in the HA configuration. However, within the configuration of FortiOS, you notice that port1 is using an IP of 10.0.0.13, and port2 is using an IP of 10.0.1.13.
What should you do to correct this issue?

  • A. Configure FortiOS to use static IP addresses with the IP addresses reflected in the ENI primary IP address configuration (as per the exhibit).
  • B. Nothing, in AWS cloud, it is normal for a FortiGate ENI primary IP address to be different than the FortiOS IP address configuration.
  • C. Delete the deployment and start again. You have input the wrong parameters during the cloud formation template deployment.
  • D. Configure FortiOS to use DHCP so that it will get the correct IP addresses on the ports.

Correct answer: D


Question # 38
Refer to the exhibit.

In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?

  • A. Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.
  • B. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.
  • C. Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.
  • D. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.

Correct answer: A


Question # 39
When configuring the FortiCASB policy, which three configuration options are available? (Choose three.)

  • A. Intrusion prevention policies
  • B. Data loss prevention policies
  • C. Threat protection policies
  • D. Antivirus policies
  • E. Compliance policies

Correct answer: B, C, E

Explanation:
Policy setting allows you to configure each policy to fit the need of your usage. You can select any type of Policy (Data Analysis, Threat Protection or Compliance).
https://docs.fortinet.com/document/forticasb/20.1.0/online-help/482958/policy-configuration


Question # 40
Refer to the exhibit.

Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)

  • A. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
  • B. Configure VNet peering between the hub and spokes.
  • C. Configure VNet peering between the spokes only.
  • D. Use ExpressRoute to interconnect the hub VNets and spoke VNets.

Correct answer: B, D


Question # 41
Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)

  • A. Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
  • B. Define a default route where the next hop IP is the FortiGate WAN interface
  • C. Configure a user-defined route table
  • D. Configure the gateway subnet as the subnet in the user-defined route table
  • E. Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute

Correct answer: B, D, E

Explanation:
https://docs.microsoft.com/en-us/answers/questions/618005/adding-a-inline-fw-to-express-route.html


Question # 42
......
