Product integration and support
FortiSASE supports the following FortiClient versions:
- FortiClient (Windows) 7.2.9
- FortiClient (macOS) 7.2.9
- FortiClient (Linux) 7.0.13
- FortiClient (Android)
- FortiClient (iOS)
FortiClient 7.2.9 is the recommended version for FortiSASE for desktop users. FortiSASE has updated installers and download links to use FortiClient 7.2.9.
- The "recommended version" is the preferred agent release with full compatibility with FortiSASE features.
- Fortinet Support supports newer FortiClient versions on a best-effort basis as they are not yet officially recommended versions for FortiSASE. Newer versions are agent releases newer than the recommended version, which resolve known issues for specific customer deployments.
- Fortinet Support supports older versions until these FortiClient versions are no longer fully supported with FortiSASE. Older versions are earlier agent releases which were previously recommended versions for FortiSASE.
- Newer and older versions pertain to patch releases within the same minor release. Currently, only patch versions within FortiClient 7.2 are supported for FortiSASE.
Considerations
- For existing instances created before 24.4.b.1 with remote user connectivity to FortiSASE using SSL VPN, the recommended version is FortiClient 7.2.9.
- Starting in FortiSASE 24.4.b.1, IPsec VPN remote user support is enabled by default on new instances.
- For instances with IPsec VPN remote user support enabled, the recommended version is FortiClient 7.2.9.
- For instances created before 24.4.b.1, implementing IPsec VPN remote user support is a significant mode change that impacts the overall FortiSASE instance operation. It has several constraints and is subject to continual improvements.
- You cannot disable or revert IPsec VPN remote user support implementation without significant data loss and service disruption.
- Fortinet recommends that you only raise a request to implement IPsec VPN remote user support after careful consideration and understanding of impact and service disruptions.
Supported FortiClient features
The following table lists the FortiClient platform and version and each version's corresponding features that FortiSASE supports:
| Feature | Windows 7.2.9 | macOS 7.2.9 | Linux 7.0.13 | Android | iOS |
|---|---|---|---|---|---|
| Diagnostic logs on-demand requests from FortiSASE | ✓ | | | | |
| Digital experience monitoring agent* | ✓ | ✓ | | | |
| FortiGuard Forensics Analysis* | ✓ | | | | |
| Access | | | | | |
| Autoconnect to FortiSASE using Microsoft Entra ID credentials | ✓ | | | | |
| Autoconnect to FortiSASE using SAML single sign on (SSO) | ✓ | ✓ | | ✓ | ✓ |
| Bypass FortiSASE using application-based split tunnel | ✓ | | | | |
| Bypass FortiSASE using on-net endpoint detection via DNS server | ✓ | ✓ | ✓ | | |
| Bypass FortiSASE using on-net endpoint detection via DHCP server | ✓ | ✓ | ✓ | | |
| Bypass FortiSASE using on-net endpoint detection via local subnet | ✓ | ✓ | ✓ | | |
| Bypass FortiSASE using on-net endpoint detection via ping server | ✓ | ✓ | ✓ | | |
| Bypass FortiSASE using on-net endpoint detection via public IP address | ✓ | ✓ | ✓ | | |
| Endpoint profile assignment based on Microsoft Entra ID groups | ✓ | | | | |
| Endpoint profile change notifications | ✓ | ✓ | ✓ | | |
| Endpoint telemetry | ✓ | ✓ | ✓ | ✓ | ✓ |
| Endpoint VPN connectivity notifications | ✓ | ✓ | ✓ | | |
| Endpoint VPN disconnection by disabling management connection from FortiSASE | ✓ | ✓ | ✓ | | |
| External browser as user-agent for SAML login | | | ✓ | | |
| Force always on VPN | ✓ | ✓ | ✓ | ✓ | ✓ FortiClient (iOS) does not disable the VPN button instantly. You must navigate away from the VPN page to disable the VPN button. |
| IPsec VPN to FortiSASE | ✓ | ✓ | | | |
| Network lockdown | ✓ | ✓ | | | |
| Pre-logon VPN | ✓ | | | | |
| Show zero trust network access (ZTNA) tags on FortiClient | ✓ | ✓ | ✓ | | ✓ Does not support hiding tags. |
| Split DNS | ✓ | ✓ | | | |
| SSL VPN connection remains active after endpoint has been idle | ✓ | ✓ | ✓ | | ✓ |
| SSL VPN support for DTLS** | ✓ | ✓ | | | |
| SSL VPN to FortiSASE | | | ✓ | ✓ | ✓ |
| FSSO | | | | | |
| FortiClient SSO mobility agent | ✓ | ✓ | | | |
| Protection | | | | | |
| Antiransomware | ✓ | | | | |
| Next generation antivirus (AV) – real-time AV and cloud malware protection | ✓ | ✓ | ✓ | | |
| Removable media access control | ✓ | ✓ FortiClient (macOS) does not support rules. It only supports allow and block actions. | ✓ FortiClient (Linux) does not support rules. It only supports allow and block actions. | | |
| Removable media access control – notify endpoint of blocks | | ✓ | ✓ | | |
| Vulnerability scan | ✓ | ✓ | ✓ | | |
| Vulnerability scan - event-based scan | ✓ | ✓ | ✓ | | |
| Sandbox | | | | | |
| Sandboxing - on-premise and FortiSASE Cloud Sandbox | ✓ | ✓ | | | |
| ZTNA | | | | | |
| ZTNA remote access | ✓ | ✓ | ✓ | | |
| ZTNA tagging rules | ✓ | ✓ | ✓ | ✓ | ✓ |
* Requires Advanced or Comprehensive License
** DTLS support is enabled by default for existing and new FortiSASE instances.
Common use cases
To connect to a FortiSandbox appliance behind a firewall, you must open ports 514 and 443.
In some scenarios, FortiSASE interacts with other Fortinet products. The following lists the supported versions for each scenario:
| Use case | Description |
|---|---|
| SIA for FortiClient agent-based remote users | Secure access to the internet using FortiClient agent. |
| SIA for FortiExtender site-based remote users | Secure access to the internet using Thin Edge FortiExtender device as FortiSASE LAN extension. |
| SIA for FortiGate SD-WAN secure edge site-based remote users | Secure access to the internet using FortiGate SD-WAN Secure Edge device as FortiSASE LAN extension. |
| SIA for FortiAP site-based remote users | Secure access to the internet using FortiAP device as FortiSASE edge device. |
| SIA for SD-WAN On-Ramp site-based remote users | Secure access to the internet using SD-WAN devices via IPsec acting as an on-ramp to FortiSASE. |
| Log forwarding | Forward logs to an external server, such as FortiAnalyzer. |
| Central management using FortiManager | Centrally manage FortiSASE configuration settings from FortiManager. |
| RBI | For secure web gateway (SWG) users, isolate browser sessions of certain websites or categories in an isolated environment, which renders content safely in a remote container. |
| ZTNA | Access to private company-hosted TCP-based applications behind the FortiGate ZTNA application gateway for various ZTNA use cases. |
| SPA using a FortiGate SD-WAN hub | Access to private company-hosted applications behind the FortiGate SD-WAN hub-and-spoke network. |
| SPA using a FortiSASE SPA hub | Access to private company-hosted applications behind the FortiGate next generation firewall (NGFW). |
| SPA using FortiGate SASE bundle license | Seamless integration of FortiGate with FortiSASE for SPA to simplify the journey from SD-WAN to SASE. |
| SPA using a FortiSASE SPA hub with Fabric overlay orchestrator | Access to private company-hosted applications behind the FortiGate NGFW using Fabric Overlay Orchestrator. |
| SPA for an MSSP hub | Access to private company-hosted applications behind the FortiGate secure private access (SPA) hub shared in a managed security service provider (MSSP), multi-tenant environment. |
| Data protection using FortiCASB | Visibility, compliance, data security, and threat protection for cloud-based services. |
SIA for FortiClient agent-based remote users
To allow remote users to connect to FortiSASE, ensure you have purchased the per-user FortiSASE licensing contracts and applied them to FortiCloud.
See the supported FortiClient versions.
SIA for FortiExtender site-based remote users
FortiSASE supports FortiExtender models for the LAN extension feature. The FortiExtender should run 7.4.3 and later. This feature requires a separate FortiSASE subscription license per FortiExtender.
You must register FortiExtender devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.
FortiSASE supports a maximum of 1024 FortiExtender devices combined that you can configure as FortiSASE edge devices.
Certain FortiExtender models are equipped with wired and/or wireless capabilities, along with advanced performance metrics to extend your microbranch LAN deployments. These models, also known as FortiBranchSASE, provide superior performance and flexibility.
The following table lists key features for different FortiExtender models that the FortiSASE for LAN extension feature supports:
| Feature | FortiExtender 200F | FortiBranchSASE 20G | FortiBranchSASE 20G WiFi | FortiBranchSASE 10F WiFi |
|---|---|---|---|---|
| LAN extension | ✓ | ✓ | ✓ | ✓ |
| Zero-touch provisioning | ✓ | ✓ | ✓ | ✓ |
| Wi-Fi support | ✓ | ✓ | | |
| Ethernet support | ✓ | ✓ | ✓ | ✓ |
| Available Ethernet ports | 5 x GbE RJ45 | 4 x 1GE RJ45 + 1 SFP/RJ45 | 4 x 1GE RJ45 + 1 SFP/RJ45 | 2 x 1GE RJ45 |
For information on FortiBranchSASE, see the FortiBranchSASE series datasheet.
For existing instances provisioned before FortiSASE 24.1.b and using FortiExtender, create a new FortiCare ticket to have the resolution for the resolved issue in Bug ID 1003287 applied to your instance. See Resolved issues for relevant issues resolved.
SIA for FortiGate SD-WAN secure edge site-based remote users
FortiGate SD-WAN as a secure edge requires a separate FortiSASE subscription license per FortiGate. All FortiGate F- and G-series desktop platforms including FortiWiFi below the 100 series running FortiOS 7.4.2 and later can support FortiSASE Secure Edge connectivity.
You must register FortiGate devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.
FortiSASE supports a maximum of 16 FortiGate and FortiWiFi devices combined that you can configure as FortiSASE edge devices.
SIA for FortiAP site-based remote users
FortiAP edge device support requires a separate FortiSASE subscription license per FortiAP. This feature supports FortiAP devices running FortiAP firmware 7.2.4 and later:
- FortiAP 23JF, 231F, 234F, 431F, 432F, 432FR, 433F, 831F
- FortiAP 231G, 233G, 234G, 431G, 432G, 433G
FortiSASE also supports profile configuration for 6G connectivity and LAN port management for selected FortiAP models.
You must register FortiAP devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.
FortiSASE supports a maximum of 240 FortiAP devices that you can configure as FortiSASE edge devices.
SIA for SD-WAN On-Ramp site-based remote users
FortiSASE SD-WAN On-Ramp enables customers to connect certified IPsec devices for inbound connectivity to FortiSASE for secure internet access (SIA), secure SaaS access, and SPA. IPsec service connections require the FortiSASE instance to have these licenses applied:
- Advanced or Comprehensive license
- FortiSASE SD-WAN On-Ramp Location subscription license corresponding to the Advanced or Comprehensive license
See the FortiSASE Ordering Guide.
SD-WAN On-Ramp and SPA share BGP configuration. You must configure the SPA network configuration before deploying an SD-WAN On-Ramp location but you can create SPA service connections after deploying an SD-WAN On-Ramp location.
The FortiSASE SD-WAN On-Ramp Location subscription license has these features:
- IPsec connectivity to a number of FortiSASE locations depending on the number of connections (two to eight) that the license specifies
- 1 Gbps of shared bandwidth for up to 10 simultaneous dialup IPsec connections from the IPsec device to the selected FortiSASE locations
- FQDN and static IP address to use for each IPsec On-Ramp location
- Enable connectivity from different IPsec device types as part of the same license
You must purchase the license multiple times if the expected bandwidth exceeds 1 Gbps for the location or the number of connected devices in one location exceeds 10.
Alternatively, if you require more than 10 connected devices in one location, you can purchase the SD-WAN On-Ramp Connection add-on license corresponding to the Advanced or Comprehensive license. This add-on can be purchased in increments of 1-2000 per location. With a maximum of 8 locations for on-ramp connections and a maximum of 2000 connections per location, customers can have up to 16000 connections per account.
For example, if a customer has 200 branches using SD-WAN On-Ramp then 200 connections are required, and the following licenses can be purchased:
- 2 SD-WAN On-Ramp Location licenses, each including 10 connections for a total of 20 connections
- 1 SD-WAN On-Ramp Connection add-on license containing 180 connections:
  - Assign 90 connections to first On-Ramp location
  - Assign 90 connections to second On-Ramp location
See the FortiSASE Ordering Guide.
Supported SD-WAN On-Ramp IPsec devices
| Device | Supported firmware version |
|---|---|
| FortiGate | 7.2.8 or later |
The FortiGate is the only certified IPsec device that you can use for SD-WAN On-Ramp.
Log forwarding
If using FortiAnalyzer for log forwarding, the FortiAnalyzer should be on 7.0.4 or later.
Central management using FortiManager
When using FortiManager for central management, the FortiManager or FortiManager Cloud should be on 7.4.4 or a later 7.4 version and only FortiManager VM platforms are supported. FortiSASE does not support using FortiManager 7.6 or FortiManager Cloud 7.6 for central management.
- You cannot add FortiSASE to version 7.0 administrative domains (ADOM) or the global ADOM.
- FortiManager only supports adding FortiSASE to FortiGate and Fabric ADOMs. Other ADOMs where the connector appears, including FortiProxy, FortiFirewallCarrier, FortiFirewall, FortiCarrier, and the Global Database ADOMs, are not supported. Additionally, you cannot add FortiSASE to ADOMs operating in backup mode. Attempting to do so presents the user with an "An unexpected error has occurred" error.
RBI
FortiSASE must have an Advanced remote users license to use remote browser isolation (RBI) with the following limitations:
- Supported for SWG users only
- Maximum of five simultaneous RBI sessions per user
- Sessions time out after 10 minutes of inactivity
- 100 MB of monthly isolation data per user included (1.2 GB per year)
ZTNA
If using ZTNA, the FortiGate acting as the ZTNA access proxy should be on the following FortiOS versions:
- 7.0.10 or later
- 7.2.4 or later
SPA
For securing private TCP- and UDP-based applications, FortiSASE supports a SPA deployment using an existing FortiGate SD-WAN hub or SPA using a FortiGate NGFW converted to a standalone FortiSASE SPA hub. These SPA use cases are based on IPsec VPN overlays and BGP.
SPA Service Connection license
A single SPA Service Connection license is required per FortiGate and allows inbound connectivity to the licensed device from all remote user and branch locations.
- FortiGate desktop platforms are recommended as a single NGFW location only.
- FortiGate 100F series and later are recommended for an SD-WAN hub.
See the FortiSASE Ordering Guide.
For the MSSP hub use case, see SPA for an MSSP hub.
SPA FortiCloud account prerequisites
You must register FortiGate devices to the same FortiCloud account used to log into FortiSASE before using these devices as SPA hubs with FortiSASE.
To activate the SPA feature on FortiSASE, you must purchase and apply a FortiSASE Service Connection license to each FortiGate device registered.
For details on registering products, see Registering assets.
SPA using a FortiGate SD-WAN hub
This use case requires a license per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection license and SPA FortiCloud account prerequisites.
If you deploy SPA using a FortiGate SD-WAN hub, use the following versions:
| Product | Supported firmware version |
|---|---|
| FortiGate | |
| FortiManager | |
| FortiClient | 7.2.9 |
SPA using a FortiSASE SPA hub
This use case requires a license per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection license and SPA FortiCloud account prerequisites.
If you deploy SPA using a FortiSASE SPA hub, use the following versions:
| Product | Supported firmware version |
|---|---|
| FortiGate | |
| FortiClient | 7.2.9 |
SPA using FortiGate SASE bundle license
Fortinet’s FortiGate SASE bundle license enables seamless integration of FortiGate with FortiSASE for SPA to simplify the journey from SD-WAN to SASE.
The FortiGate SASE Bundle license is available for FortiGate G-series hardware models starting from 120G and above. Each FortiGate device intended for SPA connectivity must be licensed individually with its own FortiGate SASE SPA Bundle license.
The FortiGate SASE Bundle includes the following:
- FortiSASE SPA: enables SPA connectivity from FortiGate to FortiSASE.
- FortiSASE Standard Starter Kit: includes FortiSASE Standard remote user licenses. The number of included remote user seats depends on the model of G-series FortiGate licensed, outlined as follows:
| Model | Included remote user seats for each model |
|---|---|
| Below 120G | None |
| 120G to 600G | 10 |
| 900G to 1500G | 50 |
| 1800G+ | 100 |
| VM and Cloud | None |
The number of remote user seats is cumulative and based on the number and model of FortiGates that have the FortiGate SASE bundle license applied under the same FortiCloud account as FortiSASE. For example, consider that a customer purchases the FortiGate SASE bundle license for:
| Device | Included remote user seats for each model |
|---|---|
| One 120G FortiGate | 10 |
| One 900G FortiGate | 50 |
In this case, the total number of included FortiSASE Standard remote user seats is 60 seats (10 + 50).
See the FortiSASE Ordering Guide.
SPA using a FortiSASE SPA hub with Fabric overlay orchestrator
This use case requires a license per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection license and SPA FortiCloud account prerequisites.
If you deploy SPA using a FortiSASE SPA hub with the Fabric Overlay Orchestrator, use the following versions:
| Product | Supported firmware version |
|---|---|
| FortiGate | |
| FortiClient | 7.2.9 |
The SPA easy configuration key for FortiSASE is supported in the Fabric Overlay Orchestrator in the following FortiOS version:
| Product | Supported firmware version |
|---|---|
| FortiGate | |
SPA for an MSSP hub
For MSSPs using FortiCloud Organizations to arrange accounts into a root organizational unit (OU) and sub-OUs and where many tenants share a FortiGate SPA hub, FortiSASE supports tenants within a sub-OU inheriting SPA licenses from the root OU account.
For a FortiSASE instance within a sub-OU, the number of supported SPA hubs is the sum of the number of SPA licenses registered in the tenant sub-OU account and the number of SPA licenses registered in the root OU, up to a maximum of 12 SPA licenses in total.
Data protection using FortiCASB
FortiCASB is Fortinet's cloud-native cloud access security broker (CASB) service, which provides visibility, compliance, data security, and threat protection for cloud-based services. FortiSASE supports registering a FortiCASB data protection add-on license. The add-on license must be registered in the same FortiCloud account as FortiSASE. FortiSASE supports FortiCASB 24.4.b.