Fortinet NSE 5 - FortiSASE and SD-WAN 7.6 Core Administrator Online Practice
Last updated: 9 March 2026
These online practice questions let you gauge how well you know the Fortinet NSE5_SSE_AD-7.6 exam material before deciding whether to register for the exam.
To pass the exam and cut your preparation time, use the NSE5_SSE_AD-7.6 dump (latest real exam questions), which currently contains the 35 most recent questions and answers.
Answer:
Explanation:
According to the FortiSASE 24.4 Administration Guide and the FortiSASE Core Administrator training materials, on-net detection rules are the setting that decides whether FortiSASE treats the network an endpoint is currently connected to as trusted.
Endpoint Location Verification: On-net rule sets determine whether FortiSASE considers an endpoint on-net (trusted) or off-net (untrusted). An endpoint is on-net when it sits inside the corporate network, which is assumed to already be protected by on-premises controls such as a FortiGate NGFW.
Operational Impact: When an endpoint is detected as on-net, FortiSASE can be configured not to bring up the Secure Internet Access (SIA) tunnel to the SASE cloud. This avoids redundant inspection and saves SASE bandwidth, because the user is already behind the local corporate firewall.
Detection Methods: To classify an endpoint as on-net, administrators configure rule sets that look for specific environmental markers. Combining several markers in one rule makes the check harder to satisfy by accident from an untrusted network that merely shares one of them (for example the same public IP). Typical markers are:
Known Public (WAN) IP: If the endpoint's public IP matches the corporate headquarters' egress IP.
DHCP Server: If the endpoint receives an IP from a specific corporate DHCP server.
DNS Server/Subnet: Matching internal DNS infrastructure or specific internal IP ranges.
Dynamic Policy Application: By accurately determining whether an endpoint is on- or off-net, FortiSASE ensures that the FortiClient agent only initiates its SIA tunnel when the user is in an untrusted location (for example a home network or public Wi-Fi).
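The following is an added example, not FortiSASE code, that shows how rule sets built from the markers above classify an endpoint. It assumes (these are my assumptions, not statements from the page) that a rule set is an ordered list of rules, that an endpoint is on-net if any rule matches, and that a rule matches only when all of its configured conditions hold. All addresses are constructed from RFC 5737 and RFC 1918 ranges.

```python
"""Added example (not FortiSASE code): evaluating on-net detection rule sets
against endpoint telemetry. Assumptions, not taken from the page: a rule set
is an ordered list of rules, an endpoint is on-net if ANY rule matches, and a
rule matches only if ALL of its configured conditions hold. Addresses are
constructed from RFC 5737 and RFC 1918 ranges.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class EndpointTelemetry:
    public_ip: str                 # egress address as seen from the cloud
    local_ip: str                  # address on the active adapter
    dhcp_server: Optional[str]     # server that issued the lease, None if static
    dns_servers: List[str] = field(default_factory=list)


@dataclass
class OnNetRule:
    """Every non-empty condition must hold; empty conditions are ignored."""
    name: str
    public_ips: Set[str] = field(default_factory=set)
    dhcp_servers: Set[str] = field(default_factory=set)
    dns_servers: Set[str] = field(default_factory=set)
    local_subnets: List[str] = field(default_factory=list)

    def matches(self, ep: EndpointTelemetry) -> bool:
        checks = []
        if self.public_ips:
            checks.append(ep.public_ip in self.public_ips)
        if self.dhcp_servers:
            checks.append(ep.dhcp_server in self.dhcp_servers)
        if self.dns_servers:
            checks.append(any(d in self.dns_servers for d in ep.dns_servers))
        if self.local_subnets:
            addr = ipaddress.ip_address(ep.local_ip)
            checks.append(any(addr in ipaddress.ip_network(n) for n in self.local_subnets))
        return bool(checks) and all(checks)   # a rule with no conditions never matches


def classify(ep: EndpointTelemetry, rules: List[OnNetRule]) -> Tuple[str, Optional[str]]:
    """Return ("on-net", <rule name>) for the first matching rule, else ("off-net", None)."""
    for rule in rules:
        if rule.matches(ep):
            return "on-net", rule.name
    return "off-net", None


def sia_tunnel_required(status: str, sia_when_on_net: bool = False) -> bool:
    """Off-net endpoints always bring up the SIA tunnel; on-net endpoints skip it
    unless the administrator has chosen to enforce SIA on-net as well."""
    return status == "off-net" or sia_when_on_net


# Constructed rule set: HQ requires three markers together, a branch is
# identified by its DHCP server alone.
CORP_RULES = [
    OnNetRule("HQ", public_ips={"203.0.113.10"}, dns_servers={"10.10.0.53"},
              local_subnets=["10.10.0.0/16"]),
    OnNetRule("Branch-DHCP", dhcp_servers={"10.20.0.1"}),
]

HQ_LAPTOP = EndpointTelemetry("203.0.113.10", "10.10.42.7", "10.10.0.1", ["10.10.0.53"])
BRANCH_LAPTOP = EndpointTelemetry("203.0.113.20", "10.20.3.4", "10.20.0.1", ["10.20.0.53"])
HOME_LAPTOP = EndpointTelemetry("198.51.100.77", "192.168.1.23", "192.168.1.1", ["192.168.1.1"])
# Guest Wi-Fi on the HQ circuit shares the HQ public IP but fails the subnet
# and DNS checks, so a single shared marker does not make it on-net.
GUEST_WIFI = EndpointTelemetry("203.0.113.10", "172.16.5.9", "172.16.5.1", ["192.0.2.53"])

if __name__ == "__main__":
    for label, ep in [("HQ", HQ_LAPTOP), ("branch", BRANCH_LAPTOP), ("home", HOME_LAPTOP), ("guest", GUEST_WIFI)]:
        status, rule = classify(ep, CORP_RULES)
        print(f"{label:6s} -> {status:7s} rule={rule} SIA tunnel={sia_tunnel_required(status)}")
```

The guest-Wi-Fi case is the reason to require several markers in the HQ rule: matching the public IP alone would have classified an untrusted device as on-net and skipped the SIA tunnel for it.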
Why other options are incorrect:
Option A: User authentication is a separate process and is not controlled by the on-net/off-net detection rules, which evaluate the network environment rather than user credentials.
Option B: While on-net status affects how traffic is routed (VPN vs. local), these rules specifically determine the status itself rather than defining the routing tables for private vs. cloud resources.
Option D: Geographical location (Geo-location) is a different filtering criterion often used in firewall policies; on-net detection is specifically about the proximity to the trusted corporate perimeter.
Answer:
Explanation:
According to the FortiSASE Administration Guide and the FCP - FortiSASE 24/25 Administrator curriculum, security posture tags (often referred to as ZTNA tags) are the fundamental building blocks for identity-based and posture-based access control.
Multiple Tag Assignment: A single endpoint can be assigned multiple tags at the same time. For example, an endpoint might simultaneously have the tags "OS-Windows-11", "AV-Running", and "Corporate-Domain-Joined".
Evaluation Logic: During policy evaluation (for both SIA and SPA), FortiSASE, or the FortiGate hub in the SPA case, considers every tag assigned to the endpoint. Security policies use these tags as source criteria: a policy that requires both "AV-Running" and "Corporate-Domain-Joined" is matched only when the endpoint currently carries both tags.
Dynamic Nature: Contrary to Option C, these tags are dynamic. They are applied and removed automatically based on the telemetry FortiClient sends to the SASE cloud. If a user disables antivirus, the "AV-Running" tag is removed on the next telemetry update and the endpoint loses the corresponding access at the next policy evaluation.
Scalability: The platform supports many tags, and several tags per endpoint is the normal way to express a complete security posture; keep the tagging rules to the attributes your policies actually consume so that evaluation stays fast.
Why other options are incorrect:
Option A: This is incorrect because the system does not pick just one tag; it evaluates the whole set of tags against the policy's requirements, matching either any or all of the referenced tags (on a FortiGate this is the policy's ztna-tags-match-logic setting, or versus and).
Option C: This is incorrect because tags are dynamic and change as soon as the endpoint's status (like vulnerability count or software presence) changes.
Option D: This is incorrect because the architectural advantage of ZTNA is the ability to layer multiple security "checks" (tags) for a single user.
Answer:
Explanation:
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, deleting an SD-WAN member from the GUI when it is the only member of its zone behaves as follows:
Reference Checks: Before allowing deletion of an SD-WAN member, FortiOS checks for dependencies. If the interface is referenced by an active Performance SLA or an SD-WAN rule, the GUI blocks the deletion (or greys out the option) until those references are removed. The question, however, states that this member is no longer used in any health check or rule.
Zone Integrity: Unlike some other network objects, an SD-WAN zone may exist without members. When you delete the last member of a user-defined zone in the GUI, the zone itself remains in the configuration as an empty container.
Route Management: Static routes that point at the SD-WAN zone remain, but the deleted interface no longer contributes its gateway to them, so FortiOS updates the routing table rather than leaving a path through the removed member that would black-hole traffic. This cleanup is handled automatically by the FortiOS management plane.
GUI vs. CLI: In the GUI the removal of the member interface is a single streamlined step. Once the member is deleted, the interface becomes a regular system interface again and can be used in standard firewall policies or for other functions.
Why other options are incorrect:
Option A: There is no requirement that a zone must contain at least one member; "empty" zones are valid configuration objects in FortiOS 7.6.
Option C: The deletion is accepted, but not with "no further action": the system still has to reconcile the routing table and the interface status.
Option D: FortiGate does not automatically move deleted members into the default zone (virtual-wan-link). Once deleted, the interface is simply no longer an SD-WAN member.
Answer:
Explanation:
According to the FortiSASE Administration Guide and the FCP - FortiSASE 24/25 training materials, FortiSASE uses a cloud-native FortiAnalyzer instance to provide specialized reports. These reports give administrators visibility into remote-user behaviour, endpoint health and cloud application usage.
The three valid and standard report types available directly within the FortiSASE portal are:
Web Usage Summary Report (Option A): This report provides a high-level overview of web activity across the SASE deployment. It categorizes traffic by website categories (e.g., Social Media, Streaming, Malicious Sites), top users by bandwidth, and blocked requests, helping IT teams understand how internet resources are being consumed by remote workers.
Vulnerability Assessment Report (Option C): Because FortiSASE integrates with FortiClient through its embedded EMS, it can aggregate vulnerability scan data from managed endpoints. This report lists OS-level and application-level vulnerabilities found on user devices, grouped by severity, which is the posture data Zero Trust Network Access (ZTNA) enforcement relies on.
Shadow IT Report (Option D): Leveraging the built-in CASB (Cloud Access Security Broker) capabilities, this report identifies "unsanctioned" or "risky" SaaS applications being used by employees. It helps organizations discover hidden security risks by cataloging cloud applications that have not been explicitly approved by the IT department.
Why other options are incorrect:
Endpoint Compliance Deviation Report (Option B): While FortiSASE performs compliance checks via ZTNA tags, this specific name is not a standard "Report Type" template in the portal; compliance is typically monitored via the Endpoint Management or ZTNA Dashboards.
Cyber Threat Assessment (Option E): The Cyber Threat Assessment Program (CTAP) is a specific Fortinet sales and auditing tool used to generate a one-time report on a network's security posture (often used for FortiGate evaluations). It is not a native, recurring report type within the day-to-day FortiSASE administration interface.
Answer:
Explanation:
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, no configuration change is required simply to measure jitter.
Implicit Measurement: Once a Performance SLA (health check) is configured in Active probe mode (the exhibit shows Ping selected), the FortiGate automatically starts calculating three quality metrics for every participating member interface: latency, jitter and packet loss.
Visibility: Even without an SLA target defined, these real-time measurements are visible in the SD-WAN monitor and via the CLI command diagnose sys sdwan health-check <SLA_Name> (on FortiOS releases before 6.4 the same command was diagnose sys virtual-wan-link health-check).
Active Probes: Because probe mode is Active with the Ping protocol, the FortiGate sends synthetic ICMP packets at the configured check interval (500 ms in the exhibit). It derives jitter from the variation in round-trip time (RTT) between consecutive probes.
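As an added illustration (not FortiOS code) of the point above, the block below turns a series of probe RTTs into latency, jitter and packet loss, then shows that an SLA target is a separate, optional step that only decides which members a rule may steer to. The jitter formula (mean absolute difference between consecutive RTTs), the member names and the probe values are my assumptions; FortiOS' exact smoothing is not described on the page.

```python
"""Added example (not FortiOS code): how an active Performance SLA turns a
series of probe round-trip times into latency, jitter and packet loss, and
why an SLA target is an optional, separate step. The jitter formula (mean
absolute difference between consecutive RTTs) and the sample values are my
assumptions; FortiOS' exact smoothing is not taken from the page.
"""
from statistics import mean
from typing import Dict, List, Optional


def link_metrics(probe_rtts_ms: List[Optional[float]]) -> Dict[str, Optional[float]]:
    """One entry per probe sent; None means the probe timed out (lost)."""
    sent = len(probe_rtts_ms)
    if sent == 0:
        raise ValueError("no probes sent")
    replies = [r for r in probe_rtts_ms if r is not None]
    loss_pct = round(100.0 * (sent - len(replies)) / sent, 2)
    if len(replies) < 2:
        # A dead (or nearly dead) member has no consecutive pair to compare.
        return {"latency_ms": replies[0] if replies else None, "jitter_ms": None, "loss_pct": loss_pct}
    jitter = mean([abs(b - a) for a, b in zip(replies, replies[1:])])
    return {"latency_ms": round(mean(replies), 2), "jitter_ms": round(jitter, 2), "loss_pct": loss_pct}


def meets_sla(metrics: Dict[str, Optional[float]], target: Dict[str, float]) -> bool:
    """target holds the thresholds an administrator chose to enforce, e.g.
    {"jitter_ms": 50}. An empty target means 'measure only', so everything passes;
    a metric that could not be computed fails any threshold that references it."""
    for key, limit in target.items():
        value = metrics.get(key)
        if value is None or value > limit:
            return False
    return True


def members_in_sla(probes: Dict[str, List[Optional[float]]], target: Dict[str, float]) -> List[str]:
    """The members a rule could steer to if this target were attached to the SLA."""
    return [m for m, rtts in probes.items() if meets_sla(link_metrics(rtts), target)]


# Constructed samples: 10 ICMP probes per member at a 500 ms interval.
PROBES = {
    "port1": [20.1, 20.4, 19.9, 20.2, 20.0, 20.3, 20.1, 19.8, 20.2, 20.0],   # steady
    "port2": [35.0, 80.0, 30.0, 95.0, 40.0, 85.0, 33.0, 90.0, 38.0, 88.0],   # high jitter
    "port3": [25.0, None, 26.0, None, None, 24.0, None, 25.5, None, None],    # 60 % loss
}
SLA_TARGET = {"latency_ms": 100, "jitter_ms": 50, "loss_pct": 5}

if __name__ == "__main__":
    for member, rtts in PROBES.items():
        print(member, link_metrics(rtts))          # measured regardless of any target
    print("measure only:", members_in_sla(PROBES, {}))
    print("with target :", members_in_sla(PROBES, SLA_TARGET))
```

Every member gets latency, jitter and loss computed from the probes alone; attaching SLA_TARGET changes nothing about the measurement and only shrinks the set of members a rule would consider to those inside the thresholds.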
Why other options are incorrect:
Option B: Adding an SLA target with a jitter threshold is only necessary if you want the SD-WAN engine to make steering decisions based on that metric (for example "remove this link from the pool if jitter exceeds 50 ms"). It is not required merely to measure jitter.
Option C: While you can specify participants, the current setting is "All SD-WAN Members," which means it is already measuring jitter for every member.
Option D: HTTP is an alternative probe protocol, but Ping (ICMP) is perfectly capable of measuring jitter and is often preferred for its lower overhead.
Answer:
Explanation:
In the SD-WAN 7.6 Core Administrator curriculum, the "Prefer Passive" probe mode is a hybrid monitoring strategy that minimizes the overhead of synthetic probe traffic while keeping visibility of link health. According to the FortiOS 7.6 Administration Guide and the SD-WAN Study Guide, its behaviour and impacts are as follows:
TCP Traffic Requirement (Option E): Passive monitoring derives latency, jitter and packet loss from real user traffic rather than from probes. It specifically uses TCP sessions, because TCP's acknowledgements let the FortiGate time request/response pairs and detect retransmissions without injecting packets of its own. While user traffic flows through the member interface, those sessions supply the SLA measurements instead of probes.
Inability to Detect Dead Members (Option C): The key limitation of passive monitoring is that it cannot distinguish a dead link from an idle one: with no traffic there is nothing to measure, so in passive mode the SD-WAN engine cannot detect a dead member. "Prefer Passive" mitigates this with a fail-safe: if no traffic is seen for a set period (typically 3 minutes), the FortiGate automatically switches to active probing to verify whether the link is actually alive.
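The following added example (mine, not FortiOS code) makes the two points above concrete: it recovers RTT samples from real TCP sessions on each member, and shows that a member with no TCP traffic yields no verdict at all, which is why Prefer Passive falls back to active probes after a silence timer. Pairing each outbound SYN with its SYN-ACK is my simplification of the TCP-based measurement the page describes; the packet records are constructed, and the 180 s fallback mirrors the 3-minute figure quoted on the page.

```python
"""Added example (not FortiOS code): passive WAN health measurement from real
TCP sessions, and why an idle member cannot be judged dead or alive without
active probes. SYN -> SYN-ACK pairing is a simplification chosen for this
example; packet records are constructed; the 180 s fallback follows the page.
"""
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Optional

# (time_s, member, direction, tcp_flags, src, sport, dst, dport); constructed sample
PACKETS = [
    (100.000, "port1", "out", "S",  "192.168.1.20", 51000, "198.51.100.5", 443),
    (100.030, "port1", "in",  "SA", "198.51.100.5", 443, "192.168.1.20", 51000),
    (101.000, "port1", "out", "S",  "192.168.1.21", 51001, "203.0.113.9", 443),
    (101.034, "port1", "in",  "SA", "203.0.113.9", 443, "192.168.1.21", 51001),
    (102.000, "port1", "out", "S",  "192.168.1.22", 51002, "198.51.100.7", 80),   # never answered
    (102.500, "port3", "out", "A",  "192.168.1.30", 51100, "198.51.100.8", 443),  # mid-stream, no handshake seen
]
LAST_TRAFFIC = {"port1": 102.000, "port3": 102.500}   # port2 carried nothing at all


def passive_rtts(packets) -> Dict[str, List[float]]:
    """Return {member: [rtt_ms, ...]} from SYN -> SYN-ACK pairs seen on each member."""
    pending = {}
    rtts = defaultdict(list)
    for ts, member, direction, flags, src, sport, dst, dport in packets:
        if direction == "out" and flags == "S":
            pending[(member, src, sport, dst, dport)] = ts
        elif direction == "in" and flags == "SA":
            t0 = pending.pop((member, dst, dport, src, sport), None)   # reply reverses the tuple
            if t0 is not None:
                rtts[member].append(round((ts - t0) * 1000.0, 1))
    return dict(rtts)


def member_verdict(member: str, rtts: Dict[str, List[float]], last_traffic: Dict[str, float],
                   now: float, fallback_s: float = 180.0) -> Dict[str, Optional[object]]:
    """Passive mode cannot tell 'dead' from 'idle': with no samples it only knows
    how long the member has been silent. Prefer Passive switches to active probes
    once that silence exceeds the fallback timer."""
    samples = rtts.get(member)
    if samples:
        return {"mode": "passive", "latency_ms": round(mean(samples), 1), "samples": len(samples)}
    if member not in last_traffic:
        return {"mode": "active-probe", "reason": "never carried TCP traffic"}
    idle_for = now - last_traffic[member]
    if idle_for >= fallback_s:
        return {"mode": "active-probe", "reason": f"no TCP traffic for {idle_for:.0f}s"}
    return {"mode": "passive", "latency_ms": None, "reason": "traffic seen but no measurable handshake yet"}


if __name__ == "__main__":
    rtts = passive_rtts(PACKETS)
    for member in ("port1", "port2", "port3"):
        print(member, member_verdict(member, rtts, LAST_TRAFFIC, now=200.0))
```

port1 gets a latency figure from two completed handshakes (the unanswered SYN contributes nothing, it is a loss indicator rather than an RTT sample); port3 has traffic but no measurable pair yet, so it stays in passive mode without a value; port2 has never carried TCP traffic, so passive measurement alone can say nothing about it and active probing is the only way to find out whether it is up.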
Why other options are incorrect:
Option A: Passive monitoring disables hardware (ASIC) offloading for the measured sessions. The CPU must see the packet headers to compute performance metrics; traffic offloaded to a network processor (NP) bypasses the CPU, which would make passive measurement impossible.
Option B: While active probes often use ICMP, passive monitoring is specifically designed for TCP traffic because the TCP protocol's ACK structure allows for accurate RTT and loss calculation without synthetic packets.
Option D: The "3-minute" timer is actually the trigger to switch from passive to active when traffic is absent, not the fallback timer to return to passive. The fallback to passive happens as soon as valid TCP traffic is detected again.
According to the FortiSASE Administration Guide and the FCP - FortiSASE 24/25 Administrator study materials, FortiSASE supports three external (remote) authentication sources for verifying the identity of remote users (SIA and SPA users). These sources let organizations reuse their existing identity infrastructure for onboarding and policy enforcement:
Security Assertion Markup Language (SAML) (Option A): This is the most common and recommended method for modern SASE deployments. FortiSASE acts as a SAML Service Provider (SP) and integrates with Identity Providers (IdP) such as Microsoft Entra ID (formerly Azure AD), Okta, or FortiAuthenticator. This enables Single Sign-On (SSO) and Multi-Factor Authentication (MFA).
Lightweight Directory Access Protocol (LDAP) (Option C): FortiSASE can connect to on-premises or cloud-based LDAP servers (such as Windows Active Directory). This allows the administrator to map existing AD groups to FortiSASE user groups for granular security policy application.
Remote Authentication Dial-in User Service (RADIUS) (Option E): RADIUS is supported for organizations that use centralized authentication servers or traditional MFA solutions (like RSA SecurID). FortiSASE can query a RADIUS server to validate user credentials before granting access to the SASE tunnel.
Why other options are incorrect:
OpenID Connect (OIDC) (Option B): While OIDC is a modern authentication protocol similar to SAML, FortiSASE's primary integration for external Identity Providers is currently standardized on SAML 2.0.
TACACS+ (Option D): Terminal Access Controller Access-Control System Plus is primarily used for administrative access (AAA) to network devices (like logging into a FortiGate CLI or FortiManager). It is not used for end-user VPN or SASE authentication in the Fortinet ecosystem.

Answer:
Explanation:
If a flow is identified as belonging to a defined application category (such as social media), the FortiGate matches it to the corresponding application rule (rule 2) and routes it through the specified interface, such as port2. If the application cannot be identified at session setup, however, the session falls to the rule for unclassified traffic and is load balanced across the available tunnels, so connectivity is maintained until classification completes and the session can be re-evaluated. This provides both performance and resilience.
Answer:
Explanation:
According to the FortiSASE Administration Guide and the latest updates to the NSE 5 SASE curriculum, FortiSASE provides native lifecycle management for FortiClient agents, reducing the operational burden on IT teams that previously relied solely on third-party MDM (Mobile Device Management) or GPO (Group Policy Objects) for every update.
The Endpoint Upgrade feature, found under System > Endpoint Upgrade in the FortiSASE portal, allows administrators to perform the following:
Centralized Version Control: Administrators can see which versions are currently deployed and which "Recommended" versions are available from FortiGuard.
Scheduled Rollouts: You can choose to upgrade all endpoints or specific endpoint groups at a designated time, ensuring that upgrades do not disrupt business operations.
Status Monitoring: The portal provides a real-time dashboard showing the progress of the upgrade (e.g., Downloading, Installing, Reboot Pending, or Success).
Manual vs. Managed: While MDM is still highly recommended for the initial onboarding (the first time FortiClient is installed and connected to the SASE cloud), all subsequent upgrades can be handled natively by the FortiSASE portal.
Why other options are incorrect:
Option B: Manual upgrades are inefficient for large-scale deployments (~400 users in this scenario) and are not the intended "feature-rich" solution provided by FortiSASE.
Option C: "Onboarding" refers to the initial setup. Re-onboarding every time a version changes would be redundant and counterproductive.
Option D: Although the system manages the upgrade, the client does not "auto-upgrade on demand" by itself without administrative configuration in the portal. The administrator must still define the target version and the schedule.
Answer:
Explanation:
According to the SD-WAN 7.6 Core Administrator study guide and the FortiOS 7.6 Administration Guide, for the FortiGate SD-WAN engine to successfully steer traffic using SD-WAN rules, three fundamental configuration components must be in place. This is because the SD-WAN rule lookup occurs only after certain initial conditions are met in the packet flow:
Interfaces (Option C): You must first define the physical or logical interfaces (such as ISP links, LTE, or VPN tunnels) as SD-WAN members. These members are then typically grouped into SD-WAN Zones. Without designated member interfaces, there is no "pool" of links for the SD-WAN rules to select from.
Routing (Option D): For a packet to be considered by the SD-WAN engine at all, there must be a matching route in the Forwarding Information Base (FIB). Usually this is a static route whose destination is the network you want to reach and whose gateway interface is the SD-WAN virtual interface (or a specific SD-WAN zone). If no route points to SD-WAN, the FortiGate follows whatever other routing table entry matches (such as a standard static route) and bypasses SD-WAN rule-based steering entirely.
Firewall Policies (Option A): In FortiOS, no traffic passes through the device unless a firewall policy permits it. To steer traffic you need a policy whose incoming interface is the internal network and whose outgoing interface is the SD-WAN zone (or the virtual-wan-link). SD-WAN rule selection is part of session setup, and a session is only created when a policy matches, so without the policy the selected member is never used.
Why other options are incorrect:
Security Profiles (Option B): Application-level (Layer 7) steering depends on the FortiGate identifying the application, but basic SD-WAN steering on IP addresses, ports or ISDB objects does not require any security profile to be active.
Traffic Shaping (Option E): This is an optimization feature that manages bandwidth once steering has already been decided; it is not a prerequisite for the steering engine itself to function.
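To tie the three prerequisites above to the application-steering behaviour described earlier (a session whose application is not yet known falling through to the catch-all rule), here is an added simulation of the packet path in the order the page gives: route lookup, then SD-WAN rule, then firewall policy. It is written for this page and is not FortiOS code; the rule numbers, zone and member names, prefixes, policies and the crc32-based load balancing are all assumptions.

```python
"""Added example (not FortiOS code): the order in which an SD-WAN packet path
is evaluated (route lookup, then SD-WAN rule, then firewall policy), why a
plain static route bypasses the rules, and how a session whose application
is still unidentified falls through to the catch-all rule until
classification completes. Names, prefixes and load-balancing are assumptions.
"""
import ipaddress
import zlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str
    via: str            # "sdwan:<zone>" hands the packet to the SD-WAN engine


@dataclass
class SdwanRule:
    rule_id: int
    members: list
    app_categories: set = field(default_factory=set)   # empty = any application
    dst_prefixes: list = field(default_factory=list)   # empty = any destination
    load_balance: bool = False                         # False = first member wins


@dataclass
class Policy:
    srcintf: str
    dstintf: str        # an SD-WAN zone name or a plain interface name


@dataclass
class Session:
    src_intf: str
    src_ip: str
    dst_ip: str
    app_category: Optional[str] = None   # None until L7 classification completes


def route_lookup(routes, dst_ip):
    """Longest-prefix match over the constructed routing table."""
    dst = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    return max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def rule_lookup(rules, s):
    """Rules are evaluated top-down; the first match wins."""
    dst = ipaddress.ip_address(s.dst_ip)
    for rule in rules:
        if rule.dst_prefixes and not any(dst in ipaddress.ip_network(p) for p in rule.dst_prefixes):
            continue
        if rule.app_categories and s.app_category not in rule.app_categories:
            continue     # an unclassified session (None) never matches an application rule
        if rule.load_balance:
            idx = zlib.crc32(f"{s.src_ip}:{s.dst_ip}".encode()) % len(rule.members)
            return rule, rule.members[idx]
        return rule, rule.members[0]
    return None, None


def steer(s, routes, rules, policies, zone_members):
    route = route_lookup(routes, s.dst_ip)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    if route.via.startswith("sdwan:"):
        zone = route.via.split(":", 1)[1]
        rule, egress = rule_lookup(rules, s)
        if rule is None:                      # implicit rule: follow the routing table
            egress = zone_members[zone][0]
        policy_target, rule_id = zone, (rule.rule_id if rule else None)
    else:                                     # ordinary route: SD-WAN rules are bypassed
        egress, policy_target, rule_id = route.via, route.via, None
    if not any(p.srcintf == s.src_intf and p.dstintf == policy_target for p in policies):
        return {"action": "drop", "reason": "no matching policy", "egress": egress}
    return {"action": "accept", "egress": egress, "rule": rule_id}


# Constructed configuration (RFC 5737 / RFC 1918 addresses, hypothetical names)
ZONE_MEMBERS = {"underlay": ["port1", "port2"], "overlay": ["vpn-hub"]}
ROUTES = [Route("0.0.0.0/0", "sdwan:underlay"), Route("172.16.0.0/12", "sdwan:overlay"),
          Route("10.0.0.0/8", "port3")]
RULES = [SdwanRule(1, ["vpn-hub"], dst_prefixes=["172.16.0.0/12"]),
         SdwanRule(2, ["port2"], app_categories={"Social.Media"}),
         SdwanRule(3, ["port1", "port2"], load_balance=True)]
POLICIES = [Policy("port10", "underlay"), Policy("port10", "overlay"), Policy("port10", "port3")]


def demo():
    first_packet = Session("port10", "192.168.1.20", "198.51.100.5")                   # app unknown
    classified = Session("port10", "192.168.1.20", "198.51.100.5", "Social.Media")    # app identified
    return {
        "unclassified": steer(first_packet, ROUTES, RULES, POLICIES, ZONE_MEMBERS),
        "classified": steer(classified, ROUTES, RULES, POLICIES, ZONE_MEMBERS),
        "corporate": steer(Session("port10", "192.168.1.20", "172.16.1.1"), ROUTES, RULES, POLICIES, ZONE_MEMBERS),
        "plain_route": steer(Session("port10", "192.168.1.20", "10.5.5.5"), ROUTES, RULES, POLICIES, ZONE_MEMBERS),
        "no_policy": steer(Session("dmz", "192.168.1.20", "198.51.100.5"), ROUTES, RULES, POLICIES, ZONE_MEMBERS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} {result}")
```

The same session appears twice: before classification it can only match the catch-all rule 3 and is load balanced over port1/port2, after classification it matches rule 2 and is pinned to port2. The 10.5.5.5 case shows the routing prerequisite (a plain static route wins the lookup and the SD-WAN rules are never consulted), and the dmz case shows the policy prerequisite (route and rule both resolve, but without a matching policy the session is still dropped).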