Technology used

The secure access service edge (SASE) architecture focuses on using a cloud-delivered security service that enforces secure access at the farthest edge of the network, namely, at the service edge or user endpoints. When connected to FortiSASE, remote users’ traffic to the internet, software-as-a-service (SaaS) applications, or privately hosted applications in the data center passes through a firewall-as-a-service (FWaaS) or secure web gateway (SWG), where the traffic is subject to security policies and advanced threat protection measures. For traffic redirection, remote users’ endpoints rely on a software agent, remote users behind sites rely on a thin edge device, and remote users with web browser-based devices are agentless and rely on web browser proxy settings.

FortiSASE is a cloud-delivered security service that implements the described SASE architecture. The FortiSASE solution comprises the following features powered by FortiOS and the Fortinet Security Fabric:

  • FWaaS functionality based on FortiOS Next-Generation Firewall (NGFW) features
  • SWG functionality based on FortiOS explicit web proxy, captive portal, and authentication features
  • FortiGuard Labs threat intelligence used by the FWaaS and the SWG
  • Global Security Points of Presence (PoPs) to provide access to remote users
  • Endpoint Management Service based on FortiClient EMS

Depending on the customer remote user devices and requirements, one or more of the following are required for secure internet access (SIA) use cases:

  • Agent-based: FortiClient software for Endpoint mode
  • Agentless: Web browser-based device, low-end device, or operational technology device with support for explicit web proxy settings for SWG mode
  • Site-based:
    • FortiExtender thin edge device configured for LAN extension mode
    • FortiGate device configured for LAN extension mode
    • FortiAP device configured with CAPWAP and data channel encrypted with an IPsec VPN tunnel

For ZTNA Secure Private Access (SPA) use cases involving TCP-based applications, the following components are required:

  • FortiGate Next-Generation Firewall (NGFW) configured with:
    • FortiClient Cloud fabric connector
    • ZTNA access proxy
  • FortiClient Agent-Based software for TCP access proxy redirection

ZTNA is limited to TCP-based applications because the FortiGate ZTNA access proxy relies on proxying connections, namely those carried by HTTP or other TCP traffic, over secure HTTPS connections with the client. Since UDP traffic is connectionless, it cannot be proxied. In addition, the FortiClient agent-based software is a requirement for ZTNA because it provides device information, user information, and security posture to FortiSASE, maintains ZTNA tags, and maintains a client certificate used for identification by the FortiGate ZTNA access proxy.

Therefore, because of the requirements to proxy TCP traffic and have FortiClient installed on endpoints, the ZTNA use case cannot be used with UDP-based applications and agentless remote users.

For SD-WAN and NGFW SPA use cases that allow seamless access to every private application (TCP and UDP), one of the following components is required:

  • Existing FortiGate SD-WAN hub-and-spoke network configured using one of the SD-WAN best practice setups
  • FortiGate NGFW configured as a new, standalone FortiSASE Secure Private Access (SPA) hub

For SSA use cases, FortiCASB provides cloud-based and API-based deep inspection of SaaS applications, enabling detailed monitoring, analysis, and reporting. Access to FortiCASB user-based SaaS security is included with FortiSASE per-user and per-endpoint licenses.

In addition, for an SSA use case, FortiSASE provides Inline-CASB functionality with web filter and application control security features. The FortiSASE Web Filter with Inline-CASB restricts SaaS access to selected tenants by inspecting and modifying HTTP headers via HTTP header insertion. The FortiSASE Application Control with Inline-CASB detects SaaS application traffic and, because the CASB functionality is inline with the traffic, can allow, monitor, or block it.
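The following is an added illustration, not Fortinet code, of the header-insertion mechanism described above: an inline proxy that has already decrypted the session rewrites outbound SaaS requests so they carry the administrator's tenant-restriction header. The policy table, request, and tenant names are constructed; the header names are the vendor-documented tenant-restriction headers for Microsoft 365 and Google Workspace.

```python
# Added example (not Fortinet code): tenant restriction by HTTP header insertion
# at an inline CASB/SWG. Assumes the proxy sees the plaintext HTTP request.

# Constructed policy: SaaS host suffix -> headers the proxy must enforce.
TENANT_POLICY = {
    "login.microsoftonline.com": {
        "Restrict-Access-To-Tenants": "contoso.onmicrosoft.com",
    },
    "google.com": {
        "X-GoogApps-Allowed-Domains": "example.com",
    },
}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def host_matches(host: str, suffix: str) -> bool:
    """Exact match or subdomain only, so 'notgoogle.com' never matches 'google.com'."""
    host = host.split(":")[0].lower()
    return host == suffix or host.endswith("." + suffix)


def insert_tenant_headers(raw: str) -> str:
    """Return the request with the policy's tenant-restriction headers enforced."""
    request_line, headers, body = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    policy = next((p for s, p in TENANT_POLICY.items() if host_matches(host, s)), None)
    if policy is None:
        return raw  # not a restricted SaaS host: forward unchanged
    # Strip any client-supplied copy (case-insensitive) so an endpoint cannot
    # choose its own tenant value, then append the proxy-mandated headers.
    forbidden = {n.lower() for n in policy}
    headers = [(n, v) for n, v in headers if n.lower() not in forbidden]
    headers += list(policy.items())
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head + "\r\n\r\n" + body
```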