You have been tasked with deploying FortiGate VMs in a highly available topology on the Amazon Web
Services (AWS) cloud. The requirements for your deployment are as follows:
You must deploy two FortiGate VMs in a single virtual private cloud (VPC), with an external elastic load
balancer which will distribute ingress traffic from the internet to both FortiGate VMs in an active-active
topology.
Each FortiGate VM must have two elastic network interfaces: one will connect to a public subnet and other
will connect to a private subnet.
To maintain high availability, you must deploy the FortiGate VMs in two different availability zones.
How many public and private subnets will you need to configure within the VPC?
A. One public subnet and two private subnets
B. Two public subnets and one private subnet
C. Two public subnets and two private subnets
D. One public subnet and one private subnet

Refer to the exhibit. A customer has deployed an environment in Amazon Web Services (AWS) and is now trying to send outbound traffic from the Web servers to the Internet. The FortiGate policies are configured to allow all outbound traffic; however, the traffic is not reaching the FortiGate internal interface.
What are two possible reasons for this behavior? (Choose two.)
A. The web servers are not configured with the default gateway.
B. The Internet gateway (IGW) is not added to VPC (virtual private cloud).
C. AWS source and destination checks are enabled on the FortiGate interfaces.
D. AWS security groups may be blocking the traffic.

Refer to the exhibit. You are deploying a FortiGate-VM in Microsoft Azure using the PAYG/On-demand licensing model. After you configure the FortiGate-VM, the validation process fails, displaying the error shown in the exhibit.
What caused the validation process to fail?
A. You selected the incorrect resource group.
B. You selected the Bring Your Own License (BYOL) licensing mode.
C. You selected the PAYG/On-demand licensing model, but did not select correct virtual machine size.
D. You selected the PAYG/On-demand licensing model, but did not associate a valid Azure subscription.
Which two statements about Microsoft Azure network security groups are true? (Choose two.)
A. Network security groups can be applied to subnets and virtual network interfaces.
B. Network security groups can be applied to subnets only.
C. Network security groups are stateless inbound and outbound rules used for traffic filtering.
D. Network security groups are a stateful inbound and outbound rules used for traffic filtering.
You have been asked to secure your organization's salesforce application that is running on Microsoft Azure, and find an effective method for inspecting shadow IT activities in the organization. After an initial investigation, you find that many users access the salesforce application remotely as well as on-premises. Your goal is to find a way to get more visibility, control over shadow IT-related activities, and identify any data leaks in the salesforce application.
Which three steps should you take to achieve your goal? (Choose three.)
A. Deploy and configure FortiCASB with a Fortinet FortiCASB subscription license.
B. Configure FortiCASB and set up access rights, privileges, and data protection policies.
C. Use FortiGate, FortiGuard, and FortiAnalyzer solutions.
D. Deploy and configure FortiCWP with a workload guardian license.
E. Deploy and configure FortiGate with Security Fabric solutions, and FortiCWP with a storage guardian advance license.
You have previously deployed an Amazon Web Services (AWS) transit virtual private cloud (VPC) with a pair of FortiGate firewalls (VM04 / c4.xlarge) as your security perimeter. You are beginning to see high CPU usage on the FortiGate instances.
Which action will fix this issue?
A. Convert the c4.xlarge instances to m4.xlarge instances.
B. Migrate the transit VPNs to new and larger instances (VM08 / c4.2xlarge).
C. Convert from IPsec tunnels to generic routing encapsulation (GRE) tunnels, for the VPC peering connections.
D. Convert the transit VPC firewalls into an auto-scaling group and launch additional EC2 instances in that group.
An organization deploys a FortiGate-VM (VM04 / c4.xlarge) in Amazon Web Services (AWS) and configures two elastic network interfaces (ENIs). Now, the same organization wants to add additional ENIs to support different workloads in their environment.
Which action can you take to accomplish this?
A. None, you cannot create and add additional ENIs to an existing FortiGate-VM.
B. Create the ENI, shut down FortiGate, attach the ENI to FortiGate, and then start FortiGate.
C. Create the ENI, attach it to FortiGate, and then restart FortiGate.
D. Create the ENI and attach it to FortiGate.
An organization deployed a FortiGate-VM in the Google Cloud Platform and initially configured it with two vNICs. Now, the same organization wants to add additional vNICs to this existing FortiGate-VM to support different workloads in their environment.
How can they do this?
A. They can create additional vNICs using the Cloud Shell.
B. They cannot create and add additional vNICs to an existing FortiGate-VM.
C. They can create additional vNICs in the UI console.
D. They can use the Compute Engine API Explorer.

Refer to the exhibit. You are configuring an active-passive FortiGate clustering protocol (FGCP) HA configuration in a single availability zone in Amazon Web Services (AWS), using a cloud formation template.
After deploying the template, you notice that the AWS console has IP information listed in the FortiGate VM firewalls in the HA configuration. However, within the configuration of FortiOS, you notice that port1 is using an IP of 10.0.0.13, and port2 is using an IP of 10.0.1.13.
What should you do to correct this issue?
A. Configure FortiOS to use static IP addresses with the IP addresses reflected in the ENI primary IP address configuration (as per the exhibit).
B. Delete the deployment and start again. You have in put the wrong parameters during the cloud formation template deployment.
C. Configure FortiOS to use DHCP so that it will get the correct IP addresses on the ports.
D. Nothing, in AWS cloud, it is normal for a FortiGate ENI primary IP address to be different than the FortiOS IP address configuration.
You need to deploy FortiGate VM devices in a highly available topology in the Microsoft Azure cloud. The
following are the requirements of your deployment:
Two FortiGate devices must be deployed; each in a different availability zone.
Each FortiGate requires two virtual network interfaces: one will connect to a public subnet and the other
will connect to a private subnet.
An external Microsoft Azure load balancer will distribute ingress traffic to both FortiGate devices in an
active-active topology.
An internal Microsoft Azure load balancer will distribute egress traffic from protected virtual machines to
both FortiGate devices in an active-active topology.
Traffic should be accepted or denied by a firewall policy in the same way by either FortiGate device in this
topology.
Which FortiOS CLI configuration can help reduce the administrative effort required to maintain the
FortiGate devices, by synchronizing firewall policy and object configuration between the FortiGate
devices?
A. config system sdn-connector
B. config system ha
C. config system auto-scale
D. config system session-sync