Fortinet FCSS_SASE_AD-25 Exam Questions Instant Access

Question 1

Which two are required to enable central management on FortiSASE? (Choose two.)

AFortiSASE connector configured on FortiManager.

BFortiSASE central management entitlement applied to FortiManager.

CThe FortiManager IP address in the FortiSASE central management configuration.

DFortiManager and FortiSASE registered under the same FortiCloud account.

Answer : B, D

According to the FortiOS Administration Guide, when configuring central management, a FortiManager Cloud entitlement must be present and the devices must share the same FortiCloud account for registration. Specifically:

''The FortiManager Cloud button can only be selected if you have a FortiManager Cloud product entitlement.''

''The FortiGate and FortiCloud license are registered to the same account.''

Thus, the two verified requirements are: B (entitlement) and D (same FortiCloud account).

Question 2

What are two benefits of deploying secure private access with SD-WAN? (Choose two.)

Aa direct access proxy tunnel from FortiClient to the on-premises FortiGate

BZTNA posture check performed by the hub FortiGate

Csupport of both TCP and UDP applications

Dinline security inspection by FortiSASE

Answer : B, C

Deploying secure private access with SD-WAN enables the hub FortiGate to perform ZTNA posture checks, and supports both TCP and UDP applications over the tunnel, allowing for flexible and secure access to internal resources.

Question 3

Which two advantages does FortiSASE bring to businesses with microbranch offices that have FortiAP deployed for unmanaged devices? (Choose two.)

AIt secures internet access both on and off the network.

BIt uses zero trust network access (ZTNA) tags to perform device compliance checks.

CIt eliminates the requirement for an on-premises firewall.

DIt simplifies management and provisioning.

Answer : A, C

Question 4

Refer to the exhibits.

Jumpbox and Windows-AD are endpoints from the same remote location. Jumpbox can access the internet through FortiSASE, while Windows-AD can no longer access the internet.

Based on the information in the exhibits, which reason explains the outage on Windows-AD?

AWindows-AD is excluded from FortiSASE management.

BThe FortiClient version installed on Windows AD does not match the expected version on FortiSASE.

CThe device posture for Windows-AD has changed.

DThe remote VPN user on Windows-AD no longer matches any VPN policy.

Answer : C

The Windows-AD endpoint now has both 'FortiSASE-Compliant' and 'FortiSASE-Non-Compliant' tags due to failing the antivirus software check. As a result, the Secure Internet Access Policy matches the 'Non-Compliant' rule, which is set to Deny, causing the device to lose internet access.

Question 5

Refer to the exhibits.

A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub.

The VPN tunnel does not establish.

Which configuration needs to be modified to bring the tunnel up?

AFortiSASE spoke devices do not support mode config.

BThe network overlay ID must match on FortiSASE and the hub.

CThe BGP router ID must match on the hub and FortiSASE.

DAuto-discovery-sender must be disabled on IPsec phase1 settings.

Answer : B

Fortinet documentation makes clear that overlay IDs must be identical on hub and spoke for ADVPN to establish correctly:

''When configuring the root and downstream FortiGates the Fabric Overlay Orchestrator configures... IPsec overlay configuration (hub and spoke ADVPN tunnels).''

''The Fabric root will be the hub and any first-level downstream devices from the Fabric root will be spokes.''

In the scenario:

FortiSASE overlay ID = 100

FortiGate hub overlay ID = 101

Mismatch prevents tunnel establishment. Therefore, the fix is: B. The network overlay ID must match on FortiSASE and the hub.

Question 6

Which FortiSASE feature ensures least-privileged user access to corporate applications that are protected by an on-premises FortiGate device?

Asecure web gateway (SWG)

Bzero trust network access (ZTNA)

Ccloud access security broker (CASB)

Dremote browser isolation (RBI)

Answer : B

ZTNA enforces least-privileged access by verifying user identity and device posture before granting access to specific corporate applications, even when protected by an on-premises FortiGate.

Question 7

Which statement best describes the Digital Experience Monitor (DEM) feature on FortiSASE?

AIt provides end-to-end network visibility from all the FortiSASE security PoPs to a specific SaaS application.

BIt gathers all the vulnerability information from all the FortiClient endpoints.

CIt is used for performing device compliance checks on endpoints.

DIt monitors the FortiSASE POP health based on ping probes.

Answer : A

The Digital Experience Monitor (DEM) in FortiSASE measures and monitors network performance from the FortiSASE Points of Presence (PoPs) to specific SaaS or cloud applications, helping identify and troubleshoot performance issues across the service path.

Fortinet FCSS - FortiSASE 25 Administrator FCSS_SASE_AD-25 Exam Questions