Design examples

Consider an example architecture for an organization that wants to extend its security perimeter to remote users for Secure Internet Access (SIA), hosts multiple applications internally, and uses multiple SaaS applications from a variety of providers.

This organization has the following security goals, each paired with the corresponding SASE solution:

Security Goal: Ensure Secure Internet Access to remote users with endpoints such as workstations and mobile devices
SASE Solution: Secure Internet Access for agent-based remote users using FortiClient and the FortiSASE FWaaS

Security Goal: Ensure Secure Internet Access to remote users for web traffic only, or for endpoints based on web browsers such as Chromebooks
SASE Solution: Secure Internet Access for agentless remote users using an explicit web proxy configured in the web browser and the FortiSASE SWG service

Security Goal: Ensure Secure Internet Access for sites using a thin-edge device
SASE Solution: Secure Internet Access for site-based remote users using FortiExtender as a LAN extension to FortiSASE

Security Goal: Ensure Secure Internet Access for sites using a FortiGate device while providing Secure Private Access to private resources behind the FortiGate
SASE Solution: Secure Internet Access for site-based remote users using FortiGate as a LAN extension to FortiSASE

Security Goal: Ensure Secure Internet Access for sites using a FortiAP edge device
SASE Solution: Secure Internet Access for site-based remote users using FortiAP managed by FortiSASE

Security Goal: Control direct access to internal networks for TCP-based applications such as web applications or remote desktop
SASE Solution: Secure Private Access using FortiGate ZTNA access proxies, FortiClient, and the FortiSASE Endpoint Management Service

Security Goal: Allow seamless access to internal networks behind existing FortiGate SD-WAN networks for TCP-based and UDP-based applications
SASE Solution: Secure Private Access using SD-WAN

Security Goal: Allow seamless access to internal networks behind newly deployed FortiGate NGFW for TCP-based and UDP-based applications
SASE Solution: Secure Private Access using NGFW

Security Goal: Allow seamless access to internal networks behind existing FortiGate SD-WAN networks for TCP-based and UDP-based applications using Fabric Overlay Orchestrator
SASE Solution: Secure Private Access (SPA) using NGFW and Fabric Overlay Orchestrator

Security Goal: Monitor, analyze, and report on suspicious user activity, threats, and policy compliance for SaaS applications using API-based deep inspection
SASE Solution: Secure SaaS Access using FortiCASB

Security Goal: Restrict tenant access to SaaS applications using FortiSASE Web Filter with Inline-CASB and SSL deep inspection; allow, monitor, or block SaaS traffic using FortiSASE Application Control with Inline-CASB and SSL deep inspection
SASE Solution: Secure SaaS Access using FortiSASE Inline-CASB

This section covers each individual FortiSASE use case and the design and topology deployed for it. These individual topologies can be combined when use cases are combined to meet your security goals and requirements.