
FCSS SASE AD 24 Updated

The document contains a series of questions and answers related to FortiSASE configurations and functionalities, including antivirus profiles, application control, zero-trust tags, and secure web gateway policies. It addresses specific scenarios and configurations that affect user access and security posture, providing explanations for each answer. The content is structured as a quiz format, aimed at testing knowledge on FortiSASE features and deployment methods.

Uploaded by

billywizer1985

+918087977656 FCSS SASE AD 24 passyourccie@gmail.com

 TOTAL QUESTIONS:43

Question: 1

Refer to the exhibits.



A FortiSASE administrator has configured an antivirus profile in the security profile group and applied
it to the internet access policy. Remote users are still able to download the eicar.com-zip file from
https://eicar.org. Traffic logs show traffic is allowed by the policy.
Which configuration on FortiSASE is allowing users to perform the download?

A. Web filter is allowing the traffic.


B. IPS is disabled in the security profile group.
C. The HTTPS protocol is not enabled in the antivirus profile.
D. Force certificate inspection is enabled in the policy.

Answer: D

Explanation:
https://community.fortinet.com/t5/FortiSASE/Technical-Tip-Force-Certificate-Inspection-option-in-FortiSASE/ta-p/302617

Question: 2

An organization wants to block all video and audio application traffic but grant access to videos from
CNN. Which application override action must you configure in the Application Control with Inline-CASB?

A. Allow
B. Pass
C. Permit
D. Exempt

Answer: A

Explanation:

https://docs.fortinet.com/document/fortisase/24.4.75/sia-agent-based-deployment-guide/568255/configuring-application-control-profile

Question: 3

Refer to the exhibits.



When remote users connected to FortiSASE require access to internal resources on Branch-2, how
will traffic be routed?

A. FortiSASE will use the SD-WAN capability and determine that traffic will be directed to HUB-2,
which will then route traffic to Branch-2.
B. FortiSASE will use the AD VPN protocol and determine that traffic will be directed to Branch-2
directly, using a static route
C. FortiSASE will use the SD-WAN capability and determine that traffic will be directed to HUB-1,
which will then route traffic to Branch-2.
D. FortiSASE will use the AD VPN protocol and determine that traffic will be directed to Branch-2
directly, using a dynamic route

Answer: D

Explanation:

Question: 4

What are two advantages of using zero-trust tags? (Choose two.)

A. Zero-trust tags can be used to allow or deny access to network resources


B. Zero-trust tags can determine the security posture of an endpoint.
C. Zero-trust tags can be used to create multiple endpoint profiles which can be applied to different
endpoints
D. Zero-trust tags can be used to allow secure web gateway (SWG) access

Answer: AB

Explanation:
Zero-trust tags are critical in implementing zero-trust network access (ZTNA) policies. Here are the
two key advantages of using zero-trust tags:
Access Control (Allow or Deny):
Zero-trust tags can be used to define policies that either allow or deny access to specific network
resources based on the tag associated with the user or device.
This granular control ensures that only authorized users or devices with the appropriate tags can
access sensitive resources, thereby enhancing security.


Determining Security Posture:
Zero-trust tags can be utilized to assess and determine the security posture of an endpoint.
Based on the assigned tags, FortiSASE can evaluate the device's compliance with security policies,
such as antivirus status, patch levels, and configuration settings.
Devices that do not meet the required security posture can be restricted from accessing the network
or given limited access.
Reference:
FortiOS 7.2 Administration Guide: Provides detailed information on configuring and using zero-trust
tags for access control and security posture assessment.
FortiSASE 23.2 Documentation: Explains how zero-trust tags are implemented and used within the
FortiSASE environment for enhancing security and compliance.

Question: 5

Refer to the exhibit.

In the user connection monitor, the FortiSASE administrator notices the user name is showing
random characters. Which configuration change must the administrator make to get proper user
information?

A. Turn off log anonymization on FortiSASE.


B. Add more endpoint licenses on FortiSASE.
C. Configure the username using FortiSASE naming convention.
D. Change the deployment type from SWG to VPN.

Answer: A

Explanation:
In the user connection monitor, the random characters shown for the username indicate that log
anonymization is enabled. Log anonymization is a feature that hides the actual user information in
the logs for privacy and security reasons. To display proper user information, you need to disable log
anonymization.
Log Anonymization:
When log anonymization is turned on, the actual usernames are replaced with random characters to
protect user privacy.
This feature can be beneficial in certain environments but can cause issues when detailed user
monitoring is required.
Disabling Log Anonymization:
Navigate to the FortiSASE settings.
Locate the log settings section.
Disable the log anonymization feature to ensure that actual usernames are displayed in the logs and
user connection monitors.


Reference:
FortiSASE 23.2 Documentation: Provides detailed steps on enabling and disabling log anonymization.
Fortinet Knowledge Base: Explains the impact of log anonymization on user monitoring and logging.

Question: 6

Refer to the exhibit.

To allow access, which web filter configuration must you change on FortiSASE?

A. FortiGuard category-based filter


B. content filter
C. URL Filter
D. inline cloud access security broker (CASB) headers

Answer: B

Explanation:

Question: 7

Which policy type is used to control traffic between the FortiClient endpoint and FortiSASE for secure
internet access?

A. VPN policy
B. thin edge policy
C. private access policy
D. secure web gateway (SWG) policy

Answer: A

Explanation:

Question: 8

Which role does FortiSASE play in supporting zero trust network access (ZTNA) principles?

A. It offers hardware-based firewalls for network segmentation.


B. It integrates with software-defined network (SDN) solutions.
C. It can identify attributes on the endpoint for security posture check.
D. It enables VPN connections for remote employees.

Answer: C

Explanation:
FortiSASE supports zero trust network access (ZTNA) principles by identifying attributes on the
endpoint for security posture checks. ZTNA principles require continuous verification of user and
device credentials, as well as their security posture, before granting access to network resources.
Security Posture Check:
FortiSASE can evaluate the security posture of endpoints by checking for compliance with security
policies, such as antivirus status, patch levels, and configuration settings.
This ensures that only compliant and secure devices are granted access to the network.
Zero Trust Network Access (ZTNA):
ZTNA is based on the principle of "never trust, always verify," which requires continuous assessment
of user and device trustworthiness.
FortiSASE plays a crucial role in implementing ZTNA by performing these security posture checks and
enforcing access control policies.
Reference:
FortiOS 7.2 Administration Guide: Provides information on ZTNA and endpoint security posture
checks.
FortiSASE 23.2 Documentation: Details on how FortiSASE implements ZTNA principles.

Question: 9

When deploying FortiSASE agent-based clients, which three features are available compared to an
agentless solution? (Choose three.)

A. Vulnerability scan
B. SSL inspection
C. Anti-ransomware protection
D. Web filter
E. ZTNA tags

Answer: ACE

Explanation:

Question: 10

Which FortiSASE feature ensures least-privileged user access to all applications?

A. secure web gateway (SWG)


B. SD-WAN
C. zero trust network access (ZTNA)
D. thin branch SASE extension

Answer: C

Explanation:
Zero Trust Network Access (ZTNA) is the FortiSASE feature that ensures least-privileged user access
to all applications. ZTNA operates on the principle of "never trust, always verify," providing secure
access based on the identity of users and devices, regardless of their location.
Zero Trust Network Access (ZTNA):
ZTNA ensures that only authenticated and authorized users and devices can access applications.
It applies the principle of least privilege by granting access only to the resources required by the user,
minimizing the potential for unauthorized access.
Implementation:
ZTNA continuously verifies user and device trustworthiness and enforces granular access control
policies.
This approach enhances security by reducing the attack surface and limiting lateral movement within
the network.
Reference:
FortiOS 7.2 Administration Guide: Provides detailed information on ZTNA and its role in ensuring
least-privileged access.
FortiSASE 23.2 Documentation: Explains the implementation and benefits of ZTNA within the
FortiSASE environment.

Question: 11

Which two components are part of onboarding a secure web gateway (SWG) endpoint? (Choose two)

A. FortiSASE CA certificate
B. proxy auto-configuration (PAC) file
C. FortiSASE invitation code
D. FortiClient installer

Answer: A, B

Explanation:

Onboarding a Secure Web Gateway (SWG) endpoint involves several components to ensure secure
and effective integration with FortiSASE. Two key components are the FortiSASE CA certificate and
the proxy auto-configuration (PAC) file.
FortiSASE CA Certificate:
The FortiSASE CA certificate is essential for establishing trust between the endpoint and the
FortiSASE infrastructure.
It ensures that the endpoint can securely communicate with FortiSASE services and inspect SSL/TLS
traffic.
Proxy Auto-Configuration (PAC) File:
The PAC file is used to configure the endpoint to direct web traffic through the FortiSASE proxy.
It provides instructions on how to route traffic, ensuring that all web requests are properly inspected
and filtered by FortiSASE.
Reference:
FortiOS 7.2 Administration Guide: Details on onboarding endpoints and configuring SWG.
FortiSASE 23.2 Documentation: Explains the components required for integrating endpoints with
FortiSASE and the process for deploying the CA certificate and PAC file.

Question: 12

Which two deployment methods are used to connect a FortiExtender as a FortiSASE LAN extension?
(Choose two.)

A. Connect FortiExtender to FortiSASE using FortiZTP


B. Enable Control and Provisioning Wireless Access Points (CAPWAP) access on the FortiSASE portal.
C. Enter the FortiSASE domain name in the FortiExtender GUI as a static discovery server
D. Configure an IPsec tunnel on FortiSASE to connect to FortiExtender.

Answer: AC

Explanation:
There are two deployment methods used to connect a FortiExtender as a FortiSASE LAN extension:
Connect FortiExtender to FortiSASE using FortiZTP:
FortiZero Touch Provisioning (FortiZTP) simplifies the deployment process by allowing FortiExtender
to automatically connect and configure itself with FortiSASE.
This method requires minimal manual configuration, making it efficient for large-scale deployments.
Enter the FortiSASE domain name in the FortiExtender GUI as a static discovery server:
Manually configuring the FortiSASE domain name in the FortiExtender GUI allows the extender to
discover and connect to the FortiSASE infrastructure.
This static discovery method ensures that FortiExtender can establish a connection with FortiSASE
using the provided domain name.
Reference:
FortiOS 7.2 Administration Guide: Details on FortiExtender deployment methods and configurations.
FortiSASE 23.2 Documentation: Explains how to connect and configure FortiExtender with FortiSASE
using FortiZTP and static discovery.

Question: 13

How does FortiSASE hide user information when viewing and analyzing logs?

A. By hashing data using Blowfish


B. By hashing data using salt
C. By encrypting data using Secure Hash Algorithm 256-bit (SHA-256)
D. By encrypting data using advanced encryption standard (AES)

Answer: B

Explanation:
FortiSASE hides user information when viewing and analyzing logs by hashing data using salt. This
approach ensures that sensitive user information is obfuscated, enhancing privacy and security.
Hashing Data with Salt:
Hashing data involves converting it into a fixed-size string of characters, which is typically a hash
value.
Salting adds random data to the input of the hash function, ensuring that even identical inputs
produce different hash values.
This method provides enhanced security by making it more difficult to reverse-engineer the original
data from the hash value.
Security and Privacy:
Using salted hashes ensures that user information remains secure and private when stored or
analyzed in logs.
This technique is widely used in security systems to protect sensitive data from unauthorized access.
Reference:
FortiOS 7.2 Administration Guide: Provides information on log management and data protection
techniques.
FortiSASE 23.2 Documentation: Details on how FortiSASE implements data hashing and salting to
secure user information in logs.

Question: 14

Refer to the exhibit.

A company has a requirement to inspect all the endpoint internet traffic on FortiSASE, and exclude
Google Maps traffic from the FortiSASE VPN tunnel and redirect it to the endpoint physical interface.
Which configuration must you apply to achieve this requirement?

A. Exempt the Google Maps FQDN from the endpoint system proxy settings.
B. Configure a static route with the Google Maps FQDN on the endpoint to redirect traffic
C. Configure the Google Maps FQDN as a split tunneling destination on the FortiSASE endpoint
profile.
D. Change the default DNS server configuration on FortiSASE to use the endpoint system DNS.

Answer: C

Explanation:
To meet the requirement of inspecting all endpoint internet traffic on FortiSASE while excluding
Google Maps traffic from the FortiSASE VPN tunnel and redirecting it to the endpoint's physical
interface, you should configure split tunneling. Split tunneling allows specific traffic to bypass the
VPN tunnel and be routed directly through the endpoint's local interface.
Split Tunneling Configuration:
Split tunneling enables selective traffic to be routed outside the VPN tunnel.
By configuring the Google Maps Fully Qualified Domain Name (FQDN) as a split tunneling
destination, you ensure that traffic to Google Maps bypasses the VPN tunnel and uses the endpoint's
local interface instead.
Implementation Steps:
Access the FortiSASE endpoint profile configuration.
Add the Google Maps FQDN to the split tunneling destinations list.
This configuration directs traffic intended for Google Maps to bypass the VPN tunnel and be routed
directly through the endpoint's physical network interface.
Reference:
FortiOS 7.2 Administration Guide: Provides details on split tunneling configuration.
FortiSASE 23.2 Documentation: Explains how to set up and manage split tunneling for specific
destinations.

Question: 15

Refer to the exhibits.

Win10-Pro and Win7-Pro are endpoints from the same remote location. Win10-Pro can access the
internet through FortiSASE, while Win7-Pro can no longer access the internet.
Given the exhibits, which reason explains the outage on Win7-Pro?

A. The Win7-Pro device posture has changed.


B. Win7-Pro cannot reach the FortiSASE SSL VPN gateway
C. The Win7-Pro FortiClient version does not match the FortiSASE endpoint requirement.
D. Win7-Pro has exceeded the total vulnerability detected threshold.

Answer: D

Explanation:
Based on the provided exhibits, the reason why the Win7-Pro endpoint can no longer access the
internet through FortiSASE is due to exceeding the total vulnerability detected threshold. This
threshold is used to determine if a device is compliant with the security requirements to access the
network.
Endpoint Compliance:
FortiSASE monitors endpoint compliance by assessing various security parameters, including the
number of vulnerabilities detected on the device.
The compliance status is indicated by the ZTNA tags and the vulnerabilities detected.
Vulnerability Threshold:
The exhibit shows that Win7-Pro has 176 vulnerabilities detected, whereas Win10-Pro has 140
vulnerabilities.
If the endpoint exceeds a predefined vulnerability threshold, it may be restricted from accessing the
network to ensure overall network security.
Impact on Network Access:
Since Win7-Pro has exceeded the vulnerability threshold, it is marked as non-compliant and
subsequently loses internet access through FortiSASE.
The FortiSASE endpoint profile enforces this compliance check to prevent potentially vulnerable
devices from accessing the internet.


Reference:
FortiOS 7.2 Administration Guide: Provides information on endpoint compliance and vulnerability
management.
FortiSASE 23.2 Documentation: Explains how vulnerability thresholds are used to determine
endpoint compliance and access control.

Question: 16

A customer wants to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid
network. Which FortiSASE features would help the customer to achieve this outcome?

A. SD-WAN and NGFW


B. SD-WAN and inline-CASB
C. zero trust network access (ZTNA) and next generation firewall (NGFW)
D. secure web gateway (SWG) and inline-CASB

Answer: D

Explanation:
For a customer looking to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid
network, the combination of Secure Web Gateway (SWG) and Inline Cloud Access Security Broker
(CASB) features in FortiSASE will provide the necessary capabilities.
Secure Web Gateway (SWG):
SWG provides comprehensive web security by inspecting and filtering web traffic to protect against
web-based threats.
It ensures that all web traffic, whether originating from on-premises or remote locations, is inspected
and secured by the cloud-based proxy.
Inline Cloud Access Security Broker (CASB):
CASB enhances security by providing visibility and control over cloud applications and services.
Inline CASB integrates with SWG to enforce security policies for cloud application usage, preventing
unauthorized access and data leakage.
Reference:
FortiOS 7.2 Administration Guide: Details on SWG and CASB features.
FortiSASE 23.2 Documentation: Explains how SWG and inline-CASB are used in cloud-based proxy
solutions.

Question: 17

When you configure FortiSASE Secure Private Access (SPA) with SD-WAN integration, you must
establish a routing adjacency between FortiSASE and the FortiGate SD-WAN hub. Which routing
protocol must you use?

A. BGP
B. IS-IS
C. OSPF
D. EIGRP

Answer: A

Explanation:
When configuring FortiSASE Secure Private Access (SPA) with SD-WAN integration, establishing a
routing adjacency between FortiSASE and the FortiGate SD-WAN hub requires the use of the Border
Gateway Protocol (BGP).
BGP (Border Gateway Protocol):
BGP is widely used for establishing routing adjacencies between different networks, particularly in
SD-WAN environments.
It provides scalability and flexibility in managing dynamic routing between FortiSASE and the
FortiGate SD-WAN hub.
Routing Adjacency:
BGP enables the exchange of routing information between FortiSASE and the FortiGate SD-WAN hub.
This ensures optimal routing paths and efficient traffic management across the hybrid network.
Reference:
FortiOS 7.2 Administration Guide: Provides information on configuring BGP for SD-WAN integration.
FortiSASE 23.2 Documentation: Details on setting up routing adjacencies using BGP for Secure Private
Access with SD-WAN.

Question: 18

A FortiSASE administrator is configuring a Secure Private Access (SPA) solution to share endpoint
information with a corporate FortiGate.
Which three configuration actions will achieve this solution? (Choose three.)

A. Add the FortiGate IP address in the secure private access configuration on FortiSASE.
B. Use the FortiClient EMS cloud connector on the corporate FortiGate to connect to FortiSASE
C. Register FortiGate and FortiSASE under the same FortiCloud account.
D. Authorize the corporate FortiGate on FortiSASE as a ZTNA access proxy.
E. Apply the FortiSASE zero trust network access (ZTNA) license on the corporate FortiGate.

Answer: BCD

Explanation:
Reference:
FortiOS 7.2 Administration Guide: Provides details on configuring Secure Private Access and
integrating with FortiGate.
FortiSASE 23.2 Documentation: Explains how to set up and manage connections between FortiSASE
and corporate FortiGate.

Question: 19

Refer to the exhibit.



The daily report for application usage shows an unusually high number of unknown applications by
category.
What are two possible explanations for this? (Choose two.)

A. Certificate inspection is not being used to scan application traffic.


B. The inline-CASB application control profile does not have application categories set to Monitor
C. Zero trust network access (ZTNA) tags are not being used to tag the correct users.
D. Deep inspection is not being used to scan traffic.

Answer: B, D

Explanation:

Question: 20

When viewing the daily summary report generated by FortiSASE, the administrator notices that the
report contains very little data. What is a possible explanation for this almost empty report?

A. Digital experience monitoring is not configured.
B. Log allowed traffic is set to Security Events for all policies.
C. The web filter security profile is not set to Monitor
D. There is no security profile group applied to all policies.

Answer: B

Explanation:
If the daily summary report generated by FortiSASE contains very little data, one possible
explanation is that the "Log allowed traffic" setting is configured to log only "Security Events" for all
policies. This configuration limits the amount of data logged, as it only includes security events and
excludes normal allowed traffic.
Log Allowed Traffic Setting:
The "Log allowed traffic" setting determines which types of traffic are logged.
When set to "Security Events," only traffic that triggers a security event (such as a threat detection or
policy violation) is logged.
Impact on Report Data:
If the log setting excludes regular allowed traffic, the amount of data captured and reported is
significantly reduced.
This results in reports with minimal data, as only security-related events are included.
Reference:
FortiOS 7.2 Administration Guide: Provides details on configuring logging settings for traffic policies.
FortiSASE 23.2 Documentation: Explains the impact of logging configurations on report generation
and data visibility.

Question: 21

You are designing a new network for Company X and one of the new cybersecurity policy
requirements is that all remote user endpoints must always be connected and protected. Which
FortiSASE component facilitates this always-on security measure?

A. site-based deployment
B. thin-branch SASE extension
C. unified FortiClient
D. inline-CASB

Answer: C

Explanation:
The unified FortiClient component of FortiSASE facilitates the always-on security measure required
for ensuring that all remote user endpoints are always connected and protected.
Unified FortiClient:
FortiClient is a comprehensive endpoint security solution that integrates with FortiSASE to provide
continuous protection for remote user endpoints.
It ensures that endpoints are always connected to the FortiSASE infrastructure, even when users are
off the corporate network.
Always-On Security:
The unified FortiClient maintains a persistent connection to FortiSASE, enforcing security policies and
protecting endpoints against threats at all times.
This ensures compliance with the cybersecurity policy requiring constant connectivity and protection
for remote users.
Reference:
FortiOS 7.2 Administration Guide: Provides information on configuring and managing FortiClient for
endpoint security.
FortiSASE 23.2 Documentation: Explains how FortiClient integrates with FortiSASE to deliver always-
on security for remote endpoints.

Question: 22

Refer to the exhibits.



A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The tunnel is
up to the FortiGate hub. However, the administrator is not able to ping the webserver hosted behind
the FortiGate hub.
Based on the output, what is the reason for the ping failures?

A. The Secure Private Access (SPA) policy needs to allow PING service.
B. Quick mode selectors are restricting the subnet.
C. The BGP route is not received.
D. Network address translation (NAT) is not enabled on the spoke-to-hub policy.

Answer: C

Explanation:

Question: 23

To complete their day-to-day operations, remote users require access to a TCP-based application that
is hosted on a private web server. Which FortiSASE deployment use case provides the most efficient
and secure method for meeting the remote users' requirements?

A. SD-WAN private access


B. inline-CASB
C. zero trust network access (ZTNA) private access
D. next generation firewall (NGFW)

Answer: C

Explanation:
Zero Trust Network Access (ZTNA) private access provides the most efficient and secure method for
remote users to access a TCP-based application hosted on a private web server. ZTNA ensures that
only authenticated and authorized users can access specific applications based on predefined
policies, enhancing security and access control.
Zero Trust Network Access (ZTNA):
ZTNA operates on the principle of "never trust, always verify," continuously verifying user identity
and device security posture before granting access.
It provides secure and granular access to specific applications, ensuring that remote users can
securely access the TCP-based application hosted on the private web server.
Secure and Efficient Access:
ZTNA private access allows remote users to connect directly to the application without needing a full
VPN tunnel, reducing latency and improving performance.
It ensures that only authorized users can access the application, providing robust security controls.
Reference:
FortiOS 7.2 Administration Guide: Provides detailed information on ZTNA and its deployment use
cases.
FortiSASE 23.2 Documentation: Explains how ZTNA can be used to provide secure access to private
applications for remote users.

Question: 24

Which secure internet access (SIA) use case minimizes individual workstation or device setup,
because you do not need to install FortiClient on endpoints or configure explicit web proxy settings
on web browser-based end points?

A. SIA for inline-CASB users


B. SIA for agentless remote users
C. SIA for SSLVPN remote users
D. SIA for site-based remote users

Explanation:
The Secure Internet Access (SIA) use case that minimizes individual workstation or device setup is SIA
for agentless remote users. This use case does not require installing FortiClient on endpoints or
configuring explicit web proxy settings on web browser-based endpoints, making it the simplest and
most efficient deployment.
SIA for Agentless Remote Users:
Agentless deployment allows remote users to connect to the SIA service without needing to install
any client software or configure browser settings.
This approach reduces the setup and maintenance overhead for both users and administrators.
Minimized Setup:
Without the need for FortiClient installation or explicit proxy configuration, the deployment is
straightforward and quick.
Users can securely access the internet with minimal disruption and administrative effort.
Reference:
FortiOS 7.2 Administration Guide: Details on different SIA deployment use cases and configurations.
FortiSASE 23.2 Documentation: Explains how SIA for agentless remote users is implemented and the
benefits it provides.

Question: 25

Refer to the exhibits.



A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The VPN
tunnel does not establish.
Based on the provided configuration, what configuration needs to be modified to bring the tunnel
up?

A. NAT needs to be enabled in the Spoke-to-Hub firewall policy.


B. The BGP router ID needs to match on the hub and FortiSASE.
C. FortiSASE spoke devices do not support mode config.
D. The hub needs IKEv2 enabled in the IPsec phase 1 settings.

Answer: D

Explanation:

Question: 26

Which two additional components does FortiSASE use for application control to act as an inline-
CASB? (Choose two.)

A. intrusion prevention system (IPS)


B. SSL deep inspection
C. DNS filter
D. Web filter with inline-CASB

Answer: AB

Explanation:

Question: 27

Which two advantages does FortiSASE bring to businesses with multiple branch offices? (Choose
two.)

A. It offers centralized management for simplified administration.


B. It enables seamless integration with third-party firewalls.
C. It offers customizable dashboard views for each branch location.
D. It eliminates the need to have an on-premises firewall for each branch.

Answer: A, D

Explanation:
FortiSASE brings the following advantages to businesses with multiple branch offices:
Centralized Management for Simplified Administration:
FortiSASE provides a centralized management platform that allows administrators to manage
security policies, configurations, and monitoring from a single interface.
This simplifies the administration and reduces the complexity of managing multiple branch offices.
Eliminates the Need for On-Premises Firewalls:
FortiSASE enables secure access to the internet and cloud applications without requiring dedicated
on-premises firewalls at each branch office.
This reduces hardware costs and simplifies network architecture, as security functions are handled by
the cloud-based FortiSASE solution.
Reference:
FortiOS 7.2 Administration Guide: Provides information on the benefits of centralized management
and cloud-based security solutions.
FortiSASE 23.2 Documentation: Explains the advantages of using FortiSASE for businesses with
multiple branch offices, including reduced need for on-premises firewalls.

Question: 28

When accessing the FortiSASE portal for the first time, an administrator must select data center
locations for which three FortiSASE components? (Choose three.)

A. Endpoint management
B. Points of presence
C. SD-WAN hub
D. Logging
E. Authentication

Answer: A, B, D

Explanation:
When accessing the FortiSASE portal for the first time, an administrator must select data center
locations for the following FortiSASE components:
Endpoint Management:
The data center location for endpoint management ensures that endpoint data and policies are
managed and stored within the chosen geographical region.
Points of Presence (PoPs):
Points of Presence (PoPs) are the locations where FortiSASE services are delivered to users. Selecting
PoP locations ensures optimal performance and connectivity for users based on their geographical
distribution.
Logging:
The data center location for logging determines where log data is stored and managed. This is crucial
for compliance and regulatory requirements, as well as for efficient log analysis and reporting.
Reference:
FortiOS 7.2 Administration Guide: Details on initial setup and configuration steps for FortiSASE.
FortiSASE 23.2 Documentation: Explains the importance of selecting data center locations for various
FortiSASE components.

Question: 29

During FortiSASE provisioning, how many security points of presence (POPs) need to be configured
by the FortiSASE administrator?

A. 3
B. 4
C. 2
D. 1

Answer: B

Explanation:

Question: 30

An organization needs to resolve internal hostnames using its internal rather than public DNS servers
for remotely connected endpoints. Which two components must be configured on FortiSASE to
achieve this? (Choose two.)

A. SSL deep inspection
B. Split DNS rules
C. Split tunnelling destinations
D. DNS filter

Answer: AB

Explanation:
To resolve internal hostnames using internal DNS servers for remotely connected endpoints, the
following two components must be configured on FortiSASE:
Split DNS Rules:
Split DNS allows the configuration of specific DNS queries to be directed to internal DNS servers
instead of public DNS servers.
This ensures that internal hostnames are resolved using the organization's internal DNS
infrastructure, maintaining privacy and accuracy for internal network resources.
Split Tunneling Destinations:
Split tunneling allows specific traffic (such as DNS queries for internal domains) to be routed through
the VPN tunnel while other traffic is sent directly to the internet.
By configuring split tunneling destinations, you can ensure that DNS queries for internal hostnames
are directed through the VPN to the internal DNS servers.
Reference:
FortiOS 7.2 Administration Guide: Provides details on configuring split DNS and split tunneling for
VPN clients.
FortiSASE 23.2 Documentation: Explains the implementation and configuration of split DNS and split
tunneling for securely resolving internal hostnames.

Question: 31

When viewing the daily summary report generated by FortiSASE, the administrator notices that the
report contains very little data.
What is a possible explanation for this almost empty report?

A. Log allowed traffic is set to Security Events for all policies.
B. There are no security profile groups applied to all policies.
C. The web filter security profile is not set to Monitor.
D. Digital experience monitoring is not configured.

Answer: A

Explanation:

The issue of an almost empty daily summary report in FortiSASE can often be traced back to how
logging is configured within the system. Specifically, if "Log Allowed Traffic" is set to "Security Events"
for all policies, it means that only security-related events (such as threats or anomalies) are being
logged, while normal, allowed traffic is not being recorded. Since most traffic in a typical network
environment is allowed, this configuration would result in very little data being captured and
subsequently reported in the daily summary.

Here’s a breakdown of why the other options are less likely to be the cause:
B. There are no security profile groups applied to all policies: While applying security profiles is
important for comprehensive protection, their absence does not directly affect the volume of data in
reports unless specific logging settings are also misconfigured.
C. The web filter security profile is not set to Monitor: This option pertains specifically to web
filtering activities. Even if web filtering is not set to monitor mode, other types of traffic and logs
should still populate the report.
D. Digital experience monitoring is not configured: Digital Experience Monitoring (DEM) focuses on
user experience metrics rather than general traffic logging. Its absence would not lead to an almost
empty report.
To resolve this issue, administrators should review the logging settings across all policies and ensure
that "Log Allowed Traffic" is appropriately configured to capture the necessary data for reporting
purposes.
Reference:
Fortinet FCSS FortiSASE Documentation - Reporting and Logging Best Practices
FortiSASE Administration Guide - Configuring Logging Settings

Question: 32

Which statement best describes the Digital Experience Monitor (DEM) feature on FortiSASE?

A. It provides end-to-end network visibility from all the FortiSASE security PoPs to a specific SaaS
application.
B. It can be used to request a detailed analysis of the endpoint from the FortiGuard team.
C. It requires a separate DEM agent to be downloaded from the FortiSASE portal and installed on the
endpoint.
D. It can help IT and security teams ensure consistent security monitoring for remote users.

Answer: A

Explanation:

The Digital Experience Monitor (DEM) feature in FortiSASE is designed to provide end-to-end
network visibility by monitoring the performance and health of connections between FortiSASE
security Points of Presence (PoPs) and specific SaaS applications. This ensures that administrators can
identify and troubleshoot issues related to latency, jitter, packet loss, and other network
performance metrics that could impact user experience when accessing cloud-based services.
Here’s why the other options are incorrect:
B. It can be used to request a detailed analysis of the endpoint from the FortiGuard team: This is
incorrect because DEM focuses on network performance monitoring, not endpoint analysis.
Endpoint analysis would typically involve tools like FortiClient or FortiEDR, not DEM.
C. It requires a separate DEM agent to be downloaded from the FortiSASE portal and installed on the
endpoint: This is incorrect because DEM operates at the network level and does not require an
additional agent to be installed on endpoints.
D. It can help IT and security teams ensure consistent security monitoring for remote users: While
DEM indirectly supports security by ensuring optimal network performance, its primary purpose is to
monitor and improve the digital experience rather than enforce security policies.
Reference:
Fortinet FCSS FortiSASE Documentation - Digital Experience Monitoring Overview
FortiSASE Administration Guide - Configuring DEM

Question: 33

What are two requirements to enable the MSSP feature on FortiSASE? (Choose two.)

A. Add FortiCloud premium subscription on the root FortiCloud account.
B. Configure MSSP user accounts and permissions on the FortiSASE portal.
C. Assign role-based access control (RBAC) to IAM users using FortiCloud IAM portal.
D. Enable multi-tenancy on the FortiSASE portal.

Answer: C, D

Explanation:

To enable the MSSP (Managed Security Service Provider) feature on FortiSASE, two key requirements
must be met:
Assign role-based access control (RBAC) to IAM users using FortiCloud IAM portal (Option C):
RBAC is essential for managing permissions and ensuring that different customers (tenants) have
appropriate access levels. The FortiCloud Identity and Access Management (IAM) portal allows
administrators to define roles and assign them to users, ensuring secure and granular control over
resources.
Enable multi-tenancy on the FortiSASE portal (Option D):
Multi-tenancy is a critical feature for MSSPs, as it allows them to manage multiple customer
environments (tenants) from a single FortiSASE instance. Each tenant operates independently with
its own configurations, policies, and reporting, while the MSSP retains centralized control.
Here’s why the other options are incorrect:
A. Add FortiCloud premium subscription on the root FortiCloud account: While FortiCloud
subscriptions may enhance functionality, they are not specifically required to enable the MSSP
feature.
B. Configure MSSP user accounts and permissions on the FortiSASE portal: User accounts and
permissions are managed through the FortiCloud IAM portal, not directly on the FortiSASE portal.
Reference:
Fortinet FCSS FortiSASE Documentation - MSSP Feature Configuration
FortiSASE Administration Guide - Multi-Tenancy and RBAC Setup

Question: 34

Which event log subtype captures FortiSASE SSL VPN user creation?

A. Endpoint Events
B. VPN Events
C. User Events
D. Administrator Events

Answer: C

Explanation:

The event log subtype that captures FortiSASE SSL VPN user creation is User Events. This subtype is
specifically designed to log activities related to user management, such as creating, modifying, or
deleting user accounts. When an SSL VPN user is created, it falls under this category because it
involves adding a new user to the system.
Here’s why the other options are incorrect:
A. Endpoint Events: These logs pertain to activities related to endpoint devices, such as device
registration, compliance checks, or security posture assessments. SSL VPN user creation is unrelated
to endpoint events.
B. VPN Events: These logs capture activities related to VPN connections, such as session
establishment, termination, or errors. While SSL VPN usage generates VPN events, the creation of a
user account itself is not logged under this subtype.
D. Administrator Events: These logs track actions performed by administrators, such as configuration
changes or policy updates. While an administrator might create the SSL VPN user, the specific event
of user creation is categorized under User Events, not Administrator Events.
Reference:
Fortinet FCSS FortiSASE Documentation - Event Logging and Subtypes
FortiSASE Administration Guide - Monitoring and Logging

Question: 35

Your organization is currently using FortiSASE for its cybersecurity. They have recently hired a
contractor who will work from the HQ office and who needs temporary internet access in order to
set up a web-based point of sale (POS) system.
What is the recommended way to provide internet access to the contractor?

A. Use FortiClient on the endpoint to manage internet access.
B. Use a proxy auto-configuration (PAC) file and provide secure web gateway (SWG) service as an
explicit web proxy.
C. Use zero trust network access (ZTNA) and tag the client as an unmanaged endpoint.
D. Configure a VPN policy on FortiSASE to provide access to the internet.

Answer: C

Explanation:

The recommended way to provide temporary internet access to the contractor is to use Zero Trust
Network Access (ZTNA) and tag the client as an unmanaged endpoint. ZTNA ensures that only
authorized users and devices can access specific resources, while treating all endpoints as untrusted
by default. By tagging the contractor's device as an unmanaged endpoint, you can apply strict access
controls and ensure that the contractor has limited access to only the necessary resources (e.g., the
web-based POS system) without exposing the internal network to unnecessary risks.
Here’s why the other options are less suitable:
A. Use FortiClient on the endpoint to manage internet access: While FortiClient provides endpoint
security and management, it requires installation and configuration on the contractor's device. This
may not be feasible for temporary contractors or unmanaged devices.
B. Use a proxy auto-configuration (PAC) file and provide secure web gateway (SWG) service as an
explicit web proxy: While this approach can control web traffic, it does not provide the granular
access control and security posture validation offered by ZTNA. Additionally, managing PAC files can
be cumbersome and less secure compared to ZTNA.
D. Configure a VPN policy on FortiSASE to provide access to the internet: Using a VPN policy would
grant broader access to the network, which is not ideal for a temporary contractor. It increases the
risk of unauthorized access to internal resources and does not align with the principle of least
privilege.
Reference:
Fortinet FCSS FortiSASE Documentation - Zero Trust Network Access (ZTNA) Use Cases
FortiSASE Administration Guide - Managing Unmanaged Endpoints

Question: 36

Which two statements describe a zero trust network access (ZTNA) private access use case? (Choose
two.)

A. The security posture of the device is secure.
B. All FortiSASE user-based deployments are supported.
C. All TCP-based applications are supported.
D. Data center redundancy is offered.

Answer: A, C

Explanation:

Zero Trust Network Access (ZTNA) private access use cases focus on providing secure and controlled
access to private applications without exposing them to the public internet. The following two
statements accurately describe ZTNA private access use cases:
The security posture of the device is secure (Option A):
ZTNA enforces strict access controls based on the principle of least privilege. Before granting access
to private applications, ZTNA evaluates the security posture of the device (e.g., whether it is patched,
compliant, and free of malware). Only devices that meet the required security standards are granted
access, ensuring that the device is secure before allowing private access.
All TCP-based applications are supported (Option C):
ZTNA supports all TCP-based applications, enabling secure access to a wide range of private
applications, including legacy systems and custom-built applications. This flexibility makes ZTNA
suitable for organizations with diverse application environments.
Here’s why the other options are incorrect:
B. All FortiSASE user-based deployments are supported: While FortiSASE supports various
deployment scenarios, not all user-based deployments are automatically compatible with ZTNA.
Specific configurations and requirements must be met to enable ZTNA functionality.
D. Data center redundancy is offered: Data center redundancy is unrelated to ZTNA private access
use cases. Redundancy typically pertains to infrastructure design and failover mechanisms, not
access control methodologies like ZTNA.

Reference:
Fortinet FCSS FortiSASE Documentation - ZTNA Private Access Overview
FortiSASE Administration Guide - ZTNA Deployment Best Practices

Question: 37

Which statement applies to a single sign-on (SSO) deployment on FortiSASE?

A. SSO overrides any other previously configured user authentication.
B. SSO identity providers can be integrated using public and private access types.
C. SSO is recommended only for agent-based deployments.
D. SSO users can be imported into FortiSASE and added to user groups.

Answer: D

Explanation:

In a Single Sign-On (SSO) deployment on FortiSASE, SSO users can be imported into FortiSASE and
added to user groups. This allows administrators to manage SSO users within FortiSASE, enabling
them to apply policies, permissions, and group-based access controls. By integrating SSO with
FortiSASE, organizations can streamline user authentication and simplify access management while
maintaining security.
Here’s why the other options are incorrect:
A. SSO overrides any other previously configured user authentication: This is incorrect because SSO
does not automatically override other authentication methods. FortiSASE supports multiple
authentication mechanisms, and SSO is just one of them. Administrators can configure fallback
authentication methods if needed.
B. SSO identity providers can be integrated using public and private access types: While FortiSASE
supports integration with various identity providers (e.g., SAML, LDAP, OAuth), the concept of "public
and private access types" is not applicable to SSO configurations.
C. SSO is recommended only for agent-based deployments: This is incorrect because SSO can be
used in both agent-based and agentless deployments. It is not limited to environments where agents
are installed.
Reference:
Fortinet FCSS FortiSASE Documentation - Single Sign-On (SSO) Integration
FortiSASE Administration Guide - User Authentication and SSO

Question: 38

Which statement describes the FortiGuard forensics analysis feature on FortiSASE?

A. It can help troubleshoot user-to-application performance issues.
B. It can help customers identify and mitigate potential risks to their network.
C. It can monitor endpoint resources in real-time.
D. It is a 24x7x365 monitoring service of your FortiSASE environment.

Answer: B

Explanation:

The FortiGuard forensics analysis feature on FortiSASE is designed to help customers identify and
mitigate potential risks to their network. This feature provides detailed insights into suspicious
activities, threats, and anomalies detected by FortiSASE. By analyzing logs, traffic patterns, and
threat intelligence, FortiGuard forensics enables administrators to investigate incidents, understand
their root causes, and take proactive measures to secure the network.
Here’s why the other options are incorrect:
A. It can help troubleshoot user-to-application performance issues: Performance troubleshooting is
typically handled by features like Digital Experience Monitoring (DEM) or application performance
monitoring tools, not forensics analysis.
C. It can monitor endpoint resources in real-time: Real-time endpoint monitoring is a function of
endpoint security solutions like FortiClient or FortiEDR, not FortiGuard forensics analysis.
D. It is a 24x7x365 monitoring service of your FortiSASE environment: While Fortinet offers managed
services for continuous monitoring, FortiGuard forensics analysis is not a dedicated monitoring
service. Instead, it focuses on post-incident investigation and risk mitigation.
Reference:
Fortinet FCSS FortiSASE Documentation - FortiGuard Forensics Analysis
FortiSASE Administration Guide - Threat Detection and Response

Question: 39

A customer needs to implement device posture checks for their remote endpoints while accessing
the protected server. They also want the TCP traffic between the remote endpoints and the
protected servers to be processed by FortiGate.
In this scenario, which three setups will achieve the above requirements? (Choose three.)

A. Configure ZTNA tags on FortiGate.

D. Configure private access policies on FortiSASE with ZTNA.
E. Sync ZTNA tags from FortiSASE to FortiGate.

Answer: A, B, C

Explanation:

To meet the requirements of implementing device posture checks for remote endpoints and ensuring
that TCP traffic between the endpoints and protected servers is processed by FortiGate, the following
three setups are necessary:
Configure ZTNA tags on FortiGate (Option A):
ZTNA (Zero Trust Network Access) tags are used to define access control policies based on the
security posture of devices. By configuring ZTNA tags on FortiGate, administrators can enforce
granular access controls, ensuring that only compliant devices can access protected resources.
Configure FortiGate as a zero trust network access (ZTNA) access proxy (Option B):
FortiGate can act as a ZTNA access proxy, which allows it to mediate and secure connections
between remote endpoints and protected servers. This setup ensures that all TCP traffic passes
through FortiGate, enabling inspection and enforcement of security policies.
Configure ZTNA servers and ZTNA policies on FortiGate (Option C):
To enable ZTNA functionality, administrators must define ZTNA servers (the protected resources) and
create ZTNA policies on FortiGate. These policies determine how traffic is routed, inspected, and
controlled based on device posture and user identity.
Here’s why the other options are incorrect:
D. Configure private access policies on FortiSASE with ZTNA: While FortiSASE supports ZTNA, the
requirement specifies that TCP traffic must be processed by FortiGate. Configuring private access
policies on FortiSASE would route traffic through FortiSASE instead of FortiGate, which does not meet
the stated requirements.
E. Sync ZTNA tags from FortiSASE to FortiGate: Synchronizing ZTNA tags is unnecessary in this
scenario because the focus is on FortiGate processing the traffic. The tags can be directly configured
on FortiGate without involving FortiSASE.
Reference:
Fortinet FCSS FortiSASE Documentation - Zero Trust Network Access (ZTNA) Deployment
FortiGate Administration Guide - ZTNA Configuration

Question: 40

Which of the following describes the FortiSASE inline-CASB component?

A. It provides visibility for unmanaged locations and devices.
B. It is placed directly in the traffic path between the endpoint and cloud applications.
C. It uses API to connect to the cloud applications.
D. It detects data at rest.

Answer: B

Explanation:

The FortiSASE inline-CASB (Cloud Access Security Broker) component is designed to provide real-time
security and visibility by being placed directly in the traffic path between the endpoint and cloud
applications. Inline-CASB inspects traffic as it flows to and from cloud applications, enabling
enforcement of security policies, detection of threats, and prevention of unauthorized access. This
approach ensures that all interactions with cloud applications are monitored and controlled in real
time.
Here’s why the other options are incorrect:
A. It provides visibility for unmanaged locations and devices: While inline-CASB enhances visibility,
its primary function is to inspect and secure traffic in real time. Visibility for unmanaged locations
and devices is typically achieved through other components like endpoint agents or API-based CASB.
C. It uses API to connect to the cloud applications: API-based CASB is a different approach that relies
on APIs provided by cloud applications to monitor and manage data. Inline-CASB operates directly in
the traffic flow rather than using APIs.
D. It detects data at rest: Detecting data at rest is typically handled by Data Loss Prevention (DLP)
tools or API-based CASB solutions. Inline-CASB focuses on inspecting traffic in motion, not data
stored in cloud applications.
Reference:
Fortinet FCSS FortiSASE Documentation - Inline-CASB Overview
FortiSASE Administration Guide - Cloud Application Security

Question: 41

An organization must block user attempts to log in to non-company resources while using Microsoft
Office 365 to prevent users from accessing unapproved cloud resources.
Which FortiSASE feature can you implement to achieve this requirement?

A. Web Filter with Inline-CASB
B. SSL deep inspection
C. Data loss prevention (DLP)
D. Application Control with Inline-CASB

Answer: A

Explanation:

To block user attempts to log in to non-company resources while using Microsoft Office 365, the Web
Filter with Inline-CASB feature in FortiSASE is the most appropriate solution. Inline-CASB (Cloud
Access Security Broker) provides real-time visibility and control over cloud application usage. When
combined with Web Filtering, it can enforce policies to restrict access to unauthorized or non-company
resources within sanctioned applications like Microsoft Office 365. This ensures that users
cannot access unapproved cloud resources while still allowing legitimate use of Office 365.
Here’s why the other options are incorrect:
B. SSL deep inspection: While SSL deep inspection is useful for decrypting and inspecting encrypted
traffic, it does not specifically address the need to block access to non-company resources within
Office 365. It focuses on securing traffic rather than enforcing application-specific policies.
C. Data loss prevention (DLP): DLP is designed to prevent sensitive data from being leaked or
exfiltrated. While it is a valuable security feature, it does not directly block access to non-company
resources within Office 365.
D. Application Control with Inline-CASB: Application Control focuses on managing access to specific
applications rather than enforcing granular policies within an application like Office 365. Web Filter
with Inline-CASB is better suited for this use case.
Reference:
Fortinet FCSS FortiSASE Documentation - Inline-CASB and Web Filtering
FortiSASE Administration Guide - Securing Cloud Applications

Question: 42

In which three ways does FortiSASE help organizations ensure secure access for remote workers?
(Choose three.)

A. It enforces multi-factor authentication (MFA) to validate remote users.
B. It secures traffic from endpoints to cloud applications.
C. It uses the identity & access management (IAM) portal to validate the identities of remote
workers.
D. It offers zero trust network access (ZTNA) capabilities.
E. It enforces granular access policies based on user identities.

Answer: B, D, E

Explanation:

FortiSASE provides several features to ensure secure access for remote workers. The following three
ways are particularly relevant:
It secures traffic from endpoints to cloud applications (Option B):
FortiSASE secures all traffic between remote endpoints and cloud applications by inspecting it in real
time. This includes applying security policies, threat detection, and data protection measures to
ensure that traffic is safe and compliant.
It offers zero trust network access (ZTNA) capabilities (Option D):
ZTNA ensures that remote workers are granted access to resources based on strict verification of
their identity and device posture. By treating all users and devices as untrusted by default, ZTNA
minimizes the risk of unauthorized access and lateral movement within the network.
It enforces granular access policies based on user identities (Option E):
FortiSASE allows administrators to define and enforce fine-grained access policies based on user
identities, roles, and other attributes. This ensures that remote workers only have access to the
resources they need, reducing the attack surface.
Here’s why the other options are incorrect:
A. It enforces multi-factor authentication (MFA) to validate remote users: While MFA is a critical
security measure, it is typically implemented through identity providers (e.g., FortiAuthenticator or
third-party solutions) rather than directly through FortiSASE.
C. It uses the identity & access management (IAM) portal to validate the identities of remote
workers: FortiSASE integrates with IAM systems but does not use the IAM portal itself to validate
identities. Identity validation is handled through authentication mechanisms like SAML, LDAP, or
OAuth.
Reference:
Fortinet FCSS FortiSASE Documentation - Secure Remote Access
FortiSASE Administration Guide - ZTNA and Access Policies

Question: 43

Which secure internet access (SIA) use case minimizes individual endpoint configuration?

A. Site-based remote user internet access
B. Agentless remote user internet access
C. SIA for SSL VPN remote users
D. SIA using ZTNA

Answer: B

Explanation:

The agentless remote user internet access use case is designed to minimize individual endpoint
configuration. In this scenario, FortiSASE provides secure internet access without requiring the
installation of an agent on the endpoint device. This approach is particularly useful for environments
with unmanaged devices or temporary users, as it eliminates the need for complex configurations on
each endpoint. Instead, security policies are enforced at the network level, ensuring consistent
protection without relying on endpoint-specific software.
Here’s why the other options are incorrect:
A. Site-based remote user internet access: This use case involves securing internet access for users
at a specific site or location, typically through a gateway or firewall. While it simplifies configuration
for all users at that site, it does not specifically minimize individual endpoint configuration for remote
users.
C. SIA for SSL VPN remote users: SSL VPN requires users to connect to the corporate network via a
client or browser-based interface. This approach often involves additional configuration on the
endpoint, such as installing and configuring the SSL VPN client.
D. SIA using ZTNA: Zero Trust Network Access (ZTNA) focuses on verifying the identity and posture of
devices before granting access to resources. While ZTNA enhances security, it may require endpoint
agents or posture checks, which involve some level of endpoint configuration.
Reference:
Fortinet FCSS FortiSASE Documentation - Secure Internet Access (SIA) Use Cases
FortiSASE Administration Guide - Agentless Remote User Access