Limitations
FortiAP
FortiSASE does not recommend firmware versions for FortiAP G-series edge devices and does not indicate whether the installed FortiAP OS version for these devices is up to date.
FortiClient (Android)
When the CA certificate is downloaded from FortiSASE and manually installed on certain Android devices, untrusted certificate warnings for this certificate display constantly. This behavior is the result of Android system limitations on certain devices.
FortiClient (iOS)
If Settings > Apps > Safari > Privacy & Security > Not Secure Connection Warning is enabled, VPN connection may fail.
FortiClient Cloud
The FortiSASE license includes the FortiClient Cloud instance that licenses and provisions endpoints. You cannot access the FortiClient Cloud instance to configure it. You must use FortiSASE with the included FortiClient Cloud instance. You cannot apply a FortiSASE license to an existing FortiClient Cloud instance.
FortiCloud
Support for FortiCloud subuser accounts or subaccounts is discontinued. Therefore, you must use Identity & Access Management (IAM) users in cases where multiple users access the FortiSASE customer portal.
To migrate existing subuser accounts from FortiCloud and convert them to IAM users, see Migrating sub users.
FortiClient desktop (Windows, macOS, Linux)
- FortiClient blocks IPv6 traffic. Only IPv4 traffic traverses the FortiSASE tunnel.
- For an endpoint to be able to connect to FortiSASE via an SSL VPN tunnel, the FortiSASE environment must have at least one SSL VPN allow policy configured. See Adding policies to perform granular firewall actions and inspection.
- Only Windows endpoints running FortiClient 7.0.13 or later support Microsoft Entra ID domains.
- The endpoint upgrade rule does not apply to Entra ID user groups if the FortiClient version on endpoints is 7.0.12 or earlier.
- On FortiClient (macOS), if the Non-Secure site connections > Warn before connecting to a website over HTTP option is enabled in Safari and using an external browser for SAML authentication is configured in FortiSASE, VPN connection may fail.

Note: Using alternate VPN clients in combination with FortiSASE is neither recommended nor supported.
FortiSandbox
To connect to a FortiSandbox appliance behind a firewall, you must open ports 514 and 443.
Agentless ZTNA
Although you must configure secure web gateway (SWG) and SWG single sign on (SSO) to configure agentless zero trust network access (ZTNA), you do not need to configure the remote user endpoints for SWG. In other words, you do not need to configure remote user endpoints with a proxy autoconfiguration file or with a CA certificate for SSL deep inspection. Agentless ZTNA simply uses configuration from SWG and SWG SSO for remote user authentication.
When you enable a valid VPN or SWG configuration on a FortiSASE instance, an endpoint enabled with matching VPN or SWG remote user settings cannot access a private application using its agentless ZTNA URL bookmark in the secure application bookmark portal. Agentless ZTNA traffic is proxied to the private application server directly, bypassing the typical secure internet access VPN or SWG traffic flow. This aligns with the agentless ZTNA use case where the user accesses a private application without connecting to FortiSASE as a VPN or SWG user. Therefore, for valid VPN or SWG endpoints, configuring and accessing private applications using secure private access only instead of using agentless ZTNA is best practice.
Authentication
- Other user authentication methods do not work once you enable SAML SSO.
- Not all options for LDAP server configuration are available on FortiSASE.
- Deauthenticating a SWG SSO user does not direct the user to reauthenticate on the device without first clearing the browser cache.
- For SWG SSO users, to properly proxy legacy Skype traffic, bypass SSO authentication by customizing the PAC file. See Customizing the PAC file.
- For SWG SSO users, at least one SWG policy using SSO authentication must have deep inspection enabled in the configured security profile group. SSO authentication requires deep inspection to work.
- Any traffic from SWG SSO users that is destined for hosts or URL categories defined as deep inspection exemptions does not work.
- You must not configure SWG policies using SSO authentication with certificate inspection.
- If certificate inspection is required in a SWG policy, then SSO authentication must not be configured in that policy.
- LDAP authentication is unavailable for remote VPN users using IPsec VPN.
Workaround: using FortiAuthenticator, configure a RADIUS server that uses the remote LDAP server as its user repository, and then configure that RADIUS server for remote user authentication in FortiSASE.
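The legacy Skype item above says to bypass SSO authentication by customizing the PAC file. The following is an added illustration of what such a bypass looks like; it is not Fortinet's PAC file or any example from the FortiSASE documentation. The proxy address (swg.example.invalid:8080) and the two domain suffixes are placeholders chosen for this example. Real PAC engines supply helpers such as dnsDomainIs(), but the suffix check is written out by hand here so the function also runs unchanged under Node.js.

```javascript
// Added example (not from the FortiSASE documentation): a PAC file that sends
// traffic for a short list of legacy Skype domains DIRECT, so it does not pass
// through the SWG proxy and its SSO challenge, while everything else still goes
// to the SWG. Hosts sent DIRECT are not authenticated per user, so the bypass
// list should stay as narrow as possible.

// Placeholder proxy address; replace with the SWG address FortiSASE gives you.
var SWG_PROXY = "PROXY swg.example.invalid:8080";

// Assumed legacy Skype domain suffixes (placeholders for this example).
var BYPASS_SUFFIXES = [".skype.com", ".lync.com"];

// True when host is exactly the domain or a subdomain of it. The check is done
// on a label boundary, so "evilskype.com" does NOT match ".skype.com".
function hostInDomain(host, suffix) {
  host = host.toLowerCase();
  var bare = suffix.substring(1); // ".skype.com" -> "skype.com"
  if (host === bare) {
    return true;
  }
  return host.length > suffix.length &&
    host.substring(host.length - suffix.length) === suffix;
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (hostInDomain(host, BYPASS_SUFFIXES[i])) {
      return "DIRECT"; // bypass the SWG and its SSO authentication
    }
  }
  return SWG_PROXY; // everything else is proxied and subject to SSO
}
```

The boundary check in hostInDomain is the part worth keeping when adapting this: a plain substring match would also send look-alike domains past the SWG, widening the unauthenticated path well beyond the Skype hosts the bypass is meant for.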
Security features
When Application Control With Inline-CASB and deep inspection are enabled in a security profile group, a replacement message is not provided to the endpoint when traffic is blocked.
VPN Policies
For SSL VPN remote users, whenever changes are made to an existing Internet Access or Private Access policy, they take effect only after SSL VPN users reconnect to FortiSASE.