A customer configured the On/off-net detection rule to disable FortiSASE VPN auto-connect when users are inside the corporate network. The rule is set to Connects with a known public IP using the company's public IP address. However, when the users are on the corporate network, the FortiSASE VPN still auto-connects. The customer has confirmed that traffic is going to the internet with the correct IP address.

Which configuration is causing the issue? (Choose one answer)

The FortiSASE On/off-net detection feature is a two-part configuration designed to optimize bandwidth and user experience by determining when a device is in a trusted environment.
Rule Set Definition: The first part involves defining what constitutes an 'on-net' or 'on-fabric' status. In this scenario, the customer successfully configured a rule set named CERT-PUBLIC-IP using the Connects with a known public IP detection type. This tells FortiSASE that if the endpoint's public WAN IP matches the corporate gateway, it is considered to be on the corporate network.
Profile Exemption Logic: Defining the rule set is not enough to stop the VPN connection. Within the Endpoint Profile (under the Connection tab > On/off-net Settings), there is a specific toggle labeled Exempt endpoint from FortiSASE auto-connect when endpoint is on-net (or in some versions, Bypass FortiSASE when endpoint is on-net).
Exhibit Analysis: Looking at the provided exhibit (image_57097d.jpg), the 'Exempt endpoint from FortiSASE auto-connect...' toggle is clearly disabled (switched to the left).
Root Cause: Because this toggle is disabled, FortiClient identifies that it is 'on-net' based on the IP rule, but it has no instruction to skip the VPN connection. Consequently, the Automatically initiate tunnel setting remains the dominant instruction, causing the VPN to connect regardless of the network location.
To resolve the issue, the administrator must enable the Exempt endpoint from FortiSASE auto-connect when endpoint is on-net option in the SASECert01 profile.