View all questions & answers for the NSE 7 - FortiSASE 25 Enterprise Administrator Exam Materials exam


Question 26 Discussion

Refer to the exhibit. A customer wants to fine-tune network assignments on FortiSASE, so they modified the IPAM configuration as shown in the exhibit. After this configuration, the customer started having connectivity problems and noticed that devices are using excluded ranges. What could be causing the unexpected behavior and connectivity problems? (Choose two answers)

  • A. The pool must include at least one /20 per security POP for the IPAM to work correctly.
  • B. The pool must include at least one /16 per Instance for the IPAM to work correctly.
  • C. The pool must include at least one /20 per Instance for the IPAM to work correctly.
  • D. The customer excluded too many networks from the pool.
Correct Answer: A,D

Brave-Dump Clients Votes

AD 100%

Comments



Brave-Dumps Admin 2025-10-30 13:55:58

Selected Answers: A, D


It needs an additional check.


javaughn Bryan 2025-11-21 19:19:14

Selected Answers: A, D


For A: When excluding subnets from the IPAM pool, you must leave a /20 subnet mask free for each security PoP and a /24 subnet mask free for each Edge device. This ensures that there are sufficient IP addresses to assign to each security PoP and Edge device. With IPAM, you cannot control which /20 subnet mask is assigned to which security PoP.

https://docs.fortinet.com/document/fortisase/latest/feature-administration-guide/51293/ip-management
(BOTTOM OF PAGE)

For D: Explanation:

The configured IP pool is 172.16.0.0/12. A /12 subnet has 1,048,576 total IP addresses. The customer has excluded eight /15 subnets. Each /15 subnet contains 131,072 IP addresses. The total excluded IP space is 8 * 131,072 = 1,048,576 IP addresses. This is the entire /12 pool. By excluding the entire range specified in the pool (172.16.0.0/15 to 172.30.0.0/15 covers the entire 172.16.0.0/12 block), there are no IP addresses left for FortiSASE to assign to tunnel and edge devices, which causes the connectivity problems.

Additionally, FortiSASE has a requirement to have a minimum allocation per Point-of-Presence (POP), which is a /20. If exclusions prevent this minimum allocation from being met, the configuration will fail. In this case, the exclusions leave no addresses at all, which certainly violates this requirement.

https://docs.fortinet.com/document/fortisase/latest/feature-administration-guide/51293/ip-management
(BOTTOM OF PAGE)
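
The arithmetic in the comment above can be checked before an IPAM change is applied. This is an added example, not part of the original comments and not Fortinet code: it subtracts the exclusions from the pool and tests the /20-per-security-PoP and /24-per-Edge-device minimums quoted above. The function names, the PoP and Edge counts, and the second "six exclusions" case are assumptions made for illustration.

```python
import ipaddress

# Values taken from the comment above.
POOL = "172.16.0.0/12"
EXCLUDED = [f"172.{octet}.0.0/15" for octet in range(16, 32, 2)]  # eight /15s


def free_blocks(pool, exclusions):
    """Return the CIDR blocks of `pool` that remain after all exclusions."""
    free = [ipaddress.ip_network(pool)]
    for raw in exclusions:
        excluded = ipaddress.ip_network(raw)
        remaining = []
        for block in free:
            if not block.overlaps(excluded):
                remaining.append(block)
            elif excluded.subnet_of(block):
                # Yields nothing when the exclusion equals the block.
                remaining.extend(block.address_exclude(excluded))
            # Otherwise the block lies wholly inside the exclusion: drop it.
        free = remaining
    return sorted(free)


def count_subnets(blocks, prefix):
    """How many subnets of length `prefix` fit in the free blocks."""
    return sum(2 ** (prefix - b.prefixlen) for b in blocks if b.prefixlen <= prefix)


def check_pool(pool, exclusions, security_pops, edge_devices=0):
    """Check the /20-per-security-PoP and /24-per-Edge-device minimums."""
    free = free_blocks(pool, exclusions)
    free_20s = count_subnets(free, 20)
    # Each /20 handed to a PoP consumes sixteen /24s.
    free_24s_after_pops = count_subnets(free, 24) - 16 * security_pops
    return {
        "free_blocks": [str(b) for b in free],
        "free_20s": free_20s,
        "pops_ok": free_20s >= security_pops,
        "edges_ok": free_20s >= security_pops and free_24s_after_pops >= edge_devices,
    }


if __name__ == "__main__":
    # security_pops=4 is an assumed count; the page does not state one.
    print(check_pool(POOL, EXCLUDED, security_pops=4))
    # Constructed variant: the last /14 is left free.
    print(check_pool(POOL, EXCLUDED[:6], security_pops=4, edge_devices=10))
```

With the eight exclusions from the comment, no free block remains and the /20 check fails; with only the first six, 172.28.0.0/14 stays free and both checks pass.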