[Dec-2023 Newly Released] NSE7_PBC-6.4 Dumps for NSE 7 Network Security Architect Certified [Q13-Q37]

NEW QUESTION # 13
Refer to the exhibit.

In your Amazon Web Services (AWS) virtual private cloud (VPC), you must allow outbound access to the internet and upgrade software on an EC2 instance, without using a NAT instance. This specific EC2 instance is running in a private subnet: 10.0.1.0/24.
Also, you must ensure that the EC2 instance source IP address is not exposed to the public internet. There are two subnets in this VPC in the same availability zone, named public (10.0.0.0/24) and private (10.0.1.0/24).
How do you achieve this outcome with minimum configuration?

  • A. Deploy a NAT gateway with an EIP in the private subnet, edit route tables, select Private-route, and add a new route destination 0.0.0.0/0 to the target internet gateway.
  • B. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Public-route, and delete the route destination 10.0.0.0/16 to target local.
  • C. Deploy a NAT gateway with an EIP in the private subnet, edit the public main routing table, and change the destination route 0.0.0.0/0 to the target NAT gateway.
  • D. Deploy a NAT gateway with an EIP in the public subnet, edit route tables, select Private-route and add a new route destination 0.0.0.0/0 to target the NAT gateway.

Answer: D

Explanation:
A NAT gateway has to live in a public subnet, that is, one whose route table sends 0.0.0.0/0 to the internet gateway, and it is given an Elastic IP. The private subnet's route table then gets a single new route, 0.0.0.0/0 with the NAT gateway as target. Instances in 10.0.1.0/24 egress with the NAT gateway's EIP as source address, so their private addresses are never exposed, and nothing else in the VPC needs to change. Option A places the gateway in the private subnet and points the private default route at the internet gateway, which would require public IPs on the instances and would not use the NAT gateway at all; option B deletes the local route and breaks intra-VPC traffic.


NEW QUESTION # 15
Customer XYZ has an ExpressRoute connection from Microsoft Azure to a data center. They want to secure communication over ExpressRoute, and to install an in-line FortiGate to perform intrusion prevention system (IPS) and antivirus scanning.
Which three methods can the customer use to ensure that all traffic from the data center is sent through FortiGate over ExpressRoute? (Choose three.)

  • A. Enable the redirect option in ExpressRoute to send data center traffic to a user-defined route table
  • B. Install FortiGate in Azure and build a VPN tunnel to the data center over ExpressRoute
  • C. Configure the gateway subnet as the subnet in the user-defined route table
  • D. Define a default route where the next hop IP is the FortiGate WAN interface
  • E. Configure a user-defined route table

Answer: A,C,D


NEW QUESTION # 16
A company deployed a FortiGate-VM with an on-demand license using Amazon Web Services (AWS) Market Place Cloud Formation template. After deployment, the administrator cannot remember the default admin password.
What is the default admin password for the FortiGate-VM instance?

  • A. <blank>
  • B. admin
  • C. The admin password cannot be recovered and the customer needs to deploy the FortiGate-VM again.
  • D. The instance-ID value

Answer: D


NEW QUESTION # 17
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?

  • A. They cannot create and add additional vNICs to an existing FortiGate-VM.
  • B. They can create additional vNICs in the UI console.
  • C. They can create additional vNICs using the Cloud Shell.
  • D. They can use the Compute Engine API Explorer.

Answer: A

Explanation:
Compute Engine only lets network interfaces be defined when an instance is created; they cannot be added to or removed from an existing instance afterwards, whether from the console, Cloud Shell or the Compute Engine API. To get more vNICs, plan the interface count up front and create a new FortiGate-VM instance with the required number of interfaces.


NEW QUESTION # 18
An Amazon Web Services (AWS) auto-scale FortiGate cluster has just experienced a scale-down event, terminating a FortiGate in availability zone C.
This has now black-holed the private subnet in this availability zone.
What action will the worker node automatically perform to restore access to the black-holed subnet?

  • A. The worker node modifies the route table applied to the black-holed subnet changing its default route to point to a running FortiGate on the worker node's private subnet interface.
  • B. The worker node moves the virtual IP of the terminated FortiGate to a running FortiGate on the worker node's private subnet interface.
  • C. The worker node applies a route table from a non-black-holed subnet to the black-holed subnet.
  • D. The worker node migrates the subnet to a different availability zone.

Answer: A

Explanation:
Official documentation, failover process in a single AZ:
https://github.com/fortinet/aws-cloudformation-templates/blob/main/FGCP/7.0/SingleAZ/README.md#failove
"Outbound failover is provided by reassigning the secondary IP addresses of ENI1\port2 from FortiGate 1's private interface to FortiGate 2's private interface. Additionally any route targets referencing FortiGate 1's private interface will be updated to reference FortiGate 2's private interface."
The Lambda route-failover template:
https://github.com/fortinet/aws-cloudformation-templates/tree/master/LambdaAA-RouteFailover/6.0
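
What the worker node's route update looks like in code, as an added example (this is not Fortinet's Lambda handler, which is linked above): it lists the routes AWS has marked blackhole, then repoints every route that targets the terminated FortiGate's private ENI at a surviving FortiGate's private ENI. The route tables and the FakeEC2 class are constructed stand-ins that mirror the boto3 describe_route_tables and replace_route calls; replace FakeEC2 with boto3.client("ec2") to run it against a real VPC, and give it an ENI chosen from a FortiGate the health checks still report as running.

```python
from copy import deepcopy
from typing import List, Tuple

# Constructed sample: what describe_route_tables() returns for a two-AZ VPC after the
# FortiGate behind eni-fgt-az-c was terminated (AWS flags its route "blackhole").
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-az-c", "VpcId": "vpc-0example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fgt-az-c", "State": "blackhole"},
    ]},
    {"RouteTableId": "rtb-private-az-a", "VpcId": "vpc-0example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fgt-az-a", "State": "active"},
    ]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0example", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
    ]},
]


class FakeEC2:
    """Offline stand-in for boto3.client("ec2") exposing the two calls used below."""

    def __init__(self, route_tables: List[dict]):
        self.route_tables = deepcopy(route_tables)
        self.calls: List[dict] = []

    def describe_route_tables(self, Filters=None):
        return {"RouteTables": self.route_tables}

    def replace_route(self, **kwargs):
        self.calls.append(kwargs)
        for rt in self.route_tables:
            if rt["RouteTableId"] != kwargs["RouteTableId"]:
                continue
            for route in rt["Routes"]:
                if route.get("DestinationCidrBlock") == kwargs["DestinationCidrBlock"]:
                    route["NetworkInterfaceId"] = kwargs["NetworkInterfaceId"]
                    route["State"] = "active"
        return {}


def blackholed_routes(ec2, vpc_id: str) -> List[Tuple[str, str, str]]:
    """List (route_table_id, destination, eni) for routes AWS reports as blackhole."""
    resp = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return [(rt["RouteTableId"], r["DestinationCidrBlock"], r.get("NetworkInterfaceId", ""))
            for rt in resp["RouteTables"] for r in rt["Routes"]
            if r.get("State") == "blackhole" and "DestinationCidrBlock" in r]


def repair_routes(ec2, vpc_id: str, dead_eni: str, healthy_eni: str) -> List[Tuple[str, str]]:
    """Repoint every route in vpc_id that targets dead_eni at healthy_eni (the private
    interface of a FortiGate that is still running).  Returns what was rewritten."""
    if dead_eni == healthy_eni:
        raise ValueError("replacement ENI must differ from the terminated one")
    resp = ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    fixed = []
    for rt in resp["RouteTables"]:
        for route in rt["Routes"]:
            # Only ENI-targeted routes belong to a FortiGate; IGW, NAT and local routes stay.
            if route.get("NetworkInterfaceId") != dead_eni or "DestinationCidrBlock" not in route:
                continue  # IPv6 routes use DestinationIpv6CidrBlock and are out of scope here
            ec2.replace_route(RouteTableId=rt["RouteTableId"],
                              DestinationCidrBlock=route["DestinationCidrBlock"],
                              NetworkInterfaceId=healthy_eni)
            fixed.append((rt["RouteTableId"], route["DestinationCidrBlock"]))
    return fixed


def demo():
    """Run the repair against the constructed VPC and return before/fixed/after."""
    ec2 = FakeEC2(SAMPLE_ROUTE_TABLES)
    before = blackholed_routes(ec2, "vpc-0example")
    fixed = repair_routes(ec2, "vpc-0example", dead_eni="eni-fgt-az-c", healthy_eni="eni-fgt-az-a")
    after = blackholed_routes(ec2, "vpc-0example")
    return before, fixed, after


if __name__ == "__main__":
    print(demo())
```

Note that replace_route is idempotent, so a handler that is invoked twice for the same scale-down event does no harm; what it must never do is pick a replacement ENI on a FortiGate that is itself mid-termination, which is why the healthy ENI is an explicit input rather than "any other FortiGate".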


NEW QUESTION # 21

Refer to the exhibit. Consider an active-passive HA deployment in Microsoft Azure. The exhibit shows an excerpt from the passive FortiGate-VM node.
If the active FortiGate-VM fails, what are the results of the API calls made by the FortiGate named SSTENTAZFGT-0302? (Choose two.)

  • A. SSTENTAZFGT-03-FloatingPIP is assigned to the IP configuration with the name SSTENTAZFGT-0302-Nic-01, under the network interface SSTENTAZFGT-0302-Nic-01
  • B. The network interface of the active unit moves to itself
  • C. 172.29.32.71 is set as the next hop IP for all routes under FortigateUDR-01
  • D. SSTENTAZFGT-03-FloatingPIP public IP is assigned to NIC SSTENTAZFGT-0302-Nic-01

Answer: A,C


NEW QUESTION # 22
When an organization deploys a FortiGate-VM in a high availability (HA) (active/active) architecture in Microsoft Azure, they need to determine the default timeout values of the load balancer probes.
In the event of failure, how long will Azure take to mark a FortiGate-VM as unhealthy, considering the default timeout values?

  • A. 20 seconds
  • B. Less than 10 seconds
  • C. 30 seconds
  • D. 16 seconds

Answer: B

Explanation:
https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-custom-probe-overview
* If your application produces a time-out response just before the next probe arrives, detection takes 5 seconds plus the duration of the application time-out when the probe arrives. You can assume the detection to take slightly over 5 seconds.
* If your application produces a time-out response just after the next probe arrives, detection does not begin until that probe arrives and times out, plus another 5 seconds. You can assume the detection to take just under 10 seconds.
Assume the reaction to a time-out response takes a minimum of 5 seconds and a maximum of 10 seconds.


NEW QUESTION # 25
You have been asked to secure your organization's salesforce application that is running on Microsoft Azure, and find an effective method for inspecting shadow IT activities in the organization. After an initial investigation, you find that many users access the salesforce application remotely as well as on-premises.
Your goal is to find a way to get more visibility, control over shadow IT-related activities, and identify any data leaks in the salesforce application.
Which three steps should you take to achieve your goal? (Choose three.)

  • A. Use FortiGate, FortiGuard, and FortiAnalyzer solutions.
  • B. Deploy and configure FortiCASB with a Fortinet FortiCASB subscription license.
  • C. Deploy and configure FortiCWP with a workload guardian license.
  • D. Deploy and configure FortiGate with Security Fabric solutions, and FortiCWP with a storage guardian advance license.
  • E. Configure FortiCASB and set up access rights, privileges, and data protection policies.

Answer: A,B,E


NEW QUESTION # 26
You have been asked to develop an Azure Resource Manager infrastructure as a code template for the FortiGate-VM, that can be reused for multiple deployments. The deployment fails, and errors point to the storageAccount name.
Which two are restrictions for a storageAccount name in an Azure Resource Manager template? (Choose two.)

  • A. The storageAccount name must be in lowercase.
  • B. The storageAccount name must contain between 3 and 24 alphanumeric characters.
  • C. The storageAccount name must use special characters.
  • D. The uniqueString() function must be used.

Answer: A,B

Explanation:
Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview
https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=bicep
Property values / storageAccounts name (the resource name):
* string (required)
* Character limit: 3-24
* Valid characters: lowercase letters and numbers
* Resource name must be unique across Azure
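
An added example, not from the Fortinet templates, of the two things a reusable template author has to get right here: a validator that reports every rule a proposed name breaks, and a builder that mimics the common concat('prefix', uniqueString(resourceGroup().id)) pattern by appending a 13-character hash and trimming to 24 characters. ARM's uniqueString() is its own hash; the sha256 prefix used below is an assumed stand-in for offline use and will not equal the value ARM computes.

```python
import hashlib
import re


def storage_account_name_errors(name: str) -> list:
    """Return the rule violations for an Azure storage account name (empty list means
    valid): 3-24 characters, lowercase letters and digits only."""
    errors = []
    if not 3 <= len(name) <= 24:
        errors.append(f"length {len(name)} is not between 3 and 24")
    if any(ch.isupper() for ch in name):
        errors.append("uppercase letters are not allowed")
    if not re.fullmatch(r"[A-Za-z0-9]*", name):
        errors.append("only letters and digits are allowed (no '-', '_' or other characters)")
    return errors


def unique_storage_account_name(prefix: str, *seed_parts: str, hash_len: int = 13) -> str:
    """Build a name the way ARM templates usually do with
    concat('<prefix>', uniqueString(resourceGroup().id)).  uniqueString() is a
    13-character hash computed by ARM; sha256 is substituted here (an assumption
    for offline use).  The prefix is lowercased and stripped of anything outside
    [a-z0-9], and the result is truncated to the 24-character limit."""
    clean_prefix = re.sub(r"[^a-z0-9]", "", prefix.lower())
    digest = hashlib.sha256("/".join(seed_parts).encode("utf-8")).hexdigest()[:hash_len]
    name = (clean_prefix + digest)[:24]
    errs = storage_account_name_errors(name)
    if errs:
        raise ValueError(f"cannot build a valid name from {prefix!r}: {errs}")
    return name


if __name__ == "__main__":
    print(storage_account_name_errors("FortiGate-Storage"))
    print(unique_storage_account_name("FGT-Diag", "/subscriptions/0000/resourceGroups/rg-fortigate"))
```

Keep the prefix short: with the 13-character hash appended, anything over 11 characters of prefix is silently cut off, and two prefixes that differ only after that point collide on the same name.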


NEW QUESTION # 27
Your company deploys FortiGate VM devices in high availability (HA) (active-active) mode with Microsoft Azure load balancers using the Microsoft Azure ARM template. Your senior administrator instructs you to connect to one of the FortiGate devices and configure the necessary firewall rules. However, you are not sure now to obtain the correct public IP address of the deployed FortiGate VM and identify the access ports.
How do you obtain the public IP address of the FortiGate VM and identify the correct ports to access the device?

  • A. In the configured load balancer, access the backend pools section.
  • B. In the configured load balancer, access the inbound and outbound NAT rules section.
  • C. In the configured load balancer, access the inbound NAT rules section.
  • D. In the configured load balancer, access the health probes section.

Answer: C

Explanation:
From the resource group Overview page, click the external load balancer name to load it. From the navigation column, click Inbound NAT Rules.
https://docs.fortinet.com/document/fortigate-public-cloud/6.4.0/azure-administration-guide/889158/connecting-to
https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-networking#azure-v
"...it is more economical and secure to associate a public IP address to a load balancer or to an individual virtual machine (also known as a jumpbox), which then routes incoming connections to scale set virtual machines as needed (for example, through inbound NAT rules)."


NEW QUESTION # 28
Which two statements about Microsoft Azure network security groups are true? (Choose two.)

  • A. Network security groups can be applied to subnets and virtual network interfaces.
  • B. Network security groups can be applied to subnets only.
  • C. Network security groups are stateful inbound and outbound rules used for traffic filtering.
  • D. Network security groups are stateless inbound and outbound rules used for traffic filtering.

Answer: A,C

Explanation:
You can deploy resources from several Azure services into an Azure virtual network. You can associate zero or one network security group to each virtual network subnet and to each network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.
https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works


NEW QUESTION # 29
Refer to the exhibit.

A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Web servers to the Internet. The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface.
What are two possible reasons for this behavior? (Choose two.)

  • A. AWS security groups may be blocking the traffic.
  • B. AWS source and destination checks are enabled on the FortiGate interfaces.
  • C. The Internet gateway (IGW) is not added to VPC (virtual private cloud).
  • D. The web servers are not configured with the default gateway.

Answer: A,B

Explanation:
Check whether source/destination checking is still enabled on the FortiGate ENIs: EC2 drops packets whose source or destination is not the interface's own address unless the check is disabled on that interface, which is exactly the traffic a firewall forwards. Security groups on the FortiGate or web server interfaces are the other common reason traffic never arrives. See Public_Cloud_6.4_Study_Guide, page 67.
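
As an added check (not from the study guide) covering the two AWS prerequisites this page keeps returning to, the NAT-gateway placement of question 13 and the source/destination check from this question: the functions below take dictionaries in the shape of what boto3's describe_route_tables, describe_nat_gateways and describe_network_interfaces return and report what is wrong. GOOD, BAD and FGT_ENIS are constructed samples with made-up identifiers; for a live account feed them the real API responses.

```python
from typing import List, Optional


def route_table_for_subnet(route_tables: List[dict], subnet_id: str) -> Optional[dict]:
    """Return the route table explicitly associated with subnet_id, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt: Optional[dict]) -> dict:
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return {}


def audit_private_egress(route_tables: List[dict], nat_gateways: List[dict],
                         private_subnet_id: str) -> List[str]:
    """Question 13: private subnet default route -> NAT gateway, and that NAT gateway
    must sit in a subnet whose default route is an internet gateway."""
    findings = []
    dr = default_route(route_table_for_subnet(route_tables, private_subnet_id))
    nat_id = dr.get("NatGatewayId")
    if not nat_id:
        findings.append(f"{private_subnet_id}: default route does not target a NAT gateway "
                        f"(found {dr or 'no default route'})")
    for nat in nat_gateways:
        nat_dr = default_route(route_table_for_subnet(route_tables, nat["SubnetId"]))
        if not str(nat_dr.get("GatewayId", "")).startswith("igw-"):
            findings.append(f"{nat['NatGatewayId']}: subnet {nat['SubnetId']} has no default route "
                            "to an internet gateway, so the NAT gateway cannot reach the internet")
    return findings


def audit_source_dest_check(interfaces: List[dict], firewall_instance_id: str) -> List[str]:
    """Question 29: every ENI on the firewall instance must have SourceDestCheck disabled.
    Returns the offending ENI ids (fix with modify_network_interface_attribute)."""
    return [eni["NetworkInterfaceId"] for eni in interfaces
            if eni.get("Attachment", {}).get("InstanceId") == firewall_instance_id
            and eni.get("SourceDestCheck", True)]


# Constructed sample: the layout from question 13 done correctly (NAT gateway in the
# public subnet, private default route at the NAT gateway).
GOOD = {
    "route_tables": [
        {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
        {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    ],
    "nat_gateways": [{"NatGatewayId": "nat-0example", "SubnetId": "subnet-public"}],
}
# Constructed sample of question 13's option A: NAT gateway in the private subnet and
# the private default route pointed at the internet gateway.
BAD = {
    "route_tables": [
        {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
        {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    ],
    "nat_gateways": [{"NatGatewayId": "nat-0example", "SubnetId": "subnet-private"}],
}
# Constructed sample: a FortiGate (i-0fgt) whose port2 still has the check enabled.
FGT_ENIS = [
    {"NetworkInterfaceId": "eni-port1", "SourceDestCheck": False, "Attachment": {"InstanceId": "i-0fgt"}},
    {"NetworkInterfaceId": "eni-port2", "SourceDestCheck": True, "Attachment": {"InstanceId": "i-0fgt"}},
    {"NetworkInterfaceId": "eni-web", "SourceDestCheck": True, "Attachment": {"InstanceId": "i-0web"}},
]

if __name__ == "__main__":
    print(audit_private_egress(BAD["route_tables"], BAD["nat_gateways"], "subnet-private"))
    print(audit_source_dest_check(FGT_ENIS, "i-0fgt"))
```

The second audit deliberately ignores the web server's ENI: the check is correct on a host that only sends and receives its own traffic, and disabling it there widens what that instance can spoof.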


NEW QUESTION # 30
An organization deploys a FortiGate-VM (VM04 / c4.xlarge) in Amazon Web Services (AWS) and configures two elastic network interfaces (ENIs). Now, the same organization wants to add additional ENIs to support different workloads in their environment.
Which action can you take to accomplish this?

  • A. None, you cannot create and add additional ENIs to an existing FortiGate-VM.
  • B. Create the ENI, shut down FortiGate, attach the ENI to FortiGate, and then start FortiGate.
  • C. Create the ENI, attach it to FortiGate, and then restart FortiGate.
  • D. Create the ENI and attach it to FortiGate.

Answer: D

Explanation:
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/aws-administration-guide/903457
AWS lets you attach a network interface to an instance while it is running (hot attach), while it is stopped (warm attach), or while it is being launched (cold attach), so no shutdown or reboot is needed. The linked AWS page is from the Windows guide, but attach behaviour is a property of EC2 and applies to the FortiGate-VM as well:
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/best-practices-for-configuring-network-interfaces


NEW QUESTION # 31
Refer to the exhibit.

You are deploying a FortiGate-VM in Microsoft Azure using the PAYG/On-demand licensing model. After you configure the FortiGate-VM, the validation process fails, displaying the error shown in the exhibit.
What caused the validation process to fail?

  • A. You selected the Bring Your Own License (BYOL) licensing mode.
  • B. You selected the incorrect resource group.
  • C. You selected the PAYG/On-demand licensing model, but did not associate a valid Azure subscription.
  • D. You selected the PAYG/On-demand licensing model, but did not select correct virtual machine size.

Answer: C

Explanation:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources


NEW QUESTION # 32
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A multiple VPC deployment utilizing a transit VPC topology
  • B. A single VPC deployment with multiple subnets
  • C. A multiple VPC deployment utilizing a transit gateway
  • D. A single VPC deployment with multiple subnets and a NAT gateway

Answer: A,C

Explanation:
Multi-VPC design: AWS recommends segmenting networks at the VPC level. In this approach, workloads are grouped together at the VPC level instead of the subnet level. All traffic between VPCs is inspected by network security virtual firewalls at each VPC or at a shared VPC. Design patterns such as Transit VPC or AWS Transit Gateway can be used to achieve this in an automated and scalable fashion.
https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-aws-reference-architecture.pdf


NEW QUESTION # 33
Refer to the exhibit.

Your senior administrator successfully configured a FortiGate fabric connector with the Azure resource manager, and created a dynamic address object on the FortiGate VM to connect with a windows server in Microsoft Azure. However, there is now an error on the dynamic address object, and you must resolve the issue.
How do you resolve this issue?

  • A. In the Microsoft Azure portal, set the correct tag values for the windows server.
  • B. Delete the address object and recreate a new address object with the type set to FQDN.
  • C. Run diagnose debug application azd -l on FortiGate.
  • D. In the Microsoft Azure portal, access the windows server, obtain the private IP address, and assign the IP address under the FortiGate-VM AzureLab address object.

Answer: A

Explanation:
https://docs.fortinet.com/document/fortigate-public-cloud/6.2.0/azure-administration-guide/985498/troubleshooti


NEW QUESTION # 34
Which two statements about Amazon Web Services (AWS) network access control lists (ACLs) are true? (Choose two.)

  • A. Network ACLs are stateful, and inbound and outbound rules are used for traffic filtering.
  • B. Network ACLs must be manually applied to virtual network interfaces.
  • C. Network ACLs support allow rules and deny rules.
  • D. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering.

Answer: C,D

Explanation:
Network ACLs are stateless, support both allow and deny rules, and are associated with subnets rather than with individual network interfaces.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
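
The stateful/stateless difference between question 28 (Azure NSGs) and this question (AWS network ACLs) is easiest to see on one TCP flow, so here is an added, simplified model that is not AWS or Azure code: the same outbound-HTTPS rule set is evaluated by a filter that remembers allowed flows and by one that does not, and only the stateless one drops the SYN-ACK until an inbound rule for the ephemeral port range is added. Rule priorities, the port fields and the 1024-65535 ephemeral range are assumptions of the model.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    port_lo: int     # destination port range, inclusive
    port_hi: int
    priority: int    # lower number wins, as with NSG priorities and NACL rule numbers

    def matches(self, direction: str, proto: str, dport: int) -> bool:
        return (self.direction == direction and self.proto == proto
                and self.port_lo <= dport <= self.port_hi)


def evaluate(rules: List[Rule], direction: str, proto: str, dport: int) -> bool:
    """First matching rule in priority order decides; no match means implicit deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, proto, dport):
            return rule.action == "allow"
    return False


class StatefulFilter:
    """Azure NSG / AWS security group semantics: the reply half of an allowed flow is
    admitted without consulting the rules."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple[str, str, int, int]] = set()

    def packet(self, direction: str, proto: str, sport: int, dport: int) -> bool:
        opposite = "in" if direction == "out" else "out"
        if (opposite, proto, dport, sport) in self.flows:  # reply to a tracked flow
            return True
        allowed = evaluate(self.rules, direction, proto, dport)
        if allowed:
            self.flows.add((direction, proto, sport, dport))
        return allowed


class StatelessFilter:
    """AWS network ACL semantics: every packet, replies included, must match a rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def packet(self, direction: str, proto: str, sport: int, dport: int) -> bool:
        return evaluate(self.rules, direction, proto, dport)


def https_flow(flt) -> List[bool]:
    """Outbound HTTPS from a VM: the SYN leaves from ephemeral port 49152 and the
    SYN-ACK comes back to it.  Returns [syn_allowed, syn_ack_allowed]."""
    return [flt.packet("out", "tcp", 49152, 443), flt.packet("in", "tcp", 443, 49152)]


OUTBOUND_HTTPS_ONLY = [Rule("allow", "out", "tcp", 443, 443, 100)]
# What a NACL needs in addition: an inbound allow for the ephemeral range (assumed 1024-65535).
WITH_EPHEMERAL_REPLY = OUTBOUND_HTTPS_ONLY + [Rule("allow", "in", "tcp", 1024, 65535, 100)]

if __name__ == "__main__":
    print("NSG  :", https_flow(StatefulFilter(OUTBOUND_HTTPS_ONLY)))
    print("NACL :", https_flow(StatelessFilter(OUTBOUND_HTTPS_ONLY)))
    print("NACL+:", https_flow(StatelessFilter(WITH_EPHEMERAL_REPLY)))
```

The price of the stateless fix is visible in WITH_EPHEMERAL_REPLY: the inbound rule that lets replies in also admits unsolicited packets to any port from 1024 upward, which is why a NACL is a coarse subnet guard and the per-instance security group (stateful) carries the real policy.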


NEW QUESTION # 35
Refer to the exhibit.

You attempted to deploy the FortiGate-VM in Microsoft Azure with the JSON template, and it failed to boot up. The exhibit shows an excerpt from the JSON template.
What is incorrect with the template?

  • A. The caching parameter should be None.
  • B. The CreateOptions parameter should be FromImage.
  • C. The LUN ID is not defined.
  • D. FortiGate-VM does not support managedDisk from Azure.

Answer: B

Explanation:
https://github.com/fortinet/azure-templates/blob/main/FortiGate/A-Single-VM/azuredeploy.json


NEW QUESTION # 36
You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The following are the requirements of your deployment:
*Two FortiGate devices must be deployed; each in a different availability zone.
*Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other will connect to a private subnet.
*An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an active- active topology.
*An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to both FortiGate devices in an active-active topology.
*Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate devices?

  • A. config system sdn-connector
  • B. config system auto-scale
  • C. config system session-sync
  • D. config system ha

Answer: D

Explanation:
The active-active ELB/ILB design uses FGSP rather than an FGCP cluster, and the relevant settings sit under config system ha. The session-pickup options below synchronize sessions between the peers, so a connection that arrives on either unit survives a failover; in FortiOS 6.4 the same config system ha block also offers set standalone-config-sync enable, which is what synchronizes firewall policies and objects between FGSP members. The peer is named under config system cluster-sync:
    config system ha
        set session-pickup enable
        set session-pickup-connectionless enable
        set session-pickup-nat enable
        set session-pickup-expectation enable
        set override disable
    end
    config system cluster-sync
        edit 0
            set peerip 10.0.1.x
            set syncvd "root"
        next
    end
https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Active-ELB-ILB

