Version: 23.1.8

Introduction

This document presents information about the secure access service edge (SASE) networking and security architecture and provides a broad overview of Fortinet’s SASE solution, a cloud-delivered service called FortiSASE.

Executive summary

SASE is an architecture that combines network, security, and WAN capabilities delivered as a service to provide endpoints (remote users, devices, and branches) with secure Internet, cloud, and data center network access. The SASE architecture achieves secure network access using network security technologies including firewall-as-a-service (FWaaS), secure web gateway (SWG), zero trust network access (ZTNA), and cloud access security broker (CASB), and relies on WAN technologies including software-defined wide-area network (SD-WAN).

Today’s work-from-anywhere environment makes it difficult for IT administrators to keep up with securing users’ devices. These devices, also known as endpoints, are off-net, that is, located outside the corporate network. SASE extends network security functions beyond where they have typically been available in the past, namely, beyond an organization’s internal network. SASE aims to provide remote users and branches located anywhere with secure network access.

Typically, an organization has its remote users establish a virtual private network (VPN) connection that redirects their Internet traffic to a next-generation firewall (NGFW) located at its data center. After performing its security functions, the NGFW sends the user’s web traffic out the NGFW’s WAN link. Remote users with established VPN connections experience high latency when accessing the Internet over this backhauled WAN connection because the firewall’s WAN link becomes congested with Internet traffic that other remote users generate. SASE reduces this latency by allowing remote users to connect directly to the geographically closest point-of-presence (PoP) for a cloud-delivered FWaaS. Also, each PoP can scale to meet user demand, which reduces the possibility that a single WAN link becomes a congestion point for these remote users.

FortiSASE is Fortinet’s cloud-delivered security service that implements the SASE architecture (FWaaS, SWG, ZTNA). It provides secure access to remote users through the FortiClient software agent or the web browser’s proxy settings, and to branch offices through thin edge devices such as FortiExtender. FortiSASE is a security solution powered by FortiOS and delivered as a cloud service, which remote users and branch offices access using global PoPs.

This document explores SASE concepts, components, and architecture, and describes how Fortinet delivers its SASE solution.

Intended audience

This concept guide is intended for a technical audience, including system and network architects, design engineers, network engineers, and security engineers who want to understand the SASE architecture and the FortiSASE service offering to secure their remote workers and branch offices.

This guide is targeted at small- and medium-sized organizations and enterprises. It assumes that the reader is familiar with basic concepts of applications, networking, routing, security, and proxies, and has a basic understanding of network and data center architectures.

About this guide

This guide provides a broad overview of SASE concepts and introduces the FortiSASE cloud-delivered service and related Fortinet products used to deploy a SASE solution. It uses industry-standard terminology, with introductions to Fortinet-specific terms, concepts, and technologies.

Once readers are familiar with FortiSASE concepts and terminology and ready to explore different architectures in their environment, they can proceed to these guides:
