
100+ Free FCSS Public Cloud Security Practice Questions

Pass your Fortinet FCSS - Public Cloud Security 7.6 Architect (FCSS_CDS_AR-7.6) exam on the first try — instant access, no signup required.

Pass rate: Fortinet does not publicly report pass rates
2026 Statistics

Key Facts: FCSS Public Cloud Security Exam

  • Exam questions: 38 (single-select and multi-select MCQ)
  • Time limit: 75 min (Pearson VUE delivery)
  • Exam fee: $400 (per attempt)
  • Validity: 2 yrs (FCSS-tier recertification window)
  • Exam coverage: 4 domains (Deployment, Automation, Monitoring, Troubleshooting)
  • Test delivery: Pearson VUE (online proctored or in-person)

The Fortinet FCSS - Public Cloud Security 7.6 Architect (FCSS_CDS_AR-7.6) is an architect-level certification with a 38-question, 75-minute exam priced at $400 USD through Pearson VUE. Fortinet does not publish a fixed passing score for FCSS exams. The single-exam FCSS path validates skills across FortiGate-VM in AWS/Azure/GCP, FortiWeb Cloud, Terraform/Ansible/CloudFormation/Bicep automation, FortiAnalyzer Cloud and FortiSIEM monitoring, and multi-cloud SDN connector troubleshooting. Items mix single-select and multi-select multiple-choice formats and target experienced FortiGate engineers moving into multi-cloud architect roles.

Sample FCSS Public Cloud Security Practice Questions

Try these sample questions to test your FCSS Public Cloud Security exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. An architect is deploying a FortiGate-VM in AWS with two interfaces (public and private). Which AWS construct is required to support a per-interface elastic IP and security group on the FortiGate?
A. A single ENI shared between both interfaces
B. One Elastic Network Interface (ENI) per FortiGate port, each in the matching subnet
C. An EBS volume attached to each FortiOS port
D. An AWS PrivateLink endpoint per interface
Explanation: AWS exposes each FortiGate-VM data plane port as a separate Elastic Network Interface. Each ENI lives in its own subnet, can have its own security group, and can carry an Elastic IP for public-facing ports such as port1. This is how FortiOS sees distinct port1/port2 interfaces in AWS.
2. Which two FortiGate-VM licensing models are offered through the AWS Marketplace? (Choose two.)
A. BYOL (Bring Your Own License)
B. PAYG / On-Demand
C. Perpetual hardware-only license
D. FortiGuard subscription-only AMI
Explanation: FortiGate-VM is published on the AWS Marketplace in two AMIs: BYOL, where the customer applies a Fortinet-purchased license, and PAYG (also called On-Demand), where licensing is metered hourly and billed through AWS along with the FortiCloud-generated license adoption. Both are valid for 7.6.x deployments. (Multi-select sample — primary correct answer marked; treat option 1 as also correct on the live exam.)
3. Which AWS instance family is recommended for FortiGate-VM workloads that require high packet-per-second throughput and Enhanced Networking (ENA)?
A. t3 burstable
B. c5n compute-optimized with ENA
C. m6g Graviton
D. r5 memory-optimized
Explanation: Fortinet recommends the c5n family (for example c5n.xlarge, c5n.2xlarge) for FortiGate-VM in AWS because c5n instances are compute-optimized with high network bandwidth and Enhanced Networking via the ENA driver, which FortiOS supports natively. T3 is bursty and unsuitable for sustained inspection; m6g/Graviton ARM is not supported by FortiGate-VM AMIs at this writing.
4. In a FortiGate AWS Auto Scale group, which Lambda-driven function elects the primary FortiGate when the Auto Scaling group launches new instances?
A. AWS Route 53 health checks
B. The FortiOS Auto Scale handler (FortiCare callback Lambda) using a DynamoDB lock table
C. EC2 Spot interruption notifications
D. AWS Systems Manager Run Command
Explanation: Fortinet's AWS Auto Scale solution deploys a Lambda function and a DynamoDB table. New FortiGate instances call the Lambda Auto Scale handler at boot; the function uses the DynamoDB lock to elect a single primary, distribute the master configuration, and synchronize PAYG/BYOL licensing. Failover and scaling events go through the same handler.
5. An architect uses an AWS Gateway Load Balancer (GWLB) sandwich with FortiGate-VM. Which protocol does GWLB use to encapsulate traffic to the FortiGate appliances?
A. VXLAN over UDP 4789
B. GENEVE on UDP 6081
C. GRE
D. IPsec ESP
Explanation: AWS Gateway Load Balancer transparently steers traffic to backend appliances using GENEVE encapsulation on UDP port 6081. FortiGate-VM 7.x supports GWLB GENEVE and decapsulates on the data interface configured for GWLB. This preserves the original 5-tuple so security inspection sees the real flow.
6. Which AWS service is specifically designed to interconnect many VPCs and on-premises networks through one hub, and is commonly paired with a centralized FortiGate inspection VPC?
A. AWS Direct Connect
B. AWS Transit Gateway
C. AWS PrivateLink
D. AWS VPN CloudHub
Explanation: AWS Transit Gateway (TGW) is the regional hub that connects hundreds of VPCs and VPN/Direct Connect attachments. In a FortiGate centralized-inspection design, spoke VPCs attach to the TGW, the FortiGate inspection VPC also attaches, and TGW route tables steer east-west and north-south traffic through the FortiGate.
7. In a centralized FortiGate inspection design with AWS Transit Gateway, which TGW configuration is required to force east-west traffic between two spoke VPCs through the inspection VPC?
A. Enable TGW DNS resolution
B. Use separate TGW route tables: a spoke RT pointing at the inspection attachment, and an inspection RT with the spoke CIDRs
C. Disable TGW appliance-mode support
D. Configure each spoke VPC with a 0.0.0.0/0 internet gateway route
Explanation: The standard pattern uses two TGW route tables. Spoke attachments associate with a 'spoke' route table whose default route points to the inspection VPC attachment. The inspection attachment associates with an 'inspection' route table that knows the spoke CIDRs so return traffic can flow back. Appliance-mode support should be enabled on the inspection attachment to keep flows symmetric.
8. Which AWS feature lets a FortiGate-VM expose a managed service to consumer VPCs using a private interface endpoint, without VPC peering?
A. Internet Gateway
B. AWS PrivateLink with an interface VPC endpoint
C. AWS Site-to-Site VPN
D. Elastic Load Balancer Classic
Explanation: AWS PrivateLink lets a service provider publish an Endpoint Service backed by a Network Load Balancer. Consumers create interface VPC endpoints (ENIs in their VPCs) to reach the service privately. FortiGate can sit behind the NLB to inspect or terminate the service traffic without VPC peering.
9. In an AWS FortiGate active/passive HA deployment across two Availability Zones, how does the standby unit move the floating Elastic IP and the secondary route table on failover?
A. FortiGate uses VRRP advertisements over the AWS underlay
B. FortiGate calls the AWS API (using its IAM role) to reassign the EIP and update VPC route tables
C. AWS Lambda detects loss of ICMP and rewrites routes
D. An on-premises BGP router advertises the new path
Explanation: Cross-AZ HA in AWS cannot rely on Layer-2 VRRP because subnets do not span AZs. Instead, the surviving FortiGate uses AWS API calls (authenticated by an attached IAM role) to disassociate/associate the Elastic IP and to rewrite VPC route table entries that point to its own ENI, completing the failover.
10. Which IAM policy permission is the minimum required for the FortiGate AWS SDN connector to read EC2 instance tags for dynamic firewall address objects?
A. iam:PassRole
B. ec2:DescribeInstances and ec2:DescribeTags
C. s3:GetObject
D. sts:AssumeRoleWithSAML
Explanation: The AWS SDN connector polls EC2 metadata to populate dynamic address tags. It needs read permissions such as ec2:DescribeInstances, ec2:DescribeTags, ec2:DescribeVpcs, and ec2:DescribeSubnets. These calls are typically granted through an IAM role attached to the FortiGate instance so no static keys are stored.

About the FCSS Public Cloud Security Exam

The Fortinet FCSS - Public Cloud Security 7.6 Architect (FCSS_CDS_AR-7.6) certification validates architect-level skill in deploying and operating Fortinet security in AWS, Azure, and GCP. Topics include FortiGate-VM marketplace deployment (BYOL/PAYG), AWS Transit Gateway and Gateway Load Balancer integration, Azure vWAN and ExpressRoute, GCP HA designs, FortiWeb Cloud, container and Kubernetes security, automation with Terraform/Ansible/CloudFormation/Bicep, cloud monitoring with FortiAnalyzer Cloud and FortiSIEM, and troubleshooting connectivity, SDN connectors, and BGP across clouds.

Assessment

38 multiple-choice questions (single-select and multi-select) covering FortiGate-VM cloud deployment, automation/IaC, cloud monitoring, and troubleshooting

Time Limit

75 minutes

Passing Score

Fortinet does not publish a fixed passing score

Exam Fee

$400 (Fortinet / Pearson VUE)

FCSS Public Cloud Security Exam Content Outline

  • Security Solutions Deployment and Integration (~25%): FortiGate-VM in AWS/Azure/GCP, FortiWeb Cloud, container/Kubernetes security, AWS Transit Gateway, Gateway Load Balancer (GENEVE), AWS PrivateLink, Azure vWAN with FortiGate as NVA, Azure Route Server BGP, ExpressRoute, GCP HA with internal/external NLB, multi-cloud SDN connectors
  • Automation and Deployment Tools (~25%): Official fortinetdev/fortios Terraform provider, fortinet.fortios Ansible collection, AWS CloudFormation Auto Scale stacks (Lambda + DynamoDB + S3 bootstrap), Azure Bicep/ARM templates, REST API tokens, FortiFlex entitlement licensing
  • Cloud Infrastructure Monitoring (~25%): FortiAnalyzer Cloud, FortiSIEM correlation and IOC rules, AWS CloudTrail / VPC Flow Logs ingestion, Azure Activity Log via Event Hub, GCP Cloud Audit Logs, FortiSoC playbooks, FortiView dashboards, ADOM multi-tenancy, log integrity with S3 Object Lock
  • Troubleshooting and Connectivity Management (~25%): AWS ENI source/dest check, TGW appliance-mode and asymmetric routing, IPsec Phase 1/2 mismatches, Azure LB health probes, GCP fixed NIC count, BGP route-maps on ExpressRoute and vWAN, SDN connector AccessDenied, diagnose debug flow and diagnose sniffer packet

How to Pass the FCSS Public Cloud Security Exam

What You Need to Know

  • Passing score: Fortinet does not publish a fixed passing score
  • Assessment: 38 multiple-choice questions (single-select and multi-select) covering FortiGate-VM cloud deployment, automation/IaC, cloud monitoring, and troubleshooting
  • Time limit: 75 minutes
  • Exam fee: $400

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

FCSS Public Cloud Security Study Tips from Top Performers

1. Memorize cloud-specific gotchas: AWS ENIs need Source/Dest Check disabled, Azure HA fails over via API not VRRP, and GCP cannot add NICs after instance creation
2. For TGW questions, remember that appliance-mode is required to keep flows symmetric across AZs - asymmetric routing is the most common architect-tier trap
3. GWLB uses GENEVE on UDP 6081 and FortiGate exposes a dedicated GENEVE interface - know this combo cold
4. Practice the official Terraform provider (fortinetdev/fortios) and Ansible collection (fortinet.fortios), not legacy community modules
5. Know which AWS log source captures what: CloudTrail = API audit, VPC Flow Logs = network 5-tuple, Config = drift; Azure equivalent is Activity Log via Event Hub
6. Always cite least-privilege IAM patterns (instance profiles, OIDC, managed identities) over static keys - the exam favors cloud-native auth

Frequently Asked Questions

What is the Fortinet FCSS Public Cloud Security 7.6 Architect exam?

The FCSS_CDS_AR-7.6 exam is Fortinet's architect-level certification for FortiGate, FortiWeb Cloud, and the Fortinet Security Fabric in public clouds. It validates skills in FortiGate-VM deployment across AWS, Azure, and GCP, multi-cloud network insertion (Transit Gateway, GWLB, vWAN, ExpressRoute), automation with Terraform and Ansible, monitoring with FortiAnalyzer Cloud and FortiSIEM, and troubleshooting connectivity and SDN connectors.

How many questions are on the FCSS Public Cloud Security exam?

The exam has 38 multiple-choice questions delivered in 75 minutes via Pearson VUE. Items mix single-select and multi-select multiple-choice formats. Fortinet does not publish a fixed passing score for FCSS exams; pass/fail is calibrated per form.

How much does the FCSS Public Cloud Security exam cost?

The exam fee is $400 USD per attempt through Pearson VUE. Fortinet partners may receive vouchers or discounts, and Fortinet sometimes offers free retakes during certification campaigns. Online proctored or in-person testing is available.

What topics are covered on FCSS Public Cloud Security 7.6?

Four roughly equal-weight domains are covered: (1) Security Solutions Deployment and Integration (FortiGate-VM in AWS/Azure/GCP, FortiWeb Cloud, container security, multi-cloud integration); (2) Automation and Deployment Tools (Terraform, Ansible, CloudFormation, Azure Bicep/ARM, API-driven provisioning); (3) Cloud Infrastructure Monitoring (logging, FortiAnalyzer/FortiSIEM, real-time threat detection); (4) Troubleshooting and Connectivity Management (SDN connectors, AWS/Azure connectivity, VPN/Transit Gateway debugging).

Is FCSS Public Cloud Security a single exam or multiple exams?

FCSS Public Cloud Security 7.6 is a single-exam FCSS track. Passing FCSS_CDS_AR-7.6 by itself awards the architect-level FCSS Public Cloud Security designation. Some other FCSS tracks combine a core and elective exam, but this one does not.

How long is FCSS Public Cloud Security valid?

FCSS-level Fortinet certifications are valid for 2 years from the date of passing. To recertify, candidates pass the then-current version of the FCSS Public Cloud Security exam or earn a higher-tier Fortinet credential.

How should I prepare for FCSS Public Cloud Security?

Combine Fortinet's free Training Institute self-paced courses with hands-on labs deploying FortiGate-VM in AWS, Azure, and GCP. Practice AWS Transit Gateway with appliance mode, GWLB GENEVE, Azure vWAN/ExpressRoute, GCP HA, and the SDN connector for each cloud. Build at least one Terraform module using fortinetdev/fortios and one Ansible playbook using fortinet.fortios. Then drill 100 practice questions covering all four exam domains.