SASE architecture

This section describes the overall secure access service edge (SASE) architecture and its goals. The following diagram illustrates the SASE architecture as Gartner describes it:

As the previous section describes, the standard firewall architecture, combined with the practice of working from anywhere, introduces network security challenges. Organizations can overcome these challenges using the SASE architecture.

The SASE architecture focuses on using a cloud-delivered security service that enforces secure access at the farthest network edge, namely, at the service edge or at the user endpoints. This architecture has the following goals:

  • Achieve secure internet access for off-net endpoints that connect to a cloud-delivered security service that comes between a user and the internet
  • Reduce latency by having off-net endpoints connect to a cloud-delivered security service's closest point of presence (PoP)
  • Meet off-net endpoints' traffic demand by providing a cloud-delivered security service that can scale dynamically
  • Reduce congestion by distributing endpoint traffic to different PoPs with sufficient geographical spread and avoiding a single point required for traffic flow
  • Enforce a zero trust model to provide protected network access for off-net endpoints

An endpoint or branch redirects its traffic bound for the cloud, a data center, or a software-as-a-service (SaaS) application so that it passes through a firewall-as-a-service or a secure web gateway, where the traffic is subject to security policies and advanced threat protection measures. For traffic redirection, remote users' endpoints rely on a software agent, while devices and branches rely on a thin edge device.

You can use cloud access security broker (CASB) and zero trust network access (ZTNA) services within the SASE architecture to restrict access to cloud/SaaS and data centers, respectively. In the SASE architecture, WAN connectivity from the branch to a cloud-delivered security service, or within the cloud-delivered service itself, can use a variety of WAN technologies, with SD-WAN currently at the forefront of those technologies.

The cloud-delivered security service is located between the remote endpoints and any networks those endpoints access, regardless of the location of the remote endpoints: essentially, moving the security to the cloud and delivering secure access from anywhere.