Version: 23.1.8

Deployment overview

Organizations with resources behind a newly deployed FortiGate next generation firewall (NGFW), whether at a standalone site or in a data center, and without SD-WAN enabled can provide their FortiSASE remote users with access to those private resources.

Both the scenario in which a FortiGate NGFW is converted to a FortiSASE secure private access (SPA) hub and the scenario involving an existing FortiGate SD-WAN hub allow broad, seamless access to privately hosted TCP- and UDP-based applications.

In the NGFW SPA use case, you must first convert the newly deployed NGFW to a FortiSASE SPA hub. After configuring FortiSASE to communicate with this hub, the FortiSASE security points of presence (PoPs) act as spokes to this hub, relying on IPsec VPN overlays and internal border gateway protocol (iBGP) to secure and route traffic between PoPs and the networks behind the organization’s NGFW.

Supporting this deployment does not require additional licensing on the FortiGate or FortiSASE side.

A typical topology for deploying this example design is as follows:

This deployment guide describes how to convert a newly deployed FortiGate NGFW into a FortiSASE SPA standalone hub with no spokes. It covers configuring the newly deployed FortiGate NGFW using the FortiOS CLI or GUI, as well as the case where FortiManager manages the FortiGate NGFW. After performing the conversion steps and the subsequent FortiSASE configuration steps, FortiSASE remote users can privately access the internal networks behind these deployments.

Intended audience

Midlevel network and security administrators of FortiGate NGFW devices in companies of all sizes and verticals should find this guide helpful. A working knowledge of FortiOS, FortiGate, and FortiManager configuration and the Fortinet Security Fabric is helpful.

About this guide

This deployment guide describes the steps involved in deploying a specific architecture for the FortiSASE SPA use case using a FortiGate NGFW converted to a FortiSASE SPA hub.

Readers should first evaluate their environment to determine whether the architecture outlined in this guide suits them. Reviewing the reference architecture guide(s), such as the FortiSASE Architecture Guide, is advisable if readers are still in the process of selecting the right architecture. See also the FortiSASE Concept Guide.

This deployment guide presents one of possibly many ways to deploy the solution. It may also omit specific steps where readers must make design decisions to further configure their devices. Reviewing supplementary material found on the Fortinet Document Library in product administration guides, example guides, cookbooks, release notes, and other documents is recommended, where appropriate.
