NSE7_SSE_AD-25 Fortinet NSE 7 - FortiSASE 25 Enterprise Administrator Questions and Answers

Onboarding a Secure Web Gateway (SWG) endpoint involves several components to ensure secure and effective integration with FortiSASE. Two key components are the FortiSASE CA certificate and the proxy auto-configuration (PAC) file.

FortiSASE CA Certificate:

The FortiSASE CA certificate is essential for establishing trust between the endpoint and the FortiSASE infrastructure.

It ensures that the endpoint can securely communicate with FortiSASE services and inspect SSL/TLS traffic.

Proxy Auto-Configuration (PAC) File:

The PAC file is used to configure the endpoint to direct web traffic through the FortiSASE proxy.

It provides instructions on how to route traffic, ensuring that all web requests are properly inspected and filtered by FortiSASE.

In a FortiSASE environment where always-on VPN is enforced, FortiClient typically establishes a full tunnel to a Security Point of Presence (PoP). By default, a full-tunnel configuration instructs the endpoint to send all traffic—including traffic destined for the local network—through the secure tunnel to FortiSASE for inspection.

The Local Access Challenge: When a remote user is at home or in a satellite office, they often need to access local resources such as printers, NAS devices, or other computers on the same Layer 2 (L2) broadcast domain. In a standard full-tunnel setup, these local resources become unreachable because the routing table on the endpoint prioritizes the VPN interface for all non-local-gateway traffic.

Allow Local LAN Access: To resolve this while maintaining the security of the "Always-On" requirement, FortiSASE administrators can enable the Allow Local LAN Access feature within the Endpoint Profile.

Configuration Logic: This setting modifies the FortiClient configuration (often via an XML update pushed from the FortiSASE EMS) to include an exemption for the endpoint's locally connected subnet. Specifically, it ensures that traffic destined for the local L2 network does not enter the IPsec or SSL-VPN tunnel, allowing the user to interact with local peripherals while all other internet and corporate-bound traffic remains secured by FortiSASE.

Incorrect Options: * Option B and C: Sandbox and Anti-Virus protections are security features for threat detection and do not influence the routing of local network traffic.

Option D: Network Lockdown actually does the opposite; it restricts network access until a VPN connection is established and typically blocks local LAN access unless specific exemptions are made, making it the incorrect choice for enabling access to local resources.

When accessing the FortiSASE portal for the first time, an administrator must select data center locations for the following FortiSASE components:

Endpoint Management:

The data center location for endpoint management ensures that endpoint data and policies are managed and stored within the chosen geographical region.

Points of Presence (PoPs):

Points of Presence (PoPs) are the locations where FortiSASE services are delivered to users. Selecting PoP locations ensures optimal performance and connectivity for users based on their geographical distribution.

Logging:

The data center location for logging determines where log data is stored and managed. This is crucial for compliance and regulatory requirements, as well as for efficient log analysis and reporting.

According to the NSE7 SASE Enterprise Guide (Pages 64 & 153), FortiSASE utilizes an intelligent engine to manage connectivity to private resources through various selection methods:

Hub Health and Priority: FortiSASE incorporates a built-in SD-WAN engine for intelligent routing selection among established IPsec links. The health check IP address periodically receives performance metrics, including jitter, latency, and packet loss, for each service connection. In this mode, FortiSASE evaluates the available hubs and selects the one with the highest priority (the most preferred value) within each POP, provided that the hub meets the defined service-level agreement (SLA) requirements. For this configuration to function correctly, both FortiSASE and the SPA hub must use the same Autonomous System Number (ASN).

BGP Multiple Exit Discriminator (MED): This method leverages the standard BGP MED attribute, which allows an autonomous system to signal its preferred entry point to a peer. FortiSASE learns the MED values advertised by the configured hubs. The architecture is designed so that the lower the MED value, the more preferred the path is to the receiving router. Consistent with the "Zero Trust" and "Secure Access" principles, even when using BGP MED, the selection is gated by the health engine; therefore, the hub is only selected if it also satisfies the configured SLA thresholds.

While SLA thresholds can be configured, the primary logic for hub selection focuses on how priority and dynamic routing attributes (like MED) interact with the real-time health of the tunnel.

FortiSASE Secure Private Access (SPA) provides flexible connectivity to internal corporate resources using a hub-and-spoke architecture where FortiSASE PoPs act as spokes to an organization's FortiGate hub.

Flow from Agent-based users to Private Resources (C): This is the core functionality of SPA. Remote users running FortiClient (agent-based) connect to the nearest FortiSASE PoP. The PoP, integrated into the corporate SD-WAN fabric, uses IPsec and BGP to route traffic to the private applications located behind the FortiGate hub or associated spokes.

Flow from Thin Branches/Branch On-ramp to Private Resources (E): FortiSASE extends its security and connectivity to physical locations through "Thin Edge" (e.g., FortiExtender, FortiAP) or "Branch On-ramp" (e.g., branch FortiGates). These sites form tunnels to the FortiSASE PoP, which then provides them with access to the same private resources in the SD-WAN network as the remote agent-based users.

Flow from Private Resources to Agent-based users (A): The SPA architecture is designed for bidirectional communication. Documentation confirms that traffic can be initiated from the FortiGate hub (or local networks behind it) to the remote VPN agents. This "Server-to-Client" flow is essential for administrative tasks, log forwarding, or real-time communication applications like VoIP.

Incorrect Options:

Option B: Traffic from private resources to the internet is handled via Secure Internet Access (SIA) or local gateway policies, not the SPA use case, which is dedicated to internal private application access.

Option D: While FortiSASE can facilitate branch-to-branch communication via ADVPN shortcuts, the term "SPA" specifically refers to the access layer for users and is not used to describe resource-to-resource or hub-to-hub traffic.

FortiSASE utilizes Security Assertion Markup Language (SAML) to provide a seamless Single Sign-On (SSO) experience for remote users connecting to the cloud infrastructure.

Role Identification: In a SAML exchange, FortiSASE functions as the Service Provider (SP). It relies on an external Identity Provider (IdP)—such as Microsoft Entra ID (formerly Azure AD), Okta, or FortiAuthenticator—to authenticate the user's identity and provide security assertions.2

SAML Group Matching: One of the core features of the FortiSASE SAML implementation is the ability to perform group matching. During the authentication process, the IdP sends a SAML assertion that typically includes an "Attribute Statement" containing the user's group memberships.3 FortiSASE captures this attribute and matches it against locally defined SAML user groups.

Policy Enforcement: This group matching capability is critical because it allows administrators to apply different Security Internet Access (SIA) or Secure Private Access (SPA) policies based on the user's role (e.g., "Marketing" vs. "Finance") rather than managing individual users manually.

Analysis of Incorrect Options: * Options C and D are incorrect because FortiSASE does not natively act as a SAML IdP; it is designed to consume assertions from professional identity management platforms.

Option B is incorrect because FortiSASE fully supports and relies upon group matching for enterprise-scale policy management.

Zero Trust Network Access (ZTNA) is the FortiSASE feature that ensures least-privileged user access to all applications. ZTNA operates on the principle of "never trust, always verify," providing secure access based on the identity of users and devices, regardless of their location.

Zero Trust Network Access (ZTNA):

ZTNA ensures that only authenticated and authorized users and devices can access applications.

It applies the principle of least privilege by granting access only to the resources required by the user, minimizing the potential for unauthorized access.

Implementation:

ZTNA continuously verifies user and device trustworthiness and enforces granular access control policies.

This approach enhances security by reducing the attack surface and limiting lateral movement within the network.

In recent versions of FortiSASE (starting from version 24.4 and later), the platform has increased its scalability to support larger enterprise environments.

Maximum Hub Support: According to the FortiSASE Mature Administration Guide and the FortiSASE 25.3.148 Feature Release Notes, administrators can now configure a maximum of 12 SPA Service Connections (SPA hubs). Previously, this limit was restricted to 4 hubs.

Scalability for Large Enterprises: This enhancement allows organizations with complex, geographically dispersed networks—such as those with multiple regional datacenters or cloud hubs—to integrate up to 12 distinct FortiGate SD-WAN hubs into their SASE infrastructure.

Service Connection Licensing: Each SPA hub requires a dedicated FortiGate SPA Service Connection license. In MSSP environments using FortiCloud Organizations, a single FortiSASE instance can inherit these licenses from a root OU, supporting up to the same cumulative maximum of 12 service connections.

Routing and Performance: These 12 hubs form the "Private Access" backbone, where FortiSASE security PoPs act as spokes. The use of BGP (either per-overlay or on loopback) ensures that traffic is dynamically routed to the optimal hub based on the destination network and defined SLA priorities.

The core of this issue lies in the difference between Certificate Inspection and Deep SSL Inspection within the FortiSASE security framework.

The Limitation of Certificate Inspection: When "Force Certificate Inspection" is enabled in a FortiSASE firewall policy, the system only inspects the SSL handshake—specifically the SNI (Server Name Indication) and certificate headers. It does not decrypt the actual data payload of the HTTPS session.

Antivirus Scanning Requirements: To detect and block malicious files like the EICAR test file when they are downloaded over an encrypted HTTPS connection (such as https://eicar.org), the FortiSASE antivirus engine must be able to "see" inside the encrypted tunnel. This requires Deep Inspection (Full SSL Inspection), where FortiSASE acts as a "man-in-the-middle" to decrypt, scan, and then re-encrypt the traffic.

Exhibit Analysis: The Secure Internet Access policy exhibit clearly shows the toggle for Force Certificate Inspection is enabled (set to "ON"). As specified in the Fortinet technical documentation, enabling this option forces the policy to use Certificate Inspection only, overriding any Deep Inspection settings that might be defined in the Profile Group.

Conclusion: Because the traffic is only undergoing certificate-level inspection, the antivirus engine cannot analyze the encrypted eicar.com-zip file payload, allowing the download to proceed even though an antivirus profile is active in the group.

FortiSASE supports zero trust network access (ZTNA) principles by identifying attributes on the endpoint for security posture checks. ZTNA principles require continuous verification of user and device credentials, as well as their security posture, before granting access to network resources.

Security Posture Check:

FortiSASE can evaluate the security posture of endpoints by checking for compliance with security policies, such as antivirus status, patch levels, and configuration settings.

This ensures that only compliant and secure devices are granted access to the network.

Zero Trust Network Access (ZTNA):

ZTNA is based on the principle of "never trust, always verify," which requires continuous assessment of user and device trustworthiness.

FortiSASE plays a crucial role in implementing ZTNA by performing these security posture checks and enforcing access control policies.

The FortiSASE On/off-net detection feature is a two-part configuration designed to optimize bandwidth and user experience by determining when a device is in a trusted environment.

Rule Set Definition: The first part involves defining what constitutes an "on-net" or "on-fabric" status. In this scenario, the customer successfully configured a rule set named CERT-PUBLIC-IP using the Connects with a known public IP detection type. This tells FortiSASE that if the endpoint’s public WAN IP matches the corporate gateway, it is considered to be on the corporate network.

Profile Exemption Logic: Defining the rule set is not enough to stop the VPN connection. Within the Endpoint Profile (under the Connection tab > On/off-net Settings), there is a specific toggle labeled Exempt endpoint from FortiSASE auto-connect when endpoint is on-net (or in some versions, Bypass FortiSASE when endpoint is on-net).

Exhibit Analysis: Looking at the provided exhibit (image_57097d.jpg), the "Exempt endpoint from FortiSASE auto-connect..." toggle is clearly disabled (switched to the left).

Root Cause: Because this toggle is disabled, FortiClient identifies that it is "on-net" based on the IP rule, but it has no instruction to skip the VPN connection. Consequently, the "Automatically" initiate tunnel setting remains the dominant instruction, causing the VPN to connect regardless of the network location.

To resolve the issue, the administrator must enable the Exempt endpoint from FortiSASE auto-connect when endpoint is on-net option in the SASECert01 profile.

For small branch offices (thin edges) where users utilize unmanaged personal devices (BYOD) like laptops and mobile phones, the most efficient way to provide Secure Internet Access (SIA) with minimal configuration is by deploying a FortiAP.

Thin Edge Integration: FortiSASE includes expanded integrations with the Fortinet WLAN portfolio, allowing FortiAP wireless access points to function as "thin edge" devices. These access points intelligently offload and steer traffic from the branch directly to the nearest FortiSASE Security Point of Presence (PoP).

No Endpoint Agents Required: Because the devices are personal and unmanaged, installing the FortiClient agent (Option A) is often not feasible or desirable. The FortiAP deployment secures all client devices at the location without requiring any endpoint agents.

Minimal Configuration & Zero-Touch: This solution is specifically designed for small office locations with limited budgets and no local IT staff. FortiSASE offers cloud-delivered management with zero-touch provisioning for FortiAP. Once the AP is connected, it automatically establishes a secure CAPWAP or IPsec tunnel to FortiSASE, ensuring all connected users are protected by the cloud security stack (Antivirus, Web Filtering, etc.) with almost no manual setup on the end-user side.

Why other options are less ideal:

Option C and D: SD-WAN on-ramp and FortiGate LAN extensions typically require a physical FortiGate appliance at the branch. For a small office with only ten users and personal devices, this adds unnecessary hardware costs and configuration complexity compared to a simple, cloud-managed FortiAP.

FortiSASE brings the following advantages to businesses with multiple branch offices:

Centralized Management for Simplified Administration:

FortiSASE provides a centralized management platform that allows administrators to manage security policies, configurations, and monitoring from a single interface.

This simplifies the administration and reduces the complexity of managing multiple branch offices.

Eliminates the Need for On-Premises Firewalls:

FortiSASE enables secure access to the internet and cloud applications without requiring dedicated on-premises firewalls at each branch office.

This reduces hardware costs and simplifies network architecture, as security functions are handled by the cloud-based FortiSASE solution.

To meet the requirement of inspecting all endpoint internet traffic on FortiSASE while excluding Google Maps traffic from the FortiSASE VPN tunnel and redirecting it to the endpoint's physical interface, you should configure split tunneling. Split tunneling allows specific traffic to bypass the VPN tunnel and be routed directly through the endpoint's local interface.

Split Tunneling Configuration:

Split tunneling enables selective traffic to be routed outside the VPN tunnel.

By configuring the Google Maps Fully Qualified Domain Name (FQDN) as a split tunneling destination, you ensure that traffic to Google Maps bypasses the VPN tunnel and uses the endpoint's local interface instead.

Implementation Steps:

Access the FortiSASE endpoint profile configuration.

Add the Google Maps FQDN to the split tunneling destinations list.

This configuration directs traffic intended for Google Maps to bypass the VPN tunnel and be routed directly through the endpoint's physical network interface.

Based on the detailed analysis of the provided exhibits (image_65feb6.jpg), the connectivity failure is caused by a mismatch in the Hub firewall policy configuration.

Endpoint Analysis: The Network Diagram shows the FortiClient endpoint has an IP address of 100.65.80.2/20 and currently carries the FortiSASE-Compliant ZTNA tag.

FortiSASE Policy Validation: The Private access policy on FortiSASE shows an "Accept" rule for traffic originating from "FortiSASE-Compliant" sources destined for "All Private Access Traffic". This confirms the traffic is successfully leaving the FortiSASE PoP.

Routing Validation: The Learned BGP Routes on FortiSASE table shows the prefix 10.160.160.0/24 (the Server subnet) is correctly received via Next Hop 10.11.11.1. Routing is correctly established.

Hub Firewall Policy Error: Examining the Hub firewall policy (edit 7), the srcaddr is set to "SASE_Remote_Access". Looking at the address object definition for "SASE_Remote_Access," it is configured with the subnet 10.11.11.0 255.255.255.0.

The Conflict: The FortiClient's actual IP address (100.65.80.2) does not fall within the 10.11.11.0/24 range defined in the policy's source address. On a FortiGate hub, for traffic to be permitted through the tunnel to the internal server, the firewall policy must include the specific subnet assigned to the remote clients, not just the tunnel interface subnet. Because the FortiClient address range is missing from the hub's policy, the traffic is dropped at the hub.

The reason for the ping failures is due to the quick mode selectors restricting the subnet. Quick mode selectors define the IP ranges and protocols that are allowed through the VPN tunnel, and if they are not configured correctly, traffic to certain subnets can be blocked.

Quick Mode Selectors:

Quick mode selectors specify the source and destination subnets that are allowed to communicate through the VPN tunnel.

If the selectors do not include the subnet of the webserver (192.168.10.0/24), then the traffic will be restricted, and the ping will fail.

Diagnostic Output:

The diagnostic output shows the VPN configuration details, but it is important to check the quick mode selectors to ensure that the necessary subnets are included.

If the quick mode selectors are too restrictive, they will prevent traffic to and from the specified subnets.

Configuration Check:

Verify the quick mode selectors on both the FortiSASE and FortiGate hub to ensure they match and include the subnet of the webserver.

Adjust the selectors to allow the necessary subnets for successful communication.

In a FortiSASE environment, the Unified FortiClient agent is the critical component that fulfills the requirement for "always-on" connectivity and security for remote users.

Persistent Encrypted Tunnels: The Unified FortiClient maintains a persistent, always-on connection to the FortiSASE infrastructure.4 This is typically achieved through an auto-connect VPN tunnel (SSL or IPsec) that initiates as soon as the user logs into their device and has internet access.

Continuous Security Enforcement: By staying connected to a nearby FortiSASE Point of Presence (PoP), the endpoint ensures that all traffic is inspected. This allows the organization to enforce a consistent security posture—including Web Filtering, Antivirus, and Application Control—regardless of whether the user is at home, in a coffee shop, or traveling.

Zero-Trust Integration: Beyond simple connectivity, the unified agent supports Universal ZTNA. It continuously verifies the identity of the user and the security posture of the device before granting access to specific applications, thereby satisfying modern zero-trust security mandates.

Comparison of Other Components:

SD-WAN on-ramp (B): Used primarily to integrate existing branch office SD-WAN networks with the SASE cloud for private application access.

Secure Web Gateway (C): While a feature of the SASE PoP, the agentless SWG deployment (using PAC files) does not provide the same level of "always-on" persistent tunnel protection as the FortiClient agent.

Thin-branch SASE extension (D): Focused on securing small branch locations (using FortiAP or FortiExtender) where individual client agents may not be deployed on every device.

In the FortiSASE architecture, there are two primary methods for delivering Secure Internet Access (SIA): Agent-based (using FortiClient) and Agentless (using Secure Web Gateway/SWG).

Use Case Analysis: The scenario describes a contractor—an unmanaged user—who requires temporary access for a web-based application (the POS system). For contractors or guests using personal/non-corporate devices where installing the FortiClient agent is either not feasible or not desired, FortiSASE provides the SIA Agentless deployment model.

Mechanism (SWG & PAC): In this mode, FortiSASE functions as an explicit web proxy. To steer the contractor's web traffic (HTTP/HTTPS) to the SASE cloud for inspection, the administrator provides the user with a proxy auto-configuration (PAC) file. The contractor simply configures their browser or operating system to point to the URL of this PAC file.

Security Enforcement: Once the PAC file is applied, all web traffic from the contractor's device is redirected to the FortiSASE SWG PoP. Here, the traffic is subject to the organization’s full security stack, including SSL deep inspection, Antivirus, Web Filtering, and Application Control, ensuring that even temporary contractor access is fully secured and logged.

Why other options are incorrect:

Option B (Tunnel Policy): This refers to agent-based access where a VPN tunnel is established. This requires FortiClient, which is generally not used for temporary contractors on unmanaged devices.

Option C (ZTNA Unmanaged): While ZTNA supports agentless access to private applications (SPA), providing internet access (SIA) to an unmanaged endpoint is specifically the role of the SWG/Proxy service.

Option D (Self-registration): While FortiSASE has a User Portal for onboarding, it is a method for user registration/credential management, not the technical traffic-steering mechanism used to provide internet connectivity.

According to the FortiSASE 25 Secure Internet Access Architecture Guide, the SWG (Agentless) approach is the recommended best practice for securing web-only traffic from unmanaged endpoints and third-party contractors.

When remote users connected to FortiSASE require access to internal resources on Branch-2, the following process occurs:

SD-WAN Capability:

FortiSASE leverages SD-WAN to optimize traffic routing based on performance metrics and priorities.

In the priority settings, HUB-1 is configured with the highest priority (P1), whereas HUB-2 has a lower priority (P2).

Traffic Routing Decision:

FortiSASE evaluates the available hubs (HUB-1 and HUB-2) and selects HUB-1 due to its highest priority setting.

Once the traffic reaches HUB-1, it is then routed to the appropriate branch based on internal routing policies.

Branch-2 Access:

Since HUB-1 has the highest priority, FortiSASE directs the traffic to HUB-1.

HUB-1 then routes the traffic to Branch-2, providing the remote users access to the internal resources.

In a FortiSASE environment, the ability of a remote user to establish a VPN tunnel is governed not only by their credentials and firewall policies but also by geographic access controls.

Geofencing Mechanism: FortiSASE includes a Geofencing feature (found under Configuration > Restrictions or Configuration > Geofencing in newer versions) that allows administrators to restrict or allow access to SASE services based on the geographic location of the endpoint's public IP address.

Connection Failure vs. SSO Success: The scenario describes a situation where users can successfully authenticate via SSO to reach third-party SaaS apps like Office 365 (O365) or Salesforce (SFDC) but cannot connect to the SASE VPN. This occurs because the SSO authentication is handled directly by the Identity Provider (IdP) (e.g., Microsoft Entra ID), which may not have the same geographic restrictions. However, when the FortiClient attempts to establish the tunnel to the FortiSASE Point of Presence (PoP), the SASE gateway checks the Geofencing list. If the country the user is visiting is on the Deny list (or not on the Allow list), the connection is dropped at the "local-in" policy level on the SASE backend, preventing the tunnel from forming.

Verification and Resolution: To resolve this, the administrator must verify the Geofencing settings and ensure that the countries where the traveling users are located are permitted to connect. If the feature is enabled with a "Deny" list, the specific country must be removed from that list; if it uses an "Allow" list, the country must be added.

Analysis of Other Options:

Option A: Firewall policies govern traffic after the tunnel is established; they cannot resolve a failure to connect the tunnel itself.

Option B: Restarting the device is a general troubleshooting step but will not bypass a server-side geographic block.

Option D: While keeping clients updated is a best practice, the issue described (specific to overseas travel while other functions work) points to a configuration restriction rather than a software bug.

The integration of FortiGuard SOCaaS with FortiSASE significantly strengthens an organization's security posture by offloading complex security operations to Fortinet's expert analysts.4

Continuous Threat Monitoring (B): FortiGuard SOCaaS provides 24x7x365 threat monitoring for all endpoints connected to the FortiSASE environment. This service eliminates the need for organizations to hire and maintain their own round-the-clock security operations staff while ensuring that threats are detected and verified in as little as 15 minutes.

Centralized Visibility (C): By forwarding FortiSASE logs to the SOCaaS cloud, administrators gain centralized visibility of all security events through a single, user-friendly portal. This portal allows security teams to track threats, review expert-led incident escalations, and communicate directly with Fortinet SOC analysts to streamline the incident response process.

Operational Efficiency: The integration uses AI-driven alert triage and automated correlation to distill data from the Fortinet Security Fabric, focusing on legitimate threats and reducing the alert fatigue often experienced by internal IT teams.