The provided exhibit (image_57e69d.jpg) displays the Software Installations dashboard within the FortiSASE portal. This dashboard is a key component of the endpoint visibility and management features provided by the integrated FortiClient EMS functionality.

Visible Metadata: The output provides a granular list of all software detected on managed endpoints, including the application Name , the Vendor (e.g., Igor Pavlov, Microsoft Corporation, Adobe), the specific Version currently installed, and critical timestamps such as First Detected and Last Installed .

Administrative Utility: This information allows an administrator to audit the software environment effectively. By reviewing these details, they can identify unwanted software (PUA), shadow IT, or outdated software versions that may possess known vulnerabilities.

Actions Available: While the primary view is informational, the presence of the View Endpoints button (visible in the top-left) allows administrators to pivot from a specific application to a list of all individual devices where that software is present, facilitating targeted remediation.

Analysis of Incorrect Options:

Option A: While FortiSASE manages profiles and tags, this specific " Software Installations " view is focused purely on software inventory.

Option B: Although the " First Detected " date is visible, FortiSASE does not support " automatic patching " of third-party software directly from this inventory screen.

Option C: The dashboard shows what is installed, not the " latest available " version in the market, nor does it provide a mechanism to " push updates " to these third-party applications.

FortiSASE Geofencing and Regional Compliance allow administrators to control where remote users connect based on their physical location, which is determined by the endpoint ' s public IP address. 3

Default Connection Behavior: By default, FortiSASE uses a " best-effort " geolocation logic to ensure the lowest latency for the user. If an administrator has not configured a specific regional compliance rule for a user ' s country or region, FortiClient will automatically attempt to connect to the closest available FortiSASE security PoP (Point of Presence) based on proximity. 4

Regional Compliance Rules: When an organization must enforce data residency or specific security routing requirements, they create Regional Compliance rules. According to the FortiSASE 25 Feature Administration Guide , these rules allow the administrator to override the default " closest PoP " behavior for specific countries.

Connectivity Options: Within a regional compliance rule, the administrator must specify the destination for the traffic. The system provides a choice between two distinct connection types: a FortiSASE Security PoP or an On-premises device (such as a FortiGate acting as a gateway). 5 The documentation specifies that a rule is designed to point to one of these types at a time to satisfy the compliance requirement for that specific region.

Connection Priority: While multiple connections can be managed in a priority table, the logic for Regional Compliance is focused on directing the user to the designated compliant entry point. Option D is incorrect because the connection order is determined by the Priority and custom fail-over connections table ; an administrator can manually adjust the sequence, so it is not " always " the security PoP first.

When configuring FortiSASE Secure Private Access (SPA) with SD-WAN integration, establishing a routing adjacency between FortiSASE and the FortiGate SD-WAN hub requires the use of the Border Gateway Protocol (BGP).

BGP (Border Gateway Protocol):

BGP is widely used for establishing routing adjacencies between different networks, particularly in SD-WAN environments.

It provides scalability and flexibility in managing dynamic routing between FortiSASE and the FortiGate SD-WAN hub.

Routing Adjacency:

BGP enables the exchange of routing information between FortiSASE and the FortiGate SD-WAN hub.

This ensures optimal routing paths and efficient traffic management across the hybrid network.

The core of the issue shown in the exhibits is the lack of visibility into encrypted traffic.

HTTPS Encryption: The eicar.org website uses the HTTPS protocol for its downloads. This means the data payload, including the test malware file, is encrypted as it traverses the network.

SSL Inspection Modes: As seen in the Security profile group exhibit (image_5705fc.jpg), the SSL inspection mode is explicitly set to Certificate inspection mode .

Visibility Gap: Certificate inspection only analyzes the initial SSL handshake, such as the server certificate and SNI (Server Name Indication). It does not decrypt the traffic payload. Consequently, the antivirus engine in FortiSASE cannot " see " or scan the eicar.com-zip file hidden within the encrypted session.

Resolution Requirement: To detect and block malicious files over HTTPS, SSL Deep Inspection must be enabled. Deep inspection allows FortiSASE to act as a proxy, decrypting the traffic for full content scanning by the antivirus and IPS engines before re-encrypting it for the endpoint.

Log Analysis: While the web filtering logs (image_5704e5.jpg) show the traffic is " Allowed " because the URL is not blocked by a web filter category, this is only the first step of inspection. The antivirus engine is present but ineffective because it is blind to the encrypted content due to the lack of deep inspection.

Comprehensive and Detailed Explanation From FortiSASE 24.x/25.x, FortiOS 7.4, FortiAuthenticator 6.5, FortiClient 7.0 and later Exact Extract study guide:

In FortiSASE environments, Single Sign-On (SSO) is prioritized as the primary enterprise authentication mechanism. According to the FortiSASE Configuration Guide and Security Operations documentation, when you configure SAML SSO (Single Sign-On), it serves as a global authentication setting that overrides any previously configured local or remote (RADIUS/LDAP) user authentication methods for the secure web gateway (SWG) and VPN tunnels.

The architectural logic is designed to ensure a seamless " Zero Trust " identity provider (IdP) experience. Once SSO is enabled and configured (typically using Azure AD, Okta, or FortiAuthenticator as the IdP), FortiSASE redirects authentication requests to the defined IdP. This effectively supersedes manual local user databases or legacy RADIUS configurations to maintain a single source of truth for identity management. While MFA is often a component of the authentication process, it is a secondary factor, whereas SSO is the foundational method that dictates the authentication flow and overrides prior settings.

If the daily summary report generated by FortiSASE contains very little data, one possible explanation is that the " Log allowed traffic " setting is configured to log only " Security Events " for all policies. This configuration limits the amount of data logged, as it only includes security events and excludes normal allowed traffic.

Log Allowed Traffic Setting:

The " Log allowed traffic " setting determines which types of traffic are logged.

When set to " Security Events, " only traffic that triggers a security event (such as a threat detection or policy violation) is logged.

Impact on Report Data:

If the log setting excludes regular allowed traffic, the amount of data captured and reported is significantly reduced.

This results in reports with minimal data, as only security-related events are included.

According to the NSE7 SASE Enterprise Guide (Pages 46 & 61) , deploying Secure Private Access (SPA) with SD-WAN provides advanced security and networking capabilities by routing traffic through global Points of Presence (PoPs).

Inline Security Inspection (D): A major advantage of this approach is that traffic is routed through FortiSASE PoPs before it reaches private applications. This enables inline security inspection , providing robust protection against threats by applying the full SASE security stack—including antivirus, intrusion prevention, and deep packet inspection—to private access traffic.

Support for TCP and UDP (B): Organizations with existing FortiGate SD-WAN deployments benefit from broader and seamless access to privately hosted applications. The SD-WAN SPA use case explicitly supports both TCP- and UDP-based applications , ensuring that legacy or specialized services that rely on UDP function correctly over the secure tunnel.

SD-WAN Optimization: This method leverages the benefits of SD-WAN to optimize traffic flow between the SASE PoP and the corporate SD-WAN hub or data center FortiGate. It is particularly useful for mission-critical applications that require an extra layer of security combined with path optimization.

Architecture: In this configuration, the FortiSASE Security PoPs act as spokes in the organization’s SD-WAN network, relying on IPsec VPN overlays and BGP for secure dynamic routing.

While ZTNA posture checks are a feature of the broader ecosystem, the NSE7 Guide specifically highlights inline inspection and application support (TCP/UDP) as primary advantages of the SD-WAN integrated SPA approach.

FortiSASE hides user information when viewing and analyzing logs by hashing data using salt. This approach ensures that sensitive user information is obfuscated, enhancing privacy and security.

Hashing Data with Salt:

Hashing data involves converting it into a fixed-size string of characters, which is typically a hash value.

Salting adds random data to the input of the hash function, ensuring that even identical inputs produce different hash values.

This method provides enhanced security by making it more difficult to reverse-engineer the original data from the hash value.

Security and Privacy:

Using salted hashes ensures that user information remains secure and private when stored or analyzed in logs.

This technique is widely used in security systems to protect sensitive data from unauthorized access.

In the context of Zero Trust Network Access (ZTNA) , security posture tagging is the fundamental mechanism used to enforce compliance and security standards before granting access to protected resources.

Granular Access Control: The primary purpose of tagging is to provide granular access control . 3 Instead of relying solely on static credentials, ZTNA uses these dynamic tags to determine if a device or user meets specific security requirements at the moment of the connection request.

Compliance-Based Enforcement: Tags are assigned based on the compliance status of the endpoint. For example, the FortiSASE Endpoint Management Service (EMS) can verify if a device has an active antivirus, is running a specific OS version, or is joined to the corporate domain. 5 If the device fails any of these checks, the " Compliant " tag is removed, and access is automatically revoked.

Dynamic and Continuous Assessment: Unlike traditional VPNs that check posture only at login, ZTNA posture tagging allows for continuous assessment . If a device ' s security posture changes—for instance, if the user disables their firewall—the tag is updated in real-time across the Security Fabric, and the ZTNA policy will immediately deny further access. 8

Integration with Policies: On the FortiGate (acting as a ZTNA proxy) or within FortiSASE, these tags are used as source criteria in ZTNA policies . 9 Only traffic originating from endpoints with the required tags (e.g., " EMS-Tag: Corporate-Managed " ) is permitted to reach the protected application.

Zero-trust tags are critical in implementing zero-trust network access (ZTNA) policies. Here are the two key advantages of using zero-trust tags:

Access Control (Allow or Deny):

Zero-trust tags can be used to define policies that either allow or deny access to specific network resources based on the tag associated with the user or device.

This granular control ensures that only authorized users or devices with the appropriate tags can access sensitive resources, thereby enhancing security.

Determining Security Posture:

Zero-trust tags can be utilized to assess and determine the security posture of an endpoint.

Based on the assigned tags, FortiSASE can evaluate the device ' s compliance with security policies, such as antivirus status, patch levels, and configuration settings.

Devices that do not meet the required security posture can be restricted from accessing the network or given limited access.