Administration Guide

Endpoint mode

In endpoint mode, endpoints connect to a FortiSASE VPN tunnel to secure their traffic. Once provisioned, clients are connected through an always-up VPN connection to ensure FortiSASE scans traffic to the internet.

This mode requires FortiSASE user-based licensing. See the SASE and Zero Trust Ordering Guide.

The provisioning process for endpoint mode is as follows:

  1. The administrator initializes the FortiSASE environment.
  2. The administrator configures policies and security components in FortiSASE as desired. See Adding policies to perform granular firewall actions and inspection.
  3. The administrator provisions end users on FortiSASE and emails invitations to them. FortiSASE supports remote authentication methods such as LDAP. See Authentication Sources and Access for descriptions of the provisioning process for different authentication methods.
  4. FortiClient is downloaded to endpoints and connected to FortiClient Cloud using the code included in the invitation email. The administrator can complete this step when preprovisioning endpoints before distributing them to end users, or the end users can complete it themselves.
  5. FortiClient connects to FortiClient Cloud to activate its FortiSASE license and provision the FortiSASE VPN tunnel.
  6. End users connect to the FortiSASE tunnel to secure their traffic.
  7. FortiSASE applies the appropriate policies to endpoints.
  8. The administrator can view logs in FortiSASE and modify the configuration as desired. See Logging.

Endpoint mode also supports configuring Zero Trust Network Access (ZTNA). In this deployment configuration, FortiSASE joins the Fortinet Security Fabric to share endpoint information with the FortiGate, allowing a corporate FortiGate to implement ZTNA for remote users who are already registered to FortiSASE. See the FortiSASE ZTNA Deployment Guide for details.
