You are designing a new network, and the cybersecurity policy mandates that all remote users working from home must always be connected and protected.
Which FortiSASE component facilitates this always-on security measure?
An SPA service connection is experiencing connectivity problems.
Which configuration setting should the administrator verify and correct first?
A. Remote Gateway
B. BGP Peer IP
C. Network overlay ID
D. Authentication Method
Your FortiSASE customer has a small branch office in which ten users will be using their personal laptops and mobile devices to access the internet.
Which deployment should they use to secure their internet access with minimal configuration?
A. FortiClient endpoint agent to secure internet access
B. FortiAP to secure internet access
C. SD-WAN on-ramp to secure internet access
D. FortiGate as a LAN extension to secure internet access
You have configured FortiSASE Secure Private Access (SPA) deployment.
Which statement is true about traffic flows? (Choose two.)
A. When using SD-WAN private access, traffic goes from an endpoint directly to an SPA hub.
B. When using zero trust network access, traffic goes from an endpoint to a FortiSASE POP, and then to a ZTNA access proxy.
C. When using zero trust network access (ZTNA), traffic goes from an endpoint directly to a ZTNA access proxy.
D. When using SD-WAN private access, traffic goes from an endpoint to a FortiSASE POP, and then to an SPA hub.
An administrator must restrict endpoints from certain countries from connecting to FortiSASE.
Which configuration can achieve this?
A. A network lockdown policy on the endpoint profiles
B. Source IP anchoring to restrict access from the specified countries
C. A geography address object as the source for a deny policy
D. Geofencing to restrict access from the required countries
Which two settings are automatically pushed from FortiSASE to FortiClient in a new FortiSASE deployment with default settings? (Choose two.)
A. FortiSASE certificate authority (CA) certificate
B. Tunnel profile
C. Real-time protection
D. Zero trust network access (ZTNA) tags
What can be configured on FortiSASE as an additional layer of security for FortiClient registration?
A. Security posture tags
B. User verification
C. Device identification
D. Application inventory
A Fortinet customer is considering integrating FortiManager with FortiSASE.
What are two prerequisites they should consider? (Choose two.)
A. Adding a FortiManager connection add-on license to FortiSASE.
B. Placing FortiManager in the same FortiCloud account as FortiSASE.
C. Reducing the number of FortiSASE PoPs that support FortiManager.
D. Running a FortiManager version that is supported by FortiSASE.
Refer to the exhibit.
Based on the configuration shown, in which two ways will FortiSASE process sessions that require FortiSandbox inspection? (Choose two.)
A. All files will be sent to an on-premises FortiSandbox for inspection.
B. FortiClient quarantines only infected files that FortiSandbox detects as medium level.
C. All files executed on a USB drive will be sent to FortiSandbox for analysis.
D. Only endpoints assigned a profile for sandbox detection will be processed by the sandbox feature.
Which statement best describes the Digital Experience Monitor (DEM) feature on FortiSASE?
A. It monitors the FortiSASE POP health based on ping probes.
B. It is used for performing device compliance checks on endpoints.
C. It provides end-to-end network visibility from all the FortiSASE security PoPs to a specific SaaS application.
D. It gathers all the vulnerability information from all the FortiClient endpoints.
Which statement about FortiSASE and SAML is true?
A. FortiSASE acts as the SIP relies on an external IdP, and can use SAML group matching.
B. FortiSASE supports SAML login but cannot use SAML group matching.
C. FortiSASE acts as the IdP and can perform SAML group matching internally.
D. FortiSASE includes IdP functionality and uses it for SAML group matching.
Refer to the exhibit.
A customer wants to fine-tune network assignments on FortiSASE, so they modified the IPAM configuration as shown in the exhibit. After this configuration, the customer started having connectivity problems and noticed that devices are using excluded ranges.
What could be causing the unexpected behavior and connectivity problems? (Choose two.)
A. The pool must include at least one /20 per security POP for the IPAM to work correctly.
B. The pool must include at least one /16 per Instance for the IPAM to work correctly.
C. The pool must include at least one /20 per instance for the IPAM to work correctly.
D. The customer excluded too many networks from the pool.
What is the purpose of the grace period for off-net endpoints in the FortiSASE Network Lockdown feature?
A. To allow users to attempt VPN reconnection before restrictions are applied
B. To bypass security policies for specific applications
C. To permanently block network access for non-compliant endpoints
D. To automatically reset the FortiClient configuration
Your organization is currently using FortiSASE for its cybersecurity. They have recently hired a contractor who will work from the HQ office and who needs temporary internet access in order to set up a web-based point of sale (POS) system.
How can you provide secure internet access to the contractor using FortiSASE?
A. Use a proxy auto-configuration (PAC) file and provide secure web gateway (SWG) service as an explicit web proxy.
B. Use a tunnel policy with a contractors user group as the source on FortiSASE to provide internet access.
C. Use zero trust network access (ZTNA) and tag the client as an unmanaged endpoint.
D. Use the self-registration portal on FortiSASE to grant internet access.
Which two statements about the Hub Selection Method in FortiSASE Secure Private Access (SPA) are correct? (Choose two.)
A. When using Hub Health and Priority, FortiSASE selects the highest priority hub that meets the configured SLA thresholds.
B. When using BGP MED, FortiSASE selects the hub with the lowest MED value only if it also meets the configured SLA thresholds.
C. When using SLA thresholds, administrators can customize latency, jitter, and packet loss for each security POP.
D. When using Hub Health and Priority, all hubs with the same priority are always selected regardless of SLA results.
Refer to the exhibit.
Which type of information or actions are available to a FortiSASE administrator from the following output?
A. Administrators can view and configure endpoint profiles and ZTNA tags.
B. Administrators can view and configure automatic patching of endpoints, and first detected date for applications.
C. Administrators can view latest application version available and push updates to managed endpoints.
D. Administrators can view application details, such as vendor, version, and installation dates to identify unwanted or outdated software.
Which two statements about FortiSASE Geofencing with regional compliance are true? (Choose two.)
A. You can configure regional compliance on the security POP or the on-premises device, not both.
B. If no regional compliance rule is configured, the connection is made to the closest security POP.
C. A regional compliance rule can connect only to an on-premises device or only to a security POP.
D. The connection order for a regional compliance rule is always the security POP first, followed by the on-premises device.
You are configuring FortiSASE SSL deep inspection.
What is required for FortiSASE to inspect encrypted traffic?
A. FortiSASE uses a third-party CA certificate without importing it to client machines, and SSL deep inspection supports only web filtering and application control.
B. FortiSASE acts as a root CA without needing a certificate, and SSL deep inspection is used only for split DNS and video filtering.
C. FortiSASE requires an external CA to issue certificates to client machines, and SSL deep inspection supports only antivirus and file filter.
D. FortiSASE acts as a certificate authority (CA) with a self-signed or internal CA certificate, requiring the root CA certificate to be imported into client machines.
Refer to the exhibit.
The daily report for application usage for internet traffic shows an unusually high number of unknown applications by category.
What are two possible explanations for this? (Choose two.)
A. The inline-CASB application control profile does not have application categories set to Monitor.
B. Certificate inspection is not being used to scan application traffic.
C. The private access policy must be set to log Security Events.
D. Deep inspection is not being used to scan traffic.
Which service is included in a secure access service edge (SASE) solution, but not in a security service edge (SSE) solution?
A. SWG
B. SD-WAN
C. CASB
D. ZTNA
How does FortiSASE address the market trends of multicloud and Software-as-a-Service (SaaS) adoption, hybrid workforce, and zero trust?
A. It focuses solely on securing on-premises networks, ignoring cloud and remote work challenges.
B. It prioritizes legacy VPN connections for hybrid workforces, bypassing modern cloud and zero-trust security measures.
C. It provides visibility and control for multicloud and SaaS environments, ensures secure and seamless access for hybrid workforces, and implements zero-trust principles.
D. It supports only zero-trust frameworks without addressing multicloud or hybrid workforce needs.
What are two benefits of deploying secure private access with SD-WAN? (Choose two.)
A. ZTNA posture check performed by the hub FortiGate
B. Support of both TCP and UDP applications
C. A direct access proxy tunnel from FortiClient to the on-premises FortiGate
D. Inline security inspection by FortiSASE
Which three traffic flows are supported by FortiSASE Secure Private Access (SPA)? (Choose three.)
A. From private resources to FortiSASE agent-based users.
B. From private resources to the internet.
C. From agent-based users to private resources behind the Fortinet SD-WAN.
D. From private resources to other private resources (SPA to SPA).
E. From thin branches/branch on-ramp to private resources behind the Fortinet SD-WAN.
A FortiSASE customer has been enforcing always-on VPN for their remote users running FortiClient.
What option can be enabled under the customer’s Endpoint Profile to allow them to access different resources located in the same L2 network?
A. Allow local LAN Access into user Endpoint Profile before they get connected to the VPN
B. Endpoint Sandbox protection for VPN users
C. Endpoint Anti-Virus protection in the Endpoint Profile for VPN
D. Network Lockdown for endpoints with VPN enabled
For monitoring potentially unwanted applications on endpoints, which information is available on the FortiSASE software installations page? (Choose two.)