Your organization is currently using FortiSASE for its cybersecurity. They have recently hired a contractor who will work from the HQ office and who needs temporary internet access in order to set up a web-based point of sale (POS) system. How can you provide secure internet access to the contractor using FortiSASE? (Choose one answer)
Correct Answer: A
In the FortiSASE architecture, there are two primary methods for delivering Secure Internet Access (SIA): Agent-based (using FortiClient) and Agentless (using Secure Web Gateway/SWG). * Use Case Analysis: The scenario describes a contractor-an unmanaged user-who requires temporary access for a web-based application (the POS system). For contractors or guests using personal/non-corporate devices where installing the FortiClient agent is either not feasible or not desired, FortiSASE provides the SIA Agentless deployment model. * Mechanism (SWG & PAC): In this mode, FortiSASE functions as an explicit web proxy. To steer the contractor's web traffic (HTTP/HTTPS) to the SASE cloud for inspection, the administrator provides the user with a proxy auto-configuration (PAC) file. The contractor simply configures their browser or operating system to point to the URL of this PAC file. * Security Enforcement: Once the PAC file is applied, all web traffic from the contractor's device is redirected to the FortiSASE SWG PoP. Here, the traffic is subject to the organization's full security stack, including SSL deep inspection, Antivirus, Web Filtering, and Application Control, ensuring that even temporary contractor access is fully secured and logged. * Why other options are incorrect: * Option B (Tunnel Policy): This refers to agent-based access where a VPN tunnel is established. This requires FortiClient, which is generally not used for temporary contractors on unmanaged devices. * Option C (ZTNA Unmanaged): While ZTNA supports agentless access to private applications (SPA), providing internet access (SIA) to an unmanaged endpoint is specifically the role of the SWG/Proxy service. * Option D (Self-registration): While FortiSASE has a User Portal for onboarding, it is a method for user registration/credential management, not the technical traffic-steering mechanism used to provide internet connectivity. According to the FortiSASE 25 Secure Internet Access Architecture Guide, the SWG (Agentless) approach is the recommended best practice for securing web-only traffic from unmanaged endpoints and third- party contractors.
NSE7_SSE_AD-25 Exam Question 32
What happens to the logs on FortiSASE that are older than the configured log retention period? (Choose one answer)
Correct Answer: A
In a FortiSASE environment, log management is governed by a cloud-native storage policy that prioritizes performance and resource availability. * Retention Policy Framework: All FortiSASE instances come with log retention enabled by default. The standard log retention period is 30 days, though administrators can customize this policy to any duration between 2 and 30 days. This policy applies across all log types, including traffic, security, and event logs. * Automatic Deletion (A): When logs exceed the configured retention threshold, FortiSASE automatically deletes the older logs from the platform.2 This automatic purging is necessary to free up storage space on the cloud infrastructure and maintain compliance with the organization's data lifecycle settings. * Persistence and Recovery: Once logs are deleted due to the expiration of the retention period, they are generally unrecoverable from the FortiSASE platform. * Long-Term Storage Solutions: Because FortiSASE is not designed as a long-term archival solution, customers who need to store logs for months or years for regulatory compliance should configure log forwarding to an external server, such as a FortiAnalyzer or a remote Syslog server. * Analysis of Incorrect Options: * Option B and D: While traditional FortiAnalyzer deployments use SQL indexing and separate "Archive" (raw/compressed) vs. "Analytics" (SQL) tiers, FortiSASE uses a simplified cloud storage model where data is purged rather than archived or tier-shifted upon expiry. * Option C: While FortiSASE is part of the FortiCloud ecosystem, it does not automatically "back up" expired logs to another FortiCloud service; the deletion is final unless external forwarding is active.
NSE7_SSE_AD-25 Exam Question 33
A customer configured the On/off-net detection rule to disable FortiSASE VPN auto-connect when users are inside the corporate network. The rule is set to Connects with a known public IP using the company's public IP address. However, when the users are on the corporate network, the FortiSASE VPN still auto-connects. The customer has confirmed that traffic is going to the internet with the correct IP address. Which configuration is causing the issue? (Choose one answer)
Correct Answer: C
The FortiSASE On/off-net detection feature is a two-part configuration designed to optimize bandwidth and user experience by determining when a device is in a trusted environment. * Rule Set Definition: The first part involves defining what constitutes an "on-net" or "on-fabric" status. In this scenario, the customer successfully configured a rule set named CERT-PUBLIC-IP using the Connects with a known public IP detection type. This tells FortiSASE that if the endpoint's public WAN IP matches the corporate gateway, it is considered to be on the corporate network. * Profile Exemption Logic: Defining the rule set is not enough to stop the VPN connection. Within the Endpoint Profile (under the Connection tab > On/off-net Settings), there is a specific toggle labeled Exempt endpoint from FortiSASE auto-connect when endpoint is on-net (or in some versions, Bypass FortiSASE when endpoint is on-net). * Exhibit Analysis: Looking at the provided exhibit (image_57097d.jpg), the "Exempt endpoint from FortiSASE auto-connect..." toggle is clearly disabled (switched to the left). * Root Cause: Because this toggle is disabled, FortiClient identifies that it is "on-net" based on the IP rule, but it has no instruction to skip the VPN connection. Consequently, the "Automatically" initiate tunnel setting remains the dominant instruction, causing the VPN to connect regardless of the network location. To resolve the issue, the administrator must enable the Exempt endpoint from FortiSASE auto-connect when endpoint is on-net option in the SASECert01 profile.
NSE7_SSE_AD-25 Exam Question 34
An organization needs to resolve internal hostnames using its internal rather than public DNS servers for remotely connected endpoints. Which two components must be configured on FortiSASE to achieve this? (Choose two.)
Correct Answer: B,C
To resolve internal hostnames using internal DNS servers for remotely connected endpoints, the following two components must be configured on FortiSASE: * Split DNS Rules: * Split DNS allows the configuration of specific DNS queries to be directed to internal DNS servers instead of public DNS servers. * This ensures that internal hostnames are resolved using the organization's internal DNS infrastructure, maintaining privacy and accuracy for internal network resources. * Split Tunneling Destinations: * Split tunneling allows specific traffic (such as DNS queries for internal domains) to be routed through the VPN tunnel while other traffic is sent directly to the internet. * By configuring split tunneling destinations, you can ensure that DNS queries for internal hostnames are directed through the VPN to the internal DNS servers. References: FortiOS 7.6 Administration Guide: Provides details on configuring split DNS and split tunneling for VPN clients. FortiSASE 23.2 Documentation: Explains the implementation and configuration of split DNS and split tunneling for securely resolving internal hostnames.
NSE7_SSE_AD-25 Exam Question 35
You have configured FortiSASE Secure Private Access (SPA) deployment. Which statement is true about traffic flows? (Choose two answers)
Correct Answer: C,D
FortiSASE Secure Private Access (SPA) offers two distinct architectural methods for connecting remote users to private applications: SD-WAN-based SPA and ZTNA-based SPA. Each utilizes a different traffic flow to balance security and performance requirements. * SD-WAN Private Access (Hub-and-Spoke): In this model, the FortiSASE Security Points of Presence (PoPs) act as spokes in a traditional hub-and-spoke VPN topology. When a remote user attempts to access a private network, the traffic is first steered to the closest FortiSASE PoP. The PoP then routes that traffic over a persistent IPsec tunnel to the corporate FortiGate hub (or SPA hub). This ensures that all traffic, regardless of protocol (TCP/UDP), can be inspected by the SASE security stack before entering the private network. * Zero Trust Network Access (ZTNA): Unlike the SD-WAN approach, ZTNA is designed for a "shortest path" connection. While FortiSASE manages the endpoint's posture and issues certificates, the actual application traffic (the data plane) bypasses the FortiSASE PoP. Instead, the FortiClient agent on the endpoint establishes a direct HTTPS or TCP-forwarding connection to the ZTNA Access Proxy configured on the corporate FortiGate. This significantly reduces latency and is ideal for high- performance TCP-based applications. According to the FortiSASE 25 Secure Internet Access Architecture Guide, "In FortiSASE, ZTNA refers to traffic that is destined directly to private resources using the FortiGate ZTNA access proxy traffic flow," whereas for SD-WAN SPA, the PoPs "rely on IPsec overlays... to secure and route traffic between PoPs and the networks behind an organization's SD-WAN hubs."