Design topology

In this example topology, minor changes to the existing physical infrastructure were necessary. FortiGates replaced existing firewalls at the headquarters (HQ) data center. The internal application servers stayed in place with the same IP scheme in the server VLAN.

Secure internet access using FortiSASE was achieved as follows:

  • As the coffee shop remote user demonstrates, FortiClient was installed on supported endpoints to give remote users agent-based access to FortiSASE over SSL VPN dial-up tunnels.
  • As the home remote user demonstrates, for endpoints that do not support FortiClient, the web browser's proxy settings were configured to point at the FortiSASE explicit web proxy, providing agentless access.
  • As the regional branch office remote user demonstrates, for endpoints where FortiClient is not supported or was not chosen, a FortiExtender was configured as a LAN extension to FortiSASE, and the endpoints were configured to use the FortiExtender as their default gateway.
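
As an added example, not taken from the Fortinet page or from FortiSASE product documentation, the agentless explicit-proxy arrangement in the second bullet can be expressed as a PAC (proxy auto-config) script that the browser evaluates for every request. The proxy hostname and port below are placeholders; the real explicit-proxy address for a tenant is not given on this page. The script also shows the two decisions a practitioner has to make for agentless users: which destinations stay local, and what happens when the proxy cannot be reached.

```javascript
// Added example, not Fortinet code: a PAC script for agentless explicit-proxy
// access. The proxy host and port are placeholders (assumed, not from the page).
const SASE_PROXY = "PROXY sase-proxy.example.invalid:8080";

// Private and loopback IPv4 literals stay local: the home user's own LAN devices
// (printer, NAS) should not be hairpinned through the cloud proxy.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Loopback names and single-label (unqualified) hostnames are treated as local.
function isLocalName(host) {
  const h = host.toLowerCase();
  return h === "localhost" || h.indexOf(".") === -1;
}

// Standard PAC entry point: the browser calls this with the URL and host and
// uses the returned directive string to decide where to send the request.
function FindProxyForURL(url, host) {
  if (isLocalName(host) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback on purpose: if the proxy is unreachable the browser
  // fails closed instead of silently bypassing the secure web gateway.
  return SASE_PROXY;
}
```

Two caveats apply to this access method regardless of how the settings are pushed. Appending a `DIRECT` fallback to the proxy directive is convenient for users but means any outage of the proxy turns into an inspection bypass, so the example deliberately omits it. And browser proxy settings are only honoured by applications that read them; other software on the endpoint is not covered, which is why the design uses FortiClient or a FortiExtender wherever either is possible.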

Authentication for agent-based and agentless FortiSASE remote users was achieved using the internal LDAP server.

FortiSASE remote users are not given direct access to the internal network.

  • ZTNA access proxy was used, and the required ZTNA components were deployed, to provide secure private access for TCP-based applications. See Design topology.
  • The existing SD-WAN network and the FortiSASE private access capability were used to provide secure private access for UDP-based applications.

For secure SaaS access, network administrators used FortiCASB to gain visibility into, and report on, user activity in the configured SaaS applications, using out-of-band API communication with those applications. Based on periodic audits of FortiCASB reports, together with configured triggers and notifications, administrators fine-tuned their FortiSASE and FortiGate configurations to mitigate suspicious cloud activity. Because this detection is out of band, it observes activity after the fact and does not itself block traffic.

As an alternative secure SaaS access use case, FortiSASE Inline-CASB, implemented through its application control and web filter security components together with SSL deep inspection, can provide secure SaaS access for both agent-based and agentless remote users. Because detection occurs inline with the SaaS user traffic itself, this approach can also block access to SaaS applications.