FortiSASE Administration Guide
System
You can configure the following in System:
Certificates
HTML Templates
SWG Configuration
Endpoint Upgrade