FCSS_SASE_AD-23試験問題集でPDF問題とテストエンジン [Q16-Q37]

Share

FCSS_SASE_AD-23試験問題集でPDF問題とテストエンジン

FCSS_SASE_AD-23問題集で必ず試験合格させる


Fortinet FCSS_SASE_AD-23 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • SASE architecture and components: In this section, the focus is on integrating FortiSASE in a hybrid network, identifying FortiSASE components, and constructing FortiSASE deployment cases.
トピック 2
  • SASE deployment: In this section, the focus is given to implementing various types of user onboarding methods, configuring SASE administration settings, and setting up security posture checks and compliance rules.
トピック 3
  • SIA, SSA, and SPA: In this section, the focus is given to the design of security profiles to perform content inspection, and implement SD-WAN using FortiSASE, and ZTNA.
トピック 4
  • Analytics: In this section, the focus is given to identifying potential security threats using FortiSASE logs, configuring dashboards, FortiView and logging settings, and analyzing reports for user traffic and security issues.

 

質問 # 16
What are two advantages of using zero-trust tags? (Choose two.)

  • A. Zero-trust tags can be used to create multiple endpoint profiles which can be applied to different endpoints
  • B. Zero-trust tags can be used to allow or deny access to network resources
  • C. Zero-trust tags can determine the security posture of an endpoint.
  • D. Zero-trust tags can be used to allow secure web gateway (SWG) access

正解:B、C

解説:
Zero-trust tags are critical in implementing zero-trust network access (ZTNA) policies. Here are the two key advantages of using zero-trust tags:
* Access Control (Allow or Deny):
* Zero-trust tags can be used to define policies that either allow or deny access to specific network resources based on the tag associated with the user or device.
* This granular control ensures that only authorized users or devices with the appropriate tags can access sensitive resources, thereby enhancing security.
* Determining Security Posture:
* Zero-trust tags can be utilized to assess and determine the security posture of an endpoint.
* Based on the assigned tags, FortiSASE can evaluate the device's compliance with security policies, such as antivirus status, patch levels, and configuration settings.
* Devices that do not meet the required security posture can be restricted from accessing the network or given limited access.
References:
* FortiOS 7.2 Administration Guide: Provides detailed information on configuring and using zero-trust tags for access control and security posture assessment.
* FortiSASE 23.2 Documentation: Explains how zero-trust tags are implemented and used within the FortiSASE environment for enhancing security and compliance.


質問 # 17
Refer to the exhibits.





A FortiSASE administrator is trying to configure FortiSASE as a spoke to a FortiGate hub. The tunnel is up to the FortiGale hub. However, the administrator is not able to ping the webserver hosted behind the FortiGate hub.
Based on the output, what is the reason for the ping failures?

  • A. Quick mode selectors are restricting the subnet.
  • B. The BGP route is not received.
  • C. The Secure Private Access (SPA) policy needs to allow PING service.
  • D. Network address translation (NAT) is not enabled on the spoke-to-hub policy.

正解:A

解説:
The reason for the ping failures is due to the quick mode selectors restricting the subnet. Quick mode selectors define the IP ranges and protocols that are allowed through the VPN tunnel, and if they are not configured correctly, traffic to certain subnets can be blocked.
* Quick Mode Selectors:
* Quick mode selectors specify the source and destination subnets that are allowed to communicate through the VPN tunnel.
* If the selectors do not include the subnet of the webserver (192.168.10.0/24), then the traffic will be restricted, and the ping will fail.
* Diagnostic Output:
* The diagnostic output shows the VPN configuration details, but it is important to check the quick mode selectors to ensure that the necessary subnets are included.
* If the quick mode selectors are too restrictive, they will prevent traffic to and from the specified subnets.
* Configuration Check:
* Verify the quick mode selectors on both the FortiSASE and FortiGate hub to ensure they match and include the subnet of the webserver.
* Adjust the selectors to allow the necessary subnets for successful communication.
References:
* FortiOS 7.2 Administration Guide: Provides detailed information on configuring VPN tunnels and quick mode selectors.
* FortiSASE 23.2 Documentation: Explains how to set up and manage VPN tunnels, including the configuration of quick mode selectors.


質問 # 18
Refer to the exhibits.

WiMO-Pro and Win7-Pro are endpoints from the same remote location. WiMO-Pro can access the internet though FortiSASE, while Wm7-Pro can no longer access the internet Given the exhibits, which reason explains the outage on Wm7-Pro?

  • A. Win-7 Pro has exceeded the total vulnerability detected threshold.
  • B. The Win7-Pro FortiClient version does not match the FortiSASE endpoint requirement.
  • C. Win7-Pro cannot reach the FortiSASE SSL VPN gateway
  • D. The Win7-Pro device posture has changed.

正解:A

解説:
Based on the provided exhibits, the reason why the Win7-Pro endpoint can no longer access the internet through FortiSASE is due to exceeding the total vulnerability detected threshold. This threshold is used to determine if a device is compliant with the security requirements to access the network.
* Endpoint Compliance:
* FortiSASE monitors endpoint compliance by assessing various security parameters, including the number of vulnerabilities detected on the device.
* The compliance status is indicated by the ZTNA tags and the vulnerabilities detected.
* Vulnerability Threshold:
* The exhibit shows that Win7-Pro has 176 vulnerabilities detected, whereas Win10-Pro has 140 vulnerabilities.
* If the endpoint exceeds a predefined vulnerability threshold, it may be restricted from accessing the network to ensure overall network security.
* Impact on Network Access:
* Since Win7-Pro has exceeded the vulnerability threshold, it is marked as non-compliant and subsequently loses internet access through FortiSASE.
* The FortiSASE endpoint profile enforces this compliance check to prevent potentially vulnerable devices from accessing the internet.
References:
* FortiOS 7.2 Administration Guide: Provides information on endpoint compliance and vulnerability management.
* FortiSASE 23.2 Documentation: Explains how vulnerability thresholds are used to determine endpoint compliance and access control.


質問 # 19
During FortiSASE provisioning, how many security points of presence (POPs) need to be configured by the FortiSASE administrator?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

正解:C

解説:
During FortiSASE provisioning, the FortiSASE administrator needs to configure at least one security point of presence (PoP). A single PoP is sufficient to get started with FortiSASE, providing the necessary security services and connectivity for users.
* Security Point of Presence (PoP):
* A PoP is a strategically located data center that provides security services such as secure web gateway, firewall, and VPN termination.
* Configuring at least one PoP ensures that users can connect to FortiSASE and benefit from its security features.
* Scalability:
* While only one PoP is required to start, additional PoPs can be added as needed to enhance redundancy, load balancing, and performance.
References:
* FortiOS 7.2 Administration Guide: Provides details on the provisioning process for FortiSASE.
* FortiSASE 23.2 Documentation: Explains the configuration and role of security PoPs in the FortiSASE architecture.


質問 # 20
Which two additional components does FortiSASE use for application control to act as an inline-CASB?
(Choose two.)

  • A. SSL deep inspection
  • B. Web filter with inline-CASB
  • C. DNS filter
  • D. intrusion prevention system (IPS)

正解:A、B

解説:
FortiSASE uses the following components for application control to act as an inline-CASB (Cloud Access Security Broker):
* SSL Deep Inspection:
* SSL deep inspection is essential for decrypting and inspecting HTTPS traffic to identify and control applications and data transfers within encrypted traffic.
* This allows FortiSASE to enforce security policies on SSL/TLS encrypted traffic, providing visibility and control over cloud applications.
* Web Filter with Inline-CASB:
* The web filter component integrates with inline-CASB to monitor and control access to cloud applications based on predefined security policies.
* This combination provides granular control over cloud application usage, ensuring compliance with security policies and preventing unauthorized data transfers.
References:
* FortiOS 7.2 Administration Guide: Details on SSL deep inspection and web filtering configurations.
* FortiSASE 23.2 Documentation: Explains how FortiSASE acts as an inline-CASB using SSL deep inspection and web filtering.


質問 # 21
An organization needs to resolve internal hostnames using its internal rather than public DNS servers for remotely connected endpoints. Which two components must be configured on FortiSASE to achieve this?
(Choose two.)

  • A. Split tunnelling destinations
  • B. SSL deep inspection
  • C. DNS filter
  • D. Split DNS rules

正解:A、D

解説:
To resolve internal hostnames using internal DNS servers for remotely connected endpoints, the following two components must be configured on FortiSASE:
* Split DNS Rules:
* Split DNS allows the configuration of specific DNS queries to be directed to internal DNS servers instead of public DNS servers.
* This ensures that internal hostnames are resolved using the organization's internal DNS infrastructure, maintaining privacy and accuracy for internal network resources.
* Split Tunneling Destinations:
* Split tunneling allows specific traffic (such as DNS queries for internal domains) to be routed through the VPN tunnel while other traffic is sent directly to the internet.
* By configuring split tunneling destinations, you can ensure that DNS queries for internal hostnames are directed through the VPN to the internal DNS servers.
References:
* FortiOS 7.2 Administration Guide: Provides details on configuring split DNS and split tunneling for VPN clients.
* FortiSASE 23.2 Documentation: Explains the implementation and configuration of split DNS and split
* tunneling for securely resolving internal hostnames.


質問 # 22
Which FortiSASE feature ensures least-privileged user access to all applications?

  • A. thin branch SASE extension
  • B. SD-WAN
  • C. zero trust network access (ZTNA)
  • D. secure web gateway (SWG)

正解:C


質問 # 23
Refer to the exhibit.

A company has a requirement to inspect all the endpoint internet traffic on FortiSASE, and exclude Google Maps traffic from the FortiSASE VPN tunnel and redirect it to the endpoint physical Interface.
Which configuration must you apply to achieve this requirement?

  • A. Exempt the Google Maps FQDN from the endpoint system proxy settings.
  • B. Configure a static route with the Google Maps FQDN on the endpoint to redirect traffic
  • C. Configure the Google Maps FQDN as a split tunneling destination on the FortiSASE endpoint profile.
  • D. Change the default DNS server configuration on FortiSASE to use the endpoint system DNS.

正解:C

解説:
To meet the requirement of inspecting all endpoint internet traffic on FortiSASE while excluding Google Maps traffic from the FortiSASE VPN tunnel and redirecting it to the endpoint's physical interface, you should configure split tunneling. Split tunneling allows specific traffic to bypass the VPN tunnel and be routed directly through the endpoint's local interface.
* Split Tunneling Configuration:
* Split tunneling enables selective traffic to be routed outside the VPN tunnel.
* By configuring the Google Maps Fully Qualified Domain Name (FQDN) as a split tunneling destination, you ensure that traffic to Google Maps bypasses the VPN tunnel and uses the endpoint's local interface instead.
* Implementation Steps:
* Access the FortiSASE endpoint profile configuration.
* Add the Google Maps FQDN to the split tunneling destinations list.
* This configuration directs traffic intended for Google Maps to bypass the VPN tunnel and be routed directly through the endpoint's physical network interface.
References:
* FortiOS 7.2 Administration Guide: Provides details on split tunneling configuration.
* FortiSASE 23.2 Documentation: Explains how to set up and manage split tunneling for specific destinations.


質問 # 24
Which secure internet access (SIA) use case minimizes individual workstation or device setup, because you do not needto install FortiClient on endpoints or configure explicit web proxy settings on web browser-based end points?

  • A. SIA for agentless remote users
  • B. SIA for inline-CASB users
  • C. SIA for SSLVPN remote users
  • D. SIA for site-based remote users

正解:A


質問 # 25
When you configure FortiSASE Secure Private Access (SPA) with SD-WAN integration, you must establish a routing adjacency between FortiSASE and the FortiGate SD-WAN hub. Which routing protocol must you use?

  • A. EIGRP
  • B. OSPF
  • C. BGP
  • D. IS-IS

正解:C

解説:
When configuring FortiSASE Secure Private Access (SPA) with SD-WAN integration, establishing a routing adjacency between FortiSASE and the FortiGate SD-WAN hub requires the use of the Border Gateway Protocol (BGP).
* BGP (Border Gateway Protocol):
* BGP is widely used for establishing routing adjacencies between different networks, particularly in SD-WAN environments.
* It provides scalability and flexibility in managing dynamic routing between FortiSASE and the FortiGate SD-WAN hub.
* Routing Adjacency:
* BGP enables the exchange of routing information between FortiSASE and the FortiGate SD-WAN hub.
* This ensures optimal routing paths and efficient traffic management across the hybrid network.
References:
* FortiOS 7.2 Administration Guide: Provides information on configuring BGP for SD-WAN integration.
* FortiSASE 23.2 Documentation: Details on setting up routing adjacencies using BGP for Secure Private Access with SD-WAN.


質問 # 26
An organization wants to block all video and audio application traffic but grant access to videos from CNN Which application override action must you configure in the Application Control with Inline-CASB?

  • A. Permit
  • B. Allow
  • C. Pass
  • D. Exempt

正解:D

解説:
To block all video and audio application traffic while granting access to videos from CNN, you need to configure an application override action in the Application Control with Inline-CASB. Here is the step-by-step detailed explanation:
* Application Control Configuration:
* Application Control is used to identify and manage application traffic based on predefined or custom application signatures.
* Inline-CASB (Cloud Access Security Broker) extends these capabilities by allowing more granular control over cloud applications.
* Blocking Video and Audio Applications:
* To block all video and audio application traffic, you can create a policy within Application Control to deny all categories related to video and audio streaming.
* Granting Access to Specific Videos (CNN):
* To allow access to videos from CNN specifically, you must create an override rule within the same Application Control profile.
* The override action "Exempt" ensures that traffic to specified URLs (such as those from CNN) is not subjected to the blocking rules set for other video and audio traffic.
* Configuration Steps:
* Navigate to the Application Control profile in the FortiSASE interface.
* Set the application categories related to video and audio streaming to "Block."
* Add a new override entry for CNN video traffic and set the action to "Exempt." References:
* FortiOS 7.2 Administration Guide: Detailed steps on configuring Application Control and Inline-CASB.
* Fortinet Training Institute: Provides scenarios and examples of using Application Control with Inline-CASB for specific use cases.


質問 # 27
Which policy type is used to control traffic between the FortiClient endpoint to FortiSASE for secure internet access?

  • A. VPN policy
  • B. private access policy
  • C. secure web gateway (SWG) policy
  • D. thin edge policy

正解:C

解説:
The Secure Web Gateway (SWG) policy is used to control traffic between the FortiClient endpoint and FortiSASE for secure internet access. SWG provides comprehensive web security by enforcing policies that manage and monitor user access to the internet.
* Secure Web Gateway (SWG) Policy:
* SWG policies are designed to protect users from web-based threats and enforce acceptable use policies.
* These policies control and monitor user traffic to and from the internet, ensuring that security protocols are followed.
* Traffic Control:
* The SWG policy intercepts all web traffic, inspects it, and applies security rules before allowing or blocking access.
* This policy type is crucial for providing secure internet access to users connecting through FortiSASE.
References:
* FortiOS 7.2 Administration Guide: Details on configuring and managing SWG policies.
* FortiSASE 23.2 Documentation: Explains the role of SWG in securing internet access for endpoints.


質問 # 28
Which two components are part of onboarding a secure web gateway (SWG) endpoint? (Choose two)

  • A. FortiClient installer
  • B. proxy auto-configuration (PAC) file
  • C. FortiSASE invitation code
  • D. FortiSASE CA certificate

正解:B、D

解説:
Onboarding a Secure Web Gateway (SWG) endpoint involves several components to ensure secure and effective integration with FortiSASE. Two key components are the FortiSASE CA certificate and the proxy auto-configuration (PAC) file.
* FortiSASE CA Certificate:
* The FortiSASE CA certificate is essential for establishing trust between the endpoint and the FortiSASE infrastructure.
* It ensures that the endpoint can securely communicate with FortiSASE services and inspect SSL/TLS traffic.
* Proxy Auto-Configuration (PAC) File:
* The PAC file is used to configure the endpoint to direct web traffic through the FortiSASE proxy.
* It provides instructions on how to route traffic, ensuring that all web requests are properly inspected and filtered by FortiSASE.
References:
* FortiOS 7.2 Administration Guide: Details on onboarding endpoints and configuring SWG.
* FortiSASE 23.2 Documentation: Explains the components required for integrating endpoints with FortiSASE and the process for deploying the CA certificate and PAC file.


質問 # 29
......

合格させるFortinet FCSS_SASE_AD-23試験最速合格にはFast2test:https://jp.fast2test.com/FCSS_SASE_AD-23-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어