FCP_ZCS_AD-7.4 Exam Dumps - Fortinet Public Cloud Security Questions and Answers

The first and most direct diagnostic step is to verify the BGP peering status on both the FortiGate VM and Azure Route Server. If BGP peering is not established or is in an idle or down state, route propagation will fail. This check confirms whether the two systems are communicating and exchanging routes as expected.

The Linux server in the spoke VNet cannot directly peer BGP with the Azure Route Server, as it is not a BGP-enabled device. Instead, Azure propagates routes to VMs through the effective route tables associated with their network interfaces (NICs). Therefore, to diagnose why BGP routes are not reaching the Linux VM, you should monitor the effective routes on the NIC to verify if the routes from the FortiGate (via the Route Server) are being injected properly.

The local network gateway in Azure represents the on-premises VPN device (such as FortiGate) and defines the on-premises public IP address and the address prefixes of the on-premises network. This is essential for configuring site-to-site VPN connections from Azure to FortiGate.

Azure Route Server enables dynamic route exchange using BGP between your Azure virtual network and network virtual appliances (NVAs) or on-premises networks. It provides a centralized and scalable solution for route management, allowing seamless integration of routing updates without manual configuration changes.

For VMs in the 10.0.1.0/26 subnet to access the internet through the FortiGate VM, their default gateway must be changed to the internal IP address of the FortiGate’s NIC in that subnet (e.g., LAB1-FGT-A-Nic2). This ensures traffic is routed through FortiGate for inspection and NAT, rather than directly using Azure’s default system routes.

They support the use of availability zones – Standard public IP addresses are zone-redundant and support availability zone deployments for high availability.

They can be dynamic or static – Azure standard public IPs can be configured as static or dynamic, offering flexibility based on deployment needs.

In a FortiGate active-active HA deployment in Azure, synchronization between instances is achieved using:

FortiGate Clustering Protocol (FGCP) – This is the primary protocol used to synchronize configuration and session information between HA peers.

Heartbeat interfaces – These interfaces are specifically configured to exchange HA state and sync data between the FortiGate VMs, ensuring cluster consistency.

Azure Firewall Premium includes advanced features not available in the Standard tier, such as enhanced URL filtering and web categories, TLS inspection, IDPS (intrusion detection and prevention system), and support for private certificate authorities. These enable more granular and secure traffic inspection and control.

A user-defined route (UDR) in Azure is used to redirect traffic from other VMs through a FortiGate VM for inspection. By modifying the routing table, you ensure that outbound or inter-subnet traffic is sent to the FortiGate as the next hop, enabling traffic filtering, logging, and security enforcement.

Since port 80 traffic is reaching the FortiGate (as shown in the sniffer output) but port 22 traffic is not, the issue lies before the FortiGate, at the Azure Load Balancer level. Azure Load Balancers require an Inbound NAT rule to forward specific ports (like SSH on port 22) to a specific backend VM. Creating a new Inbound NAT rule for port 22 will allow SSH traffic to be properly routed to the FortiGate VM.