
Administration Guide

Configuring a private access policy for server-to-client traffic

Secure private access (SPA) server-to-client communication allows traffic initiated from SPA hubs (or local networks behind SPA hubs) to remote users (currently VPN users only). This communication requires the Remote VPN and edge device user identification feature and additional configuration steps on the FortiGate SPA hub itself. See Prerequisites and considerations.

For details on SPA client-to-server communication, see Configuring a private access policy for client-to-server traffic.

To configure a private access policy to remote users from SPA hubs:
  1. Go to Configuration > Policies.
  2. Click the Private Access tab and then click the From hubs subtab.
  3. Click +Create to create a new policy.
  4. Configure these fields:

    Name: Enter a unique private access policy name.
    Source Scope:
      • Private Access Traffic: all private access traffic
      • Specify: specify selected private access hosts or host groups.
    Destination:
      • All: all FortiSASE users/devices
      • VPN Users: remote endpoint users
    Service: Click + and select services or service groups.
    Action: Accept or Deny.
    Profile Group: Default, or Specify and select a profile group.
    Force Certificate Inspection: Enabled or disabled. When enabled, this policy ignores the SSL inspection mode defined in the selected profile group and instead uses certificate inspection.
    Schedule: Select always or another recurring schedule.
    Status: Enable or disable.
    Log Allowed Traffic: Enable or disable.
      • Security Events: log traffic that has a security profile applied to it.
      • All Sessions: log all sessions that this policy accepts or denies.
    Comments: Enter comments up to the listed maximum number of characters.

  5. Click OK.

To configure a FortiGate SPA hub firewall policy required for traffic from SPA hubs:

On the FortiGate SPA hub, you must configure a firewall policy that allows traffic from the desired local interface(s), or from spokes behind the hub, to the remote VPN and edge device users via the SPA overlay. This policy ensures that traffic from networks connected to the FortiGate SPA hub is allowed to reach FortiSASE remote VPN and edge device users.

In this example, for the FortiGate SPA hub, the SPA overlay (IPsec VPN tunnel) is defined as fgt_hub1 and the local connected networks DMZ_HQ and LAN_HQ are on port2 and port4, respectively. Therefore, we create a policy that allows traffic from the local connected networks on the hub to the FortiSASE remote VPN users.

  1. On the FortiGate SPA hub, go to Policy & Objects > Firewall Policy.
  2. Click +Create New to create a new policy.
  3. Configure these fields:

    Name: Enter a unique firewall policy name.
    Incoming Interface: DMZ_HQ (port2), LAN_HQ (port4)
    Outgoing Interface: fgt_hub1
    Source: all
    Destination: All
    Schedule: always
    Service: ALL
    Action: ACCEPT
    NAT: Enable or disable NAT depending on the IP configuration of the organization’s FortiGate SPA hub.
    IP Pool Configuration: Use Outgoing Interface Address

  4. Click OK.
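The same hub firewall policy expressed in FortiOS CLI, as an added example that is not part of the original guide. It assumes the interface names from the example above (port2 for DMZ_HQ, port4 for LAN_HQ, fgt_hub1 for the SPA overlay); the policy name and the logtraffic setting are additions of this example, not values from the guide.

```fortios
# Added example: FortiOS CLI equivalent of the hub firewall policy described above.
# Assumes port2 = DMZ_HQ, port4 = LAN_HQ and fgt_hub1 = the SPA overlay tunnel.
# The policy name is made up for this example.
config firewall policy
    edit 0
        set name "HQ-to-FortiSASE-VPN-users"
        # Local networks behind the hub -> SPA overlay towards FortiSASE remote users
        set srcintf "port2" "port4"
        set dstintf "fgt_hub1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        # NAT: enable or disable depending on the hub's IP configuration.
        # With NAT enabled and no IP pool, the outgoing interface address is used.
        set nat enable
        set ippool disable
        # Logging all sessions is an addition beyond the GUI table, so that
        # server-to-client flows over the overlay are visible in the hub's traffic logs.
        set logtraffic all
    next
end
```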

Prerequisites and considerations

Prerequisites

  • The From hubs subtab and its functionality are only available on a FortiSASE instance with the remote VPN user identification feature, which is included with new instances created after the FortiSASE 24.3.b release and may need to be added on instances created before that release. See Remote VPN and edge device user identification. Otherwise, the From hubs subtab does not display.
  • Currently, FortiSASE supports traffic from SPA hubs to remote VPN users only.
  • On the FortiGate SPA hub, you must configure a firewall policy that allows traffic from the desired local interface(s), or from spokes behind the hub, to the remote VPN users via the SPA overlay. This policy ensures that traffic from networks connected to the FortiGate SPA hub is allowed to reach FortiSASE remote VPN users.

Considerations

  • For SSL VPN remote users, changes made to an existing Internet Access or Private Access policy take effect only after the SSL VPN users reconnect to FortiSASE.
  • With the addition of support for identity-based policies for edge devices in FortiSASE 24.3.a, the behaviour of edge device traffic under policies has changed in existing FortiSASE instances:
    • Any policies you created before FortiSASE 24.3.a specifically for edge devices (that is, policies with Source Scope set to Edge Devices) have User set to Captive Portal Exempt.
    • Any policies you created before FortiSASE 24.3.a with Source Scope set to All are not modified. Therefore, any edge devices whose traffic previously matched an All allow policy now have authentication enforced using the captive portal. To avoid captive portal authentication for impacted edge devices, you must explicitly create a new exemption policy and place it above any All allow policies. See Configuring an exemption policy for an edge device.
  • When SSO authentication is used with the captive portal for edge devices, you must add an exemption policy for the SAML IdP URLs, specified using hosts or infrastructure selections in the Destination field, so that SSO authentication traffic destined for the IdP bypasses the captive portal. See Configuring an exemption policy for SSO authentication for Entra ID.