Pass FCP_ZCS_AD-7.4 Exam Guide

The FortiGate VM and the Windows Server VM are in different subnets but within the same Production virtual network, which means they can communicate by default unless restricted. Azure allows ICMP between subnets, but Windows VMs have ICMP blocked by default in their firewall settings. Therefore, the likely reason for the ping failure is that the Windows Server’s firewall is blocking ICMP (ping) traffic.

The first and most direct diagnostic step is to verify the BGP peering status on both the FortiGate VM and Azure Route Server. If BGP peering is not established or is in an idle or down state, route propagation will fail. This check confirms whether the two systems are communicating and exchanging routes as expected.

The Reverse Proxy mode is the most appropriate FortiWeb operation mode for this scenario. In this mode, FortiWeb sits between internet users and the Linux web servers, terminating client connections and then forwarding requests to the backend servers. This enables deep inspection, protection from web attacks (like SQL injection and XSS), and full WAF functionality, making it ideal for securing front-end web servers exposed to the internet.

The route server subnet in Azure is a dedicated subnet that hosts the Azure Route Server, which functions as the hub for dynamic routing information exchange between Azure virtual networks and BGP-enabled network virtual appliances (NVAs) or on-premises routers. It enables seamless and centralized route propagation.