Which FortiSASE feature ensures least-privileged user access to all applications?
Correct Answer:
C
Zero Trust Network Access (ZTNA) is the FortiSASE feature that ensures least-privileged user access to all applications. ZTNA operates on the principle of "never trust, always verify," providing secure access based on the identity of users and devices, regardless of their location.
✑ Zero Trust Network Access (ZTNA):
✑ Implementation:
References:
✑ FortiOS 7.2 Administration Guide: Provides detailed information on ZTNA and its role in ensuring least-privileged access.
✑ FortiSASE 23.2 Documentation: Explains the implementation and benefits of ZTNA within the FortiSASE environment.
Which two components are part of onboarding a secure web gateway (SWG) endpoint? (Choose two)
Correct Answer:
AB
Onboarding a Secure Web Gateway (SWG) endpoint involves several components to ensure secure and effective integration with FortiSASE. Two key components are the FortiSASE CA certificate and the proxy auto-configuration (PAC) file.
✑ FortiSASE CA Certificate:
✑ Proxy Auto-Configuration (PAC) File:
References:
✑ FortiOS 7.2 Administration Guide: Details on onboarding endpoints and configuring SWG.
✑ FortiSASE 23.2 Documentation: Explains the components required for integrating endpoints with FortiSASE and the process for deploying the CA certificate and PAC file.
Refer to the exhibits.
A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The VPN tunnel does not establish.
Based on the provided configuration, what configuration needs to be modified to bring the tunnel up?
Correct Answer:
C
The VPN tunnel between the FortiSASE spoke and the FortiGate hub is not establishing due to the configuration of mode config, which is not supported by FortiSASE spoke devices. Mode config is used to assign IP addresses to VPN clients dynamically, but this feature is not applicable to FortiSASE spokes.
✑ Mode Config in IPsec:
✑ Configuration Adjustment:
✑ Steps to Disable Mode Config:
References:
✑ FortiOS 7.2 Administration Guide: Provides details on configuring IPsec VPNs and mode config settings.
✑ FortiSASE 23.2 Documentation: Explains the supported configurations for FortiSASE spoke devices and VPN setups.
When you configure FortiSASE Secure Private Access (SPA) with SD-WAN integration, you must establish a routing adjacency between FortiSASE and the FortiGate SD-WAN hub. Which routing protocol must you use?
Correct Answer:
A
When configuring FortiSASE Secure Private Access (SPA) with SD-WAN integration, establishing a routing adjacency between FortiSASE and the FortiGate SD-WAN hub requires the use of the Border Gateway Protocol (BGP).
✑ BGP (Border Gateway Protocol):
✑ Routing Adjacency:
References:
✑ FortiOS 7.2 Administration Guide: Provides information on configuring BGP for SD-WAN integration.
✑ FortiSASE 23.2 Documentation: Details on setting up routing adjacencies using BGP for Secure Private Access with SD-WAN.