From FortiGate CNF Administration guide 24.1.b
B
When a policy set is changed locally in the FortiGate CNF console, CNF instances are not automatically synchronized
with the updated policy set.
C
FortiGate CNF comes with a preconfigured allow_all policy set that cannot be edited or
deleted. The allow_all policy set should only be used during the initial testing stage to help test routing.
It should not be used for production since it does not provide any security protection.
The correct statements regarding FortiGate Cloud-Native Firewall (CNF) policy sets are:
There is an implicit deny rule at the bottom of the policy set: This is common in many firewall policies, where an implicit deny rule ensures that any traffic not explicitly allowed by a preceding rule is denied.
A new policy set is created with each deployed CNF instance: This is a standard practice for managing security and applying policies to individual firewall instances for better control and management.
B, C are correct.
I found nothing in the Study Guide, but you can use the CNF Admin Guide.
A - I find no implicit deny, but this: "Configuring policy sets ->
The default allow_all policy set is pre-configured and automatically added to new instances."
B: When a policy set is changed locally in the FortiGate CNF console, CNF instances are not automatically synchronized with the updated policy set.
C/D: Only one policy set can be applied to an instance at a time.
The reference for the implicit deny rule and policy sets for FortiGate CNF can be found in the document sections related to FortiGate CNF policy management. Specifically, these topics are discussed around **pages 156-160**, where the deployment of policies, instances, and rules are covered.
A, C are correct
Implicit Deny Rule:
Similar to traditional firewall rule sets, FortiGate Cloud-Native Firewall (CNF) includes an implicit deny rule at the bottom of each policy set. This means any traffic that does not match an existing rule in the policy set is automatically denied (Option A).
Policy Set Creation:
When a new CNF instance is deployed, a new policy set is created specifically for that instance. This ensures that each CNF instance can have a tailored set of security policies based on the specific needs of the deployment (Option C).
Other Options Analysis:
Option B is incorrect because policy sets do not require manual synchronization; they are applied automatically once configured.
Option D is incorrect as a single CNF instance operates with a single policy set at a time.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
havokdu, 2 weeks ago
myrmidon3, 2 months, 2 weeks ago
ipv84, 4 months, 2 weeks ago
ipv84, 4 months, 1 week ago
Spawni81, 4 months, 2 weeks ago
myrmidon3, 2 months, 2 weeks ago
the_giant, 5 months ago