Fortinet NSE7_SSE_AD-25 시험

Question No : 1

Which statement best describes the Digital Experience Monitor (DEM) feature on FortiSASE?

• A.It is used for performing device compliance checks on endpoints.
• B.It gathers all the vulnerability information from all the FortiClient endpoints.
• C.It monitors the FortiSASE POP health based on ping probes.
• D.It provides end-to-end network visibility from all the FortiSASE security PoPs to a specific SaaS application.

답을 확인하기

정답:

Question No : 2

Refer to the exhibit.



The daily report for application usage for internet traffic shows an unusually high number of unknown applications by category.
What are two possible explanations for this? (Choose two.)

• A.Certificate inspection is not being used to scan application traffic.
• B.Deep inspection is not being used to scan traffic.
• C.The private access policy must be to set to log Security Events.
• D.The inline-CASB application control profile does not have application categories set to Monitor

답을 확인하기

정답:

Question No : 3

Which two statements about FortiSASE Geofencing with regional compliance are true? (Choose two.)

• A.If no regional compliance rule is configured, the connection is made to the closest security PO
• B.You can configure regional compliance on the security POP or the on-premises device, not both.
• C.a regional compliance rule can connect only to an on-premises device or only to a security PO
• D.The connection order for a regional compliance rule is always the security POP first, followed by the on-premises device.

답을 확인하기

정답:

Question No : 4

How does FortiSASE Secure Private Access (SPA) facilitate connectivity to private resources in a hub-and-spoke network?

• A.SPA establishes direct links to spokes without IPsec or BGP and uses an easy configuration key to secure web traffic for remote users.
• B.SPA connects to private resources using HTTP and HTTPS protocols and relies on FortiClient for agentless access to SD-WAN deployments.
• C.SPA connects a FortiSASE POP to a FortiGate hub or SD-WAN deployment using IPsec and BGP for dynamic route exchange with an easy configuration key for simplified setup on FortiO
• D.SPA applies source network address translation (SNAT) for remote user traffic and uses IKEv1 for IPsec tunnels to connect to standalone hubs without BGP support.

답을 확인하기

정답:

Question No : 5

Refer to the exhibit.







A customer configured the On/off-net detection rule to disable FortiSASE VPN auto-connect when users are inside the corporate network The rule is set to Connects with a known public IP using the company's public IP address. However, when the users are on the corporate network, the FortiSASE VPN still auto-connects. The customer has confirmed that traffic is going to the internet with the correct IP address.
Which configuration is causing the issue?

• A.ls connected to a known DNS server should be enabled and configured.
• B.Exempt endpoint from FortiSASE auto-connect is disabled when it should be enabled.
• C.Allow local LAN access when endpoint is on-net is disabled when it should be enabled.
• D.The On-net rule set configuration is incorrect.

답을 확인하기

정답:

Question No : 6

Which service is included in a secure access service edge (SASE) solution, but not in a security service edge (SSE) solution?

• A.CASB
• B.ZTNA
• C.SWG
• D.SD-WAN

답을 확인하기

정답:

Question No : 7

For monitoring potentially unwanted applications on endpoints, which information is available on the FortiSASE software installations page? (Choose two.)

• A.The endpoint the software is installed on
• B.The usage frequency of the software
• C.The license status of the software
• D.The vendor of the software

답을 확인하기

정답:

Question No : 8

A Fortinet customer is considering integrating FortiManager with FortiSASE.
What are two prerequisites they should consider? (Choose two.)

• A.Adding a FortiManager connection add-on license to FortiSAS
• B.Reducing the number of FortiSASE PoPs that support FortiManager
• C.Placing FortiManager in the same FortiCloud account as FortiSAS
• D.Running a FortiManager version that is supported by FortiSAS

답을 확인하기

정답:

Question No : 9

You are designing a new network, and the cybersecurity policy mandates that all remote users working from home must always be connected and protected.
Which FortiSASE component facilitates this always-on security measure?

• A.SDWAN on-ramp
• B.Thin-branch SASE extension
• C.Secure web gateway
• D.Unified FortiClient

답을 확인하기

정답:

Question No : 10

What is required to enable the MSSP feature on FortiSASE?

• A.The MSSP add-on license must be applied to FortiSAS
• B.Multi-tenancy must be enabled on the FortiSASE portal.
• C.MSSP user accounts and permissions must be configured on the FortiSASE portal.
• D.Role-based access control (RBAC) must be assigned to identity and access management (IAM) users using the FortiCloud IAM portal.

답을 확인하기

정답:

Question No : 11

Refer to the exhibits.















A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The VPN tunnel does not establish
Based on the provided configuration, what configuration needs to be modified to bring the tunnel up?

• A.NAT needs to be enabled in the Spoke-to-Hub firewall policy.
• B.The BGP router ID needs to match on the hub and FortiSAS
• C.FortiSASE spoke devices do not support mode config.
• D.The hub needs IKEv2 enabled in the IPsec phase 1 settings.

답을 확인하기

정답:
Explanation:
The VPN tunnel between the FortiSASE spoke and the FortiGate hub is not establishing due to the configuration of mode config, which is not supported by FortiSASE spoke devices. Mode config is used to assign IP addresses to VPN clients dynamically, but this feature is not applicable to FortiSASE spokes.
Mode Config in IPsec:
The configuration snippet shows that mode config is enabled in the IPsec phase 1 settings.
Mode config is typically used for VPN clients to dynamically receive an IP address from the VPN server, but it is not suitable for site-to-site VPN configurations involving FortiSASE spokes.
Configuration Adjustment:
To establish the VPN tunnel, you need to disable mode config in the IPsec phase 1 settings.
This adjustment will allow the FortiSASE spoke to properly establish the VPN tunnel with the FortiGate hub.
Steps to Disable Mode Config:
Access the VPN configuration on the FortiSASE spoke.
Edit the IPsec phase 1 settings to disable mode config.
Ensure other settings such as pre-shared key, remote gateway, and BGP configurations are correct and consistent with the FortiGate hub.
Reference: FortiOS 7.6 Administration Guide: Provides details on configuring IPsec VPNs and mode config settings.
FortiSASE 23.2 Documentation: Explains the supported configurations for FortiSASE spoke devices and VPN setups.

Question No : 12

Which secure internet access (SIA) use case minimizes individual workstation or device setup, because you do not need to install FortiClient on endpoints or configure explicit web proxy settings on web browser-based end points?

• A.SIA for inline-CASB users
• B.SIA for agentless remote users
• C.SIA for SSLVPN remote users
• D.SIA for site-based remote users

답을 확인하기

정답:
Explanation:
The Secure Internet Access (SIA) use case that minimizes individual workstation or device setup is SIA for agentless remote users. This use case does not require installing FortiClient on endpoints or configuring explicit web proxy settings on web browser-based endpoints, making it the simplest and most efficient deployment.
SIA for Agentless Remote Users:
Agentless deployment allows remote users to connect to the SIA service without needing to install any client software or configure browser settings.
This approach reduces the setup and maintenance overhead for both users and administrators.
Minimized Setup:
Without the need for FortiClient installation or explicit proxy configuration, the deployment is straightforward and quick.
Users can securely access the internet with minimal disruption and administrative effort.
Reference: FortiOS 7.6 Administration Guide: Details on different SIA deployment use cases and configurations.
FortiSASE 23.2 Documentation: Explains how SIA for agentless remote users is implemented and the benefits it provides.

Question No : 13

To complete their day-to-day operations, remote users require access to a TCP-based application that is hosted on a private web server.
Which FortiSASE deployment use case provides the most efficient and secure method for meeting the remote users' requirements?

• A.SD-WAN private access
• B.inline-CASB
• C.zero trust network access (ZTNA) private access
• D.next generation firewall (NGFW)

답을 확인하기

정답:
Explanation:
Zero Trust Network Access (ZTNA) private access provides the most efficient and secure method for remote users to access a TCP-based application hosted on a private web server. ZTNA ensures that only authenticated and authorized users can access specific applications based on predefined policies, enhancing security and access control.
Zero Trust Network Access (ZTNA):
ZTNA operates on the principle of "never trust, always verify," continuously verifying user identity and device security posture before granting access.
It provides secure and granular access to specific applications, ensuring that remote users can securely access the TCP-based application hosted on the private web server.
Secure and Efficient Access:
ZTNA private access allows remote users to connect directly to the application without needing a full VPN tunnel, reducing latency and improving performance.
It ensures that only authorized users can access the application, providing robust security controls.
Reference: FortiOS 7.6 Administration Guide: Provides detailed information on ZTNA and its deployment use cases.
FortiSASE 23.2 Documentation: Explains how ZTNA can be used to provide secure access to private applications for remote users.

Question No : 14

Refer to the exhibits.















A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The tunnel is up to the FortiGale hub. However, the administrator is not able to ping the webserver hosted behind the FortiGate hub.
Based on the output, what is the reason for the ping failures?

• A.The Secure Private Access (SPA) policy needs to allow PING service.
• B.Quick mode selectors are restricting the subnet.
• C.The BGP route is not received.
• D.Network address translation (NAT) is not enabled on the spoke-to-hub policy.

답을 확인하기

정답:
Explanation:
The reason for the ping failures is due to the quick mode selectors restricting the subnet. Quick mode selectors define the IP ranges and protocols that are allowed through the VPN tunnel, and if they are not configured correctly, traffic to certain subnets can be blocked.
Quick Mode Selectors:
Quick mode selectors specify the source and destination subnets that are allowed to communicate through the VPN tunnel.
If the selectors do not include the subnet of the webserver (192.168.10.0/24), then the traffic will be restricted, and the ping will fail.
Diagnostic Output:
The diagnostic output shows the VPN configuration details, but it is important to check the quick mode selectors to ensure that the necessary subnets are included.
If the quick mode selectors are too restrictive, they will prevent traffic to and from the specified subnets.
Configuration Check:
Verify the quick mode selectors on both the FortiSASE and FortiGate hub to ensure they match and include the subnet of the webserver.
Adjust the selectors to allow the necessary subnets for successful communication.
Reference: FortiOS 7.6 Administration Guide: Provides detailed information on configuring VPN tunnels and quick mode selectors.
FortiSASE 23.2 Documentation: Explains how to set up and manage VPN tunnels, including the configuration of quick mode selectors.

Question No : 15

You are designing a new network for Company X and one of the new cybersecurity policy requirements is that all remote user endpoints must always be connected and protected.
Which FortiSASE component facilitates this always-on security measure?

• A.site-based deployment
• B.thin-branch SASE extension
• C.unified FortiClient
• D.inline-CASB

답을 확인하기

정답:
Explanation:
The unified FortiClient component of FortiSASE facilitates the always-on security measure required for ensuring that all remote user endpoints are always connected and protected.
Unified FortiClient:
FortiClient is a comprehensive endpoint security solution that integrates with FortiSASE to provide continuous protection for remote user endpoints.
It ensures that endpoints are always connected to the FortiSASE infrastructure, even when users are off the corporate network.
Always-On Security:
The unified FortiClient maintains a persistent connection to FortiSASE, enforcing security policies and protecting endpoints against threats at all times.
This ensures compliance with the cybersecurity policy requiring constant connectivity and protection for remote users.
Reference: FortiOS 7.6 Administration Guide: Provides information on configuring and managing FortiClient for endpoint security.
FortiSASE 23.2 Documentation: Explains how FortiClient integrates with FortiSASE to deliver always-on security for remote endpoints.