View all questions & answers for the FCSS - FortiSASE 25 Administrator Exam Materials exam


Question 50 Discussion

Which two of the following can release the network lockdown on the endpoint applied by FortiSASE? (Choose two answers)

  • A. When the endpoint connects to the FortiSASE tunnel
  • B. When the endpoint is determined as on-net
  • C. When the endpoint is rebooted
  • D. When the endpoint is determined as compliant using ZTNA tags
Correct Answer: A,B

Brave-Dump Clients Votes

AB 60%
AC 20%
AD 20%

Comments



Jo 2025-07-30 05:41:45

Selected Answers: A, B


AB
FortiClient exits from network lockdown when the endpoints are determined to be on-net again or when a VPN connection is established.

Page 135 study guide


leocopek 2025-07-31 19:05:52

Selected Answers: A, C


The grace period provides some time for users to attempt connecting to the FortiSASE Cloud Security tunnel or an alternate or personal tunnel to regain on-net status. Any tunnel connection attempt made during the grace period resets the grace period for the respective endpoint. During the grace period, users can retry authenticating to the tunnel, up to a configurable maximum tunnel authentication limit, beyond which endpoints must be rebooted to refresh their tunnel authentication attempt limits.


Eslam Mohamed 2025-08-18 14:33:17

Selected Answers: A, B


A. When the endpoint connects to the FortiSASE tunnel. Network lockdown is enforced only while off-fabric/not connected; connecting to the VPN tunnel satisfies the condition and lifts lockdown.
B. When the endpoint is determined as on-net. FortiSASE’s docs state lockdown activates only when an endpoint is off-net, so once it’s identified as on-net, lockdown no longer applies.


Mohamed laamouri 2025-10-25 14:41:08

Selected Answers: A, B


Network lockdown activates only when an endpoint is off-net. FortiClient exits from network lockdown when the endpoint is determined to be on-net again.


Taz 2025-11-02 12:35:09

Selected Answers: A, D


The two correct answers are A. When the endpoint connects to the FortiSASE tunnel and D. When the endpoint is determined as compliant using ZTNA tags.


Explanation:

Connecting to the FortiSASE tunnel: This establishes a secure connection, allowing the endpoint to be considered "on-net" and potentially release the lockdown.

ZTNA tag compliance: FortiSASE uses Zero Trust Network Access (ZTNA) tags to verify an endpoint's security posture. If the endpoint meets the ZTNA tag requirements, it is considered compliant and can be released from the lockdown.

Why the other options are incorrect:

When the endpoint is determined as on-net: While being on-net can be a condition for releasing the lockdown, it's not the sole factor. The endpoint must also be connected to the FortiSASE tunnel and/or be compliant with ZTNA tags.


When the endpoint is rebooted: Rebooting an endpoint doesn't automatically guarantee compliance or secure connection. It only restarts the device, and further verification through tunnel connection or ZTNA tag evaluation is needed.