Design examples
We can consider an example architecture for an organization that would like to extend its security perimeter to remote users for Secure Internet Access (SIA), hosts multiple applications internally, and makes use of multiple SaaS applications from a variety of providers.
This organization has the following security goals and the corresponding SASE solution for each of these goals:
| Security Goal | SASE Solution |
|---|---|
| Ensure Secure Internet Access to remote users with endpoints such as workstations and mobile devices | Secure Internet Access for agent-based remote users using FortiClient and the FortiSASE FWaaS |
| Ensure Secure Internet Access to remote users for web traffic only, or for endpoints based on web browsers such as Chromebooks | Secure Internet Access for agentless remote users using explicit web proxy on web browsers and the FortiSASE SWG service |
| Ensure Secure Internet Access for sites using a thin-edge device | Secure Internet Access for site-based remote users using FortiExtender as a LAN extension to FortiSASE |
| Ensure Secure Internet Access for sites using a FortiGate device while providing Secure Private Access to private resources behind the FortiGate | Secure Internet Access for site-based remote users using FortiGate as a LAN extension to FortiSASE |
| Ensure Secure Internet Access for sites using a FortiAP edge device | Secure Internet Access for site-based remote users using FortiAP managed by FortiSASE |
| Control direct access to internal networks for TCP-based applications such as web applications or remote desktop | Secure Private Access using FortiGate ZTNA access proxies, FortiClient, and FortiSASE Endpoint Management Service |
| Allow seamless access to internal networks behind existing FortiGate SD-WAN networks for TCP-based and UDP-based applications | Secure Private Access using SD-WAN |
| Allow seamless access to internal networks behind newly deployed FortiGate NGFW for TCP-based and UDP-based applications | Secure Private Access using NGFW |
| Allow seamless access to internal networks behind existing FortiGate SD-WAN networks for TCP-based and UDP-based applications using Fabric Overlay Orchestrator | SPA using NGFW and Fabric Overlay Orchestrator |
| Monitor, analyze, and report on suspicious user activity, threats, and policy compliance for SaaS applications using API-based deep inspection | Secure SaaS Access using FortiCASB |
| Restrict tenant access to SaaS applications using FortiSASE Web Filter with Inline-CASB and SSL deep inspection. Allow, monitor, or block SaaS traffic access using FortiSASE Application Control with Inline-CASB and SSL deep inspection | Secure SaaS Access using FortiSASE Inline-CASB |
This section focuses on each of the individual FortiSASE use cases and the corresponding designs and topologies deployed in those use cases. Note that these individual topologies can be combined when FortiSASE use cases are combined according to your security goals and requirements.