FCSS_SASE_AD-25 FCSS - FortiSASE 25 Administrator Questions and Answers

FortiSASE uses ZTNA tags to assess the endpoint’s security posture. If the posture is non-compliant based on predefined rules, FortiSASE enforces network lockdown to restrict access accordingly.

When central management is enabled, security profile group objects are managed exclusively through FortiManager, making them read-only on the FortiSASE portal to ensure centralized policy control.

The self-registration portal is the recommended method for granting temporary internet access to contractors or guests. It provides a simple and secure way for the contractor to authenticate and access the internet without requiring full endpoint management or policy configuration.

To enforce device posture checks and ensure that TCP traffic flows through FortiGate, the FortiGate must act as a ZTNA access proxy and host the ZTNA servers and policies. This setup allows posture validation via FortiSASE while routing traffic securely to protected servers through FortiGate.

FortiSASE hides user information in logs by using hashing, which anonymizes sensitive data such as usernames or IP addresses while still allowing for consistent tracking and analysis.

FortiSASE releases network lockdown when the endpoint re-establishes the tunnel connection or when it is verified as compliant through ZTNA tag evaluation, ensuring it meets security posture requirements.

A PAC file is used to redirect client web traffic through the SWG, and FortiClient software is required to connect endpoints to the FortiSASE service for secure internet access (SIA).

The Digital Experience Monitoring (DEM) agent on the endpoint performs a trace route to the SaaS application to measure latency, packet loss, and hop-by-hop performance. This helps diagnose where in the path connectivity or performance issues are occurring.

ZTNA replaces traditional VPNs by enforcing identity- and posture-based access to private applications. SD-WAN on-ramp integrates with FortiSASE to securely route traffic from branch users to private applications over the SASE fabric, ensuring secure and optimized access.

The Digital Experience Monitor (DEM) in FortiSASE measures and monitors network performance from the FortiSASE Points of Presence (PoPs) to specific SaaS or cloud applications, helping identify and troubleshoot performance issues across the service path.

The sandbox feature applies only to endpoints assigned this profile, and the configuration explicitly enables the submission of all files executed from removable media (like USB drives) to FortiSandbox for analysis.

The usernames appear as random character strings because log anonymization is enabled in FortiSASE, which hashes sensitive user information such as usernames to protect privacy while still allowing log analysis.