Design components
Consider the components of a SASE solution and align them to the existing network and security infrastructure. Review any changes that may be necessary to prepare for the SASE implementation.
| SASE Component | Existing infrastructure |
|---|---|
| Secure internet access | Ensure endpoints (agent-based and agentless remote users) and FortiExtender devices (site-based remote users) can access the Security PoPs from everywhere. Consider the bandwidth requirements of the remote users and their applications, and obtain the corresponding bandwidth licensing. The remote user connectivity methods used by the Secure Internet Access (SIA) use cases are also used by the Secure Private Access (SPA) and Secure SaaS Access (SSA) use cases. |
| Security and Analytics PoPs | Consider selecting Security PoPs that are geographically near your remote users. Review log storage privacy requirements (such as GDPR) and choose a log storage location or Analytics PoP that meets them. |
| Remote Authentication Source | Consider the type of remote authentication source (LDAP, RADIUS, or SAML Identity Providers such as Azure AD or Okta) that you will use to control network access for devices and users on your network. When SAML identity providers (IdPs) are involved, FortiSASE acts as the service provider (SP). Ensure that the users and groups created in the remote authentication source align with your security goals. Authentication can be applied to FortiClient agent-based and SWG agentless access. |
| Security Profiles | Consider the security features that will extend the enterprise security perimeter to remote users, including IPS and Application Control, Web and DNS filtering, anti-malware, sandboxing, and anti-botnet/command-and-control. Consider the specific settings within each security feature that are sufficient to secure your remote users. |
| VPN Policies | Consider the common security policy used to extend the enterprise security perimeter to agent-based remote users and site-based remote users. Decide which specific security features and user groups you will configure in individual policies. |
| SWG Policies | Consider the common security policy used to extend the enterprise security perimeter to agentless remote users. Decide which specific security features and user groups you will configure in individual policies. |
| Secure Private Access | For private access to TCP-based applications, consider deploying the ZTNA use case. Ensure that the ZTNA design components (FortiClient, FortiClient EMS, FortiOS ZTNA access proxy, SAML IdPs) and their requirements are accounted for. See the ZTNA Architecture Guide for details. For broader, seamless access to every private application (TCP and UDP), consider deploying the SD-WAN and NGFW SPA use cases. Ensure that the SD-WAN hubs are remotely reachable for SD-WAN overlay interconnectivity with FortiSASE PoPs. |
| Secure SaaS Access | For FortiCASB use cases, ensure that you have purchased the proper per-user and per-endpoint FortiSASE licensing to obtain access to this cloud-based service. |