What is the FortiSASE Secure Private Access architecture?
With FortiSASE, remote users form secure connections to corporate, private applications by accessing global FortiSASE Security Points of Presence (PoPs), which enforce an organization’s security policies regardless of the locations of remote users. FortiSASE Secure Private Access (SPA) enforces security when users access private applications.
FortiSASE can seamlessly integrate with the following SPA Connector options to provide secure access to private applications in the customer’s data center, private cloud, or public cloud tenant:
- An existing FortiGate SD-WAN hub.
- Any existing FortiGate NGFW or DC Firewall.
SPA can leverage user-identity- and device-context-based zero-trust access to explicitly defined applications, with continuous device posture reassessment, from remote or on-premises locations.
The most common SPA use cases for FortiSASE are described as follows:
| Direction of traffic flow | SPA use case | Description |
|---|---|---|
| Client-initiated | Agent access to private applications using the application IP address or domain name and security posture tags | This is the most common SPA use case. Remote users on supported endpoint devices use FortiClient software to steer traffic to a FortiSASE security PoP, from which private traffic is steered to the on-premises network over the IPsec tunnel between the FortiSASE security PoP and the SPA Connector. Applications can be accessed via either private IP addresses or domain names when DNS redirection is used. Security posture tags are used for security posture checking. |
| Client-initiated | Agentless access to private web applications for remote users where installation of FortiClient is not possible | Remote users use web browsers that support Proxy (formerly Secure Web Gateway or SWG) to steer web traffic to a FortiSASE security PoP, from which private traffic is steered to the on-premises network over the IPsec tunnel between the FortiSASE security PoP and the SPA Connector. Applications are accessed via either private IP addresses or domain names when DNS redirection is used. |
| Client-initiated | Agentless access to private web applications using a bookmark portal for unmanaged devices | Contractors or temporary remote users use browser-only access to reach private web-based applications from a protected bookmark portal. |
| Client-initiated | Access to private applications from on-premises users and devices (servers and IoT) where installation of FortiClient is not feasible | Branch offices use a Thin Edge device (FortiAP, FortiExtender, or FortiBranchSASE) or a branch device (a FortiGate Secure Edge device or a Branch On-Ramp device) to securely access private applications. |
| Server-initiated | Server-to-Client application access | Private application servers securely access remote user endpoints running FortiClient software. |
| Server-initiated | Client-to-Client application access | Remote user endpoints running FortiClient software securely access other remote user endpoints. |
Optionally, remote user endpoints can be configured with pre-logon connectivity. This feature allows onboarding of remote users who have never logged in to their domain-joined Windows endpoints, giving them access to the corporate Active Directory (AD) server. These endpoints are preconfigured for pre-logon connectivity.
Moreover, remote user endpoints can be configured with autoconnect tunnel connectivity, which automatically connects to a Security PoP, remembers the login password, and enforces an always-up tunnel connection.
- With Windows endpoints, the remember password feature works with OAuth authentication and SAML authentication with IdP support for persistent sessions.
- With macOS endpoints, the remember password feature works with SAML authentication with IdP support for persistent sessions.
Intended Audience
Mid-level network and security architects in companies of all sizes and verticals should find this guide helpful.
About this guide
This guide is meant to provide high-level insight into FortiSASE architectures for secure access service edge (SASE), namely Secure Private Access (SPA) use cases and relevant features. It is meant to be used in conjunction with the other technical documentation for each of the components listed in the guide. Where relevant, links to the administration guides and other technical reference guides are listed. See More information.