According to theFortiSASE 24.4 Administration Guideand theFortiSASE Core Administratortraining materials, theOn-net detectionrule setting is a critical component for determining the "trust status" of an endpoint's physical location.

Endpoint Location Verification: On-net rule sets are used to determine if FortiSASE considers an endpoint to beon-net(trusted) oroff-net(untrusted). An endpoint is considered on-net when it is physically located within the corporate network, which is assumed to already have on-premises security measures (like a FortiGate NGFW).

Operational Impact: When an endpoint is detected as on-net, FortiSASE can be configured toexemptthe endpoint from automatically establishing a VPN tunnel to the SASE cloud. This optimization prevents redundant security inspection and conserves SASE bandwidth since the user is already protected by the local corporate firewall.

Detection Methods: To classify an endpoint as on-net, administrators configure rule sets that look for specific environmental markers, such as:

Known Public (WAN) IP: If the endpoint's public IP matches the corporate headquarters' egress IP.

DHCP Server: If the endpoint receives an IP from a specific corporate DHCP server.

DNS Server/Subnet: Matching internal DNS infrastructure or specific internal IP ranges.

Dynamic Policy Application: By accurately determining if an endpoint is on or off-net, FortiSASE ensures that theFortiClientagent only initiates its secure internet access (SIA) tunnel when the user is in an untrusted location (e.g., a home network or public Wi-Fi).

Why other options are incorrect:

Option A: User authentication is a separate process and is not controlled by the on/off-net detection rules, which focus on the network environment rather than user credentials.

Option B: While on-net status affectshowtraffic is routed (VPN vs. local), these rules specificallydetermine the statusitself rather than defining the routing tables for private vs. cloud resources.

Option D: Geographical location (Geo-location) is a different filtering criterion often used in firewall policies; on-net detection is specifically about the proximity to the trusted corporate perimeter.