This document presents information about the secure access service edge (SASE) networking and security architecture and provides a broad overview of Fortinet’s SASE solution, a cloud-delivered service called FortiSASE.
SASE is an architecture that combines network, security, and WAN capabilities delivered as a service to provide endpoints (remote users, devices, and branches) with secure Internet, cloud, and data center network access. The SASE architecture achieves secure network access using network security technologies including firewall-as-a-service (FWaaS), secure web gateway (SWG), zero trust network access (ZTNA), and cloud access security broker (CASB), and relying on WAN technologies including software-defined wide-area network (SD-WAN).
Today’s work from anywhere environment makes it difficult for IT administrators to keep up with securing users’ devices. These users’ devices, also known as endpoints, are off-net, that is, located outside the corporate network. SASE extends network security functions beyond where they have been typically available in the past, namely, beyond an organization’s internal network. SASE aims to provide remote users and branches located anywhere with secure network access.
Typically, an organization has a remote user use a virtual private network (VPN) connection to redirect their Internet traffic to a next generation firewall (NGFW) located at its data center. After performing its security functions, the NGFW sends the user’s web traffic out the NGFW’s WAN link. Remote users with VPN connections established also experience high latency when accessing the Internet over this backhauled WAN connection because the firewall’s WAN link becomes congested with Internet traffic that other remote users generate. SASE reduces this latency by allowing remote users to connect directly to the closest geographical point-of-presence (PoP) for a cloud-delivered FWaaS. Also, each PoP can scale to meet user demand and reduce the possibility that a single WAN link becomes a congestion point for these remote users.
FortiSASE is Fortinet’s cloud-delivered security service that implements the SASE architecture (FWaaS, SWG, ZTNA) to provide secure access to remote users through the following use cases:
- Secure Internet access (SIA) when users access Internet and web-based applications
- Secure private access (SPA) when users access private company-hosted applications protected by a FortiGate NGFW
- Secure SaaS access (SSA) when users access SaaS applications
This document explores SASE concepts, components, and architecture, and describes how Fortinet delivers its SASE solution.
This concept guide is intended for a technical audience, including system and network architects, design engineers, network engineers, and security engineers who want to understand the SASE architecture and the FortiSASE service offering to secure their remote workers and branch offices.
This guide is targeted at small- and medium-sized organizations and enterprises. It assumes that the reader is familiar with basic concepts of applications, networking, routing, security, and proxies, and has a basic understanding of network and data center architectures.
This guide provides a broad overview of SASE concepts and introduces the FortiSASE cloud-delivered service and related Fortinet products used to deploy a SASE solution. It uses industry standard terminologies, with introductions to Fortinet specific terms, concepts, and technologies.
Once readers are familiar with FortiSASE concepts and terminology and ready to explore different architectures in their environment, they can proceed to the FortiSASE Architecture Guide.