Planning and provisioning

This section outlines the general deployment workflow for planning and provisioning the designs that previous sections describe.

SIA for agent-based remote users

  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed.
  2. Configure remote authentication and onboard users.
  3. Configure policies to apply desired scanning and filtering for your users.
  4. Download and install FortiClient on Windows, macOS, and Linux endpoints.
  5. Using the invitation code, connect FortiClient to FortiSASE to activate the SASE license and provision the FortiSASE VPN tunnel.
  6. In FortiClient, connect to the FortiSASE tunnel using the username and password assigned to each user.
  7. Test access to the Internet using a remote device.

SIA for agentless remote users

  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed.
  2. Configure remote authentication and onboard users.
  3. Configure secure web gateway policies to apply desired scanning and filtering for your users.
  4. Download the proxy autoconfiguration (PAC) file from the FortiSASE portal. Customize the file to exclude internal corporate networks.
  5. Host the PAC file on an externally accessible server.
  6. Configure proxy settings on endpoints to point to the PAC file.
  7. Test access to the Internet using a remote device.
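A worked PAC file for step 4, added here as an illustration and not the file the FortiSASE portal generates: traffic for internal corporate networks goes DIRECT, everything else goes to the secure web gateway. The proxy host and port, the `.corp.example` domain and the private address ranges are placeholders and assumptions; replace them with the values from your downloaded PAC file and your own network plan.

```javascript
// Added example PAC file (not Fortinet's). The gateway string below is a
// PLACEHOLDER: copy the real PROXY entry from the PAC file downloaded from
// your FortiSASE portal. The internal domain and ranges are assumptions.
var FORTISASE_SWG = "PROXY swg.tenant-placeholder.example:8080";

// Browsers supply isPlainHostName/dnsDomainIs/isInNet to a PAC script; these
// minimal equivalents exist only so the logic can be exercised under node.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, pattern, mask) {
  var toInt = function (a) {
    var p = a.split(".");
    if (p.length !== 4) return -1;
    return (((+p[0]) << 24) | ((+p[1]) << 16) | ((+p[2]) << 8) | (+p[3])) >>> 0;
  };
  var h = toInt(ip), n = toInt(pattern), m = toInt(mask);
  if (h < 0 || n < 0 || m < 0) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

function FindProxyForURL(url, host) {
  // Hostnames without a domain part are local and never reach the gateway.
  if (isPlainHostName(host)) return "DIRECT";
  // Internal corporate domain (assumption) bypasses FortiSASE.
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // Only test IP literals against RFC 1918 ranges: browsers resolve a
  // hostname passed to isInNet(), which costs a DNS lookup per request.
  var isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIpLiteral && (isInNet(host, "10.0.0.0", "255.0.0.0") ||
                      isInNet(host, "172.16.0.0", "255.240.0.0") ||
                      isInNet(host, "192.168.0.0", "255.255.0.0") ||
                      isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }
  // Everything else is scanned and filtered by the FortiSASE web gateway.
  return FORTISASE_SWG;
}
```

Keep the bypass list short and explicit: every DIRECT rule is traffic the secure web gateway never sees, so an over-broad exclusion silently removes scanning and filtering for those destinations.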

SIA for site-based remote users

  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed.
  2. Register the FortiExtender 200F device used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE.
  3. Factory reset the FortiExtender and configure it via the FortiExtender GUI or CLI to connect to FortiSASE.
  4. Authorize the FortiExtender.
  5. Configure a policy to allow traffic from the thin-edge LAN to FortiSASE for secure Internet access (SIA) and apply desired scanning and filtering for your site-based users.
  6. Configure the remote user endpoints to direct Internet traffic to the FortiExtender as the default gateway.
  7. Test access to the Internet using a remote device.

SPA using ZTNA

  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed.
  2. Configure remote authentication and onboard users.
  3. Configure VPN policies to apply desired scanning and filtering for your users.
  4. Configure zero trust network access (ZTNA) tags and tagging rules.
  5. Connect the FortiGate to FortiSASE over the FortiClient Cloud Fabric connector. Authorize the FortiGate on FortiSASE. FortiSASE automatically synchronizes the tags to the FortiGate.
  6. On the FortiGate, configure remote authentication servers, authentication schemes, and rules.
  7. Configure ZTNA servers.
  8. Configure ZTNA policies and use user groups and ZTNA tags for access control.
  9. In FortiSASE, configure ZTNA connection rules to push to clients.
  10. Test and monitor the configuration using a remote device.

For details on ZTNA configuration on the FortiGate, see the ZTNA Deployment Guide. For details on integrating ZTNA with FortiSASE, see the FortiSASE SPA Using ZTNA Deployment Guide.

SPA Using SD-WAN

  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed.
  2. Ensure the FortiGate SD-WAN deployment has the proper configuration:
    1. Configure a new FortiGate SD-WAN deployment using FortiManager.
    2. Review and modify the configuration settings of an existing FortiGate SD-WAN deployment using FortiManager.
  3. Using the FortiSASE Secure Private Access page, configure the FortiSASE security PoPs as spokes of the FortiGate SD-WAN hub using its specific network attributes as parameters.
  4. Verify IPsec tunnels on the FortiGate SD-WAN hub(s).
  5. Verify BGP routing on the FortiGate SD-WAN hub(s).
  6. Test private access connectivity to the FortiGate SD-WAN network from remote users.

SPA Using NGFW

  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed.
  2. Convert the FortiGate next generation firewall (NGFW) to a FortiSASE SPA hub:
    1. Convert FortiGate NGFW configured using FortiOS CLI or GUI.
    2. Convert FortiGate NGFW managed by FortiManager.
  3. Using the FortiSASE Secure Private Access page, configure the FortiSASE security PoPs as spokes of the FortiSASE SPA hub using its specific network attributes as parameters.
  4. Verify IPsec tunnels on the FortiSASE SPA hub.
  5. Verify BGP routing on the FortiSASE SPA hub.
  6. Test private access connectivity to the FortiSASE SPA hub network from remote users.

SSA Using FortiSASE Inline-CASB

  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed.
  2. Configure remote authentication and onboard users based on SIA use cases.
  3. Configure SSL deep inspection.
  4. Customize inline-CASB headers for restricted SaaS access using web filter.
  5. Configure application control with Inline-CASB to control access to SaaS cloud applications, as desired.
  6. Configure policies to apply desired application control scanning and web filtering for your users.
  7. Establish connectivity to FortiSASE and redirect traffic for SIA.
  8. Test Web Filter with Inline-CASB using a FortiClient endpoint.
  9. Test Application Control with Inline-CASB using a FortiClient endpoint.
