Fortinet FCP_ZCS-AD-7.4 FCP - Azure Cloud Security 7.4 Administrator Exam Practice Test

Azure ExpressRouteprovidesdedicated private connectionsbetween on-premises infrastructure and Azure data centers, bypassing the public internet. This results inmore predictable latency, higher reliability, and better security, making it ideal for mission-critical workloads.

Enhanced protection for application and data in a single Azure region – Availability Zones provide physical separation of infrastructure within a single Azure region, protecting against datacenter-level failures.

Protect applications and data through high availability with fault isolation and redundancy – They offer fault isolation and redundancy, enabling high availability for applications and services by distributing them across multiple zones within the same region.

In aFortiGate active-active HA deployment in Azure, synchronization between instances is achieved using:

FortiGate Clustering Protocol (FGCP)– This is the primary protocol used to synchronize configuration and session information between HA peers.

Heartbeat interfaces– These interfaces are specifically configured to exchange HA state and sync data between the FortiGate VMs, ensuring cluster consistency.

UsingFortiGate at both endsof a site-to-site IPsec VPN tunnel provides the advantage of applyingconsistent security policies, configurations, and management toolsacross both the on-premises and Azure environments. This simplifies policy enforcement, improves operational efficiency, and ensures uniform threat protection.

Two virtual NICs – The FortiGate Azure Marketplace template deploys the VM with at least two network interfaces: one for the external/public interface and one for the internal/private interface.

One NSG for each interface – The deployment creates separate Network Security Groups (NSGs) attached to each NIC to control inbound and outbound traffic as per Fortinet’s best practices.

Azure Virtual WANis designed forlarge-scale, automated, and global branch connectivity, supportinghub-and-spoke architecturesacross multiple regions. It enablescentralized routing,hub-to-hub connectivity, and integrates withVPN, ExpressRoute, and SD-WAN solutions, making it ideal for complex, multi-region deployments as shown in the diagram.

Thelocal network gatewayin Azure represents theon-premises VPN device(such as FortiGate) and defines theon-premises public IP addressand theaddress prefixesof the on-premises network. This is essential for configuring site-to-site VPN connections from Azure to FortiGate.

TheLinux server in the spoke VNet cannot directly peer BGP with the Azure Route Server, as it is not a BGP-enabled device. Instead,Azure propagates routes to VMs through the effective route tablesassociated with theirnetwork interfaces (NICs). Therefore, to diagnose why BGP routes are notreaching the Linux VM, you shouldmonitor the effective routes on the NICto verify if the routes from the FortiGate (via the Route Server) are being injected properly.

Theroute server subnetin Azure is adedicated subnetthat hosts theAzure Route Server, which functions as thehub for dynamic routing information exchangebetween Azure virtual networks and BGP-enabled network virtual appliances (NVAs) or on-premises routers. It enables seamless and centralized route propagation.

Azure does not allow the deployment of virtual machines (VMs) in a gateway subnet.The gateway subnet is specifically reserved forAzure VPN Gateway or ExpressRoute Gateway instances, and deploying other resources in it can causegateway deployment or operation failures.