
Administration Guide

Profiles

Profiles

FortiSASE supports multiple endpoint profiles to provide granular behavior for different types of users belonging to an AD group or a non-AD group, such as:

  • IT can disconnect from always-on VPN.
  • Marketing can use removable media and authenticates using LDAP.
  • All other users cannot disconnect from always-on VPN or use removable media, and authenticate using single sign on (SSO).

Configuration > Profiles presents a table of profiles, with the Default profile assigned to all other users if you have not defined custom profiles. You cannot delete the Default profile.

You can prioritize and assign endpoint profiles to on-net endpoints based on matching AD domain users and groups or you can assign endpoint profiles based on endpoints assigned to different non-AD groups.

Viewing users and groups from an AD server requires an LDAP server configuration. LDAP user and group information is shared with the FortiSASE Endpoint Management service, which assigns profiles to endpoints that are locally connected to the LDAP domain whenever domain users are logged in by matching selected users or groups.
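The following example, added here and not part of the FortiSASE documentation or product code, models the first-match, priority-ordered assignment that the two preceding paragraphs describe: profiles are walked from highest to lowest priority, an endpoint receives the first profile whose AD users, AD groups (taken from LDAP memberOf DNs), or non-AD groups match it, and the Default profile applies to everyone else. The user names, group DNs, the marketing-byod non-AD group, and the settings keys are constructed for illustration.

```python
# Added illustration of first-match, priority-ordered profile assignment.
# This is a model written for this guide page, not FortiSASE's own code; the
# group DNs, user names and non-AD group label below are constructed samples.
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    ad_users: set = field(default_factory=set)       # sAMAccountName values
    ad_groups: set = field(default_factory=set)      # AD group CNs
    non_ad_groups: set = field(default_factory=set)  # non-AD group names
    settings: dict = field(default_factory=dict)


def group_cn_from_dn(dn: str) -> str:
    """Return the CN of a group DN such as 'CN=IT,OU=Groups,DC=example,DC=com'."""
    first_rdn = dn.split(",", 1)[0]
    attr, sep, value = first_rdn.partition("=")
    if not sep or attr.strip().upper() != "CN":
        raise ValueError(f"expected a CN-led DN, got {dn!r}")
    return value.strip()


def assign_profile(profiles, default, *, user=None, member_of=(), non_ad_group=None):
    """Walk profiles in priority order; the first match wins, otherwise the Default profile."""
    groups = {group_cn_from_dn(dn) for dn in member_of}
    for profile in profiles:
        if user is not None and user in profile.ad_users:
            return profile
        if groups & profile.ad_groups:
            return profile
        if non_ad_group is not None and non_ad_group in profile.non_ad_groups:
            return profile
    return default


# Profiles mirroring the three cases in the text, highest priority first.
IT = Profile("IT", ad_groups={"IT"},
             settings={"vpn_disconnect": True, "removable_media": False, "auth": "sso"})
MARKETING = Profile("Marketing", ad_groups={"Marketing"}, non_ad_groups={"marketing-byod"},
                    settings={"vpn_disconnect": False, "removable_media": True, "auth": "ldap"})
DEFAULT = Profile("Default",
                  settings={"vpn_disconnect": False, "removable_media": False, "auth": "sso"})
PROFILES = [IT, MARKETING]

# Constructed endpoint facts, as an LDAP lookup or a non-AD group assignment would supply them.
ENDPOINTS = {
    "alice": {"member_of": ["CN=IT,OU=Groups,DC=example,DC=com",
                            "CN=Marketing,OU=Groups,DC=example,DC=com"]},
    "bob": {"member_of": ["CN=Marketing,OU=Groups,DC=example,DC=com"]},
    "carol": {"member_of": ["CN=Finance,OU=Groups,DC=example,DC=com"]},
    "kiosk-07": {"non_ad_group": "marketing-byod"},
}


def resolve_all(endpoints=ENDPOINTS, profiles=PROFILES):
    """Map each endpoint to the name of the profile it would receive."""
    return {
        name: assign_profile(profiles, DEFAULT,
                             user=name,
                             member_of=facts.get("member_of", ()),
                             non_ad_group=facts.get("non_ad_group")).name
        for name, facts in endpoints.items()
    }


if __name__ == "__main__":
    for endpoint, profile in resolve_all().items():
        print(f"{endpoint:10} -> {profile}")
```

The point the model makes is that priority order decides overlapping memberships: alice is in both IT and Marketing and receives IT only because IT is listed first; reordering the list gives her the Marketing settings, including removable media. Review the order whenever a user can belong to more than one matched group, since the less restrictive profile wins if it sits higher.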

Note

If you have an existing LDAP server configured prior to FortiSASE 23.4, the custom endpoint profile cannot use it immediately. First, you must synchronize the LDAP server settings with the FortiSASE Endpoint Management Service using these steps:

  1. From Configuration > LDAP, Edit the existing LDAP server.
  2. Click Back twice to get back to the first page, Set up server.
  3. On the Set up server page, click Next.
  4. On the Authenticate page, select the Bind type, reenter the LDAP administrator credentials, and click Next.
  5. On the Review page, click Submit.

Note

The FortiSASE Endpoint Management Service does not support importing LDAP subdomains if you have already imported the LDAP parent domain previously into it.

Note

FortiSASE can connect to DNS, RADIUS, or LDAP servers with internal IP addresses or FQDNs if you set Access Type to Private in the RADIUS or LDAP server settings, internal servers are located behind a secure private access (SPA) hub, and the SPA hub in FortiSASE has been configured with BGP per overlay.

When the FortiSASE Endpoint Management Service uses LDAP servers with Groups & AD Users for endpoint profile assignments, these servers must use public IP addresses or publicly accessible FQDNs with Access Type set to Public in the LDAP server settings and may require some configuration or topology changes.

See Network restrictions removed.

From Configuration > LDAP, right-click any LDAP server to synchronize custom endpoint profiles with any updates from the LDAP server, if necessary.

When creating a new endpoint profile, you can use the Groups & AD Users tab to select which AD users/groups or non-AD groups the profile will apply to, and you can use an option in the Connection tab to enable/disable SSO authentication per profile. To assign endpoints to different non-AD groups, see Groups & AD Users.

To configure Profiles options:
  1. Go to Configuration > Profiles.
  2. Click Create or edit an existing profile.
  3. In the Name field, enter the desired name of the endpoint profile.
  4. Configure the options on each tab as the following topics describe:
