
FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

Configuring a private access policy for remote VPN users and edge devices

To configure a private access policy from remote VPN users and edge devices to SPA hubs:
  1. Go to Configuration > Policies.
  2. Click the Private Access tab and then click the To hubs subtab.
  3. Click +Create to create a new policy.
  4. Configure these fields:

     Name: Enter a unique private access policy name.
     Source Scope:
       • All: all FortiSASE VPN users and edge devices
       • VPN Users: remote endpoint users
       • Edge Devices: edge devices such as FortiExtender
       • Specify: specify selected hosts and host groups if you selected VPN Users, or authorized edge devices if you selected Edge Devices.
     Destination:
       • Private Access Traffic: all private access traffic
       • Specify: specify selected private access hosts or host groups
     Service: Click + and select entries.
     Action: Accept or Deny.
     Profile Group: Default, or Specify and select a profile group.
     Force Certificate Inspection: Enabled or disabled. When enabled, this policy ignores the SSL inspection mode defined in the selected profile group and instead uses certificate inspection.
     Status: Enable or disable.
     Log Allowed Traffic: Enable or disable.
       • Security Events: log traffic that has a security profile applied to it.
       • All Sessions: log all sessions that this policy accepts or denies.
  5. Click OK.
To configure a private access policy to remote users from SPA hubs:
Note:

The From hubs subtab, and the functionality it provides, is available only on a FortiSASE instance with the remote VPN user identification selected availability feature. See Remote VPN user identification. Otherwise, the From hubs subtab does not display.

Currently, FortiSASE supports traffic from SPA hubs to remote VPN users only.

  1. Go to Configuration > Policies.
  2. Click the Private Access tab and then click the From hubs subtab.
  3. Click +Create to create a new policy.
  4. Configure these fields:

     Name: Enter a unique private access policy name.
     Source Scope:
       • Private Access Traffic: all private access traffic
       • Specify: specify selected private access hosts or host groups
     Destination:
       • All: all FortiSASE users and devices
       • VPN Users: remote endpoint users
     Service: Click + and select entries.
     Action: Accept or Deny.
     Profile Group: Default, or Specify and select a profile group.
     Force Certificate Inspection: Enabled or disabled. When enabled, this policy ignores the SSL inspection mode defined in the selected profile group and instead uses certificate inspection.
     Status: Enable or disable.
     Log Allowed Traffic: Enable or disable.
       • Security Events: log traffic that has a security profile applied to it.
       • All Sessions: log all sessions that this policy accepts or denies.
  5. Click OK.
To configure a FortiGate SPA hub firewall policy required for traffic from SPA hubs:
Note:

On the FortiGate SPA hub, you must configure a firewall policy that allows traffic from the desired local interface(s), or from spokes behind the hub, to the remote VPN users via the SPA overlay. This policy ensures that traffic from networks connected to the FortiGate SPA hub is allowed to reach FortiSASE remote VPN users.

In this example, for the FortiGate SPA hub, the SPA overlay (IPsec VPN tunnel) is defined as fgt_hub1 and the local connected networks DMZ_HQ and LAN_HQ are on port2 and port4, respectively. Therefore, we create a policy that allows traffic from the local connected networks on the hub to the FortiSASE remote VPN users.

  1. On the FortiGate SPA hub, go to Policy & Objects > Firewall Policy.
  2. Click +Create New to create a new policy.
  3. Configure these fields:

     Name: Enter a unique firewall policy name.
     Incoming Interface: DMZ_HQ (port2), LAN_HQ (port4)
     Outgoing Interface: fgt_hub1
     Source: all
     Destination: all
     Schedule: always
     Service: ALL
     Action: ACCEPT
     NAT: You can enable or disable NAT depending on the IP configuration of the organization's FortiGate SPA hub.
     IP Pool Configuration: Use Outgoing Interface Address

  4. Click OK.
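The same hub firewall policy expressed in the FortiOS CLI, added here as an example and not taken from the guide. It assumes, as in the example above, that port2 and port4 carry the DMZ_HQ and LAN_HQ aliases and that fgt_hub1 is the IPsec tunnel interface of the SPA overlay; it leaves NAT disabled and logs all sessions, which is an added choice so the hub records every flow towards remote VPN users.

```fortios
config firewall policy
    edit 0
        set name "HQ-to-FortiSASE-VPN-users"
        set comments "Added example: hub LAN/DMZ to FortiSASE remote VPN users over the SPA overlay"
        set srcintf "port2" "port4"
        set dstintf "fgt_hub1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action accept
        set nat disable
        set logtraffic all
    next
end
```

If the hub's addressing requires source NAT, `set nat enable` with `ippool` left disabled corresponds to the GUI's Use Outgoing Interface Address setting; `show firewall policy` afterwards confirms the entry and the ID that `edit 0` assigned.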
