FCSS_SASE_AD-24 Free Practice Test

An organization must block user attempts to log in to non-company resources while using Microsoft Office 365 to prevent users from accessing unapproved cloud resources.
Which FortiSASE feature can you implement to achieve this requirement?

1. A. Web Filter with Inline-CASB
2. B. SSL deep inspection
3. C. Data loss prevention (DLP)
4. D. Application Control with Inline-CASB

Correct Answer: A
To block user attempts to log in to non-company resources while using Microsoft Office 365, theWeb Filter with Inline-CASBfeature in FortiSASE is the most appropriate solution. Inline-CASB (Cloud Access Security Broker) provides real-time visibility and control over cloud application usage. When combined with Web Filtering, it can enforce policies to restrict access to unauthorized or non-company resources within sanctioned applications like Microsoft Office 365. This ensures that users cannot access unapproved cloud resources while still allowing legitimate use of Office 365.
Here??s why the other options are incorrect:
✑ B. SSL deep inspection:While SSL deep inspection is useful for decrypting and inspecting encrypted traffic, it does not specifically address the need to block access to non-companyresources within Office 365. It focuses on securing traffic rather than enforcing application-specific policies.
✑ C. Data loss prevention (DLP):DLP is designed to prevent sensitive data from being leaked or exfiltrated. While it is a valuable security feature, it does not directly block access to non-company resources within Office 365.
✑ D. Application Control with Inline-CASB:Application Control focuses on managing access to specific applications rather than enforcing granular policies within an application like Office 365. Web Filter with Inline-CASB is better suited for this use case.
References:
✑ Fortinet FCSS FortiSASE Documentation - Inline-CASB and Web Filtering
✑ FortiSASE Administration Guide - Securing Cloud Applications
================

What are two advantages of using zero-trust tags? (Choose two.)

1. A. Zero-trust tags can be used to allow or deny access to network resources
2. B. Zero-trust tags can determine the security posture of an endpoint.
3. C. Zero-trust tags can be used to create multiple endpoint profiles which can be applied to different endpoints
4. D. Zero-trust tags can be used to allow secure web gateway (SWG) access

Correct Answer: AB
Zero-trust tags are critical in implementing zero-trust network access (ZTNA) policies. Here are the two key advantages of using zero-trust tags:
✑ Access Control (Allow or Deny):
✑ Determining Security Posture:
References:
✑ FortiOS 7.2 Administration Guide: Provides detailed information on configuring and using zero-trust tags for access control and security posture assessment.
✑ FortiSASE 23.2 Documentation: Explains how zero-trust tags are implemented and used within the FortiSASE environment for enhancing security and compliance.

Refer to the exhibit.

The daily report for application usage shows an unusually high number of unknown applications by category.
What are two possible explanations for this? (Choose two.)

1. A. Certificate inspection is not being used to scan application traffic.
2. B. The inline-CASB application control profile does not have application categories set to Monitor
3. C. Zero trust network access (ZTNA) tags are not being used to tag the correct users.
4. D. Deep inspection is not being used to scan traffic.

Correct Answer: BD

Refer to the exhibit.

In the user connection monitor, the FortiSASE administrator notices the user name is showing random characters. Which configuration change must the administrator make to get proper user information?

1. A. Turn off log anonymization on FortiSASE.
2. B. Add more endpoint licenses on FortiSASE.
3. C. Configure the username using FortiSASE naming convention.
4. D. Change the deployment type from SWG to VPN.

Correct Answer: A
In the user connection monitor, the random characters shown for the username indicate that log anonymization is enabled. Log anonymization is a feature that hides the actual user informationin the logs for privacy and security reasons. To display proper user information, you need to disable log anonymization.
✑ Log Anonymization:
✑ Disabling Log Anonymization:
References:
✑ FortiSASE 23.2 Documentation: Provides detailed steps on enabling and disabling log anonymization.
✑ Fortinet Knowledge Base: Explains the impact of log anonymization on user monitoring and logging.

When you configure FortiSASE Secure Private Access (SPA) with SD-WAN integration, you must establish a routing adjacency between FortiSASE and the FortiGate SD-WAN hub. Which routing protocol must you use?

1. A. BGP
2. B. IS-IS
3. C. OSPF
4. D. EIGRP

Correct Answer: A
When configuring FortiSASE Secure Private Access (SPA) with SD-WAN integration, establishing a routing adjacency between FortiSASE and the FortiGate SD- WAN hub requires the use of the Border Gateway Protocol (BGP).
✑ BGP (Border Gateway Protocol):
✑ Routing Adjacency:
References:
✑ FortiOS 7.2 Administration Guide: Provides information on configuring BGP for SD-WAN integration.
✑ FortiSASE 23.2 Documentation: Details on setting up routing adjacencies using BGP for Secure Private Access with SD-WAN.