F0RT1S4S3

Refer to the exhibit. The daily report for application usage shows an unusually high number of unknown applications by category. What are two possible explanations for this? (Choose two.). Certificate inspection is not being used to scan application traffic. The inline-CASB application control profile does not have application categories set to Monitor. Zero trust network access (ZTNA) tags are not being used to tag the correct users. Deep inspection is not being used to scan traffic.

What are two advantages of using zero-trust tags? (Choose two.). Zero-trust tags can be used to allow or deny access to network resources. Zero-trust tags can determine the security posture of an endpoint. Zero-trust tags can be used to create multiple endpoint profiles which can be applied to different endpoints. Zero-trust tags can be used to allow secure web gateway (SWG) access.

Refer to the exhibits. A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The VPN tunnel does not establish. Based on the provided configuration, what configuration needs to be modified to bring the tunnel up?. NAT needs to be enabled in the Spoke-to-Hub firewall policy. The BGP router ID needs to match on the hub and FortiSASE. FortiSASE spoke devices do not support mode config. The hub needs IKEv2 enabled in the IPsec phase 1 settings.

Refer to the exhibits. When remote users connected to FortiSASE require access to internal resources on Branch-2, how will traffic be routed?. FortiSASE will use the SD-WAN capability and determine that traffic will be directed to HUB-2, which will then route traffic to Branch-2. FortiSASE will use the AD VPN protocol and determine that traffic will be directed to Branch-2 directly, using a static route. FortiSASE will use the SD-WAN capability and determine that traffic will be directed to HUB-1, which will then route traffic to Branch-2. FortiSASE will use the AD VPN protocol and determine that traffic will be directed to Branch-2 directly, using a dynamic route.

Refer to the exhibits. A FortiSASE administrator has configured an antivirus profile in the security profile group and applied it to the internet access policy. Remote users are still able to download the eicar.com-zip file from https://eicar.org. Traffic logs show traffic is allowed by the policy. Which configuration on FortiSASE is allowing users to perform the download?. Web filter is allowing the traffic. IPS is disabled in the security profile group. The HTTPS protocol is not enabled in the antivirus profile. Force certificate inspection is enabled in the policy.

Refer to the exhibit. A company has a requirement to inspect all the endpoint internet traffic on FortiSASE, and exclude Google Maps traffic from the FortiSASE VPN tunnel and redirect it to the endpoint physical interface. Which configuration must you apply to achieve this requirement?. Exempt the Google Maps FQDN from the endpoint system proxy settings. Configure a static route with the Google Maps FQDN on the endpoint to redirect traffic. Configure the Google Maps FQDN as a split tunneling destination on the FortiSASE endpoint profile. Change the default DNS server configuration on FortiSASE to use the endpoint system DNS.

Refer to the exhibit. To allow access, which web filter configuration must you change on FortiSASE?. FortiGuard category-based filter. content filter. URL Filter. inline cloud access security broker (CASB) headers.

Refer to the exhibits. Win10-Pro and Win7-Pro are endpoints from the same remote location. Win10-Pro can access the internet though FortiSASE, while Win7-Pro can no longer access the internet. Given the exhibits, which reason explains the outage on Win7-Pro?. The Win7-Pro device posture has changed. Win7-Pro cannot reach the FortiSASE SSL VPN gateway. The Win7-Pro FortiClient version does not match the FortiSASE endpoint requirement. Win-7 Pro has exceeded the total vulnerability detected threshold.

Refer to the exhibits. A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The tunnel is up to the FortiGate hub. However, the administrator is not able to ping the Webserver hosted behind the FortiGate hub. Based on the output, what is the reason for the ping failures?. The Secure Private Access (SPA) policy needs to allow PING service. Quick mode selectors are restricting the subnet. The BGP route is not received. Network address translation (NAT) is not enabled on the spoke-to-hub policy.

An organization wants to block all video and audio application traffic but grant access to videos from CNN. Which application override action must you configure in the Application Control with Inline-CASB?. Allow. Pass. Permit. Exempt.

An organization needs to resolve internal hostnames using its internal rather than public DNS servers for remotely connected endpoints. Which two components must be configured on FortiSASE to achieve this? (Choose two.). SSL deep inspection. Split DNS rules. Split tunneling destinations. DNS filter.

Refer to the exhibit. In the user connection monitor, the FortiSASE administrator notices the user name is showing random characters. Which configuration change must the administrator make to get proper user information?. Turn off log anonymization on FortiSASE. Add more endpoint licenses on FortiSASE. Configure the username using FortiSASE naming convention. Change the deployment type from SWG to VPN.

Which FortiSASE feature ensures least-privileged user access to all applications?. secure web gateway (SWG). SD-WAN. zero trust network access (ZTNA). thin branch SASE extension.

When you configure FortiSASE Secure Private Access (SPA) with SD-WAN integration, you must establish a routing adjacency between FortiSASE and the FortiGate SD-WAN hub. Which routing protocol must you use?. BGP. IS-IS. OSPF. EIGRP.

During FortiSASE provisioning, how many security points of presence (POPs) need to be configured by the FortiSASE administrator?. 1. 2. 3. 4.

Which secure internet access (SIA) use case minimizes individual workstation or device setup, because you do not need to install FortiClient on endpoints or configure explicit web proxy settings on web browser-based endpoints?. SIA for inline-CASB users. SIA for agentless remote users. SIA for SSLVPN remote users. SIA for site-based remote users.

Which role does FortiSASE play in supporting zero trust network access (ZTNA) principles?. It offers hardware-based firewalls for network segmentation. It integrates with software-defined network (SDN) solutions. It can identify attributes on the endpoint for security posture check. It enables VPN connections for remote employees.

A FortiSASE administrator is configuring a Secure Private Access (SPA) solution to share endpoint information with a corporate FortiGate. Which three configuration actions will achieve this solution? (Choose three.). Add the FortiGate IP address in the secure private access configuration on FortiSASE. Use the FortiClient EMS cloud connector on the corporate FortiGate to connect to FortiSASE. Register FortiGate and FortiSASE under the same FortiCloud account. Authorize the corporate FortiGate on FortiSASE as a ZTNA access proxy. Apply the FortiSASE zero trust network access (ZTNA) license on the corporate FortiGate.

Which two deployment methods are used to connect a FortiExtender as a FortiSASE LAN extension? (Choose two.). Connect FortiExtender to FortiSASE using FortiZTP. Enable Control and Provisioning Wireless Access Points (CAPWAP) access on the FortiSASE portal. Enter the FortiSASE domain name in the FortiExtender GUI as a static discovery server. Configure an IPsec tunnel on FortiSASE to connect to FortiExtender.

You are designing a new network for Company X and one of the new cybersecurity policy requirements is that all remote user endpoints must always be connected and protected. Which FortiSASE component facilitates this always-on security measure?. site-based deployment. thin-branch SASE extension. unified FortiClient. inline-CASB.

Which policy type is used to control traffic between the FortiClient endpoint to FortiSASE for secure internet access?. VPN policy. thin edge policy. private access policy. secure web gateway (SWG) policy.

When accessing the FortiSASE portal for the first time, an administrator must select data center locations for which three FortiSASE components? (Choose three.). Endpoint management. Points of presence. SD-WAN hub. Logging. Authentication.

When deploying FortiSASE agent-based clients, which three features are available compared to an agentless solution? (Choose three.). Vulnerability scan. SSL inspection. Anti-ransomware protection. Web filter. ZTNA tags.

When viewing the daily summary report generated by FortiSASE. the administrator notices that the report contains very little data. What is a possible explanation for this almost empty report?. Digital experience monitoring is not configured. Log allowed traffic is set to Security Events for all policies. The web filter security profile is not set to Monitor. There are no security profile group applied to all policies.

How does FortiSASE hide user information when viewing and analyzing logs?. By hashing data using Blowfish. By hashing data using salt. By encrypting data using Secure Hash Algorithm 256-bit (SHA-256). By encrypting data using advanced encryption standard (AES).

Which two advantages does FortiSASE bring to businesses with multiple branch offices? (Choose two.). It offers centralized management for simplified administration. It enables seamless integration with third-party firewalls. It offers customizable dashboard views for each branch location. It eliminates the need to have an on-premises firewall for each branch.

A customer wants to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid network. Which FortiSASE features would help the customer to achieve this outcome?. SD-WAN and NGFW. SD-WAN and inline-CASB. zero trust network access (ZTNA) and next generation firewall (NGFW). secure web gateway (SWG) and inline-CASB.

Which two additional components does FortiSASE use for application control to act as an inline-CASB? (Choose two.). intrusion prevention system (IPS). SSL deep inspection. DNS filter. Web filter with inline-CASB.

Which two components are part of onboarding a secure web gateway (SWG) endpoint? (Choose two.). FortiSASE CA certificate. proxy auto-configuration (PAC) file. FortiSASE invitation code. FortiClient installer.

To complete their day-to-day operations, remote users require access to a TCP-based application that is hosted on a private web server. Which FortiSASE deployment use case provides the most efficient and secure method for meeting the remote users' requirements?. SD-WAN private access. inline-CASB. zero trust network access (ZTNA) private access. next generation firewall (NGFW).

Which statement applies to a single sign-on (SSO) deployment on FortiSASE?. SSO overrides any other previously configured user authentication. SSO identity providers can be integrated using public and private access types. SSO is recommended only for agent-based deployments. SSO users can be imported into FortiSASE and added to user groups.

Which event log subtype captures FortiSASE SSL VPN user creation? Options: Endpoint Events. VPN Events. User Events. Administrator Events.