Pass the Fortinet Fortinet Certified Solution Specialist FCSS_SASE_AD-23 Questions and answers with CertsForce

When remote users connected to FortiSASE require access to internal resources on Branch-2, the following process occurs:

SD-WAN Capability:

FortiSASE leverages SD-WAN to optimize traffic routing based on performance metrics and priorities.

In the priority settings, HUB-1 is configured with the highest priority (P1), whereas HUB-2 has a lower priority (P2).

Traffic Routing Decision:

FortiSASE evaluates the available hubs (HUB-1 and HUB-2) and selects HUB-1 due to its highest priority setting.

Once the traffic reaches HUB-1, it is then routed to the appropriate branch based on internal routing policies.

Branch-2 Access:

Since HUB-1 has the highest priority, FortiSASE directs the traffic to HUB-1.

HUB-1 then routes the traffic to Branch-2, providing the remote users access to the internal resources.

References:

FortiOS 7.2 Administration Guide: Details on SD-WAN configurations and priority settings.

FortiSASE 23.2 Documentation: Explains how FortiSASE integrates with SD-WAN to route traffic based on defined priorities and performance metrics.

To resolve internal hostnames using internal DNS servers for remotely connected endpoints, the following two components must be configured on FortiSASE:

Split DNS Rules:

Split DNS allows the configuration of specific DNS queries to be directed to internal DNS servers instead of public DNS servers.

This ensures that internal hostnames are resolved using the organization's internal DNS infrastructure, maintaining privacy and accuracy for internal network resources.

Split Tunneling Destinations:

Split tunneling allows specific traffic (such as DNS queries for internal domains) to be routed through the VPN tunnel while other traffic is sent directly to the internet.

By configuring split tunneling destinations, you can ensure that DNS queries for internal hostnames are directed through the VPN to the internal DNS servers.

References:

FortiOS 7.2 Administration Guide: Provides details on configuring split DNS and split tunneling for VPN clients.

FortiSASE 23.2 Documentation: Explains the implementation and configuration of split DNS and split tunneling for securely resolving internal hostnames.

FortiSASE hides user information when viewing and analyzing logs by hashing data using salt. This approach ensures that sensitive user information is obfuscated, enhancing privacy and security.

Hashing Data with Salt:

Hashing data involves converting it into a fixed-size string of characters, which is typically a hash value.

Salting adds random data to the input of the hash function, ensuring that even identical inputs produce different hash values.

This method provides enhanced security by making it more difficult to reverse-engineer the original data from the hash value.

Security and Privacy:

Using salted hashes ensures that user information remains secure and private when stored or analyzed in logs.

This technique is widely used in security systems to protect sensitive data from unauthorized access.

References:

FortiOS 7.2 Administration Guide: Provides information on log management and data protection techniques.

FortiSASE 23.2 Documentation: Details on how FortiSASE implements data hashing and salting to secure user information in logs.

Zero Trust Network Access (ZTNA) private access provides the most efficient and secure method for remote users to access a TCP-based application hosted on a private web server. ZTNA ensures that only authenticated and authorized users can access specific applications based on predefined policies, enhancing security and access control.

Zero Trust Network Access (ZTNA):

ZTNA operates on the principle of "never trust, always verify," continuously verifying user identity and device security posture before granting access.

It provides secure and granular access to specific applications, ensuring that remote users can securely access the TCP-based application hosted on the private web server.

Secure and Efficient Access:

ZTNA private access allows remote users to connect directly to the application without needing a full VPN tunnel, reducing latency and improving performance.

It ensures that only authorized users can access the application, providing robust security controls.

References:

FortiOS 7.2 Administration Guide: Provides detailed information on ZTNA and its deployment use cases.

FortiSASE 23.2 Documentation: Explains how ZTNA can be used to provide secure access to private applications for remote users.

For a customer looking to upgrade their legacy on-premises proxy to a cloud-based proxy for a hybrid network, the combination of Secure Web Gateway (SWG) and Inline Cloud Access Security Broker (CASB) features in FortiSASE will provide the necessary capabilities.

Secure Web Gateway (SWG):

SWG provides comprehensive web security by inspecting and filtering web traffic to protect against web-based threats.

It ensures that all web traffic, whether originating from on-premises or remote locations, is inspected and secured by the cloud-based proxy.

Inline Cloud Access Security Broker (CASB):

CASB enhances security by providing visibility and control over cloud applications and services.

Inline CASB integrates with SWG to enforce security policies for cloud application usage, preventing unauthorized access and data leakage.

References:

FortiOS 7.2 Administration Guide: Details on SWG and CASB features.

FortiSASE 23.2 Documentation: Explains how SWG and inline-CASB are used in cloud-based proxy solutions.

FortiSASE uses the following components for application control to act as an inline-CASB (Cloud Access Security Broker):

SSL Deep Inspection:

SSL deep inspection is essential for decrypting and inspecting HTTPS traffic to identify and control applications and data transfers within encrypted traffic.

This allows FortiSASE to enforce security policies on SSL/TLS encrypted traffic, providing visibility and control over cloud applications.

Web Filter with Inline-CASB:

The web filter component integrates with inline-CASB to monitor and control access to cloud applications based on predefined security policies.

This combination provides granular control over cloud application usage, ensuring compliance with security policies and preventing unauthorized data transfers.

References:

FortiOS 7.2 Administration Guide: Details on SSL deep inspection and web filtering configurations.

FortiSASE 23.2 Documentation: Explains how FortiSASE acts as an inline-CASB using SSL deep inspection and web filtering.

When accessing the FortiSASE portal for the first time, an administrator must select data center locations for the following FortiSASE components:

Endpoint Management:

The data center location for endpoint management ensures that endpoint data and policies are managed and stored within the chosen geographical region.

Points of Presence (PoPs):

Points of Presence (PoPs) are the locations where FortiSASE services are delivered to users. Selecting PoP locations ensures optimal performance and connectivity for users based on their geographical distribution.

Logging:

The data center location for logging determines where log data is stored and managed. This is crucial for compliance and regulatory requirements, as well as for efficient log analysis and reporting.

References:

FortiOS 7.2 Administration Guide: Details on initial setup and configuration steps for FortiSASE.

FortiSASE 23.2 Documentation: Explains the importance of selecting data center locations for various FortiSASE components.

When deploying FortiSASE agent-based clients, several features are available that are not typically available with an agentless solution. These features enhance the security and management capabilities for endpoints.

Vulnerability Scan:

Agent-based clients can perform vulnerability scans on endpoints to identify and remediate security weaknesses.

This proactive approach helps to ensure that endpoints are secure and compliant with security policies.

SSL Inspection:

Agent-based clients can perform SSL inspection to decrypt and inspect encrypted traffic for threats.

This feature is critical for detecting malicious activities hidden within SSL/TLS encrypted traffic.

Web Filter:

Web filtering is a key feature available with agent-based clients, allowing administrators to control and monitor web access.

This feature helps enforce acceptable use policies and protect users from web-based threats.

References:

FortiOS 7.2 Administration Guide: Explains the features and benefits of deploying agent-based clients.

FortiSASE 23.2 Documentation: Details the differences between agent-based and agentless solutions and the additional features provided by agent-based deployments.

To block all video and audio application traffic while granting access to videos from CNN, you need to configure an application override action in the Application Control with Inline-CASB. Here is the step-by-step detailed explanation:

Application Control Configuration:

Application Control is used to identify and manage application traffic based on predefined or custom application signatures.

Inline-CASB (Cloud Access Security Broker) extends these capabilities by allowing more granular control over cloud applications.

Blocking Video and Audio Applications:

To block all video and audio application traffic, you can create a policy within Application Control to deny all categories related to video and audio streaming.

Granting Access to Specific Videos (CNN):

To allow access to videos from CNN specifically, you must create an override rule within the same Application Control profile.

The override action "Exempt" ensures that traffic to specified URLs (such as those from CNN) is not subjected to the blocking rules set for other video and audio traffic.

Configuration Steps:

Navigate to the Application Control profile in the FortiSASE interface.

Set the application categories related to video and audio streaming to "Block."

Add a new override entry for CNN video traffic and set the action to "Exempt."

References:

FortiOS 7.2 Administration Guide: Detailed steps on configuring Application Control and Inline-CASB.

Fortinet Training Institute: Provides scenarios and examples of using Application Control with Inline-CASB for specific use cases.