
Fortinet NSE7_SSE_AD-25 Exam - Topic 2 Question 1 Discussion

Actual exam question for Fortinet's NSE7_SSE_AD-25 exam
Question #: 1
Topic #: 2

Refer to the exhibits.

A FortiSASE administrator has configured FortiSASE as a spoke to a FortiGate hub. The tunnel is up to the FortiGate hub. However, the remote FortiClient is not able to access the web server hosted behind the FortiGate hub. What is the reason for the access failure? (Choose one answer)

Suggested Answer: C

Based on the detailed analysis of the provided exhibits (image_65feb6.jpg), the connectivity failure is caused by a mismatch in the Hub firewall policy configuration.

Endpoint Analysis: The Network Diagram shows the FortiClient endpoint has an IP address of 100.65.80.2/20 and currently carries the FortiSASE-Compliant ZTNA tag.

FortiSASE Policy Validation: The Private access policy on FortiSASE shows an 'Accept' rule for traffic originating from 'FortiSASE-Compliant' sources destined for 'All Private Access Traffic'. This confirms the traffic is successfully leaving the FortiSASE PoP.

Routing Validation: The Learned BGP Routes table on FortiSASE shows the prefix 10.160.160.0/24 (the server subnet) correctly received via next hop 10.11.11.1, so routing is established.

Hub Firewall Policy Error: Examining the hub firewall policy (edit 7), the srcaddr is set to 'SASE_Remote_Access'. The address object definition for 'SASE_Remote_Access' is configured with the subnet 10.11.11.0 255.255.255.0.

The Conflict: The FortiClient's actual IP address (100.65.80.2) does not fall within the 10.11.11.0/24 range defined in the policy's source address. On a FortiGate hub, for traffic to be permitted through the tunnel to the internal server, the firewall policy must include the specific subnet assigned to the remote clients, not just the tunnel interface subnet. Because the FortiClient address range is missing from the hub's policy, the traffic is dropped at the hub.
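As an added illustration (not part of the exam material or any Fortinet tooling), the check below parses a constructed FortiGate-CLI-style hub configuration and reports accept policies whose srcaddr objects do not contain the FortiClient address pool; the object name SASE_Client_Pool and the corrected variant are assumptions made for the example.

```python
import ipaddress
import re
# Constructed FortiGate-CLI-style excerpt (not the exam exhibit): policy 7 only
# allows the tunnel subnet object, while FortiClient endpoints get 100.65.80.0/20.
HUB_CONFIG = """
config firewall address
    edit "SASE_Remote_Access"
        set subnet 10.11.11.0 255.255.255.0
    next
    edit "SASE_Client_Pool"
        set subnet 100.65.80.0 255.255.240.0
    next
    edit "Server_Subnet"
        set subnet 10.160.160.0 255.255.255.0
    next
end
config firewall policy
    edit 7
        set srcaddr "SASE_Remote_Access"
        set dstaddr "Server_Subnet"
        set action accept
    next
end
"""
# Corrected variant (assumed fix): the client pool object is added to srcaddr.
FIXED_CONFIG = HUB_CONFIG.replace(
    'set srcaddr "SASE_Remote_Access"',
    'set srcaddr "SASE_Remote_Access" "SASE_Client_Pool"')

def parse_addresses(cfg):
    """Map address-object name -> ip_network, from 'set subnet <ip> <mask>'."""
    return {name: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for name, ip, mask in re.findall(
                r'edit "([^"]+)"\s+set subnet (\S+) (\S+)', cfg)}

def parse_policies(cfg):
    """Map numeric policy id -> (list of srcaddr object names, action)."""
    policies = {}
    for pid, body in re.findall(r'edit (\d+)\n(.*?)\n\s*next', cfg, re.S):
        src = re.findall(r'"([^"]+)"', re.search(r'set srcaddr (.*)', body).group(1))
        policies[int(pid)] = (src, re.search(r'set action (\S+)', body).group(1))
    return policies

def policies_missing_client_pool(cfg, client_pool):
    """Ids of accept policies whose srcaddr objects do not contain client_pool."""
    nets, pool = parse_addresses(cfg), ipaddress.ip_network(client_pool, strict=False)
    return [pid for pid, (src, action) in parse_policies(cfg).items()
            if action == "accept"
            and not any(pool.subnet_of(nets[n]) for n in src if n in nets)]
```

Run against the client's own address (100.65.80.2/20) the original config flags policy 7 and the corrected one flags nothing.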
