Get Ready to Pass the NSE7_PBC-7.2 exam Right Now Using Our NSE 7 Network Security Architect Exam Package [Q22-Q45]


Enhance Your Career With Available Preparation Guide for NSE7_PBC-7.2 Exam


Fortinet NSE 7 - Public Cloud Security 7.2 exam covers a wide range of topics, including cloud security architecture, cloud security operations, and cloud security services. NSE7_PBC-7.2 exam is designed to test the candidate's ability to deploy, manage, and secure public cloud infrastructures using Fortinet's cloud security solutions. It is a comprehensive exam that requires a deep understanding of the latest cloud security concepts, trends, and best practices.

 

NEW QUESTION # 22
Refer to Exhibit:

The exhibit shows the Connect Peers settings on Amazon Web Services (AWS) transit gateway attachments with two FortiGate VMs in a security VPC.
Which two statements are correct? (Choose two.)

  • A. The BGP inside CIDR blocks can be any CIDR block with /29
  • B. The peer GRE address is the FortiGate external interface IP address.
  • C. The Peer GRE address is the FortiGate internal interface IP address
  • D. The Transit Gateway GRE address is auto-generated

Answer: B,D

Explanation:
B. The peer GRE address is the FortiGate external interface IP address. This is the IP address of the FortiGate interface that is connected to the transit gateway attachment subnet. This IP address is used to establish the GRE tunnel between the FortiGate and the transit gateway. D. The Transit Gateway GRE address is auto-generated. This is the IP address of the transit gateway that is used to establish the GRE tunnel with the FortiGate. This IP address is automatically assigned by AWS from the Transit Gateway CIDR range that you specify when you create the Connect attachment.
The other options are incorrect because:
The BGP inside CIDR blocks cannot be any CIDR block with /29. They must be a /29 CIDR block from the 169.254.0.0/16 range for IPv4, or a /125 CIDR block from the fd00::/8 range for IPv6. These are the inside IP addresses that are used for BGP peering over the GRE tunnel.
The Peer GRE address is not the FortiGate internal interface IP address. The internal interface IP address is used to route traffic from the FortiGate to the VPC subnet where the third-party appliance (such as SD-WAN) is located. The Peer GRE address is used to route traffic from the FortiGate to the transit gateway over the GRE tunnel.
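The inside CIDR constraint above is easy to get wrong when filling in a Connect peer by hand. The following check, added here as an example and not Fortinet or AWS code, validates a candidate block against exactly the two rules the explanation states (a /29 inside 169.254.0.0/16, or a /125 inside fd00::/8); the function name and the sample inputs are assumptions.

```python
"""Validate a proposed Transit Gateway Connect peer 'inside CIDR block'
against the constraints described in the explanation above.
Added example; function name and sample values are constructed."""
import ipaddress

# (permitted parent range, required prefix length) per address family
INSIDE_CIDR_RULES = {
    4: (ipaddress.ip_network("169.254.0.0/16"), 29),
    6: (ipaddress.ip_network("fd00::/8"), 125),
}


def check_inside_cidr(cidr):
    """Return (ok, reason) for a candidate BGP inside CIDR block."""
    try:
        # strict=True rejects blocks with host bits set, e.g. 169.254.10.9/29
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid network: {exc}"
    parent, wanted_len = INSIDE_CIDR_RULES[net.version]
    if net.prefixlen != wanted_len:
        return False, f"IPv{net.version} inside CIDR must be /{wanted_len}, got /{net.prefixlen}"
    if not net.subnet_of(parent):
        return False, f"{net} is outside the permitted range {parent}"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample inputs
    for candidate in ["169.254.10.8/29", "10.0.0.0/29", "169.254.10.0/28",
                      "169.254.10.9/29", "fd00:1::/125", "2001:db8::/125"]:
        print(f"{candidate:>18}: {check_inside_cidr(candidate)}")
```

AWS also reserves a handful of /29 blocks inside 169.254.0.0/16 for its own use; this check does not model that list, so treat a pass as necessary rather than sufficient.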


NEW QUESTION # 23
You must allow an SSH traffic rule in an Amazon Web Services (AWS) network access list (NACL) to allow SSH traffic to travel to a subnet for temporary testing purposes. When you review the current inbound network ACL rules, you notice that rule number 5 denies SSH and telnet traffic to the subnet. What can you do to allow SSH traffic?

  • A. You must create a new allow SSH rule anywhere in the network ACL rule base to allow SSH traffic.
  • B. You do not have to create any NACL rules because the default security group rule automatically allows SSH traffic to the subnet.
  • C. You must create a new allow SSH rule above rule number 5.
  • D. You must create a new allow SSH rule below rule number 5

Answer: C

Explanation:
Network ACLs are stateless, and they evaluate each packet separately based on the rules that you define. The rules are processed in order, starting with the lowest numbered rule. If the traffic matches a rule, the rule is applied and no further rules are evaluated. Therefore, if you want to allow SSH traffic to a subnet, you must create a new allow SSH rule above rule number 5, which denies SSH and telnet traffic. Otherwise, the deny rule will take precedence and block the SSH traffic.
The other options are incorrect because:
Creating a new allow SSH rule below rule number 5 will not allow SSH traffic, because the deny rule will be evaluated first and block the traffic.
Creating a new allow SSH rule anywhere in the network ACL rule base will not guarantee that SSH traffic will be allowed, because it depends on the order of the rules. If the allow SSH rule is below the deny rule, it will not be effective.
You cannot rely on the default security group rule to allow SSH traffic to the subnet, because network ACLs act as an additional layer of security for your VPC. Even if your security group allows SSH traffic, your network ACL must also allow it. Otherwise, the traffic will be blocked at the subnet level.
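To make the ordering argument concrete, here is a small model of inbound NACL evaluation (ascending rule number, first match wins, implicit catch-all deny), added as an example and not AWS code. The rule base and source address are constructed to mirror the question: rule 5 denies TCP 22-23, and the same allow rule is tried below and above it.

```python
"""Model of how an AWS network ACL evaluates inbound rules: ascending rule
number, first match wins, implicit '*' deny at the end. NACLs are stateless,
so this runs independently for every packet.
Added example; rule base and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int       # rule number; lower numbers are evaluated first
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    source: str       # source CIDR
    action: str       # "allow" or "deny"

    def matches(self, protocol, port, src_ip):
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if not (self.port_from <= port <= self.port_to):
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)


def evaluate(rules, protocol, port, src_ip):
    """Return (action, matched rule number); '*' marks the implicit catch-all deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, src_ip):
            return rule.action, rule.number
    return "deny", "*"


# Constructed inbound rule base mirroring the question: rule 5 denies SSH and telnet.
BASE_RULES = [
    NaclRule(5, "tcp", 22, 23, "0.0.0.0/0", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

TEST_CLIENT = "203.0.113.10"  # constructed tester address (documentation range)


def ssh_verdict(extra_rule=None):
    """Verdict for an SSH packet from the tester, optionally with one added rule."""
    rules = BASE_RULES + ([extra_rule] if extra_rule else [])
    return evaluate(rules, "tcp", 22, TEST_CLIENT)


if __name__ == "__main__":
    print("no change:     ", ssh_verdict())
    print("allow below 5: ", ssh_verdict(NaclRule(10, "tcp", 22, 22, "203.0.113.0/24", "allow")))
    print("allow above 5: ", ssh_verdict(NaclRule(4, "tcp", 22, 22, "203.0.113.0/24", "allow")))
```

Because the ACL is stateless, the SSH reply traffic also needs a matching outbound rule (ephemeral port range back to the tester) or the session still fails even though the inbound packet is allowed; scoping the temporary allow rule to the tester's /24 rather than 0.0.0.0/0, as above, keeps the exposure limited to the test window.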


NEW QUESTION # 24
Refer to the exhibit

An administrator is trying to deploy a FortiGate VM in Microsoft Azure using Terraform. However, during the configuration, the Azure client secret is no longer visible in the Azure portal.
How would the administrator obtain the Azure client secret to configure on Terraform?

  • A. The administrator can create a new client secret
  • B. The administrator must create a new Azure account
  • C. The administrator must obtain the client secret through Azure Cloud Shell.
  • D. Log in to the Azure CLI with power user to obtain the client secret

Answer: A

Explanation:
The Azure client secret is a one-time value that is only visible when it is created. If the administrator loses or forgets the client secret, they cannot retrieve it from the Azure portal. However, they can create a new client secret and use it to configure Terraform. To create a new client secret, they need to follow these steps:
Sign in to the Azure portal and navigate to the Azure Active Directory service.
Select the application name under the App Registrations.
Select Certificates & Secrets > New client secret to create a new client secret.
Add a description and an expiration date for the client secret and select Add.
Copy the value of the new client secret immediately as it will not be shown again.
References:
Generate new Client Secret and link to key-vault | Microsoft Learn
Azure Quickstart - Set and retrieve a secret from Key Vault using Azure portal | Microsoft Learn


NEW QUESTION # 25
You are automating configuration changes on one of the FortiGate VMs using Linux Red Hat Ansible.
How does Linux Red Hat Ansible connect to FortiGate to make the configuration change?

  • A. It uses SSH as a connection method to FortiOS.
  • B. It uses a FortiGate internal or external IP address with TCP port 21
  • C. It uses an API.
  • D. It uses YAML

Answer: C

Explanation:
Ansible connects to FortiGate using an API, which is a method of communication between different software components. Ansible uses the fortios_* modules to interact with the FortiOS API, which is a RESTful API that allows configuration and monitoring of FortiGate devices. Ansible can use either HTTP or HTTPS as the transport protocol, and can authenticate with either a username and password or an API token.
The other options are incorrect because:
Ansible does not use TCP port 21 to connect to FortiGate. Port 21 is typically used for FTP, which is not supported by FortiOS.
Ansible does not use SSH as a connection method to FortiOS. SSH is a secure shell protocol that allows remote command execution and file transfer, but it is not the preferred way of automating configuration changes on FortiGate devices.
Ansible does not use YAML to connect to FortiGate. YAML is a data serialization language that Ansible uses to write playbooks and inventory files, but it is not a connection method.
References:
Fortinet.Fortios - Ansible Documentation
FortiOS REST API Reference
FortiOS Module Guide - Ansible Documentation
FortiOS 7.0 CLI Reference
[Connection methods and details - Ansible Documentation]
[YAML Syntax - Ansible Documentation]


NEW QUESTION # 26
You are adding more spoke VPCs to an existing hub and spoke topology Your goal is to finish this task in the minimum amount of time without making errors.
Which Amazon AWS services must you subscribe to accomplish your goal?

  • A. WAF, DynamoDB
  • B. GuardDuty, CloudWatch
  • C. Inspector, S3
  • D. CloudWatch, S3

Answer: D

Explanation:
The correct answer is D. CloudWatch and S3.
According to the GitHub repository for the Fortinet aws-lambda-tgw script [1], this function requires the following AWS services:
CloudWatch: A monitoring and observability service that collects and processes events from various AWS resources, including Transit Gateway attachments and route tables.
S3: A scalable object storage service that can store the configuration files and logs generated by the Lambda function.
By using the Fortinet aws-lambda-tgw script, you can automate the creation and configuration of Transit Gateway Connect attachments for your FortiGate devices. This can help you save time and avoid errors when adding more spoke VPCs to an existing hub and spoke topology [1].
The other AWS services mentioned in the options are not required for this task. GuardDuty is a threat detection service that monitors for malicious and unauthorized behavior to help protect AWS accounts and workloads. WAF is a web application firewall that helps protect web applications from common web exploits.
Inspector is a security assessment service that helps improve the security and compliance of applications deployed on AWS. DynamoDB is a fast and flexible NoSQL database service that can store various types of data.
1: GitHub - fortinet/aws-lambda-tgw


NEW QUESTION # 27
You are asked to find a solution to replace the existing VPC peering topology to have a higher bandwidth connection from Amazon Web Services (AWS) to the on-premises data center. Which two solutions will satisfy the requirement? (Choose two.)

  • A. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center.
  • B. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center.
  • C. Use transit VPC to build multiple VPC connections to the on-premises data center
  • D. Use ECMP and VPN to achieve higher bandwidth.

Answer: A,B

Explanation:
The correct answer is A and B. Use a transit VPC with hub and spoke topology to create multiple VPN connections to the on-premises data center. Use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center.
According to the Fortinet documentation for Public Cloud Security, a transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs). A transit VPC can use a hub and spoke topology to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention. A transit VPC can also leverage Equal-Cost Multi-Path (ECMP) routing to achieve higher bandwidth and load balancing across multiple VPN tunnels [1].
A transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway. You can use the transit gateway attachment with VPN option to create multiple VPN connections to the on-premises data center, using the FortiGate VM as a virtual appliance that provides network security and threat prevention. A transit gateway attachment with VPN option can also leverage ECMP routing to achieve higher bandwidth and load balancing across multiple VPN tunnels [2].
The other options are incorrect because:
Using ECMP and VPN to achieve higher bandwidth is not a complete solution, as it does not specify how to replace the existing VPC peering topology or how to connect the AWS VPCs to the on-premises data center.
Using transit VPC to build multiple VPC connections to the on-premises data center is not a correct solution, as it does not specify how to use a hub and spoke topology or how to leverage ECMP routing for higher bandwidth.
1: Fortinet Documentation Library - Transit VPC on AWS
2: Fortinet Documentation Library - Deploying FortiGate VMs on AWS


NEW QUESTION # 28
Refer to the exhibit

You attempted to access the Linux1 EC2 instance directly from the internet using its public IP address in AWS.
However, your connection is not successful.
Given the network topology, what can be the issue?

  • A. There is no connection between VPC A and VPC B.
  • B. The Transit Gateway BGP IP address is incorrect.
  • C. There is no elastic IP address attached to FortiGate in the Security VPC.
  • D. There is no internet gateway attached to the Spoke VPC A.

Answer: D

Explanation:
This is because the Linux1 EC2 instance is not accessible directly from the internet using its public IP address in AWS.
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. Without an internet gateway, the Linux1 EC2 instance cannot receive or send traffic to or from the internet, even if it has a public IP address assigned to it.
To fix this issue, you need to attach an internet gateway to the Spoke VPC A and configure a route table that directs internet-bound traffic to the internet gateway. You also need to ensure that the Linux1 EC2 instance has a security group that allows inbound and outbound traffic on the desired ports.
References:
Internet Gateways - Amazon Virtual Private Cloud
Attach an Internet Gateway to Your VPC - Amazon Virtual Private Cloud
Security Groups for Your VPC - Amazon Virtual Private Cloud


NEW QUESTION # 29
Refer to the exhibit

In your Amazon Web Services (AWS) environment, you must allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet. However, your HTTPS connection to the FortiGate VM in the Customer VPC is not successful.
Also, you must ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC. How do you correct this issue with minimal configuration changes?
(Choose three.)

  • A. Add a route with your local internet public IP address as the destination and target internet gateway.
  • B. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway.
  • C. Add route destination 0.0.0.0/0 to target the transit gateway.
  • D. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC.
  • E. Add a route with your local internet public IP address as the destination and target transit gateway.

Answer: B,C,D

Explanation:
C. Add route destination 0.0.0.0/0 to target the transit gateway. This will ensure that the Customer VPC FortiGate VM sends all the outbound internet traffic through the Security VPC, where it can be inspected by the Security VPC FortiGate VMs. The transit gateway is a network device that connects multiple VPCs and on-premises networks in a hub-and-spoke model. B. Deploy an internet gateway, associate an EIP in the private subnet, edit route tables, and add a new route destination 0.0.0.0/0 to the target internet gateway. This will allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the private subnet where the FortiGate VM is located. An internet gateway is a service that enables communication between your VPC and the internet. An EIP is a public IPv4 address that you can allocate to your AWS account and associate with your resources. D. Deploy an internet gateway, associate an EIP in the public subnet, and attach the internet gateway to the Customer VPC. This will also allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, by creating a public route for the public subnet where the FortiGate VM is located. This is an alternative solution to option B, depending on which subnet you want to use for the FortiGate VM.
The other options are incorrect because:
Adding a route with your local internet public IP address as the destination and target transit gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will only apply to traffic coming from your specific IP address, not from any other source on the internet. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet.
Adding a route with your local internet public IP address as the destination and target internet gateway will not allow inbound HTTPS access to the Customer VPC FortiGate VM from the internet, because it will bypass the Security VPC and send the traffic directly to the Customer VPC. Moreover, it will not ensure that the outbound internet traffic goes through the Security VPC, because it will only apply to traffic going to your specific IP address, not to any other destination on the internet.


NEW QUESTION # 30
When adding the Amazon Web Services (AWS) account to the FortiCNP, which three mandatory configuration steps must you follow? (Choose three.)

  • A. Enable cloud protection through AWS Guard Duty and AWS Inspector
  • B. Enable cross-region aggregation.
  • C. Add AWS accounts through FortiCNP.
  • D. Launch the CloudFormation template.
  • E. Accept FortiCNP to create CloudTrail for the account

Answer: C,D,E

Explanation:
When adding the Amazon Web Services (AWS) account to the FortiCNP, you must follow these three mandatory configuration steps:
Add AWS accounts through FortiCNP. This is the first step to enable cloud protection for your AWS account. You can add one or multiple accounts automatically or manually. You need to provide the AWS account ID and a name for the account. You also need to select the optional permissions to be granted to FortiCNP as needed.
Accept FortiCNP to create CloudTrail for the account. This is required for FortiCNP to collect and analyze the AWS API calls and events. You can choose to let FortiCNP create a CloudTrail for the account or use an existing one. You also need to specify the aggregation region for the CloudTrail.
Launch the CloudFormation template. This is required for FortiCNP to create a stack and a role in your AWS account. The stack contains the resources that FortiCNP needs to access and monitor your AWS account. The role allows FortiCNP to assume it and perform actions on your behalf. You need to enter a custom or default role name and a unique UUID that is designated for your company on FortiCNP.
References: Add AWS Account Automatically
https://docs.fortinet.com/document/forticnp/22.4.a/online-help/246021/add-aws-account-automatically


NEW QUESTION # 31
Refer to Exhibit:

After the initial Terraform configuration in Microsoft Azure, the terraform plan command is run. Which two statements about running the plan command are true? (Choose two.)

  • A. You must run the terraform init command once, before the terraform plan command
  • B. The terraform plan command makes terraform do a dry run.
  • C. You cannot run the terraform apply command before the terraform plan command.
  • D. The terraform plan command will deploy the rest of the resources except the service principal details.

Answer: A,B

Explanation:
D is incorrect because the terraform plan command will not deploy any resources at all. It will only show the changes that would be made if the terraform apply command was run. The error message in the exhibit indicates that the service principal details are invalid, which means that Terraform cannot authenticate to Azure and cannot create any resources.
C is incorrect because you can run the terraform apply command without running the terraform plan command first. The terraform apply command will automatically generate a new plan and prompt you to approve it before applying it. However, running the terraform plan command first can help you preview the changes and avoid any unwanted or unexpected actions.
A is correct because you must run the terraform init command once before the terraform plan command.
The terraform init command initializes a working directory containing Terraform configuration files. It downloads and installs the provider plugins required for your configuration, such as the Azure provider. It also creates a hidden directory called .terraform to store the plugin binaries and other metadata. Without running the terraform init command, the terraform plan command will fail because it cannot find the required plugins or modules.
B is correct because the terraform plan command makes Terraform do a dry run. A dry run is a simulation of what would happen if you executed a certain action, without actually performing it. The terraform plan command creates an execution plan, which is a description of the actions that Terraform would take to make your infrastructure match your configuration. The execution plan shows you what resources will be created, modified, or destroyed, and what attributes will be changed. The execution plan does not affect your infrastructure or state file until you apply it with the terraform apply command.


NEW QUESTION # 32
Which two Amazon Web Services (AWS) features support east-west traffic inspection within the AWS cloud by the FortiGate VM? (Choose two.)

  • A. A NAT gateway with an EIP
  • B. A transit VPC
  • C. An Internet gateway with an EIP
  • D. A transit gateway with an attachment

Answer: B,D

Explanation:
The correct answer is B and D. A transit gateway with an attachment and a transit VPC support east-west traffic inspection within the AWS cloud by the FortiGate VM.
According to the Fortinet documentation for Public Cloud Security, a transit gateway is a network transit hub that connects VPCs and on-premises networks. A transit gateway attachment is a resource that connects a VPC or VPN to a transit gateway. By using a transit gateway with an attachment, you can route traffic from your spoke VPCs to your security VPC, where the FortiGate VM can inspect the traffic [1].
A transit VPC is a VPC that serves as a global network transit center for connecting multiple VPCs, remote networks, and virtual private networks (VPNs). By using a transit VPC, you can deploy the FortiGate VM as a virtual appliance that provides network security and threat prevention for your VPCs [2].
The other options are incorrect because:
A NAT gateway with an EIP is a service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. A NAT gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate VM [3].
An Internet gateway with an EIP is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. An Internet gateway with an EIP does not support east-west traffic inspection within the AWS cloud by the FortiGate VM [4].
1: Fortinet Documentation Library - Deploying FortiGate VMs on AWS
2: Fortinet Documentation Library - Transit VPC on AWS
3: NAT Gateways - Amazon Virtual Private Cloud
4: Internet Gateways - Amazon Virtual Private Cloud


NEW QUESTION # 33
Refer to the exhibit

You deployed an HA active-passive FortiGate VM in Microsoft Azure.
Which two statements regarding this particular deployment are true? (Choose two.)

  • A. By default, the configuration does not synchronize between the primary and secondary devices.
  • B. During the failover, the passive FortiGate issues API calls to Azure.
  • C. Use the vdom-exception command to synchronize the configuration.
  • D. There is no SLA for API calls from Microsoft Azure.

Answer: A,B

Explanation:
B is correct because in this deployment, the passive FortiGate issues API calls to Azure to update the routing table and the public IP address of the active FortiGate. This way, the traffic is redirected to the new active FortiGate after a failover.
C is incorrect because the vdom-exception command is used to exclude specific VDOMs from being synchronized in an HA cluster. This command is not related to this deployment scenario.
D is incorrect because Microsoft Azure does provide an SLA for API calls. According to the Azure Service Level Agreements, the API Management service has a monthly uptime percentage of at least 99.9% for the standard tier and higher.
A is correct because by default, the configuration is not synchronized between the primary and secondary devices in this deployment. The administrator needs to manually enable configuration synchronization on both devices. Alternatively, the administrator can use FortiManager to manage and synchronize the configuration of both devices.


NEW QUESTION # 34
You have created a TGW route table to route traffic from your spoke VPC to the security VPC where two FortiGate devices are inspecting traffic. Your spoke VPC CIDR block is already propagated to the Transit Gateway (TGW) route table.
Which type of attachment should you use to advertise routes through BGP from the spoke VPC to the security VPC?

  • A. GRE attachment
  • B. Connect attachment
  • C. VPC attachment
  • D. Route attachment

Answer: C

Explanation:
A VPC attachment is the type of attachment that allows you to connect a VPC to a TGW and advertise routes through BGP. A VPC attachment creates a VPN connection between the VPC and the TGW, and enables dynamic routing with BGP. A connect attachment is used to connect a VPN or Direct Connect gateway to a TGW. A route attachment is not a valid type of attachment for TGW. A GRE attachment is used to connect a FortiGate device to a TGW using GRE tunnels.
References:
Creating the TGW and related resources
Configuring TGW route tables
FortiGate Public Cloud 7.2.0 - Fortinet Documentation
Updating the route table and adding an IAM policy


NEW QUESTION # 35
How does the immutable infrastructure strategy work in automation?

  • A. It runs one idle and two live environments for configuration changes.
  • B. It runs one idle and a single live environment for configuration changes.
  • C. It runs a single live environment for configuration changes.
  • D. It runs two live environments for configuration changes.

Answer: D

Explanation:
Immutable infrastructure is a DevOps approach that emphasizes the creation of disposable resources instead of modifying existing ones [1]. This approach helps to achieve stability, consistency, and predictability in IT operations by reducing the risk of configuration drift and eliminating stateful components [1].
One way to implement immutable infrastructure is to use a blue-green deployment strategy, which runs two live environments for configuration changes [2]. The blue environment is the current production environment, while the green environment is the new version of the application or service. When the green environment is ready, the traffic is switched from blue to green, and the blue environment is destroyed or kept as a backup [2].
This way, there is no need to update or patch the existing infrastructure, but rather replace it with a new one.
References:
1: Immutable Infrastructure, Architecture, and its benefits
2: Introduction to Immutable Infrastructure - BMC Software | Blogs


NEW QUESTION # 36
Refer to the exhibit

The exhibit shows a customer deployment of two Linux instances and their main routing table in Amazon Web Services (AWS). The customer also created a Transit Gateway (TGW) and two attachments. Which two steps are required to route traffic from the Linux instances to the TGW? (Choose two.)

  • A. In the TGW route table, add route propagation to 192.168.0.0/16.
  • B. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop internet gateway (IGW).
  • C. In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop TGW.
  • D. In the TGW route table, associate two attachments.

Answer: C,D

Explanation:
According to the AWS documentation for Transit Gateway, a Transit Gateway is a network transit hub that connects VPCs and on-premises networks. To route traffic from the Linux instances to the TGW, you need to do the following steps:
In the TGW route table, associate two attachments. An attachment is a resource that connects a VPC or VPN to a Transit Gateway. By associating the attachments to the TGW route table, you enable the TGW to route traffic between the VPCs and the VPN.
In the main subnet routing table in VPC A and B, add a new route with destination 0.0.0.0/0, next hop TGW. This route directs all traffic from the Linux instances to the TGW, which can then forward it to the appropriate destination based on the TGW route table.
The other options are incorrect because:
In the TGW route table, adding route propagation to 192.168.0.0/16 is not necessary, as this is already the default route for the TGW. Route propagation allows you to automatically propagate routes from your VPC or VPN to your TGW route table.
In the main subnet routing table in VPC A and B, adding a new route with destination 0.0.0.0/0, next hop internet gateway (IGW) is not correct, as this would bypass the TGW and send all traffic directly to the internet. An IGW is a VPC component that enables communication between instances in your VPC and the internet.
References:
Transit Gateways - Amazon Virtual Private Cloud


NEW QUESTION # 37
Refer to the exhibit.

You are configuring a second route table on a Transit Gateway to accommodate east-west traffic inspection between two VPCs. However, you are getting an error during the transit gateway route table association with the Connect attachment.
Which action should you take to fulfill your requirement?

  • A. In the second route table: create a propagation with the Connect attachment.
  • B. Delete both the Connect and Transport attachments from the first TGW route table.
  • C. Add a static route in the Routes section
  • D. Add both Associations and Propagations in the second TGW route table.

Answer: A

Explanation:
The error message indicates that the Connect attachment is already associated with another transit gateway route table. You cannot associate the same attachment with more than one route table. However, you can propagate the same attachment to multiple route tables. Therefore, to fulfill your requirement of configuring a second route table for east-west traffic inspection between two VPCs, you need to create a propagation with the Connect attachment in the second route table. This will allow the second route table to learn the routes from the Connect attachment and forward the traffic to the security VPC. You also need to associate the second route table with the Transport attachment, which is the transit gateway attachment for the security VPC.
References:
Transit gateway route tables - Amazon VPC | AWS Documentation
Getting started with transit gateways - Amazon VPC | AWS Documentation
Configuring TGW route tables | FortiGate Public Cloud 7.4.0 | Fortinet Document Library
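The association/propagation distinction the explanation rests on is easier to see in a small model. The following is an added example, not AWS or Fortinet code: a toy transit gateway in which an attachment may be associated with only one route table (that association selects the table its incoming traffic is looked up in), while its routes may be propagated into any number of tables. The topology, attachment names and CIDRs are constructed; associating the spoke attachments with the second table is an assumption made so that a spoke-to-spoke lookup can be demonstrated.

```python
"""Toy model of transit gateway route-table associations and propagations.
Added example; all names, CIDRs and the topology are constructed."""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.attachments = {}      # attachment id -> list of networks it can reach
        self.tables = {}           # table name -> {"assoc": set(), "routes": {network: attachment}}
        self.association_of = {}  # attachment id -> the one table it is associated with

    def add_attachment(self, att_id, cidrs):
        self.attachments[att_id] = [ipaddress.ip_network(c) for c in cidrs]

    def add_table(self, name):
        self.tables[name] = {"assoc": set(), "routes": {}}

    def associate(self, table, att_id):
        """Mirror the AWS constraint: at most one association per attachment."""
        if att_id in self.association_of:
            raise ValueError(f"{att_id} is already associated with {self.association_of[att_id]}")
        self.tables[table]["assoc"].add(att_id)
        self.association_of[att_id] = table

    def propagate(self, table, att_id):
        """Propagation copies the attachment's routes into a table; any number of tables may do this."""
        for net in self.attachments[att_id]:
            self.tables[table]["routes"][net] = att_id

    def next_hop(self, src_att, dst_ip):
        """Look dst_ip up in the table src_att is associated with; longest prefix wins."""
        table = self.association_of.get(src_att)
        if table is None:
            return None
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, att in self.tables[table]["routes"].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, att)
        return best[1] if best else None


def build_scenario():
    """Constructed topology: two spoke VPC attachments plus a Connect attachment to
    the security VPC FortiGates, already associated with the first table."""
    tgw = TransitGateway()
    tgw.add_attachment("vpc-a", ["10.1.0.0/16"])
    tgw.add_attachment("vpc-b", ["10.2.0.0/16"])
    tgw.add_attachment("connect-sec", ["0.0.0.0/0"])  # FortiGates advertise a default route over BGP
    tgw.add_table("rt-north-south")
    tgw.add_table("rt-east-west")
    tgw.associate("rt-north-south", "connect-sec")
    return tgw


def try_second_association(tgw):
    """Reproduce the error from the question: a second association of the Connect attachment fails."""
    try:
        tgw.associate("rt-east-west", "connect-sec")
        return None
    except ValueError as exc:
        return str(exc)


def configure_east_west(tgw):
    """The fix from the explanation: propagate the Connect attachment into the second
    table instead of associating it, then associate the spokes so their traffic is
    looked up there and steered to the security VPC."""
    tgw.propagate("rt-east-west", "connect-sec")
    tgw.associate("rt-east-west", "vpc-a")
    tgw.associate("rt-east-west", "vpc-b")
    # return path: the security table learns the spoke CIDRs by propagation too
    tgw.propagate("rt-north-south", "vpc-a")
    tgw.propagate("rt-north-south", "vpc-b")
    return tgw.next_hop("vpc-a", "10.2.0.10")


if __name__ == "__main__":
    tgw = build_scenario()
    print("second association:", try_second_association(tgw))
    print("vpc-a -> 10.2.0.10 via:", configure_east_west(tgw))
    print("return path to 10.1.0.5 via:", tgw.next_hop("connect-sec", "10.1.0.5"))
```

The point the model makes is that east-west inspection comes from the lookup table the spokes are associated with containing a route toward the security VPC, which propagation supplies; deleting or moving the existing association (option B in the question) is not required.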


NEW QUESTION # 38
......


Fortinet NSE7_PBC-7.2 certification exam is a highly valued certification that validates the candidate's expertise in securing public cloud environments. Fortinet NSE 7 - Public Cloud Security 7.2 certification is ideal for cybersecurity professionals who want to specialize in public cloud security and acquire advanced knowledge and skills in this domain. NSE7_PBC-7.2 exam covers essential topics such as cloud security fundamentals, cloud-based application security, cloud-based network security, cloud-based data security, cloud-based security operations, and compliance and assurance.


Fortinet NSE7_PBC-7.2 exam is intended for IT professionals who work with public cloud environments, including cloud administrators, cloud architects, security engineers, and network engineers. NSE7_PBC-7.2 exam is also suitable for IT professionals who are seeking to enhance their knowledge and skills in cloud security.

 

Get Special Discount Offer of NSE7_PBC-7.2 Certification Exam Sample Questions and Answers: https://www.exams-boost.com/NSE7_PBC-7.2-valid-materials.html

New NSE7_PBC-7.2 Dumps For Preparing NSE 7 Network Security Architect Certified Fortinet Exam Well: https://drive.google.com/open?id=1Bou55yMbi5g-2YeqjzrKwzNCZtqMngBK