FCSS_SASE_AD-24 Questions and Answers

Theagentless remote user internet accessuse case is designed to minimize individual endpoint configuration. In this scenario, FortiSASE provides secure internet access without requiring the installation of an agent on the endpoint device. This approach is particularly useful for environments with unmanaged devices or temporary users, as it eliminates the need for complex configurations on each endpoint. Instead, security policies are enforced at the network level, ensuring consistent protection without relying on endpoint-specific software.

Here’s why the other options are incorrect:

A. Site-based remote user internet access:This use case involves securing internet access for users at a specific site or location, typically through a gateway or firewall. While it simplifies configuration for all users at that site, it does not specifically minimize individual endpoint configuration for remote users.

C. SIA for SSL VPN remote users:SSL VPN requires users to connect to the corporate network via a client or browser-based interface. This approach often involves additional configuration on the endpoint, such as installing and configuring the SSL VPN client.

D. SIA using ZTNA:Zero Trust Network Access (ZTNA) focuses on verifying the identity and posture of devices before granting access to resources. While ZTNA enhances security, it may require endpoint agents or posture checks, which involve some level of endpoint configuration.

References:

Fortinet FCSS FortiSASE Documentation - Secure Internet Access (SIA) Use Cases

FortiSASE Administration Guide - Agentless Remote User Access

The issue of an almost empty daily summary report in FortiSASE can often be traced back to how logging is configured within the system. Specifically, if "Log Allowed Traffic" is set to "Security Events" for all policies, it means that only security-related events (such as threats or anomalies) are being logged, while normal, allowed traffic is not being recorded. Since most traffic in a typical network environment is allowed, this configuration would result in very little data being captured and subsequently reported in the daily summary.

Here’s a breakdown of why the other options are less likely to be the cause:

B. There are no security profile groups applied to all policies:While applying security profiles is important for comprehensive protection, their absence does not directly affect the volume of data in reports unless specific logging settings are also misconfigured.

C. The web filter security profile is not set to Monitor:This option pertains specifically to web filtering activities. Even if web filtering is not set to monitor mode, other types of traffic and logs should still populate the report.

D. Digital experience monitoring is not configured:Digital Experience Monitoring (DEM) focuses on user experience metrics rather than general traffic logging. Its absence would not lead to an almost empty report.

To resolve this issue, administrators should review the logging settings across all policies and ensure that "Log Allowed Traffic" is appropriately configured to capture the necessary data for reporting purposes.

References:

Fortinet FCSS FortiSASE Documentation - Reporting and Logging Best Practices

FortiSASE Administration Guide - Configuring Logging Settings

There are two deployment methods used to connect a FortiExtender as a FortiSASE LAN extension:

Connect FortiExtender to FortiSASE using FortiZTP:

FortiZero Touch Provisioning (FortiZTP) simplifies the deployment process by allowing FortiExtender to automatically connect and configure itself with FortiSASE.

This method requires minimal manual configuration, making it efficient for large-scale deployments.

Enter the FortiSASE domain name in the FortiExtender GUI as a static discovery server:

Manually configuring the FortiSASE domain name in the FortiExtender GUI allows the extender to discover and connect to the FortiSASE infrastructure.

This static discovery method ensures that FortiExtender can establish a connection with FortiSASE using the provided domain name.

References:

FortiOS 7.2 Administration Guide: Details on FortiExtender deployment methods and configurations.

FortiSASE 23.2 Documentation: Explains how to connect and configure FortiExtender with FortiSASE using FortiZTP and static discovery.

The recommended way to provide temporary internet access to the contractor is to useZero Trust Network Access (ZTNA)and tag the client as anunmanaged endpoint. ZTNA ensures that only authorized users and devices can access specific resources, while treating all endpoints as untrusted by default. By tagging the contractor's device as an unmanaged endpoint, you can apply strict access controls and ensure that the contractor has limited access to only the necessary resources (e.g., the web-based POS system) without exposing the internal network to unnecessary risks.

Here’s why the other options are less suitable:

A. Use FortiClient on the endpoint to manage internet access:While FortiClient provides endpoint security and management, it requires installation and configuration on the contractor's device. This may not be feasible for temporary contractors or unmanaged devices.

B. Use a proxy auto-configuration (PAC) file and provide secure web gateway (SWG) service as an explicit web proxy:While this approach can control web traffic, it does not provide thegranular access control and security posture validation offered by ZTNA. Additionally, managing PAC files can be cumbersome and less secure compared to ZTNA.

D. Configure a VPN policy on FortiSASE to provide access to the internet:Using a VPN policy would grant broader access to the network, which is not ideal for a temporary contractor. It increases the risk of unauthorized access to internal resources and does not align with the principle of least privilege.

References:

Fortinet FCSS FortiSASE Documentation - Zero Trust Network Access (ZTNA) Use Cases

FortiSASE Administration Guide - Managing Unmanaged Endpoints

================

To block user attempts to log in to non-company resources while using Microsoft Office 365, theWeb Filter with Inline-CASBfeature in FortiSASE is the most appropriate solution. Inline-CASB (Cloud Access Security Broker) provides real-time visibility and control over cloud application usage. When combined with Web Filtering, it can enforce policies to restrict access to unauthorized or non-company resources within sanctioned applications like Microsoft Office 365. This ensures that users cannot access unapproved cloud resources while still allowing legitimate use of Office 365.

Here’s why the other options are incorrect:

B. SSL deep inspection:While SSL deep inspection is useful for decrypting and inspecting encrypted traffic, it does not specifically address the need to block access to non-companyresources within Office 365. It focuses on securing traffic rather than enforcing application-specific policies.

C. Data loss prevention (DLP):DLP is designed to prevent sensitive data from being leaked or exfiltrated. While it is a valuable security feature, it does not directly block access to non-company resources within Office 365.

D. Application Control with Inline-CASB:Application Control focuses on managing access to specific applications rather than enforcing granular policies within an application like Office 365. Web Filter with Inline-CASB is better suited for this use case.

References:

Fortinet FCSS FortiSASE Documentation - Inline-CASB and Web Filtering

FortiSASE Administration Guide - Securing Cloud Applications

================