Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

    Home FortiSASE FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

    Testing the dynamic private access policy

    Testing the dynamic private access policy

    (Optional) To display tags on the FortiClient endpoint:
    1. In FortiSASE, go to Configuration > Endpoints > Profile.
    2. Enable Show tags on FortiClient.
    3. Click Apply. When this option is enabled, detected tags appear on the FortiClient avatar page.

    To test that FortiSASE allows a FortiClient endpoint tagged as SASE-Compliant access to a private server:
    1. In FortiClient, go to the REMOTE ACCESS tab.
    2. From the VPN Name dropdown list, select Secure Internet Access.
    3. Enter the user credentials based on the VPN user authentication defined on FortiSASE. Click Connect.
    4. In Windows Defender, set Real-time protection to On as Stay protected with Windows Security describes. This turns on antivirus (AV) and ensures that FortiSASE dynamically tags the endpoint as compliant.
    5. From the FortiClient avatar page, ensure that the endpoint is non-compliant and has the SASE-Compliant Zero Trust tag applied.
    6. In Windows Command Prompt, enter ping 10.100.99.101 to test an ICMP ping to the specified private server with IP address 10.100.99.101 behind the FortiGate hub.
    7. Observe the following output indicating the ping succeeded since FortiSASE allows access: 
      C:\> ping 10.100.99.101

Pinging 10.100.99.101 with 32 bytes of data:
Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
Reply from 10.100.99.101: bytes=32 time=136ms TTL=62

Ping statistics for 10.100.99.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 136ms, Maximum = 137ms, Average = 136ms
    8. In FortiSASE, in Configuration > Policies, observe that the Allow-SASE-Compliant dynamic private access policy hit count increased and that the Deny-SASE-Non-Compliant dynamic private access policy hit count has not changed.

    To test that FortiSASE denies a FortiClient endpoint tagged as SASE-Non-Compliant access to a private server:
    1. In FortiClient, go to the REMOTE ACCESS tab.
    2. From the VPN Name dropdown list, select Secure Internet Access.
    3. Enter the user credentials based on the VPN user authentication defined on FortiSASE. Click Connect.
    4. In Windows Defender, set Real-time protection to Off as Stay protected with Windows Security describes. This turns off AV and ensures that FortiSASE dynamically tags the endpoint as non-compliant.
    5. From the FortiClient avatar page, ensure that the endpoint is non-compliant and has the SASE-Non-Compliant Zero Trust tag applied.
    6. In Windows Command Prompt, enter ping 10.100.99.101 to test an ICMP ping to the specified private server with IP address 10.100.99.101 behind the FortiGate hub.
    7. Observe the following output indicating the ICMP ping has timed out since FortiSASE denies access to the specific server: 
      C:\> ping 10.100.99.101

Pinging 10.100.99.101 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.100.99.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    8. In FortiSASE, in Configuration > Policies, observe that the Allow-SASE-Compliant dynamic private access policy hit count has not changed and that the Deny-SASE-Non-Compliant dynamic private access policy hit count increased.
    Previous
    Next

    Testing the dynamic private access policy

    Testing the dynamic private access policy

    (Optional) To display tags on the FortiClient endpoint:
    1. In FortiSASE, go to Configuration > Endpoints > Profile.
    2. Enable Show tags on FortiClient.
    3. Click Apply. When this option is enabled, detected tags appear on the FortiClient avatar page.

    To test that FortiSASE allows a FortiClient endpoint tagged as SASE-Compliant access to a private server:
    1. In FortiClient, go to the REMOTE ACCESS tab.
    2. From the VPN Name dropdown list, select Secure Internet Access.
    3. Enter the user credentials based on the VPN user authentication defined on FortiSASE. Click Connect.
    4. In Windows Defender, set Real-time protection to On as Stay protected with Windows Security describes. This turns on antivirus (AV) and ensures that FortiSASE dynamically tags the endpoint as compliant.
    5. From the FortiClient avatar page, ensure that the endpoint is non-compliant and has the SASE-Compliant Zero Trust tag applied.
    6. In Windows Command Prompt, enter ping 10.100.99.101 to test an ICMP ping to the specified private server with IP address 10.100.99.101 behind the FortiGate hub.
    7. Observe the following output indicating the ping succeeded since FortiSASE allows access: 
      C:\> ping 10.100.99.101

Pinging 10.100.99.101 with 32 bytes of data:
Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
Reply from 10.100.99.101: bytes=32 time=136ms TTL=62

Ping statistics for 10.100.99.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 136ms, Maximum = 137ms, Average = 136ms
    8. In FortiSASE, in Configuration > Policies, observe that the Allow-SASE-Compliant dynamic private access policy hit count increased and that the Deny-SASE-Non-Compliant dynamic private access policy hit count has not changed.

    To test that FortiSASE denies a FortiClient endpoint tagged as SASE-Non-Compliant access to a private server:
    1. In FortiClient, go to the REMOTE ACCESS tab.
    2. From the VPN Name dropdown list, select Secure Internet Access.
    3. Enter the user credentials based on the VPN user authentication defined on FortiSASE. Click Connect.
    4. In Windows Defender, set Real-time protection to Off as Stay protected with Windows Security describes. This turns off AV and ensures that FortiSASE dynamically tags the endpoint as non-compliant.
    5. From the FortiClient avatar page, ensure that the endpoint is non-compliant and has the SASE-Non-Compliant Zero Trust tag applied.
    6. In Windows Command Prompt, enter ping 10.100.99.101 to test an ICMP ping to the specified private server with IP address 10.100.99.101 behind the FortiGate hub.
    7. Observe the following output indicating the ICMP ping has timed out since FortiSASE denies access to the specific server: 
      C:\> ping 10.100.99.101

Pinging 10.100.99.101 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.100.99.101:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    8. In FortiSASE, in Configuration > Policies, observe that the Allow-SASE-Compliant dynamic private access policy hit count has not changed and that the Deny-SASE-Non-Compliant dynamic private access policy hit count increased.
    Previous
    Next