https://community.fortinet.com/t5/FortiSASE/Technical-Tip-Force-Certificate-Inspection-option-inFortiSASE/ta-p/302617

:

:

To meet the requirements of implementing device posture checks for remote endpoints and ensuring

that TCP traffic between the endpoints and protected servers is processed by FortiGate, the following

three setups are necessary:

Configure ZTNA tags on FortiGate (Option A):

ZTNA (Zero Trust Network Access) tags are used to define access control policies based on the

security posture of devices. By configuring ZTNA tags on FortiGate, administrators can enforce

granular access controls, ensuring that only compliant devices can access protected resources.

Configure FortiGate as a zero trust network access (ZTNA) access proxy (Option B):

FortiGate can act as a ZTNA access proxy, which allows it to mediate and secure connections

between remote endpoints and protected servers. This setup ensures that all TCP traffic passes

through FortiGate, enabling inspection and enforcement of security policies.

Configure ZTNA servers and ZTNA policies on FortiGate (Option C):

To enable ZTNA functionality, administrators must define ZTNA servers (the protected resources) and

create ZTNA policies on FortiGate. These policies determine how traffic is routed, inspected, and

controlled based on device posture and user identity.

Here’s why the other options are incorrect:

D . Configure private access policies on FortiSASE with ZTNA: While FortiSASE supports ZTNA, the

requirement specifies that TCP traffic must be processed by FortiGate. Configuring private access

policies on FortiSASE would route traffic through FortiSASE instead of FortiGate, which does not meet

the stated requirements.

E . Sync ZTNA tags from FortiSASE to FortiGate: Synchronizing ZTNA tags is unnecessary in this

scenario because the focus is on FortiGate processing the traffic. The tags can be directly configured

on FortiGate without involving FortiSASE.

Reference:

Fortinet FCSS FortiSASE Documentation - Zero Trust Network Access (ZTNA) Deployment

FortiGate Administration Guide - ZTNA Configuration

================

:

Zero Trust Network Access (ZTNA) is the FortiSASE feature that ensures least-privileged user access

to all applications. ZTNA operates on the principle of "never trust, always verify," providing secure

access based on the identity of users and devices, regardless of their location.

Zero Trust Network Access (ZTNA):

ZTNA ensures that only authenticated and authorized users and devices can access applications.

It applies the principle of least privilege by granting access only to the resources required by the user,

minimizing the potential for unauthorized access.

Implementation:

ZTNA continuously verifies user and device trustworthiness and enforces granular access control

policies.

This approach enhances security by reducing the attack surface and limiting lateral movement within

the network.

Reference:

FortiOS 7.2 Administration Guide: Provides detailed information on ZTNA and its role in ensuring

least-privileged access.

FortiSASE 23.2 Documentation: Explains the implementation and benefits of ZTNA within the

FortiSASE environment.

:

:

To block user attempts to log in to non-company resources while using Microsoft Office 365, the Web

Filter with Inline-CASB feature in FortiSASE is the most appropriate solution. Inline-CASB (Cloud

Access Security Broker) provides real-time visibility and control over cloud application usage. When

combined with Web Filtering, it can enforce policies to restrict access to unauthorized or non-

company resources within sanctioned applications like Microsoft Office 365. This ensures that users

cannot access unapproved cloud resources while still allowing legitimate use of Office 365.

Here’s why the other options are incorrect:

B . SSL deep inspection: While SSL deep inspection is useful for decrypting and inspecting encrypted

traffic, it does not specifically address the need to block access to non-company resources within

Office 365. It focuses on securing traffic rather than enforcing application-specific policies.

C . Data loss prevention (DLP): DLP is designed to prevent sensitive data from being leaked or

exfiltrated. While it is a valuable security feature, it does not directly block access to non-company

resources within Office 365.

D . Application Control with Inline-CASB: Application Control focuses on managing access to specific

applications rather than enforcing granular policies within an application like Office 365. Web Filter

with Inline-CASB is better suited for this use case.

Reference:

Fortinet FCSS FortiSASE Documentation - Inline-CASB and Web Filtering

FortiSASE Administration Guide - Securing Cloud Applications

================

: