SPA
For securing FortiSASE remote user access to private TCP-based and UDP-based applications, FortiSASE supports secure private access (SPA) using SD-WAN or SPA using a next generation firewall converted to a standalone FortiSASE SPA hub. FortiSASE private access supports up to twelve FortiGate hubs.
For SPA use cases, the security points of presence (PoPs) act as spokes to the FortiGate hub (FortiGate SD-WAN hub or FortiSASE SPA hub), relying on IPsec VPN overlays and BGP to secure and route traffic between PoPs and the networks behind the organization's FortiGate hub.
FortiSASE security PoPs and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows the spokes of a traditional hub-and-spoke VPN to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other, so that spoke-to-spoke traffic does not have to be routed through the topology's hub device.
FortiSASE remote users can access private resources behind the FortiGate hub(s) directly through the FortiSASE-to-hub IPsec tunnels. If a private resource is behind one of the organization’s spoke devices, remote users can reach that resource through an on-demand, direct, dynamic ADVPN shortcut tunnel.
The SPA use cases with FortiGate hubs allow traffic flow in the following directions:
From... | To...
---|---
Remote VPN users | FortiGate hubs (or spokes connected to hubs)
FortiGate hubs (or spokes connected to hubs) | Remote VPN users
FortiSASE supports these main routing design methods:
- BGP per overlay (default)
The example network topology uses the following settings configured in FortiSASE:
Configuration setting | Value used in example network topology
---|---
**Network Configuration settings** |
BGP routing design | BGP per overlay
BGP router ID subnet | 10.20.1.0/28
Autonomous system number (ASN) | 65400
BGP recursive routing | Enabled
Hub selection method | Hub health and priority
Health check IP address | 10.30.100.1
**Service Connection settings** |
Name | Datacenter 1
Remote gateway | 1.2.3.4
Authentication method | Pre-shared key
Pre-shared key | mysecretkey
BGP peer IP address | 10.20.1.253
Network Overlay ID | 2
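The settings table above is the kind of input an engineer reviews before committing a FortiSASE SPA configuration. The following Python script is an added example, not Fortinet code and not part of the FortiSASE product: it embeds the table's values as a constructed dictionary and runs the sanity checks a reviewer would apply, namely that the ASN sits in a private-use range (RFC 6996), that the hub count stays within the twelve-hub limit stated above, that the BGP peer and health check addresses do not collide with the router ID subnet, that each remote gateway is a globally routable address, that each network overlay ID is unique, and that a pre-shared key meets a minimum length. The `MIN_PSK_LEN` threshold, the overlay-ID uniqueness rule, and the assumption that PoP router IDs are carved from the router ID subnet are this example's own assumptions, not statements from the page.

```python
"""Sanity-check FortiSASE SPA settings before committing them.

Added example (not Fortinet code). The settings dictionary below is
constructed from the table on this page; thresholds and collision rules
are assumptions and are marked as such in the comments.
"""
from ipaddress import ip_address, ip_network

MAX_HUBS = 12                                   # from the page: up to twelve FortiGate hubs
PRIVATE_ASN_16BIT = range(64512, 65535)         # RFC 6996 private-use 16-bit ASNs
PRIVATE_ASN_32BIT = range(4200000000, 4294967295)  # RFC 6996 private-use 32-bit ASNs
MIN_PSK_LEN = 20                                # assumed policy threshold, not a Fortinet rule

EXAMPLE_SETTINGS = {                            # constructed from the settings table above
    "routing_design": "BGP per overlay",
    "router_id_subnet": "10.20.1.0/28",
    "asn": 65400,
    "recursive_routing": True,
    "hub_selection": "Hub health and priority",
    "health_check_ip": "10.30.100.1",
    "service_connections": [
        {
            "name": "Datacenter 1",
            "remote_gateway": "1.2.3.4",
            "auth": "Pre-shared key",
            "pre_shared_key": "mysecretkey",
            "bgp_peer_ip": "10.20.1.253",
            "overlay_id": 2,
        },
    ],
}


def check_spa_settings(settings: dict) -> list[str]:
    """Return human-readable findings; an empty list means no issues found."""
    findings: list[str] = []

    asn = settings["asn"]
    if asn not in PRIVATE_ASN_16BIT and asn not in PRIVATE_ASN_32BIT:
        findings.append(f"ASN {asn} is outside the RFC 6996 private-use ranges")

    router_id_subnet = ip_network(settings["router_id_subnet"], strict=True)

    # Assumption: PoP router IDs are allocated from the router ID subnet, so a
    # health check target inside it would be ambiguous.
    health_ip = ip_address(settings["health_check_ip"])
    if health_ip in router_id_subnet:
        findings.append(f"health check IP {health_ip} overlaps the router ID subnet")

    conns = settings["service_connections"]
    if len(conns) > MAX_HUBS:
        findings.append(f"{len(conns)} hubs configured; at most {MAX_HUBS} are supported")

    seen_overlays: set[int] = set()
    for conn in conns:
        name = conn["name"]

        gateway = ip_address(conn["remote_gateway"])
        if not gateway.is_global:
            findings.append(f"{name}: remote gateway {gateway} is not globally routable")

        peer = ip_address(conn["bgp_peer_ip"])
        if peer in router_id_subnet:
            findings.append(f"{name}: BGP peer {peer} collides with the router ID subnet")

        if conn["auth"] == "Pre-shared key" and len(conn["pre_shared_key"]) < MIN_PSK_LEN:
            findings.append(f"{name}: pre-shared key is shorter than {MIN_PSK_LEN} characters")

        # Assumption: each service connection needs its own network overlay ID.
        if conn["overlay_id"] in seen_overlays:
            findings.append(f"{name}: network overlay ID {conn['overlay_id']} is reused")
        seen_overlays.add(conn["overlay_id"])

    return findings


if __name__ == "__main__":
    for line in check_spa_settings(EXAMPLE_SETTINGS) or ["no findings"]:
        print(line)
```

Run against the page's values, the only finding is the short pre-shared key; replacing `mysecretkey` with a long random key clears it. The checks are deliberately offline: tunnel establishment, BGP session state and hub health can only be confirmed on the live FortiSASE and FortiGate side.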