Practice Free NSE7_SSE_AD-25 Exam Online Questions
Refer to the exhibits.





A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The VPN tunnel does not establish.
Based on the provided configuration, what configuration needs to be modified to bring the tunnel up?
- A . NAT needs to be enabled in the Spoke-to-Hub firewall policy.
- B . The BGP router ID needs to match on the hub and FortiSASE.
- C . FortiSASE spoke devices do not support mode config.
- D . The hub needs IKEv2 enabled in the IPsec phase 1 settings.
Which event log subtype captures FortiSASE SSL VPN user creation?
- A . Endpoint Events
- B . VPN Events
- C . User Events
- D . Administrator Events
C
Explanation:
The event log subtype that captures FortiSASE SSL VPN user creation is User Events. This subtype is specifically designed to log activities related to user management, such as creating, modifying, or deleting user accounts. When an SSL VPN user is created, it falls under this category because it involves adding a new user to the system.
Here’s why the other options are incorrect:
Refer to the exhibit.


An endpoint is assigned an IP address of 192.168.13.101/24.
Which action will be run on the endpoint?
- A . The endpoint will be exempted from auto-connect to the FortiSASE tunnel.
- B . The endpoint will automatically connect to the FortiSASE tunnel.
- C . The endpoint will be detected as off-net.
- D . The endpoint will be able to bypass the on-net rule because it is connecting from a known subnet.
A
Explanation:
The FortiClient Administration Guide states that on-net rules determine when an endpoint is in a trusted location. If the endpoint matches the configured subnet, the client is considered on-net, and therefore bypasses auto-connect.
“Device registration and on-net status information for a device that is running FortiClient appears only on the FortiGate that applies the FortiClient profile to that device.”
Since 192.168.13.101 falls inside the trusted subnet 192.168.13.0/24, the endpoint is treated as on-net → it will be exempted from auto-connect.
Which service is included in a secure access service edge (SASE) solution, but not in a security service edge (SSE) solution?
- A . ZTNA
- B . SD-WAN
- C . SWG
- D . CASB
B
Explanation:
SD-WAN is a networking component included in a SASE solution but not in an SSE solution. SSE focuses solely on security services (like ZTNA, SWG, and CASB), while SASE combines both networking (e.g., SD-WAN) and security into a unified cloud-delivered service.
Refer to the exhibit.

In the user connection monitor, the FortiSASE administrator notices the user name is showing random characters.
Which configuration change must the administrator make to get proper user information?
- A . Turn off log anonymization on FortiSASE.
- B . Add more endpoint licenses on FortiSASE.
- C . Configure the username using FortiSASE naming convention.
- D . Change the deployment type from SWG to VPN.
A
Explanation:
In the user connection monitor, the random characters shown for the username indicate that log anonymization is enabled. Log anonymization is a feature that hides the actual user information in the logs for privacy and security reasons. To display proper user information, you need to disable log anonymization.
Log Anonymization:
- When log anonymization is turned on, the actual usernames are replaced with random characters to protect user privacy.
- This feature can be beneficial in certain environments but can cause issues when detailed user monitoring is required.
Disabling Log Anonymization:
- Navigate to the FortiSASE settings.
- Locate the log settings section.
- Disable the log anonymization feature to ensure that actual usernames are displayed in the logs and user connection monitors.
Reference:
- FortiSASE 23.2 Documentation: Provides detailed steps on enabling and disabling log anonymization.
- Fortinet Knowledge Base: Explains the impact of log anonymization on user monitoring and logging.
What are two benefits of deploying FortiSASE with FortiGate ZTNA access proxy? (Choose two.)
- A . It offers data center redundancy.
- B . The on-premises FortiGate performs a device posture check.
- C . It is ideal for latency-sensitive applications.
- D . It supports both agentless ZTNA and agent-based ZTNA.
C,D
Explanation:
Deploying FortiSASE with FortiGate ZTNA access proxy enables efficient access to private applications with reduced latency and supports both agentless and agent-based ZTNA methods for flexible access control.
A customer wants to ensure secure access for private applications for their users by replacing their VPN.
Which two SASE technologies can you use to accomplish this task? (Choose two.)
- A . zero trust network access (ZTNA)
- B . secure SD-WAN
- C . secure web gateway (SWG) and cloud access security broker (CASB)
- D . SD-WAN on-ramp
A,D
Explanation:
ZTNA replaces traditional VPNs by enforcing identity- and posture-based access to private applications. SD-WAN on-ramp integrates with FortiSASE to securely route traffic from branch users to private applications over the SASE fabric, ensuring secure and optimized access.
In a FortiSASE secure web gateway (SWG) deployment, which three features protect against web-based threats? (Choose three.)
- A . Intrusion prevention system (IPS) for web traffic
- B . SSL deep inspection for encrypted web traffic
- C . Malware protection with sandboxing capabilities
- D . Data loss prevention (DLP) for web traffic
- E . Web application firewall (WAF) for web applications
Which two additional components does FortiSASE use for application control to act as an inline-CASB? (Choose two.)
- A . intrusion prevention system (IPS)
- B . SSL deep inspection
- C . DNS filter
- D . Web filter with inline-CASB
What are two benefits of deploying secure private access with SD-WAN? (Choose two.)
- A . a direct access proxy tunnel from FortiClient to the on-premises FortiGate
- B . ZTNA posture check performed by the hub FortiGate
- C . support of both TCP and UDP applications
- D . inline security inspection by FortiSASE
B,C
Explanation:
Deploying secure private access with SD-WAN enables the hub FortiGate to perform ZTNA posture checks, and supports both TCP and UDP applications over the tunnel, allowing for flexible and secure access to internal resources.
