
Design components

Consider the components of a SASE solution and align them to the existing network and security infrastructure. Review any changes that may be necessary to prepare for the SASE implementation.

The table below pairs each SASE component with the existing infrastructure considerations that apply to it.

SASE Component | Existing infrastructure

Secure internet access

Ensure endpoints (agent-based and agentless remote users) and FortiExtender devices (site-based remote users) can reach the Security PoPs from any location. Consider the bandwidth requirements of the remote users and their applications and obtain the corresponding bandwidth licensing. The remote user connectivity methods used by the secure internet access (SIA) use cases are also used by the secure private access (SPA) and secure SaaS access (SSA) use cases.

Security and Analytics PoPs

Consider selecting Security PoPs that are geographically close to your remote users. Review log storage privacy requirements (such as GDPR) and choose a log storage location or Analytics PoP that meets those requirements.

Remote Authentication Source

Consider the type of remote authentication source (LDAP, RADIUS, or SAML Identity Providers such as Azure AD or Okta) that you will use to control network access for devices and users on your network. When SAML identity providers (IdPs) are involved, FortiSASE will act as a service provider (SP). Ensure that appropriate users and groups are created in the remote authentication source that align with your security goals. Authentication can be applied to FortiClient agent-based and SWG agentless access.
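To make the service provider side of the SAML exchange concrete, the following added example (not Fortinet's code, and not a description of how FortiSASE implements SAML internally) parses a constructed, unsigned SAML response the way an SP would and checks that the IdP emits the identity and group attributes that the SASE policies will later reference. The entity IDs, the `groups` attribute name and the group names are placeholders, and signature validation, which a real SP performs before trusting any of these values, is omitted.

```python
"""Inspect a SAML response as a service provider (SP) would, to confirm the
IdP sends the user identifier and group values the SASE policies will use.
Constructed example: entity IDs, the "groups" attribute name and the group
names are placeholders; XML signature validation is intentionally omitted."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed, shortened SAML response as an IdP might post it to the SP's ACS.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.invalid/saml/acs">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>sase-remote-users</saml:AttributeValue>
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_ts(value):
    """SAML timestamps are UTC with a trailing Z; make them timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Extract the fields an SP needs from the first Assertion in a Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion element")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    conditions = assertion.find("saml:Conditions", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audiences": [a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "not_before": conditions.get("NotBefore") if conditions is not None else None,
        "not_on_or_after": conditions.get("NotOnOrAfter") if conditions is not None else None,
        "attributes": attrs,
    }


def check_assertion(parsed, sp_entity_id, idp_entity_id, policy_groups,
                    group_attr="groups", now="2024-01-01T12:00:00Z"):
    """Return a list of problems; an empty list means the assertion is addressed
    to this SP, is within its validity window, identifies the user, and carries
    every group the SASE policies expect for this user."""
    problems = []
    if parsed["status"] != SUCCESS:
        problems.append(f"status is {parsed['status']}")
    if parsed["issuer"] != idp_entity_id:
        problems.append(f"unexpected issuer {parsed['issuer']}")
    if sp_entity_id not in parsed["audiences"]:
        problems.append("assertion is not addressed to this SP (audience mismatch)")
    t = _parse_ts(now)
    if parsed["not_before"] and t < _parse_ts(parsed["not_before"]):
        problems.append("assertion not yet valid")
    if parsed["not_on_or_after"] and t >= _parse_ts(parsed["not_on_or_after"]):
        problems.append("assertion expired")
    if not parsed["name_id"]:
        problems.append("no NameID: the SP cannot identify the user")
    groups = set(parsed["attributes"].get(group_attr, []))
    if not groups:
        problems.append(f"IdP did not send the '{group_attr}' attribute")
    missing = sorted(set(policy_groups) - groups)
    if missing:
        problems.append(f"user is not in required group(s): {', '.join(missing)}")
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_RESPONSE)
    print(parsed["name_id"], parsed["attributes"])
    print(check_assertion(parsed, "https://sp.example.invalid/saml/metadata",
                          "https://idp.example.invalid/metadata", {"sase-remote-users"}))
```

Run this against a response captured from a test login to the IdP (with the placeholder entity IDs and group names replaced by your own) before writing the VPN and SWG policies: if a group the policies will reference never appears in `attributes`, the gap is in the IdP's attribute mapping, not in the SASE policy.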

Security Profiles

Consider the security features that will extend the enterprise security perimeter for remote users including IPS and Application Control, Web and DNS filtering, anti-malware, sandboxing, anti-botnet/command-and-control. Consider the specific settings within the security features that are sufficient to secure your remote users.

VPN Policies

Consider the common security policy used to extend the enterprise security perimeter for agent-based remote users and site-based remote users. Consider which specific security features and user groups you will configure in individual policies.

SWG Policies

Consider the common security policy used to extend the enterprise security perimeter for agentless remote users. Consider which specific security features and user groups you will configure in individual policies.

Secure Private Access

For private access to TCP-based applications, consider deploying the ZTNA use case. Ensure that the ZTNA design components (FortiClient, FortiClient EMS, FortiOS ZTNA access proxy, SAML IdPs) and their requirements are accounted for. See the ZTNA Architecture Guide for details.

For broader and seamless access to every private application (TCP and UDP), consider deploying the SD-WAN and NGFW SPA use cases. Ensure that the SD-WAN hubs are remotely accessible for SD-WAN overlay interconnectivity with FortiSASE PoPs.

Secure SaaS Access

For FortiCASB use cases, ensure that you have purchased the proper per-user and per-endpoint FortiSASE licensing to obtain access to this cloud-based service.