Common use cases

To connect to a FortiSandbox appliance behind a firewall, you must open ports 514 and 443.

In some scenarios, FortiSASE interacts with other Fortinet products. The following lists the supported versions for each scenario:

Use case	Description
SIA for FortiClient agent-based remote users	Secure access to the internet using FortiClient agent.
SIA for FortiExtender site-based remote users	Secure access to the internet using Thin Edge FortiExtender device as FortiSASE LAN extension.
SIA for FortiGate SD-WAN secure edge site-based remote users	Secure access to the internet using FortiGate SD-WAN Secure Edge device as FortiGate SD-WAN Secure Edge device as FortiSASE LAN extension.
SIA for FortiAP site-based remote users	Secure access to the internet using FortiAP device as FortiSASE edge device.
SIA for Branch On-ramp site-based remote users	Secure access to the internet using an IPsec device acting as an on-ramp to FortiSASE.
Log forwarding	Forward logs to an external server, such as FortiAnalyzer.
Central management using FortiManager	Centrally manage FortiSASE configuration settings from FortiManager
RBI	For proxy users, isolate browser sessions of certain websites or categories in an isolated environment, which renders content safely in a remote container.
Secure Browser	Integrated management of the FortiSASE Secure Browser extension. Administrators can gain full visibility into browser activity without deep inspection, can monitor and block web-based threats, and can prevent data exfiltration.
ZTNA	Access to private company-hosted TCP-based applications behind the FortiGate ZTNA application gateway for various ZTNA use cases.
SPA using a FortiGate SD-WAN hub	Access to private company-hosted applications behind the FortiGate SD-WAN hub-and-spoke network.
SPA using a FortiSASE SPA hub	Access to private company-hosted applications behind the FortiGate next generation firewall (NGFW).
SPA using FortiGate SD-WAN Service Bundle subscription	Seamless integration of FortiGate with FortiSASE for SPA to simplify the journey from SD-WAN to SASE.
SPA using a FortiSASE SPA hub with Fabric overlay orchestrator	Access to private company-hosted applications behind the FortiGate NGFW using Fabric Overlay Orchestrator.
SPA for an MSSP hub	Access to private company-hosted applications behind the FortiGate secure private access (SPA) hub shared in a managed security service provider (MSSP), multitenant environment.
Data protection using FortiCASB	Visibility, compliance, data security, and threat protection for cloud-based services.

SIA for FortiClient agent-based remote users

To allow remote users to connect to FortiSASE, ensure you have purchased the per-user FortiSASE licensing contracts and applied them to FortiCloud.

See the supported FortiClient versions.

SIA for FortiExtender site-based remote users

FortiSASE supports FortiExtender models for the LAN extension feature. The FortiExtender should run 7.4.3 and later. This feature requires a separate FortiSASE subscription per FortiExtender.

You must register FortiExtender devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.

FortiSASE supports a maximum of 1024 FortiExtender devices combined that you can configure as FortiSASE edge devices.

Certain FortiExtender models are equipped with wired and/or wireless capabilities, along with advanced performance metrics to extend your microbranch LAN deployments. These models, also known as FortiBranchSASE, provide superior performance and flexibility.

The following table lists key features for different FortiExtender models that the FortiSASE for LAN extension feature supports:

Feature	FortiExtender 200F	FortiBranchSASE 20G	FortiBranchSASE 20G WiFi	FortiBranchSASE 10F WiFi
LAN extension	✓	✓	✓	✓
Zero-touch provisioning	✓	✓	✓	✓
Wi-Fi support			✓	✓
Ethernet support	✓	✓	✓	✓
Available Ethernet ports	5 x GbE RJ45	4 x 1GE RJ45 + 1 SFP/RJ45	4 x 1GE RJ45 + 1 SFP/RJ45	2 x 1GE RJ45

For information on FortiBranchSASE, see the FortiBranchSASE series datasheet.

SIA for FortiGate SD-WAN secure edge site-based remote users

FortiGate SD-WAN as a secure edge requires a separate FortiSASE subscription per FortiGate. All FortiGate F- and G-series desktop platforms including FortiWiFi from the 40 series to the 100 series that support virtual domains (VDOM) running FortiOS 7.4.2 and later can support FortiSASE Secure Edge connectivity. See the FortiGate model-specific datasheet to confirm VDOM support.

You must register FortiGate devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.

FortiSASE supports a maximum of 16 FortiGate and FortiWiFi devices combined that you can configure as FortiSASE edge devices.

SIA for FortiAP site-based remote users

FortiAP edge device support requires a separate FortiSASE subscription per FortiAP. This feature supports FortiAP devices running FortiAP firmware 7.2.4 and later:

• FortiAP 23JF, 234F, 432FR, 831F

• FortiAP 234G, 431G, 432G, 433G

• FortiAP 23JK, 231K, 241K, 243K, 441K, 443K

FortiSASE also supports profile configuration for 6G connectivity and LAN port management for selected FortiAP models.

You must register FortiAP devices used with the LAN extension feature to the same FortiCloud account used to log into FortiSASE before using this feature.

FortiSASE supports a maximum of 240 FortiAP devices that you can configure as FortiSASE edge devices.

SIA for Branch On-ramp site-based remote users

FortiSASE Branch On-ramp enables customers to connect IPsec devices for inbound connectivity to FortiSASE for secure internet access (SIA), secure SaaS access, and SPA. IPsec service connections require the FortiSASE instance to have these subscriptions applied:

• Standard, Advanced, or Comprehensive subscription
• FortiSASE Branch On-ramp security PoP subscription corresponding to the Advanced or Comprehensive license

See the FortiSASE Ordering Guide.

The FortiSASE Branch On-ramp Location subscription has these features:

• IPsec connectivity to a number of FortiSASE On-Ramp security PoPs (2 to 20) depending on the number of seats that the subscription specifies
• 1 Gbps of shared bandwidth for up to 2000 simultaneous dialup IPsec connections from the IPsec device to the selected FortiSASE security PoPs

• 50 TB of data transfer per year based on 50 Mbps usage during business hours. Data transfer is aggregated at the account level and shared with remote users (250 GB per user). Additional data transfer subscriptions can be purchased if required. See the FortiSASE Service Description on the Fortinet Support portal.

• The Branch On-ramp Connection add-on subscription is discontinued after 25.3.b.

• FQDN and static IP address to use for each IPsec On-Ramp security PoP
• Enable connectivity from different IPsec device types, such as FortiGate or third-party IPsec devices

You must purchase the subscription multiple times if the expected bandwidth exceeds 1 Gbps for the security PoP.

Existing customers can contact their Fortinet Sales or Partner representative for assistance with co-terming an existing Branch On-ramp Location subscription to support additional On-Ramp security PoPs.

Log forwarding

If using FortiAnalyzer for log forwarding, the FortiAnalyzer should be on 7.0.4 or later.

Central management using FortiManager

When using FortiManager for central management, the FortiManager or FortiManager Cloud should be on 7.4.4 or a later 7.4 version. FortiSASE supports using FortiManager 7.6 or FortiManager Cloud 7.6 for central management when using FortiManager 7.6.4 or later.

• The central management feature requires FortiManager 7.4.4 or later for synchronizing configuration settings other than policy packages.

• The policy packages feature requires either FortiManager 7.4.8 or later, or FortiManager 7.6.4 or later for synchronizing policy packages.

• Support of central management for MSSP tenants requires FortiManager 7.4.9 or later, or FortiManager 7.6.5 or later.

• You cannot add FortiSASE to version 7.0 administrative domains (ADOM) or the global ADOM.

• FortiManager only supports adding FortiSASE to FortiGate and Fabric ADOMs. Other ADOMs where the connector appears including FortiProxy, FortiFirewallCarrier, FortiFirewall, FortiCarrier, and the Global Database ADOMs are not supported. Additionally, you cannot add FortiSASE to ADOMs operating in backup mode. Attempting to do so presents the user with an An unexpected error has occurred error.

RBI

FortiSASE must have an Advanced or Comprehensive remote users subscription to use remote browser isolation (RBI) with the following limitations:

• Supported for proxy users only
• Maximum of five simultaneous RBI sessions per user
• Sessions time out after 10 minutes of inactivity

• A yearly isolation data limit, enforced at the instance level, is 1.2 GB per user included per year. Beyond that limit, all users' isolation traffic will be blocked.

  • For example, for an instance with 50 users, the yearly isolation data limit that is enforced on the instance is 60 GB per year.

  • If the cumulative isolation traffic of these 50 users exceeds 60 GB at any time in the year, then isolation traffic for all 50 users in that instance will be blocked.

Secure Browser

• If the Secure Browser extension has already been deployed on endpoints as part of FortiMail Workspace Security, specifically, FortiMail Browser Security support, then the administrator should not enable Secure Browser in FortiSASE.

• FortiSASE Secure Browser requires a FortiSASE instance with an Advanced or Comprehensive remote users FortiSASE subscription.

• Currently, the FortiSASE Secure Browser extension is supported in Windows and MacOS on Google Chrome and Microsoft Edge web browsers.

• SAML SSO users must be integrated with FortiSASE Secure Browser before the feature can be configured and deployed. Therefore, this feature requires access to a SAML SSO IdP such as Entra ID.

• This feature is a select availability feature in FortiSASE that is not enabled by default on new instances. If you require this feature for your new or existing FortiSASE instance, create a new ticket with FortiCare Support.

ZTNA

If using ZTNA, the FortiGate acting as the ZTNA access proxy should be on the following FortiOS versions:

• 7.0.10 or later

• 7.2.4 or later

SPA

For securing private TCP- and UDP-based applications, FortiSASE supports a SPA deployment using an existing FortiGate SD-WAN hub or SPA using a FortiGate NGFW converted to a standalone FortiSASE SPA hub. These SPA use cases are based on IPsec overlays and BGP.

By default, each FortiSASE PoP allows up to 300 Mbps of aggregate SPA throughput to account for baseline customer SPA hub capacity. If additional traffic is expected in a given region and the customer SPA hub has available bandwidth, you can open a FortiCare Support ticket to increase this SPA throughput.

SPA Service Connection subscription

A single SPA Service Connection subscription is required per FortiGate and allows inbound connectivity to the licensed device from all remote user and branch locations.

• FortiGate desktop platforms are recommended as a single NGFW location only.

• FortiGate 100F series and later are recommended for an SD-WAN hub.

See the FortiSASE Ordering Guide.

For the MSSP hub use case, see SPA for an MSSP hub.

SPA FortiCloud account prerequisites

You must register FortiGate devices to the same FortiCloud account used to log into FortiSASE before using these devices as SPA hubs with FortiSASE.

To activate the SPA feature on FortiSASE, you must purchase and apply a FortiSASE Service Connection subscription to each FortiGate device registered.

For details on registering products, see Registering assets.

SPA using a FortiGate SD-WAN hub

This use case requires a subscription per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection subscription and SPA FortiCloud account prerequisites.

By default, each FortiSASE PoP allows up to 300 Mbps of aggregate SPA throughput to account for baseline customer SPA hub capacity. If additional traffic is expected in a given region and the customer SPA hub has available bandwidth, you can open a FortiCare Support ticket to increase this SPA throughput.

If you deploy SPA using a FortiGate SD-WAN hub, use the following versions:

Product	Supported firmware version
FortiGate	7.0.10 or later 7.2.4 or later 7.4.0 or later 7.6.0 or later
FortiManager	7.2.0 or later, which supports SD-WAN overlay templates 7.0.3 or later, which includes BGP and IPsec recommended templates for SD-WAN overlays 7.4.0 or later 7.6.0 or later
FortiClient	7.2.14 for existing instances created before 25.4.c 7.4.7 for new instances in 25.4.c or later

SPA using a FortiSASE SPA hub

This use case requires a subscription per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection subscription and SPA FortiCloud account prerequisites.

By default, each FortiSASE PoP allows up to 300 Mbps of aggregate SPA throughput to account for baseline customer SPA hub capacity. If additional traffic is expected in a given region and the customer SPA hub has available bandwidth, you can open a FortiCare Support ticket to increase this SPA throughput.

If you deploy SPA using a FortiSASE SPA hub, use the following versions:

Product	Supported firmware version
FortiGate	7.0.10 or later 7.2.4 or later 7.4.0 or later 7.6.0 or later
FortiClient	7.2.14 for existing instances created before 25.4.c 7.4.7 for new instances in 25.4.c or later

SPA using FortiGate SD-WAN Service Bundle subscription

Fortinet’s FortiGate SD-WAN Service Bundle subscription enables seamless integration of FortiGate with FortiSASE for SPA to simplify the journey from SD-WAN to SASE.

The FortiGate SD-WAN Service Bundle subscription is available for FortiGate F-series hardware models starting from 100F and above, and G-series hardware models starting from 120G and above. Each FortiGate device intended for SPA connectivity must be licensed individually with its own FortiGate SASE SPA Bundle subscription.

The FortiGate SD-WAN Service Bundle includes the following FortiSASE subscriptions:

• FortiSASE SPA: enables SPA connectivity from FortiGate to FortiSASE.
• FortiSASE Standard Starter Kit: includes FortiSASE Standard remote user subscriptions. The number of included remote user seats and available FortiSASE security points of presence (PoP) depend on the model of F-series FortiGate or G-series FortiGate licensed, outlined as follows:

  Model	Included remote user seats for each model	Number of security PoPs available
  Below 100F Below 120G	None	N/A
  100F to 600F 120G to 600G	10	2
  1000F 700G to 1500G	50	2 to 4
  1800F and above 1800G and above	100
  VM and Cloud	None	N/A

The number of remote user seats are cumulative and based on the number and model of FortiGates that have the FortiGate SD-WAN Service Bundle subscription applied under the same FortiCloud account as FortiSASE. For example, consider that a customer purchases the FortiGate SD-WAN Service Bundle subscription for:

Device	Included remote user seats for each model
One 120G FortiGate	10
One 900G FortiGate	50

In this case, the total number of included FortiSASE Standard remote user seats is 60 seats (10 + 50). In addition, as the total number of remote user seats is 50 and above, the number of available FortiSASE security PoPs to choose from is between 2 to 4.

See the FortiSASE Ordering Guide.

SPA using a FortiSASE SPA hub with Fabric overlay orchestrator

This use case requires a subscription per FortiGate device and requires each FortiGate device to be registered in the same FortiCloud account as FortiSASE. See SPA Service Connection subscription and SPA FortiCloud account prerequisites.

By default, each FortiSASE PoP allows up to 300 Mbps of aggregate SPA throughput to account for baseline customer SPA hub capacity. If additional traffic is expected in a given region and the customer SPA hub has available bandwidth, you can open a FortiCare Support ticket to increase this SPA throughput.

If you deploy SPA using a FortiSASE SPA hub with the Fabric Overlay Orchestrator, use the following versions:

Product	Supported firmware version
FortiGate	7.2.4 or later 7.4.0 or later 7.6.0 or later
FortiClient	7.2.14 for existing instances created before 25.4.c 7.4.7 for new instances in 25.4.c or later

The SPA easy configuration key for FortiSASE is supported in the Fabric Overlay Orchestrator in the following FortiOS version:

Product	Supported firmware version
FortiGate	7.4.5 and later 7.6.0 and later

SPA for an MSSP hub

For MSSPs using FortiCloud Organizations to arrange accounts into a root organizational unit (OU) and sub-OUs and where many tenants share a FortiGate SPA hub, FortiSASE supports tenants within a sub-OU inheriting SPA subscriptions from the root OU account.

For a FortiSASE instance within a sub-OU, the number of supported SPA hubs is the sum of the number of SPA subscriptions registered in the tenant sub-OU account and the number of SPA subscriptions registered in the root OU, up to a maximum of 12 SPA subscriptions in total.

Data protection using FortiCASB

FortiCASB is Fortinet's cloud-native cloud access security broker (CASB) service, which provides visibility, compliance, data security, and threat protection for cloud-based services. FortiSASE supports registering a FortiCASB data protection add-on subscription. The add-on subscription must be registered in the same FortiCloud account as FortiSASE. FortiSASE supports FortiCASB 24.4.b.