Fortinet FCSS_SASE_AD-23 Exam Dumps & Practice Test Questions

Question 1:

A daily application usage report shows an unusually large number of unknown applications detected by category. What are two possible reasons for this behavior? (Select two.)

A. Certificate inspection is not being applied to analyze application traffic.
B. The inline-CASB application control profile lacks application categories set to Monitor.
C. Zero Trust Network Access (ZTNA) tags are not correctly applied to users.
D. Deep inspection is not enabled to analyze the traffic.

Correct Answers: A, D

Explanation:

When a report reveals a high volume of unknown applications, it usually means the system cannot properly identify or categorize the traffic passing through. This points to a lack of visibility or insufficient traffic analysis. Let’s break down the options to understand which best explain this issue.

Option A highlights the absence of certificate inspection, which matters because most applications today encrypt their data with SSL/TLS. Unless that encrypted traffic is decrypted, the security tools cannot examine its contents to determine the application type. Without certificate inspection (often called SSL decryption), encrypted traffic is frequently labeled as "unknown SSL" or "unknown TCP," causing a surge in unknown applications in reports.

Option B refers to inline-CASB profiles and whether application categories are set to "Monitor." While these settings influence policy enforcement and logging, they do not directly impact whether the system can identify the application itself. Missing this configuration might reduce visibility in logs or enforcement actions but won’t cause a spike in unknown applications, so B is unlikely to be a correct reason.

Option C concerns Zero Trust Network Access tags, which control access based on user and device identity. ZTNA tagging affects user authorization but does not influence how applications are identified in traffic inspection, so it does not explain unknown applications appearing in reports.

Option D points to deep inspection (also known as Deep Packet Inspection, DPI). DPI analyzes the actual payload of network packets rather than just headers or metadata. Without deep inspection, the system relies on limited data like port numbers, which is insufficient for modern applications using dynamic ports or tunneling protocols. This limitation causes many applications to appear as unknown.

In summary, the most plausible reasons for a high number of unknown applications are the lack of certificate inspection (which prevents decrypting SSL traffic) and the absence of deep inspection (which restricts detailed traffic analysis). These factors combined lead to significant portions of traffic being unidentified.

Question 2:

What are two key benefits of using zero-trust tags within a zero-trust security framework? (Choose two.)

A. They enable access control decisions to allow or deny users and devices access to network resources.
B. They help determine the security posture or health status of an endpoint device.
C. They create multiple endpoint profiles to be applied across different devices.
D. They grant secure web gateway (SWG) access.

Correct Answers: A, B

Explanation:

Zero-trust security is based on the principle of "never trust, always verify," meaning every access request must be authenticated and authorized based on dynamic criteria rather than assuming trust based on location or network boundaries. Zero-trust tags are metadata labels applied to users or devices, reflecting attributes such as device health, user role, location, or behavior. These tags are critical in enforcing dynamic, context-aware access controls.

Option A correctly states that zero-trust tags are fundamental to access control decisions. They allow security systems to dynamically allow or deny access based on specific tag values. For example, endpoints tagged as "compliant" might receive access to sensitive applications, whereas those tagged as "non-compliant" might be blocked. This tag-based approach offers granular control and flexibility, making it a core benefit of zero-trust architecture.

Option B is also true. Zero-trust tags often reflect the real-time security posture of an endpoint, such as antivirus status, operating system patch level, disk encryption, or the presence of risky software. By tagging endpoints according to their health, organizations can enforce conditional access policies that restrict access from insecure or compromised devices, reducing risk exposure.

Option C is incorrect because zero-trust tags themselves do not create endpoint profiles. Endpoint profiles or device management policies are typically defined separately in endpoint management tools. Tags are attributes used within these policies but do not directly generate profiles.

Option D is misleading. While zero-trust policies influence access to web resources, zero-trust tags alone do not grant access to Secure Web Gateways (SWGs). Access to SWGs depends on broader policy enforcement and infrastructure configurations. Tags inform policies but do not inherently allow or deny SWG access by themselves.

In conclusion, zero-trust tags are vital for both enforcing dynamic access controls and assessing endpoint security posture, making options A and B the correct choices.

Question 3:

A FortiSASE administrator is setting up FortiSASE as a spoke to connect with a FortiGate hub via a VPN tunnel, but the tunnel fails to establish. Based on the given configuration, what modification is needed to successfully bring the tunnel up?

A. Enable NAT in the firewall policy between the spoke and hub.
B. Ensure the BGP router ID matches on both the FortiSASE and the hub.
C. Disable mode configuration since FortiSASE spokes do not support it.
D. Enable IKEv2 in the IPsec Phase 1 settings on the hub.

Correct Answer: D

Explanation:

When configuring a VPN tunnel between FortiSASE as a spoke and a FortiGate acting as a hub, proper alignment of IPsec Phase 1 settings is crucial for tunnel establishment. The FortiSASE platform specifically requires the use of the IKEv2 protocol during Phase 1 of the IPsec negotiation. IKEv2 is the modern key exchange protocol that offers enhanced security, supports more encryption algorithms, and provides better stability compared to the older IKEv1.

If the FortiGate hub’s Phase 1 settings are still using IKEv1, the tunnel will fail to establish because FortiSASE expects IKEv2. Therefore, the necessary change is to enable IKEv2 on the FortiGate hub's IPsec Phase 1 configuration. This can be done by accessing the FortiGate’s management console, navigating to the VPN IPsec tunnel settings, and selecting IKEv2 as the Phase 1 protocol. Additional parameters like authentication methods and encryption algorithms should also match between the hub and spoke.

Let’s analyze other options:

  • A (NAT enablement): NAT may be required in certain network setups, but it is not a default or necessary condition for the tunnel to come up in a FortiSASE spoke scenario. Incorrect NAT configuration is rarely the root cause of tunnel initiation failure here.

  • B (BGP router ID matching): While BGP settings are critical for routing once the tunnel is up, mismatched BGP router IDs do not prevent the IPsec tunnel from forming. BGP is separate from the tunnel negotiation phase.

  • C (Mode config support): FortiSASE supports mode configuration, which helps assign IP addresses and other parameters during VPN establishment, so this is not the cause of the problem.

In conclusion, the core issue preventing tunnel establishment is the lack of IKEv2 enabled on the FortiGate hub, making D the correct answer.
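The following is an added example, not configuration from the original page or from Fortinet's documentation: a FortiGate hub Phase 1 definition for a dial-up spoke tunnel, showing the IKE version setting the explanation above refers to. The tunnel name, WAN interface, proposal, DH group and the pre-shared-key placeholder are assumptions; lines starting with `#` are annotations, not CLI input.

```fortios
# Assumed FortiGate hub Phase 1 for a dial-up (dynamic) spoke such as FortiSASE.
config vpn ipsec phase1-interface
    edit "SASE-HUB"
        # Hub side accepts dial-up spokes; the spoke initiates the tunnel.
        set type dynamic
        # Assumed WAN interface name.
        set interface "wan1"
        # The failing configuration had: set ike-version 1
        # FortiSASE negotiates IKEv2, so Phase 1 must be set to version 2.
        set ike-version 2
        set peertype any
        # Mode-config is supported by FortiSASE spokes and hands out tunnel addressing.
        set mode-cfg enable
        # Proposal and DH group must match what the spoke offers (assumed values).
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
```

After changing the IKE version, the authentication method, proposal and DH group still have to agree on both sides, as the explanation notes; a version mismatch fails before any of those are compared, which is why it is the first thing to check when the tunnel never reaches Phase 2.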

Question 4:

When remote users connected through FortiSASE need to access internal resources on Branch-2, how will the traffic be routed?

A. FortiSASE will leverage SD-WAN and send traffic to HUB-2, which will then forward it to Branch-2.
B. FortiSASE will use the AD VPN protocol with a static route directing traffic straight to Branch-2.
C. FortiSASE will utilize SD-WAN to route traffic via HUB-1, which will then route traffic to Branch-2.
D. FortiSASE will employ AD VPN with a dynamic route to send traffic directly to Branch-2.

Correct Answer: C

Explanation:

In this scenario, the routing of traffic from remote users connected through FortiSASE to access resources at Branch-2 involves choosing the most efficient network path. FortiSASE integrates SD-WAN technology, which dynamically evaluates network conditions to optimize routing decisions, ensuring traffic flows along the best possible path.

Option C is correct because FortiSASE will typically route traffic via a central hub (here, HUB-1) that serves as a primary transit point. HUB-1 aggregates traffic from various spokes and remote users and efficiently forwards it to the destination branch (Branch-2). This hub-and-spoke topology leverages SD-WAN’s ability to dynamically select paths based on latency, bandwidth, and network health, thus optimizing performance and reliability.

Looking at other options:

  • A (Routing via HUB-2) is less logical because HUB-2 may not serve as the main transit point for traffic destined to Branch-2, and SD-WAN typically selects the best performing hub, which is often a centralized hub like HUB-1.

  • B (AD VPN with a static route) is unlikely because static routes do not adapt to changing network conditions, reducing efficiency and flexibility. Moreover, AD VPN protocols are not typically used for direct branch routing in FortiSASE environments.

  • D (AD VPN with dynamic routing) suggests dynamic routes but paired with AD VPN, which is not commonly applied here. Traditional dynamic routing protocols such as OSPF or BGP would be more relevant for such traffic management, but FortiSASE primarily leverages SD-WAN in these cases.

Therefore, routing traffic through HUB-1 via SD-WAN provides an optimal, scalable, and resilient path, making C the best answer.

Question 5:

A FortiSASE administrator has set up an antivirus profile within a security profile group and applied it to an internet access policy. Despite this, remote users can still download the eicar.com-zip test file, and traffic logs indicate the download is allowed.

What configuration in FortiSASE is likely permitting these downloads?

A. Web filter is allowing the traffic.
B. IPS is disabled in the security profile group.
C. The HTTPS protocol inspection is not enabled in the antivirus profile.
D. Force certificate inspection is enabled in the policy.

Correct Answer: C

Explanation:

In this situation, the administrator applied an antivirus profile intended to detect and block malicious files like eicar.com-zip. However, the fact that users can still download the file suggests the antivirus profile isn’t fully effective. A common root cause involves how FortiSASE inspects encrypted HTTPS traffic.

HTTPS traffic is encrypted, which means the contents cannot be scanned by the antivirus engine unless the traffic is decrypted first. FortiSASE requires HTTPS inspection to be explicitly enabled to decrypt and scan the data flowing through secure connections. If HTTPS protocol inspection is disabled or not included in the antivirus profile, FortiSASE will not be able to analyze the contents of HTTPS traffic, allowing potentially harmful files to bypass antivirus scanning.

Option A (Web filter allowing the traffic) is less likely because web filters primarily control access based on URLs and categories rather than scanning file contents for viruses.

Option B (IPS disabled) is not directly relevant since Intrusion Prevention Systems focus on network-level threats, not file-based virus scanning.

Option D (Force certificate inspection enabled) relates to SSL certificate validation and does not guarantee deep packet inspection or antivirus scanning of encrypted files.

Therefore, the critical missing configuration is enabling HTTPS protocol inspection within the antivirus profile. Without this, encrypted downloads are blind spots for antivirus scanning, allowing users to download malicious files despite the profile’s presence.

Question 6:

Which configuration must be applied in FortiSASE to inspect all internet traffic from endpoints but exclude Google Maps traffic from the VPN tunnel by redirecting it through the endpoint’s physical network interface?

A. Exempt Google Maps FQDN from the endpoint system proxy settings.
B. Set a static route on the endpoint for the Google Maps FQDN.
C. Add Google Maps FQDN as a split tunneling destination in the FortiSASE endpoint profile.
D. Change FortiSASE’s DNS configuration to use the endpoint’s DNS servers.

Correct Answer: C

Explanation:

The requirement here is to ensure all endpoint internet traffic is inspected through the FortiSASE VPN tunnel, except for Google Maps traffic, which should bypass the tunnel and use the device’s regular network interface. This selective routing is best achieved through split tunneling.

Split tunneling enables certain destinations or domains to be excluded from the VPN tunnel, allowing traffic to go directly to the internet via the endpoint’s physical network. This allows for inspection of most traffic by FortiSASE while letting specific traffic, such as Google Maps, bypass the tunnel to avoid unnecessary routing or latency.

Option A (exempting Google Maps in proxy settings) is insufficient because proxy exemptions don’t manage routing or VPN tunnel exclusions.

Option B (static routing) could technically redirect traffic but is complex and less flexible than domain-based split tunneling. Static routes are IP-based and do not dynamically handle domain names like Google Maps’ FQDN, which may change IP addresses.

Option D (changing DNS to use the endpoint’s DNS) affects name resolution only and does not influence traffic routing decisions once IP addresses are resolved.

Therefore, configuring Google Maps as a split tunneling destination on the FortiSASE endpoint profile (Option C) is the most effective approach. It ensures that Google Maps traffic exits through the local network interface while all other traffic routes through the VPN tunnel for inspection, meeting the company’s requirements efficiently.

Question 7:

Which web filtering setting on FortiSASE needs to be adjusted to grant website access?

A. FortiGuard category-based filter
B. Content filter
C. URL filter
D. Inline Cloud Access Security Broker (CASB) headers

Correct Answer: C

Explanation:

When managing web filtering on FortiSASE, there are multiple filtering mechanisms to regulate access to websites and online resources. Understanding which configuration directly controls website access is essential for administrators to effectively permit or block sites.

Option A, the FortiGuard category-based filter, works by classifying websites into broad categories such as social media, gaming, or business. This filter applies rules based on those categories, allowing or blocking groups of sites. However, it does not allow granular control of specific URLs and thus isn’t the primary method to explicitly permit access to a particular website.

Option B, the content filter, operates by scanning webpage content for specific keywords, potentially harmful code, or explicit material. While content filtering is vital for maintaining security and appropriateness, it is generally used to restrict access based on content rather than to explicitly allow access to specific URLs. It’s less direct and less common to use content filtering as a way to enable access.

Option C, the URL filter, directly manages access based on the exact URLs or domain names. By modifying URL filter settings, administrators can whitelist URLs to guarantee access or blacklist them to block access. This makes URL filtering the most direct and effective way to control website accessibility on FortiSASE, as it works on explicit web addresses rather than categories or content alone.

Option D refers to Inline Cloud Access Security Broker (CASB) headers, which focus on securing cloud applications and enforcing security policies related to cloud service usage. While CASB controls cloud application security, it does not directly manage generic web access through URL filtering.

In conclusion, to specifically allow or block access to particular websites on FortiSASE, modifying the URL filter is the correct and most effective approach, making C the right answer.

Question 8:

Why is the Windows 7 Professional device unable to access the internet via FortiSASE, while a Windows 10 Professional device at the same remote site can connect?

A. The device posture of Windows 7 Pro has changed.
B. Windows 7 Pro cannot connect to the FortiSASE SSL VPN gateway.
C. The FortiClient version on Windows 7 Pro does not meet FortiSASE endpoint requirements.
D. Windows 7 Pro has exceeded the vulnerability detection threshold.

Correct Answer: C

Explanation:

In this scenario, two devices located remotely (Windows 7 Pro and Windows 10 Pro) are attempting internet access via FortiSASE. The Windows 10 Pro device connects successfully, but Windows 7 Pro does not, indicating an issue specific to the Windows 7 Pro device configuration or compatibility.

Option C correctly identifies that the FortiClient version on Windows 7 Pro is not compatible with FortiSASE’s endpoint security requirements. FortiSASE, Fortinet’s Secure Access Service Edge platform, enforces strict compliance by requiring endpoints to use supported FortiClient versions that align with security policies and compatibility standards. An outdated or unsupported FortiClient version on Windows 7 Pro can prevent establishing a secure connection, thus blocking internet access. This is a common problem when older operating systems or software versions are used in modern secure environments.

Option A mentions device posture, which refers to the device’s compliance state based on security policies like antivirus status or patch levels. Although posture changes can cause connection issues, the question does not provide any indication that Windows 7 Pro’s posture has changed or become non-compliant.

Option B suggests connectivity issues to the FortiSASE SSL VPN gateway. However, since the Windows 10 Pro device on the same network can access the internet through the same gateway, it’s unlikely that Windows 7 Pro is completely unable to reach the VPN endpoint.

Option D addresses vulnerability thresholds, where exceeding detected vulnerabilities might restrict access. While possible, there is no evidence in the scenario that Windows 7 Pro has triggered such a block, making this option less likely.

Therefore, the most plausible cause is that the FortiClient on Windows 7 Pro does not meet the version requirements set by FortiSASE, preventing internet access. Hence, C is the correct answer.

Question 9:

A FortiSASE administrator has successfully established a tunnel to a FortiGate hub. However, the administrator cannot ping a webserver located behind the FortiGate hub.

Based on the information, what is the most probable cause of the ping failure?

A. The Secure Private Access (SPA) policy does not permit the PING service.
B. The quick mode selectors are limiting the subnet traffic.
C. The BGP route has not been received.
D. Network Address Translation (NAT) is not enabled on the spoke-to-hub policy.

Correct Answer: B

Explanation:

When troubleshooting why a FortiSASE spoke can establish a tunnel to a FortiGate hub but fails to ping a webserver behind it, the problem often lies in how the tunnel’s security and routing policies are configured. The key to solving this issue is understanding the role of quick mode selectors in IPsec tunnels.

Quick mode selectors define which IP address ranges (subnets) are allowed to send traffic over the VPN tunnel. These selectors act as filters and control the permitted network communication between the two endpoints. If the selectors are too restrictive, they can block traffic destined for certain subnets, even if the tunnel itself is operational. In this scenario, the tunnel being up confirms that the initial phase of the connection works, but the ping failure indicates that the specific subnet hosting the webserver is not included or allowed in the quick mode selectors. This makes option B the most plausible cause.

Option A, relating to the SPA policy, is less likely the root cause. SPA policies usually manage access to specific services and applications, not basic network connectivity like ping. If SPA was blocking ping, it would typically prevent access to the application layer, but the tunnel and basic network communication issues point to something else.

Option C, the absence of BGP routes, would affect routing if dynamic routing protocols were in use. However, since the tunnel is established, routing is at least partially functional. If BGP routes were missing entirely, the tunnel might not come up, or more extensive connectivity issues would be observed.

Option D concerns NAT settings. While NAT can influence packet delivery in certain setups, it is unlikely the cause if the tunnel is active and other traffic passes correctly.

In conclusion, the issue most likely stems from restrictive quick mode selectors that block the subnet behind the FortiGate hub, preventing the ping from succeeding. Correcting these selectors to include the proper subnets should restore connectivity.
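As an added example (not from the original page or from Fortinet's documentation), the FortiGate hub Phase 2 definition below shows a quick mode selector that is too narrow beside the widened form. The Phase 1 and Phase 2 names, the proposal and the two subnets (a 10.10.10.0/24 user LAN and a 10.10.20.0/24 server segment holding the webserver) are assumptions; lines starting with `#` are annotations, not CLI input.

```fortios
# Assumed hub Phase 2 as it was: only the user LAN is offered as the local selector.
config vpn ipsec phase2-interface
    edit "SASE-HUB-P2"
        set phase1name "SASE-HUB"
        set proposal aes256-sha256
        # Local (hub-side) selector covers 10.10.10.0/24 only; the webserver in
        # 10.10.20.0/24 never matches, so ICMP to it is dropped even though the
        # tunnel is up.
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Corrected: open the local selector so every hub-side subnet (including the
# webserver segment) can traverse the tunnel; routing and firewall policy then
# decide what is actually reachable.
config vpn ipsec phase2-interface
    edit "SASE-HUB-P2"
        set src-subnet 0.0.0.0 255.255.255.0
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
```

On the hub, `src-subnet` is the local side of the selector and `dst-subnet` the remote side. Using 0.0.0.0/0 on both is the common choice for a dial-up hub because it leaves reachability to routing and to the firewall policy rather than to the selector; if the selector must stay narrow for policy reasons, it has to list every subnet the spokes are expected to reach, and the webserver segment was the one missing here.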

Question 10:

In a Fortinet SASE deployment, which component is primarily responsible for enforcing web filtering policies based on URL categories and individual URL exceptions to control user internet access?

A. FortiClient Endpoint Agent
B. FortiGate Next-Generation Firewall
C. FortiSASE Cloud Service Web Filter
D. FortiAnalyzer Logging and Reporting

Correct Answer: C

Explanation:

The Fortinet FCSS_SASE_AD-23 exam focuses heavily on Secure Access Service Edge (SASE) concepts, architecture, and how Fortinet’s SASE solution components integrate to provide secure, efficient cloud-delivered security and connectivity.

In a Fortinet SASE environment, web filtering policies are crucial to controlling what users can access on the internet. These policies often include blocking or allowing access based on URL categories (e.g., social media, gambling, malware sites) and specific URL exceptions (whitelists or blacklists).

Let’s analyze each option:

  • Option A: FortiClient Endpoint Agent
    The FortiClient is an endpoint security agent that runs on user devices. While it provides endpoint protection, VPN connectivity, and some local policy enforcement, it is not the primary engine for centralized web filtering in the SASE model. The FortiClient can send telemetry and enforce endpoint posture but does not handle URL-based filtering policies at scale for all users.

  • Option B: FortiGate Next-Generation Firewall
    The FortiGate appliance is a powerful network security device capable of enforcing firewall policies, intrusion prevention, application control, and web filtering. However, in a SASE deployment, especially when users are remote or distributed, relying on on-premises FortiGate devices is less practical. Web filtering in a cloud-delivered SASE architecture is offloaded to the cloud service for scalability and low-latency enforcement regardless of user location.

  • Option C: FortiSASE Cloud Service Web Filter
    This is the correct answer. FortiSASE provides cloud-based security services, including web filtering that is enforced close to the user, regardless of their network location. The FortiSASE web filter uses URL categorization from FortiGuard services and allows administrators to configure policies that block or allow categories or specific URLs. It offers flexibility for both broad category enforcement and fine-grained URL exception handling, delivering consistent security and compliance enforcement for all users connected through FortiSASE.

  • Option D: FortiAnalyzer Logging and Reporting
    FortiAnalyzer collects and analyzes logs from Fortinet devices and services to provide insight into security events and user activity. While critical for visibility, reporting, and compliance, it does not enforce web filtering policies.

In Fortinet’s SASE architecture, the cloud-delivered FortiSASE Web Filter service is the primary component responsible for enforcing URL and category-based web filtering policies. It ensures users receive consistent internet access controls regardless of where they connect from, which aligns with the core goals of SASE. Therefore, C is the correct answer.
