NSE7_SSE_AD-25 Fortinet NSE 7 - FortiSASE 25 Enterprise Administrator Questions and Answers

In FortiSASE Secure Private Access (SPA) deployments, establishing a stable connection between the FortiSASE PoPs and the corporate FortiGate hub relies on two primary layers: the IPsec Tunnel and the BGP Peering.

Exhibit Analysis: The exhibit (image_577e17.jpg) shows the status of several Security PoPs (Singapore, Tokyo, Frankfurt, and San Jose) connected to an "FGT-Hub".

Tunnel Status vs. BGP Status: For all listed PoPs, the Health Check IP Status and Tunnel status are both shown with a green "Up" icon. This confirms that the underlying IPsec connectivity and the physical path between the SASE cloud and the hub are functioning correctly.

Identifying the Failure: The BGP Peering State is reported as Active. In BGP terminology, the "Active" state specifically indicates that the router is attempting to initiate a TCP connection with its peer but has not yet received a response. A fully functional and successful BGP connection must reach the Established state.

Root Cause Determination: Since the tunnel is up (eliminating Gateway or Authentication Method issues as the primary suspects) but the BGP state remains stuck in "Active," the most likely cause is a mismatch or misconfiguration in the BGP Peer IP or BGP neighbor settings. This prevents the exchange of routing information necessary for users to access private applications.

To resolve the connectivity problem, the administrator must ensure that the BGP neighbor IPs configured on the FortiGate hub match those assigned by the FortiSASE orchestration and that firewall policies on the hub allow BGP traffic (TCP port 179) across the tunnel.

The Network Lockdown feature in FortiSASE is a specialized security control designed to ensure that managed endpoints remain protected by the SASE security stack at all times.

Mechanism of Action: Network lockdown relies specifically on the connection status of the tunnel to FortiSASE. When this feature is enabled in the Endpoint Profile, the FortiClient agent monitors whether the secure VPN tunnel (SSL or IPsec) to a FortiSASE Point of Presence (PoP) is active.

Enforcement Logic: If the agent detects that the tunnel is disconnected, it immediately places the endpoint's network interface into a "locked" state. In this state, all inbound and outbound network traffic is blocked, with the exception of traffic required to re-establish the connection to the FortiSASE infrastructure.

Purpose: This prevents "leakage" where an endpoint might communicate directly with the internet without inspection if the VPN tunnel drops or is manually disabled by the user. It essentially mandates that the device is either connected to FortiSASE or has no network access at all.

Analysis of Incorrect Options:

Option A and B: While malware and vulnerabilities affect the security posture, they trigger different remediation actions (like quarantine or patching) rather than the "Network Lockdown" tunnel-state feature.

Option D: ZTNA tags identify the security posture to allow or deny access to specific applications, whereas Network Lockdown is a binary state (On/Off) affecting all network traffic based purely on tunnel connectivity.

In a FortiSASE environment, the ability of a remote user to establish a VPN tunnel is governed not only by their credentials and firewall policies but also by geographic access controls.

Geofencing Mechanism: FortiSASE includes a Geofencing feature (found under Configuration > Restrictions or Configuration > Geofencing in newer versions) that allows administrators to restrict or allow access to SASE services based on the geographic location of the endpoint's public IP address.

Connection Failure vs. SSO Success: The scenario describes a situation where users can successfully authenticate via SSO to reach third-party SaaS apps like Office 365 (O365) or Salesforce (SFDC) but cannot connect to the SASE VPN. This occurs because the SSO authentication is handled directly by the Identity Provider (IdP) (e.g., Microsoft Entra ID), which may not have the same geographic restrictions. However, when the FortiClient attempts to establish the tunnel to the FortiSASE Point of Presence (PoP), the SASE gateway checks the Geofencing list. If the country the user is visiting is on the Deny list (or not on the Allow list), the connection is dropped at the "local-in" policy level on the SASE backend, preventing the tunnel from forming.

Verification and Resolution: To resolve this, the administrator must verify the Geofencing settings and ensure that the countries where the traveling users are located are permitted to connect. If the feature is enabled with a "Deny" list, the specific country must be removed from that list; if it uses an "Allow" list, the country must be added.

Analysis of Other Options:

Option A: Firewall policies govern traffic after the tunnel is established; they cannot resolve a failure to connect the tunnel itself.

Option B: Restarting the device is a general troubleshooting step but will not bypass a server-side geographic block.

Option D: While keeping clients updated is a best practice, the issue described (specific to overseas travel while other functions work) points to a configuration restriction rather than a software bug.

FortiSASE Geofencing and Regional Compliance allow administrators to control where remote users connect based on their physical location, which is determined by the endpoint's public IP address.3

Default Connection Behavior: By default, FortiSASE uses a "best-effort" geolocation logic to ensure the lowest latency for the user. If an administrator has not configured a specific regional compliance rule for a user's country or region, FortiClient will automatically attempt to connect to the closest available FortiSASE security PoP (Point of Presence) based on proximity.4

Regional Compliance Rules: When an organization must enforce data residency or specific security routing requirements, they create Regional Compliance rules. According to the FortiSASE 25 Feature Administration Guide, these rules allow the administrator to override the default "closest PoP" behavior for specific countries.

Connectivity Options: Within a regional compliance rule, the administrator must specify the destination for the traffic. The system provides a choice between two distinct connection types: a FortiSASE Security PoP or an On-premises device (such as a FortiGate acting as a gateway).5 The documentation specifies that a rule is designed to point to one of these types at a time to satisfy the compliance requirement for that specific region.

Connection Priority: While multiple connections can be managed in a priority table, the logic for Regional Compliance is focused on directing the user to the designated compliant entry point. Option D is incorrect because the connection order is determined by the Priority and custom fail-over connections table; an administrator can manually adjust the sequence, so it is not "always" the security PoP first.

FortiSASE Secure Private Access (SPA) provides flexible connectivity to internal corporate resources using a hub-and-spoke architecture where FortiSASE PoPs act as spokes to an organization's FortiGate hub.

Flow from Agent-based users to Private Resources (C): This is the core functionality of SPA. Remote users running FortiClient (agent-based) connect to the nearest FortiSASE PoP. The PoP, integrated into the corporate SD-WAN fabric, uses IPsec and BGP to route traffic to the private applications located behind the FortiGate hub or associated spokes.

Flow from Thin Branches/Branch On-ramp to Private Resources (E): FortiSASE extends its security and connectivity to physical locations through "Thin Edge" (e.g., FortiExtender, FortiAP) or "Branch On-ramp" (e.g., branch FortiGates). These sites form tunnels to the FortiSASE PoP, which then provides them with access to the same private resources in the SD-WAN network as the remote agent-based users.

Flow from Private Resources to Agent-based users (A): The SPA architecture is designed for bidirectional communication. Documentation confirms that traffic can be initiated from the FortiGate hub (or local networks behind it) to the remote VPN agents. This "Server-to-Client" flow is essential for administrative tasks, log forwarding, or real-time communication applications like VoIP.

Incorrect Options:

Option B: Traffic from private resources to the internet is handled via Secure Internet Access (SIA) or local gateway policies, not the SPA use case, which is dedicated to internal private application access.

Option D: While FortiSASE can facilitate branch-to-branch communication via ADVPN shortcuts, the term "SPA" specifically refers to the access layer for users and is not used to describe resource-to-resource or hub-to-hub traffic.

When configuring FortiSASE Secure Private Access (SPA) with SD-WAN integration, establishing a routing adjacency between FortiSASE and the FortiGate SD-WAN hub requires the use of the Border Gateway Protocol (BGP).

BGP (Border Gateway Protocol):

BGP is widely used for establishing routing adjacencies between different networks, particularly in SD-WAN environments.

It provides scalability and flexibility in managing dynamic routing between FortiSASE and the FortiGate SD-WAN hub.

Routing Adjacency:

BGP enables the exchange of routing information between FortiSASE and the FortiGate SD-WAN hub.

This ensures optimal routing paths and efficient traffic management across the hybrid network.

Based on the settings shown in the provided exhibits, the vulnerability remediation workflow is determined by the Endpoint Profile and the Vulnerability Dashboard.

Endpoint Profile Evaluation: The top exhibit displays the Scan for Vulnerabilities settings. The toggle for Automatically patch vulnerabilities is explicitly set to Disabled. Consequently, the system will not perform automated remediation when a scan completes.

Manual Patching Requirement: The Vulnerability Dashboard (bottom exhibit) lists several application vulnerabilities with a Patching status of Manual patching required. In a FortiSASE environment, "Manual" indicates that the vulnerability cannot be handled by the client's autonomous update process and requires a direct instruction from the management plane.

Administrative Intervention: The dashboard includes a Patch endpoints action button. Since auto-patching is disabled in the profile, an administrator must manually select the vulnerabilities and click the "Patch endpoints" button to remotely trigger the patching sequence on the managed endpoints via the FortiSASE cloud service.

Workflow Logic: While FortiClient acts as the "conductor" on the local machine to facilitate the download and installation, the trigger for this specific scenario is the administrator's remote action within the portal. This differentiates it from Option D (which is disabled) and Option C (which would involve a user manually browsing a website outside the managed SASE workflow).

In a default FortiSASE deployment, endpoints are typically onboarded using a shared invitation code sent via email. While this code simplifies deployment, it can represent a security risk if the code is leaked or intercepted, as any device with the code could potentially register with the SASE management service.

User Verification (SAML SSO): To mitigate this risk, administrators can enable user verification as an additional layer of security.3 When this feature is enforced, entering the invitation code is no longer sufficient to complete registration.

Authentication Workflow: After the end user enters the invitation code in FortiClient, they are prompted to provide their corporate credentials via a SAML SSO login.5 FortiSASE acts as the Service Provider (SP), while an external identity provider (IdP) such as Microsoft Entra ID, Okta, or FortiAuthenticator verifies the user's identity.

Security Benefit: This ensures that only authenticated users—not just anyone with a valid code—can successfully register an endpoint and receive the organization's security and VPN profiles. It prevents unauthorized "shadow" endpoints from joining the managed environment.

Incorrect Options:

Option A: Security posture tags are used after registration to determine if an endpoint is compliant (e.g., checking if an antivirus is active); they do not secure the registration process itself.

Option C and D: Device identification and application inventory are monitoring and visibility features that occur once the endpoint is already managed.

Refer to the exhibit. Based on the configuration shown in image_595357.jpg, FortiSASE will process sessions requiring FortiSandbox inspection in the following two ways:

A. Only endpoints assigned a profile for sandbox detection will be processed by the sandbox feature.

C. All files executed on a USB drive will be sent to FortiSandbox for analysis.

Answer: A, C

The provided exhibit displays an Endpoint Profile configuration specifically for the Sandbox module. This profile controls how the FortiClient agent on remote endpoints interacts with the integrated FortiSASE cloud sandbox engine.

Profile Assignment (A): In the FortiSASE architecture, security and endpoint settings are organized into profiles that must be explicitly assigned to users or user groups via endpoint policies. Consequently, the sandbox detection and remediation features are active only on those endpoints that have been assigned this specific endpoint profile. If an endpoint is not assigned a profile with sandbox enabled, it will not submit files for analysis.

Removable Media Analysis (C): Under the File Submission Options, the toggle for All Files Executed from Removable Media is enabled (shown in blue). Since USB drives are the most common form of removable media, this configuration ensures that any file executed from a USB drive is intercepted by FortiClient and submitted to the FortiSASE sandbox for behavioral analysis before being allowed to run, protecting the endpoint from offline-delivered threats.

Understanding Verdict Levels (B): The exhibit shows the Action is set to Quarantine and the Sandbox Detection Verdict Level is set to Medium. This configuration functions as a threshold; FortiClient will quarantine any file that receives a verdict of Medium or higher (including High and Malicious). Option B is incorrect because it claims only medium-level files are quarantined, which ignores the high-risk and malicious files that would also be blocked.

Sandbox Mode (D): The Sandbox Mode is clearly set to FortiSASE, which utilizes the built-in cloud-native sandbox. This contradicts Option D, which suggests the use of an on-premises or standalone sandbox appliance.

The FortiSASE On/off-net detection feature is a two-part configuration designed to optimize bandwidth and user experience by determining when a device is in a trusted environment.

Rule Set Definition: The first part involves defining what constitutes an "on-net" or "on-fabric" status. In this scenario, the customer successfully configured a rule set named CERT-PUBLIC-IP using the Connects with a known public IP detection type. This tells FortiSASE that if the endpoint’s public WAN IP matches the corporate gateway, it is considered to be on the corporate network.

Profile Exemption Logic: Defining the rule set is not enough to stop the VPN connection. Within the Endpoint Profile (under the Connection tab > On/off-net Settings), there is a specific toggle labeled Exempt endpoint from FortiSASE auto-connect when endpoint is on-net (or in some versions, Bypass FortiSASE when endpoint is on-net).

Exhibit Analysis: Looking at the provided exhibit (image_57097d.jpg), the "Exempt endpoint from FortiSASE auto-connect..." toggle is clearly disabled (switched to the left).

Root Cause: Because this toggle is disabled, FortiClient identifies that it is "on-net" based on the IP rule, but it has no instruction to skip the VPN connection. Consequently, the "Automatically" initiate tunnel setting remains the dominant instruction, causing the VPN to connect regardless of the network location.

To resolve the issue, the administrator must enable the Exempt endpoint from FortiSASE auto-connect when endpoint is on-net option in the SASECert01 profile.

Integrating FortiManager with FortiSASE allows for central management of configuration objects like addresses and5 security 6profiles. For this integration to function correctly, the following key prerequisites must be met:

Same FortiCloud Account: A fundamental requirement for the integration is that both 10the FortiSASE instance and the FortiManager (whether physical, VM, or Cloud) must be registered under the same FortiCloud (FortiCare) account. This common identity allows the platforms to securely discover and authorize each other for synchronization.

Supported Firmware Version: The FortiManager must run a firmware version that is compatible with the FortiSASE release. According to the FortiSASE 25 Enterprise Administrator Study Guide, FortiManager version 7.4.4 or later is generally required to support the specific API connectors and object synchronization logic used by current FortiSASE environments. Using an unsupported version may result in synchronization failures or missing configuration features.

Management Logic: Once these prerequisites are met, the administrator can enable "Central Management" in the FortiSASE portal. This creates a one-way synchronization where FortiManager acts as the source of truth for objects like Security Profile Groups, ensuring consistent security posture across both the SASE cloud and on-premises FortiGates.

In a FortiSASE environment, log management is governed by a cloud-native storage policy that prioritizes performance and resource availability.

Retention Policy Framework: All FortiSASE instances come with log retention enabled by default. The standard log retention period is 30 days, though administrators can customize this policy to any duration between 2 and 30 days. This policy applies across all log types, including traffic, security, and event logs.

Automatic Deletion (A): When logs exceed the configured retention threshold, FortiSASE automatically deletes the older logs from the platform.2 This automatic purging is necessary to free up storage space on the cloud infrastructure and maintain compliance with the organization's data lifecycle settings.

Persistence and Recovery: Once logs are deleted due to the expiration of the retention period, they are generally unrecoverable from the FortiSASE platform.

Long-Term Storage Solutions: Because FortiSASE is not designed as a long-term archival solution, customers who need to store logs for months or years for regulatory compliance should configure log forwarding to an external server, such as a FortiAnalyzer or a remote Syslog server.

Analysis of Incorrect Options: * Option B and D: While traditional FortiAnalyzer deployments use SQL indexing and separate "Archive" (raw/compressed) vs. "Analytics" (SQL) tiers, FortiSASE uses a simplified cloud storage model where data is purged rather than archived or tier-shifted upon expiry.

Option C: While FortiSASE is part of the FortiCloud ecosystem, it does not automatically "back up" expired logs to another FortiCloud service; the deletion is final unless external forwarding is active.

Integrating Fortinet SOCaaS (Security Operations Center as a Service) with FortiSASE provides a managed extension of your security team, combining automated AI/ML-driven triage with human expertise to secure remote and on-premises users.

Consistent Security Monitoring and Dashboards (C): Fortinet SOCaaS ensures that your security posture remains robust through seamless integration. This is achieved by configuring FortiSASE to forward pertinent security logs to the SOCaaS cloud, ensuring that analysts have the necessary data to detect anomalies across your network. The service provides verified threat notifications with detailed response guidance and mitigation recommendations. Furthermore, a built-in portal offers intuitive dashboards to track threats and manage escalated alerts.

24x7x365 Expert-Led Monitoring (D): This feature addresses the cybersecurity skills gap by providing around-the-clock vigilance. A global team of Fortinet Security Analysts works 24x7x365 to monitor logs and investigate events. The platform leverages AI and Machine Learning for automated alert triage, while human experts perform in-depth analysis to eliminate false positives and validate threats.

Operational Efficiency: By offloading tedious manual work and triage to Fortinet experts, your internal security team can reduce burnout and focus on higher-value tasks while maintaining a superior security posture for both SASE and on-premises environments.

The core of the issue shown in the exhibits is the lack of visibility into encrypted traffic.

HTTPS Encryption: The eicar.org website uses the HTTPS protocol for its downloads. This means the data payload, including the test malware file, is encrypted as it traverses the network.

SSL Inspection Modes: As seen in the Security profile group exhibit (image_5705fc.jpg), the SSL inspection mode is explicitly set to Certificate inspection mode.

Visibility Gap: Certificate inspection only analyzes the initial SSL handshake, such as the server certificate and SNI (Server Name Indication). It does not decrypt the traffic payload. Consequently, the antivirus engine in FortiSASE cannot "see" or scan the eicar.com-zip file hidden within the encrypted session.

Resolution Requirement: To detect and block malicious files over HTTPS, SSL Deep Inspection must be enabled. Deep inspection allows FortiSASE to act as a proxy, decrypting the traffic for full content scanning by the antivirus and IPS engines before re-encrypting it for the endpoint.

Log Analysis: While the web filtering logs (image_5704e5.jpg) show the traffic is "Allowed" because the URL is not blocked by a web filter category, this is only the first step of inspection. The antivirus engine is present but ineffective because it is blind to the encrypted content due to the lack of deep inspection.

To enable remote users to access internal applications located behind an existing FortiGate SD-WAN hub, the customer must license the FortiSASE Secure Private Access (SPA) add-on.

Secure Private Access (SPA) Use Case: This specific add-on is designed to extend the Fortinet Security Fabric into the SASE cloud, allowing for a hub-and-spoke architecture where the FortiSASE PoPs act as spokes and the customer's on-premises FortiGate acts as the hub.

Licensing Requirements: The SPA add-on is a per-hub (per service connection) license. It provides the necessary entitlements to establish IPsec tunnels and BGP peering between the SASE infrastructure and the corporate FortiGate.

Feature Enablement: Once the SPA license is applied, the Configuration > Private Access menu becomes available in the FortiSASE portal. This allows administrators to define "Service Connections" to their private data centers or cloud VPCs.

Analysis of Other Options:

Option A: The Global add-on is typically related to expanding the geographic reach or performance of the SASE PoPs, not specifically for private resource routing.

Option B: The Branch On-Ramp refers to connecting physical office locations (Thin Edge) to SASE, rather than the specific licensing for private application access for remote users.

Option D: Dedicated Public IP Address is used for source IP anchoring (SIA) to ensure remote users egress with a consistent IP for third-party SaaS IP-whitelisting.

FortiSASE utilizes Security Assertion Markup Language (SAML) to provide a seamless Single Sign-On (SSO) experience for remote users connecting to the cloud infrastructure.

Role Identification: In a SAML exchange, FortiSASE functions as the Service Provider (SP). It relies on an external Identity Provider (IdP)—such as Microsoft Entra ID (formerly Azure AD), Okta, or FortiAuthenticator—to authenticate the user's identity and provide security assertions.2

SAML Group Matching: One of the core features of the FortiSASE SAML implementation is the ability to perform group matching. During the authentication process, the IdP sends a SAML assertion that typically includes an "Attribute Statement" containing the user's group memberships.3 FortiSASE captures this attribute and matches it against locally defined SAML user groups.

Policy Enforcement: This group matching capability is critical because it allows administrators to apply different Security Internet Access (SIA) or Secure Private Access (SPA) policies based on the user's role (e.g., "Marketing" vs. "Finance") rather than managing individual users manually.

Analysis of Incorrect Options: * Options C and D are incorrect because FortiSASE does not natively act as a SAML IdP; it is designed to consume assertions from professional identity management platforms.

Option B is incorrect because FortiSASE fully supports and relies upon group matching for enterprise-scale policy management.

To meet the requirement of inspecting all endpoint internet traffic on FortiSASE while excluding Google Maps traffic from the FortiSASE VPN tunnel and redirecting it to the endpoint's physical interface, you should configure split tunneling. Split tunneling allows specific traffic to bypass the VPN tunnel and be routed directly through the endpoint's local interface.

Split Tunneling Configuration:

Split tunneling enables selective traffic to be routed outside the VPN tunnel.

By configuring the Google Maps Fully Qualified Domain Name (FQDN) as a split tunneling destination, you ensure that traffic to Google Maps bypasses the VPN tunnel and uses the endpoint's local interface instead.

Implementation Steps:

Access the FortiSASE endpoint profile configuration.

Add the Google Maps FQDN to the split tunneling destinations list.

This configuration directs traffic intended for Google Maps to bypass the VPN tunnel and be routed directly through the endpoint's physical network interface.

In a standard FortiSASE agent-based deployment, the FortiSASE Endpoint Management Service (EMS) acts as the central control plane for all managed FortiClient instances. When an endpoint is onboarded, the system is designed to provide "zero-touch" configuration for the core connectivity and security components.

CA Certificate (A): For SSL deep inspection to function without triggering browser certificate warnings, the endpoint must trust the FortiSASE CA. FortiSASE supports automatically installing the FortiSASE CA certificate for managed agent-based users. Once the endpoint connects to the FortiSASE EMS, the service automatically deploys the CA certificate to the trusted certificate store of the client machine.

Tunnel Profile (B): To enable Secure Internet Access (SIA), FortiClient requires a pre-configured VPN or tunnel profile that points to the FortiSASE cloud infrastructure. In a new deployment with default settings, FortiSASE automatically pushes the tunnel profile (including gateway information and auto-connect settings) to the FortiClient endpoint. This allows the user to establish a full-tunnel connection to the nearest Security PoP immediately after onboarding.

Analysis of Incorrect Options:

Real-time protection (C): While FortiSASE can manage Malware Protection and Sandbox settings, specific "Real-time protection" features often require manual activation or specific configuration within the Malware Protection profile before being pushed; they are not necessarily "automatically" active in the absolute default state without a profile assignment.

ZTNA tags (D): ZTNA tags are dynamic security posture attributes. While FortiSASE evaluates the endpoint to determine which tags apply, the tags themselves are not "pushed" to the client as a setting; rather, the ZTNA connection rules are pushed, and the tags are synchronized back to the security fabric for posture enforcement.

In a FortiSASE deployment, the Secure Private Access (SPA) use case is specifically designed to provide remote users with secure, high-performance connectivity to internal corporate applications hosted in private data centers or public clouds.5 This is achieved through two primary architectural methods:

SD-WAN Integration (A): FortiSASE integrates natively with existing Fortinet Secure SD-WAN networks.6 In this architecture, the FortiSASE global PoPs act as spokes that establish automated IPsec tunnels to the organization’s FortiGate SD-WAN hubs. This allows the platform to use intelligent application steering and dynamic routing to find the shortest, most efficient path to private resources, ensuring a superior user experience.

Zero Trust Network Access (ZTNA) (B): FortiSASE provides Universal ZTNA to enforce granular, per-session access control.7 Unlike traditional VPNs that grant broad network access, ZTNA verifies the user's identity and the endpoint's security posture (via ZTNA tags) before every application session. This ensures that users only have access to the specific corporate applications they are authorized to use, significantly reducing the attack surface.

Analysis of Other Options: * Thin Edge (C) is a connectivity method used to secure branch offices and micro-branches (typically using FortiExtender), rather than a specific feature for facilitating private corporate application access for individual remote users.

CASB (D) is used for Secure SaaS Access (SSA) to provide visibility and control over third-party cloud applications like Office 365, rather than private applications hosted on-premises.

To block all video and audio application traffic while granting access to videos from CNN, you need to configure an application override action in the Application Control with Inline-CASB. Here is the step-by-step detailed explanation:

Application Control Configuration:

Application Control is used to identify and manage application traffic based on predefined or custom application signatures.

Inline-CASB (Cloud Access Security Broker) extends these capabilities by allowing more granular control over cloud applications.

Blocking Video and Audio Applications:

To block all video and audio application traffic, you can create a policy within Application Control to deny all categories related to video and audio streaming.

Granting Access to Specific Videos (CNN):

To allow access to videos from CNN specifically, you must create an override rule within the same Application Control profile.

The override action "Exempt" ensures that traffic to specified URLs (such as those from CNN) is not subjected to the blocking rules set for other video and audio traffic.

Configuration Steps:

Navigate to the Application Control profile in the FortiSASE interface.

Set the application categories related to video and audio streaming to "Block."

Add a new override entry for CNN video traffic and set the action to "Exempt."

In a FortiSASE deployment, Digital Experience Monitoring (DEM) is the primary diagnostic tool used to troubleshoot connectivity and performance issues specifically for a single user or endpoint.

End-to-End Visibility: DEM provides real-time, end-to-end visibility into the network path between the end-user's device and the application they are trying to reach. This is critical when only one user reports an issue, as it allows administrators to pinpoint whether the problem resides on the local device, the local ISP, the SASE backbone, or the destination application.

Performance Metrics: The DEM agent (often integrated with the FortiMonitor agent on the endpoint) collects granular performance metrics such as latency, jitter, packet loss, and RTT (Round Trip Time). It also provides device-specific health data, including CPU and memory usage, to determine if the connectivity issue is actually caused by the remote computer's performance.

Hop-by-Hop Analysis: Unlike standard monitoring, DEM offers End-to-End Continuous Hop Analytics. This path monitoring visualizes every "hop" in the traffic route and highlights exactly where degraded service is occurring. For a single user experiencing issues while everyone else is fine, this tool immediately triangulates if a specific "problem hop" in their unique connection path is the cause.

Operational Comparison: * MDM (A) is used for managing device configurations and software distribution, not for real-time network performance troubleshooting.

Forensics (C) is a security-focused service used for investigating malware incidents or data breaches, not for measuring network latency.

SOCaaS (D) is a managed security service for threat monitoring and event triage; while it handles "security" connectivity issues (like a blocked IP), it is not a tool for performance metric evaluation.

FortiSASE hides user information when viewing and analyzing logs by hashing data using salt. This approach ensures that sensitive user information is obfuscated, enhancing privacy and security.

Hashing Data with Salt:

Hashing data involves converting it into a fixed-size string of characters, which is typically a hash value.

Salting adds random data to the input of the hash function, ensuring that even identical inputs produce different hash values.

This method provides enhanced security by making it more difficult to reverse-engineer the original data from the hash value.

Security and Privacy:

Using salted hashes ensures that user information remains secure and private when stored or analyzed in logs.

This technique is widely used in security systems to protect sensitive data from unauthorized access.