A financial services company, FinSecure Capital, has deployed a FortiGate VM in Azure. They are using Azure tags to categorize VMs based on their environment (e.g., `env:prod`, `env:dev`). The security team wants to create a firewall policy that automatically applies to all production VMs, even as new ones are provisioned. What is the most efficient method on the FortiGate to create a firewall policy destination that dynamically includes all Azure VMs tagged with `env:prod`?
Q2
An administrator has configured a FortiGate Active-Passive HA cluster in Azure behind an external Azure Load Balancer. During a failover test, the passive unit becomes active, but external traffic is not reaching the newly active FortiGate. Internal traffic and HA synchronization are working correctly. The Azure Load Balancer health probe is configured to check an HTTPS service on port 443 on the FortiGates. Which configuration error is the most likely cause for the failure of external traffic to reach the new active unit?
Q3
An organization is deploying a multi-tiered application in Azure and needs to enforce network traffic filtering rules at the subnet level. They want to control both inbound and outbound traffic for their Virtual Machines. Which Azure component is used to filter network traffic to and from Azure resources in an Azure Virtual Network?
Q4
A network engineer is configuring a site-to-site IPsec VPN tunnel between an on-premises FortiGate and an Azure VPN Gateway. The tunnel fails to establish. The engineer has verified that the pre-shared key and IP addresses are correct. The FortiGate is configured to use IKEv2 with AES-256 for encryption and SHA256 for integrity in Phase 1. Which of the following is a common reason for the VPN tunnel failure in this scenario?
Q5
Global E-Commerce Inc. runs a large retail platform on Azure, protected by a cluster of FortiGate firewalls. During peak shopping seasons, they experience massive traffic surges that can overwhelm the fixed number of firewalls, leading to performance degradation and dropped connections. Their current setup is an Active-Passive HA pair, which provides redundancy but not scalability. The primary business requirement is to maintain high performance and availability during unpredictable traffic spikes, while minimizing costs during off-peak hours. The solution must automatically scale the number of firewalls based on CPU utilization. All firewalls in the pool must have an identical security policy, which is managed centrally. The architecture team is proposing a new solution. The proposed architecture involves placing the FortiGate instances into an Azure VM Scale Set (VMSS). An external Azure Load Balancer will distribute incoming internet traffic to the FortiGates, and an internal Load Balancer will handle traffic from the application subnets. A User Defined Route (UDR) on the application subnets will direct all outbound traffic to the internal load balancer. The team needs to ensure that newly provisioned FortiGates automatically receive the correct configuration and licenses. Which combination of Fortinet and Azure services is required to build this scalable and automated firewall solution?
Q6 (Multiple answers)
A cloud engineer is deploying a single FortiGate-VM from the Azure Marketplace using the standard ARM template for a standalone firewall. The engineer needs to ensure traffic can be routed through the FortiGate for inspection. After the deployment is complete, which two actions are essential to enable the FortiGate VM to forward traffic between its network interfaces? (Select TWO).
Q7
True or False: When deploying a FortiGate-VM in Azure using a Pay-As-You-Go (PAYG) license from the Marketplace, a separate license file from Fortinet must be manually uploaded to the VM after deployment.
Q8
A large enterprise has a complex hybrid network with multiple on-premises sites connected to Azure via ExpressRoute and S2S VPNs. They use a pair of FortiGate NVAs in Azure for traffic inspection and want to simplify their routing configuration. They need to dynamically exchange BGP routes between their on-premises gateways and the FortiGate NVAs without creating complex User Defined Routes. Which Azure service should be deployed to enable dynamic route exchange between the on-premises gateways and the FortiGate NVAs via BGP?
Q9
When configuring a Site-to-Site VPN in Azure, you need to create a resource that represents the on-premises VPN device (like a FortiGate) and defines its public IP address and the on-premises network address spaces. This Azure resource is called a ______.
Q10
An administrator configured an Azure SDN connector on a FortiGate using a Managed Identity. They created a dynamic address object to match VMs with the tag `App:Database`. However, the address object on the FortiGate remains empty, even though several VMs with that exact tag exist in the VNet. The FortiGate's system logs show no errors related to the SDN connector. What is the most likely reason the dynamic address object is not being populated?