FortiSASE 23 Administrator Study Guide PDF
Uploaded by MightySyntax726
Summary
This document is a study guide for the FortiSASE 23 Administrator certification. It provides an overview of SASE architecture, components, and the Fortinet SASE solution. It covers topics such as traditional VPN architecture, work-from-anywhere challenges, SASE components, and cloud-hosted security solutions.
Full Transcript
DO NOT REPRINT © FORTINET

FortiSASE Administrator Study Guide, FortiSASE 23

Fortinet Training Institute - Library: https://training.fortinet.com
Fortinet Product Documentation: https://docs.fortinet.com
Fortinet Knowledge Base: https://kb.fortinet.com
Fortinet Fuse User Community: https://fusecommunity.fortinet.com/home
Fortinet Forums: https://forum.fortinet.com
Fortinet Product Support: https://support.fortinet.com
FortiGuard Labs: https://www.fortiguard.com
Fortinet Training Program Information: https://www.fortinet.com/nse-training
Fortinet | Pearson VUE: https://home.pearsonvue.com/fortinet
Fortinet Training Institute Helpdesk (training questions, comments, feedback): https://helpdesk.training.fortinet.com/support/home

11/30/2023

TABLE OF CONTENTS
01 SASE Overview
02 Deployment
03 Authentication
04 Endpoint Components and Security Policy
05 Use Cases
06 Dashboards and Analytics

SASE Overview

In this lesson, you will learn about traditional VPN architecture, secure access service edge (SASE) architecture and components, and the Fortinet SASE solution.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of the standard virtual private network (VPN) architecture, and the different work-from-anywhere challenges, you will be able to describe the issues associated with it.

In a traditional VPN architecture, a next generation firewall (NGFW) is deployed on the edge of an organization's network.
Remote access VPNs are intended to extend corporate networks to remote users, in a secure way, using a software client or agent. Remote access VPNs rely on IPsec or SSL-based VPN implementations. Remote access VPNs are deployed with either full tunneling or split tunneling enabled. In full tunneling mode, traffic destined for the organization's internal network and the internet is sent through the VPN tunnel to the NGFW, for threat detection and mitigation. In split tunneling mode, traffic destined for the internal network is sent through the VPN tunnel, and the internet traffic is sent out through the user's local internet service provider (ISP) link.

The standard firewall architecture is well-defined, but it faces significant challenges when dealing with work-from-anywhere practices. Typically, off-net endpoints are unmanaged, meaning the endpoints could fail security posture checks because of unpatched software and missing vulnerability updates. These devices cannot be trusted when accessing corporate network resources. When working from anywhere, the majority of the internet traffic is routed through an ISP without any network security protection, which makes it susceptible to malware and other network security threats. To overcome this issue, organizations started deploying full tunneling VPNs to use the NGFW security features at the network edge. An increase in the number of employees working remotely introduced extra load on the NGFW and its WAN links, leading to WAN link congestion. Another challenge that comes with a remote workforce is unmanaged off-net devices with outdated software. These devices can lead to potential vulnerabilities.

Good job! You now understand the traditional VPN architecture.
Now, you will learn about SASE architecture and components.

By demonstrating a competent understanding of the SASE architecture, SASE components, and the Fortinet SASE solution, you will understand the purpose and capabilities of a SASE solution.

According to Gartner, secure access service edge, or SASE, delivers converged network and security as a service capability, including SD-WAN, SWG, cloud access security broker (CASB), NGFW, and zero trust network access (ZTNA). SASE supports branch offices, remote workers, and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero-trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies. The SASE architecture focuses on using a cloud-delivered service that enforces secure access at the farthest edge of the network, namely at the service edge or at the user endpoints. The goal of SASE is to offer a secure connection to the user connecting from anywhere.

A cloud-hosted security solution frees devices from the need to rely on protection that is hosted at a physical corporate data center. Cloud-hosted security includes components like firewall-as-a-service (FWaaS), SWG, and CASB. FWaaS provides the same security features as a standard hardware firewall, but using software in the cloud. SWG blocks unauthorized traffic from getting into your organization's network with web filtering, antivirus, file filtering, DLP, and more, for both managed and unmanaged devices. CASB is positioned between the user accessing the cloud and the cloud-based application they are trying to access.
It is used to monitor activity and enforce an organization's security policies. In the context of a SASE architecture, network components are used for optimized path selection and application-based routing. An SD-WAN solution can decide the best path for network traffic, and application-based routing gives users the access they need to perform their jobs regardless of their location. ZTNA is built on the zero-trust access core principle of "never trust, always verify." All users, devices, and applications are assumed to be threats, and until they prove otherwise, they are not allowed to connect.

When remote users connect through VPN and their internet traffic is redirected through the corporate NGFW, they experience high latency. SASE reduces this latency by allowing remote users to connect directly to the closest geographical point of presence (PoP) for a cloud-delivered FWaaS, where the internet traffic is subject to advanced threat measures. Also, each PoP can scale to meet user demand and reduce the possibility that a single WAN link becomes a congestion point for these remote users. ZTNA allows you to apply zero-trust principles to control which users can access which applications over the network. Applications are accessed when needed, directly through an access proxy or broker. With ZTNA, a user can more seamlessly work from the office or remotely, which creates a smoother user experience.

FortiSASE, Fortinet's single-vendor SASE approach, empowers organizations to consistently apply enterprise-grade security and a superior user experience across all edges, converging networking and security across a unified OS and agent. The cloud-delivered security service is located between the remote endpoints and any networks those endpoints access, regardless of the location of the remote endpoints.
FortiSASE extends FortiGuard security services across thin edge, secure edge, and remote users, enabling secure access for users both on and off the network. You will learn more about the different deployment methods in another lesson. FortiSASE supports FWaaS and SWG functionality, both of which rely on threat intelligence that FortiGuard Labs provides. The FortiSASE FWaaS has all the same features, security, and reliability that customers depend on from Fortinet's FortiGate NGFW physical and virtual appliances. Likewise, FortiSASE SWG relies on FortiOS explicit web proxy, captive portal, and authentication features to secure customers' web traffic. Single sign-on (SSO) integration through SAML is supported for SWG and VPN deployments.

FortiSASE supports ZTNA. In this configuration, the corporate FortiGate device is configured as a FortiClient cloud fabric connector and acts as a ZTNA access proxy to process ZTNA traffic. FortiSASE synchronizes the ZTNA tags with the corporate FortiGate device. FortiGate uses the ZTNA tags to allow or deny access to corporate resources. FortiSASE uses the ZTNA tags to check device posture in the secure internet access policy and the secure private access policy. You will learn more about the different policies in another lesson. FortiCASB provides cloud-based and API-based features to enable deep inspection of Software-as-a-Service (SaaS) applications, with detailed monitoring, analysis, and reporting features. FortiSASE also provides inline-CASB functionality with web filter and application control security features. Organizations can integrate FortiSASE with an existing FortiGate SD-WAN deployment in order to provide remote users with access to private resources. In this configuration, FortiSASE communicates with the FortiGate SD-WAN hub. After completing this configuration, the FortiSASE security PoPs act as spokes to this hub.
FortiSASE provides secure access to remote users for the following use cases:
- Secure internet access (SIA), when remote users access the internet and web-based applications
- Secure private access (SPA), when remote users access private company-hosted applications protected by FortiGate
- Secure SaaS access (SSA), when remote users access SaaS applications
You will learn more about the different use cases in another lesson.

Fortinet provides a complete ZTNA and SWG solution through the deployment of FortiGate or FortiSASE. FortiGate provides a complete firewall solution with SWG protecting against web-based threats, such as phishing, malware, and so on. FortiGate also supports a ZTNA solution to secure access to remote resources. FortiSASE provides FWaaS, SWG, ZTNA, and CASB functionality, with the main objective of securing access for off-net endpoints. To use the ZTNA feature, you must install FortiClient on the endpoint. FortiProxy is developed for features specific to SWG only. FortiProxy follows a proxy-oriented software architecture, and its hardware supports more RAM and disk space for caching.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you now know and understand the standard VPN architecture, SASE architecture, SASE components, and the Fortinet SASE solution.
Deployment

In this lesson, you will learn how to provision FortiSASE, understand the different license types, and learn about the common FortiSASE solutions.

By demonstrating a competent understanding of FortiSASE provisioning and license types, you will be able to provision FortiSASE and identify the license type that matches your requirements.

To provision FortiSASE, you need to register the FortiSASE contract on https://support.fortinet.com using your FortiCloud account. You can use this FortiCloud account for only one FortiSASE instance, and you cannot register a FortiClient EMS cloud instance to this account. You can create additional IAM users to provide FortiSASE portal access using this FortiCloud account. You can access the FortiSASE portal by going to https://support.fortinet.com and then clicking Services > FortiSASE. IAM users can log in to FortiSASE through https://portal.prod.fortisase.com.

When you access the FortiSASE portal for the first time, you need to select the location of the data centers that suit the requirements of your organization. The FortiSASE PoP location is used to route remote users to the PoP that is geographically closest to them. The logging data center hosts the logging service. The FortiClient endpoint management service retrieves configuration information and validates FortiClient endpoint licenses. For more details about PoP locations, see the FortiSASE Administration Guide.
FortiSASE offers user-based licenses and add-on licenses for thin edge and secure private access (SPA) deployments. You can mix and match license types to suit the needs of your organization. User-based licenses allow users to connect with multiple devices concurrently. You can use user-based licenses in agent-based or proxy-based mode. In proxy-based mode, FortiSASE provides FWaaS and acts as a secure web gateway (SWG). The features in proxy-based mode include URL filtering, anti-malware, DNS filtering, layer 3 to 7 firewalling, and an inline cloud access security broker (CASB). To use agent-based mode, you must install FortiClient on the endpoint. Agent-based mode offers the same features as proxy-based mode, with the addition of endpoint protection with zero trust network access (ZTNA). Each user can use up to three devices and a combination of agent-based and proxy-based modes.

A thin edge license enables customers to connect branch offices to FortiSASE. Thin edge licenses are currently supported only on the FortiExtender 200F. FortiExtender and FortiSASE should be registered under the same FortiCloud account. You can provision a FortiExtender to FortiSASE using FortiZTP. FortiZTP enables the deployment of Fortinet security, network, and wireless devices at remote locations where on-site provisioning expertise is limited. Remote devices can be assigned to a specific Fortinet management appliance or service. You can access the FortiZTP portal by clicking Services > FortiZTP on FortiSASE.

An SPA license allows remote users and branch locations to connect to private applications. The SPA license is supported by the FortiGate 100+ series and FortiGate VM02+.
If the FortiGate is in a high availability (HA) cluster, you need a separate license for each HA member. To establish a dedicated tunnel to FortiSASE, the FortiGate SD-WAN hub requires an SPA license. Remote users connected to FortiSASE can access private applications behind the FortiGate using this secure dedicated tunnel.

Good job! You now understand FortiSASE provisioning and licensing. Now, you will learn about the different FortiSASE solutions.

By demonstrating a competent understanding of FortiSASE solutions, you will be able to use endpoint and SWG mode, and deploy thin edge and SPA.

In endpoint mode, FortiClient connects to FortiSASE using a secure SSL VPN tunnel. Once the connection is established, FortiSASE acts as a firewall placed between the endpoint and the internet. The VPN policy on FortiSASE is configured with the required security components, such as web filter, application control, and so on, to secure the internet traffic. Endpoint mode also supports configuring zero-trust network access (ZTNA). In this deployment configuration, FortiSASE joins the Fortinet Security Fabric to share endpoint information with the FortiGate, allowing a corporate FortiGate to implement ZTNA for remote users who are already registered to FortiSASE.

This slide shows the flow of events that occurs during endpoint mode manual activation.
1. The FortiSASE administrator sends an invitation email to the remote user, as part of user onboarding.
2. The end user downloads FortiClient and connects to the FortiSASE endpoint management system (EMS) to activate the license, using the code in the email.
3. Once the license is activated, a secure SSL VPN is established from FortiClient to the nearest FortiSASE PoP, based on the geolocation selection.
4. The FortiSASE administrator can apply security profiles on the VPN policies to secure internet traffic.

FortiClient can also be provisioned using FortiClient installers, which you can download from the FortiSASE portal by clicking Configuration, and then, in the ACCESS section, clicking Users > Onboard Users > Download Installer. You can then provision your endpoints by doing one of the following:
- Use a mobile device management (MDM) software suite with this installer
- Distribute this installer to end users and have them install it on their endpoints

SWG mode is an agentless deployment for remote users. Remote users configure FortiSASE as an explicit web proxy through their web browser or by using a proxy autoconfiguration (PAC) file. IT administrators can push a PAC file to end users using a group policy object (GPO). FortiSASE supports a Chrome extension that allows enforcing SWG connectivity for selected endpoints with the Chrome browser installed, including Chromebooks, based on the endpoint operating system (OS) and the corresponding extension policy that the Google Workspace administrator configured. The web browser redirects HTTP and HTTPS traffic to FortiSASE, which secures user web traffic by implementing SWG security policies. All other non-web traffic bypasses FortiSASE and is forwarded directly to the internet.

FortiSASE can be integrated with FortiExtender, which is configured as a LAN extension. A FortiExtender with the LAN extension configuration allows a thin edge deployment.
A thin edge deployment is a branch office with a LAN segment behind FortiExtender, where the internet traffic is secured by a backhaul connection to FortiSASE. When FortiExtender is configured as a LAN extension, a VXLAN-over-IPsec tunnel is established between FortiExtender and FortiSASE. This creates a Layer 2 network between FortiSASE and the network behind the remote FortiExtender. The thin edge policies on FortiSASE can be configured with security profiles to secure internet traffic. In this deployment, no endpoint needs to be configured with explicit web proxy settings or have FortiClient installed. For more details about the thin edge deployment requirements, see the SIA Site-based Deployment Guide.

FortiSASE can integrate with FortiGate ZTNA to provide a seamless experience for end users while securing your most important corporate assets behind the FortiGate application gateway. A FortiSASE ZTNA solution includes products like FortiSASE, FortiGate, and FortiClient. FortiGate and FortiSASE need to be registered using the same FortiCloud account. FortiOS running 7.0 or later firmware can act as a ZTNA access proxy. FortiOS maintains a continuous connection to FortiSASE to synchronize endpoint information and ZTNA tags. FortiOS can use these ZTNA tags to grant or deny access to the network. FortiSASE uses ZTNA tags to manage the device and security postures of managed endpoints. This information from the managed endpoints is shared with FortiGate. FortiSASE also generates and installs client certificates on managed endpoints to uniquely identify each endpoint. A FortiClient endpoint registered to FortiSASE shares its device information, user information, and security postures. FortiClient uses the certificates it receives from FortiSASE to identify itself to FortiGate.
Organizations with new or existing FortiGate SD-WAN deployments can provide their FortiSASE remote users with access to private resources. You must configure FortiSASE to communicate with the FortiGate SD-WAN hub. You enter this configuration on the FortiSASE portal by clicking Network > Private Access. After you complete the configuration, FortiSASE PoPs act as spokes to this hub, relying on IPsec VPN overlays and iBGP to secure and route traffic between the PoPs and the networks behind the organization's FortiGate SD-WAN hub-and-spoke network. FortiSASE remote users can access private resources behind the FortiGate hub directly through the FortiSASE-to-hub IPsec tunnels.

By mastering the objectives covered in this lesson, you learned how to provision FortiSASE and the different license types. You also learned about the different FortiSASE solutions.

Authentication

In this lesson, you will learn about user authentication on FortiSASE.

By demonstrating competence in understanding local authentication, you will be able to create and onboard local users on FortiSASE.
You can configure local users on FortiSASE. These users authenticate directly with FortiSASE. You can do this by clicking Configuration and then, in the ACCESS section, clicking Users. First, type the email address that the invitation code is sent to. The email address is also the username. The user uses the invitation code to connect FortiClient to FortiSASE. FortiSASE can also import users in bulk from a CSV file. Click Configuration, and then, in the ACCESS section, click Users > Import/Export > Import Users.

As part of onboarding, FortiSASE sends the user an onboarding email to activate their account. The user clicks Activate and then sets a password. The onboarding email also contains links to download FortiClient installers and an invitation code for FortiClient to connect to FortiSASE. This slide shows an example of an onboarding email.

To connect FortiClient to FortiSASE, the user copies the invitation code from the onboarding email, pastes it in FortiClient in the ZERO TRUST TELEMETRY > Register with Zero Trust Fabric field, and then clicks Connect. After FortiClient has registered successfully, the REMOTE ACCESS > VPN Name field displays Secure Internet Access. Now the FortiSASE Endpoint Management Service manages the endpoint. The user can connect to the Secure Internet Access VPN tunnel by using the credentials set up during user activation, or remote authentication, if configured. All user internet traffic is routed using FortiSASE VPN policies.

You can enable Secure Web Gateway (SWG) on the System > SWG Configuration page.
When you enable SWG, users can configure their browser to proxy all HTTP and HTTPS web traffic for the FortiSASE SWG policies to inspect. While the web traffic is being proxied, FortiSASE replaces and signs the certificates of secure protocols like HTTPS. You should provide users with the required CA certificate and the proxy autoconfiguration (PAC) file to connect to the FortiSASE gateway. You can download the SWG certificate and the PAC file from the System > SWG Configuration page.

The user can configure the SWG settings at the OS level or in a browser, by using a PAC file or by specifying the URL of the hosted PAC file, which FortiSASE provides. When the user starts a new web browser session, they are prompted to log in. The user can log in using the credentials that they set up during activation, or any remote authentication, if configured.

Good job! You now understand how to create local users. Now, you will learn how to configure remote authentication servers.

By demonstrating competence in understanding remote authentication, you will be able to configure LDAP, RADIUS, and SSO authentication on FortiSASE.

FortiSASE provides support for many remote authentication servers, including RADIUS, LDAP, and Security Assertion Markup Language (SAML) for single sign-on (SSO). Unlike local user accounts, where FortiSASE knows the credentials, remote authentication servers verify user credentials and provide group membership information to FortiSASE on demand.
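The PAC file that the SWG mode and SWG configuration slides above refer to, as an added example that is not from the study guide or from FortiSASE (the real file is downloaded from System > SWG Configuration). The SWG hostname, port and internal domain are placeholders, the bypass for loopback, single-label and RFC 1918 hosts is a design choice of the example, and the helper fallbacks exist only so the rules can be checked outside a browser.

```javascript
// Added example, not from the Fortinet study guide: a proxy autoconfiguration
// (PAC) file of the kind handed to SWG-mode users. The SWG host and port are
// placeholders; the real values come from System > SWG Configuration.
var FORTISASE_SWG = "PROXY swg.tenant-placeholder.invalid:8080"; // placeholder
var DIRECT = "DIRECT";

// Browsers provide these PAC helpers natively. The fallbacks below are used
// only when the built-ins are absent (for example when checking the rules
// under Node). The fallback isInNet() handles dotted-quad IP literals only;
// a browser's built-in also resolves hostnames.
var isPlainHostName = (typeof isPlainHostName === "function")
  ? isPlainHostName
  : function (host) { return host.indexOf(".") === -1; };

var dnsDomainIs = (typeof dnsDomainIs === "function")
  ? dnsDomainIs
  : function (host, domain) {
      return host.length >= domain.length &&
        host.substring(host.length - domain.length) === domain;
    };

function ipv4ToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) { return null; }
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) { return null; }
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

var isInNet = (typeof isInNet === "function")
  ? isInNet
  : function (host, pattern, mask) {
      var h = ipv4ToInt(host), p = ipv4ToInt(pattern), m = ipv4ToInt(mask);
      if (h === null || p === null || m === null) { return false; }
      return (h & m) === (p & m); // ToInt32 is applied to both sides alike
    };

function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();

  // SWG mode only proxies web traffic: anything that is not HTTP or HTTPS
  // goes straight out, as the slides describe for non-web traffic.
  if (scheme !== "http" && scheme !== "https") { return DIRECT; }

  // Loopback, single-label names and RFC 1918 ranges stay local. Keeping
  // internal hosts off the proxy is an assumption of this example, not a
  // FortiSASE requirement.
  if (host === "localhost" || isPlainHostName(host)) { return DIRECT; }
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) { return DIRECT; }
  if (dnsDomainIs(host, ".corp.example.invalid")) { return DIRECT; } // placeholder domain

  // Everything else is internet-bound web traffic: send it to the FortiSASE
  // SWG, which re-signs HTTPS with the CA certificate the user installed.
  // No "; DIRECT" fallback is listed, so the gateway cannot be silently
  // bypassed if it is unreachable (fail closed rather than fail open).
  return FORTISASE_SWG;
}
```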
You can configure FortiSASE to connect to a remote LDAP server on the LDAP page. You must enter all required information about the remote LDAP server, such as the IP address (or FQDN) and the connecting port. The Common Name Identifier setting is the attribute name you use to find the username. Some schemas allow you to use the attribute uid. AD most commonly uses sAMAccountName or cn, but can use others as well. The Distinguished Name setting identifies the top of the tree where the users are located, which is generally the dc value; however, it can be a specific container or ou. The Bind Type setting depends on the security settings of the LDAP server. You must use the setting Regular (to specify a regular bind) if you are searching across multiple domains and require the credentials of a user that is authorized to perform LDAP queries (for example, an LDAP administrator). The bind type determines how the authentication information is sent to the server. You can select:
- Simple, to bind using the user's password, which is sent to the server in plaintext without a search.
- Regular, to bind using the user's DN and password and then perform a search. Regular bind is required if searching for a user across multiple domains.
- Anonymous, to bind using an anonymous user and search starting from the DN, recursing over the subtrees. Many LDAP servers do not allow this by default.
If you want a secure connection between FortiSASE and the remote LDAP server, enable Secure Connection and include the LDAP server protocol (LDAPS) as well as any trusted CA certificates.

You can import remote LDAP users on the Users page. You can either import users individually or import users by group membership.
When you are configuring the user group on FortiSASE, select the LDAP server as the remote authentication server and select specific LDAP groups, as defined on the LDAP server, to add to your user group. You can enter the email addresses of the LDAP users to send the invitation emails by clicking Configuration, and then, in the ACCESS section, clicking Users > Onboard Users.

You can configure FortiSASE to connect to a remote RADIUS server on the RADIUS page. You must enter all required information about the remote RADIUS server, such as the IP address, port, and shared secret. You also have the option to set up a secondary server for redundancy. You cannot import RADIUS users individually, but you can configure a user group on FortiSASE with RADIUS as the remote authentication server and add user groups based on RADIUS attributes for group membership. The Primary Server Secret setting is the secret that is set up on the RADIUS server in order to allow remote queries from this client. Note that FortiSASE must be listed on the RADIUS server as a client of that RADIUS server, or the server will not reply to FortiSASE queries. The Authentication Type setting refers to the authentication protocol that the RADIUS server supports. Options include Challenge-Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), Microsoft CHAP (MS-CHAP), and MSCHAP2. The Include All Users option adds the RADIUS server, and all users that can authenticate against it, to every user group created on FortiSASE. This slide shows an example of FortiAuthenticator as the RADIUS server and FortiSASE as the RADIUS client.

SAML defines a framework for exchanging security assertions between SAML entities. It uses an XML-based framework and browser cookies to exchange security assertions between entities to achieve SSO.
One of the main SAML use cases is multiple-domain web SSO. Online business partners can exchange SAML assertions to provide user access to multiple web services, without asking the user to log in to each domain. At a minimum, you need the following SAML entities to perform SSO:
- Principal: requests access to a service that usually requires authentication and authorization using the SAML model. A principal can be a user, group, or machine.
- IdP: responsible for creating, maintaining, and managing identity information for principals. It is responsible for responding to requests for SAML assertions within a federation.
- SP: provides a service to a principal. It relies on an IdP for authentication and authorization information that it can use to provide access to a principal.

You can enable SSO authentication for FortiSASE endpoint users by configuring SAML. SSO authentication is supported for both SWG and VPN modes. When configuring FortiSASE as a SAML SP, you do not need to host the user database locally. User authentication is performed by an IdP, and FortiSASE directs principals to the IdP portal for authentication. You can configure SSO authentication on the VPN User SSO page for VPN users or the SWG User SSO page for SWG users. The service provider fields are preconfigured and should be added to your IdP server. You need to enter the IdP configuration into FortiSASE to complete the SSO configuration. You can upload a certificate for use with SAML SSO authentication on the Certificates page under System. Enabling SSO authentication overrides any other previously created authentication methods (local database, LDAP, or RADIUS). Fortinet products like FortiAuthenticator or FortiTrust Identity can act as an IdP for this configuration.
From FortiSASE, you can test the SSO configuration settings end-to-end by logging in to a user account configured on your SSO server. This feature allows you to open a test window that points to the SSO login page. This test provides SSO configuration test results and raw log output of SAML debug from the Security PoP that can help you troubleshoot issues with any misconfigured SSO configuration settings. You can perform this test by clicking Start Test on the VPN User SSO page. The Start Test option is available only after the SSO configuration is submitted.

You can configure user groups on the Users page. You can add local users to the user group, or you can add preconfigured remote servers to the group. User groups simplify your configuration if you want to treat specific users in the same way.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned about the different authentication methods on FortiSASE.

Endpoint Components and Security Policy

In this lesson, you will learn about the endpoint profile, zero trust network access (ZTNA), and security policy on FortiSASE.

In this lesson, you will learn about the topics shown on this slide.
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the basic configuration of the endpoint profile and ZTNA, you will be able to configure the endpoint profile on FortiSASE and implement ZTNA in your environment.

You can configure the endpoint profile on the Profile page. The endpoint profile defines the configuration of the FortiClient software on endpoints. You can enable features like antivirus, anti-ransomware, vulnerability scans, sandbox detection, ZTNA connection rules, and so on using this profile. No additional endpoint profile can be created. Secure web gateway (SWG) mode is an agentless solution, and endpoint profiles do not apply to SWG deployments.

Zero-trust tags determine the security posture of an endpoint running FortiClient. Zero-trust tags are configured through zero-trust tagging rules on FortiSASE. You can create zero-trust tagging rules for Windows, macOS, and Linux endpoints based on their OS versions, antivirus software installation, logged-in domains, running processes, and other criteria.

The ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy, eliminating the use of dial-up IPsec VPNs. FortiGate can act as an access proxy and supports the following methods:
HTTPS access proxy: works as a reverse proxy for the HTTP server. When a client connects to a web page hosted by the protected server, the address resolves to the FortiGate access proxy virtual IP (VIP).
FortiGate proxies the connection and takes steps to authenticate the device. It prompts the user for the endpoint certificate in the browser and verifies it against the ZTNA endpoint record that is synchronized from FortiSASE.
TCP forwarding access proxy (TFAP): is configured as an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context before granting access to the protected resource.
ZTNA connection rules need to be configured on FortiSASE. Note that your Destination Host is the real internal IP address and port of the server.

You can configure the FortiClient EMS connector on FortiGate by clicking Security Fabric > Fabric Connectors. You must select FortiClient EMS Cloud, and FortiGate must accept the FortiSASE certificate. You must register FortiGate and FortiSASE under the same FortiCloud account. Next, you must authorize FortiGate on FortiSASE. On FortiSASE, you can click Configuration > ENDPOINTS > ZTNA Access Proxies, select the FortiGate device, and then authorize it. Note that the FortiClient EMS connector status appears to be down until you authorize FortiGate on FortiSASE. FortiGate automatically synchronizes ZTNA tags after it connects to FortiSASE.

FortiClient must connect to FortiSASE using the invitation code received during user onboarding. You can verify the connection status on the FortiClient console in the ZERO TRUST TELEMETRY menu, or on the FortiSASE GUI by clicking Network > Managed Endpoints.
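The zero-trust tagging rules introduced above (OS version, antivirus installed, logged-in domain, running processes) and the grouping step FortiSASE performs on the results can be modelled in a few lines. The program below is an added example written for this guide, not FortiSASE or FortiClient code: the Endpoint and Rule fields, the rule semantics (every configured condition must hold for the tag to apply), and the sample endpoints are all constructed assumptions. It shows the two halves of the workflow separately, the agent-side evaluation that produces tags and the service-side grouping that turns tags into dynamic endpoint groups, and it also shows that an endpoint matching no rule ends up in no group, which is what makes tag-based policies fail closed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Endpoint is the posture a FortiClient-style agent reports through telemetry.
// The field set is constructed for this example; it is not FortiSASE's schema.
type Endpoint struct {
	Name        string
	OS          string   // "windows", "macos" or "linux"
	OSVersion   int      // simplified major version number
	AVInstalled bool     // antivirus software present
	Domain      string   // logged-in domain, "" if none
	Processes   []string // running process names
}

// Rule is one zero-trust tagging rule. Every configured condition must hold
// for the tag to apply; a zero value means the condition is not checked.
type Rule struct {
	Tag            string
	OS             string
	MinOSVersion   int
	RequireAV      bool
	Domain         string
	RequireProcess string
}

func (r Rule) matches(e Endpoint) bool {
	if r.OS != e.OS || (r.MinOSVersion > 0 && e.OSVersion < r.MinOSVersion) {
		return false
	}
	if r.RequireAV && !e.AVInstalled {
		return false
	}
	if r.Domain != "" && !strings.EqualFold(r.Domain, e.Domain) {
		return false
	}
	if r.RequireProcess == "" {
		return true
	}
	for _, p := range e.Processes {
		if strings.EqualFold(p, r.RequireProcess) {
			return true
		}
	}
	return false
}

// Evaluate is the agent-side step: check one endpoint against every rule and
// report the tags that matched (sorted so the result is stable).
func Evaluate(rules []Rule, e Endpoint) []string {
	var tags []string
	for _, r := range rules {
		if r.matches(e) {
			tags = append(tags, r.Tag)
		}
	}
	sort.Strings(tags)
	return tags
}

// GroupByTag is the FortiSASE-side step: build the dynamic endpoint group for
// every tag from the results the endpoints reported. A tag nobody matched is
// still present, as an empty group.
func GroupByTag(rules []Rule, eps []Endpoint) map[string][]string {
	groups := map[string][]string{}
	for _, r := range rules {
		groups[r.Tag] = nil
	}
	for _, e := range eps {
		for _, t := range Evaluate(rules, e) {
			groups[t] = append(groups[t], e.Name)
		}
	}
	return groups
}

// Constructed sample rules and endpoints.
var sampleRules = []Rule{
	{Tag: "Win-Compliant", OS: "windows", MinOSVersion: 10, RequireAV: true},
	{Tag: "Corp-Domain", OS: "windows", Domain: "corp.example"},
	{Tag: "Mac-Compliant", OS: "macos", MinOSVersion: 13, RequireAV: true},
	{Tag: "EDR-Running", OS: "windows", RequireProcess: "edr-agent"},
}

var sampleEndpoints = []Endpoint{
	{Name: "ws-01", OS: "windows", OSVersion: 11, AVInstalled: true, Domain: "corp.example", Processes: []string{"explorer", "edr-agent"}},
	{Name: "ws-02", OS: "windows", OSVersion: 10, AVInstalled: false, Domain: "corp.example"},
	{Name: "mac-01", OS: "macos", OSVersion: 14, AVInstalled: true},
	{Name: "lnx-01", OS: "linux", OSVersion: 6, AVInstalled: true},
}

func main() {
	groups := GroupByTag(sampleRules, sampleEndpoints)
	for _, r := range sampleRules {
		fmt.Printf("%-14s -> %v\n", r.Tag, groups[r.Tag])
	}
	for _, e := range sampleEndpoints {
		if len(Evaluate(sampleRules, e)) == 0 {
			fmt.Printf("%s carries no tag, so no tag-based policy or ZTNA rule will match it\n", e.Name)
		}
	}
}
```

Running it prints one line per tag with the endpoints in its group, and reports lnx-01 as untagged because no Linux rule exists in the sample list. The point worth noticing is that tags are additive: ws-01 collects three tags, and a ZTNA rule or policy that references any one of them will match it.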
You can create, edit, and delete zero-trust tagging rules for Windows, macOS, Linux, iOS, and Android endpoints.

This slide shows the zero-trust tags workflow. The following happens when you use zero-trust tagging rules with FortiSASE and FortiClient:
FortiSASE sends zero-trust tagging rules to endpoints through telemetry communication.
FortiClient checks endpoints using the provided rules and sends the results to FortiSASE.
FortiSASE receives the results from FortiClient.
FortiSASE dynamically groups endpoints together using the tag configured for each rule.
You can view the dynamic endpoint groups by clicking Configuration > ENDPOINTS > ZTNA Tagging > ZTNA Tags. You can select the desired ZTNA tag, and then click View Tagged Endpoints to see which endpoints are tagged.

To enable ZTNA on the GUI, you must enable the feature on FortiGate under System > Feature Visibility, and then enable Zero Trust Network Access. ZTNA on FortiGate requires the following configuration:
FortiClient EMS added as a fabric connector in the Security Fabric to connect to FortiSASE. FortiGate maintains a continuous connection to FortiSASE to synchronize endpoint device information, and automatically synchronizes ZTNA tags. You can create groups and add tags to use in the ZTNA rules and firewall policies.
The ZTNA server defines the access proxy VIP and the real servers that clients connect to.
The firewall policy matches and redirects client requests to the access proxy VIP. You can also enable authentication.
A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to enforce zero-trust, role-based access.
You can configure security profiles to protect this traffic. You can also configure authentication to the access proxy. ZTNA supports basic HTTP and SAML methods.

After you add FortiClient EMS as the fabric connector and sync ZTNA tags with FortiGate, you must create a ZTNA server, or access proxy. The access proxy VIP is the FortiGate ZTNA gateway that clients make HTTPS connections to. The service and server mappings define the virtual host matching rules and the real server mappings of the HTTPS requests. The Servers table allows you to configure the real server IP address, port number, and status. You can configure multiple servers and server mappings.

A ZTNA rule is a proxy policy used to enforce access control. You can define ZTNA tags or tag groups to enforce zero-trust, role-based access. To create a rule, type a rule name, and add IP addresses and ZTNA tags or tag groups that are allowed or blocked access. You can also select the ZTNA server as the destination and apply security profiles to protect this traffic. If authentication is enabled, you need to add user groups in the Source field of the ZTNA rule; otherwise, no policy match will take place.

This slide demonstrates ZTNA telemetry, tags, and policy enforcement. You configure ZTNA tag conditions on FortiSASE. FortiSASE shares the tag information with FortiGate through Security Fabric integration. FortiClient communicates directly with FortiSASE to continuously share device status information through ZTNA telemetry. FortiGate can then use ZTNA tags to enforce access control rules on incoming traffic through ZTNA access.
ZTNA proxy traffic goes directly to FortiGate and does not pass through FortiSASE.

Good job! You now understand how to configure the endpoint profile and ZTNA. Now, you will learn how to configure a security profile on FortiSASE.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the basic configuration of a security profile, you will be able to apply a security profile group in your FortiSASE policies.

You can create security profile groups on the Security page. Security profile groups allow you to group different security profile settings together. You can then configure the profile group as part of a policy. You can customize and enable or disable security profiles within the security group. You can create separate security profile groups for different policies, depending on your organization's requirements. FortiSASE has a preconfigured default profile, and it cannot be deleted. The following security profiles are available in a security profile group:
Antivirus
Web Filtering With Inline-CASB
File Filter
Intrusion Prevention
Data Leak Prevention
DNS Filter
Application Control With Inline-CASB
SSL Inspection
You will learn about some of the security profiles in this lesson.

When you use certificate inspection, FortiSASE inspects only the header information of the packets. You use certificate inspection to verify the identity of web servers.
You can also use it to make sure that the HTTPS protocol isn't used as a workaround to access sites you have blocked using web filtering. Certificate inspection offers some level of security, but it does not allow FortiSASE to inspect the flow of encrypted data between the outside server and the internal client.

FortiSASE performs web proxying and must act as a certificate authority (CA) in order to perform SSL deep inspection. The internal CA must generate an SSL private key and certificate each time an internal user connects to an external SSL server. The key pair and certificate are generated immediately so the user's connection with the web server is not delayed. Although it appears as though the user's browser is connected to the web server, the browser is connected to FortiSASE. FortiSASE is acting as a proxy web server. In order for FortiSASE to act in these roles, its CA certificate must have the basic constraints extension set to cA=True and the value of the keyUsage extension set to keyCertSign. The cA=True value identifies the certificate as a CA certificate. The keyUsage=keyCertSign value indicates that the certificate's corresponding private key is permitted to sign certificates. For more information, see RFC 5280 Section 4.2.1.9, Basic Constraints. All FortiSASE devices that support SSL deep inspection can use the self-signed Fortinet_CA_SSL certificate that is provided with FortiSASE, or an internal CA, to issue FortiSASE a CA certificate. When FortiSASE uses an internal CA, FortiSASE acts as a subordinate CA. Note that your client machines and devices must import the root CA certificate in order to trust FortiSASE and accept an SSL session.
You can configure SSL inspection on the Security page by selecting the appropriate security profile group. You can click Customize in the SSL inspection profile and then select Certificate Inspection to enable certificate inspection. To enable deep inspection, select Deep Inspection. Within the deep inspection profile, you can also specify which FortiGuard categories or hosts, if any, you want to exempt from SSL inspection. You may need to exempt traffic from SSL inspection if it is causing problems with traffic, or for legal reasons.

You can configure the Web Filter With Inline-CASB profile on the Security page by selecting the appropriate security profile group. Rather than blocking or allowing websites individually, FortiGuard category filtering reviews the category that a website has been rated with. Then, FortiSASE takes action based on that category, not based on the URL. In addition, by default, FortiSASE blocks web pages that return a rating error. You can change this behavior by enabling Allow websites when a rating error occurs. You can enable FortiGuard category filtering on the web filter. Categories and subcategories are listed, and you can customize the actions to perform individually. The following actions are available:
Allow: passes the traffic to the remaining web filters, antivirus inspection engine, and DLP inspection engine. If the URL does not appear in the URL list, FortiSASE allows the traffic.
Monitor: processes the traffic the same way as the allow action. For the monitor action, FortiSASE generates a log message each time it establishes a matching traffic pattern.
Block: denies or blocks attempts to access any URL that belongs to the category. A replacement message is displayed.
Warning: displays a message to the user, allowing them to continue if they choose.

Static URL filtering is another web filter feature. FortiSASE checks the URLs configured in the URL filter against the visited websites. If FortiSASE finds a match, it takes the configured action. URL filtering has the following pattern matches: simple, regular expressions, and wildcard. The following actions are available:
Allow: passes the traffic to the remaining web filters, antivirus inspection engine, and DLP inspection engine. If the URL does not appear in the URL list, FortiSASE allows the traffic.
Block: denies or blocks attempts to access any URL that matches the URL pattern. A replacement message is displayed.
Exempt: allows the traffic to pass through, bypassing the other web filters, antivirus inspection engine, and DLP inspection engine.
Monitor: processes the traffic the same way as the allow action. For the monitor action, FortiSASE generates a log message each time it establishes a matching traffic pattern.

You can also control web content in the web filter profile by blocking access to websites containing specific words or patterns. This helps to prevent access to sites with questionable material. You can add words, phrases, patterns, wildcards, and Perl regular expressions to match content on websites. You configure this feature at the web filter level, not at the global level, so it is possible to add multiple web content filter lists and then select the best list for each web filter profile.
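As an added example (written for this guide, not FortiSASE's own matching engine), the following Go program implements a static URL filter list with the three pattern types and the four actions described above. The text does not spell out how each pattern type is matched, so the program makes these assumptions: the first matching entry from the top decides; a simple pattern matches the host, or host and path, plus any longer path underneath it; a wildcard pattern treats * as any run of characters and must end at the end of the URL or at a path or query boundary, so a.net can never match a.net.evil.example; a regular expression is applied as written, case-insensitively. The verdict carries what the rest of the pipeline needs: whether antivirus and DLP still run (allow and monitor) or are bypassed (exempt), and whether a log entry is written (monitor). The sample list and the URLs are constructed and none are real sites.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Action is the verdict a URL filter entry carries.
type Action int

const (
	Allow Action = iota
	Block
	Exempt
	Monitor
)

func (a Action) String() string { return [...]string{"allow", "block", "exempt", "monitor"}[a] }

// Entry is one static URL filter line: a pattern, its type and an action.
type Entry struct {
	Pattern string
	Type    string // "simple", "wildcard" or "regex"
	Action  Action
}

// compiled holds an entry together with the matcher built from it.
type compiled struct {
	Entry
	re *regexp.Regexp // nil for the simple type
}

// Filter is an ordered list; the first matching entry decides (assumed order).
type Filter []compiled

// normalize strips scheme, case and a trailing slash so matching ignores them.
func normalize(u string) string {
	u = strings.ToLower(strings.TrimSpace(u))
	u = strings.TrimPrefix(u, "https://")
	u = strings.TrimPrefix(u, "http://")
	return strings.TrimSuffix(u, "/")
}

// Compile turns entries into a Filter, rejecting a malformed regular expression
// or unknown type when the list is built rather than on the first request.
func Compile(entries []Entry) (Filter, error) {
	var f Filter
	for _, e := range entries {
		c := compiled{Entry: e}
		switch e.Type {
		case "simple":
		case "wildcard":
			// '*' matches any run of characters; the match must end at the end of the
			// URL or at a path/query boundary so "a.net" never matches "a.net.evil".
			expr := strings.ReplaceAll(regexp.QuoteMeta(normalize(e.Pattern)), `\*`, `.*`)
			c.re = regexp.MustCompile(`^` + expr + `(?:$|[/?])`)
		case "regex":
			re, err := regexp.Compile(`(?i)` + e.Pattern)
			if err != nil {
				return nil, fmt.Errorf("entry %q: %w", e.Pattern, err)
			}
			c.re = re
		default:
			return nil, fmt.Errorf("entry %q: unknown type %q", e.Pattern, e.Type)
		}
		f = append(f, c)
	}
	return f, nil
}

func (c compiled) matches(u string) bool {
	if c.re != nil {
		return c.re.MatchString(u)
	}
	p := normalize(c.Pattern)
	return u == p || strings.HasPrefix(u, p+"/") || strings.HasPrefix(u, p+"?")
}

// Verdict is what the rest of the pipeline needs to know after URL filtering.
type Verdict struct {
	Action  Action
	Matched string // pattern that decided, "" when no entry matched
	Inspect bool   // true: continue to remaining web filters, antivirus and DLP
	Log     bool   // true: a log entry is generated for this match (monitor)
}

// Evaluate applies the list to one URL. A URL that matches nothing is allowed
// and inspected further, as the text states; exempt bypasses the other engines.
func Evaluate(f Filter, rawURL string) Verdict {
	u := normalize(rawURL)
	for _, c := range f {
		if !c.matches(u) {
			continue
		}
		switch c.Action {
		case Block, Exempt:
			return Verdict{Action: c.Action, Matched: c.Pattern}
		case Monitor:
			return Verdict{Action: Monitor, Matched: c.Pattern, Inspect: true, Log: true}
		default:
			return Verdict{Action: Allow, Matched: c.Pattern, Inspect: true}
		}
	}
	return Verdict{Action: Allow, Inspect: true}
}

// Constructed sample list; none of these are real sites.
var sampleEntries = []Entry{
	{"*.example-cdn.net", "wildcard", Exempt},
	{"intranet.example.com", "simple", Allow},
	{`^([a-z0-9-]+\.)*torrent-site\.example(/.*)?$`, "regex", Block},
	{"*.example-news.com/sports*", "wildcard", Monitor},
}

func main() {
	f, err := Compile(sampleEntries)
	if err != nil {
		panic(err)
	}
	for _, u := range []string{
		"https://static.example-cdn.net/lib.js",
		"https://intranet.example.com/portal",
		"http://www.torrent-site.example/dl",
		"https://www.example-news.com/sports/scores",
		"https://static.example-cdn.net.evil.example/",
	} {
		v := Evaluate(f, u)
		fmt.Printf("%-46s %-8s inspect=%-5v log=%-5v matched=%q\n", u, v.Action, v.Inspect, v.Log, v.Matched)
	}
}
```

The last sample URL is the reason for the boundary rule on wildcard patterns: it contains the exempt CDN name as a substring, but because the name is followed by another label rather than a path boundary it falls through to the default and is still inspected. Exempt is the action to review most carefully in any list, since it switches off antivirus and DLP for whatever the pattern reaches.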
The FortiSASE web filter inline cloud access security broker (CASB) component can be used to customize HTTP headers when agentless (proxy) or agent-based (FortiClient) remote users are accessing Software-as-a-Service (SaaS) applications. Customizing HTTP headers requires SSL deep inspection to be enabled on the security profile group. FortiSASE can intercept HTTP headers to add or remove request/response headers, as required by the SaaS application. You must know the format and content of the vendor-specific headers supported by a SaaS application to use this feature. FortiSASE intercepts HTTP headers and can modify them for outgoing traffic as follows:
Add to request
Add to response
Remove from request
Remove from response
The example on this slide shows how to restrict access to personal accounts using the login.live.com domain. You can restrict access to personal accounts by adding a request header with the vendor's header name and header content. You can find the format and content of vendor-specific headers on the vendor's website. The headers used in this example can be found at https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions. You will also need to apply SSL deep inspection to the security profile group, and then apply the security profile group to the applicable policy. When the end user tries to access login.live.com, their access is blocked with a Microsoft error page.

FortiSASE can recognize network traffic generated by a large number of applications. Network traffic is analyzed to detect application traffic, even if the traffic uses non-standard ports or protocols.
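The header customization described in the inline-CASB slide above, as an added Go example written for this guide rather than FortiSASE code: a small rule engine with the four operations (add to request, add to response, remove from request, remove from response), applied to the plaintext headers that deep inspection exposes. The two request header names are the ones in the Microsoft tenant-restrictions documentation the text links to; the tenant and directory identifiers are placeholders you replace with your own, the set of login hosts to cover is something to take from that documentation, and the response rule and host names are constructed. Additions use Set rather than Add on purpose, so a value the endpoint itself put in the request cannot survive next to the one the policy mandates.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Rule is one inline-CASB header customization. Host matches that exact host
// or any subdomain of it (an assumed matching rule for this example).
type Rule struct {
	Host   string
	Where  string // "request" (toward the SaaS host) or "response" (toward the user)
	Remove bool   // true: strip the header; false: add it, overwriting any existing value
	Name   string
	Value  string // unused when Remove is true
}

func hostMatches(ruleHost, host string) bool {
	host, ruleHost = strings.ToLower(host), strings.ToLower(ruleHost)
	return host == ruleHost || strings.HasSuffix(host, "."+ruleHost)
}

// apply runs the rules for one direction over a header map. Additions use Set
// rather than Add so a value the endpoint placed in the request itself cannot
// survive next to the one the policy mandates.
func apply(rules []Rule, where, host string, h http.Header) {
	for _, r := range rules {
		if r.Where != where || !hostMatches(r.Host, host) {
			continue
		}
		if r.Remove {
			h.Del(r.Name)
		} else {
			h.Set(r.Name, r.Value)
		}
	}
}

// RewriteRequest is the outbound step. It can only run after deep inspection has
// exposed the plaintext request; with certificate inspection alone the headers
// are still inside TLS and nothing here is possible.
func RewriteRequest(rules []Rule, req *http.Request) {
	apply(rules, "request", req.URL.Hostname(), req.Header)
}

// RewriteResponse is the inbound counterpart for the SaaS host's reply.
func RewriteResponse(rules []Rule, host string, resp *http.Response) {
	apply(rules, "response", host, resp.Header)
}

// Constructed policy. The two header names are those in Microsoft's
// tenant-restrictions documentation linked in the text; the values are
// placeholders for your own tenant and directory identifiers.
var sampleRules = []Rule{
	{Host: "login.live.com", Where: "request", Name: "Restrict-Access-To-Tenants", Value: "PLACEHOLDER-TENANT-ID"},
	{Host: "login.live.com", Where: "request", Name: "Restrict-Access-Context", Value: "PLACEHOLDER-DIRECTORY-ID"},
	{Host: "login.microsoftonline.com", Where: "request", Name: "Restrict-Access-To-Tenants", Value: "PLACEHOLDER-TENANT-ID"},
	{Host: "login.microsoftonline.com", Where: "request", Name: "Restrict-Access-Context", Value: "PLACEHOLDER-DIRECTORY-ID"},
	{Host: "saas.example", Where: "response", Remove: true, Name: "X-Powered-By"}, // constructed
}

// DemoRequest builds a request for rawURL, pre-loads any headers the endpoint
// sent, applies the policy and returns the resulting request headers.
func DemoRequest(rawURL string, fromEndpoint http.Header) (http.Header, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return nil, err
	}
	for name, values := range fromEndpoint {
		for _, v := range values {
			req.Header.Add(name, v)
		}
	}
	RewriteRequest(sampleRules, req)
	return req.Header, nil
}

// DemoResponse applies the response rules to a constructed reply from host.
func DemoResponse(host string) http.Header {
	resp := &http.Response{Header: http.Header{
		"X-Powered-By": {"example-framework"},
		"Content-Type": {"text/html"},
	}}
	RewriteResponse(sampleRules, host, resp)
	return resp.Header
}

func main() {
	for _, u := range []string{"https://login.live.com/login.srf", "https://www.example.org/"} {
		h, err := DemoRequest(u, nil)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> Restrict-Access-To-Tenants=%q\n", u, h.Get("Restrict-Access-To-Tenants"))
	}
	fmt.Println("app.saas.example response:", DemoResponse("app.saas.example"))
}
```

Only requests whose host matches a rule are touched, so a request to an unrelated site leaves without the tenant headers, and a reply from a host under saas.example loses its X-Powered-By header while its other headers are untouched.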
You can configure the Application Control With Inline-CASB profile on the Security page by selecting the appropriate security profile group. You can configure actions based on categories, and application overrides. The Unknown Applications setting matches traffic that can't be matched to any application control signature and identifies the traffic as an unknown application in the logs. The number listed beside the cloud symbol indicates the number of cloud applications in the category. FortiGate scans packets for matches, in this order, for the application control profile:
1. Application overrides: If you have configured any application overrides, the application control profile considers those first. It looks for a matching override starting at the top of the list.
2. Categories: Finally, the application control profile applies the action that you've configured for applications in your selected categories.

FortiSASE antivirus delivers automated updates that protect against the latest polymorphic attacks, viruses, spyware, and other content-level threats. Based on the patented content pattern recognition language (CPRL), the anti-malware engine is designed to prevent known and previously unknown malware variants. You can customize which protocols need to be inspected by antivirus for secure internet access. You can configure an Antivirus profile on the Security page by selecting the appropriate security profile group. For antivirus scanning, the block replacement page is displayed immediately when a virus is detected.

A file filter can be configured to control the flow of different types of files passing through FortiSASE. This is done by setting up rules that specify which file types are allowed or blocked.
File filtering is based only on the file type (file metadata) and not on file size or content.

The FortiSASE data leak prevention (DLP) system prevents sensitive data from leaving your network by scanning for various patterns while inspecting traffic passing through FortiSASE. Data that matches defined sensitive data patterns is blocked, allowed, or monitored when it passes through FortiSASE. You can add individual filters based on predetermined content patterns or a custom regular expression.

Good job! You now understand how to configure a security profile. Now, you will learn how to configure a policy on FortiSASE.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in policy configuration, you will be able to configure VPN, thin-edge, private access, and secure web gateway (SWG) policies on FortiSASE.

Any traffic passing through FortiSASE must be associated with a policy. Policies control where the traffic goes, how it's processed, and whether or not FortiSASE allows it to pass through. The following policy types are available on FortiSASE:
VPN policy: A VPN policy is used to control traffic between the FortiClient endpoint and FortiSASE for secure internet access.
Thin-edge policy: A thin-edge policy is used to control the traffic between the thin-edge LAN and FortiSASE for secure internet access.
Private access policy: A private access policy is used to control traffic between FortiSASE agent-based remote users and private applications hosted behind the FortiGate hub.
SWG policy: An SWG policy is used to control web traffic between the proxy client endpoint and FortiSASE for secure web access.

When you create a policy, you configure the following parameters:
Name: The unique policy name is a mandatory parameter, and it helps in analysis in FortiView and logging.
Source Scope: You can select VPN Users or Thin-Edge, based on the endpoint traffic requirement.
VPN Users: Policies with the VPN Users scope control the traffic that goes through the SSL VPN tunnel established by FortiClient.
Thin-Edge: Policies with the Thin-Edge scope control the traffic that goes through thin-edge devices such as FortiExtender.
Source: You can add ZTNA tags to enforce device posture checks for agent-based (FortiClient) users in an internet access policy or private access policy.
User: This parameter is available only when you select VPN Users. This parameter is based on a user identity that can come from several authentication authorities. It will be a single user or group that has been set up in advance and can be selected in the drop-down menu.
Destination: You can define policies to connect to specific addresses on the internet.
Service: The services chosen represent the TCP/IP suite port numbers that will most commonly be used to transport the named protocols or groups of protocols.
Profile Group: You can create security profile groups, which allow you to group different security profile settings together and then apply them to the policy.
Force Certificate Inspection: When enabled, this policy ignores the SSL inspection mode specified in the profile group and uses certificate inspection.
Action: If the traffic matches a firewall policy, FortiSASE applies the action configured in the policy. If the Action is set to DENY, FortiSASE drops the session.
If the Action is set to ACCEPT, FortiSASE allows the session and applies other configured settings for packet processing, such as user authentication, source, antivirus scanning, web filtering, and so on.

You can use the private access policy to restrict access to private applications of any protocol (TCP, UDP, ICMP, and so on) behind a FortiGate hub. You can also apply ZTNA tags to remote users based on specified endpoint posture checks.

SWG policies control the traffic that is proxied through FortiSASE by the user's client software, such as a web browser. You can configure an SWG policy on the SWG Policies page. The parameters used to configure an SWG policy are similar to those of a VPN policy.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to configure and use endpoint profiles, ZTNA, security profiles, and policies on FortiSASE.

Use Cases

In this lesson, you will learn about the common use cases of FortiSASE deployment.

In this lesson, you will learn about the topics shown on this slide.
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of secure internet access (SIA), you will be able to identify use cases for SIA.

FortiSASE SIA extends an organization's security by enforcing a common security policy for intrusion prevention systems (IPS) and application control, web filtering, antimalware, sandboxing, and so on, to remote users. FortiSASE acts as a gatekeeper to inspect and secure all the internet traffic, which allows safe browsing from anywhere for off-net users. All the internet traffic of remote users is redirected to the closest FortiSASE point of presence (PoP) using geolocation selection.

Agent-based deployment is the most common use case in FortiSASE deployment. In this use case, FortiClient is deployed on endpoints, and they connect back to FortiSASE using a secure SSL VPN tunnel. FortiSASE Firewall-as-a-Service (FWaaS) sits between the FortiClient endpoint and the internet to secure internet access. FortiSASE FWaaS uses its security profile component, which includes web filter, application control, SSL deep inspection, and so on, to inspect the internet traffic. FortiClient offers endpoint protection platform (EPP) functionality, which includes features like antivirus, vulnerability scanning, sandbox inspection, and so on. Agent-based deployment also supports zero trust network access (ZTNA) for continuous posture checks and enforcement.

The agentless deployment use case does not require the installation of FortiClient on endpoints.
In this use case, FortiSASE acts as a secure web gateway (SWG), and a proxy auto-configuration (PAC) file is distributed to end users to use the FortiSASE SWG service as an explicit web proxy. SWG deployment only secures web traffic protocols such as HTTP and HTTPS. The SWG component on FortiSASE offers a full security stack with antivirus, web filter, application control, and so on. The security profiles can be shared between agent-based and agentless deployments for consistent protection. This use case is usually recommended for unmanaged endpoints, like a contractor's or temporary employee's endpoint.

In this SIA use case, the FortiExtender is responsible for centralizing site connectivity to the FortiSASE FWaaS through a VXLAN-over-IPsec tunnel. There is no configuration required on endpoints. All endpoint traffic is routed from the FortiExtender to the FortiSASE FWaaS, where traffic is secured using the security profiles.

Good job! You now understand SIA use cases. Now, you will learn about SPA use cases.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of secure private access (SPA), you will be able to identify use cases for SPA.

FortiSASE SPA allows access to corporate applications that are protected by an on-premises data center or public cloud FortiGate. FortiSASE acts as a bridge to connect a remote worker to the corporate applications hosted behind your FortiGate device.
The appropriate level of security and access can be achieved by using one or more of the following:
ZTNA: FortiSASE integration with the FortiGate ZTNA access proxy
NGFW/SD-WAN: FortiSASE with an NGFW standalone hub or an existing SD-WAN deployment to form a traditional hub-and-spoke topology

ZTNA is an access control method that uses client device identification, authentication, and zero-trust tags to provide role-based application access. ZTNA grants access to applications only after device verification, authenticating the user's identity, authorizing the user, and then performing context-based posture checks using zero-trust tags. ZTNA functionality offers a direct connection to protected resources, without having to establish a persistent VPN tunnel. ZTNA use cases work well for TCP-based applications. This use case offers a direct (shortest) path to private resources and per-session user authentication, resulting in greater performance and security. ZTNA has the following requirements:
A FortiGate (on-premises or cloud deployment) configured as a ZTNA access proxy to control access to resources behind FortiGate, using zero-trust tags
FortiClient installed on remote endpoints

In the SPA NGFW use case, you must convert your existing FortiGate NGFW to a standalone IPsec VPN hub. The FortiSASE PoP acts as a spoke to this FortiGate NGFW hub. A secure tunnel is established between the FortiSASE PoPs and the FortiGate NGFW, and BGP is used to route traffic between them. FortiSASE remote users can access private resources behind the FortiGate hub(s) directly through FortiSASE over the IPsec tunnels to the hubs. This use case works well for seamless access to both TCP-based and UDP-based private applications hosted behind FortiGate.
In the SPA SD-WAN use case, you add FortiSASE as a spoke to an existing FortiGate SD-WAN deployment. FortiSASE security PoPs and the FortiGate SD-WAN hubs form a traditional hub-and-spoke topology that supports the Fortinet auto-discovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows the spokes of a traditional hub-and-spoke VPN to establish dynamic, on-demand direct tunnels (known as shortcut tunnels) between each other, to avoid routing through the topology's hub device. If a private resource is behind an organization's spoke device, FortiSASE can connect directly to that resource through an on-demand tunnel. Like the SPA NGFW use case, the SPA SD-WAN use case also works well for seamless access to TCP-based and UDP-based privately hosted applications.

Good job! You now understand SPA use cases. Now, you will learn about SSA use cases.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating a competent understanding of secure SaaS access (SSA), you will be able to identify use cases for SSA.

FortiSASE secures SaaS access and enables:
- Cloud application visibility: Discover cloud application usage across all sanctioned and unsanctioned (shadow IT) cloud applications to help enforce policy-based controls.
- Data security: Protect data in motion and at rest within cloud applications. Control productivity, privacy, compliance, and security of corporate and non-corporate tenants.
- Risk assessment: Evaluate application usage spikes to determine risk and ensure corporate data is handled safely.
Inline-CASB recognizes network traffic generated by many applications. Application control with inline-CASB uses IPS protocol decoders to analyze network traffic and detect application traffic, even if the traffic uses nonstandard ports or protocols. Application control with inline-CASB supports traffic detection over HTTP (versions 1.0, 1.1, and 2.0). FortiSASE uses the web filter and SSL deep inspection to intercept HTTP headers, and can modify them for outgoing traffic. By customizing HTTP headers for FortiSASE outgoing traffic destined for SaaS applications, the web filter with inline-CASB can control SaaS application behavior by restricting tenant access.

The cloud-native CASB service provides visibility, compliance, data security, and threat protection for cloud applications. Using direct API access, it enables deep inspection and policy management for data stored in SaaS and Infrastructure-as-a-Service (IaaS) applications. It also provides advanced tools for detailed user analytics and centralized management, to ensure that policies are enforced and your organization's data isn't getting into the wrong hands. Access to FortiCASB is included with per-user and per-endpoint FortiSASE licensing.

Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned about the common use cases of FortiSASE.
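The inline-CASB slide earlier in this lesson describes restricting SaaS tenant access by customizing HTTP headers on traffic that has passed SSL deep inspection. The following is an added example modelling that mechanism; it is not FortiSASE code. The header names are the tenant-restriction headers the two SaaS vendors document for this purpose (an assumption about what a deployment would configure); the allowed tenant corp.example and the sample requests are constructed.

```javascript
// Added example: a model of how a web filter with inline-CASB restricts SaaS
// tenant access by rewriting request headers after SSL deep inspection. Not
// FortiSASE code. Header names are the vendors' documented tenant-restriction
// headers (assumption); tenant values and sample requests are constructed.

const TENANT_RULES = [
  {
    app: "Microsoft 365",
    hostPattern: /(^|\.)login\.microsoftonline\.com$/i,
    headers: { "Restrict-Access-To-Tenants": "corp.example" },
  },
  {
    app: "Google Workspace",
    hostPattern: /(^|\.)google\.com$/i,
    headers: { "X-GoogApps-Allowed-Domains": "corp.example" },
  },
];

// Returns { app, headers } where headers is the rewritten header map. Names
// are compared case-insensitively: HTTP/1.x header names are case-insensitive
// and HTTP/2 lowercases them on the wire.
function applyTenantRestrictions(request) {
  const rule = TENANT_RULES.find((r) => r.hostPattern.test(request.host));
  if (!rule) return { app: null, headers: { ...request.headers } };

  const out = {};
  const managed = new Set(Object.keys(rule.headers).map((n) => n.toLowerCase()));
  for (const [name, value] of Object.entries(request.headers)) {
    // Drop any client-supplied copy of a managed header: the proxy must
    // overwrite, never append, or a client could widen the tenant allow-list.
    if (!managed.has(name.toLowerCase())) out[name] = value;
  }
  Object.assign(out, rule.headers);
  return { app: rule.app, headers: out };
}

// Constructed sample request as the proxy sees it after deep inspection,
// including a client-supplied copy of the managed header that must not survive.
const SAMPLE_M365_REQUEST = {
  host: "login.microsoftonline.com",
  headers: {
    Host: "login.microsoftonline.com",
    "User-Agent": "example-browser/1.0",
    "restrict-access-to-tenants": "other-tenant.example",
  },
};

console.log(applyTenantRestrictions(SAMPLE_M365_REQUEST));
```

Two points the example makes concrete: the rewrite is only possible because deep inspection exposes the plaintext request (without it the proxy sees only the TLS handshake), and the proxy must replace rather than append the header so that a value supplied by the endpoint cannot add tenants to the allow-list.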
Dashboards and Analytics

In this lesson, you will learn about dashboards and analytics on FortiSASE.

In this lesson, you will learn about the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in FortiView and dashboards, you will be able to effectively monitor and look up FortiSASE status and security events.

What is FortiView? FortiView is another method of inspecting current and previous events, in more aggregated views. Simply put, FortiView provides a consolidated series of consoles for administrators to analyze security events over a period of time, based on a number of different sorting criteria. Information can be presented in various graphical or text-based consoles to simplify the process of locating the data you're searching for. FortiView uses the logs that are available within the GUI, but presents metadata about them, rather than presenting each log individually. This can make searching easier, in some circumstances, compared to log viewing.

Multiple consoles are available by default under the Dashboards menu on the FortiSASE GUI. The time period selection drop-down menu, located on the upper-right section of the console, is used to narrow or expand the events to the past hour, day, or week. In the example shown on this slide, the FortiView Sources console has been loaded, which shows all of the sources that have generated traffic through FortiSASE in the past day.
Each entry displays the authenticated user account, a threat score, the total number of bytes uploaded and downloaded, the total number of sessions with a visual breakdown of blocked and allowed sessions, and the security point of presence (PoP) location the user is connected to.

Dashboards are customizable pages within the FortiSASE GUI that display a combination of system information, performance, and event widgets. You can also place FortiView console widgets in your dashboards. You can create dashboards to monitor various system events, security profile inspection events, and so on. You can customize the size, position, and appearance attributes of dashboard widgets. After you create a new dashboard, it appears as a menu option under the Dashboards menu on the GUI.

The Status dashboard that you see when you first log in contains some of the most common FortiSASE widgets for monitoring the status of the device. As this slide shows, some of these widgets track the health status of FortiSASE components, license entitlement, managed endpoints, the user connection monitor, and so on. In addition to providing real-time details, you can also add FortiView consoles to dashboards as widgets. You can add widgets to any dashboard by clicking Add Widget on the upper-left section of the dashboard. Some widgets are interactive, allowing you to drill down into details. You can click More Information on the Health Status widget to be redirected to status.fortisase.com, which provides the health status of all the FortiSASE components and a list of the ongoing and past FortiSASE infrastructure maintenance.

You can click the Managed Endpoints widget to view all FortiClient endpoints connected to FortiSASE.
On the Managed Endpoints window, you can view endpoint details, such as OS, hardware, ZTNA tags, and so on. You can also enable or disable the management connection to FortiClient from FortiSASE. You can click the User Connection Monitor widget to view all the remote users connected to FortiSASE for secure internet access, and their authentication method.

The Security dashboard contains information about which security features are enabled in each security profile group, and a vulnerability summary of all the FortiClient endpoints connected to FortiSASE. You can view details about vulnerabilities by clicking the category you want, such as Operating System. You can click the desired vulnerability, and then click View Affected Endpoints to see which endpoints are vulnerable.

The Private Access dashboard contains information about the health status of the VPN tunnel from FortiSASE to the FortiGate hub, and the top ten users that access the corporate resources hosted behind the FortiGate hub. You can also verify the private access hub status and location by using the asset map on the Network > Asset Map page.

Good job! You now understand FortiView and dashboards. Now, you will learn about logging on FortiSASE.

After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in logging, you will be able to analyze log data on FortiSASE more effectively.
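FortiView, as described earlier in this lesson, presents aggregated metadata over the logs rather than each log line, and the FortiView Sources console shows per-source user, threat score, bytes up and down, sessions with a blocked/allowed breakdown, and PoP location. The following added example (not FortiSASE code) builds that kind of summary from raw traffic logs, which is also the basis for the logging material that follows. The log lines are constructed; their key=value layout follows FortiOS traffic-log conventions (an assumption about FortiSASE log format), and popname is a placeholder field for the PoP location, which this page does not name.

```javascript
// Added example: building a FortiView Sources-style summary from raw traffic
// logs. Not FortiSASE code. The log lines are constructed; their key=value
// layout follows FortiOS traffic-log conventions (assumption), and "popname"
// is a placeholder field for the PoP location.

const SAMPLE_LOGS = [
  'date=2023-11-30 time=09:00:01 type="traffic" subtype="forward" user="alice" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 action="accept" sentbyte=1200 rcvdbyte=48000 crscore=0 popname="ams"',
  'date=2023-11-30 time=09:00:07 type="traffic" subtype="forward" user="alice" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 action="accept" sentbyte=800 rcvdbyte=12000 crscore=0 popname="ams"',
  'date=2023-11-30 time=09:01:15 type="traffic" subtype="forward" user="alice" srcip=10.0.0.5 dstip=203.0.113.9 dstport=80 action="deny" utmaction="block" sentbyte=300 rcvdbyte=0 crscore=30 msg="URL belongs to a denied category" popname="ams"',
  'date=2023-11-30 time=09:02:40 type="traffic" subtype="forward" user="bob" srcip=10.0.0.9 dstip=198.51.100.4 dstport=443 action="accept" sentbyte=5000 rcvdbyte=2000 crscore=0 popname="fra"',
  'date=2023-11-30 time=09:03:00 type="event" subtype="system" user="bob" msg="not a traffic log, ignored by the summary"',
];

// Parse one key=value line; quoted values may contain spaces.
function parseLogLine(line) {
  const fields = {};
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    fields[m[1]] = m[3] !== undefined ? m[3] : m[2];
  }
  return fields;
}

// Aggregate per source the way the FortiView Sources console does: sessions,
// blocked vs allowed, bytes uploaded (sentbyte) and downloaded (rcvdbyte),
// threat score (crscore, summed here) and the PoP(s) the user connected to.
function summarizeSources(lines) {
  const bySource = new Map();
  for (const line of lines) {
    const f = parseLogLine(line);
    if (f.type !== "traffic") continue;           // event logs carry no session data
    const key = f.user || f.srcip;                 // fall back to IP for unauthenticated sources
    const s = bySource.get(key) || {
      user: key, srcip: f.srcip, sessions: 0, blocked: 0, allowed: 0,
      bytesUp: 0, bytesDown: 0, threatScore: 0, pops: new Set(),
    };
    s.sessions += 1;
    if (f.action === "deny" || f.utmaction === "block") s.blocked += 1;
    else s.allowed += 1;
    s.bytesUp += Number(f.sentbyte || 0);
    s.bytesDown += Number(f.rcvdbyte || 0);
    s.threatScore += Number(f.crscore || 0);
    if (f.popname) s.pops.add(f.popname);
    bySource.set(key, s);
  }
  // Sort by total bytes, descending, as the console's default ordering would.
  return [...bySource.values()]
    .map((s) => ({ ...s, pops: [...s.pops].sort() }))
    .sort((a, b) => (b.bytesUp + b.bytesDown) - (a.bytesUp + a.bytesDown));
}

console.table(summarizeSources(SAMPLE_LOGS));
```

The parser keeps quoted values whole (the msg field in the third line contains spaces), and the summary skips non-traffic logs, which is the same filtering FortiView applies implicitly when a console is built from one log type.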
When traffic passes from endpoints to the internet through FortiSASE, FortiSASE scans the traffic and then takes action based on the policies in place. This activity is recorded, and the information is contained in a log message. The log message is stored in a log file. The log file is then stored on the logging service that was configured when FortiSASE was deployed. Fort