Big Halloween Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Home
Fortinet
Fortinet Certified Solution Specialist
FCSS_SASE_AD-25
FCSS - FortiSASE 25 Administrator Questions and Answers

Pass the Fortinet Certified Solution Specialist FCSS_SASE_AD-25 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam FCSS_SASE_AD-25 Premium Access

View all detail and faqs for the FCSS_SASE_AD-25 exam

Go to Exam

552 Students Passed

93% Average Score

93% Same Questions

Viewing page 1 out of 2 pages

Viewing questions 1-10 out of questions

Questions # 1:

In a FortiSASE secure web gateway (SWG) deployment, which two features protect against web-based threats? (Choose two.)

Options:

SSL deep inspection for encrypted web traffic

malware protection with sandboxing capabilities

web application firewall (WAF) for web applications

intrusion prevention system (IPS) for web traffic

Answer

A, B

Explanation

SSL deep inspection allows FortiSASE to analyze encrypted web traffic for threats, while malware protection with sandboxing detects and blocks malicious files delivered through web channels.

Questions # 2:

Refer to the exhibit.

Question # 2

An organization must inspect all the endpoint internet traffic on FortiSASE, and exclude Google Maps traffic from the FortiSASE VPN tunnel and redirect it to the endpoint physical interface.

Which configuration must you apply to achieve this requirement?

Options:

Configure a steering bypass tunnel firewall policy using Google Maps FQDN to exclude and redirect the traffic.

Add the Google Maps URL in the zero trust network access (ZTNA) TCP access proxy forwarding rule.

Add the Google Maps URL as a steering bypass destination in the endpoint profile.

Exempt Google Maps in URL filtering in the web filter profile.

Answer

Explanation

To exclude specific internet traffic (such as Google Maps) from being tunneled through FortiSASE and instead direct it out the local endpoint interface, you must configure it as a steering bypass destination in the FortiClient endpoint profile. This ensures traffic matching the URL bypasses the FortiSASE tunnel.

Questions # 3:

Refer to the exhibits.

Question # 3

Antivirus is installed on a Windows 10 endpoint, but the windows application firewall is stopping it from running.

What will the endpoint security posture check be?

Options:

FortiClient will tag the endpoint as FortiSASE-Non-Compliant.

FortiClient will be unmanaged from FortiSASE due to failed compliance.

FortiClient will trigger network lockdown on the endpoint.

FortiClient will prompt the user to enable antivirus.

Answer

Explanation

Although the antivirus is installed, it is not running due to the Windows application firewall blocking it. According to the FortiSASE-Non-Compliant rule, antivirus software must be both installed and running. Since this condition fails, FortiClient assigns the FortiSASE-Non-Compliant tag to the endpoint.

Questions # 4:

Which statement best describes the Digital Experience Monitor (DEM) feature on FortiSASE?

Options:

It provides end-to-end network visibility from all the FortiSASE security PoPs to a specific SaaS application.

It gathers all the vulnerability information from all the FortiClient endpoints.

It is used for performing device compliance checks on endpoints.

It monitors the FortiSASE POP health based on ping probes.

Answer

Explanation

The Digital Experience Monitor (DEM) in FortiSASE measures and monitors network performance from the FortiSASE Points of Presence (PoPs) to specific SaaS or cloud applications, helping identify and troubleshoot performance issues across the service path.

Questions # 5:

Which two settings are automatically pushed from FortiSASE to FortiClient in a new FortiSASE deployment with default settings? (Choose two.)

Options:

zero trust network access (ZTNA) tags

tunnel profile

FortiSASE certificate authority (CA) certificate

real-time protection

Answer

B, C

Explanation

In a default FortiSASE deployment, the tunnel profile (for secure connectivity) and the FortiSASE CA certificate (for SSL inspection and trusted communication) are automatically pushed to FortiClient endpoints.

Questions # 6:

Which two components are part of onboarding a secure web gateway (SWG) endpoint for secure internet access (SIA)? (Choose two.)

Options:

proxy auto-configuration (PAC) file

FortiSASE certificate authority (CA) certificate

FortiClient software

tunnel policy

Answer

A, C

Explanation

A PAC file is used to redirect client web traffic through the SWG, and FortiClient software is required to connect endpoints to the FortiSASE service for secure internet access (SIA).

Questions # 7:

Which FortiSASE component protects users from online threats by hosting their browsing sessions on a remote container within a secure environment?

Options:

secure web gateway (SWG)

remote browser isolation (RBI)

cloud access security broker (CASB)

data loss prevention (DLP)

Answer

Explanation

Remote Browser Isolation (RBI) protects users by executing their web browsing sessions in a remote, secure container, preventing malicious content from reaching the local device.

Questions # 8:

How do security profile group objects behave when central management is enabled on FortiSASE?

Options:

Objects support two-way synchronization.

Objects created on FortiSASE can be retrieved on FortiManager.

Objects that are only flow-based are supported.

Objects are considered read-only on FortiSASE.

Answer

Explanation

When central management is enabled, security profile group objects are managed exclusively through FortiManager, making them read-only on the FortiSASE portal to ensure centralized policy control.

Questions # 9:

Refer to the exhibit.

Question # 9

A customer needs to implement device posture checks for their remote endpoints while accessing the protected server. They also want the TCP traffic between the remote endpoints and the protected servers to be processed by FortiGate.

In this scenario, which two setups will achieve these requirements? (Choose two.)

Options:

Configure ZTNA servers and ZTNA policies on FortiGate.

Configure FortiGate as a zero trust network access (ZTNA) access proxy.

Configure ZTNA tags on FortiGate.

Configure private access policies on FortiSASE with ZTNA.

Answer

A, B

Explanation

To enforce device posture checks and ensure that TCP traffic flows through FortiGate, the FortiGate must act as a ZTNA access proxy and host the ZTNA servers and policies. This setup allows posture validation via FortiSASE while routing traffic securely to protected servers through FortiGate.

Questions # 10:

Refer to the exhibit.

Question # 10