● FCP - AWS Cloud Security 7.4 Administrator Actual Materials

Please note that the exam "FCP - AWS Cloud Security 7.4 Administrator" is no longer offered by Fortinet and is not available for booking through Pearson VUE, so we have opened it for free viewing.




Question #41

Refer to the exhibit.

Traffic is initiated from the EC2 instance and is destined for the internet.

Which traffic flow is correct? (Choose one answer)

  • A. EC2 instance > NAT GW > IGW > internet
  • B. There is no route to the internet in the Private Route Table. The traffic does not reach the internet.
  • C. EC2 instance > GWLBe > NAT GW > IGW > internet
  • D. EC2 instance > GWLBe > internet

Question #42

Refer to the exhibit.
A customer is using the AWS Elastic Load Balancer (ELB).

Which two statements are correct about the ELB configuration? (Choose two answers)

  • A. The load balancer is configured to load balance traffic among multiple availability zones.
  • B. The Amazon Resource Name is used to access the load balancer node and targets.
  • C. You can use the DNS name to reach the targets behind the ELB.
  • D. The load balancer is configured for the internal traffic of the virtual public cloud (VPC).

Question #43

Refer to the exhibit.
Which statement is correct about the VPC peering connections shown in the exhibit? (Choose one answer)

  • A. To route packets directly from VPC B to VPC C through VPC A, you must add a route for network 192.168.0.0/16 in the VPC A routing table.
  • B. You cannot route packets directly from VPC B to VPC C through VPC A.
  • C. You can associate VPC ID pcx-23232323 with VPC B to form a VPC peering connection between VPC B and VPC C.
  • D. You cannot create a separate VPC peering connection between VPC B and VPC C to route packets directly.

Question #44

What two conclusions can you draw from the FortiGate debug output? (Choose two answers)

  • A. The dynamic address object is automatically updated if the IP changes.
  • B. The address object AWS Windows Server Lab can be manually changed on FortiGate.
  • C. The SDN connector is correctly configured and authorized.
  • D. The AWS user account used for software-defined network (SDN) integration must have full administrative rights.

Question #45

Refer to the exhibit.
An administrator configured a FortiGate device to connect to the AWS API to retrieve resource values from the AWS console to create dynamic objects for the FortiGate policies. The administrator is unable to retrieve AWS dynamic objects on FortiGate.

Which two reasons can explain why? (Choose two answers)

  • A. The AWS API call is not supported on XML version 1.0.
  • B. AWS was not able to validate credentials provided by the AWS Lab SDN connector because of a clock skew between FortiGate and AWS.
  • C. The AWS Lab SDN connector is configured with an invalid AWS access or secret key.
  • D. The AWS Lab SDN connector failed to connect on port 401.
  • E. The AWS Lab SDN did not find any instances in the configured VPC.

Question #46

Refer to the exhibit.

You deployed an active-passive FortiGate HA cluster using a CloudFormation template on an existing VPC. Now you want to test active-passive FortiGate HA failover by running a debug so you can see the API calls to change the Elastic and secondary IP addresses.

Which statement is correct about the output of the debug? (Choose one answer)

  • A. The routing table for Fgt2 updated successfully, and port2 will provide internet access to Fgt2.
  • B. The Elastic IP is associated with port1 of Fgt2.
  • C. IP address 10.0.0.13 is now associated with eni-0b61d8afc0aefb8a2.
  • D. The Elastic IP is associated with port2 of Fgt2, and the secondary IP address for port1 and port2 was updated successfully.

Question #47

Which two statements are true about inbound traffic based on the IGW ingress route table and GWLB deployment shown in the exhibit? (Choose two answers)

  • A. GWLB forwards traffic to FortiGate without encapsulation in its dedicated subnet.
  • B. Inbound traffic is directed to the GWLB through a GWLB endpoint.
  • C. Inbound traffic is directed to the application subnet through a GWLB endpoint.
  • D. GWLB encapsulates traffic with the GENEVE protocol and sends it to FortiGate.

Question #48

Refer to the exhibit.
What occurs during a failover for an active-passive (A-P) cluster that is deployed in two different availability zones? (Choose two answers)

  • A. The cluster elastic IP address (EIP) is moved from Port1 of FGT-1 to Port1 of FGT-2.
  • B. The secondary IP address of Port2 of FGT-1 is moved to Port2 of FGT-2.
  • C. The default static route in the Private-AZ1 subnet route table is modified to forward all traffic to Port2 of FGT2.
  • D. An additional route is added to the route table of the HA Sync AZ2 subnet to forward all traffic to the Internet GW.

Question #49

Which two statements are correct about traffic flow in FortiWeb Cloud? (Choose two answers)

  • A. The DNS name for the application servers must point to FortiWeb Cloud.
  • B. FortiWeb Cloud filters the incoming traffic from users, blocking the OWASP Top 10 attacks, zero-day threats, and other application layer attacks.
  • C. FortiWeb Cloud can protect the application servers only if they are all located in the same virtual public cloud (VPC).
  • D. Step 2 requires an AWS S3 bucket to be created.

Question #50

What occurs during failover for an active-passive (A-P) cluster that is deployed in the same availability zone? (Choose two answers)

  • A. Port1 of FGT-2 is assigned a new elastic IP address (EIP) in the same subnet as the EIP of port1 of FGT-1.
  • B. The secondary IP 10.0.1.9 is moved from port1 of FGT-1 to port1 of FGT-2.
  • C. The next hop for the default static route in the Private-AZ1 subnet changes to Internet GW.
  • D. The next hop for the default static route in the Private-AZ1 subnet changes to FGT2-Port2.