Site-based remote users using FortiGate SD-WAN as a secure edge
Note

FortiGate SD-WAN as a secure edge is a controlled General Availability feature that requires a separate FortiSASE subscription license per FortiGate. All FortiGate F-series and G-series desktop platforms running FortiOS 7.4.2 and above can support FortiSASE Secure Edge connectivity.

Contact your Fortinet Sales/Partner representative to purchase a FortiSASE subscription license for each FortiGate and to enable this feature for your tenant after it has been licensed accordingly.

You can configure a FortiGate SD-WAN device as a LAN extension by setting up a VXLAN-over-IPsec tunnel between the FortiGate and FortiSASE. This creates a layer 2 network between FortiSASE and the network behind the remote FortiGate. In this use case, the FortiGate centralizes the site's connectivity to the FortiSASE FWaaS, so the endpoints only need their IP settings configured to use the FortiGate as the default gateway. For more details, see FortiGate LAN extension.

Therefore, for this use case, individual workstation or device setup is minimized: FortiClient does not need to be installed on endpoints, and browser-based endpoints do not require explicit web proxy settings to be configured.

Also, for this use case, FortiSASE can be configured using Secure Private Access (SPA) support as described later, to allow other FortiSASE remote users to access private resources behind the FortiGate device configured as either an SD-WAN hub or an NGFW converted to an SPA hub.

A typical topology for deploying this example design is as follows:
