A financial services company requires that all remote endpoints connecting via FortiSASE have their disk encryption enabled and an up-to-date EDR agent running. If a device fails these checks, it must be quarantined to a remediation network with limited access. Which FortiSASE components are essential for enforcing this conditional access policy?
Q2
A security analyst at a retail company is reviewing FortiSASE traffic logs. They observe a series of small, encrypted DNS queries to various seemingly random subdomains of a single, non-corporate domain from multiple endpoints. This is followed by small outbound TCP connections to an IP address associated with that domain. This pattern of activity is most indicative of which type of threat?
Q3
A manufacturing company is extending its corporate network to remote workers using FortiSASE. They have a central FortiGate NGFW at their headquarters. The goal is for remote users to appear as if they are on the local corporate network, using an IP from the internal DHCP scope, to access legacy applications that use Layer 2 discovery protocols. Which VDOM type must be configured on the headquarters' FortiGate to achieve this Layer 2 network extension with FortiSASE?
Q4
True or False: FortiSASE Secure Private Access (SPA) is exclusively used for providing access to web-based applications hosted in a private data center.
Q5 (Multiple answers)
A global consulting firm is onboarding users to FortiSASE. They want to streamline the process by integrating with their existing identity provider and ensure a consistent user experience across company-issued laptops and personal mobile devices. Which two methods should the administrator configure to meet these user onboarding requirements? (Select TWO)
Q6
HealthForward, a large healthcare provider, is migrating its 10,000 remote clinicians and administrative staff to FortiSASE. Their primary goals are to enforce HIPAA compliance for all internet-bound traffic, prevent data exfiltration of Patient Health Information (PHI), and secure access to both modern SaaS applications (like Office 365) and legacy clinical applications hosted in their on-premises data center. The legacy applications are not web-based and require direct TCP/UDP connectivity. The CISO has mandated a stringent security posture. All traffic, including to trusted SaaS vendors, must be inspected for threats and data loss. Clinicians often work from untrusted networks, so endpoint compliance is critical; devices must have active antivirus and full-disk encryption. Furthermore, to simplify auditing and interactions with external partners who have IP-based allow-lists, all traffic from the finance department must originate from a single, predictable public IP address, regardless of where the user is located. The network team has been tasked with implementing a solution that meets all these requirements without significantly impacting user experience, especially for latency-sensitive clinical applications. They must use FortiSASE's native capabilities to achieve this. Which combination of FortiSASE configurations best addresses all of HealthForward's security and compliance requirements?
Q7 (Multiple answers)
An administrator needs to configure FortiSASE logging to meet strict data privacy regulations. The requirements are to retain security event logs for one year, traffic logs for 90 days, and to minimize the storage of personally identifiable information (PII) where possible. Which two actions should the administrator take in the logging settings? (Select TWO)
Q8
A FortiSASE administrator is troubleshooting a ZTNA connection issue for a remote user. The user can authenticate successfully, but cannot access the protected application. The administrator wants to view real-time debugging information for the ZTNA application gateway. Which FortiOS CLI command is used for this purpose?
Q9
What is the primary architectural benefit of integrating FortiSASE with an existing Fortinet SD-WAN deployment at branch offices?
Q10
A company has configured a dedicated IP address in FortiSASE for source IP anchoring. The goal is to ensure that traffic from their European sales team always exits to the internet from a specific IP address when accessing a partner's SaaS platform. After configuration, the sales team reports that their traffic is still egressing from the general shared IP pool. What is the most likely configuration error?