The Fortinet NSE 7 - FortiSASE 25 Enterprise Administrator (NSE7_SSE_AD-25)

To enable remote users to access internal applications located behind an existing FortiGate SD-WAN hub, the customer must license the FortiSASE Secure Private Access (SPA) add-on .

Secure Private Access (SPA) Use Case: This specific add-on is designed to extend the Fortinet Security Fabric into the SASE cloud, allowing for a hub-and-spoke architecture where the FortiSASE PoPs act as spokes and the customer ' s on-premises FortiGate acts as the hub.

Licensing Requirements: The SPA add-on is a per-hub (per service connection) license. It provides the necessary entitlements to establish IPsec tunnels and BGP peering between the SASE infrastructure and the corporate FortiGate.

Feature Enablement: Once the SPA license is applied, the Configuration > Private Access menu becomes available in the FortiSASE portal. This allows administrators to define " Service Connections " to their private data centers or cloud VPCs.

Analysis of Other Options:

Option A: The Global add-on is typically related to expanding the geographic reach or performance of the SASE PoPs, not specifically for private resource routing.

Option B: The Branch On-Ramp refers to connecting physical office locations (Thin Edge) to SASE, rather than the specific licensing for private application access for remote users.

Option D: Dedicated Public IP Address is used for source IP anchoring (SIA) to ensure remote users egress with a consistent IP for third-party SaaS IP-whitelisting.

According to the NSE7 SASE Enterprise Guide (Pages 64 & 153) , FortiSASE utilizes an intelligent engine to manage connectivity to private resources through various selection methods:

Hub Health and Priority: FortiSASE incorporates a built-in SD-WAN engine for intelligent routing selection among established IPsec links. The health check IP address periodically receives performance metrics, including jitter, latency, and packet loss, for each service connection. In this mode, FortiSASE evaluates the available hubs and selects the one with the highest priority (the most preferred value) within each POP, provided that the hub meets the defined service-level agreement (SLA) requirements . For this configuration to function correctly, both FortiSASE and the SPA hub must use the same Autonomous System Number (ASN).

BGP Multiple Exit Discriminator (MED): This method leverages the standard BGP MED attribute, which allows an autonomous system to signal its preferred entry point to a peer. FortiSASE learns the MED values advertised by the configured hubs. The architecture is designed so that the lower the MED value , the more preferred the path is to the receiving router. Consistent with the " Zero Trust " and " Secure Access " principles, even when using BGP MED, the selection is gated by the health engine; therefore, the hub is only selected if it also satisfies the configured SLA thresholds .

While SLA thresholds can be configured, the primary logic for hub selection focuses on how priority and dynamic routing attributes (like MED) interact with the real-time health of the tunnel.

In a FortiSASE environment where always-on VPN is enforced, FortiClient typically establishes a full tunnel to a Security Point of Presence (PoP). By default, a full-tunnel configuration instructs the endpoint to send all traffic—including traffic destined for the local network—through the secure tunnel to FortiSASE for inspection.

The Local Access Challenge: When a remote user is at home or in a satellite office, they often need to access local resources such as printers, NAS devices, or other computers on the same Layer 2 (L2) broadcast domain. In a standard full-tunnel setup, these local resources become unreachable because the routing table on the endpoint prioritizes the VPN interface for all non-local-gateway traffic.

Allow Local LAN Access: To resolve this while maintaining the security of the " Always-On " requirement, FortiSASE administrators can enable the Allow Local LAN Access feature within the Endpoint Profile .

Configuration Logic: This setting modifies the FortiClient configuration (often via an XML update pushed from the FortiSASE EMS) to include an exemption for the endpoint ' s locally connected subnet. Specifically, it ensures that traffic destined for the local L2 network does not enter the IPsec or SSL-VPN tunnel, allowing the user to interact with local peripherals while all other internet and corporate-bound traffic remains secured by FortiSASE.

Incorrect Options: * Option B and C: Sandbox and Anti-Virus protections are security features for threat detection and do not influence the routing of local network traffic.

Option D: Network Lockdown actually does the opposite; it restricts network access until a VPN connection is established and typically blocks local LAN access unless specific exemptions are made, making it the incorrect choice for enabling access to local resources.

The core of this issue lies in the difference between Certificate Inspection and Deep SSL Inspection within the FortiSASE security framework.

The Limitation of Certificate Inspection: When " Force Certificate Inspection " is enabled in a FortiSASE firewall policy, the system only inspects the SSL handshake—specifically the SNI (Server Name Indication) and certificate headers. It does not decrypt the actual data payload of the HTTPS session.

Antivirus Scanning Requirements: To detect and block malicious files like the EICAR test file when they are downloaded over an encrypted HTTPS connection (such as https://eicar.org), the FortiSASE antivirus engine must be able to " see " inside the encrypted tunnel. This requires Deep Inspection (Full SSL Inspection), where FortiSASE acts as a " man-in-the-middle " to decrypt, scan, and then re-encrypt the traffic.

Exhibit Analysis: The Secure Internet Access policy exhibit clearly shows the toggle for Force Certificate Inspection is enabled (set to " ON " ). As specified in the Fortinet technical documentation, enabling this option forces the policy to use Certificate Inspection only, overriding any Deep Inspection settings that might be defined in the Profile Group.

Conclusion: Because the traffic is only undergoing certificate-level inspection, the antivirus engine cannot analyze the encrypted eicar.com-zip file payload, allowing the download to proceed even though an antivirus profile is active in the group.

To block all video and audio application traffic while granting access to videos from CNN, you need to configure an application override action in the Application Control with Inline-CASB. Here is the step-by-step detailed explanation:

Application Control Configuration:

Application Control is used to identify and manage application traffic based on predefined or custom application signatures.

Inline-CASB (Cloud Access Security Broker) extends these capabilities by allowing more granular control over cloud applications.

Blocking Video and Audio Applications:

To block all video and audio application traffic, you can create a policy within Application Control to deny all categories related to video and audio streaming.

Granting Access to Specific Videos (CNN):

To allow access to videos from CNN specifically, you must create an override rule within the same Application Control profile.

The override action " Exempt " ensures that traffic to specified URLs (such as those from CNN) is not subjected to the blocking rules set for other video and audio traffic.

Configuration Steps:

Navigate to the Application Control profile in the FortiSASE interface.

Set the application categories related to video and audio streaming to " Block. "

Add a new override entry for CNN video traffic and set the action to " Exempt. "

IP Address Management (IPAM) in FortiSASE is responsible for automatically allocating subnets to various services, including VPN tunnels and Edge devices. When an administrator modifies the default IPAM configuration, they must adhere to specific architectural scaling requirements.

Subnet Requirements per PoP: FortiSASE architecture requires a minimum amount of address space to be available for each provisioned Security Point of Presence (PoP) to handle internal routing and endpoint assignments. For the IPAM engine to function correctly and distribute unique subnets across the global infrastructure, the pool must provide at least one /20 subnet per security PoP . If the available space is smaller than this per-PoP requirement, the allocation logic may fail or produce unpredictable routing behavior.

Impact of Excessive Exclusions: In the exhibit (image_578940.png), the customer has defined a large summary pool of 172.16.0.0/12. However, they have configured eight separate /15 excluded subnets: 172.16.0.0/15, 172.18.0.0/15, 172.20.0.0/15, 172.22.0.0/15, 172.24.0.0/15, 172.26.0.0/15, 172.28.0.0/15, and 172.30.0.0/15.

Calculating the Exhaustion: A /12 network contains exactly eight /15 blocks. By excluding all eight /15 ranges listed in the exhibit, the customer has effectively excluded 100% of the available addresses from the primary 172.16.0.0/12 pool.

Connectivity Problems: When the IPAM pool is exhausted or overly restricted, FortiSASE cannot assign valid, non-overlapping subnets to the PoPs. This leads to connectivity problems for remote users and can cause the system to " fall back " to ranges it believes are available, even if they were intended to be excluded, or simply fail to establish tunnels entirely.

To resolve this, the administrator must ensure that the excluded subnets do not consume the entire pool and that the remaining unexcluded space is large enough to provide a /20 block for every active PoP in their subscription.

Integrating Fortinet SOCaaS (Security Operations Center as a Service) with FortiSASE provides a managed extension of your security team, combining automated AI/ML-driven triage with human expertise to secure remote and on-premises users.

Consistent Security Monitoring and Dashboards (C): Fortinet SOCaaS ensures that your security posture remains robust through seamless integration. This is achieved by configuring FortiSASE to forward pertinent security logs to the SOCaaS cloud, ensuring that analysts have the necessary data to detect anomalies across your network. The service provides verified threat notifications with detailed response guidance and mitigation recommendations. Furthermore, a built-in portal offers intuitive dashboards to track threats and manage escalated alerts.

24x7x365 Expert-Led Monitoring (D): This feature addresses the cybersecurity skills gap by providing around-the-clock vigilance. A global team of Fortinet Security Analysts works 24x7x365 to monitor logs and investigate events. The platform leverages AI and Machine Learning for automated alert triage, while human experts perform in-depth analysis to eliminate false positives and validate threats.

Operational Efficiency: By offloading tedious manual work and triage to Fortinet experts, your internal security team can reduce burnout and focus on higher-value tasks while maintaining a superior security posture for both SASE and on-premises environments.

FortiSASE Secure Private Access (SPA) offers two distinct architectural methods for connecting remote users to private applications: SD-WAN-based SPA and ZTNA-based SPA . Each utilizes a different traffic flow to balance security and performance requirements.

SD-WAN Private Access (Hub-and-Spoke): In this model, the FortiSASE Security Points of Presence (PoPs) act as spokes in a traditional hub-and-spoke VPN topology. When a remote user attempts to access a private network, the traffic is first steered to the closest FortiSASE PoP . The PoP then routes that traffic over a persistent IPsec tunnel to the corporate FortiGate hub (or SPA hub). This ensures that all traffic, regardless of protocol (TCP/UDP), can be inspected by the SASE security stack before entering the private network.

Zero Trust Network Access (ZTNA): Unlike the SD-WAN approach, ZTNA is designed for a " shortest path " connection. While FortiSASE manages the endpoint ' s posture and issues certificates, the actual application traffic (the data plane) bypasses the FortiSASE PoP . Instead, the FortiClient agent on the endpoint establishes a direct HTTPS or TCP-forwarding connection to the ZTNA Access Proxy configured on the corporate FortiGate. This significantly reduces latency and is ideal for high-performance TCP-based applications.

According to the FortiSASE 25 Secure Internet Access Architecture Guide , " In FortiSASE, ZTNA refers to traffic that is destined directly to private resources using the FortiGate ZTNA access proxy traffic flow, " whereas for SD-WAN SPA, the PoPs " rely on IPsec overlays... to secure and route traffic between PoPs and the networks behind an organization’s SD-WAN hubs. "

To resolve internal hostnames using internal DNS servers for remotely connected endpoints, the following two components must be configured on FortiSASE:

Split DNS Rules:

Split DNS allows the configuration of specific DNS queries to be directed to internal DNS servers instead of public DNS servers.

This ensures that internal hostnames are resolved using the organization ' s internal DNS infrastructure, maintaining privacy and accuracy for internal network resources.

Split Tunneling Destinations:

Split tunneling allows specific traffic (such as DNS queries for internal domains) to be routed through the VPN tunnel while other traffic is sent directly to the internet.

By configuring split tunneling destinations, you can ensure that DNS queries for internal hostnames are directed through the VPN to the internal DNS servers.