Network restrictions removed
FortiSASE includes support for removing network restrictions.
The following networks are available for your network configuration:
- 10.0.0.0/8
- 100.64.0.0/10 (except 100.65.0.0/16)
- 172.16.0.0/12
- 192.168.0.0/16
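The ranges above are simple to read but easy to get wrong in an address plan, particularly the 100.65.0.0/16 carve-out inside 100.64.0.0/10. The following validator is an added example, not Fortinet code, and only encodes the four ranges and the one exception listed here; it checks that each candidate subnet sits entirely inside one allowed range and does not touch the excluded block.

```python
import ipaddress

# Ranges available once FortiSASE network restrictions are removed (as listed
# on the page); 100.65.0.0/16 is carved out of 100.64.0.0/10.
ALLOWED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
EXCLUDED = [ipaddress.ip_network("100.65.0.0/16")]


def check_subnet(cidr: str) -> tuple:
    """Return (ok, reason) for one candidate subnet.

    ok is True only when the subnet lies entirely inside one allowed range
    and does not overlap any excluded range. A subnet that is larger than
    its would-be parent (e.g. 172.16.0.0/11) is rejected, as is a subnet
    that merely straddles the carve-out.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False, "only IPv4 ranges are listed"
    parent = next((a for a in ALLOWED if net.subnet_of(a)), None)
    if parent is None:
        return False, "not within an allowed range"
    clash = next((e for e in EXCLUDED if net.overlaps(e)), None)
    if clash is not None:
        return False, f"overlaps excluded range {clash}"
    return True, f"within {parent}"


def check_plan(cidrs) -> dict:
    """Check a whole address plan; returns {cidr: (ok, reason)}."""
    return {c: check_subnet(c) for c in cidrs}


if __name__ == "__main__":
    # Constructed sample plan, not taken from the page.
    plan = ["10.20.0.0/16", "100.64.0.0/10", "100.66.0.0/16",
            "100.65.8.0/24", "172.16.0.0/11", "192.168.1.0/24",
            "203.0.113.0/24"]
    for cidr, (ok, why) in check_plan(plan).items():
        print(f"{cidr:18} {'OK' if ok else 'NO'}  {why}")
```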
This feature is a select availability feature in FortiSASE that is not enabled by default on existing instances created prior to FortiSASE 23.4.b. If you require this feature for your existing FortiSASE instance, create a new ticket with FortiCare Support.
With the requested network restrictions removed, note the following:
FortiSASE can connect to DNS, RADIUS, or LDAP servers with internal IP addresses or FQDNs, provided that you set Access Type to Private in the RADIUS or LDAP server settings, the internal servers are located behind a secure private access (SPA) hub, and the SPA hub has been configured in FortiSASE with BGP per overlay.
Implicit and split DNS rules for VPN traffic configured with internal IP addresses work with SPA hubs configured with any BGP routing design.
Ensure that your FortiSASE remote users have access to the internal DNS server, internal RADIUS server, or internal LDAP server. If access to the SPA hub is being restricted by a firewall policy, you must ensure security PoPs are allowed to access the SPA hub. See Restricting access using a FortiGate SPA hub/spoke policy.
When the FortiSASE Endpoint Management Service uses AD servers with Groups & AD Users for endpoint profile assignments, these servers must use public IP addresses or publicly accessible FQDNs for the Server address in the AD connection, which may require some configuration or topology changes.