Which authentication method overrides any other previously configured user authentication on FortiSASE?
Correct Answer: D
In FortiSASE, SSO authentication takes precedence over all other configured authentication methods. When SSO is enabled, it overrides local, RADIUS, and MFA user authentication settings.
Question 22
Which configuration is a valid use case for FortiSASE features in supporting remote users?
Correct Answer: C
According to theFortiSASE 7.6 Architecture GuideandFCP - FortiSASE 24/25 Administratormaterials, the solution is built around three primary use cases that support a hybrid workforce: * Secure Internet Access (SIA):This enables secure web browsing by applying security profiles such as Web Filter,Anti-Malware, andSSL Inspectionin the SASE cloud. It protects remote users from internet-based threats regardless of their location. * Secure Private Access (SPA):This provides granular, explicit access to private applications hosted in data centers or the cloud. It is achieved throughZTNA (Zero Trust Network Access)for session-based security or throughSD-WAN integrationwhere FortiSASE acts as a spoke to an existing corporate SD- WAN hub. * SaaS Security:FortiSASE utilizesInline-CASBandShadow IT visibilityto monitor and control the use of cloud applications.Data Loss Prevention (DLP)is integrated into these workflows to prevent sensitive corporate data from being uploaded to unauthorized SaaS platforms. Why other options are incorrect: * Option A:While it mentions SD-WAN and Shadow IT, it misses the core definition of SIA (secure web browsing) which is the primary driver for SASE deployments. * Option B:Remote Browser Isolation (RBI)is typically applied to risky or uncategorized websites, not "all websites," due to the high performance and resource overhead. * Option D:FortiSASE is designed to protect data in motion (via security profiles) as well as data stored in sanctioned cloud apps, not "at rest only".
Question 23
What is the purpose of the on/off-net rule setting in FortiSASE?
Correct Answer: C
The on/off-net rule setting in FortiSASE classifies endpoints as on-net (inside trusted corporate networks, like branch offices) or off-net (remote or untrusted locations, like home or public Wi-Fi). Administrators define on-net rules using IP subnets, gateway MACs, or other criteria to trigger behaviors such as exempting on-net endpoints from FortiSASE auto-connect or applying different profiles.
Question 24
Which statement is true about FortiSASE supported deployment?
Correct Answer: B
According to theFortiSASE 7.6 Administration Guideand theFCP - FortiSASE 24/25 Administrator curriculum, FortiSASE is designed with a hybrid deployment architecture to support various user and device requirements. It primarily operates in two modes: * Endpoint Mode (Agent-based): This mode requires the installation ofFortiClienton the user's laptop or device. The agent establishes an "always-up" secure VPN tunnel to the nearest FortiSASE Point of Presence (PoP), providing full Secure Internet Access (SIA), Secure Private Access (SPA), and endpoint posture checks (ZTNA). * Secure Web Gateway (SWG) Mode (Agentless): This mode is used for users or devices where installing an agent is not feasible (e.g., unmanaged devices or Chromebooks). It relies on explicit web proxy settings or a PAC (Proxy Auto-Configuration) file to redirect web traffic (HTTP/HTTPS) to the SASE PoP for inspection. Why other options are incorrect: * Option A: While it supports VPN, "VPN mode" is not the formal name of the deployment type; it is "Endpoint mode". * Option C: FortiSASE is not limited to SWG; it is a full SSE (Security Service Edge) solution including FWaaS and ZTNA. * Option D: ZTNA is a capability within the platform, not a replacement for the overall endpoint or SWG functions.
Question 25
Which three reports are valid report types in FortiSASE? (Choose three.)
Correct Answer: A,D,E
Shadow IT Report: Leveraging the built-in CASB (Cloud Access Security Broker) capabilities, this report identifies "unsanctioned" or "risky" SaaS applications being used by employees. It helps organizations discover hidden security risks by cataloging cloud applications that have not been explicitly approved by the IT department. Vulnerability Assessment Report: Since FortiSASE integrates with FortiClient and an embedded EMS, it can aggregate vulnerability scan data from managed endpoints. This report lists software vulnerabilities found on user devices (OS-level and application-level), providing a "Security Rating" or posture assessment that is critical for Zero Trust Network Access (ZTNA) enforcement. Web Usage Summary Report: This report provides a high-level overview of web activity across the SASE deployment. It categorizes traffic by website categories (e.g., Social Media, Streaming, Malicious Sites), top users by bandwidth, and blocked requests, helping IT teams understand how internet resources are being consumed by remote workers.