Administration Guide

Connection

To configure the Connection tab:
  1. Create a new profile or edit an existing one:
    1. Go to Configuration > Profiles.
    2. Click Create or edit an existing profile.
    3. In the Name field, enter the desired name of the endpoint profile.
  2. On the Connection tab, to enable VPN autoconnect, set Connect to FortiSASE to On device login. Enable the Disable disconnect from VPN toggle to prevent endpoints from disconnecting from FortiSASE’s secure internet access (SIA) VPN.

    To let endpoint users connect to FortiSASE’s SIA VPN manually, set Connect to FortiSASE to Manually. This disables autoconnect to FortiSASE’s SIA VPN.

    Note

    Setting Connect to FortiSASE to On-device login enables autoconnect. This option is equivalent to configuring Auto-connect to FortiSASE in prior FortiSASE versions.

    Similarly, enabling Disable disconnect from VPN is equivalent to enabling Force Always On VPN in prior FortiSASE versions.

  3. Under Bypass FortiSASE, configure Split tunneling destinations. Traffic to a split tunneling destination is treated as trusted: it is excluded from the FortiSASE VPN tunnel and sent out the endpoint's physical interface, bypassing FortiSASE. This also helps optimize FortiSASE bandwidth usage. For example, you may want to add a high bandwidth-consuming application, such as Microsoft Teams or Zoom, as a split tunneling destination. Configure a split tunneling destination:
    1. Click Create.
    2. Configure the following fields:

      Type: Select Infrastructure, FQDN, Local Application, or Subnet.

      Match:

      • If you selected Infrastructure, select the desired application from the dropdown list.
      • If you selected FQDN, enter the desired fully qualified domain name (FQDN). The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection. For example, if you want to exclude YouTube from the VPN tunnel, you can enter youtube.com. When endpoint users use any popular browser such as Chrome, Edge, or Firefox to access youtube.com or *.youtube.com, this traffic does not go through the VPN tunnel.
      • If you selected Local Application, specify an application using its process name, full path, or the directory where it is installed. When entering a directory, the value must end with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not add leading or trailing spaces, and do not add double quotes around full paths that contain spaces. You can add multiple entries by separating them with a semicolon.

        For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

        • Application Name: teams.exe;firefox.exe

        • Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe

        • Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

        To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

      • If you selected Subnet, enter the desired subnet. The subnet is dynamically added to the route table when in use, and is removed after disconnection.

        You can select host groups when using the Subnet match type. You must create host groups in Configuration > Hosts before they become visible in the Edit Match dialog.

      Note

      Subnet destinations cannot be created in a custom endpoint profile. Therefore, subnet destinations defined in the Default profile also apply to all custom profiles.

      Note

      Wildcard FQDNs are not supported when configuring an FQDN split tunneling destination.

    3. Click OK.
  4. Under Bypass FortiSASE, configure Endpoints will not auto connect to VPN from these public IPs. Endpoints whose public IP matches one of the configured public IPs are considered trusted, or on-net: they are in a corporate network that should already have some level of on-premise security, so they do not need to connect to the FortiSASE VPN automatically for security inspection. This also helps optimize FortiSASE bandwidth usage. For example, when you add the public IP of your corporate network, endpoints on that network do not automatically connect to the FortiSASE VPN while they are on-net. Endpoints auto connect to the FortiSASE VPN only when their public IP does not match any configured trusted public IP, that is, when they are considered untrusted, or off-net, and require FortiSASE security inspection.

    Configure a public IP to prevent auto connect to FortiSASE VPN when endpoints are on-net:

    1. Click Create.
    2. Enter the public IP address in the Public IP text field.
    3. Click OK.
  5. Under Debugging options, when you enable Endpoints can disconnect from FortiSASE, FortiClient’s Zero Trust Telemetry tab shows a Disconnect option.

    Alternatively, you can enable Require disconnect password and enter a password. When this option is configured, the endpoint user must enter the password in FortiClient to disconnect from the FortiSASE Management Service. You can use this option as an offline method of deregistering a FortiClient endpoint from the FortiSASE Management Service.

  6. Under Alternative VPNs, you can configure a custom IPsec or SSL VPN configuration. These configurations are typically useful when endpoints must connect to an on-premise FortiGate via VPN. To create an alternative custom VPN, do the following:
    1. Click Create, and select SSL VPN or IPsec VPN as required.
    2. Enter the Name of the VPN tunnel.
    3. Do one of the following:
      • For an IPsec VPN tunnel, configure the following settings:

        Remote gateway: Remote gateway FQDN or IP address.

        Authentication method: Select preshared key, smart card certificate, or system store certificate to connect to the IPsec VPN gateway.

        Prompt for username: Display a prompt for the end user to enter their username and password for user authentication.

        Advanced Settings: Enable the toggle for each option that should be visible on FortiClient.

      • For an SSL VPN tunnel, configure the following settings:

        Remote gateway: Remote gateway FQDN or IP address.

        Port: SSL VPN port number.

        Require certificate: Enable to use certificate-based user authentication.

        Prompt for username: Display a prompt for the end user to enter their username and password for user authentication.

        Advanced Settings: Enable the toggle for each option that should be visible on FortiClient. When you enable Authenticate with SSO, FortiClient offers SSO as an authentication option and uses its built-in browser agent. To use an external browser instead, enable Use external browser as user-agent for SAML login.

  7. The SSL VPN settings apply to alternative SSL VPN tunnels. Enable the respective options to prevent connection errors in FortiClient caused by invalid SSL certificates installed on the on-premise VPN gateway.
    Note

    If you set Connect to FortiSASE to On device login, then for endpoints with profiles that have custom alternative VPNs configured, the autoconnect feature only connects the endpoint to the FortiSASE SIA VPN.

    To make autoconnect work with alternative VPNs, set Connect to FortiSASE to Manually and enable Show Auto Connect under Advanced Settings for each alternative VPN tunnel configuration. If the alternative VPN connection fails, FortiClient does not automatically fall back to the FortiSASE SIA VPN; endpoint users must then connect to the FortiSASE SIA VPN manually.

  8. Additional FortiClient settings must be configured on the Settings tab. See Settings.
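As an added illustration that is not FortiSASE's or FortiClient's own code, the following Python mirrors the rules stated in steps 3 and 4 above: it rejects wildcard FQDNs, labels each Local Application entry as a process name, full path or directory (a directory must end with a backslash, with no surrounding spaces or double quotes), parses Subnet matches, and decides whether an endpoint set to On device login would auto connect given its public IP and the trusted public IP list. The function names and sample values are constructed for this example.

```python
import ipaddress
import re

# Constructed example mirroring the documented Connection tab rules; it is not
# FortiSASE's own validation logic.
_FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{2,63}$")


def validate_fqdn(value: str) -> str:
    """Return the normalised FQDN; wildcard FQDNs are not supported for this match type."""
    if "*" in value:
        raise ValueError(f"wildcard FQDNs are not supported: {value!r}")
    if not _FQDN_RE.match(value):
        raise ValueError(f"not a fully qualified domain name: {value!r}")
    return value.lower()


def classify_local_application(value: str) -> dict:
    """Split a Local Application match on ';' and label each entry.

    'process' is a bare image name, 'path' a full path to the executable, and
    'directory' an install directory, which must end with a backslash.
    Environment variables such as %LOCALAPPDATA% are left as written.
    """
    kinds = {}
    for entry in value.split(";"):
        if not entry or entry != entry.strip():
            raise ValueError(f"empty entry or leading/trailing space: {entry!r}")
        if '"' in entry:
            raise ValueError(f"do not add double quotes, even around paths with spaces: {entry!r}")
        if "\\" not in entry:
            kinds[entry] = "process"
        elif entry.endswith("\\"):
            kinds[entry] = "directory"
        else:
            kinds[entry] = "path"
    return kinds


def validate_subnet(value: str):
    """A Subnet match must be a network in CIDR form with no host bits set."""
    return ipaddress.ip_network(value, strict=True)


def should_autoconnect(endpoint_public_ip: str, trusted_public_ips, connect_mode: str) -> bool:
    """On-device-login autoconnect applies only off-net, i.e. when the endpoint's
    public IP is not one of the configured trusted public IPs."""
    if connect_mode != "On device login":
        return False  # 'Manually' disables autoconnect to the SIA VPN
    trusted = {ipaddress.ip_address(ip) for ip in trusted_public_ips}
    return ipaddress.ip_address(endpoint_public_ip) not in trusted
```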
