FortiSASE integrates with a FortiGate next-generation firewall (NGFW) device that is already protecting an organization’s network. This integration allows remote users to access these protected networks by deploying either secure web gateway (SWG) with SSL VPN, or FortiClient with FortiGate zero trust network access (ZTNA).
For organizations that already use VPN for remote access and want to secure their remote clients from malware and malicious attacks, endpoints can use SWG mode to secure Internet access through the FortiSASE SWG while using VPN connections to an NGFW to remotely access protected networks.
For networks already using FortiGate NGFW devices, you can implement this solution by configuring proxy settings in the endpoint’s system settings or web browser settings, and by using FortiClient software and SSL VPN configured on the FortiGate. The diagram depicts this architecture:
FortiSASE exempts traffic that is destined for corporate networks over the SSL VPN from being proxied by the FortiSASE SWG. FortiClient uses SSL VPN split tunneling to tunnel only the traffic destined for the corporate network. Therefore, with this solution, remote users establish distinct yet secure connections for all their traffic: Internet traffic goes through the FortiSASE SWG, and corporate network traffic goes through the SSL VPN tunnel to the FortiGate.
For complete deployment details, see the FortiSASE SWG with VPN Deployment Guide.
For organizations that are ready to deploy ZTNA for remote access and still want to protect their remote endpoints’ Internet access, endpoints can use endpoint mode for secure Internet access through the FortiSASE firewall-as-a-service while relying on the integration between FortiSASE, FortiGate, and the FortiClient endpoint to securely access resources behind a FortiGate acting as a ZTNA access proxy. The diagram depicts this architecture:
Unlike traditional IPsec and SSL VPN, ZTNA offers direct connections to protected resources without requiring the establishment of a persistent tunnel.
The key to ZTNA is verifying the connecting device's and user's identities and ensuring the device's security posture before admitting it to the protected network. These security checks happen instantly and transparently thanks to the integration between FortiSASE, FortiGate, and the FortiClient endpoint. If a device cannot pass these security checks, it is considered untrusted and the connection is rejected.
For complete deployment details, see the FortiSASE and ZTNA Deployment Guide.