NSE7_PBC-7.2練習テスト問題は更新された91問題あります
Fortinet NSE7_PBC-7.2問題集で一発合格できる問題を試そう!
質問 # 53
Which three properties are configurable Microsoft Azure network security group rule settings?
(Choose three.)
- A. Destination port ranges
- B. Sequence number
- C. Source and destination IP ranges
- D. Source port ranges
- E. Action
正解:A、D、E
解説:
Under "Default security rules" we read source, destination, source port, destination port and access. However under "Security rules" we read action, port ranges and source and destination, and essentially Options A, C, D and E are valid are those parameters can be configured.
質問 # 54
Which two statements are true about Transit Gateway Connect peers in anlPv4 BGP configuration'? (Choose two.)
- A. You must configure the second address from the IPv4 range on the device as the BGP IP address
- B. You must specify a /29CIDR block from the 169.254.0.0/16 range
- C. You cannot use IPv6 addresses
- D. The inside CIDR blocks are used for BGP peering
正解:B、D
解説:
For Transit Gateway Connect peers in an IPv4 BGP configuration, the correct statements are:
* The inside CIDR blocks are used for BGP peering (Option A):In a BGP configuration for Transit Gateway Connect, the inside CIDR blocks, typically within the 169.254.0.0/16 range, are designated for the BGP peering connections. These blocks are reserved for internal network protocols and are commonly used in AWS for automatic IP address assignment within managed networking services.
* You must specify a /29 CIDR block from the 169.254.0.0/16 range (Option C):It is a requirement to specify a /29 CIDR block within the 169.254.0.0/16 range for setting up the network interfaces that facilitate BGP peering. This specific range allows for the necessary number of IP addresses to establish BGP sessions effectively between the transit gateway and on-premises or other virtual appliances.
References:These practices are in line with AWS guidelines for Transit Gateway Connect, which stipulate the use of specified CIDR blocks for internal networking and BGP configurations, ensuring seamless connectivity and routing management.
質問 # 55
Refer to the exhibit. You deployed an HA active-passive FortiGate VM in Microsoft Azure.
Which two statements regarding this particular deployment are true? (Choose two.)
- A. Use the vdom-excepticn command to synchronize the configuration.
- B. There is no SLA for API calls from Microsoft Azure.
- C. By default, the configuration does not synchromze between the primary and secondary devices.
- D. During the failover, the passive FortiGate issues API calls to Azure
正解:C、D
解説:
A is correct because in this deployment, the passive FortiGate issues API calls to Azure to update the routing table and the public IP address of the active FortiGate. This way, the traffic is redirected to the new active FortiGate after a failover.
B is incorrect because the vdom-exception command is used to exclude specific VDOMs from being synchronized in an HA cluster. This command is not related to this deployment scenario.
C is incorrect because Microsoft Azure does provide an SLA for API calls. According to the Azure Service Level Agreements, the API Management service has a monthly uptime percentage of at least 99.9% for the standard tier and higher.
D is correct because by default, the configuration is not synchronized between the primary and secondary devices in this deployment. The administrator needs to manually enable configuration synchronization on both devices. Alternatively, the administrator can use FortiManager to manage and synchronize the configuration of both devices.
質問 # 56
What are three important steps required to get Terraform ready using Microsoft Azure Cloud Shell? (Choose three.)
- A. Use the wget (te=aform vession) command to upload Terraform.
- B. use the -O command to download Terraform.
- C. Set up a storage account in Azure.
- D. Move the Terraform file to the bin directory.
- E. Subscribe to Terraform in Azure.
正解:A、C、D
解説:
To get Terraform ready using Microsoft Azure Cloud Shell, you need to perform the following steps:
* Set up a storage account in Azure. This is required to store the Terraform state file in a blob container, which enables collaboration and persistence of the infrastructure configuration1.
* Use the wget (terraform_version) command to upload Terraform. This command downloads the latest version of Terraform from the official website and saves it as a zip file in the current directory2.
* Move the Terraform file to the bin directory. This step extracts the Terraform executable from the zip file and moves it to the bin directory, which is part of the PATH environment variable. This allows you to run Terraform commands from any directory in Cloud Shell2.
The other options are incorrect because:
* You do not need to use the -O command to download Terraform. This command is used to specify a different output file name for the downloaded file, but it is not necessary for this task3.
* You do not need to subscribe to Terraform in Azure. Terraform is an open-source tool that can be used with any cloud provider, and there is no subscription or registration required to use it with Azure4. References:
* Updating the route table and adding an IAM policy
* Configure Terraform in Azure Cloud Shell with Bash
* wget(1) - Linux man page
* Terraform by HashiCorp
質問 # 57
Refer to the exhibit
You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS).
You examined the variables.tf file.
What will be the final result after running the terraform init and terraform apply commands?
- A. Terraform will deploy a FortiGate VM in the eu-West-1a region with two subnets and byol license.
- B. Terraform will deploy a FortiGate VM in the eu-West-Ia region without any subnets.
- C. Terraform will deploy a FortiGate VM in the eu-West-Ia region with private and public subnets.
- D. Terraform will not deploy a FortiGate VM
正解:C
解説:
Explanation
The variables.tf file shows that the FortiGate VM will be deployed in the eu-West-Ia region with private and public subnets. The region variable is set to "eu-west-1" and the availability_zone variable is set to
"eu-west-1a". The vpc_id variable is set to "vpc-0e9d6a6f" and the subnets variable is set to a list of two subnet IDs: "subnet-0f9d6a6f" and "subnet-1f9d6a6f". The license_type variable is set to "on-demand" and the ami_id variable is set to "ami-0e9d6a6f".
References:
https://docs.fortinet.com/document/fortigate/6.4.0/aws-cookbook/236478/deploying-fortigate-vm-on-aws-using-t
質問 # 58
You are troubleshooting an Azure SDN connectivity issue with your FortiGate VM.
Which two queries does that SDN connector use to interact with the Azure management API?
(Choose two.)
- A. Some queries are made to manage public IP addresses.
- B. The first query is targeted to a special IP address to get a token.
- C. There is only one query initiating from FortiGate port1 -
- D. The first query is targeted to IP address 8.8
正解:A、B
解説:
The Azure SDN connector uses two types of queries to interact with the Azure management API.
The first query is targeted to a special IP address to get a token. This token is used to authenticate the subsequent queries. The second type of query is used to retrieve information about the Azure resources, such as virtual machines, network interfaces, network security groups, and public IP addresses. Some queries are made to manage public IP addresses, such as assigning or releasing them from the FortiGate VM.
質問 # 59
Refer to the exhibit
Consider the active-active load balance sandwich scenario in Microsoft Azure.
What are two important facts in the active-active load balance sandwich scenario? (Choose two )
- A. It is recommended to enable NAT on FortiGate policies.
- B. It uses the FGCP protocol
- C. It supports session synchronization for handling asynchronous traffic.
- D. It uses the vdom-exception command to exclude the configuration from being synced
正解:A、C
解説:
B: It is recommended to enable NAT on FortiGate policies. This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets1. If NAT is not enabled, the source IP address of the packets will be the same as the load balancer's frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues1. Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing1. D. It supports session synchronization for handling asynchronous traffic. This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session2. For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table2. This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors.
The other options are incorrect because:
* It does not use the vdom-exception command to exclude the configuration from being synced. The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group3. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname.
* It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.
質問 # 60
In an SD-WAN TGW Connect topology, which three initial steps are mandatory when routing traffic from a spoke VPC to a security VPC through a Transit Gateway? (Choose three.)
- A. From the spoke VPC internal routing table, point 0.0.0.0/0 traffic to the TGW
- B. From both spoke VPCs and the security VPC, point 0.0.0.0/0 traffic to the Internet Gateway
- C. From the security VPC TGW subnet routing table: point 0.0.0.0/0 traffic to the FortiGate internal port
- D. From the security VPC TGW subnet routing table: point 0.0.0.0/0 traffic to the TGW
- E. From the security VPC FortiGate internal subnet routing table, point 0.0.0.0/0 traffic to the TGW
正解:A、C、E
解説:
Spoke VPC Routing: The 0.0.0.0/0 (default) route in the spoke VPC must point to the Transit Gateway attachment for traffic to reach other VPCs or external destinations. Security VPC Routing: Traffic from the security VPC needs to pass through the FortiGate for inspection and security controls. Therefore, the 0.0.0.0/0 route in the security VPC's TGW subnet routing table must point to the FortiGate's internal port. FortiGate Routing: The FortiGate's internal subnet must have its 0.0.0.0/0 route configured to point to the Transit Gateway attachment, allowing traffic to be returned to other VPCs or reach the internet.
In an SD-WAN TGW Connect topology, when routing traffic from a spoke VPC to a security VPC through a Transit Gateway, the mandatory initial steps include:
From the spoke VPC internal routing table, point 0.0.0.0/0 traffic to the TGW (Option A): This step is crucial for ensuring that all traffic from the spoke VPC destined for external networks is directed through the Transit Gateway, allowing for centralized management and security inspection.
From the security VPC TGW subnet routing table: point 0.0.0.0/0 traffic to the FortiGate internal port (Option B): Routing all traffic from the TGW subnet in the security VPC to the FortiGate's internal port ensures that traffic is subjected to the necessary security policies and inspections provided by the FortiGate appliance before it proceeds to other destinations or returns to the spoke VPCs.
From the security VPC FortiGate internal subnet routing table, point 0.0.0.0/0 traffic to the TGW (Option D): This configuration ensures that traffic returning from the security processes handled by the FortiGate is routed back through the Transit Gateway, maintaining the integrity of the secure transit path and ensuring proper routing back to the originating spoke or onward to the internet.
質問 # 61
Refer to the exhibit. Which two conditions will enable you to segregate and secure the traffic between the hub and the spokes in Microsoft Azure? (Choose two.)
- A. Use ExpressRoute to interconnect the hub VNets and spoke VNets.
- B. Implement the FortiGate-VM network virtual appliance (NVA) in the hub and use user-defined routes (UDRs) in the spokes.
- C. Configure VNet peering between the spokes only.
- D. Configure VNet peering between the hub and spokes.
正解:B、D
質問 # 62
An administrator is looking for a solution that can provide insight into users and data stored in major SaaS applications in the multicloud environment Which product should the administrator deploy to have secure access to SaaS applications?
- A. FortiProxy
- B. FortiSandbox
- C. FortiWeb
- D. ForliCASB
正解:D
解説:
For administrators seeking to gain insights into user activities and data within major SaaS applications across multicloud environments, deploying FortiCASB (Cloud Access Security Broker) is the most effective solution (Option C).
Role of FortiCASB: FortiCASB is specifically designed to provide security visibility, compliance, data security, and threat protection for cloud-based services. It acts as a mediator between users and cloud service providers, offering deep visibility into the operations and data handled by SaaS applications.
Capabilities of FortiCASB: This product enables administrators to monitor and control the access and usage of SaaS applications. It helps in assessing security configurations, tracking user activities, and evaluating data movement across the cloud services. By doing so, it assists organizations in enforcing security policies, detecting anomalous behaviors, and ensuring compliance with regulatory standards.
Integration and Functionality: FortiCASB integrates seamlessly with major SaaS platforms, providing a centralized management interface that allows for comprehensive analysis and real- time protection measures. This integration ensures that organizations can maintain control over their data across various cloud services, enhancing the overall security posture in a multicloud environment.
質問 # 63
You are automating configuration changes on one of the FortiGate VMS using Linux Red Hat Ansible.
How does Linux Red Hat Ansible connect to FortiGate to make the configuration change?
- A. It uses YAML
- B. It uses a FortiGate internal or external IP address with TCP port 21
- C. It uses an API.
- D. It uses SSH as a connection method to FortiOS.
正解:C
解説:
Ansible connects to FortiGate using an API, which is a method of communication between different software components. Ansible uses the fortios_* modules to interact with the FortiOS API, which is a RESTful API that allows configuration and monitoring of FortiGate devices.
Ansible can use either HTTP or HTTPS as the transport protocol, and can authenticate with either a username and password or an API token.
質問 # 64
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate- VM to support different workloads in their environment.
How can they do this?
- A. They can create additional vNICs using the Cloud Shell.
- B. They cannot create and add additional vNICs to an existing FortiGate-VM.
- C. They can use the Compute Engine API Explorer.
- D. They can create additional vNICs in the UI console.
正解:B
解説:
GCP Limitations: You cannot add or remove network interfaces from an existing VM.
質問 # 65
Refer to the exhibit.
You deployed an HA active-active load balance sandwich with two FortiGate VMs in Microsoft Azure.
After the deployment, you prefer to use FGSP to synchronize sessions, and allow asymmetric return traffic In the environment, FortiGate port 1 and port 2 are facing external and internal load balancers respectively What IP address must you use in the peerip configuration?
- A. The public load balancer port 2 IP address
- B. The opposite FortiGate port 2 IP address.
- C. The opposite FortiGate port 1 IP address.
- D. The internal load balancer port 1 IP address.
正解:B
解説:
HA Synchronization Requirements: FGSP requires direct communication between the FortiGates to synchronize the session table. This synchronization typically occurs over a dedicated HA link that connects the HA pair.
Asymmetric Traffic Considerations: FGSP allows asymmetric traffic to rejoin the correct session by synchronizing session information, including NAT and TCP sequence tracking between the FortiGate units in a cluster.
Configuration Specifics: For port 2, which is facing the internal load balancer, the peerip should be set to the corresponding port 2 IP address of the opposite FortiGate. This allows the internal interfaces to communicate directly with each other for session synchronization purposes, which is crucial in an active-active deployment to ensure sessions persist during failover scenarios.
Explanation:
In an HA active-active load balance configuration with FortiGate VMs, especially in Microsoft Azure where FGSP (FortiGate Session Life Support Protocol) is used for session synchronization, the correct configuration for the peerip is:
質問 # 66
Refer to the exhibit
Consider the active-active load balance sandwich scenario in Microsoft Azure.
What are two important facts in the active-active load balance sandwich scenario? (Choose two )
- A. It is recommended to enable NAT on FortiGate policies.
- B. It uses the FGCP protocol
- C. It supports session synchronization for handling asynchronous traffic.
- D. It uses the vdom-exception command to exclude the configuration from being synced
正解:A、C
解説:
Explanation
B: It is recommended to enable NAT on FortiGate policies. This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets1. If NAT is not enabled, the source IP address of the packets will be the same as the load balancer's frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues1. Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing1. D. It supports session synchronization for handling asynchronous traffic. This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session2. For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table2. This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors.
The other options are incorrect because:
It does not use the vdom-exception command to exclude the configuration from being synced. The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group3. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname.
It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.
質問 # 67
What is the main advantage of using SD-WAN Transit Gateway Connect over traditional SD-WAN?
- A. You can use BGP over IPsec for maximum throughput
- B. You can combine it with IPsec to achieve higher bandwidth
- C. You can use GRE-based tunnel attachments
- D. It eliminates the use of ECMP
正解:C
質問 # 68
How does the immutable infrastructure strategy work in automation?
- A. It runs one idle and a single live environment for configuration changes.
- B. It runs two live environments for configuration changes.
- C. It runs one idle and two live environments for configuration changes.
- D. It runs a single live environment for configuration changes.
正解:B
解説:
Immutable infrastructure is a DevOps approach that emphasizes the creation of disposable resources instead of modifying existing ones. This approach helps to achieve stability, consistency, and predictability in IT operations by reducing the risk of configuration drift and eliminating stateful components.
One way to implement immutable infrastructure is to use a blue-green deployment strategy, which runs two live environments for configuration changes. The blue environment is the current production environment, while the green environment is the new version of the application or service. When the green environment is ready, the traffic is switched from blue to green, and the blue environment is destroyed or kept as a backup. This way, there is no need to update or patch the existing infrastructure, but rather replace it with a new one.
質問 # 69
Refer to the exhibit
In your Amazon Web Services (AWS), you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful.
Also, you must ensure that the Customer VPC FortiGate VM sends all the outbound Internet traffic through the Security VPC How do you correct this Issue with minimal configuration changes?
(Choose three.)
- A. Add a route With your local internet public IP address as thedestination and target transit gateway
- B. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway
- C. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC,
- D. Add route destination 0 0.0 0/0 to target the transit gateway
- E. Add a route With your local internet public IP address as the destination and target internet gateway
正解:B、C、D
解説:
Explanation
B: Add route destination 0.0.0.0/0 to target the transit gateway. This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs1. The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model2. D. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway. This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located3. An internet gateway is a service that enables communication between your VPC and the internet4. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources. E. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC. This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located3. This is an alternative solution to option D, depending on which subnet you want to use for the FortiGate VM.
The other options are incorrect because:
Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet1. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.
Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC1. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet1.
質問 # 70
Refer to the exhibit
You are tasked with deploying a webserver and FortiGate VMS in AWS_ You are using Terraform to automate the process Which two important details should you know about the Terraform files? (Choose two.)
- A. All the output values are available after a successful terraform apply command
- B. You must specify all the AWS credentials in the output. of file.
- C. The subnet_private 1 value is defined in the variables . tf file
- D. After the deployment, Terraform output values are visible only through AWS CloudShell.
正解:A、C
解説:
Explanation
A: All the output values are available after a successful terraform apply command. This means that after the deployment, you can view the output values by running terraform output or terraform show in the same directory where you ran terraform apply1. You can also use the output values in other Terraform configurations or external systems by using the terraform output command with various options2. B. The subnet_private_1 value is defined in the variables.tf file. This means that the subnet_private_1 value is an input variable that can be customized by passing a different value when running terraform apply or by setting an environment variable3. The variables.tf file is where you declare all the input variables for your Terraform configuration4.
The other options are incorrect because:
After the deployment, Terraform output values are not visible only through AWS CloudShell. You can access them from any shell or terminal where you have Terraform installed and configured with your AWS credentials.
You do not need to specify all the AWS credentials in the output.tf file. The output.tf file is where you declare all the output values for your Terraform configuration4. You can specify your AWS credentials in a separate file, such as provider.tf, or use environment variables or shared credentials files. References:
Output Values - Configuration Language | Terraform - HashiCorp Developer Command: output - Terraform by HashiCorp Input Variables - Configuration Language | Terraform - HashiCorp Developer Configuration Language | Terraform - HashiCorp Developer
質問 # 71
Refer to the exhibit
You are deploying two FortiGate VMS in HA active-passive mode with load balancers in Microsoft Azure Which two statements are true in this load balancing scenario? (Choose two.)
- A. The FortiGate public IP is the next-hop for all the traffic.
- B. You must add a route to the Microsoft VIP used for the health check.
- C. A dedicated management interface can be used for load balancing.
- D. An internal load balancer listener is the next-hop for outgoing traffic.
正解:C、D
解説:
* A is incorrect because the FortiGate public IP is not the next-hop for all the traffic. The FortiGate public IP is only used for incoming traffic from the internet. The Azure load balancer distributes the incoming traffic to the active FortiGate VM based on a health probe123. The FortiGate public IP is not used for outgoing traffic or internal traffic.
* B is correct because an internal load balancer listener is the next-hop for outgoing traffic. The internal load balancer listener is configured with a floating IP address that is assigned to the active FortiGate VM. The internal load balancer listener also has a health probe to monitor the status of the FortiGate VMs123. The internal load balancer listener forwards the outgoing traffic to the internet through the public load balancer.
* C is incorrect because you do not need to add a route to the Microsoft VIP used for the health check. The Microsoft VIP is an internal IP address that is used by the Azure load balancer to send health probes to the FortiGate VMs123. The Microsoft VIP is not reachable from outside the Azure network and does not require any routing configuration on the FortiGate VMs.
* D is correct because a dedicated management interface can be used for load balancing. In this deployment, port4 is used as a dedicated management interface that connects to the management network3. The dedicated management interface can be used to access the FortiGate VMs for configuration and monitoring purposes. The dedicated management interface can also be used to synchronize the configuration and session information between the primary and secondary devices in an HA cluster2.
質問 # 72
Which two statements are true about Transit Gateway Connect peers in anlPv4 BGP configuration'? (Choose two.)
- A. You must configure the second address from the IPv4 range on the device as the BGP IP address
- B. You must specify a /29CIDR block from the 169.254.0.0/16 range
- C. You cannot use IPv6 addresses
- D. The inside CIDR blocks are used for BGP peering
正解:B、D
解説:
For Transit Gateway Connect peers in an IPv4 BGP configuration, the correct statements are:
The inside CIDR blocks are used for BGP peering (Option A): In a BGP configuration for Transit Gateway Connect, the inside CIDR blocks, typically within the 169.254.0.0/16 range, are designated for the BGP peering connections. These blocks are reserved for internal network protocols and are commonly used in AWS for automatic IP address assignment within managed networking services.
You must specify a /29 CIDR block from the 169.254.0.0/16 range (Option C): It is a requirement to specify a /29 CIDR block within the 169.254.0.0/16 range for setting up the network interfaces that facilitate BGP peering. This specific range allows for the necessary number of IP addresses to establish BGP sessions effectively between the transit gateway and on-premises or other virtual appliances.
質問 # 73
Refer to the exhibit
An administrator deployed a FortiGate-VM in a high availability (HA)
(active/passive) architecture in Amazon Web Services (AWS) using Terraform for testing purposes. At the same time, the administrator deployed a single Linux server using AWS Marketplace Which two options are available for the administrator to delete all the resources created in this test? (Choose two.)
- A. The administrator must manually delete the Linux server.
- B. Use the terraform destroy all command.
- C. Use the terraform destroy command
- D. Use the terraform validate command.
正解:A、C
解説:
Explanation
A: Use the terraform destroy command. This command is used to remove all the resources that were created using the Terraform configuration1. It is the opposite of the terraform apply command, which is used to create resources. The terraform destroy command will first show a plan of what resources will be destroyed, and then ask for confirmation before proceeding. The command will also update the state file to reflect the changes. D.
The administrator must manually delete the Linux server. This is because the Linux server was not deployed using Terraform, but using AWS Marketplace2. Therefore, Terraform does not have any information about the Linux server in its state file, and cannot manage or destroy it. The administrator will have to use the AWS console or CLI to delete the Linux server manually.
The other options are incorrect because:
There is no terraform validate command. The correct command is terraform plan, which is used to show a plan of what changes will be made by applying the configuration3. However, this command does not delete any resources, it only shows what will happen if terraform apply or terraform destroy is run.
There is no terraform destroy all command. The correct command is terraform destroy, which will destroy all the resources in the current configuration by default1. There is no need to add an all argument to the command.
質問 # 74
......
Fortinet NSE7_PBC-7.2試験問題集で[2025年最新] 練習有効な試験問題集解答:https://www.jpntest.com/shiken/NSE7_PBC-7.2-mondaishu
NSE7_PBC-7.2問題集を掴み取れ![最新2025]Fortinet試験が合格できます:https://drive.google.com/open?id=1UoYuEKH2xUlWTrB92jrlXvyRXlaW2nEM