SASE Flashcards

(60 cards)

1
Q

A FortiSASE administrator has configured an antivirus profile in the security profile group and applied
it to the internet access policy. Remote users are still able to download the eicar.com-zip file from
https://eicar.org. Traffic logs show traffic is allowed by the policy.
Which configuration on FortiSASE is allowing users to perform the download?

A. Web filter is allowing the traffic.
B. IPS is disabled in the security profile group.
C. The HTTPS protocol is not enabled in the antivirus profile.
D. Force certificate inspection is enabled in the policy.

A

D

2
Q

An organization wants to block all video and audio application traffic but grant access to videos from
CNN. Which application override action must you configure in the Application Control with Inline-CASB?

A. Allow
B. Pass
C. Permit
D. Exempt

A

A

3
Q

When remote users connected to FortiSASE require access to internal resources on Branch-2, how
will traffic be routed?

A. FortiSASE will use the SD-WAN capability and determine that traffic will be directed to HUB-2,
which will then route traffic to Branch-2.
B. FortiSASE will use the AD VPN protocol and determine that traffic will be directed to Branch-2
directly, using a static route
C. FortiSASE will use the SD-WAN capability and determine that traffic will be directed to HUB-1,
which will then route traffic to Branch-2.
D. FortiSASE will use the AD VPN protocol and determine that traffic will be directed to Branch-2 directly, using a dynamic route

A

D

4
Q

What are two advantages of using zero-trust tags? (Choose two.)

A. Zero-trust tags can be used to allow or deny access to network resources
B. Zero-trust tags can determine the security posture of an endpoint.
C. Zero-trust tags can be used to create multiple endpoint profiles which can be applied to different endpoints
D. Zero-trust tags can be used to allow secure web gateway (SWG) access

A

A, B

5
Q

In the user connection monitor, the FortiSASE administrator notices the user name is showing
random characters. Which configuration change must the administrator make to get proper user
information?

A. Turn off log anonymization on FortiSASE.
B. Add more endpoint licenses on FortiSASE.
C. Configure the username using FortiSASE naming convention.
D. Change the deployment type from SWG to VPN.

A

A

6
Q

To allow access, which web filter configuration must you change on FortiSASE?

A. FortiGuard category-based filter
B. content filter
C. URL Filter
D. inline cloud access security broker (CASB) headers

A

B

7
Q

Which policy type is used to control traffic between the FortiClient endpoint to FortiSASE for secure
internet access?

A. VPN policy
B. thin edge policy
C. private access policy
D. secure web gateway (SWG) policy

A

A

8
Q

Which role does FortiSASE play in supporting zero trust network access (ZTNA) principles?

A. It offers hardware-based firewalls for network segmentation.
B. It integrates with software-defined network (SDN) solutions.
C. It can identify attributes on the endpoint for security posture check.
D. It enables VPN connections for remote employees.

A

C

9
Q

When deploying FortiSASE agent-based clients, which three features are available compared to an
agentless solution? (Choose three.)

A. Vulnerability scan
B. SSL inspection
C. Anti-ransomware protection
D. Web filter
E. ZTNA tags

A

A, C, E

10
Q

Which FortiSASE feature ensures least-privileged user access to all applications?

A. secure web gateway (SWG)
B. SD-WAN
C. zero trust network access (ZTNA)
D. thin branch SASE extension

A

C

11
Q

Which two components are part of onboarding a secure web gateway (SWG) endpoint? (Choose two)

A. FortiSASE CA certificate
B. proxy auto-configuration (PAC) file
C. FortiSASE invitation code
D. FortiClient installer

A

A, B

12
Q

Which two deployment methods are used to connect a FortiExtender as a FortiSASE LAN extension?
(Choose two.)

A. Connect FortiExtender to FortiSASE using FortiZTP
B. Enable Control and Provisioning Wireless Access Points (CAPWAP) access on the FortiSASE portal.
C. Enter the FortiSASE domain name in the FortiExtender GUI as a static discovery server
D. Configure an IPsec tunnel on FortiSASE to connect to FortiExtender.

A

A, C

13
Q

How does FortiSASE hide user information when viewing and analyzing logs?

A. By hashing data using Blowfish
B. By hashing data using salt
C. By encrypting data using Secure Hash Algorithm 256-bit (SHA-256)
D. By encrypting data using advanced encryption standard (AES)

A

B

14
Q

A company has a requirement to inspect all the endpoint internet traffic on FortiSASE, and exclude
Google Maps traffic from the FortiSASE VPN tunnel and redirect it to the endpoint physical interface.
Which configuration must you apply to achieve this requirement?

A. Exempt the Google Maps FQDN from the endpoint system proxy settings.
B. Configure a static route with the Google Maps FQDN on the endpoint to redirect traffic
C. Configure the Google Maps FQDN as a split tunneling destination on the FortiSASE endpoint
profile.
D. Change the default DNS server configuration on FortiSASE to use the endpoint system DNS.

A

C

15
Q

Win10-Pro and Win7-Pro are endpoints from the same remote location. Win10-Pro can access the
internet through FortiSASE, while Win7-Pro can no longer access the internet.
Given the exhibits, which reason explains the outage on Win7-Pro?

A. The Win7-Pro device posture has changed.
B. Win7-Pro cannot reach the FortiSASE SSL VPN gateway.
C. The Win7-Pro FortiClient version does not match the FortiSASE endpoint requirement.
D. Win7-Pro has exceeded the total vulnerability detected threshold.

A

A

16
Q

A customer wants to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid
network. Which FortiSASE features would help the customer to achieve this outcome?

A. SD-WAN and NGFW
B. SD-WAN and inline-CASB
C. zero trust network access (ZTNA) and next generation firewall (NGFW)
D. secure web gateway (SWG) and inline-CASB

A

D

17
Q

When you configure FortiSASE Secure Private Access (SPA) with SD-WAN integration, you must
establish a routing adjacency between FortiSASE and the FortiGate SD-WAN hub. Which routing
protocol must you use?

A. BGP
B. IS-IS
C. OSPF
D. EIGRP

A

A

18
Q

A FortiSASE administrator is configuring a Secure Private Access (SPA) solution to share endpoint
information with a corporate FortiGate.
Which three configuration actions will achieve this solution? (Choose three.)

A. Add the FortiGate IP address in the secure private access configuration on FortiSASE.
B. Use the FortiClient EMS cloud connector on the corporate FortiGate to connect to FortiSASE
C. Register FortiGate and FortiSASE under the same FortiCloud account.
D. Authorize the corporate FortiGate on FortiSASE as a ZTNA access proxy.
E. Apply the FortiSASE zero trust network access (ZTNA) license on the corporate FortiGate.

A

B, C, D

19
Q

The daily report for application usage shows an unusually high number of unknown applications by
category.
What are two possible explanations for this? (Choose two.)

A. Certificate inspection is not being used to scan application traffic.
B. The inline-CASB application control profile does not have application categories set to Monitor
C. Zero trust network access (ZTNA) tags are not being used to tag the correct users.
D. Deep inspection is not being used to scan traffic.

A

B, D

20
Q

When viewing the daily summary report generated by FortiSASE, the administrator notices that the
report contains very little data.
What is a possible explanation for this almost empty report?

A. Digital experience monitoring is not configured.
B. Log allowed traffic is set to Security Events for all policies.
C. The web filter security profile is not set to Monitor.
D. There are no security profile groups applied to all policies.

A

B

21
Q

You are designing a new network for Company X and one of the new cybersecurity policy
requirements is that all remote user endpoints must always be connected and protected. Which
FortiSASE component facilitates this always-on security measure?

A. site-based deployment
B. thin-branch SASE extension
C. unified FortiClient
D. inline-CASB

A

C

22
Q

A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The tunnel is
up to the FortiGate hub. However, the administrator is not able to ping the webserver hosted behind
the FortiGate hub.
Based on the output, what is the reason for the ping failures?

A. The Secure Private Access (SPA) policy needs to allow PING service.
B. Quick mode selectors are restricting the subnet.
C. The BGP route is not received.
D. Network address translation (NAT) is not enabled on the spoke-to-hub policy.

A

C

23
Q

To complete their day-to-day operations, remote users require access to a TCP-based application that
is hosted on a private web server. Which FortiSASE deployment use case provides the most efficient
and secure method for meeting the remote users’ requirements?

A. SD-WAN private access
B. inline-CASB
C. zero trust network access (ZTNA) private access
D. next generation firewall (NGFW)

A

C

24
Q

Which secure internet access (SIA) use case minimizes individual workstation or device setup,
because you do not need to install FortiClient on endpoints or configure explicit web proxy settings
on web browser-based end points?

A. SIA for inline-CASB users
B. SIA for agentless remote users
C. SIA for SSLVPN remote users
D. SIA for site-based remote users

A

D

25
Q

A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The VPN tunnel does not establish. Based on the provided configuration, what configuration needs to be modified to bring the tunnel up?

A. NAT needs to be enabled in the Spoke-to-Hub firewall policy.
B. The BGP router ID needs to match on the hub and FortiSASE.
C. FortiSASE spoke devices do not support mode config.
D. The hub needs IKEv2 enabled in the IPsec phase 1 settings.

A

D

26
Q

Which two additional components does FortiSASE use for application control to act as an inline-CASB? (Choose two.)

A. intrusion prevention system (IPS)
B. SSL deep inspection
C. DNS filter
D. Web filter with inline-CASB

A

A, B

27
Q

Which two advantages does FortiSASE bring to businesses with multiple branch offices? (Choose two.)

A. It offers centralized management for simplified administration.
B. It enables seamless integration with third-party firewalls.
C. It offers customizable dashboard views for each branch location.
D. It eliminates the need to have an on-premises firewall for each branch.

A

A, D

28
Q

When accessing the FortiSASE portal for the first time, an administrator must select data center locations for which three FortiSASE components? (Choose three.)

A. Endpoint management
B. Points of presence
C. SD-WAN hub
D. Logging
E. Authentication

A

A, B, D

29
Q

During FortiSASE provisioning, how many security points of presence (POPs) need to be configured by the FortiSASE administrator?

A. 3
B. 4
C. 2
D. 1

A

B

30
Q

An organization needs to resolve internal hostnames using its internal rather than public DNS servers for remotely connected endpoints. Which two components must be configured on FortiSASE to achieve this? (Choose two.)

A. SSL deep inspection
B. Split DNS rules
C. Split tunnelling destinations
D. DNS filter

A

A, B

31
Q

When viewing the daily summary report generated by FortiSASE, the administrator notices that the report contains very little data. What is a possible explanation for this almost empty report?

A. Log allowed traffic is set to Security Events for all policies.
B. There are no security profile groups applied to all policies.
C. The web filter security profile is not set to Monitor.
D. Digital experience monitoring is not configured.

A

A

32
Q

Which statement best describes the Digital Experience Monitor (DEM) feature on FortiSASE?

A. It provides end-to-end network visibility from all the FortiSASE security PoPs to a specific SaaS application.
B. It can be used to request a detailed analysis of the endpoint from the FortiGuard team.
C. It requires a separate DEM agent to be downloaded from the FortiSASE portal and installed on the endpoint.
D. It can help IT and security teams ensure consistent security monitoring for remote users.

A

A

33
Q

What are two requirements to enable the MSSP feature on FortiSASE? (Choose two.)

A. Add FortiCloud premium subscription on the root FortiCloud account.
B. Configure MSSP user accounts and permissions on the FortiSASE portal.
C. Assign role-based access control (RBAC) to IAM users using FortiCloud IAM portal.
D. Enable multi-tenancy on the FortiSASE portal.

A

A, C

34
Q

Which event log subtype captures FortiSASE SSL VPN user creation?

A. Endpoint Events
B. VPN Events
C. User Events
D. Administrator Events

A

C

35
Q

Your organization is currently using FortiSASE for its cybersecurity. They have recently hired a contractor who will work from the HQ office and who needs temporary internet access in order to set up a web-based point of sale (POS) system. What is the recommended way to provide internet access to the contractor?

A. Use FortiClient on the endpoint to manage internet access.
B. Use a proxy auto-configuration (PAC) file and provide secure web gateway (SWG) service as an explicit web proxy.
C. Use zero trust network access (ZTNA) and tag the client as an unmanaged endpoint.
D. Configure a VPN policy on FortiSASE to provide access to the internet.

A

B

36
Q

Which two statements describe a zero trust network access (ZTNA) private access use case? (Choose two.)

A. The security posture of the device is secure.
B. All FortiSASE user-based deployments are supported.
C. All TCP-based applications are supported.
D. Data center redundancy is offered.

A

A, C

37
Q

Which statement applies to a single sign-on (SSO) deployment on FortiSASE?

A. SSO overrides any other previously configured user authentication.
B. SSO identity providers can be integrated using public and private access types.
C. SSO is recommended only for agent-based deployments.
D. SSO users can be imported into FortiSASE and added to user groups.

A

A

38
Q

Which statement describes the FortiGuard forensics analysis feature on FortiSASE?

A. It can help troubleshoot user-to-application performance issues.
B. It can help customers identify and mitigate potential risks to their network.
C. It can monitor endpoint resources in real-time.
D. It is a 24x7x365 monitoring service of your FortiSASE environment.

A

B

39
Q

A customer needs to implement device posture checks for their remote endpoints while accessing the protected server. They also want the TCP traffic between the remote endpoints and the protected servers to be processed by FortiGate. In this scenario, which three setups will achieve the above requirements? (Choose three.)

A. Configure ZTNA tags on FortiGate.
B. Configure FortiGate as a zero trust network access (ZTNA) access proxy.
C. Configure ZTNA servers and ZTNA policies on FortiGate.
D. Configure private access policies on FortiSASE with ZTNA.
E. Sync ZTNA tags from FortiSASE to FortiGate.

A

B, C, E

40
Q

Which of the following describes the FortiSASE inline-CASB component?

A. It provides visibility for unmanaged locations and devices.
B. It is placed directly in the traffic path between the endpoint and cloud applications.
C. It uses API to connect to the cloud applications.
D. It detects data at rest.

A

B

41
Q

An organization must block user attempts to log in to non-company resources while using Microsoft Office 365 to prevent users from accessing unapproved cloud resources. Which FortiSASE feature can you implement to achieve this requirement?

A. Web Filter with Inline-CASB
B. SSL deep inspection
C. Data loss prevention (DLP)
D. Application Control with Inline-CASB

A

A

42
Q

In which three ways does FortiSASE help organizations ensure secure access for remote workers? (Choose three.)

A. It enforces multi-factor authentication (MFA) to validate remote users.
B. It secures traffic from endpoints to cloud applications.
C. It uses the identity & access management (IAM) portal to validate the identities of remote workers.
D. It offers zero trust network access (ZTNA) capabilities.
E. It enforces granular access policies based on user identities.

A

B, D, E

43
Q

Which secure internet access (SIA) use case minimizes individual endpoint configuration?

A. Site-based remote user internet access
B. Agentless remote user internet access
C. SIA for SSL VPN remote users
D. SIA using ZTNA

A

B

44
Q

Which three configurations must you perform to set up FortiGate as a FortiSASE LAN extension? (Choose three.)

A. Configure VXLAN-over-IPsec on the FortiSASE portal.
B. Connect FortiGate to FortiSASE using FortiZTP.
C. Create a LAN extension VDOM on the edge FortiGate.
D. Authorize the edge FortiGate device on FortiSASE portal.
E. Enter the FortiSASE domain name in the FortiGate GUI as the access controller address.

A

C, D, E

45
Q

In a FortiSASE secure web gateway (SWG) deployment, which three features protect against web-based threats? (Choose three.)

A. Malware protection with sandboxing capabilities
B. Intrusion prevention system (IPS) for web traffic
C. SSL deep inspection for encrypted web traffic
D. Data loss prevention (DLP) for web traffic
E. Web application firewall (WAF) for web applications

A

B, C, D

46
Q

What access point communication protocol does FortiAP use to communicate with FortiSASE in a micro branch deployment?

A. Control and Provisioning of Wireless Access Points (CAPWAP)
B. Lightweight Access Point Protocol (LWAPP)
C. Wireless Application Protocol (WAP)
D. Inter-Access Point Protocol (IAPP)

A

A

47
Q

In a FortiSASE secure web gateway (SWG) deployment, which three features protect against web-based threats? (Choose three.)

A. Malware protection with sandboxing capabilities
B. Intrusion prevention system (IPS) for web traffic
C. SSL deep inspection for encrypted web traffic
D. Data loss prevention (DLP) for web traffic
E. Web application firewall (WAF) for web applications

A

B, C, D

48
Q

A customer wants to ensure secure access for private applications for their users by replacing their VPN. Which two SASE technologies can you use to accomplish this task? (Choose two.)

A. next-generation firewall (NGFW)
B. secure SD-WAN
C. zero trust network access (ZTNA)
D. secure web gateway (SWG) and cloud access security broker (CASB)

A

B, C

49
Q

Based on the configuration shown, in which two ways will FortiSASE process sessions that require FortiSandbox inspection? (Choose two.)

A. All infected files that FortiSandbox detects as malicious will be quarantined.
B. All files detected on a USB drive will be sent to FortiSandbox for analysis.
C. All infected files will be sent to an on-premises FortiSandbox for inspection.
D. Only endpoints assigned with profile for Sandbox Detection will be processed by the sandbox feature.

A

A, D

50
Q

Which two settings are automatically pushed from FortiSASE to FortiClient in a new FortiSASE deployment with default settings? (Choose two.)

A. ZTNA tags
B. FortiSASE CA certificate
C. SSL VPN profile
D. Real-time protection

A

A, B

51
Q

Which FortiSASE component can be utilized for endpoint compliance?

A. Firewall-as-a-Service (FWaaS)
B. cloud access security broker (CASB)
C. zero trust network access (ZTNA)
D. secure web gateway (SWG)

A

C

52
Q

Which VDOM type needs to be configured on the FortiGate Secure Edge to establish a layer 2 network between itself and FortiSASE?

A. Traffic
B. Admin
C. Transparent
D. LAN-Extension

A

D

53
Q

Which dedicated IP address use case allows application of SNAT to specific incoming remote users based on user, group, or country?

A. Geolocation rules
B. Identification and isolation
C. Source IP anchoring
D. Central SNAT policy

A

C

54
Q

FortiSASE delivers a converged networking and security solution. Which two features help with integrating FortiSASE into an existing network? (Choose two.)

A. SD-WAN
B. zero trust network access (ZTNA)
C. security, orchestration, automation, and response (SOAR)
D. remote browser isolation (RBI)

A

A, B

55
Q

Which FortiSASE Secure Private Access (SPA) deployment involves installing FortiClient on remote endpoints?

A. secure web gateway (SWG)
B. SD-WAN
C. zero trust network access (ZTNA)
D. MicroBranch

A

C

56
Q

Which feature can assist FortiSASE administrators with troubleshooting remote user connectivity issues to common SaaS applications using health check metrics?

A. Digital Experience Monitoring
B. FortiView Dashboards
C. Security logs
D. Event logs

A

A

57
Q

For a FortiSASE point of presence (POP) to connect as a spoke, which Fortinet solution is required as a standalone IPsec VPN hub?

A. zero trust network access (ZTNA)
B. secure web gateway (SWG)
C. next generation firewall (NGFW)
D. SD-WAN

A

C

58
Q

In which three ways does FortiSASE provide Secure Private Access (SPA) to corporate, non-web applications? (Choose three.)

A. Using digital experience monitoring
B. Using secure web gateway (SWG)
C. Using SD-WAN technology
D. Using next generation firewall (NGFW)
E. Using zero trust network access (ZTNA) technology

A

C, D, E

59
Q

A customer has an existing network that needs access to a secure application on the cloud. Which FortiSASE feature can the customer use to provide secure Software-as-a-Service (SaaS) access?

A. inline-CASB
B. SD-WAN
C. secure web gateway (SWG)
D. zero trust network access (ZTNA)

A

A

60
Q

When using Secure Private Access (SPA) and SD-WAN, which protocol is used for spoke-to-spoke connectivity?

A. SSL
B. GRE
C. IPsec
D. eBGP

A

C