What are the key differences between the FortiSASE BGP per overlay and BGP on loopback routing design methods? (Choose one answer)
BGP per overlay can use separate iBGP sessions for each spoke-to-hub tunnel with mode-cfg enabled for IP address assignment, while BGP on loopback uses a single iBGP session per hub terminating on a loopback interface to simplify configuration and reduce advertised routes.
BGP per overlay establishes a single iBGP session per hub on a loopback interface, while BGP on loopback requires mode-cfg for IP address assignment and uses multiple iBGP sessions per tunnel.
BGP per overlay is used for loopback interfaces to reduce routes, while BGP on loopback is the default method requiring separate iBGP sessions for each spoke.
BGP per overlay simplifies hub configuration without mode-cfg, while BGP on loopback establishes multiple iBGP sessions for each tunnel to increase advertised routes.
FortiSASE supports two main routing design methods for Secure Private Access (SPA) when connecting to a FortiGate SD-WAN hub:
BGP per Overlay (Traditional/Default Method): In this configuration, a separate iBGP session is established over every individual IPsec overlay (tunnel) between the FortiSASE PoP and the hub. These sessions terminate on the tunnel interface IP addresses. To facilitate this, the hubs typically use the IPsec VPN mode-cfg feature to dynamically assign tunnel IP addresses to the SASE PoPs. For every LAN prefix, the system generates multiple BGP routes—one for each overlay—which increases the total number of routes advertised across the network.
BGP on Loopback (Modern Alternative): This newer design establishes only a single iBGP session between the spoke and the hub, regardless of how many physical or logical overlays (tunnels) connect them. The session is terminated on a loopback interface on both sides.
Key Advantages of BGP on Loopback:
Reduced Complexity: It significantly simplifies the BGP configuration because there are fewer neighbors to manage.
Improved Scalability: It greatly reduces the volume of routes advertised, as only a single BGP route is generated for each LAN prefix, making it the preferred choice for large-scale deployments.
Resiliency: The BGP session remains active as long as the loopback is reachable via any of the available overlays, meaning no BGP convergence is required if a single overlay fails.
Your FortiSASE customer has a small branch office in which ten users will be using their personal laptops and mobile devices to access the internet. Which deployment should they use to secure their internet access with minimal configuration? (Choose one answer)
FortiClient endpoint agent to secure internet access
FortiAP to secure internet access
SD-WAN on-ramp to secure internet access
FortiGate as a LAN extension to secure internet access
For small branch offices (thin edges) where users utilize unmanaged personal devices (BYOD) like laptops and mobile phones, the most efficient way to provide Secure Internet Access (SIA) with minimal configuration is by deploying a FortiAP.
Thin Edge Integration: FortiSASE includes expanded integrations with the Fortinet WLAN portfolio, allowing FortiAP wireless access points to function as "thin edge" devices. These access points intelligently offload and steer traffic from the branch directly to the nearest FortiSASE Security Point of Presence (PoP).
No Endpoint Agents Required: Because the devices are personal and unmanaged, installing the FortiClient agent (Option A) is often not feasible or desirable. The FortiAP deployment secures all client devices at the location without requiring any endpoint agents.
Minimal Configuration & Zero-Touch: This solution is specifically designed for small office locations with limited budgets and no local IT staff. FortiSASE offers cloud-delivered management with zero-touch provisioning for FortiAP. Once the AP is connected, it automatically establishes a secure CAPWAP or IPsec tunnel to FortiSASE, ensuring all connected users are protected by the cloud security stack (Antivirus, Web Filtering, etc.) with almost no manual setup on the end-user side.
Why other options are less ideal:
Options C and D: SD-WAN on-ramp and FortiGate LAN extensions typically require a physical FortiGate appliance at the branch. For a small office with only ten users and personal devices, this adds unnecessary hardware costs and configuration complexity compared to a simple, cloud-managed FortiAP.
A Fortinet customer is considering integrating FortiManager with FortiSASE. What are two prerequisites they should consider? (Choose two answers)
Adding a FortiManager connection add-on license to FortiSASE.
Placing FortiManager in the same FortiCloud account as FortiSASE.
Reducing the number of FortiSASE PoPs that support FortiManager.
Running a FortiManager version that is supported by FortiSASE.
Integrating FortiManager with FortiSASE allows for central management of configuration objects like addresses and security profiles. For this integration to function correctly, the following key prerequisites must be met:
Same FortiCloud Account: A fundamental requirement for the integration is that both the FortiSASE instance and the FortiManager (whether physical, VM, or Cloud) must be registered under the same FortiCloud (FortiCare) account. This common identity allows the platforms to securely discover and authorize each other for synchronization.
Supported Firmware Version: The FortiManager must run a firmware version that is compatible with the FortiSASE release. According to the FortiSASE 25 Enterprise Administrator Study Guide, FortiManager version 7.4.4 or later is generally required to support the specific API connectors and object synchronization logic used by current FortiSASE environments. Using an unsupported version may result in synchronization failures or missing configuration features.
Management Logic: Once these prerequisites are met, the administrator can enable "Central Management" in the FortiSASE portal. This creates a one-way synchronization where FortiManager acts as the source of truth for objects like Security Profile Groups, ensuring consistent security posture across both the SASE cloud and on-premises FortiGates.
You are designing a new network, and the cybersecurity policy mandates that all remote users working from home must always be connected and protected. Which FortiSASE component facilitates this always-on security measure? (Choose one answer)
Unified FortiClient
SDWAN on-ramp
Secure web gateway
Thin-branch SASE extension
In a FortiSASE environment, the Unified FortiClient agent is the critical component that fulfills the requirement for "always-on" connectivity and security for remote users.
Persistent Encrypted Tunnels: The Unified FortiClient maintains a persistent, always-on connection to the FortiSASE infrastructure. This is typically achieved through an auto-connect VPN tunnel (SSL or IPsec) that initiates as soon as the user logs into their device and has internet access.
Continuous Security Enforcement: By staying connected to a nearby FortiSASE Point of Presence (PoP), the endpoint ensures that all traffic is inspected. This allows the organization to enforce a consistent security posture—including Web Filtering, Antivirus, and Application Control—regardless of whether the user is at home, in a coffee shop, or traveling.
Zero-Trust Integration: Beyond simple connectivity, the unified agent supports Universal ZTNA. It continuously verifies the identity of the user and the security posture of the device before granting access to specific applications, thereby satisfying modern zero-trust security mandates.
Comparison of Other Components:
SD-WAN on-ramp (B): Used primarily to integrate existing branch office SD-WAN networks with the SASE cloud for private application access.
Secure Web Gateway (C): While a feature of the SASE PoP, the agentless SWG deployment (using PAC files) does not provide the same level of "always-on" persistent tunnel protection as the FortiClient agent.
Thin-branch SASE extension (D): Focused on securing small branch locations (using FortiAP or FortiExtender) where individual client agents may not be deployed on every device.
What is the role of ZTNA tags in the FortiSASE Secure Internet Access (SIA) and Secure Private Access (SPA) use cases? (Choose one answer)
ZTNA tags are created to isolate browser sessions in SIA and enforce data loss prevention in SPA for all devices.
ZTNA tags determine device posture for non-web traffic protocols and are applied only in agentless deployments for SIA.
ZTNA tags determine device posture for endpoints running FortiClient and are used to grant or deny access in SIA or SPA based on that posture.
ZTNA tags are applied to unmanaged endpoints without FortiClient to secure HTTP and HTTPS traffic in SIA and SPA.
In the Fortinet SASE architecture, Zero Trust Network Access (ZTNA) tags (which have been renamed to Security Posture Tags starting with FortiClient/EMS 7.4.0) play a critical role in continuous posture assessment. These tags are dynamic metadata assigned to an endpoint based on specific conditions or "tagging rules" defined in the FortiSASE Endpoint Management Service (EMS).
Posture Determination: The FortiClient agent, installed on the endpoint, monitors the device for various security attributes—such as whether an antivirus is running, the presence of specific registry keys, OS version, or the absence of critical vulnerabilities.
SIA (Secure Internet Access) Use Case: In SIA scenarios, FortiSASE uses these tags within security policies to control internet access. For example, a policy may allow full internet access only to endpoints tagged as "Compliant" while redirecting "Non-Compliant" devices to a restricted remediation portal.
SPA (Secure Private Access) Use Case: In SPA (specifically ZTNA Proxy mode), the tags are synchronized from FortiSASE to the corporate FortiGate (acting as the ZTNA Access Proxy). When a user attempts to access a private application, the FortiGate checks the endpoint's client certificate and its synchronized ZTNA tags. If the endpoint does not meet the required posture (e.g., it is missing a required "Domain-Joined" tag), access is denied at the session level.
According to the FortiSASE 25 Enterprise Administrator Study Guide, ZTNA tags are fundamental to the "Zero Trust" principle because they move beyond static identity (username/password) to verify the real-time security state of the device before granting access to either the internet or internal private resources.
Refer to the exhibits.

An endpoint is assigned an IP address of 192.168.13.101/24. Which action will be run on the endpoint? (Choose one answer)
The endpoint will be able to bypass the on-net rule because it is connecting from a known subnet.
The endpoint will be detected as off-net.
The endpoint will be exempted from auto-connect to the FortiSASE tunnel.
The endpoint will automatically connect to the FortiSASE tunnel.
Based on the provided exhibits and the logic of FortiSASE On/off-net detection, the endpoint's behavior is determined by its network environment relative to the configured rules.
Subnet Matching and Detection: The On-net rule set (named "On-Premises") is configured to identify a trusted location when the endpoint "Connects from a known local subnet". The administrator has defined the known subnet as 192.168.13.0/24. Since the endpoint's IP address is 192.168.13.101, it falls within this range. Consequently, FortiClient detects the endpoint as being on-net (on-fabric).
Action Logic (Exemption): In a FortiSASE Endpoint Profile, when On/off-net detection is enabled and an endpoint matches an "On-net" rule, the standard behavior is to exempt the endpoint from auto-connecting to the FortiSASE VPN tunnel. This design assumes the endpoint is already in a secured office environment where the corporate firewall (FortiGate) provides the necessary protection, making the SASE tunnel redundant.
Comparison of Other Options:
Option B: Incorrect, because the IP matches the defined "known local subnet" rule for on-net detection.
Option D: Incorrect, as auto-connect only triggers when the endpoint is detected as off-net to ensure remote security.
How does FortiSASE Secure Private Access (SPA) facilitate connectivity to private resources in a hub-and-spoke network? (Choose one answer)
SPA establishes direct links to spokes without IPsec or BGP and uses an easy configuration key to secure web traffic for remote users.
SPA applies source network address translation (SNAT) for remote user traffic and uses IKEv1 for IPsec tunnels to connect to standalone hubs without BGP support.
SPA connects to private resources using HTTP and HTTPS protocols and relies on FortiClient for agentless access to SD-WAN deployments.
SPA connects a FortiSASE POP to a FortiGate hub or SD-WAN deployment using IPsec and BGP for dynamic route exchange with an easy configuration key for simplified setup on FortiOS.
FortiSASE Secure Private Access (SPA) is designed to provide remote users with seamless and secure access to private applications hosted behind an organization's FortiGate Next-Generation Firewall (NGFW) or SD-WAN hubs.
Hub-and-Spoke Architecture: In this deployment model, the organization’s FortiGate (either a standalone NGFW or an SD-WAN hub) acts as the hub, while the global FortiSASE Security Points of Presence (PoPs) act as spokes.
IPsec and BGP Integration: The connectivity between the FortiSASE PoPs and the corporate hub is established via IPsec VPN tunnels. To manage routing and ensure that remote users can reach the correct internal subnets, Border Gateway Protocol (BGP) is used for dynamic route exchange. This allows the hub to advertise internal prefixes to FortiSASE, enabling the PoPs to route user traffic effectively without requiring complex static route management.
Simplified Configuration: To reduce administrative overhead and prevent manual configuration errors on the FortiOS side, Fortinet introduced the SPA easy configuration key (also known as an invitation code or simplified SPA setup). An administrator generates this key in the FortiSASE portal and enters it on the FortiGate hub. This triggers the Fabric Overlay Orchestrator to automatically provision the necessary IPsec tunnels, BGP peerings, and firewall policies required for SPA connectivity.
According to the FortiSASE 25 Architecture Guide, this method is preferred over legacy VPNs because it supports both TCP and UDP traffic, integrates natively with existing SD-WAN deployments, and automatically finds the shortest path to applications using ADVPN (Auto-Discovery VPN) shortcuts where applicable.
Which information does FortiSASE use to bring network lockdown into effect on an endpoint? (Choose one answer)
Zero-day malware detection on endpoint
The number of critical vulnerabilities detected on the endpoint
The connection status of the tunnel to FortiSASE
The security posture of the endpoint based on ZTNA tags
The Network Lockdown feature in FortiSASE is a specialized security control designed to ensure that managed endpoints remain protected by the SASE security stack at all times.
Mechanism of Action: Network lockdown relies specifically on the connection status of the tunnel to FortiSASE. When this feature is enabled in the Endpoint Profile, the FortiClient agent monitors whether the secure VPN tunnel (SSL or IPsec) to a FortiSASE Point of Presence (PoP) is active.
Enforcement Logic: If the agent detects that the tunnel is disconnected, it immediately places the endpoint's network interface into a "locked" state. In this state, all inbound and outbound network traffic is blocked, with the exception of traffic required to re-establish the connection to the FortiSASE infrastructure.
Purpose: This prevents "leakage" where an endpoint might communicate directly with the internet without inspection if the VPN tunnel drops or is manually disabled by the user. It essentially mandates that the device is either connected to FortiSASE or has no network access at all.
Analysis of Incorrect Options:
Option A and B: While malware and vulnerabilities affect the security posture, they trigger different remediation actions (like quarantine or patching) rather than the "Network Lockdown" tunnel-state feature.
Option D: ZTNA tags identify the security posture to allow or deny access to specific applications, whereas Network Lockdown is a binary state (On/Off) affecting all network traffic based purely on tunnel connectivity.
Which two advantages does FortiSASE bring to businesses with multiple branch offices? (Choose two.)
It offers centralized management for simplified administration.
It enables seamless integration with third-party firewalls.
It offers customizable dashboard views for each branch location.
It eliminates the need to have an on-premises firewall for each branch.
FortiSASE brings the following advantages to businesses with multiple branch offices:
Centralized Management for Simplified Administration:
FortiSASE provides a centralized management platform that allows administrators to manage security policies, configurations, and monitoring from a single interface.
This simplifies the administration and reduces the complexity of managing multiple branch offices.
Eliminates the Need for On-Premises Firewalls:
FortiSASE enables secure access to the internet and cloud applications without requiring dedicated on-premises firewalls at each branch office.
This reduces hardware costs and simplifies network architecture, as security functions are handled by the cloud-based FortiSASE solution.
Which two components are part of onboarding a secure web gateway (SWG) endpoint? (Choose two)
FortiSASE CA certificate
proxy auto-configuration (PAC) file
FortiSASE invitation code
FortiClient installer
Onboarding a Secure Web Gateway (SWG) endpoint involves several components to ensure secure and effective integration with FortiSASE. Two key components are the FortiSASE CA certificate and the proxy auto-configuration (PAC) file.
FortiSASE CA Certificate:
The FortiSASE CA certificate is essential for establishing trust between the endpoint and the FortiSASE infrastructure.
It ensures that the endpoint can securely communicate with FortiSASE services and inspect SSL/TLS traffic.
Proxy Auto-Configuration (PAC) File:
The PAC file is used to configure the endpoint to direct web traffic through the FortiSASE proxy.
It provides instructions on how to route traffic, ensuring that all web requests are properly inspected and filtered by FortiSASE.
Refer to the exhibit.

A customer wants to fine-tune network assignments on FortiSASE, so they modified the IPAM configuration as shown in the exhibit. After this configuration, the customer started having connectivity problems and noticed that devices are using excluded ranges. What could be causing the unexpected behavior and connectivity problems? (Choose two answers)
The pool must include at least one /20 per security POP for the IPAM to work correctly.
The pool must include at least one /16 per Instance for the IPAM to work correctly.
The pool must include at least one /20 per Instance for the IPAM to work correctly.
The customer excluded too many networks from the pool.
IP Address Management (IPAM) in FortiSASE is responsible for automatically allocating subnets to various services, including VPN tunnels and Edge devices. When an administrator modifies the default IPAM configuration, they must adhere to specific architectural scaling requirements.
Subnet Requirements per PoP: FortiSASE architecture requires a minimum amount of address space to be available for each provisioned Security Point of Presence (PoP) to handle internal routing and endpoint assignments. For the IPAM engine to function correctly and distribute unique subnets across the global infrastructure, the pool must provide at least one /20 subnet per security PoP. If the available space is smaller than this per-PoP requirement, the allocation logic may fail or produce unpredictable routing behavior.
Impact of Excessive Exclusions: In the exhibit (image_578940.png), the customer has defined a large summary pool of 172.16.0.0/12. However, they have configured eight separate /15 excluded subnets: 172.16.0.0/15, 172.18.0.0/15, 172.20.0.0/15, 172.22.0.0/15, 172.24.0.0/15, 172.26.0.0/15, 172.28.0.0/15, and 172.30.0.0/15.
Calculating the Exhaustion: A /12 network contains exactly eight /15 blocks. By excluding all eight /15 ranges listed in the exhibit, the customer has effectively excluded 100% of the available addresses from the primary 172.16.0.0/12 pool.
Connectivity Problems: When the IPAM pool is exhausted or overly restricted, FortiSASE cannot assign valid, non-overlapping subnets to the PoPs. This leads to connectivity problems for remote users and can cause the system to "fall back" to ranges it believes are available, even if they were intended to be excluded, or simply fail to establish tunnels entirely.
To resolve this, the administrator must ensure that the excluded subnets do not consume the entire pool and that the remaining unexcluded space is large enough to provide a /20 block for every active PoP in their subscription.
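The exhaustion arithmetic above can be checked mechanically. The following is an added example, not part of the original question set or any Fortinet tool: it subtracts the excluded ranges from the pool and counts how many /20 blocks remain, using the eight /15 exclusions from the exhibit. The PoP count and the "corrected" exclusion list are assumptions for illustration.

```python
import ipaddress

# Constructed to match the exhibit discussed above: a /12 summary pool with
# eight /15 exclusions. The one-/20-per-PoP requirement is the rule stated in
# the explanation; the PoP count passed to check_ipam() is an assumed value.
POOL = "172.16.0.0/12"
EXCLUDED = [
    "172.16.0.0/15", "172.18.0.0/15", "172.20.0.0/15", "172.22.0.0/15",
    "172.24.0.0/15", "172.26.0.0/15", "172.28.0.0/15", "172.30.0.0/15",
]
REQUIRED_PREFIX = 20  # IPAM needs at least one /20 per security PoP


def usable_blocks(pool, excluded, prefix=REQUIRED_PREFIX):
    """Return the /prefix subnets left in `pool` after carving out `excluded`."""
    remaining = [ipaddress.ip_network(pool)]
    for ex in excluded:
        ex_net = ipaddress.ip_network(ex)
        next_remaining = []
        for net in remaining:
            if ex_net.subnet_of(net):
                # Split `net` around the exclusion; yields nothing if they are equal.
                next_remaining.extend(net.address_exclude(ex_net))
            elif net.subnet_of(ex_net):
                continue  # this fragment is entirely inside the exclusion
            else:
                next_remaining.append(net)
        remaining = next_remaining
    blocks = []
    for net in sorted(remaining):
        if net.prefixlen <= prefix:  # fragments smaller than a /20 cannot host one
            blocks.extend(net.subnets(new_prefix=prefix))
    return blocks


def check_ipam(pool, excluded, pop_count, prefix=REQUIRED_PREFIX):
    """Return (ok, available_/20_blocks, blocks_required) for a subscription."""
    available = len(usable_blocks(pool, excluded, prefix))
    return available >= pop_count, available, pop_count


if __name__ == "__main__":
    # Exhibit as configured: every /15 of the /12 is excluded -> nothing usable.
    print("as in exhibit:", check_ipam(POOL, EXCLUDED, pop_count=10))
    # Assumed correction: keep only the first four exclusions so 172.24.0.0/13
    # (128 x /20) stays available for the PoPs.
    print("corrected:    ", check_ipam(POOL, EXCLUDED[:4], pop_count=10))
```

With the exhibit's exclusions the pool yields zero /20 blocks, which is the exhaustion the explanation describes; dropping the last four exclusions leaves 172.24.0.0/13, enough for 128 PoPs at one /20 each.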
A FortiSASE administrator is configuring a Secure Private Access (SPA) solution to share endpoint information with a corporate FortiGate.
Which three configuration actions will achieve this solution? (Choose three.)
Add the FortiGate IP address in the secure private access configuration on FortiSASE.
Use the FortiClient EMS cloud connector on the corporate FortiGate to connect to FortiSASE
Register FortiGate and FortiSASE under the same FortiCloud account.
Authorize the corporate FortiGate on FortiSASE as a ZTNA access proxy.
Apply the FortiSASE zero trust network access (ZTNA) license on the corporate FortiGate.
To configure a Secure Private Access (SPA) solution to share endpoint information between FortiSASE and a corporate FortiGate, you need to take the following steps:
Add the FortiGate IP address in the secure private access configuration on FortiSASE:
This step allows FortiSASE to recognize and establish a connection with the corporate FortiGate.
Use the FortiClient EMS cloud connector on the corporate FortiGate to connect to FortiSASE:
The EMS (Endpoint Management Server) cloud connector facilitates the integration between FortiClient endpoints and FortiSASE, enabling seamless sharing of endpoint information.
Register FortiGate and FortiSASE under the same FortiCloud account:
By registering both FortiGate and FortiSASE under the same FortiCloud account, you ensure centralized management and synchronization of configurations and policies.
What is required to enable the MSSP feature on FortiSASE? (Choose one answer)
Multi-tenancy must be enabled on the FortiSASE portal.
MSSP user accounts and permissions must be configured on the FortiSASE portal.
The MSSP add-on license must be applied to FortiSASE.
Role-based access control (RBAC) must be assigned to identity and access management (IAM) users using the FortiCloud IAM portal.
To enable the Managed Security Service Provider (MSSP) feature on FortiSASE, the administrative framework must be established outside of the local SASE instance within the broader FortiCloud ecosystem.
FortiCloud IAM Integration: The FortiSASE MSSP portal relies on FortiCloud Identity & Access Management (IAM) to define the scope of management for internal teams. Administrators do not create local "MSSP users" within the SASE portal itself; instead, they must use the FortiCloud IAM portal to assign specific Role-Based Access Control (RBAC) to IAM users.
Permissions and Scope: These RBAC settings determine which customer tenants (Organizational Units or OUs) an MSSP administrator can view, configure, or monitor. Without the proper role assignment in the IAM portal, the MSSP portal and its multi-tenant viewing capabilities will not be accessible to the user, even if the account has the necessary licenses.
Hierarchical Management: Once RBAC is correctly assigned, the MSSP administrator can leverage the FortiCloud Organizations service to manage multiple customer accounts from a single pane of glass. This centralized approach ensures that security policies and configurations can be standardized across the entire customer base while maintaining strict data isolation between tenants.
According to the FortiSASE 25 Multitenant Deployment Guide, configuring the IAM portal is the primary prerequisite that grants an MSSP internal team the permissions necessary to perform operations on customer FortiSASE tenants.
In the Secure Private Access (SPA) use case, which two FortiSASE features facilitate access to corporate applications? (Choose two answers)
SD-WAN
zero trust network access (ZTNA)
thin edge
cloud access security broker (CASB)
In a FortiSASE deployment, the Secure Private Access (SPA) use case is specifically designed to provide remote users with secure, high-performance connectivity to internal corporate applications hosted in private data centers or public clouds. This is achieved through two primary architectural methods:
SD-WAN Integration (A): FortiSASE integrates natively with existing Fortinet Secure SD-WAN networks. In this architecture, the FortiSASE global PoPs act as spokes that establish automated IPsec tunnels to the organization’s FortiGate SD-WAN hubs. This allows the platform to use intelligent application steering and dynamic routing to find the shortest, most efficient path to private resources, ensuring a superior user experience.
Zero Trust Network Access (ZTNA) (B): FortiSASE provides Universal ZTNA to enforce granular, per-session access control. Unlike traditional VPNs that grant broad network access, ZTNA verifies the user's identity and the endpoint's security posture (via ZTNA tags) before every application session. This ensures that users only have access to the specific corporate applications they are authorized to use, significantly reducing the attack surface.
Analysis of Other Options:
Thin Edge (C) is a connectivity method used to secure branch offices and micro-branches (typically using FortiExtender), rather than a specific feature for facilitating private corporate application access for individual remote users.
CASB (D) is used for Secure SaaS Access (SSA) to provide visibility and control over third-party cloud applications like Office 365, rather than private applications hosted on-premises.
A customer wants to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid network. Which FortiSASE features would help the customer to achieve this outcome?
SD-WAN and NGFW
SD-WAN and inline-CASB
zero trust network access (ZTNA) and next generation firewall (NGFW)
secure web gateway (SWG) and inline-CASB
For a customer looking to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid network, the combination of Secure Web Gateway (SWG) and Inline Cloud Access Security Broker (CASB) features in FortiSASE will provide the necessary capabilities.
Secure Web Gateway (SWG):
SWG provides comprehensive web security by inspecting and filtering web traffic to protect against web-based threats.
It ensures that all web traffic, whether originating from on-premises or remote locations, is inspected and secured by the cloud-based proxy.
Inline Cloud Access Security Broker (CASB):
CASB enhances security by providing visibility and control over cloud applications and services.
Inline CASB integrates with SWG to enforce security policies for cloud application usage, preventing unauthorized access and data leakage.
Your organization is currently using FortiSASE for its cybersecurity. They have recently hired a contractor who will work from the HQ office and who needs temporary internet access in order to set up a web-based point of sale (POS) system. How can you provide secure internet access to the contractor using FortiSASE? (Choose one answer)
Use a proxy auto-configuration (PAC) file and provide secure web gateway (SWG) service as an explicit web proxy.
Use a tunnel policy with a contractors user group as the source on FortiSASE to provide internet access.
Use zero trust network access (ZTNA) and tag the client as an unmanaged endpoint.
Use the self-registration portal on FortiSASE to grant internet access.
In the FortiSASE architecture, there are two primary methods for delivering Secure Internet Access (SIA): Agent-based (using FortiClient) and Agentless (using Secure Web Gateway/SWG).
Use Case Analysis: The scenario describes a contractor—an unmanaged user—who requires temporary access for a web-based application (the POS system). For contractors or guests using personal/non-corporate devices where installing the FortiClient agent is either not feasible or not desired, FortiSASE provides the SIA Agentless deployment model.
Mechanism (SWG & PAC): In this mode, FortiSASE functions as an explicit web proxy. To steer the contractor's web traffic (HTTP/HTTPS) to the SASE cloud for inspection, the administrator provides the user with a proxy auto-configuration (PAC) file. The contractor simply configures their browser or operating system to point to the URL of this PAC file.
Security Enforcement: Once the PAC file is applied, all web traffic from the contractor's device is redirected to the FortiSASE SWG PoP. Here, the traffic is subject to the organization’s full security stack, including SSL deep inspection, Antivirus, Web Filtering, and Application Control, ensuring that even temporary contractor access is fully secured and logged.
Why other options are incorrect:
Option B (Tunnel Policy): This refers to agent-based access where a VPN tunnel is established. This requires FortiClient, which is generally not used for temporary contractors on unmanaged devices.
Option C (ZTNA Unmanaged): While ZTNA supports agentless access to private applications (SPA), providing internet access (SIA) to an unmanaged endpoint is specifically the role of the SWG/Proxy service.
Option D (Self-registration): While FortiSASE has a User Portal for onboarding, it is a method for user registration/credential management, not the technical traffic-steering mechanism used to provide internet connectivity.
According to the FortiSASE 25 Secure Internet Access Architecture Guide, the SWG (Agentless) approach is the recommended best practice for securing web-only traffic from unmanaged endpoints and third-party contractors.
What is the purpose of security posture tagging in ZTNA? (Choose one answer)
To assign usernames to different devices for security logs
To ensure that all devices and users are monitored continuously
To provide granular access control based on the compliance status of devices and users
To categorize devices and users based on their role in the organization
In the context of Zero Trust Network Access (ZTNA), security posture tagging is the fundamental mechanism used to enforce compliance and security standards before granting access to protected resources.
Granular Access Control: The primary purpose of tagging is to provide granular access control. Instead of relying solely on static credentials, ZTNA uses these dynamic tags to determine if a device or user meets specific security requirements at the moment of the connection request.
Compliance-Based Enforcement: Tags are assigned based on the compliance status of the endpoint. For example, the FortiSASE Endpoint Management Service (EMS) can verify if a device has an active antivirus, is running a specific OS version, or is joined to the corporate domain. If the device fails any of these checks, the "Compliant" tag is removed, and access is automatically revoked.
Dynamic and Continuous Assessment: Unlike traditional VPNs that check posture only at login, ZTNA posture tagging allows for continuous assessment. If a device's security posture changes—for instance, if the user disables their firewall—the tag is updated in real-time across the Security Fabric, and the ZTNA policy will immediately deny further access.
Integration with Policies: On the FortiGate (acting as a ZTNA proxy) or within FortiSASE, these tags are used as source criteria in ZTNA policies. Only traffic originating from endpoints with the required tags (e.g., "EMS-Tag: Corporate-Managed") is permitted to reach the protected application.
Refer to the exhibits.

A FortiSASE administrator has configured FortiSASE as a spoke to a FortiGate hub. The tunnel is up to the FortiGate hub. However, the remote FortiClient is not able to access the web server hosted behind the FortiGate hub. What is the reason for the access failure? (Choose one answer)
The hub is not advertising the required routes.
A private access policy has denied the traffic because of failed compliance.
The hub firewall policy does not include the FortiClient address range.
The server subnet BGP route was not received on FortiSASE.
Based on the detailed analysis of the provided exhibits (image_65feb6.jpg), the connectivity failure is caused by a mismatch in the Hub firewall policy configuration.
Endpoint Analysis: The Network Diagram shows the FortiClient endpoint has an IP address of 100.65.80.2/20 and currently carries the FortiSASE-Compliant ZTNA tag.
FortiSASE Policy Validation: The Private access policy on FortiSASE shows an "Accept" rule for traffic originating from "FortiSASE-Compliant" sources destined for "All Private Access Traffic". This confirms the traffic is successfully leaving the FortiSASE PoP.
Routing Validation: The Learned BGP Routes on FortiSASE table shows the prefix 10.160.160.0/24 (the Server subnet) is correctly received via Next Hop 10.11.11.1. Routing is correctly established.
Hub Firewall Policy Error: Examining the Hub firewall policy (edit 7), the srcaddr is set to "SASE_Remote_Access". Looking at the address object definition for "SASE_Remote_Access," it is configured with the subnet 10.11.11.0 255.255.255.0.
The Conflict: The FortiClient's actual IP address (100.65.80.2) does not fall within the 10.11.11.0/24 range defined in the policy's source address. On a FortiGate hub, for traffic to be permitted through the tunnel to the internal server, the firewall policy must include the specific subnet assigned to the remote clients, not just the tunnel interface subnet. Because the FortiClient address range is missing from the hub's policy, the traffic is dropped at the hub.
Refer to the exhibit.

Which type of information or actions are available to a FortiSASE administrator from the following output? (Choose one answer)
Administrators can view and configure endpoint profiles and ZTNA tags.
Administrators can view and configure automatic patching of endpoints, and first detected date for applications.
Administrators can view latest application version available and push updates to managed endpoints.
Administrators can view application details, such as vendor, version, and installation dates to identify unwanted or outdated software.
The provided exhibit (image_57e69d.jpg) displays the Software Installations dashboard within the FortiSASE portal. This dashboard is a key component of the endpoint visibility and management features provided by the integrated FortiClient EMS functionality.
Visible Metadata: The output provides a granular list of all software detected on managed endpoints, including the application Name, the Vendor (e.g., Igor Pavlov, Microsoft Corporation, Adobe), the specific Version currently installed, and critical timestamps such as First Detected and Last Installed.
Administrative Utility: This information allows an administrator to audit the software environment effectively. By reviewing these details, they can identify unwanted software (PUA), shadow IT, or outdated software versions that may possess known vulnerabilities.
Actions Available: While the primary view is informational, the presence of the View Endpoints button (visible in the top-left) allows administrators to pivot from a specific application to a list of all individual devices where that software is present, facilitating targeted remediation.
Analysis of Incorrect Options:
Option A: While FortiSASE manages profiles and tags, this specific "Software Installations" view is focused purely on software inventory.
Option B: Although the "First Detected" date is visible, FortiSASE does not support "automatic patching" of third-party software directly from this inventory screen.
Option C: The dashboard shows what is installed, not the "latest available" version in the market, nor does it provide a mechanism to "push updates" to these third-party applications.
Refer to the exhibits.


When remote users connected to FortiSASE require access to internal resources on Branch-2, how will traffic be routed?
FortiSASE will use the SD-WAN capability and determine that traffic will be directed to HUB-2, which will then route traffic to Branch-2.
FortiSASE will use the AD VPN protocol and determine that traffic will be directed to Branch-2 directly, using a static route
FortiSASE will use the SD-WAN capability and determine that traffic will be directed to HUB-1, which will then route traffic to Branch-2.
FortiSASE will use the AD VPN protocol and determine that traffic will be directed to Branch-2 directly, using a dynamic route
When remote users connected to FortiSASE require access to internal resources on Branch-2, the following process occurs:
SD-WAN Capability:
FortiSASE leverages SD-WAN to optimize traffic routing based on performance metrics and priorities.
In the priority settings, HUB-1 is configured with the highest priority (P1), whereas HUB-2 has a lower priority (P2).
Traffic Routing Decision:
FortiSASE evaluates the available hubs (HUB-1 and HUB-2) and selects HUB-1 due to its highest priority setting.
Once the traffic reaches HUB-1, it is then routed to the appropriate branch based on internal routing policies.
Branch-2 Access:
Since HUB-1 has the highest priority, FortiSASE directs the traffic to HUB-1.
HUB-1 then routes the traffic to Branch-2, providing the remote users access to the internal resources.
What are two advantages of using zero-trust tags? (Choose two.)
Zero-trust tags can be used to allow or deny access to network resources
Zero-trust tags can determine the security posture of an endpoint.
Zero-trust tags can be used to create multiple endpoint profiles which can be applied to different endpoints
Zero-trust tags can be used to allow secure web gateway (SWG) access
Zero-trust tags are critical in implementing zero-trust network access (ZTNA) policies. Here are the two key advantages of using zero-trust tags:
Access Control (Allow or Deny):
Zero-trust tags can be used to define policies that either allow or deny access to specific network resources based on the tag associated with the user or device.
This granular control ensures that only authorized users or devices with the appropriate tags can access sensitive resources, thereby enhancing security.
Determining Security Posture:
Zero-trust tags can be utilized to assess and determine the security posture of an endpoint.
Based on the assigned tags, FortiSASE can evaluate the device's compliance with security policies, such as antivirus status, patch levels, and configuration settings.
Devices that do not meet the required security posture can be restricted from accessing the network or given limited access.
Which statement best describes the Digital Experience Monitor (DEM) feature on FortiSASE? (Choose one answer)
It monitors the FortiSASE POP health based on ping probes.
It is used for performing device compliance checks on endpoints.
It provides end-to-end network visibility from all the FortiSASE security PoPs to a specific SaaS application.
It gathers all the vulnerability information from all the FortiClient endpoints.
The Digital Experience Monitor (DEM) feature in FortiSASE is a specialized monitoring tool integrated into the SASE cloud to ensure optimal application performance and user satisfaction.
Purpose and Visibility: DEM is designed to provide end-to-end network visibility by monitoring the health and performance of the connections between the global FortiSASE security Points of Presence (PoPs) and specific SaaS applications (such as Microsoft 365, WebEx, or Dropbox).
Performance Metrics: It identifies and helps troubleshoot issues related to latency, jitter, and packet loss. By leveraging vantage points within the SASE infrastructure, administrators can determine if a performance bottleneck resides within the local network, the SASE backbone, or the SaaS provider's environment.
Integration: This feature is often powered by FortiMonitor, allowing for synthetic transaction monitoring (STM) to simulate user interactions and proactively spot performance issues before they impact the hybrid workforce.
Operational Efficiency: By providing comprehensive insights across users and PoPs, DEM reduces the time required to resolve "slowness" complaints, which are common in remote work scenarios.
Comparison of Other Features:
Option A: While FortiSASE monitors PoP health, DEM's primary value is the end-to-end path to the application.
Option B: Compliance checks are a function of Endpoint Profiles and ZTNA tagging rules, not the monitoring dashboard.
Option D: Vulnerability management is handled by the Vulnerability Scan feature within the managed FortiClient settings.
Refer to the exhibits.

How will the application vulnerabilities be patched, based on the exhibits provided? (Choose one answer)
An administrator will patch the vulnerability remotely using FortiSASE.
The end user will patch the vulnerabilities using the FortiClient software.
The vulnerability will be patched by installing the patch from the vendor's website.
The vulnerability will be patched automatically based on the endpoint profile configuration.
Based on the settings shown in the provided exhibits, the vulnerability remediation workflow is determined by the Endpoint Profile and the Vulnerability Dashboard.
Endpoint Profile Evaluation: The top exhibit displays the Scan for Vulnerabilities settings. The toggle for Automatically patch vulnerabilities is explicitly set to Disabled. Consequently, the system will not perform automated remediation when a scan completes.
Manual Patching Requirement: The Vulnerability Dashboard (bottom exhibit) lists several application vulnerabilities with a Patching status of Manual patching required. In a FortiSASE environment, "Manual" indicates that the vulnerability cannot be handled by the client's autonomous update process and requires a direct instruction from the management plane.
Administrative Intervention: The dashboard includes a Patch endpoints action button. Since auto-patching is disabled in the profile, an administrator must manually select the vulnerabilities and click the "Patch endpoints" button to remotely trigger the patching sequence on the managed endpoints via the FortiSASE cloud service.
Workflow Logic: While FortiClient acts as the "conductor" on the local machine to facilitate the download and installation, the trigger for this specific scenario is the administrator's remote action within the portal. This differentiates it from Option D (which is disabled) and Option C (which would involve a user manually browsing a website outside the managed SASE workflow).
An organization wants to block all video and audio application traffic but grant access to videos from CNN. Which application override action must you configure in the Application Control with Inline-CASB?
Allow
Pass
Permit
Exempt
To block all video and audio application traffic while granting access to videos from CNN, you need to configure an application override action in the Application Control with Inline-CASB. Here is the step-by-step detailed explanation:
Application Control Configuration:
Application Control is used to identify and manage application traffic based on predefined or custom application signatures.
Inline-CASB (Cloud Access Security Broker) extends these capabilities by allowing more granular control over cloud applications.
Blocking Video and Audio Applications:
To block all video and audio application traffic, you can create a policy within Application Control to deny all categories related to video and audio streaming.
Granting Access to Specific Videos (CNN):
To allow access to videos from CNN specifically, you must create an override rule within the same Application Control profile.
The override action "Exempt" ensures that traffic to specified URLs (such as those from CNN) is not subjected to the blocking rules set for other video and audio traffic.
Configuration Steps:
Navigate to the Application Control profile in the FortiSASE interface.
Set the application categories related to video and audio streaming to "Block."
Add a new override entry for CNN video traffic and set the action to "Exempt."
Copyright © 2014-2026 Certensure. All Rights Reserved