Fortinet NSE7_SSE_AD-25 Fortinet NSE 7 - FortiSASE 25 Enterprise Administrator Exam Practice Test

In a default FortiSASE deployment, endpoints are typically onboarded using a shared invitation code sent via email. While this code simplifies deployment, it can represent a security risk if the code is leaked or intercepted, as any device with the code could potentially register with the SASE management service.

User Verification (SAML SSO): To mitigate this risk, administrators can enable user verification as an additional layer of security.3 When this feature is enforced, entering the invitation code is no longer sufficient to complete registration.

Authentication Workflow: After the end user enters the invitation code in FortiClient, they are prompted to provide their corporate credentials via a SAML SSO login.5 FortiSASE acts as the Service Provider (SP), while an external identity provider (IdP) such as Microsoft Entra ID, Okta, or FortiAuthenticator verifies the user's identity.

Security Benefit: This ensures that only authenticated users—not just anyone with a valid code—can successfully register an endpoint and receive the organization's security and VPN profiles. It prevents unauthorized "shadow" endpoints from joining the managed environment.

Incorrect Options:

Option A: Security posture tags are used after registration to determine if an endpoint is compliant (e.g., checking if an antivirus is active); they do not secure the registration process itself.

Option C and D: Device identification and application inventory are monitoring and visibility features that occur once the endpoint is already managed.

Refer to the exhibit. Based on the configuration shown in image_595357.jpg, FortiSASE will process sessions requiring FortiSandbox inspection in the following two ways:

A. Only endpoints assigned a profile for sandbox detection will be processed by the sandbox feature.

C. All files executed on a USB drive will be sent to FortiSandbox for analysis.

Answer: A, C

The provided exhibit displays an Endpoint Profile configuration specifically for the Sandbox module. This profile controls how the FortiClient agent on remote endpoints interacts with the integrated FortiSASE cloud sandbox engine.

Profile Assignment (A): In the FortiSASE architecture, security and endpoint settings are organized into profiles that must be explicitly assigned to users or user groups via endpoint policies. Consequently, the sandbox detection and remediation features are active only on those endpoints that have been assigned this specific endpoint profile. If an endpoint is not assigned a profile with sandbox enabled, it will not submit files for analysis.

Removable Media Analysis (C): Under the File Submission Options, the toggle for All Files Executed from Removable Media is enabled (shown in blue). Since USB drives are the most common form of removable media, this configuration ensures that any file executed from a USB drive is intercepted by FortiClient and submitted to the FortiSASE sandbox for behavioral analysis before being allowed to run, protecting the endpoint from offline-delivered threats.

Understanding Verdict Levels (B): The exhibit shows the Action is set to Quarantine and the Sandbox Detection Verdict Level is set to Medium. This configuration functions as a threshold; FortiClient will quarantine any file that receives a verdict of Medium or higher (including High and Malicious). Option B is incorrect because it claims only medium-level files are quarantined, which ignores the high-risk and malicious files that would also be blocked.

Sandbox Mode (D): The Sandbox Mode is clearly set to FortiSASE, which utilizes the built-in cloud-native sandbox. This contradicts Option D, which suggests the use of an on-premises or standalone sandbox appliance.

Comprehensive and Detailed Explanation From FortiSASE 24.x/25.x, FortiOS 7.4, FortiAuthenticator 6.5, FortiClient 7.0 and later Exact Extract study guide:

In FortiSASE environments, Single Sign-On (SSO) is prioritized as the primary enterprise authentication mechanism. According to the FortiSASE Configuration Guide and Security Operations documentation, when you configure SAML SSO (Single Sign-On), it serves as a global authentication setting that overrides any previously configured local or remote (RADIUS/LDAP) user authentication methods for the secure web gateway (SWG) and VPN tunnels.

The architectural logic is designed to ensure a seamless "Zero Trust" identity provider (IdP) experience. Once SSO is enabled and configured (typically using Azure AD, Okta, or FortiAuthenticator as the IdP), FortiSASE redirects authentication requests to the defined IdP. This effectively supersedes manual local user databases or legacy RADIUS configurations to maintain a single source of truth for identity management. While MFA is often a component of the authentication process, it is a secondary factor, whereas SSO is the foundational method that dictates the authentication flow and overrides prior settings.

The provided exhibit (image_57e69d.jpg) displays the Software Installations dashboard within the FortiSASE portal. This dashboard is a key component of the endpoint visibility and management features provided by the integrated FortiClient EMS functionality.

Visible Metadata: The output provides a granular list of all software detected on managed endpoints, including the application Name, the Vendor (e.g., Igor Pavlov, Microsoft Corporation, Adobe), the specific Version currently installed, and critical timestamps such as First Detected and Last Installed.

Administrative Utility: This information allows an administrator to audit the software environment effectively. By reviewing these details, they can identify unwanted software (PUA), shadow IT, or outdated software versions that may possess known vulnerabilities.

Actions Available: While the primary view is informational, the presence of the View Endpoints button (visible in the top-left) allows administrators to pivot from a specific application to a list of all individual devices where that software is present, facilitating targeted remediation.

Analysis of Incorrect Options:

Option A: While FortiSASE manages profiles and tags, this specific "Software Installations" view is focused purely on software inventory.

Option B: Although the "First Detected" date is visible, FortiSASE does not support "automatic patching" of third-party software directly from this inventory screen.

Option C: The dashboard shows what is installed, not the "latest available" version in the market, nor does it provide a mechanism to "push updates" to these third-party applications.

To resolve internal hostnames using internal DNS servers for remotely connected endpoints, the following two components must be configured on FortiSASE:

Split DNS Rules:

Split DNS allows the configuration of specific DNS queries to be directed to internal DNS servers instead of public DNS servers.

This ensures that internal hostnames are resolved using the organization's internal DNS infrastructure, maintaining privacy and accuracy for internal network resources.

Split Tunneling Destinations:

Split tunneling allows specific traffic (such as DNS queries for internal domains) to be routed through the VPN tunnel while other traffic is sent directly to the internet.

By configuring split tunneling destinations, you can ensure that DNS queries for internal hostnames are directed through the VPN to the internal DNS servers.

In the FortiSASE architecture, there are two primary methods for delivering Secure Internet Access (SIA): Agent-based (using FortiClient) and Agentless (using Secure Web Gateway/SWG).

Use Case Analysis: The scenario describes a contractor—an unmanaged user—who requires temporary access for a web-based application (the POS system). For contractors or guests using personal/non-corporate devices where installing the FortiClient agent is either not feasible or not desired, FortiSASE provides the SIA Agentless deployment model.

Mechanism (SWG & PAC): In this mode, FortiSASE functions as an explicit web proxy. To steer the contractor's web traffic (HTTP/HTTPS) to the SASE cloud for inspection, the administrator provides the user with a proxy auto-configuration (PAC) file. The contractor simply configures their browser or operating system to point to the URL of this PAC file.

Security Enforcement: Once the PAC file is applied, all web traffic from the contractor's device is redirected to the FortiSASE SWG PoP. Here, the traffic is subject to the organization’s full security stack, including SSL deep inspection, Antivirus, Web Filtering, and Application Control, ensuring that even temporary contractor access is fully secured and logged.

Why other options are incorrect:

Option B (Tunnel Policy): This refers to agent-based access where a VPN tunnel is established. This requires FortiClient, which is generally not used for temporary contractors on unmanaged devices.

Option C (ZTNA Unmanaged): While ZTNA supports agentless access to private applications (SPA), providing internet access (SIA) to an unmanaged endpoint is specifically the role of the SWG/Proxy service.

Option D (Self-registration): While FortiSASE has a User Portal for onboarding, it is a method for user registration/credential management, not the technical traffic-steering mechanism used to provide internet connectivity.

According to the FortiSASE 25 Secure Internet Access Architecture Guide, the SWG (Agentless) approach is the recommended best practice for securing web-only traffic from unmanaged endpoints and third-party contractors.

When configuring FortiSASE Secure Private Access (SPA) with SD-WAN integration, establishing a routing adjacency between FortiSASE and the FortiGate SD-WAN hub requires the use of the Border Gateway Protocol (BGP).

BGP (Border Gateway Protocol):

BGP is widely used for establishing routing adjacencies between different networks, particularly in SD-WAN environments.

It provides scalability and flexibility in managing dynamic routing between FortiSASE and the FortiGate SD-WAN hub.

Routing Adjacency:

BGP enables the exchange of routing information between FortiSASE and the FortiGate SD-WAN hub.

This ensures optimal routing paths and efficient traffic management across the hybrid network.

1. DLP Data Pattern

2. DLP Dictionary

3. DLP Sensor

4. DLP Profile

The FortiSASE Data Loss Prevention (DLP) framework follows a hierarchical object-oriented structure. When creating a custom DLP rule using Regular Expressions (Regex), the administrator must build the components from the most granular level upward to the policy level.

DLP Data Pattern: This is the first step where the actual Regex string is defined. The pattern specifies what specific data string (e.g., a specific credit card format or employee ID) the engine should look for.

DLP Dictionary: Once the pattern is created, it must be added to a Dictionary. The dictionary acts as a container that groups one or more data patterns together for easier management.

DLP Sensor: The dictionary is then linked to a DLP Sensor. Within the sensor, you define the "Rule" which specifies the dictionary to use and the action to take (such as block, log, or quarantine) when a match occurs.

DLP Profile: Finally, the sensor is applied to a DLP Profile. This profile is the high-level object that is ultimately selected within a FortiSASE Security Policy to inspect traffic for sensitive data.

FortiSASE Secure Private Access (SPA) is designed to provide remote users with seamless and secure access to private applications hosted behind an organization's FortiGate Next-Generation Firewall (NGFW) or SD-WAN hubs.2

Hub-and-Spoke Architecture: In this deployment model, the organization’s FortiGate (either a standalone NGFW or an SD-WAN hub) acts as the hub, while the global FortiSASE Security Points of Presence (PoPs) act as spokes.3

IPsec and BGP Integration: The connectivity between the FortiSASE PoPs and the corporate hub is established via IPsec VPN tunnels. To manage routing and ensure that remote users can reach the correct internal subnets, Border Gateway Protocol (BGP) is used for dynamic route exchange.4 This allows the hub to advertise internal prefixes to FortiSASE, enabling the PoPs to route user traffic effectively without requiring complex static route management.

Simplified Configuration: To reduce administrative overhead and prevent manual configuration errors on the FortiOS side, Fortinet introduced the SPA easy configuration key (also known as an invitation code or simplified SPA setup). An administrator generates this key in the FortiSASE portal and enters it on the FortiGate hub. This triggers the Fabric Overlay Orchestrator to automatically provision the necessary IPsec tunnels, BGP peerings, and firewall policies required for SPA connectivity.

According to the FortiSASE 25 Architecture Guide, this method is preferred over legacy VPNs because it supports both TCP and UDP traffic, integrates natively with existing SD-WAN deployments, and automatically finds the shortest path to applications using ADVPN (Auto-Discovery VPN) shortcuts where applicable.

The distinction between SASE (Secure Access Service Edge) and SSE (Security Service Edge) is a fundamental architectural concept in modern networking and security.

SASE Definition: SASE is a comprehensive framework that converges networking capabilities (specifically SD-WAN) with cloud-native security services (SSE) into a single, unified service model.

SSE Definition: SSE represents the security-focused subset of SASE.4 It encompasses the core security pillars required for secure access, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA).

The Key Differentiator: While both solutions share the same security stack (SWG, CASB, ZTNA), SD-WAN (Software-Defined Wide Area Network) is the specific networking component that exists in a full SASE solution to provide intelligent path selection and optimized connectivity. SSE intentionally excludes these wide-area networking functions, focusing purely on the security service delivery layer.

According to the FortiSASE 25 Enterprise Administrator Study Guide, organizations that already have a robust networking infrastructure and only require a cloud-delivered security overlay would opt for SSE, whereas those seeking a complete transformation of both network and security would deploy a full SASE solution that includes SD-WAN.

Zero Trust Network Access (ZTNA) is the FortiSASE feature that ensures least-privileged user access to all applications. ZTNA operates on the principle of "never trust, always verify," providing secure access based on the identity of users and devices, regardless of their location.

Zero Trust Network Access (ZTNA):

ZTNA ensures that only authenticated and authorized users and devices can access applications.

It applies the principle of least privilege by granting access only to the resources required by the user, minimizing the potential for unauthorized access.

Implementation:

ZTNA continuously verifies user and device trustworthiness and enforces granular access control policies.

This approach enhances security by reducing the attack surface and limiting lateral movement within the network.

To ensure that organizational SaaS applications (such as Microsoft 365, Salesforce, or AWS Console) are only accessible to users who are currently connected and protected by FortiSASE, administrators utilize Source IP Anchoring and IP-based access control.

Consistent Egress IPs: Every FortiSASE instance is assigned a set of dedicated public IP addresses (egress IPs) for each Security Point of Presence (PoP). Regardless of where a remote user is physically located, when they connect to a specific FortiSASE PoP, all their traffic destined for the internet or SaaS applications will appear to originate from that PoP's dedicated egress IP.

Whitelisting and Conditional Access: Administrators can retrieve the list of these dedicated egress IPs from the FortiSASE portal (typically found under the Support or Region IP list). These IPs are then configured as "Trusted Locations" or "Named Locations" within the SaaS provider's security settings (e.g., Microsoft Entra ID Conditional Access).

Enforcement Mechanism: Once the SaaS portal is configured to only permit logins from the FortiSASE egress IP ranges, any user attempting to access the application without being connected to the FortiSASE VPN will be denied access because their source IP will be their local ISP address rather than the trusted SASE IP. This effectively mandates the use of the SASE security stack for all corporate SaaS interactions.

Analysis of Incorrect Options:

Option A: CNAPP (Cloud-Native Application Protection Platform) is used for securing cloud-native applications and infrastructure, not for managing egress IP whitelisting for external SaaS providers.

Option B: While ZTNA is a secure access method, it is primarily used for Private Applications hosted by the organization, not for third-party public SaaS portals which rely on standard IP or identity-based conditional access.

Option C: SPA hubs are designed for Secure Private Access (connecting to a corporate data center), not for managing access to public SaaS applications.

To restrict endpoints from certain countries from connecting to FortiSASE, the administrator should configure Geofencing. This feature provides granular control over which geographic locations are permitted or denied access to the SASE infrastructure.

Geofencing in FortiSASE

Geofencing is the primary mechanism for controlling remote user connectivity based on their origin.

Functionality: It uses a geography-to-IP mapping database to identify the location of incoming connection requests.

Access Modes: Administrators can choose between two main modes:

Allow: Only users from specified countries can connect; all others are blocked.

Deny: Users from specified countries are blocked; all others are allowed.

Configuration Path: In the FortiSASE GUI, navigate to Configuration > Geofencing to enable the feature and add the relevant countries.

Enforcement: Once enabled, the system automatically creates "local-in" policies to drop or permit traffic at the edge of the SASE PoPs before it can consume resources or attempt authentication.

If the daily summary report generated by FortiSASE contains very little data, one possible explanation is that the "Log allowed traffic" setting is configured to log only "Security Events" for all policies. This configuration limits the amount of data logged, as it only includes security events and excludes normal allowed traffic.

Log Allowed Traffic Setting:

The "Log allowed traffic" setting determines which types of traffic are logged.

When set to "Security Events," only traffic that triggers a security event (such as a threat detection or policy violation) is logged.

Impact on Report Data:

If the log setting excludes regular allowed traffic, the amount of data captured and reported is significantly reduced.

This results in reports with minimal data, as only security-related events are included.

FortiSASE is designed as a unified, single-vendor solution that specifically targets the convergence of networking and security to address the modern challenges of a distributed enterprise.2

Multicloud and SaaS Adoption: FortiSASE addresses the surge in cloud-first strategies by providing Next-Generation Dual-Mode CASB (Cloud Access Security Broker).3 This feature uses both inline and API-based inspection to provide comprehensive visibility into sanctioned and unsanctioned SaaS applications (Shadow IT), ensuring that data is protected regardless of whether it resides in AWS, Azure, Google Cloud, or SaaS platforms like Microsoft 365.

Hybrid Workforce: To support a workforce that moves between the home, the office, and public spaces, FortiSASE delivers consistent security posture.5 It replaces the inconsistent experience of legacy VPNs with a geographically dispersed network of over 150 Points of Presence (PoPs), ensuring low-latency access to applications while maintaining high-performance SSL inspection and threat detection for all remote users.

Zero Trust Integration: Central to the FortiSASE architecture is Universal ZTNA (Zero Trust Network Access).7 Unlike traditional VPNs that grant broad network access, ZTNA applies the principle of "never trust, always verify". It grants access on a per-session, per-application basis, continuously verifying the device posture and user identity before and during application access.9 This shift from implicit to explicit trust significantly reduces the internal attack surface and mitigates the risk of lateral movement by attackers.

By integrating these components into a single operating system (FortiOS) and managed via a single console, FortiSASE simplifies IT operations while delivering the visibility and control required for today's multicloud and hybrid environments.

FortiSASE supports zero trust network access (ZTNA) principles by identifying attributes on the endpoint for security posture checks. ZTNA principles require continuous verification of user and device credentials, as well as their security posture, before granting access to network resources.

Security Posture Check:

FortiSASE can evaluate the security posture of endpoints by checking for compliance with security policies, such as antivirus status, patch levels, and configuration settings.

This ensures that only compliant and secure devices are granted access to the network.

Zero Trust Network Access (ZTNA):

ZTNA is based on the principle of "never trust, always verify," which requires continuous assessment of user and device trustworthiness.

FortiSASE plays a crucial role in implementing ZTNA by performing these security posture checks and enforcing access control policies.

In recent versions of FortiSASE (starting from version 24.4 and later), the platform has increased its scalability to support larger enterprise environments.

Maximum Hub Support: According to the FortiSASE Mature Administration Guide and the FortiSASE 25.3.148 Feature Release Notes, administrators can now configure a maximum of 12 SPA Service Connections (SPA hubs). Previously, this limit was restricted to 4 hubs.

Scalability for Large Enterprises: This enhancement allows organizations with complex, geographically dispersed networks—such as those with multiple regional datacenters or cloud hubs—to integrate up to 12 distinct FortiGate SD-WAN hubs into their SASE infrastructure.

Service Connection Licensing: Each SPA hub requires a dedicated FortiGate SPA Service Connection license. In MSSP environments using FortiCloud Organizations, a single FortiSASE instance can inherit these licenses from a root OU, supporting up to the same cumulative maximum of 12 service connections.

Routing and Performance: These 12 hubs form the "Private Access" backbone, where FortiSASE security PoPs act as spokes. The use of BGP (either per-overlay or on loopback) ensures that traffic is dynamically routed to the optimal hub based on the destination network and defined SLA priorities.

In the context of Zero Trust Network Access (ZTNA), security posture tagging is the fundamental mechanism used to enforce compliance and security standards before granting access to protected resources.

Granular Access Control: The primary purpose of tagging is to provide granular access control.3 Instead of relying solely on static credentials, ZTNA uses these dynamic tags to determine if a device or user meets specific security requirements at the moment of the connection request.

Compliance-Based Enforcement: Tags are assigned based on the compliance status of the endpoint. For example, the FortiSASE Endpoint Management Service (EMS) can verify if a device has an active antivirus, is running a specific OS version, or is joined to the corporate domain.5 If the device fails any of these checks, the "Compliant" tag is removed, and access is automatically revoked.

Dynamic and Continuous Assessment: Unlike traditional VPNs that check posture only at login, ZTNA posture tagging allows for continuous assessment. If a device's security posture changes—for instance, if the user disables their firewall—the tag is updated in real-time across the Security Fabric, and the ZTNA policy will immediately deny further access.8

Integration with Policies: On the FortiGate (acting as a ZTNA proxy) or within FortiSASE, these tags are used as source criteria in ZTNA policies.9 Only traffic originating from endpoints with the required tags (e.g., "EMS-Tag: Corporate-Managed") is permitted to reach the protected application.

In the user connection monitor, the random characters shown for the username indicate that log anonymization is enabled. Log anonymization is a feature that hides the actual user information in the logs for privacy and security reasons. To display proper user information, you need to disable log anonymization.

Log Anonymization:

When log anonymization is turned on, the actual usernames are replaced with random characters to protect user privacy.

This feature can be beneficial in certain environments but can cause issues when detailed user monitoring is required.

Disabling Log Anonymization:

Navigate to the FortiSASE settings.

Locate the log settings section.

Disable the log anonymization feature to ensure that actual usernames are displayed in the logs and user connection monitors.

In FortiSASE, the requirement to redirect specific traffic away from the secure tunnel and through the local physical interface is achieved through Steering Bypass (commonly referred to as split tunneling).

Steering Bypass Destinations: This feature is configured within the Endpoint Profile settings. When an administrator adds a destination (such as the Google Maps URL or FQDN) to the Steering Bypass table, the FortiClient agent updates the local routing table on the endpoint.

Traffic Redirection: Traffic matching these bypass rules is explicitly excluded from the FortiSASE VPN tunnel and instead sent directly out of the device's local internet gateway (physical interface). This is ideal for optimizing bandwidth and reducing latency for trusted, high-volume applications like mapping services or video conferencing.

Analysis of Other Options:

Option A: ZTNA TCP access proxy rules are designed for secure access to private applications, not for managing how internet-bound traffic is routed.

Option B: While it uses the term "steering bypass," there is no "tunnel firewall policy" configuration for this purpose; the configuration is done at the endpoint profile level.

Option C: Exempting a URL in the Web Filter profile only instructs FortiSASE to skip security scanning (AV, DLP, etc.) for that traffic. The traffic would still be encapsulated in the tunnel and sent to FortiSASE, which does not meet the requirement to redirect it to the physical interface.

By configuring the Google Maps URL as a steering bypass destination, the organization ensures the traffic never enters the SASE tunnel, fulfilling the requirement for both traffic inspection (for all other traffic) and local redirection (for Google Maps).

Based on the provided exhibits, the reason why the Win7-Pro endpoint can no longer access the internet through FortiSASE is due to exceeding the total vulnerability detected threshold. This threshold is used to determine if a device is compliant with the security requirements to access the network.

Endpoint Compliance:

FortiSASE monitors endpoint compliance by assessing various security parameters, including the number of vulnerabilities detected on the device.

The compliance status is indicated by the ZTNA tags and the vulnerabilities detected.

Vulnerability Threshold:

The exhibit shows that Win7-Pro has 176 vulnerabilities detected, whereas Win10-Pro has 140 vulnerabilities.

If the endpoint exceeds a predefined vulnerability threshold, it may be restricted from accessing the network to ensure overall network security.

Impact on Network Access:

Since Win7-Pro has exceeded the vulnerability threshold, it is marked as non-compliant and subsequently loses internet access through FortiSASE.

The FortiSASE endpoint profile enforces this compliance check to prevent potentially vulnerable devices from accessing the internet.

Based on the detailed analysis of the provided exhibits (image_65feb6.jpg), the connectivity failure is caused by a mismatch in the Hub firewall policy configuration.

Endpoint Analysis: The Network Diagram shows the FortiClient endpoint has an IP address of 100.65.80.2/20 and currently carries the FortiSASE-Compliant ZTNA tag.

FortiSASE Policy Validation: The Private access policy on FortiSASE shows an "Accept" rule for traffic originating from "FortiSASE-Compliant" sources destined for "All Private Access Traffic". This confirms the traffic is successfully leaving the FortiSASE PoP.

Routing Validation: The Learned BGP Routes on FortiSASE table shows the prefix 10.160.160.0/24 (the Server subnet) is correctly received via Next Hop 10.11.11.1. Routing is correctly established.

Hub Firewall Policy Error: Examining the Hub firewall policy (edit 7), the srcaddr is set to "SASE_Remote_Access". Looking at the address object definition for "SASE_Remote_Access," it is configured with the subnet 10.11.11.0 255.255.255.0.

The Conflict: The FortiClient's actual IP address (100.65.80.2) does not fall within the 10.11.11.0/24 range defined in the policy's source address. On a FortiGate hub, for traffic to be permitted through the tunnel to the internal server, the firewall policy must include the specific subnet assigned to the remote clients, not just the tunnel interface subnet. Because the FortiClient address range is missing from the hub's policy, the traffic is dropped at the hub.

To meet the requirement of inspecting all endpoint internet traffic on FortiSASE while excluding Google Maps traffic from the FortiSASE VPN tunnel and redirecting it to the endpoint's physical interface, you should configure split tunneling. Split tunneling allows specific traffic to bypass the VPN tunnel and be routed directly through the endpoint's local interface.

Split Tunneling Configuration:

Split tunneling enables selective traffic to be routed outside the VPN tunnel.

By configuring the Google Maps Fully Qualified Domain Name (FQDN) as a split tunneling destination, you ensure that traffic to Google Maps bypasses the VPN tunnel and uses the endpoint's local interface instead.

Implementation Steps:

Access the FortiSASE endpoint profile configuration.

Add the Google Maps FQDN to the split tunneling destinations list.

This configuration directs traffic intended for Google Maps to bypass the VPN tunnel and be routed directly through the endpoint's physical network interface.

In the FortiSASE architecture, Network Lockdown is a security feature designed to prevent off-net (off-fabric) endpoints from accessing the internet or local network without the protection of the SASE security stack.

Triggering Lockdown: When an endpoint is determined to be "off-net"—meaning it does not satisfy the on-net rule sets defined in its endpoint profile—a timer starts for a configurable grace period.

Function of the Grace Period: During this period, the endpoint maintains full access to the LAN and the internet.4 The specific purpose of this grace period is to provide the user with a window of time to attempt a connection to the FortiSASE VPN tunnel or an alternate corporate tunnel.5 This ensures that users can authenticate and regain a secure "on-net" status before any connectivity restrictions are enforced.

Enforcement: If the grace period expires and the endpoint has failed to establish a VPN connection, FortiClient enforces a strict lockdown.7 In this state, the device cannot reach the LAN or the internet, except for specifically defined "Exempt Destinations" (such as captive portal login pages or the FortiSASE portal itself).

Resetting the Timer: Any attempt to connect to the tunnel during the grace period resets the timer, providing additional opportunities for the user to remediate their connection status.8

According to the FortiSASE 25 Administrator Study Guide, the grace period is an essential user-experience setting that balances strict "zero-trust" security with the practical need for users to access the network briefly to establish their secure tunnel.

During FortiSASE provisioning, the FortiSASE administrator needs to configure at least one security point of presence (PoP). A single PoP is sufficient to get started with FortiSASE, providing the necessary security services and connectivity for users.

Security Point of Presence (PoP):

A PoP is a strategically located data center that provides security services such as secure web gateway, firewall, and VPN termination.

Configuring at least one PoP ensures that users can connect to FortiSASE and benefit from its security features.

Scalability:

While only one PoP is required to start, additional PoPs can be added as needed to enhance redundancy, load balancing, and performance.