FCSS_SASE_AD-25 FCSS - FortiSASE 25 Administrator Questions and Answers

The secure web gateway (SWG) serves as the cloud-based proxy that inspects and controls web traffic, replacing the on-premises proxy. The inline-CASB provides additional visibility and control over cloud application usage, enhancing security in hybrid environments.

Geofencing allows the administrator to restrict or allow access to FortiSASE services based on the geographic location of the endpoints, effectively blocking connections from specified countries.

To enforce device posture checks and ensure that TCP traffic flows through FortiGate, the FortiGate must act as a ZTNA access proxy and host the ZTNA servers and policies. This setup allows posture validation via FortiSASE while routing traffic securely to protected servers through FortiGate.

Assigning hubs with different priorities in a FortiSASE SD-WAN deployment allows traffic to be routed through the optimal hub to meet SLA requirements and ensures redundancy by enabling automatic failover if the preferred hub becomes unavailable.

Zero-trust tags assess endpoint compliance based on defined posture rules and are used in access policies to control whether a device is permitted or denied access to specific network resources.

According to the FortiOS Administration Guide, when configuring central management, a FortiManager Cloud entitlement must be present and the devices must share the same FortiCloud account for registration. Specifically:

“The FortiManager Cloud button can only be selected if you have a FortiManager Cloud product entitlement.”

“The FortiGate and FortiCloud license are registered to the same account.”

Thus, the two verified requirements are: B (entitlement) and D (same FortiCloud account).

Deploying FortiSASE with FortiGate ZTNA access proxy enables efficient access to private applications with reduced latency and supports both agentless and agent-based ZTNA methods for flexible access control.

In a default FortiSASE deployment, the tunnel profile (for secure connectivity) and the FortiSASE CA certificate (for SSL inspection and trusted communication) are automatically pushed to FortiClient endpoints.

FortiSASE reporting provides visibility into the usage of sanctioned and unsanctioned SaaS applications, enabling administrators to monitor cloud application activity and enforce security policies.

FortiSASE ensures secure access for remote workers by protecting traffic between endpoints and cloud applications and enforcing ZTNA policies that validate user identity and device posture before granting access to corporate resources.

The Digital Experience Monitor (DEM) in FortiSASE measures and monitors network performance from the FortiSASE Points of Presence (PoPs) to specific SaaS or cloud applications, helping identify and troubleshoot performance issues across the service path.