Fortinet NSE5_SSE_AD-7.6 Exam - Topic 2 Question 4 Discussion

According to the FortiSASE 7.6 Administration Guide and the FCP - FortiSASE 24/25 Administrator curriculum, the Agentless deployment mode---commonly referred to as Secure Web Gateway (SWG) mode---is a vital component of the Secure Internet Access (SIA) framework.

Deployment Mechanism: In an agentless deployment, FortiSASE functions as an explicit web proxy. This is achieved by distributing a PAC (Proxy Auto-Configuration) file to the user's browser, which instructs the device to send its web traffic to the nearest FortiSASE Point of Presence (PoP).

Target Use Case: This mode is specifically designed for unmanaged endpoints, such as those used by contractors, partners, or temporary workers, where the organization does not have the authority or capability to install the FortiClient agent.

Security Capabilities: Even without an agent, FortiSASE applies a full security stack to the redirected traffic. This includes Web Filtering, Anti-Malware, SSL Inspection, and Inline-CASB to secure HTTP and HTTPS sessions.

Protocol Limitations: Because it relies on proxy settings, this mode is limited to web protocols (HTTP/HTTPS) and does not inherently secure non-web traffic like ICMP, DNS, or custom TCP/UDP applications unless they are specifically proxied.

Why other options are incorrect:

Option A: While it provides secure browsing, session isolation (RBI) is a specific feature that can be used in either mode; the defining characteristic of the agentless use case is the proxy-based redirection for unmanaged devices.

Option C: A PAC file can only secure web traffic (protocols that support proxying), not non-web traffic protocols.

Option D: Agentless mode is the opposite of requiring FortiClient; ZTNA tags generally require the FortiClient agent to provide the necessary telemetry for tag evaluation.