Fortinet FCSS FortiSASE 23 Administrator FCSS_SASE_AD-23 Exam Dumps: Updated Questions & Answers (May 2025)

Zero Trust Network Access (ZTNA) private access provides the most efficient and secure method for remote users to access a TCP-based application hosted on a private web server. ZTNA ensures that only authenticated and authorized users can access specific applications based on predefined policies, enhancing security and access control.

Zero Trust Network Access (ZTNA):

ZTNA operates on the principle of "never trust, always verify," continuously verifying user identity and device security posture before granting access.

It provides secure and granular access to specific applications, ensuring that remote users can securely access the TCP-based application hosted on the private web server.

Secure and Efficient Access:

ZTNA private access allows remote users to connect directly to the application without needing a full VPN tunnel, reducing latency and improving performance.

It ensures that only authorized users can access the application, providing robust security controls.

References:

FortiOS 7.2 Administration Guide: Provides detailed information on ZTNA and its deployment use cases.

FortiSASE 23.2 Documentation: Explains how ZTNA can be used to provide secure access to private applications for remote users.

When remote users connected to FortiSASE require access to internal resources on Branch-2, the following process occurs:

SD-WAN Capability:

FortiSASE leverages SD-WAN to optimize traffic routing based on performance metrics and priorities.

In the priority settings, HUB-1 is configured with the highest priority (P1), whereas HUB-2 has a lower priority (P2).

Traffic Routing Decision:

FortiSASE evaluates the available hubs (HUB-1 and HUB-2) and selects HUB-1 due to its highest priority setting.

Once the traffic reaches HUB-1, it is then routed to the appropriate branch based on internal routing policies.

Branch-2 Access:

Since HUB-1 has the highest priority, FortiSASE directs the traffic to HUB-1.

HUB-1 then routes the traffic to Branch-2, providing the remote users access to the internal resources.

References:

FortiOS 7.2 Administration Guide: Details on SD-WAN configurations and priority settings.

FortiSASE 23.2 Documentation: Explains how FortiSASE integrates with SD-WAN to route traffic based on defined priorities and performance metrics.

Zero Trust Network Access (ZTNA) is the FortiSASE feature that ensures least-privileged user access to all applications. ZTNA operates on the principle of "never trust, always verify," providing secure access based on the identity of users and devices, regardless of their location.

Zero Trust Network Access (ZTNA):

ZTNA ensures that only authenticated and authorized users and devices can access applications.

It applies the principle of least privilege by granting access only to the resources required by the user, minimizing the potential for unauthorized access.

Implementation:

ZTNA continuously verifies user and device trustworthiness and enforces granular access control policies.

This approach enhances security by reducing the attack surface and limiting lateral movement within the network.

References:

FortiOS 7.2 Administration Guide: Provides detailed information on ZTNA and its role in ensuring least-privileged access.

FortiSASE 23.2 Documentation: Explains the implementation and benefits of ZTNA within the FortiSASE environment.

To block all video and audio application traffic while granting access to videos from CNN, you need to configure an application override action in the Application Control with Inline-CASB. Here is the step-by-step detailed explanation:

Application Control Configuration:

Application Control is used to identify and manage application traffic based on predefined or custom application signatures.

Inline-CASB (Cloud Access Security Broker) extends these capabilities by allowing more granular control over cloud applications.

Blocking Video and Audio Applications:

To block all video and audio application traffic, you can create a policy within Application Control to deny all categories related to video and audio streaming.

Granting Access to Specific Videos (CNN):

To allow access to videos from CNN specifically, you must create an override rule within the same Application Control profile.

The override action "Exempt" ensures that traffic to specified URLs (such as those from CNN) is not subjected to the blocking rules set for other video and audio traffic.

Configuration Steps:

Navigate to the Application Control profile in the FortiSASE interface.

Set the application categories related to video and audio streaming to "Block."

Add a new override entry for CNN video traffic and set the action to "Exempt."

References:

FortiOS 7.2 Administration Guide: Detailed steps on configuring Application Control and Inline-CASB.

Fortinet Training Institute: Provides scenarios and examples of using Application Control with Inline-CASB for specific use cases.

The reason for the ping failures is due to the quick mode selectors restricting the subnet. Quick mode selectors define the IP ranges and protocols that are allowed through the VPN tunnel, and if they are not configured correctly, traffic to certain subnets can be blocked.

Quick Mode Selectors:

Quick mode selectors specify the source and destination subnets that are allowed to communicate through the VPN tunnel.

If the selectors do not include the subnet of the webserver (192.168.10.0/24), then the traffic will be restricted, and the ping will fail.

Diagnostic Output:

The diagnostic output shows the VPN configuration details, but it is important to check the quick mode selectors to ensure that the necessary subnets are included.

If the quick mode selectors are too restrictive, they will prevent traffic to and from the specified subnets.

Configuration Check:

Verify the quick mode selectors on both the FortiSASE and FortiGate hub to ensure they match and include the subnet of the webserver.

Adjust the selectors to allow the necessary subnets for successful communication.

References:

FortiOS 7.2 Administration Guide: Provides detailed information on configuring VPN tunnels and quick mode selectors.

FortiSASE 23.2 Documentation: Explains how to set up and manage VPN tunnels, including the configuration of quick mode selectors.

FortiSASE supports zero trust network access (ZTNA) principles by identifying attributes on the endpoint for security posture checks. ZTNA principles require continuous verification of user and device credentials, as well as their security posture, before granting access to network resources.

Security Posture Check:

FortiSASE can evaluate the security posture of endpoints by checking for compliance with security policies, such as antivirus status, patch levels, and configuration settings.

This ensures that only compliant and secure devices are granted access to the network.

Zero Trust Network Access (ZTNA):

ZTNA is based on the principle of "never trust, always verify," which requires continuous assessment of user and device trustworthiness.

FortiSASE plays a crucial role in implementing ZTNA by performing these security posture checks and enforcing access control policies.

References:

FortiOS 7.2 Administration Guide: Provides information on ZTNA and endpoint security posture checks.

FortiSASE 23.2 Documentation: Details on how FortiSASE implements ZTNA principles.

FortiSASE hides user information when viewing and analyzing logs by hashing data using salt. This approach ensures that sensitive user information is obfuscated, enhancing privacy and security.

Hashing Data with Salt:

Hashing data involves converting it into a fixed-size string of characters, which is typically a hash value.

Salting adds random data to the input of the hash function, ensuring that even identical inputs produce different hash values.

This method provides enhanced security by making it more difficult to reverse-engineer the original data from the hash value.

Security and Privacy:

Using salted hashes ensures that user information remains secure and private when stored or analyzed in logs.

This technique is widely used in security systems to protect sensitive data from unauthorized access.

References:

FortiOS 7.2 Administration Guide: Provides information on log management and data protection techniques.

FortiSASE 23.2 Documentation: Details on how FortiSASE implements data hashing and salting to secure user information in logs.

There are two deployment methods used to connect a FortiExtender as a FortiSASE LAN extension:

Connect FortiExtender to FortiSASE using FortiZTP:

FortiZero Touch Provisioning (FortiZTP) simplifies the deployment process by allowing FortiExtender to automatically connect and configure itself with FortiSASE.

This method requires minimal manual configuration, making it efficient for large-scale deployments.

Enter the FortiSASE domain name in the FortiExtender GUI as a static discovery server:

Manually configuring the FortiSASE domain name in the FortiExtender GUI allows the extender to discover and connect to the FortiSASE infrastructure.

This static discovery method ensures that FortiExtender can establish a connection with FortiSASE using the provided domain name.

References:

FortiOS 7.2 Administration Guide: Details on FortiExtender deployment methods and configurations.

FortiSASE 23.2 Documentation: Explains how to connect and configure FortiExtender with FortiSASE using FortiZTP and static discovery.

For a customer looking to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid network, the combination of Secure Web Gateway (SWG) and Inline Cloud Access Security Broker (CASB) features in FortiSASE will provide the necessary capabilities.

Secure Web Gateway (SWG):

SWG provides comprehensive web security by inspecting and filtering web traffic to protect against web-based threats.

It ensures that all web traffic, whether originating from on-premises or remote locations, is inspected and secured by the cloud-based proxy.

Inline Cloud Access Security Broker (CASB):

CASB enhances security by providing visibility and control over cloud applications and services.

Inline CASB integrates with SWG to enforce security policies for cloud application usage, preventing unauthorized access and data leakage.

References:

FortiOS 7.2 Administration Guide: Details on SWG and CASB features.

FortiSASE 23.2 Documentation: Explains how SWG and inline-CASB are used in cloud-based proxy solutions.