FCSS_SASE_AD-25 FCSS - FortiSASE 25 Administrator Question and Answers

FortiSASE hides user information in logs by using hashing, which anonymizes sensitive data such as usernames or IP addresses while still allowing for consistent tracking and analysis.

The sandbox feature applies only to endpoints assigned this profile, and the configuration explicitly enables the submission of all files executed from removable media (like USB drives) to FortiSandbox for analysis.

Fortinet documentation makes clear that overlay IDs must be identical on hub and spoke for ADVPN to establish correctly:

“When configuring the root and downstream FortiGates the Fabric Overlay Orchestrator configures… IPsec overlay configuration (hub and spoke ADVPN tunnels).”

“The Fabric root will be the hub and any first-level downstream devices from the Fabric root will be spokes.”

In the scenario:

FortiSASE overlay ID = 100

FortiGate hub overlay ID = 101

Mismatch prevents tunnel establishment. Therefore, the fix is: B. The network overlay ID must match on FortiSASE and the hub.

In FortiSASE, the recommended method to upgrade FortiClient is to configure an endpoint upgrade rule and assign it to specific endpoint groups. This ensures controlled and automated upgrades across managed devices.

ZTNA enforces least-privileged access by verifying user identity and device posture before granting access to specific corporate applications, even when protected by an on-premises FortiGate.

FortiSASE reporting provides visibility into the usage of sanctioned and unsanctioned SaaS applications, enabling administrators to monitor cloud application activity and enforce security policies.

Although the antivirus is installed, it is not running due to the Windows application firewall blocking it. According to the FortiSASE-Non-Compliant rule, antivirus software must be both installed and running. Since this condition fails, FortiClient assigns the FortiSASE-Non-Compliant tag to the endpoint.

Deploying secure private access with SD-WAN enables the hub FortiGate to perform ZTNA posture checks, and supports both TCP and UDP applications over the tunnel, allowing for flexible and secure access to internal resources.

The self-registration portal is the recommended method for granting temporary internet access to contractors or guests. It provides a simple and secure way for the contractor to authenticate and access the internet without requiring full endpoint management or policy configuration.

SD-WAN allows efficient and secure routing of traffic from users to corporate applications, while ZTNA enables secure access control and verification for users connecting to internal resources, both of which are essential for Secure Private Access (SPA) in FortiSASE.