Q1

A security architect is designing a multi-account AWS environment using FortiGate CNF for centralized egress filtering. The design includes a central networking account with a transit gateway and multiple spoke VPCs in different member accounts. To inspect traffic from the spoke VPCs, the architect has created a GWLB endpoint in each spoke. What is the final critical step required in the spoke VPC route tables to direct egress traffic through the FortiGate CNF for inspection?

Q2

An engineer deployed a FortiGate Active-Passive HA cluster in AWS using the official CloudFormation template. During a failover test, the secondary unit fails to promote to primary, and session state is lost. The IAM role has permissions for EC2 route table updates and EIP association, and the S3 bucket is in the correct region. What is the most likely cause of the FGCP unicast session synchronization failure?

Q3

A startup is deploying its first web application on AWS and requires basic web application firewall (WAF) protection against common exploits like SQL injection and cross-site scripting (XSS). The company has a limited budget and no dedicated security staff to manage a full WAF appliance. Which Fortinet solution is the most cost-effective and simplest to deploy for this requirement?

Q4 (Multiple answers)

A DevSecOps team wants to automate security responses for newly discovered vulnerabilities on their EC2 instances. They are using AWS Inspector to scan instances and have configured a FortiGate with an SDN connector. Which two actions can be automated using the AWS SDN connector when AWS Inspector reports a high-severity vulnerability on an EC2 instance? (Select TWO)

Q5

When configuring a FortiGate Active-Passive cluster in AWS using FGCP, the heartbeat communication must be established. Because AWS environments do not support Layer 2 mechanisms like broadcast or multicast, the FGCP configuration must be set to `________`.

Q6

An e-commerce company is using FortiWeb Cloud to protect its primary application, which is hosted behind an AWS Application Load Balancer (ALB). To route traffic through FortiWeb Cloud for inspection, what critical DNS change must be made for their public domain `www.ecom-store.com`?

Q7

A financial services company, FinSecure, is migrating its applications to a multi-VPC architecture in AWS. They have strict compliance requirements to inspect all east-west traffic between their 'Staging' and 'Production' VPCs, and all egress traffic to the internet from both VPCs. The security team must maintain stateful sessions and have centralized logging for audits. They want to avoid complex routing changes within the application VPCs. The current setup involves a Transit Gateway connecting the VPCs. The security team has experience with FortiGate appliances and wants to leverage them in the cloud. Performance is critical, and the solution must scale horizontally without manual intervention. Centralized policy management is a key requirement from their existing FortiManager. Which architecture best meets FinSecure's requirements for transparent, scalable, and stateful inspection?

```mermaid
graph TD
  subgraph Central_Security_VPC
    TGW_Attachment --- GWLB[Gateway Load Balancer]
    GWLB --- FG_ASG[FortiGate Auto Scaling Group]
  end
  subgraph Spoke_VPC_Staging
    App_Staging[Staging App] --> TGW_Attachment_Staging
  end
  subgraph Spoke_VPC_Production
    App_Prod[Production App] --> TGW_Attachment_Prod
  end
  TGW[Transit Gateway] -- routes to --> TGW_Attachment
  TGW_Attachment_Staging --> TGW
  TGW_Attachment_Prod --> TGW
  Internet((Internet)) -- egress --> TGW
```

Q8

True or False: In a FortiGate Active-Passive HA cluster deployed across two different AWS Availability Zones, both the primary and secondary FortiGate instances require a public IP address to be active simultaneously for failover to function correctly.

Q9

A large enterprise with hundreds of FortiGate VMs deployed across multiple AWS regions wants to enforce a consistent security policy baseline. They need to ensure that specific compliance rules, such as blocking outbound traffic to known malicious IPs, are applied to all FortiGates, while still allowing regional teams to add their own specific policies. How can this be achieved most efficiently using FortiManager?

Q10

A network administrator is setting up a new VPC in AWS for a three-tier application. They need to ensure that the database servers in the private subnet can download security patches from the internet without being directly accessible from the internet. Which AWS component is required in the public subnet to facilitate this one-way internet access?