Administration Guide

Connection

To configure the Connection tab:
  1. Create a new profile or edit an existing one:
    1. Go to Configuration > Profiles. By default, the Profiles tab is selected.
    2. Click Create or edit an existing profile.
    3. In the Name field, enter the desired name of the endpoint profile.
  2. On the Connection tab, to enable VPN autoconnect, for Connect to FortiSASE, select On device login. Enable the toggle for Disable disconnect from VPN to prevent endpoints from being able to disconnect from FortiSASE’s secure internet access (SIA) VPN.

    To let endpoint users manually connect to FortiSASE’s SIA VPN, select Manually under Connect to FortiSASE. This disables the autoconnect feature to connect to FortiSASE’s SIA VPN.

    Note

    Setting Connect to FortiSASE to On device login enables autoconnect. This option is equivalent to configuring Auto-connect to FortiSASE in prior FortiSASE versions.

    Similarly, enabling Disable disconnect from VPN is equivalent to enabling Force Always On VPN in prior FortiSASE versions.

  3. Under Bypass FortiSASE, configure Endpoints will not auto-connect to VPN when the selected on-fabric rule set is satisfied.

    On-fabric rule sets determine if FortiSASE considers endpoints trusted or on-fabric, meaning they are in a corporate network which should have some level of on-premise security and do not need to automatically connect to FortiSASE VPN for security inspection. This also helps to optimize FortiSASE bandwidth usage.

    For example, when you add an on-fabric rule set using your corporate network's public IP address, the endpoints on this network do not automatically connect to FortiSASE VPN when they are on-fabric. Therefore, endpoints only autoconnect to FortiSASE VPN when they have public IP addresses that do not match the configured trusted public IP addresses, meaning when they are considered untrusted or off-fabric and require FortiSASE security inspection.

    FortiSASE supports on-fabric rule sets with the following detection types to determine if an endpoint is connecting from a trusted location:

    Detection type

    Description

    Connects with a known public IP

    In the Known public (WAN) IP addresses field, enter the desired IP address. You can configure multiple addresses using the + button. FortiSASE supports configuration of single IP addresses and /24 ranges.

    FortiSASE considers the endpoint as satisfying the rule if its public (WAN) IP address matches the one specified.

    Is connected to a known DNS server

    In the Known server IP addresses field, configure at least one IP address for the desired DNS server. You can configure multiple IP addresses using the + button.

    FortiSASE considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration.

    Is connected to a known DHCP server

    When Identify servers by IP/MAC addresses is enabled, configure the IP and/or MAC address for the desired DHCP server in the Known server IP addresses and Known MAC addresses fields, respectively. If configuring the Identify servers by IP/MAC addresses option, the MAC Address field is optional.

    When Identify servers by DHCP option 224 is enabled, configure the DHCP code for the desired DHCP server. If the DHCP server is a FortiGate, then you can use the FortiGate serial number as the DHCP code, if desired. Otherwise, the DHCP code can be any string configured in the DHCP server as option 224.

    You can configure just the Identify servers by IP/MAC addresses option, just the Identify servers by DHCP option 224 option, or both options. You can configure multiple IP and MAC addresses and DHCP codes using the + button on each tab.

    FortiSASE considers the endpoint as satisfying the rule if it is connected to a DHCP server that matches the specified configuration.

    Connects from a known local subnet

    In the Known subnets field, enter a range of IP addresses. In the Known gateway MAC addresses field, optionally enter the default gateway MAC address. You can configure multiple addresses using the + button.

    FortiSASE considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the range specified and if its default gateway MAC address matches the one specified, if it is configured.

    Can ping a known server

    In the Known server IP addresses field, enter the server IP address. You can configure multiple addresses using the + button.

    FortiSASE considers the endpoint as satisfying the rule if it can access the server at the specified IP address.

    Configure an on-fabric rule set to prevent autoconnect to FortiSASE VPN when endpoints are on-net:

    1. Next to Endpoints will not auto-connect to VPN when the selected on-fabric rule set, click the dropdown and click + to create a new on-fabric rule set.
    2. In the Create new rule set slide-in, select one or more detection types by toggling them.
    3. Configure the required fields as described for each detection type.
    4. Click OK to save the on-fabric rule set.
    5. Click OK to select the newly created on-fabric rule set.
    6. Click OK to save the profile configuration.
    Note

    On-fabric rule sets can also be created, edited, and deleted in Configuration > Profiles from the On-fabric rule sets tab. From this tab, you can also view which profiles each rule set is used in.

  4. Under Bypass FortiSASE, configure Split tunneling destinations. Traffic configured as a split tunneling destination is considered to be a trusted destination that is excluded from the FortiSASE VPN tunnel and redirected to the endpoint physical interface, bypassing FortiSASE. This also helps optimize FortiSASE bandwidth usage. For example, you may want to add a high bandwidth-consuming application, such as Microsoft Teams or Zoom, as a split tunneling destination. Configure a split tunneling destination:
    1. Click Create.
    2. Configure the following fields:

      Option

      Description

      Type

      Select Infrastructure, FQDN, Local Application, or Subnet.

      Match

      • If you selected Infrastructure, select the desired application from the dropdown list.
      • If you selected FQDN, enter the desired fully qualified domain name (FQDN). The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection. For example, if you want to exclude YouTube from the VPN tunnel, you can enter youtube.com. When endpoint users use any popular browser such as Chrome, Edge, or Firefox to access youtube.com or *.youtube.com, this traffic does not go through the VPN tunnel.
      • If you selected Local Application, specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not add leading or trailing spaces, and do not add double quotes around full paths that contain spaces. You can add multiple entries by separating them with a semicolon.

        For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:

        • Application Name: teams.exe;firefox.exe

        • Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe

        • Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\

        To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.

      • If you selected Subnet, enter the desired subnet. The subnet is dynamically added to the route table when in use, and is removed after disconnection.

        You can select host groups when using the Subnet match type. You must create host groups in Configuration > Hosts before they become visible in the Edit Match dialog.

      Note

      Subnet destinations cannot be created in a custom endpoint profile. Therefore, subnet destinations defined in the Default profile also apply to all custom profiles.

      Note

      Wildcard FQDNs are not supported when configuring an FQDN split tunneling destination.

    3. Click OK.
  5. Under Debugging options, when you enable Endpoints can disconnect from FortiSASE, FortiClient’s Zero Trust Telemetry tab shows a Disconnect option.

    Alternatively, you can enable Require disconnect password and enter a password. When this option is configured, the endpoint user must enter the password on FortiClient to disconnect from the FortiSASE Management Service. You can use this option as an offline method of deregistering a FortiClient endpoint from the FortiSASE Management Service.

  6. Under VPNs available to users, you can configure a custom IPsec or SSL VPN configuration or edit the default SSL VPN configuration for Secure Internet Access. These configurations are typically useful for use cases that require endpoints to connect to an on-premise FortiGate via VPN.
    Note

    In FortiSASE 24.1.c and older versions, Authenticate with SSO was located in the Settings tab.

    In FortiSASE 24.2.a and later, Authenticate with SSO is in the Connection tab, under VPNs available to users, in the Advanced Settings section of a VPN configuration. Also, in FortiSASE 24.2.a and later, you can edit the default SSL VPN Secure Internet Access configuration.

    To create an alternative custom VPN, do the following:

    1. Click Create, and select SSL VPN or IPsec VPN as required.
    2. Enter the Name of the VPN tunnel.
    3. Do one of the following:
      • For an IPsec VPN tunnel, configure the following settings:

        Field

        Value

        Remote gateway

        Remote gateway FQDN or IP address.

        Authentication method

        Select preshared key, smart card certificate, or system store certificate to connect to the IPsec VPN gateway.

        Prompt for username

        Display a prompt for the end user to enter their username and password for user authentication.

        Advanced Settings

        Enable the toggle for required options to be visible on FortiClient.

      • For an SSL VPN tunnel, configure the following settings:

        Field

        Value

        Remote gateway

        Remote gateway FQDN or IP address.

        Port

        SSL VPN port number.

        Require certificate

        Enable to use certificate-based user authentication.

        Prompt for username

        Display a prompt for the end user to enter their username and password for user authentication.

        Advanced Settings

        Enable the toggle for required options to be visible on FortiClient. When you enable Authenticate with SSO, FortiClient is enabled with SSO as an authentication option and uses its built-in browser agent. To use an external browser, enable Use external browser as user-agent for SAML login.

        Note

        FortiSASE supports authentication using multiple SSO providers using FortiTrust Identity. See Configuring FortiSASE with FortiAuthenticator Cloud as SAML IdP proxy for Entra ID SSO.

  7. The SSL VPN settings apply to alternative SSL VPN tunnels. Enable the respective options to prevent connection errors on FortiClient due to invalid SSL certificates installed on the on-premise VPN gateway.
    Note

    If you set Connect to FortiSASE to On device login, for endpoints with profiles that have custom alternative VPNs configured, the autoconnect feature works only to connect the endpoint to FortiSASE SIA VPN.

    To configure autoconnect to work with alternative VPNs, set Connect to FortiSASE to Manually and enable Show Auto Connect under Advanced Settings for individual alternative VPN tunnel configurations. If the VPN connection fails, the VPN does not automatically connect to the backup FortiSASE SIA VPN. Endpoint users must then manually connect to FortiSASE SIA VPN.

  8. You must configure some more important FortiClient settings on the Settings tab. See Settings.
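The following is an added example, not Fortinet's code, that models the on-fabric detection types from step 3 as a small evaluator run against a constructed snapshot of an endpoint's network state. It is useful for reasoning about which networks a rule set will treat as trusted before rolling it out: the EndpointState fields, the rule-set layout, the "every enabled detection type must match" combination rule and the sample addresses are all assumptions, and the ping check is replaced by a constructed reachability set so the script runs offline.

```python
# Added example (not Fortinet's code): reference evaluator for the on-fabric
# detection types in step 3. EndpointState, the rule-set layout, the all-of
# combination rule and the sample data are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class EndpointState:
    public_ip: str                      # WAN address as seen from outside
    local_ips: List[str]                # Ethernet/wireless addresses
    dns_servers: List[str]              # resolvers currently in use
    gateway_mac: Optional[str] = None   # default gateway MAC, if known
    dhcp_server_ip: Optional[str] = None
    dhcp_server_mac: Optional[str] = None
    dhcp_option_224: Optional[str] = None
    reachable: Set[str] = field(default_factory=set)  # stand-in for a ping probe


def _mac(mac: str) -> str:
    # Normalise "00-11-22-AA-BB-CC" and "00:11:22:aa:bb:cc" to one form.
    return mac.lower().replace("-", ":")


def known_public_ip(state: EndpointState, entries: List[str]) -> bool:
    # Entries may be single addresses or /24 ranges, as the guide allows.
    ip = ipaddress.ip_address(state.public_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def known_dns_server(state: EndpointState, entries: List[str]) -> bool:
    return any(server in entries for server in state.dns_servers)


def known_dhcp_server(state, ips=(), macs=(), codes=()) -> bool:
    # Identify by IP/MAC (MAC optional) and/or by DHCP option 224 code.
    # Assumption: the rule passes if either configured method matches.
    by_addr = bool(ips) and state.dhcp_server_ip in ips and (
        not macs or (state.dhcp_server_mac is not None
                     and _mac(state.dhcp_server_mac) in {_mac(m) for m in macs}))
    by_code = bool(codes) and state.dhcp_option_224 in codes
    return by_addr or by_code


def known_local_subnet(state, subnets, gateway_macs=()) -> bool:
    in_range = any(ipaddress.ip_address(ip) in ipaddress.ip_network(s, strict=False)
                   for ip in state.local_ips for s in subnets)
    if not in_range:
        return False
    if not gateway_macs:        # gateway MAC is optional
        return True
    return state.gateway_mac is not None and _mac(state.gateway_mac) in {_mac(m) for m in gateway_macs}


def can_ping_server(state, hosts) -> bool:
    return any(h in state.reachable for h in hosts)


DETECTORS = {
    "known_public_ip": known_public_ip,
    "known_dns_server": known_dns_server,
    "known_dhcp_server": known_dhcp_server,
    "known_local_subnet": known_local_subnet,
    "can_ping_server": can_ping_server,
}


def rule_set_satisfied(state, rule_set, require_all=True) -> bool:
    """rule_set maps a detection type to its field values. Assumption: every
    enabled detection type must match (pass require_all=False for any-of)."""
    results = [DETECTORS[name](state, **cfg) for name, cfg in rule_set.items()]
    return all(results) if require_all else any(results)


def should_autoconnect(state, rule_set, connect_mode="on_device_login") -> bool:
    # Autoconnect only applies when Connect to FortiSASE is On device login,
    # and is bypassed while the selected on-fabric rule set is satisfied.
    return connect_mode == "on_device_login" and not rule_set_satisfied(state, rule_set)


# Constructed sample data: a corporate office network and a coffee-shop network.
CORP_RULE_SET = {
    "known_public_ip": {"entries": ["203.0.113.0/24"]},
    "known_local_subnet": {"subnets": ["10.0.0.0/16"],
                           "gateway_macs": ["00-11-22-AA-BB-CC"]},
    "known_dhcp_server": {"ips": ["10.0.0.1"], "codes": ["FGT-SERIAL-PLACEHOLDER"]},
}
OFFICE = EndpointState("203.0.113.10", ["10.0.5.20"], ["10.0.0.53"],
                       gateway_mac="00:11:22:aa:bb:cc", dhcp_server_ip="10.0.0.1")
CAFE = EndpointState("198.51.100.7", ["192.168.1.5"], ["192.168.1.1"],
                     gateway_mac="de:ad:be:ef:00:01", dhcp_server_ip="192.168.1.1")

if __name__ == "__main__":
    for label, ep in (("office", OFFICE), ("cafe", CAFE)):
        print(label,
              "on-fabric" if rule_set_satisfied(ep, CORP_RULE_SET) else "off-fabric",
              "autoconnect" if should_autoconnect(ep, CORP_RULE_SET) else "no autoconnect")
```

Running it shows the office endpoint as on-fabric (no autoconnect) and the cafe endpoint as off-fabric (autoconnect), and the /24 entry illustrates why a rule set keyed only on a shared public IP range should be paired with a subnet or gateway MAC check when the range is not exclusively yours.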
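The following is an added example, not Fortinet's code, that applies the Local Application split tunneling entry rules from step 4: semicolon-separated entries, a trailing backslash marking a directory, %VAR% environment variables, and no leading/trailing spaces or double quotes. It then checks whether a process's image path would bypass the tunnel. The classification heuristics, the "directory covers subdirectories" behaviour and the constructed environment and paths are assumptions; the script uses Python's ntpath so it runs on any OS.

```python
# Added example (not Fortinet's code): parser and matcher for Local
# Application split tunneling entries as described in step 4. The
# classification rules and sample data are assumptions.
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

_ENV_VAR = re.compile(r"%([^%]+)%")


@dataclass(frozen=True)
class AppEntry:
    kind: str    # "name" (process name), "path" (full path) or "dir" (directory)
    value: str   # normalised: backslashes, lower case, env vars expanded


def expand_env(value: str, env: Dict[str, str]) -> str:
    # Windows-style %VAR% expansion; lookup is case-insensitive (%programfiles%).
    return _ENV_VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def parse_local_application(text: str, env: Dict[str, str]) -> List[AppEntry]:
    entries = []
    for raw in text.split(";"):
        if raw == "":
            continue
        if raw != raw.strip():
            raise ValueError(f"leading/trailing spaces are not allowed: {raw!r}")
        if '"' in raw:
            raise ValueError(f"do not quote paths, even with spaces: {raw!r}")
        value = ntpath.normcase(expand_env(raw, env))   # lower-case, "/" -> "\"
        if value.endswith("\\"):
            entries.append(AppEntry("dir", value))        # directory form
        elif "\\" in value:
            entries.append(AppEntry("path", value))       # full path form
        else:
            entries.append(AppEntry("name", value))       # bare process name
    return entries


def is_excluded(image_path: str, entries: List[AppEntry]) -> bool:
    """True if a process with this image path bypasses the VPN tunnel.
    Assumption: a directory entry also covers its subdirectories."""
    image = ntpath.normcase(image_path)
    name = ntpath.basename(image)
    for e in entries:
        if e.kind == "name" and name == e.value:
            return True
        if e.kind == "path" and image == e.value:
            return True
        if e.kind == "dir" and image.startswith(e.value):
            return True
    return False


# Constructed sample: a profile entry mixing the directory and name forms.
SAMPLE_ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "PROGRAMFILES": r"C:\Program Files",
}
SAMPLE_ENTRY = r"%LOCALAPPDATA%\Microsoft\Teams\current\;firefox.exe"
TEAMS = r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"


def check_samples() -> Dict[str, bool]:
    entries = parse_local_application(SAMPLE_ENTRY, SAMPLE_ENV)
    return {"teams": is_excluded(TEAMS, entries),
            "firefox": is_excluded(FIREFOX, entries),
            "chrome": is_excluded(CHROME, entries)}


if __name__ == "__main__":
    print(check_samples())   # teams and firefox bypass; chrome stays in the tunnel
```

Matching by bare process name is the loosest form: any binary named firefox.exe, wherever it lives, bypasses inspection, so prefer the full path or directory form when the exclusion is meant for one installed application.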
