SPA using NGFW

Organizations with an existing FortiGate next generation firewall (NGFW) deployment can give their FortiSASE remote users access to private resources behind that firewall. This use case offers broad, seamless access to privately hosted applications, both TCP- and UDP-based.

In the NGFW SPA use case, you first convert the NGFW into a standalone IPsec VPN hub. The FortiSASE security points of presence (PoPs) then act as spokes to this hub, relying on IPsec VPN overlays and BGP to secure and route traffic between the PoPs and the networks behind the organization’s NGFW. This example design supports up to four hubs.

For a list of product prerequisites, see SPA using a FortiGate SD-WAN hub.

A typical topology for deploying this example design is as follows:

FortiSASE security PoPs and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other to avoid routing through the topology's hub device.

FortiSASE remote users can reach private resources behind a FortiGate hub directly over the FortiSASE-to-hub IPsec tunnel. If a private resource sits behind one of the organization’s spoke devices, the traffic can reach it over an on-demand, direct ADVPN shortcut tunnel between the FortiSASE PoP and that spoke. In both cases the session must originate on the FortiSASE side: the SPA use cases with FortiGate hubs only allow traffic to be initiated from the FortiSASE spokes toward the FortiGate spokes, not in the reverse direction.