Most Recent Fortinet FCSS_SASE_AD-23 Exam Questions & Answers

There are two deployment methods used to connect a FortiExtender as a FortiSASE LAN extension:

Connect FortiExtender to FortiSASE using FortiZTP:

FortiZero Touch Provisioning (FortiZTP) simplifies the deployment process by allowing FortiExtender to automatically connect and configure itself with FortiSASE.

This method requires minimal manual configuration, making it efficient for large-scale deployments.

Enter the FortiSASE domain name in the FortiExtender GUI as a static discovery server:

Manually configuring the FortiSASE domain name in the FortiExtender GUI allows the extender to discover and connect to the FortiSASE infrastructure.

This static discovery method ensures that FortiExtender can establish a connection with FortiSASE using the provided domain name.

FortiOS 7.2 Administration Guide: Details on FortiExtender deployment methods and configurations.

FortiSASE 23.2 Documentation: Explains how to connect and configure FortiExtender with FortiSASE using FortiZTP and static discovery.

To block all video and audio application traffic while granting access to videos from CNN, you need to configure an application override action in the Application Control with Inline-CASB. Here is the step-by-step detailed explanation:

Application Control Configuration:

Application Control is used to identify and manage application traffic based on predefined or custom application signatures.

Inline-CASB (Cloud Access Security Broker) extends these capabilities by allowing more granular control over cloud applications.

Blocking Video and Audio Applications:

To block all video and audio application traffic, you can create a policy within Application Control to deny all categories related to video and audio streaming.

Granting Access to Specific Videos (CNN):

To allow access to videos from CNN specifically, you must create an override rule within the same Application Control profile.

The override action 'Exempt' ensures that traffic to specified URLs (such as those from CNN) is not subjected to the blocking rules set for other video and audio traffic.

Configuration Steps:

Navigate to the Application Control profile in the FortiSASE interface.

Set the application categories related to video and audio streaming to 'Block.'

Add a new override entry for CNN video traffic and set the action to 'Exempt.'

FortiOS 7.2 Administration Guide: Detailed steps on configuring Application Control and Inline-CASB.

Fortinet Training Institute: Provides scenarios and examples of using Application Control with Inline-CASB for specific use cases.

FortiSASE hides user information when viewing and analyzing logs by hashing data using salt. This approach ensures that sensitive user information is obfuscated, enhancing privacy and security.

Hashing Data with Salt:

Hashing data involves converting it into a fixed-size string of characters, which is typically a hash value.

Salting adds random data to the input of the hash function, ensuring that even identical inputs produce different hash values.

This method provides enhanced security by making it more difficult to reverse-engineer the original data from the hash value.

Security and Privacy:

Using salted hashes ensures that user information remains secure and private when stored or analyzed in logs.

This technique is widely used in security systems to protect sensitive data from unauthorized access.

FortiOS 7.2 Administration Guide: Provides information on log management and data protection techniques.

FortiSASE 23.2 Documentation: Details on how FortiSASE implements data hashing and salting to secure user information in logs.

FortiSASE supports zero trust network access (ZTNA) principles by identifying attributes on the endpoint for security posture checks. ZTNA principles require continuous verification of user and device credentials, as well as their security posture, before granting access to network resources.

Security Posture Check:

FortiSASE can evaluate the security posture of endpoints by checking for compliance with security policies, such as antivirus status, patch levels, and configuration settings.

This ensures that only compliant and secure devices are granted access to the network.

Zero Trust Network Access (ZTNA):

ZTNA is based on the principle of 'never trust, always verify,' which requires continuous assessment of user and device trustworthiness.

FortiSASE plays a crucial role in implementing ZTNA by performing these security posture checks and enforcing access control policies.

FortiOS 7.2 Administration Guide: Provides information on ZTNA and endpoint security posture checks.

FortiSASE 23.2 Documentation: Details on how FortiSASE implements ZTNA principles.

To meet the requirement of inspecting all endpoint internet traffic on FortiSASE while excluding Google Maps traffic from the FortiSASE VPN tunnel and redirecting it to the endpoint's physical interface, you should configure split tunneling. Split tunneling allows specific traffic to bypass the VPN tunnel and be routed directly through the endpoint's local interface.

Split Tunneling Configuration:

Split tunneling enables selective traffic to be routed outside the VPN tunnel.

By configuring the Google Maps Fully Qualified Domain Name (FQDN) as a split tunneling destination, you ensure that traffic to Google Maps bypasses the VPN tunnel and uses the endpoint's local interface instead.

Implementation Steps:

Access the FortiSASE endpoint profile configuration.

Add the Google Maps FQDN to the split tunneling destinations list.

This configuration directs traffic intended for Google Maps to bypass the VPN tunnel and be routed directly through the endpoint's physical network interface.

FortiOS 7.2 Administration Guide: Provides details on split tunneling configuration.

FortiSASE 23.2 Documentation: Explains how to set up and manage split tunneling for specific destinations.