Fortinet · NSE 7
Validates advanced skills in deploying, managing, and troubleshooting Fortinet security solutions in public cloud environments including AWS, Azure, and Google Cloud. Covers FortiGate VM deployment, cloud automation tools, SD-WAN in the cloud, and FortiCNP risk management.
Practice Questions
600
≈ 10 practice exams
Duration
60 minutes
Passing Score
70%
Difficulty
ProfessionalLast Updated
May 2026
Use this Fortinet NSE 7 Network Security Architect—Public Cloud Security practice exam to prepare for Fortinet NSE 7 Network Security Architect—Public Cloud Security with realistic questions, detailed explanations, and focused study modes. The practice bank includes 600 questions for Fortinet NSE 7, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as FortiGate VM Deployment in Public Cloud, Cloud Automation and Infrastructure-as-Code, AWS Transit Gateway and SD-WAN Connect, Azure FortiGate Deployment and Troubleshooting, and FortiCNP Risk Management. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Fortinet NSE 7 – Public Cloud Security exam (NSE7_PBC-7.2 / NSE7_CDS_AR-7.6) validates advanced proficiency in deploying, administering, monitoring, and troubleshooting Fortinet security solutions within public cloud environments, specifically AWS and Azure. The exam tests applied knowledge across FortiGate VM deployment architectures, cloud-native automation using Terraform and Ansible, SD-WAN integration with AWS Transit Gateway, Azure Virtual WAN, and risk management through FortiCNP. It is part of the Fortinet Certified Solution Specialist (FCSS) – Public Cloud Security certification track.
The exam is scenario-driven, incorporating design scenarios and configuration extracts that reflect real-world enterprise cloud security deployments. Candidates are expected to demonstrate competency beyond basic firewall configuration to encompass Infrastructure-as-Code (IaC) pipelines, high-availability architectures across cloud providers, east-west and north-south traffic control, and cloud-native monitoring integration. Product coverage is anchored on FortiOS 7.6 and FortiCNAPP (formerly FortiCNP).
This certification is designed for network and security professionals who are responsible for the integration, administration, and troubleshooting of enterprise public cloud security infrastructures built on Fortinet solutions. Relevant job roles include cloud security engineers, network security architects, cloud infrastructure administrators, and senior network engineers who work across AWS and Azure environments.
Candidates typically have experience deploying multi-vendor cloud security stacks and are looking to formalize and validate their expertise in Fortinet-specific public cloud deployments. It is well-suited for professionals seeking the FCSS – Public Cloud Security designation as a step toward the NSE 8 expert-level certification.
Fortinet recommends a minimum of two years of hands-on experience with Fortinet security solutions, two years with AWS cloud infrastructure, and two years with Azure cloud infrastructure prior to attempting this exam. Candidates should be comfortable with IaaS concepts, virtual networking, routing protocols, and Linux VM administration.
Formal recommended training includes completion of the FCSS – Cloud Security for AWS and FCSS – Cloud Security for Azure courses from the Fortinet Training Institute. Candidates who attempt the exam without completing these preparatory courses should have a thorough working understanding of cloud-native constructs such as VPCs, Transit Gateways, VNets, Azure Resource Manager, IAM roles, and security groups. Prior hands-on lab experience with FortiGate VM deployments and basic Terraform usage is strongly advised.
The NSE 7 – Public Cloud Security exam consists of 35–40 questions (reported as 37 questions for the NSE7_PBC-7.2 version) with a time limit of 70–75 minutes, delivered in English through Pearson VUE test centers or via online proctoring. Question types are single-selection and multiple-selection multiple-choice. The exam is registered and delivered through Pearson VUE at a cost of approximately $400 USD.
Scoring is pass/fail based on a 70% passing threshold. All answers within a question must be fully correct to receive credit — no partial credit is awarded for partially correct multiple-select answers. A detailed score report is available through Pearson VUE following the exam. The certification earned by passing this exam is valid for two years and can be renewed by passing any current NSE 7-level exam.
Earning the FCSS – Public Cloud Security designation through the NSE 7 exam positions professionals for roles such as Cloud Security Architect, Senior Network Security Engineer, Cloud Infrastructure Security Specialist, and Security Operations Engineer in organizations running hybrid or multi-cloud environments. As enterprises increasingly migrate workloads to AWS and Azure, demand for professionals who can enforce security policy at scale using automated, cloud-native tooling continues to grow, making Fortinet's cloud security specialization directly relevant to hiring decisions at organizations standardized on FortiOS.
The NSE 7 certification is recognized within the broader Fortinet NSE Program as the professional tier, sitting above the NSE 4–6 associate/specialist levels and below the NSE 8 expert designation. It integrates into the FCSS track, which is Fortinet's current role-based certification framework. Professionals holding this certification often pursue complementary cloud provider certifications (AWS Solutions Architect, Azure Security Engineer Associate) to maximize market positioning, as the combination of vendor-specific Fortinet expertise and cloud-provider credentials is particularly sought after in regulated industries and large enterprises.
5 sample questions with answers and explanations. The full bank has 600 questions, enough for 10 full-length practice exams.
Preview — answers shown1. A security engineer at Contoso configured an Azure SDN connector on FortiGate to populate dynamic firewall address objects based on Azure resource tags. The connector status shows 'connection failed' even though the subscription ID and tenant ID are correct. The FortiGate VM has no direct internet connectivity but has access to Azure management APIs via the VNet. Which TWO authentication configurations should the engineer verify to resolve the connector failure? (Select two!)
Multiple correct answersExplanation
Azure SDN connector supports two authentication methods. Managed Identity is the recommended approach, where the FortiGate VM instance has a system-assigned or user-assigned managed identity with at minimum Reader role on the subscription, enabling the connector to query Azure Resource Manager APIs without storing credentials. Service Principal with client ID and client secret is the alternative method configured directly in the SDN connector settings when Managed Identity is not available or practical. Azure Storage Account access keys are for storage service authentication and are not used by the SDN connector. Accelerated Networking improves network throughput but has no bearing on Azure API authentication. FortiGate admin account Azure AD permissions are not the authentication mechanism used by the SDN connector.
2. A cloud security team at Contoso uses FortiCNP to assess their AWS Lambda-based microservices architecture. The team wants to identify which vulnerabilities FortiCNP can detect in serverless functions without deploying agents in the Lambda execution environment. Which TWO vulnerabilities does FortiCNP detect in AWS Lambda functions through agentless cloud API integration? (Select two!)
Multiple correct answersExplanation
FortiCNP uses agentless cloud API integration to scan serverless function configurations and specifically detects insecure environment variables containing hardcoded secrets, API keys, or database credentials stored in plaintext within Lambda function configuration settings. FortiCNP also identifies overly permissive IAM execution roles where Lambda functions have excessive permissions through wildcard actions or overly broad service access, leveraging its CIEM (Cloud Infrastructure Entitlement Management) capability. These checks analyze cloud resource configurations through AWS APIs without requiring agents in the Lambda execution environment. Buffer overflow detection and race condition analysis in application source code require static code analysis provided by FortiDevSec SAST scanning at build time. Unencrypted HTTP endpoint detection at runtime is a DAST (Dynamic Application Security Testing) capability covered by FortiDevSec DAST, not FortiCNP posture assessment.
3. A DevOps engineer at Contoso needs to automate the complete deployment of FortiGate in AWS including EC2 instances, VPC networking, security groups, IAM roles, AND the FortiGate firewall policies, address objects, and UTM security profiles as a single automated workflow. Which statement correctly identifies the tool that supports the full scope of this requirement? (Select one!)
Explanation
Terraform is the only infrastructure-as-code tool that can simultaneously handle AWS infrastructure deployment and FortiOS configuration management in a single workflow. The hashicorp/aws Terraform provider deploys all AWS resources: EC2 instances (aws_instance for FortiGate VMs), VPC and subnets (aws_vpc, aws_subnet), security groups (aws_security_group), IAM roles and instance profiles (aws_iam_role, aws_iam_instance_profile), route tables (aws_route_table), and Elastic IPs (aws_eip). The fortinetdev/fortios Terraform provider connects directly to FortiGate's REST API at /api/v2/cmdb/ to configure FortiOS resources: firewall policies (fortios_firewall_policy), address objects (fortios_firewall_address), address groups (fortios_firewall_addrgrp), UTM profiles (fortios_antivirus_profile, fortios_ips_sensor), SDN connectors (fortios_system_sdnconnector), and routing (fortios_router_static). Both providers are declared in the same Terraform configuration and execute in dependency order. AWS CloudFormation is AWS-specific and can only manage native AWS resources; there is no AWS::FortiGate::Policy resource type. FortiOS configuration via CloudFormation is limited to what can be passed as user-data bootstrap at instance creation, which is a one-time initialization, not ongoing policy management. ARM templates are an Azure-specific technology with no role in AWS deployments. FortiManager can configure FortiOS policies via its JSON-RPC API, but it is not an IaC tool and does not replace Terraform for infrastructure provisioning.
4. Litware's security team migrated workloads to AWS three months ago and is concerned that cloud resource configurations may drift from security best practices over time. The team wants a FortiCNP capability that continuously monitors infrastructure configurations, detects policy violations, alerts on compliance gaps, and maps findings against frameworks such as PCI DSS and HIPAA. Which FortiCNP capability addresses this requirement? (Select one!)
Explanation
Cloud Security Posture Management (CSPM) is the FortiCNP capability that continuously monitors cloud resource configurations against security best practices and compliance frameworks. CSPM detects configuration drift, policy violations, and compliance gaps across cloud infrastructure and maps findings against standards such as PCI DSS, HIPAA, and NIST CSF. Cloud Workload Protection Platform (CWPP) focuses on protecting running workloads including virtual machines, containers, and serverless functions from runtime threats such as malware and ransomware. Cloud Infrastructure Entitlement Management (CIEM) specifically audits identity and permission assignments to identify over-privileged accounts and unused credentials. Cloud Detection and Response (CDR) focuses on detecting and responding to active threat activity rather than configuration compliance monitoring.
5. Fabrikam has deployed a FortiGate VM on GCP Compute Engine. After deployment, the network team discovers that traffic forwarding is not working because canIpForward was not enabled during instance creation. What is the correct remediation step for this GCP-specific issue? (Select one!)
Explanation
In GCP, the canIpForward parameter must be set at instance creation time and cannot be changed after the instance is created. This is a critical difference from AWS, where Source/Destination Check can be disabled on an existing EC2 instance via the console or CLI at any time after deployment, and from Azure, where IP Forwarding can be enabled on an existing NIC post-deployment. In GCP, the only remediation is to delete the existing FortiGate VM and create a new instance with canIpForward set to true in the instance configuration, either via gcloud compute instances create --can-ip-forward or via the Terraform google_compute_instance resource with can_ip_forward = true. There is no equivalent of AWS modify-instance-attribute or Azure NIC update for this parameter in GCP, making it the most commonly encountered gotcha in cross-cloud FortiGate deployments.
FCP - FortiManager 7.6 Administrator (FCP_FMG_AD-7.6)
FCP_FMG_AD-7.6 · 600 questions
FCP – Secure Wireless LAN 7.4 Administrator (FCP_FWF_AD-7.4)
FCP_FWF_AD-7.4 · 600 questions
Fortinet NSE 4 – FortiOS 7.6 Administrator (FOS-ADM-7.6)
FOS-ADM-7.6 · 600 questions
Fortinet NSE 5 - FortiNAC-F 7.6 Administrator
NSE 5 · 600 questions
Fortinet NSE 5 - FortiSASE and SD-WAN 7.6 Core Administrator (NSE5_SSE_AD-7.6)
NSE5_SSE_AD-7.6 · 600 questions
Fortinet NSE 5 - FortiSwitch 7.6 Administrator (NSE5_FSW_AD-7.6)
NSE5_FSW_AD-7.6 · 600 questions
$17.99
One-time access to this exam