Question 53 Discussion

An organization must ensure that connected users can access only the company SaaS tenant while blocking personal tenants. Which FortiSASE feature can help meet this requirement? (Choose one answer)

  • A. Intrusion prevention under the Security Profile
  • B. API-Based CASB from FortiSASE
  • C. DNS Filter under the Security Profile
  • D. Inline-CASB Headers under Web-Filtering
Correct Answer: D

Brave-Dump Clients Votes

D 100%

Comments



Miguel 2025-12-16 00:35:30

Selected Answers: D


D is the correct answer, because the requirement is not “block a domain”—it’s to allow access only to the company SaaS tenant while blocking personal tenants within the same SaaS service (for example, Microsoft 365, Google Workspace, Salesforce, etc.).

In real life, personal tenants and corporate tenants often use the same FQDNs/URLs (e.g., login.microsoftonline.com, office.com, accounts.google.com).
Therefore:
DNS Filter (C) cannot reliably distinguish “corporate tenant vs personal tenant” if both rely on the same domains.

IPS (A) is not relevant: IPS detects and blocks attack patterns/exploits, not which tenant a user logs into.

API-Based CASB (B) is typically out-of-band. It’s great for visibility, auditing, and remediation via SaaS APIs (posture, files, sharing, etc.), but it’s not the usual mechanism to stop a user in real time from signing in to a personal tenant during web access.

Inline-CASB Headers (D) is designed exactly for this use case: since FortiSASE is in the traffic path (proxy/web inspection), it can inject specific HTTP headers toward the SaaS provider to enforce the SaaS vendor’s own tenant restriction capability. As a result, if a user tries to authenticate to a personal tenant, the SaaS rejects it, and if the user authenticates to the approved corporate tenant, it works.
CORRECT - D
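The header-injection step described in the comment above, as an added Python example that is not part of the original discussion and is not FortiSASE configuration. The header names are the ones Microsoft and Google document for tenant restrictions; the function name, rule table and tenant values are constructed placeholders, and the proxy is assumed to decrypt the HTTPS session so it can see and modify request headers.

```python
# Added example: models what an inline proxy does to an outbound request.
# Tenant domain and directory ID below are constructed placeholders.
MS_RULE = {
    "Restrict-Access-To-Tenants": "corp.example.com",
    "Restrict-Access-Context": "00000000-0000-0000-0000-000000000000",
}
RULES = {
    "login.microsoftonline.com": MS_RULE,
    "login.microsoft.com": MS_RULE,
    "login.windows.net": MS_RULE,
    "accounts.google.com": {"X-GooGApps-Allowed-Domains": "corp.example.com"},
}


def inject_tenant_headers(host, headers, rules=RULES):
    """Return the header dict the proxy forwards to the SaaS provider.

    1. Drop any client-supplied copy of a restriction header (matched
       case-insensitively) so the endpoint cannot pre-set its own tenant.
    2. Add the policy's headers when the destination host has a rule.
    Hosts without a rule pass through with only step 1 applied.
    """
    controlled = {name.lower() for rule in rules.values() for name in rule}
    out = {k: v for k, v in headers.items() if k.lower() not in controlled}
    # Normalise case and a trailing dot before the lookup.
    out.update(rules.get(host.lower().rstrip("."), {}))
    return out


if __name__ == "__main__":
    # Constructed request: the client tries to smuggle its own tenant value.
    request = {
        "User-Agent": "demo",
        "restrict-access-to-tenants": "personal.example.net",
    }
    print(inject_tenant_headers("login.microsoftonline.com", request))
    print(inject_tenant_headers("example.org", {"Accept": "*/*"}))
```

The accept or reject decision is still made by the SaaS identity provider when it reads these headers; the proxy only guarantees they are present and not client-controlled.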