Administration Guide

Secure private access

For securing FortiSASE remote user access to private TCP-based and UDP-based applications, FortiSASE supports secure private access (SPA) using SD-WAN or SPA using a next generation firewall converted to a standalone FortiSASE SPA hub. FortiSASE private access supports up to four FortiGate hubs.

For SPA use cases, the security points of presence (PoPs) act as spokes to the FortiGate hub (FortiGate SD-WAN hub or FortiSASE SPA hub), relying on IPsec VPN overlays and BGP to secure and route traffic between PoPs and the networks behind the organization's FortiGate hub.

FortiSASE security points of presence and the organization’s FortiGate hubs form a traditional hub-and-spoke topology that supports the Fortinet autodiscovery VPN (ADVPN) configuration. ADVPN is an IPsec technology that allows a traditional hub-and-spoke VPN’s spokes to establish dynamic, on-demand, direct tunnels, known as shortcut tunnels, between each other to avoid routing through the topology's hub device.

FortiSASE remote users may access private resources behind the FortiGate hub(s) directly through the IPsec tunnels between FortiSASE and the hub(s). If a private resource is behind one of the organization's spoke devices, users may connect directly to that resource through an on-demand, direct, and dynamic ADVPN shortcut tunnel.
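The hub-and-spoke overlay described above can be read from the hub side. The following FortiOS CLI snippet is an added illustration written for this page; it is not configuration from the guide and not what FortiSASE itself provisions. It shows the three pieces the paragraphs rely on: a dynamic IPsec phase1 that acts as the ADVPN shortcut sender, a tunnel overlay subnet, and an iBGP route-reflector group so that spoke-originated prefixes (including the PoP side) are exchanged through the hub. Interface names, addresses, AS number and the pre-shared-key placeholder are all assumptions.

```fortios
# Added example: hub-side FortiOS configuration for an ADVPN hub with BGP
# (illustrative only; names, addresses and AS number are assumptions)

# 1. Dynamic IPsec phase1: accepts any spoke, advertises ADVPN shortcuts
config vpn ipsec phase1-interface
    edit "spa-hub"
        set type dynamic
        set interface "port1"              # assumed WAN interface
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set add-route disable              # routes come from BGP, not IKE
        set dpd on-idle
        set auto-discovery-sender enable   # hub offers spoke-to-spoke shortcuts
        set psksecret <PSK_PLACEHOLDER>    # placeholder, never commit a real key
    next
end
config vpn ipsec phase2-interface
    edit "spa-hub"
        set phase1name "spa-hub"
        set proposal aes256-sha256
    next
end

# 2. Overlay addressing on the tunnel interface (assumed 10.10.10.0/24)
config system interface
    edit "spa-hub"
        set ip 10.10.10.254 255.255.255.255
        set remote-ip 10.10.10.253 255.255.255.0
    next
end

# 3. iBGP: hub reflects routes between spokes; neighbors are learned
#    dynamically from the overlay subnet rather than listed one by one
config router bgp
    set as 65000                           # assumed AS number
    set router-id 10.10.10.254
    set ibgp-multipath enable
    config neighbor-group
        edit "spa-spokes"
            set remote-as 65000
            set route-reflector-client enable
            set next-hop-self enable
            set link-down-failover enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "spa-spokes"
        next
    end
    config network
        edit 1
            set prefix 192.168.10.0 255.255.255.0   # assumed LAN behind the hub
        next
    end
end
```

Two details matter for the behaviour the text describes. `add-route disable` together with BGP keeps reachability decisions in the routing protocol, so a spoke's prefixes appear and disappear with its BGP session rather than with IKE. `auto-discovery-sender enable` is what lets the hub hand a spoke the information it needs to build a shortcut to another spoke instead of keeping that traffic on the hub; a spoke-side peer would carry the matching `auto-discovery-receiver enable`.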

The SPA use cases with FortiGate hubs allow traffic flow in the following directions:

From...                                        To...
Remote VPN users                               FortiGate hubs (or spokes connected to hubs)
FortiGate hubs (or spokes connected to hubs)   Remote VPN users

FortiSASE supports these main routing design methods: