Fortinet FCP_ZCS_AD-7.4 FCP - Azure Cloud Security 7.4 Administrator Exam Practice Test

Azure Firewall is a cloud-native, fully managed network security service designed to control and log network traffic using Azure policies. In contrast, the FortiGate VM is a network virtual appliance (NVA) that delivers comprehensive security features, including firewalling, IPS, antivirus, VPN, and application control, suitable for both on-premises and cloud deployments.

The branch-to-branch topology in Azure Virtual WAN is characterized by direct connectivity between branches through the Virtual WAN backbone, which reduces dependency on centralized hubs. This results in a simplified network architecture, lowering latency and optimizing routing between branch locations.

Azure assigns MAC addresses in a specific Organizationally Unique Identifier (OUI) range. The MAC address d8-34-99-c5-0A-BC begins with d8-34-99, which is a Microsoft-assigned OUI used in Azure virtual networks. This strongly indicates the output was taken from a VM running in Azure.

Infrastructure-as-a-Service (IaaS) allows you to deploy FortiWeb as a virtual machine in Azure, giving you granular control over vCPU and memory allocation. This model provides full flexibility over the compute resources and network configuration, which is essential for deploying and scaling security appliances like FortiWeb.

Enabling the IP forwarding setting on FortiGate (or any NVA) in Azure allows the VM to route traffic that is not destined for itself, effectively enabling it to act as a router or firewall. This is essential for scenarios where FortiGate inspects or filters traffic between subnets or from on-premises to Azure.

The debug output shows that the UbuntuServer address object successfully resolved an IP, while the webServer did not. The most likely cause is a mismatch in the dynamic address filter or missing tags on the target VM.

Verify the filter used for the dynamic firewall address – The filter category=windows may not match any VM metadata, resulting in no matched addresses.

Verify the tags on the target VM – Ensure that the VM has the correct tags (e.g., category=windows) that match the dynamic address filter to enable resolution.

In an active-active FortiGate ELB/ILB deployment, the inbound NAT rules configured on the external load balancer are used to allow administrative access (e.g., HTTPS, SSH) to the individual FortiGate VMs. Since the public IP is associated with the load balancer, NAT rules are required to map specific ports to backend FortiGate instances for management access.

In an active-active FortiGate cluster deployment in Azure, you must assign the public IP address to an Azure load balancer. This is required because Azure does not support multiple VMs sharing a single public IP directly. The Azure Load Balancer handles inbound traffic and distributes it to the active FortiGate instances.

Two virtual NICs – The FortiGate Azure Marketplace template deploys the VM with at least two network interfaces: one for the external/public interface and one for the internal/private interface.

One NSG for each interface – The deployment creates separate Network Security Groups (NSGs) attached to each NIC to control inbound and outbound traffic as per Fortinet’s best practices.

The first and most direct diagnostic step is to verify the BGP peering status on both the FortiGate VM and Azure Route Server. If BGP peering is not established or is in an idle or down state, route propagation will fail. This check confirms whether the two systems are communicating and exchanging routes as expected.