FortiSASE Secure Private Access (SPA) provides flexible connectivity to internal corporate resources using a hub-and-spoke architecture where FortiSASE PoPs act as spokes to an organization's FortiGate hub.

Flow from Agent-based users to Private Resources (C): This is the core functionality of SPA. Remote users running FortiClient (agent-based) connect to the nearest FortiSASE PoP. The PoP, integrated into the corporate SD-WAN fabric, uses IPsec and BGP to route traffic to the private applications located behind the FortiGate hub or associated spokes.

Flow from Thin Branches/Branch On-ramp to Private Resources (E): FortiSASE extends its security and connectivity to physical locations through "Thin Edge" (e.g., FortiExtender, FortiAP) or "Branch On-ramp" (e.g., branch FortiGates). These sites form tunnels to the FortiSASE PoP, which then provides them with access to the same private resources in the SD-WAN network as the remote agent-based users.

Flow from Private Resources to Agent-based users (A): The SPA architecture is designed for bidirectional communication. Documentation confirms that traffic can be initiated from the FortiGate hub (or local networks behind it) to the remote VPN agents. This "Server-to-Client" flow is essential for administrative tasks, log forwarding, or real-time communication applications like VoIP.

Incorrect Options:

Option B: Traffic from private resources to the internet is handled via Secure Internet Access (SIA) or local gateway policies, not the SPA use case, which is dedicated to internal private application access.

Option D: While FortiSASE can facilitate branch-to-branch communication via ADVPN shortcuts, the term "SPA" specifically refers to the access layer for users and is not used to describe resource-to-resource or hub-to-hub traffic.

In the FortiSASE architecture, there are two primary methods for delivering Secure Internet Access (SIA): Agent-based (using FortiClient) and Agentless (using Secure Web Gateway/SWG).

Use Case Analysis: The scenario describes a contractor—an unmanaged user—who requires temporary access for a web-based application (the POS system). For contractors or guests using personal/non-corporate devices where installing the FortiClient agent is either not feasible or not desired, FortiSASE provides the SIA Agentless deployment model.

Mechanism (SWG & PAC): In this mode, FortiSASE functions as an explicit web proxy. To steer the contractor's web traffic (HTTP/HTTPS) to the SASE cloud for inspection, the administrator provides the user with a proxy auto-configuration (PAC) file. The contractor simply configures their browser or operating system to point to the URL of this PAC file.

Security Enforcement: Once the PAC file is applied, all web traffic from the contractor's device is redirected to the FortiSASE SWG PoP. Here, the traffic is subject to the organization’s full security stack, including SSL deep inspection, Antivirus, Web Filtering, and Application Control, ensuring that even temporary contractor access is fully secured and logged.

Why other options are incorrect:

Option B (Tunnel Policy): This refers to agent-based access where a VPN tunnel is established. This requires FortiClient, which is generally not used for temporary contractors on unmanaged devices.

Option C (ZTNA Unmanaged): While ZTNA supports agentless access to private applications (SPA), providing internet access (SIA) to an unmanaged endpoint is specifically the role of the SWG/Proxy service.

Option D (Self-registration): While FortiSASE has a User Portal for onboarding, it is a method for user registration/credential management, not the technical traffic-steering mechanism used to provide internet connectivity.

According to the FortiSASE 25 Secure Internet Access Architecture Guide, the SWG (Agentless) approach is the recommended best practice for securing web-only traffic from unmanaged endpoints and third-party contractors.

The exhibit indicates that the URL https://www.bbc.com/ is being blocked due to containing a banned word ("fight"). To allow access to this specific URL, you need to adjust the URL filter settings on FortiSASE.

URL Filtering:

URL filtering allows administrators to define policies that block or allow access to specific URLs or URL patterns.

In this case, the URL filter is set to block any URL containing the word "fight."

Modifying URL Filter:

Navigate to the Web Filter configuration in FortiSASE.

Locate the URL filter settings.

Add an exception for the URL https://www.bbc.com/ to allow access, even if it contains a banned word.

Alternatively, remove or adjust the banned word list to exclude the word "fight" if it's not critical to the security policy.

The reason for the ping failures is due to the quick mode selectors restricting the subnet. Quick mode selectors define the IP ranges and protocols that are allowed through the VPN tunnel, and if they are not configured correctly, traffic to certain subnets can be blocked.

Quick Mode Selectors:

Quick mode selectors specify the source and destination subnets that are allowed to communicate through the VPN tunnel.

If the selectors do not include the subnet of the webserver (192.168.10.0/24), then the traffic will be restricted, and the ping will fail.

Diagnostic Output:

The diagnostic output shows the VPN configuration details, but it is important to check the quick mode selectors to ensure that the necessary subnets are included.

If the quick mode selectors are too restrictive, they will prevent traffic to and from the specified subnets.

Configuration Check:

Verify the quick mode selectors on both the FortiSASE and FortiGate hub to ensure they match and include the subnet of the webserver.

Adjust the selectors to allow the necessary subnets for successful communication.

According to the NSE7 SASE Enterprise Guide (Pages 64 & 153), FortiSASE utilizes an intelligent engine to manage connectivity to private resources through various selection methods:

Hub Health and Priority: FortiSASE incorporates a built-in SD-WAN engine for intelligent routing selection among established IPsec links. The health check IP address periodically receives performance metrics, including jitter, latency, and packet loss, for each service connection. In this mode, FortiSASE evaluates the available hubs and selects the one with the highest priority (the most preferred value) within each POP, provided that the hub meets the defined service-level agreement (SLA) requirements. For this configuration to function correctly, both FortiSASE and the SPA hub must use the same Autonomous System Number (ASN).

BGP Multiple Exit Discriminator (MED): This method leverages the standard BGP MED attribute, which allows an autonomous system to signal its preferred entry point to a peer. FortiSASE learns the MED values advertised by the configured hubs. The architecture is designed so that the lower the MED value, the more preferred the path is to the receiving router. Consistent with the "Zero Trust" and "Secure Access" principles, even when using BGP MED, the selection is gated by the health engine; therefore, the hub is only selected if it also satisfies the configured SLA thresholds.

While SLA thresholds can be configured, the primary logic for hub selection focuses on how priority and dynamic routing attributes (like MED) interact with the real-time health of the tunnel.

In the Fortinet SASE architecture, Zero Trust Network Access (ZTNA) tags (which have been renamed to Security Posture Tags starting with FortiClient/EMS 7.4.0) play a critical role in continuous posture assessment. These tags are dynamic metadata assign8ed to an endpoint based on specific conditions or "tagging rules" defined in the FortiSASE Endpoint Management Service (EMS).

Posture Determination: The FortiClient agent, installed on the endpoint, monitors the device for various security attributes—such as whether an antivirus is running, the presence of specific registry keys, OS version, or the absence of critical vulnerabilities.

SIA (Secure Internet Access) Use Case: In SIA scenarios, FortiSASE uses these tags within security policies to control internet access. For example, a policy may allow full internet access only to endpoints tagged as "Compliant" while redirecting "Non-Compliant" devices to a restricted remediation portal.

SPA (Secure Private Access) Use Case: In SPA (specifically ZTNA Proxy mode), the tags are synchronized from FortiSASE to the corporate FortiGate (acting as the ZTNA Access Proxy).12 When a user attempts to access a private application, the FortiGate checks the endpoint's client certificate and its synchronized ZTNA tags.13 If the endpoint does not meet the required posture (e.g., it is missing a required "Domain-Joined" tag), access is denied at the session level.

According to the FortiSASE 25 Enterprise Administrator Study Guide, ZTNA tags are fundamental to the "Zero Trust" principle because they move beyond static identity (username/password) to verify the real-time security state of the device before granting access to either the internet or internal private resources.

In a FortiSASE environment, the Unified FortiClient agent is the critical component that fulfills the requirement for "always-on" connectivity and security for remote users.

Persistent Encrypted Tunnels: The Unified FortiClient maintains a persistent, always-on connection to the FortiSASE infrastructure.4 This is typically achieved through an auto-connect VPN tunnel (SSL or IPsec) that initiates as soon as the user logs into their device and has internet access.

Continuous Security Enforcement: By staying connected to a nearby FortiSASE Point of Presence (PoP), the endpoint ensures that all traffic is inspected. This allows the organization to enforce a consistent security posture—including Web Filtering, Antivirus, and Application Control—regardless of whether the user is at home, in a coffee shop, or traveling.

Zero-Trust Integration: Beyond simple connectivity, the unified agent supports Universal ZTNA. It continuously verifies the identity of the user and the security posture of the device before granting access to specific applications, thereby satisfying modern zero-trust security mandates.

Comparison of Other Components:

SD-WAN on-ramp (B): Used primarily to integrate existing branch office SD-WAN networks with the SASE cloud for private application access.

Secure Web Gateway (C): While a feature of the SASE PoP, the agentless SWG deployment (using PAC files) does not provide the same level of "always-on" persistent tunnel protection as the FortiClient agent.

Thin-branch SASE extension (D): Focused on securing small branch locations (using FortiAP or FortiExtender) where individual client agents may not be deployed on every device.