Product integration and support
FortiSASE supports the following FortiClient versions:
- FortiClient (Windows) 7.0.11
- FortiClient (macOS) 7.0.11
- FortiClient (Linux) 7.0.11
- FortiClient (Android)
- FortiClient (iOS)
Use of earlier FortiClient versions with FortiSASE is not actively supported and may cause behavior differences.
Fortinet Support supports newer FortiClient versions even if they are not yet the recommended versions for FortiSASE.
FortiClient 7.0.11 is now the recommended version for FortiSASE for desktop users. FortiSASE has updated installers and download links to use FortiClient 7.0.11.
To provide improved performance and connectivity when connected to FortiSASE, for all existing managed endpoint users, each endpoint not running the currently available preconfigured installer of FortiClient 7.0.11 from the FortiSASE portal is prompted incrementally to upgrade to it. The user can perform this action immediately or schedule it to complete at a later time. See Managed endpoint client onboarding for details on the different FortiClient installer types. New tenants or those who requested that this feature be disabled on their instance will not automatically have this FortiClient managed endpoint enforcement feature.
Supported FortiClient features
The following table lists the FortiClient platform and version and each version's corresponding features that FortiSASE supports:
| Feature | Windows 7.0.11 | macOS 7.0.11 | Linux 7.0.11 | Android | iOS |
|---|---|---|---|---|---|
| Managed Endpoints | | | | | |
| Diagnostic logs on-demand requests from FortiSASE | ✓ | | | | |
| Digital experience monitoring agent support (requires Advanced or Comprehensive License) | ✓ | ✓ | | | |
| FortiGuard Forensics Analysis support (requires Advanced or Comprehensive License) | ✓ | | | | |
| Access | | | | | |
| Autoconnect to FortiSASE using Microsoft Entra ID credentials | ✓ | | | | |
| Autoconnect to FortiSASE using SAML single sign on | ✓ | ✓ | | ✓ | ✓ |
| Bypass FortiSASE using application-based split tunnel | ✓ | | | | |
| Bypass FortiSASE using on-net endpoint detection via public IP address | ✓ | ✓ | ✓ | | |
| Endpoint profile change notifications | ✓ | ✓ | ✓ | | |
| Endpoint telemetry | ✓ | ✓ | ✓ | ✓ | ✓ |
| Endpoint VPN connectivity notifications | ✓ | ✓ | ✓ | | |
| Endpoint VPN disconnection by disabling management connection from FortiSASE | ✓ | ✓ | ✓ | | |
| Force always on VPN | ✓ | ✓ | | ✓ | ✓ The VPN toggle button is not disabled instantly. You must navigate away from the VPN page to disable the VPN button. |
| Split DNS | ✓ | ✓ | ✓ | | |
| Show zero trust network access (ZTNA) tags on FortiClient | ✓ | ✓ | ✓ | | ✓ Does not support hiding tags. |
| SSL VPN connection remains active after endpoint has been idle | ✓ | ✓ | ✓ | | ✓ |
| SSL VPN support for DTLS* | ✓ | ✓ | | | |
| SSL VPN to FortiSASE | ✓ | ✓ | ✓ | ✓ | ✓ |
| Protection | | | | | |
| Antiransomware | ✓ | | | | |
| Next generation antivirus (AV) – real-time AV and cloud malware protection | ✓ | ✓ | ✓ | | |
| Removable media access control | ✓ | ✓ FortiClient (macOS) does not support rules. It only supports allow and block actions. | ✓ FortiClient (Linux) does not support rules. It only supports allow and block actions. | | |
| Removable media access control – notify endpoint of blocks | | ✓ | ✓ | | |
| Vulnerabilities scanning | ✓ | ✓ | ✓ | | |
| Sandbox | | | | | |
| Sandboxing - on-premise and FortiSASE Cloud Sandbox | ✓ | ✓ | | | |
| ZTNA | | | | | |
| ZTNA remote access | ✓ | ✓ | ✓ | | |
| ZTNA tagging rules | ✓ | ✓ | ✓ | ✓ | ✓ |
* DTLS support is enabled by default for existing and new FortiSASE instances.
Common use cases
To connect to a FortiSandbox appliance behind a firewall, you must open ports 514 and 443.
In some scenarios, FortiSASE interacts with other Fortinet products. The following lists the supported versions for each scenario:
| Use case | Description |
|---|---|
| | Secure access to the Internet using FortiClient agent. |
| | Secure access to the Internet using Thin Edge FortiExtender device as FortiSASE LAN extension. |
| SIA for FortiGate SD-WAN secure edge site-based remote users | Secure access to the Internet using FortiGate SD-WAN Secure Edge device as FortiSASE LAN extension. |
| | Secure access to the Internet using FortiAP device as FortiSASE edge device. |
| | Forward logs to an external server, such as FortiAnalyzer. |
| | Access to private company-hosted TCP-based applications behind the FortiGate ZTNA application gateway for various ZTNA use cases. |
| | Access to private company-hosted applications behind the FortiGate SD-WAN hub-and-spoke network. |
| | Access to private company-hosted applications behind the FortiGate next generation firewall (NGFW). |
| SPA using a FortiSASE SPA hub with Fabric overlay orchestrator | Access to private company-hosted applications behind the FortiGate NGFW using Fabric Overlay Orchestrator. |
SIA for FortiClient agent-based remote users
To allow remote users to connect to FortiSASE, ensure you have purchased the per-user FortiSASE licensing contracts and applied them to FortiCloud.
Use the following FortiClient versions:
- FortiClient (Windows) 7.0.11
- FortiClient (macOS) 7.0.11
- FortiClient (Linux) 7.0.11
- FortiClient (Android)
- FortiClient (iOS)
Use of earlier FortiClient versions with FortiSASE is not actively supported and may cause behavior differences.
SIA for FortiExtender site-based remote users
Currently, FortiSASE supports the FortiExtender 200F model for the LAN extension feature. The FortiExtender 200F should run 7.2.3. This feature requires a separate FortiSASE subscription license per FortiExtender.
You must register FortiExtender devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.
FortiSASE supports a maximum of 16 FortiExtender and FortiGate devices combined that you can configure as FortiSASE edge devices.
For existing instances provisioned before FortiSASE 24.1.b and using FortiExtender, create a new FortiCare ticket to have the resolution for the resolved issue in Bug ID 1003287 applied to your instance. See Resolved issues for relevant issues resolved.
SIA for FortiGate SD-WAN secure edge site-based remote users
FortiGate SD-WAN as a secure edge is a controlled general availability (GA) feature that requires a separate FortiSASE subscription license per FortiGate. All FortiGate F- and G-series desktop platforms running FortiOS 7.4.2 and above can support FortiSASE Secure Edge connectivity.
You must register FortiExtender devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.
FortiSASE supports a maximum of 16 FortiExtender and FortiGate devices combined that you can configure as FortiSASE edge devices.
SIA for FortiAP site-based remote users
FortiAP edge device support is a controlled GA feature that requires a separate FortiSASE subscription license per FortiAP. This feature supports FortiAP 231F and 431F devices running FortiAP firmware 7.2.4 and above.
You must register FortiAP devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.
FortiSASE supports a maximum of 32 FortiAP devices that you can configure as FortiSASE edge devices.
Log forwarding
If using FortiAnalyzer for log forwarding, the FortiAnalyzer should be on 7.0.4 or later.
ZTNA
If using the ZTNA feature, the FortiGate acting as the ZTNA access proxy should be on the following FortiOS versions:
- 7.0.10 or later
- 7.2.4 or later
SPA
For securing private TCP- and UDP-based applications, FortiSASE supports a secure private access (SPA) deployment using an existing FortiGate SD-WAN hub or SPA using a FortiGate NGFW converted to a standalone FortiSASE SPA hub. These SPA use cases are based on IPsec VPN overlays and BGP.
SPA Service Connection license
A single SPA Service Connection license is required per FortiGate and allows inbound connectivity to the licensed device from all remote user and branch locations.
- FortiGate desktop platforms are recommended as a single NGFW location only.
- FortiGate 100F series and above are recommended for an SD-WAN hub.
See the SASE and Zero Trust Ordering Guide.
SPA FortiCloud account prerequisites
You must register FortiGate devices to the same FortiCloud account used to log into FortiSASE before using these devices as SPA hubs with FortiSASE.
To activate the SPA feature on FortiSASE, you must purchase and apply a FortiSASE Service Connection license to each FortiGate device registered.
For details on registering products, see Registering assets.
SPA using a FortiGate SD-WAN hub
This use case requires a license per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection license and SPA FortiCloud account prerequisites.
If you deploy SPA using a FortiGate SD-WAN hub, use the following versions:
| Product | Supported firmware version |
|---|---|
| FortiGate | |
| FortiManager | |
| FortiClient | 7.0.11 |
SPA using a FortiSASE SPA hub
This use case requires a license per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection license and SPA FortiCloud account prerequisites.
If you deploy SPA using a FortiSASE SPA hub, use the following versions:
| Product | Supported firmware version |
|---|---|
| FortiGate | |
| FortiManager | |
| FortiClient | 7.0.11 |
SPA using a FortiSASE SPA hub with Fabric overlay orchestrator
This use case requires a license per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection license and SPA FortiCloud account prerequisites.
If you deploy SPA using a FortiSASE SPA hub with the Fabric Overlay Orchestrator, use the following versions:
| Product | Supported firmware version |
|---|---|
| FortiGate | 7.2.4 or later |
| FortiClient | 7.0.11 |