Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSASE Administration Guide

    Configuring a private access policy for client-to-server traffic

    Configuring a private access policy for client-to-server traffic

    Secure private access (SPA) client-to-server communication is the typical SPA use case, allowing traffic initiated from remote users (VPN users, secure web gateway (SWG) users, edge devices) to SPA hubs (or local networks behind SPA hubs).

    For details on SPA server-to-client communication, see Configuring a private access policy for server-to-client traffic.

    To configure a private access policy from remote VPN users and edge devices to SPA hubs:
    1. Go to Configuration > Policies.
    2. Click the Private Access tab and then click the To hubs subtab.
    3. Click +Create to create a new policy.
    4. Configure these fields:

      Field

      Value

      NameEnter a unique private access policy name.
      Source Scope
      • All: all FortiSASE VPN users and edge devices
      • VPN Users: remote endpoint users
      • Edge Device: Edge devices such as FortiExtender

      Source

      • All Edge Devices: Applies to all edge devices
      • Specify: specify selected hosts and host groups if you selected VPN Users, or authorized Edge devices if you selected Edge Device.

      User

      • Specify: specify selected users and user groups for all source scopes
      • Captive Portal Exempt: If Source Scope is set to Edge Device, exempt the edge device traffic from encountering a captive portal to determine the identity of a connected endpoint. By default, a captive portal is enforced when edge device traffic matches policies with Source Scope set to All.
      Destination
      • Private Access Traffic: all private access traffic
      • Specify: specify selected private access hosts or host groups
      ServiceClick + and select services or service groups.
      ActionAccept or Deny
      Profile GroupDefault or Specify and select a profile group.
      Force Certificate Inspection

      Enabled or disabled.

      When enabled, this policy ignores the SSL inspection mode defined in the selected profile group and instead uses certificate inspection.

      Schedule

      Select always or another recurring schedule.

      StatusEnable or disable.
      Log Allowed Traffic

      Enable or disable.

      • Security Events: log traffic that has a security profile applied to it.
      • All Sessions: log all sessions that this policy accepts or denies.

      Comments

      Enter comments up to the listed maximum number of characters.

    5. Click OK.
    To configure a private access policy from SWG users to SPA hubs:
    1. Go to Configuration > SWG Policies.
    2. Click the Private Access tab and then click the To hubs subtab.
    3. Click +Create to create a new policy.
    4. Configure these fields:

      Field

      Value

      NameEnter a unique private access policy name.
      Source Scope
      • All: all HTTP and HTTPS traffic from SWG users
      • Specify: specify selected hosts and host groups

      User

      • All Secure Web Gateway Users: All SWG users
      • Specify: specify selected users or users groups
      Destination
      • Private Access Traffic: all private access traffic
      • Specify: specify selected private access hosts or host groups
      ActionAccept or Deny
      Profile GroupDefault or Specify and select a profile group.
      Force Certificate Inspection

      Enabled or disabled.

      When enabled, this policy ignores the SSL inspection mode defined in the selected profile group and instead uses certificate inspection.

      Schedule

      Select always or another recurring schedule.

      StatusEnable or disable.
      Log Allowed Traffic

      Enable or disable.

      • Security Events: log traffic that has a security profile applied to it.
      • All Sessions: log all sessions that this policy accepts or denies.

      Comments

      Enter comments up to the listed maximum number of characters.

    5. Click OK.

    Considerations

    • For SSL VPN remote users, whenever changes are made to an existing Internet Access or Private Access policy, they take effect only after SSL VPN users reconnect to FortiSASE.

    • With the addition of support for identity-based policies for edge devices in FortiSASE 24.3.a, the behaviour of edge device traffic based on policies has changed in existing FortiSASE instances:

      • Any policies you created before FortiSASE 24.3.a, specifically for edge devices, namely, policies with Source Scope set to Edge Devices will have User set to Captive Portal Exempt.
      • Any policies you created before FortiSASE 24.3.a with Source Scope set to All will not be modified. Therefore, any edge devices whose traffic matched an All allow policy before will now have authentication enforced using the captive portal. You must explicitly create a new exemption policy and place it above any All allow policies to avoid captive portal authentication for any impacted edge devices. See Configuring an exemption policy for an edge device.

    • When SSO authentication is used with the captive portal for edge devices, you must add an exemption policy for the SAML IdP URLs specified using hosts or infrastructure selections for the Destination field to allow SSO authentication traffic destined for the IdP to bypass the captive portal. See Configuring an exemption policy for SSO authentication for Entra ID.

    Previous
    Next

    Configuring a private access policy for client-to-server traffic

    Configuring a private access policy for client-to-server traffic

    Secure private access (SPA) client-to-server communication is the typical SPA use case, allowing traffic initiated from remote users (VPN users, secure web gateway (SWG) users, edge devices) to SPA hubs (or local networks behind SPA hubs).

    For details on SPA server-to-client communication, see Configuring a private access policy for server-to-client traffic.

    To configure a private access policy from remote VPN users and edge devices to SPA hubs:
    1. Go to Configuration > Policies.
    2. Click the Private Access tab and then click the To hubs subtab.
    3. Click +Create to create a new policy.
    4. Configure these fields:

      Field

      Value

      NameEnter a unique private access policy name.
      Source Scope
      • All: all FortiSASE VPN users and edge devices
      • VPN Users: remote endpoint users
      • Edge Device: Edge devices such as FortiExtender

      Source

      • All Edge Devices: Applies to all edge devices
      • Specify: specify selected hosts and host groups if you selected VPN Users, or authorized Edge devices if you selected Edge Device.

      User

      • Specify: specify selected users and user groups for all source scopes
      • Captive Portal Exempt: If Source Scope is set to Edge Device, exempt the edge device traffic from encountering a captive portal to determine the identity of a connected endpoint. By default, a captive portal is enforced when edge device traffic matches policies with Source Scope set to All.
      Destination
      • Private Access Traffic: all private access traffic
      • Specify: specify selected private access hosts or host groups
      ServiceClick + and select services or service groups.
      ActionAccept or Deny
      Profile GroupDefault or Specify and select a profile group.
      Force Certificate Inspection

      Enabled or disabled.

      When enabled, this policy ignores the SSL inspection mode defined in the selected profile group and instead uses certificate inspection.

      Schedule

      Select always or another recurring schedule.

      StatusEnable or disable.
      Log Allowed Traffic

      Enable or disable.

      • Security Events: log traffic that has a security profile applied to it.
      • All Sessions: log all sessions that this policy accepts or denies.

      Comments

      Enter comments up to the listed maximum number of characters.

    5. Click OK.
    To configure a private access policy from SWG users to SPA hubs:
    1. Go to Configuration > SWG Policies.
    2. Click the Private Access tab and then click the To hubs subtab.
    3. Click +Create to create a new policy.
    4. Configure these fields:

      Field

      Value

      NameEnter a unique private access policy name.
      Source Scope
      • All: all HTTP and HTTPS traffic from SWG users
      • Specify: specify selected hosts and host groups

      User

      • All Secure Web Gateway Users: All SWG users
      • Specify: specify selected users or users groups
      Destination
      • Private Access Traffic: all private access traffic
      • Specify: specify selected private access hosts or host groups
      ActionAccept or Deny
      Profile GroupDefault or Specify and select a profile group.
      Force Certificate Inspection

      Enabled or disabled.

      When enabled, this policy ignores the SSL inspection mode defined in the selected profile group and instead uses certificate inspection.

      Schedule

      Select always or another recurring schedule.

      StatusEnable or disable.
      Log Allowed Traffic

      Enable or disable.

      • Security Events: log traffic that has a security profile applied to it.
      • All Sessions: log all sessions that this policy accepts or denies.

      Comments

      Enter comments up to the listed maximum number of characters.

    5. Click OK.

    Considerations

    • For SSL VPN remote users, whenever changes are made to an existing Internet Access or Private Access policy, they take effect only after SSL VPN users reconnect to FortiSASE.

    • With the addition of support for identity-based policies for edge devices in FortiSASE 24.3.a, the behaviour of edge device traffic based on policies has changed in existing FortiSASE instances:

      • Any policies you created before FortiSASE 24.3.a, specifically for edge devices, namely, policies with Source Scope set to Edge Devices will have User set to Captive Portal Exempt.
      • Any policies you created before FortiSASE 24.3.a with Source Scope set to All will not be modified. Therefore, any edge devices whose traffic matched an All allow policy before will now have authentication enforced using the captive portal. You must explicitly create a new exemption policy and place it above any All allow policies to avoid captive portal authentication for any impacted edge devices. See Configuring an exemption policy for an edge device.

    • When SSO authentication is used with the captive portal for edge devices, you must add an exemption policy for the SAML IdP URLs specified using hosts or infrastructure selections for the Destination field to allow SSO authentication traffic destined for the IdP to bypass the captive portal. See Configuring an exemption policy for SSO authentication for Entra ID.

    Previous
    Next