NSE7_PBC-7.2無料試験問題と解答PDF最新問題2025年09月 [Q24-Q42]

Share

NSE7_PBC-7.2無料試験問題と解答PDF最新問題2025年09月

最新NSE7_PBC-7.2試験問題集で最近更新された91問題


Fortinet NSE7_PBC-7.2 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Deploying FortiGate-VM with automation tools: In this area of the exam, aspiring Fortinet network and security professionals learn about deploying Fortinet solutions in AWS and Azure using Terraform. Moroever, they get knowledge about configuring HA solutions in Azure.
トピック 2
  • FortiGate deployments in the public cloud: This section covers how to recognize various FortiGate solutions available for public cloud environments, implement transit VPC and transit gateway architectures, and explore Fortinet's offerings for container security.
トピック 3
  • Automation: In this section, candidates are tested for their knowledge of foundational elements needed for automation processes, the implementation of Terraform and Ansible for deployment purposes, and an overview of crucial Azure security principles. It also delves into the routing complexities and constraints within public cloud ecosystems, methods for deploying FortiGate-VM instances using automation tools, and techniques for leveraging Terraform to set up Fortinet solutions in both AWS and Azure environments.
トピック 4
  • Troubleshooting and FortiCNP: This section focuses on problem-solving strategies for various cloud-related issues. It covers methods to tackle connectivity problems with AWS EC2 instances, approaches to resolving SD-WAN connection difficulties, and techniques for identifying and rectifying issues related to Azure SDN connectors. Additionally, it explores how to effectively use FortiCNP to detect and mitigate potential security risks in cloud environments.

 

質問 # 24
Refer to Exhibit:

The exhibit shows the Connect Peers settings on Amazon Web Services (AWS) transit gateway attachments With two FortiGate VMS in a security VPC.
Which two statements are correct? (Choose two.)

  • A. The Transit Gateway GRE address is auto-generated
  • B. The peer GRE address is the FortiGate external interface IP address.
  • C. The Peer GRE address is the FortiGate internal interface IP address
  • D. The BGP inside CIDR blocks can be any CIDR block with /29

正解:A、B

解説:
Explanation
A: The peer GRE address is the FortiGate external interface IP address. This is the IP address of the FortiGate interface that is connected to the transit gateway attachment subnet1. This IP address is used to establish the GRE tunnel between the FortiGate and the transit gateway2. B. The Transit Gateway GRE address is auto-generated. This is the IP address of the transit gateway that is used to establish the GRE tunnel with the FortiGate2. This IP address is automatically assigned by AWS from the Transit Gateway CIDR range that you specify when you create the Connect attachment3.
The other options are incorrect because:
The BGP inside CIDR blocks cannot be any CIDR block with /29. They must be a /29 CIDR block from the 169.254.0.0/16 range for IPv4, or a /125 CIDR block from the fd00::/8 range for IPv64. These are the inside IP addresses that are used for BGP peering over the GRE tunnel4.
The Peer GRE address is not the FortiGate internal interface IP address. The internal interface IP address is used to route traffic from the FortiGate to the VPC subnet where the third-party appliance (such as SD-WAN) is located1. The Peer GRE address is used to route traffic from the FortiGate to the transit gateway over the GRE tunnel2.


質問 # 25
Which two Amazon Web Services (AWS) topologies support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A single VPC deployment with multiple subnets and a NAT gateway
  • B. A multiple VPC deployment utilizing a transit VPC topology
  • C. A multiple VPC deployment utilizing a transit gateway
  • D. A single VPC deployment with multiple subnets

正解:B、C

解説:
Multi-VPC design. AWS recommends segmenting networks at the VPC level. In this approach, workloads are grouped together at the VPC level instead of the subnet level. All traffic between VPCs will be inspected by network security virtual firewalls at each VPC or at a shared VPC.
Design patterns such as Transit VPC or AWS Transit Gateway can be used to achieve this in an automated and scalable fashion.


質問 # 26
Refer to the exhibit.


What value or values must the administrator use in the SSH Key section to deploy a FortiGate VM using Terraform in Amazon Web Services (AWS)?

  • A. Use the Name and ID values of the key pair
  • B. Use the Name of the key pair
  • C. Use the ID value of the key pair.
  • D. Use the Fingerprint value of the key pair

正解:B

解説:
For deploying a FortiGate VM using Terraform in AWS, the administrator must use:
B . Use the Name of the key pair.
Terraform and AWS SSH Keys: When deploying instances in AWS using Terraform, it is required to specify the name of the SSH key pair to enable key-based authentication to the instance post-deployment.
Configuration Syntax: The variable keyname within the Terraform configuration should match the exact name of the SSH key pair as it is stored in AWS. This ensures that Terraform can reference the correct key during the deployment process to set up SSH access to the FortiGate VM.
Terraform Variables: The variable "keyname" block in the Terraform configuration will look for the key pair name as it should be declared in the terraform.tfvars file or passed as a variable during execution. This does not require the key pair's ID or fingerprint, just its name.


質問 # 27
What are two main features in Amazon Web Services (AWS) network access control lists (ACLs)? (Choose two.)

  • A. Network ACLs are tied to an instance
  • B. You cannot use Network ACL and Security Group at the same time.
  • C. The default network ACL is configured to allow all traffic
  • D. NetworkACLs are stateless, and inbound and outbound rules are used for traffic filtering

正解:C、D

解説:
The default network ACL is configured to allow all traffic. This means that when you create a VPC, AWS automatically creates a default network ACL for that VPC, and associates it with all the subnets in the VPC. By default, the default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can modify the default network ACL, but you cannot delete it.
Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering. This means that network ACLs do not keep track of the traffic that they allow or deny, and they evaluate each packet separately. Therefore, you need to create both inbound and outbound rules for each type of traffic that you want to allow or deny. For example, if you want to allow SSH traffic from a specific IP address to your subnet, you need to create an inbound rule to allow TCP port 22 from that IP address, and an outbound rule to allow TCP port 1024-65535 (the ephemeral ports) to that IP address.


質問 # 28
Refer to the exhibit

Consider the active-active load balance sandwich scenario in Microsoft Azure.
What are two important facts in the active-active load balance sandwich scenario? (Choose two )

  • A. It uses the FGCP protocol
  • B. It uses the vdom-exception command to exclude the configuration from being synced
  • C. It is recommended to enable NAT on FortiGate policies.
  • D. It supports session synchronization for handling asynchronous traffic.

正解:C、D

解説:
Explanation
B: It is recommended to enable NAT on FortiGate policies. This is because the Azure load balancer uses a hash-based algorithm to distribute traffic to the FortiGate instances, and it relies on the source and destination IP addresses and ports of the packets1. If NAT is not enabled, the source IP address of the packets will be the same as the load balancer's frontend IP address, which will result in uneven distribution of traffic and possible asymmetric routing issues1. Therefore, it is recommended to enable NAT on the FortiGate policies to preserve the original source IP address of the packets and ensure optimal load balancing and routing1. D. It supports session synchronization for handling asynchronous traffic. This means that the FortiGate instances can synchronize their session tables with each other, so that they can handle traffic that does not follow the same path as the initial packet of a session2. For example, if a TCP SYN packet is sent to FortiGate A, but the TCP SYN-ACK packet is sent to FortiGate B, FortiGate B can forward the packet to FortiGate A by looking up the session table2. This feature allows the FortiGate instances to handle asymmetric traffic that may occur due to the Azure load balancer's hash-based algorithm or other factors.
The other options are incorrect because:
It does not use the vdom-exception command to exclude the configuration from being synced. The vdom-exception command is used to exclude certain configuration settings from being synchronized between FortiGate devices in a cluster or a high availability group3. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, but they are standalone devices with standalone configuration synchronization enabled. This feature allows them to synchronize most of their configuration settings with each other, except for some settings that identify the FortiGate to the network, such as the hostname.
It does not use the FGCP protocol. FGCP stands for FortiGate Clustering Protocol, which is used to synchronize configuration and state information between FortiGate devices in a cluster or a high availability group. However, in this scenario, the FortiGate devices are not in a cluster or a high availability group, and they use standalone configuration synchronization instead of FGCP.


質問 # 29
Refer to the exhibit

You are tasked to deploy a FortiGate VM with private and public subnets in Amazon Web Services (AWS).
You examined the variables.tf file.
What will be the final result after running the terraform init and terraform apply commands?

  • A. Terraform will deploy a FortiGate VM in the eu-West-Ia region with private and public subnets.
  • B. Terraform will deploy a FortiGate VM in the eu-West-1a region with two subnets and byol license.
  • C. Terraform will deploy a FortiGate VM in the eu-West-Ia region without any subnets.
  • D. Terraform will not deploy a FortiGate VM

正解:B

解説:
The variables.tf file shows that the FortiGate VM will be deployed in the eu-West-Ia region with private and public subnets. The region variable is set to "eu-west-1" and the availability_zone variable is set to "eu-west-1a". The vpc_id variable is set to "vpc-0e9d6a6f" and the subnets variable is set to a list of two subnet IDs: "subnet-0f9d6a6f" and "subnet-1f9d6a6f". The license_type variable is set to "on-demand" and the ami_id variable is set to "ami-0e9d6a6f".


質問 # 30
Refer to the exhibit. An administrator is trying to deploy a FortiGate VM in Microsoft Azure using Terraform. However, during the configuration, the Azure client secret is no longer visible in the Azure portal.

How would the administrator obtain the Azure client secret to configure on Terratorm?

  • A. The administrator can create a new client secret
  • B. Log in to the Azure CLI with power user to obtain the client secret
  • C. The administrator must create a new Azure account
  • D. The administrator must obtain the client secret through Azure Cloud Shell.

正解:A

解説:
The Azure client secret is a one-time value that is only visible when it is created. If the administrator loses or forgets the client secret, they cannot retrieve it from the Azure portal.
However, they can create a new client secret and use it to configure Terraform. To create a new client secret, they need to follow these steps:
Sign in to the Azure portal and navigate to the Azure Active Directory service. Select the application name under the App Registrations. Select Certificates & Secrets > New client secret to create a new client secret. Add a description and an expiration date for the client secret and select Add. Copy the value of the new client secret immediately as it will not be shown again.


質問 # 31
You are configuring the failover settings on a FortiGate active-passive SDN connector solution in Microsoft Azure. Which two mandatory settings are required after the initial deployment? (Choose two)

  • A. Subscription-id
  • B. FortiGate license file
  • C. Resource group name
  • D. Active FortiGate serial number

正解:A、C

解説:
For configuring the failover settings on a FortiGate active-passive SDN connector solution in Microsoft Azure, the two mandatory settings required after the initial deployment are:
A: Subscription-id
D: Resource group name
Subscription ID: This is a unique identifier for your Azure subscription under which all resources are created and billed. FortiGate needs this to interact with the Azure resources associated with that subscription.
Resource Group Name: A resource group in Azure is a container that holds related resources for an Azure solution. The SDN connector requires the resource group name to correctly identify and manage the resources it should control, especially in a failover scenario.


質問 # 32
You must allow an SSH traffic rule in an Amazon Web Services (AWS) network access list (NACL) to allow SSH traffic to travel to a subnetfor temporary testing purposes. When you review the current inbound network ACL rules, you notice that rule number 5 demes SSH and telnet traffic to the subnet What can you do to allow SSH traffic?

  • A. You must create a new allow SSH rule below rule number 5
  • B. You do not have to create any NACL rules because the default security group rule automatically allows SSH traffic to the subnet.
  • C. You must create a new allow SSH rule above rule number 5-
  • D. You must create a new allow SSH rule anywhere in the network ACL rule base to allow SSH traffic.

正解:C

解説:
Explanation
Network ACLs are stateless, and they evaluate each packet separately based on the rules that you define. The rules are processed in order, starting with the lowest numbered rule1. If the traffic matches a rule, the rule is applied and no further rules are evaluated1. Therefore, if you want to allow SSH traffic to a subnet, you must create a new allow SSH rule above rule number 5, which denies SSH and telnet traffic. Otherwise, the deny rule will take precedence and block the SSH traffic.
The other options are incorrect because:
Creating a new allow SSH rule below rule number 5 will not allow SSH traffic, because the deny rule will be evaluated first and block the traffic.
Creating a new allow SSH rule anywhere in the network ACL rule base will not guarantee that SSH traffic will be allowed, because it depends on the order of the rules. If the allow SSH rule is below the deny rule, it will not be effective.
You cannot rely on the default security group rule to allow SSH traffic to the subnet, because network ACLs act as an additional layer of security for your VPC. Even if your security group allows SSH traffic, your network ACL must also allow it. Otherwise, the traffic will be blocked at the subnet level.


質問 # 33
An administrator decides to use the Use managed identity option on the FortiGate SDN connector with Microsoft Azure However, the SDN connector is failing on the connection What must the administrator do to correct this issue?

  • A. Make sure to enable the system assigned managed identity on Azure
  • B. Make sure to set the type to system managed identity on FortiGate SDN connector settings
  • C. Make sure to add the Client secret on FortiGate side of the configuration
  • D. Make sure to add the Tenant ID on FortiGate side of the configuration

正解:A

解説:
When an administrator decides to use the 'Use managed identity' option for the FortiGate SDN connector with Microsoft Azure and faces a connection failure, the correct action to take is: C.
Make sure to enable the system assigned managed identity on Azure.
Managed Identity Configuration: The system assigned managed identity is a feature in Azure that provides an identity for the Azure service instance (in this case, the FortiGate SDN connector) within Azure Active Directory and eliminates the need for credentials to be stored in the configuration.
Troubleshooting Connection Issues: If the SDN connector is failing to connect, it could be because the system assigned managed identity has not been enabled or configured properly in Azure for the FortiGate service.


質問 # 34
You are troubleshooting an Azure SDN connectivity issue with your FortiGate VM Which two queries does that SDN connector use to interact with the Azure management API? (Choose two.)

  • A. The first query is targeted to IP address 8.8
  • B. The first query is targeted to a special IP address to get a token.
  • C. There is only one query initiating from FortiGate port1 -
  • D. Some queries are made to manage public IP addresses.

正解:B、D

解説:
Explanation
The Azure SDN connector uses two types of queries to interact with the Azure management API. The first query is targeted to a special IP address to get a token. This token is used to authenticate the subsequent queries. The second type of query is used to retrieve information about the Azure resources, such as virtual machines, network interfaces, network security groups, and public IP addresses. Some queries are made to manage public IP addresses, such as assigning or releasing them from the FortiGate VM. References: Configuring an SDN connector in Azure, Azure SDN connector using service principal, Troubleshooting Azure SDN connector


質問 # 35
Refer to the exhibit

You attempted to access the Linux1 EC2 instance directly from the internet using its public IP address in AWS.
However, your connection is not successful.
Given the network topology, what can be the issue?

  • A. There is no internet gateway attached to the Spoke VPC A.
  • B. There is no connection between VPC A and VPC B.
  • C. The Transit Gateway BGP IP address is incorrect.
  • D. There is no elastic IP address attached to FortiGate in the Security VPC.

正解:A

解説:
This is because the Linux1 EC2 instance is not accessible directly from the internet using its public IP address in AWS.
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. Without an internet gateway, the Linux1 EC2 instance cannotreceive or send traffic to or from the internet, even if it has a public IP address assigned to it.
To fix this issue, you need to attach an internet gateway to the Spoke VPC A and configure a route table that directs internet-bound traffic to the internet gateway. You also need to ensure that the Linux1 EC2 instance has a security group that allows inbound and outbound traffic on the desired ports.
[Internet Gateways - Amazon Virtual Private Cloud] : [Attach an Internet Gateway to Your VPC - Amazon Virtual Private Cloud] : [Security Groups for Your VPC - Amazon Virtual Private Cloud]


質問 # 36
Refer to Exhibit:

The exhibit shows the Connect Peers settings on Amazon Web Services (AWS) transit gateway attachments With two FortiGate VMS in a security VPC.
Which two statements are correct? (Choose two.)

  • A. The Transit Gateway GRE address is auto-generated
  • B. The peer GRE address is the FortiGate external interface IP address.
  • C. The Peer GRE address is the FortiGate internal interface IP address
  • D. The BGP inside CIDR blocks can be any CIDR block with /29

正解:A、B

解説:
A . The peer GRE address is the FortiGate external interface IP address. This is the IP address of the FortiGate interface that is connected to the transit gateway attachment subnet1. This IP address is used to establish the GRE tunnel between the FortiGate and the transit gateway2. B . The Transit Gateway GRE address is auto-generated. This is the IP address of the transit gateway that is used to establish the GRE tunnel with the FortiGate2. This IP address is automatically assigned by AWS from the Transit Gateway CIDR range that you specify when you create the Connect attachment3.
The other options are incorrect because:
The BGP inside CIDR blocks cannot be any CIDR block with /29. They must be a /29 CIDR block from the 169.254.0.0/16 range for IPv4, or a /125 CIDR block from the fd00::/8 range for IPv64. These are the inside IP addresses that are used for BGP peering over the GRE tunnel4.
The Peer GRE address is not the FortiGate internal interface IP address. The internal interface IP address is used to route traffic from the FortiGate to the VPC subnet where the third-party appliance (such as SD-WAN) is located1. The Peer GRE address is used to route traffic from the FortiGate to the transit gateway over the GRE tunnel2.


質問 # 37
You are configuring the failover settings on a FortiGate active-passive SDN connector solution in Microsoft Azure. Which two mandatory settings are required after the initial deployment? (Choose two)

  • A. Subscription-id
  • B. FortiGate license file
  • C. Resource group name
  • D. Active FortiGate serial number

正解:A、C

解説:
For configuring the failover settings on a FortiGate active-passive SDN connector solution in Microsoft Azure, the two mandatory settings required after the initial deployment are:
A:Subscription-id
D:Resource group name
* Subscription ID:This is a unique identifier for your Azure subscription under which all resources are created and billed. FortiGate needs this to interact with the Azure resources associated with that subscription.
* Resource Group Name:A resource group in Azure is a container that holds related resources for an
* Azure solution. The SDN connector requires the resource group name to correctly identify and manage the resources it should control, especially in a failover scenario.
References:The requirement for these specific details is found in Azure's best practices for resource management and Fortinet's documentation on deploying and configuring FortiGate appliances in Azure environments.


質問 # 38
You are tasked with deploying a FortiGate HA solution in Amazon Web Services (AWS) using Terraform What are two steps you must take to complete this deployment? (Choose two.)

  • A. Enable automation on the AWS portal.
  • B. Use CloudSheIl to install Terraform.
  • C. Create an AWS Active Directory user with permissions.
  • D. Create an AWS Identity and Access Management (IAM) user With permissions.

正解:B、D

解説:
Explanation
To deploy a FortiGate HA solution in AWS using Terraform, you need to create an AWS IAM user with permissions to access the AWS resources and services required by the FortiGate-VM. You also need to use CloudShell to install Terraform, which is a tool for building, changing, and versioning infrastructure as code.
References:
Deploying FortiGate-VM using Terraform | AWS Administration Guide
Setting up IAM roles | AWS Administration Guide
Launching the instance using roles and user data | AWS Administration Guide Terraform by HashiCorp


質問 # 39
You are adding more spoke VPCs to an existing hub and spoke topology Your goal is to finish this task in the minimum amount of time without making errors.
Which Amazon AWS services must you subscribe to accomplish your goal?

  • A. WAF, DynamoDB
  • B. CloudWatch, S3
  • C. Inspector, S3
  • D. GuardDuty, CloudWatch

正解:B

解説:
The correct answer is D. CloudWatch and S3.
According to the GitHub repository for the Fortinet aws-lambda-tgw script1, this function requires the following AWS services:
CloudWatch: A monitoring and observability service that collects and processes events from various AWS resources, including Transit Gateway attachments and route tables.
S3: A scalable object storage service that can store the configuration files and logs generated by the Lambda function.
By using the Fortinet aws-lambda-tgw script, you can automate the creation and configuration of Transit Gateway Connect attachments for your FortiGate devices. This can help you save time and avoid errors when adding more spoke VPCs to an existing hub and spoke topology1.
The other AWS services mentioned in the options are not required for this task. GuardDuty is a threat detection service that monitors for malicious and unauthorized behavior to help protect AWS accounts and workloads. WAF is a web application firewall that helps protect web applications from common web exploits. Inspector is a security assessment service that helps improve the security and compliance of applications deployed on AWS. DynamoDB is a fast and flexible NoSQL database service that can store various types of data.
1: GitHub - fortinet/aws-lambda-tgw


質問 # 40
You are troubleshooting an Azure SDN connectivity issue with your FortiGate VM Which two queries does that SDN connector use to interact with the Azure management API? (Choose two.)

  • A. The first query is targeted to IP address 8.8
  • B. The first query is targeted to a special IP address to get a token.
  • C. There is only one query initiating from FortiGate port1 -
  • D. Some queries are made to manage public IP addresses.

正解:B、D

解説:
The Azure SDN connector uses two types of queries to interact with the Azure management API. The first query is targeted to a special IP address to get a token. This token is used to authenticate the subsequent queries. The second type of query is used to retrieve information about the Azure resources, such as virtual machines, network interfaces, network security groups, and public IP addresses. Some queries are made to manage public IP addresses, such as assigning or releasing them from the FortiGate VM. References: Configuring an SDN connector in Azure, Azure SDN connector using service principal, Troubleshooting Azure SDN connector


質問 # 41
What are three important steps required to get Terraform ready using Microsoft Azure Cloud Shell? (Choose three.)

  • A. Set up a storage account in Azure.
  • B. Move the Terraform file to the bin directory.
  • C. use the -O command to download Terraform.
  • D. Use the wget (te=aform vession) command to upload Terraform.
  • E. Subscribe to Terraform in Azure.

正解:A、B、D

解説:
To get Terraform ready using Microsoft Azure Cloud Shell, you need to perform the following steps:
Set up a storage account in Azure. This is required to store the Terraform state file in a blob container, which enables collaboration and persistence of the infrastructure configuration.
Use the wget (terraform_version) command to upload Terraform. This command downloads the latest version of Terraform from the official website and saves it as a zip file in the current directory.
Move the Terraform file to the bin directory. This step extracts the Terraform executable from the zip file and moves it to the bin directory, which is part of the PATH environment variable. This allows you to run Terraform commands from any directory in Cloud Shell.


質問 # 42
......

Fortinet NSE7_PBC-7.2リアル2025年最新のブレーン問題集で模擬試験問題集:https://www.passtest.jp/Fortinet/NSE7_PBC-7.2-shiken.html

NSE7_PBC-7.2試験問題リアルNSE7_PBC-7.2練習問題集:https://drive.google.com/open?id=1qWkjNs60Jz92ymHIInCvOz_bFiWPa3cZ