Fortinet NSE7_SSE_AD-25 Exam - Topic 2 Question 1 Discussion

Based on the detailed analysis of the provided exhibits (image_65feb6.jpg), the connectivity failure is caused by a mismatch in the Hub firewall policy configuration.

Endpoint Analysis: The Network Diagram shows the FortiClient endpoint has an IP address of 100.65.80.2/20 and currently carries the FortiSASE-Compliant ZTNA tag.

FortiSASE Policy Validation: The Private access policy on FortiSASE shows an 'Accept' rule for traffic originating from 'FortiSASE-Compliant' sources destined for 'All Private Access Traffic'. This confirms the traffic is successfully leaving the FortiSASE PoP.

Routing Validation: The Learned BGP Routes on FortiSASE table shows the prefix 10.160.160.0/24 (the Server subnet) is correctly received via Next Hop 10.11.11.1. Routing is correctly established.

Hub Firewall Policy Error: Examining the Hub firewall policy (edit 7), the srcaddr is set to 'SASE_Remote_Access'. Looking at the address object definition for 'SASE_Remote_Access,' it is configured with the subnet 10.11.11.0 255.255.255.0.

The Conflict: The FortiClient's actual IP address (100.65.80.2) does not fall within the 10.11.11.0/24 range defined in the policy's source address. On a FortiGate hub, for traffic to be permitted through the tunnel to the internal server, the firewall policy must include the specific subnet assigned to the remote clients, not just the tunnel interface subnet. Because the FortiClient address range is missing from the hub's policy, the traffic is dropped at the hub.