Fortinet FCSS_SASE_AD-25 Online Practice Questions and Exam Preparation

Fortinet FCSS_SASE_AD-25 Online Questions & Answers

• Question 11:

  A customer wants to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid network. Which two FortiSASE features would help the customer achieve this outcome? (Choose two.)

  A. secure web gateway (SWG)
  B. zero trust network access (ZTNA)
  C. sandbox cloud
  D. inline-CASB
  A. secure web gateway (SWG)
  D. inline-CASB

  ---

  Explanation

  The secure web gateway (SWG) serves as the cloud-based proxy that inspects and controls web traffic, replacing the on-premises proxy. The inline-CASB provides additional visibility and control over cloud application usage, enhancing security in hybrid environments.

• Question 12:

  Your organization is currently using FortiSASE for its cybersecurity. They have recently hired a contractor who will work from the HQ office and who needs temporary internet access in order to set up a web-based point of sale (POS) system. What is the recommended way to provide internet access to the contractor?

  A. Use zero trust network access (ZTNA) and tag the client as an unmanaged endpoint.
  B. Use the self-registration portal on FortiSASE to grant internet access.
  C. Use a tunnel policy with a contractors user group as the source on FortiSASE to provide internet access.
  D. Use a proxy auto-configuration (PAC) file and provide secure web gateway (SWG) service as an explicit web proxy.
  B. Use the self-registration portal on FortiSASE to grant internet access.

  ---

  Explanation

  The self-registration portal is the recommended method for granting temporary internet access to contractors or guests. It provides a simple and secure way for the contractor to authenticate and access the internet without requiring full endpoint management or policy configuration.

• Question 13:

  Refer to the exhibits.

  

  

  A FortiSASE administrator has configured an antivirus profile in the security profile group and applied it to the internet access policy. Remote users are still able to download theeicar.com-zipfile fromhttps://eicar.org.

  Which configuration on FortiSASE is allowing users to perform the download?

  A- Web filter is allowing the URL.

  A. Deep inspection is not enabled.
  B. Application control is exempting all the browser traffic.
  C. Intrusion prevention is disabled.
  B. Application control is exempting all the browser traffic.

  ---

  Explanation

  The SSL inspection mode is set to certificate inspection, which only inspects SSL/TLS headers and does not allow full scanning of encrypted content. Without full (deep) inspection, the antivirus profile cannot scan or block malicious files (like eicar.com-zip) delivered over HTTPS, allowing the download to proceed.

• Question 14:

  How does FortiSASE hide user information when viewing and analyzing logs?

  A. By tokenization in log data
  B. By masking log data
  C. By compressing log data
  D. By hashing log data
  D. By hashing log data

  ---

  Explanation

  FortiSASE hides user information in logs by using hashing, which anonymizes sensitive data such as usernames or IP addresses while still allowing for consistent tracking and analysis.

• Question 15:

  For monitoring potentially unwanted applications on endpoints, which information is available on the FortiSASE software installations page?

  A. the vendor of the software
  B. the endpoint the software is installed on
  C. the license status of the software
  D. the usage frequency of the software
  B. the endpoint the software is installed on

  ---

  Explanation

  The FortiSASE software installations page shows which endpoints have specific software installed, allowing administrators to monitor potentially unwanted applications across the network.

• Question 16:

  An organization must block user attempts to log in to non-company resources while using Microsoft Office 365 to prevent users from accessing unapproved cloud resources. Which FortiSASE feature can you implement to meet this requirement?

  A. application control with inline-CASB
  B. data loss prevention (DLP) with Microsoft Purview Information Protection (MPIP)
  C. web filter with inline-CASB
  D. DNS filter with domain filter
  A. application control with inline-CASB

  ---

  Explanation

  Application control with inline-CASB allows FortiSASE to inspect and control application behavior at a granular level. This enables the organization to block login attempts to personal or non-corporate Microsoft Office 365 accounts, ensuring that only approved cloud resources are accessed.

• Question 17:

  Refer to the exhibit.

  

  An organization must inspect all the endpoint internet traffic on FortiSASE, and exclude Google Maps traffic from the FortiSASE VPN tunnel and redirect it to the endpoint physical interface.

  Which configuration must you apply to achieve this requirement?

  A. Configure a steering bypass tunnel firewall policy using Google Maps FQDN to exclude and redirect the traffic.
  B. Add the Google Maps URL in the zero trust network access (ZTNA) TCP access proxy forwarding rule.
  C. Add the Google Maps URL as a steering bypass destination in the endpoint profile.
  D. Exempt Google Maps in URL filtering in the web filter profile.
  C. Add the Google Maps URL as a steering bypass destination in the endpoint profile.

  ---

  Explanation

  To exclude specific internet traffic (such as Google Maps) from being tunneled through FortiSASE and instead direct it out the local endpoint interface, you must configure it as a steering bypass destination in the FortiClient endpoint profile. This ensures traffic matching the URL bypasses the FortiSASE tunnel.

• Question 18:

  Which information does FortiSASE use to bring network lockdown into effect on an endpoint?

  A. Zero-day malware detection on endpoint
  B. The number of critical vulnerabilities detected on the endpoint
  C. The security posture of the endpoint based on ZTNA tags
  D. The connection status of the tunnel to FortiSASE
  C. The security posture of the endpoint based on ZTNA tags

  ---

  Explanation

  FortiSASE uses ZTNA tags to assess the endpoint's security posture. If the posture is non-compliant based on predefined rules, FortiSASE enforces network lockdown to restrict access accordingly.

• Question 19:

  Which secure internet access (SIA) use case minimizes individual endpoint configuration?

  A. Agentless remote user internet access
  B. Site-based remote user internet access
  C. SIA using ZTNA
  D. SIA for FortiClient agent remote users
  B. Site-based remote user internet access

  ---

  Explanation

  Site-based remote user internet access minimizes individual endpoint configuration by routing user traffic through a centralized FortiSASE connection point (such as a FortiAP or FortiGate), rather than requiring each device to be individually configured with the FortiClient agent.

• Question 20:

  A customer wants to ensure secure access for private applications for their users by replacing their VPN. Which two SASE technologies can you use to accomplish this task? (Choose two.)

  A. zero trust network access (ZTNA)
  B. secure SD-WAN
  C. secure web gateway (SWG) and cloud access security broker (CASB)
  D. SD-WAN on-ramp
  A. zero trust network access (ZTNA)
  D. SD-WAN on-ramp

  ---

  Explanation

  ZTNA replaces traditional VPNs by enforcing identity- and posture-based access to private applications. SD- WAN on-ramp integrates with FortiSASE to securely route traffic from branch users to private applications over the SASE fabric, ensuring secure and optimized access.