Fortinet white logo
Fortinet white logo

SPA with a FortiGate SD-WAN Deployment Guide

Testing the dynamic private access policy

Testing the dynamic private access policy

(Optional) To display tags on the FortiClient endpoint:
  1. In FortiSASE, go to Configuration > Endpoints > Profile.
  2. Enable Show tags on FortiClient.
  3. Click Apply. When this option is enabled, detected tags appear on the FortiClient avatar page.

To test that FortiSASE allows a FortiClient endpoint tagged as SASE-Compliant access to a private server:
  1. In FortiClient, go to the REMOTE ACCESS tab.
  2. From the VPN Name dropdown list, select Secure Internet Access.
  3. Enter the user credentials based on the VPN user authentication defined on FortiSASE. Click Connect.
  4. In Windows Defender, set Real-time protection to On as Stay protected with Windows Security describes. This turns on antivirus (AV) and ensures that FortiSASE dynamically tags the endpoint as compliant.
  5. From the FortiClient avatar page, ensure that the endpoint is non-compliant and has the SASE-Compliant Zero Trust tag applied.
  6. In Windows Command Prompt, enter ping 10.100.99.101 to test an ICMP ping to the specified private server with IP address 10.100.99.101 behind the FortiGate hub.
  7. Observe the following output indicating the ping succeeded since FortiSASE allows access:
    C:\> ping 10.100.99.101
    
    Pinging 10.100.99.101 with 32 bytes of data:
    Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
    Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
    Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
    Reply from 10.100.99.101: bytes=32 time=136ms TTL=62
    
    Ping statistics for 10.100.99.101:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 136ms, Maximum = 137ms, Average = 136ms
    
  8. In FortiSASE, in Configuration > Policies, observe that the Allow-SASE-Compliant dynamic private access policy hit count increased and that the Deny-SASE-Non-Compliant dynamic private access policy hit count has not changed.

To test that FortiSASE denies a FortiClient endpoint tagged as SASE-Non-Compliant access to a private server:
  1. In FortiClient, go to the REMOTE ACCESS tab.
  2. From the VPN Name dropdown list, select Secure Internet Access.
  3. Enter the user credentials based on the VPN user authentication defined on FortiSASE. Click Connect.
  4. In Windows Defender, set Real-time protection to Off as Stay protected with Windows Security describes. This turns off AV and ensures that FortiSASE dynamically tags the endpoint as non-compliant.
  5. From the FortiClient avatar page, ensure that the endpoint is non-compliant and has the SASE-Non-Compliant Zero Trust tag applied.
  6. In Windows Command Prompt, enter ping 10.100.99.101 to test an ICMP ping to the specified private server with IP address 10.100.99.101 behind the FortiGate hub.
  7. Observe the following output indicating the ICMP ping has timed out since FortiSASE denies access to the specific server:
    C:\> ping 10.100.99.101
    
    Pinging 10.100.99.101 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 10.100.99.101:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
  8. In FortiSASE, in Configuration > Policies, observe that the Allow-SASE-Compliant dynamic private access policy hit count has not changed and that the Deny-SASE-Non-Compliant dynamic private access policy hit count has increased.

Testing the dynamic private access policy

Testing the dynamic private access policy

(Optional) To display tags on the FortiClient endpoint:
  1. In FortiSASE, go to Configuration > Endpoints > Profile.
  2. Enable Show tags on FortiClient.
  3. Click Apply. When this option is enabled, detected tags appear on the FortiClient avatar page.

To test that FortiSASE allows a FortiClient endpoint tagged as SASE-Compliant access to a private server:
  1. In FortiClient, go to the REMOTE ACCESS tab.
  2. From the VPN Name dropdown list, select Secure Internet Access.
  3. Enter the user credentials based on the VPN user authentication defined on FortiSASE. Click Connect.
  4. In Windows Defender, set Real-time protection to On as Stay protected with Windows Security describes. This turns on antivirus (AV) and ensures that FortiSASE dynamically tags the endpoint as compliant.
  5. From the FortiClient avatar page, ensure that the endpoint is non-compliant and has the SASE-Compliant Zero Trust tag applied.
  6. In Windows Command Prompt, enter ping 10.100.99.101 to test an ICMP ping to the specified private server with IP address 10.100.99.101 behind the FortiGate hub.
  7. Observe the following output indicating the ping succeeded since FortiSASE allows access:
    C:\> ping 10.100.99.101
    
    Pinging 10.100.99.101 with 32 bytes of data:
    Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
    Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
    Reply from 10.100.99.101: bytes=32 time=137ms TTL=62
    Reply from 10.100.99.101: bytes=32 time=136ms TTL=62
    
    Ping statistics for 10.100.99.101:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 136ms, Maximum = 137ms, Average = 136ms
    
  8. In FortiSASE, in Configuration > Policies, observe that the Allow-SASE-Compliant dynamic private access policy hit count increased and that the Deny-SASE-Non-Compliant dynamic private access policy hit count has not changed.

To test that FortiSASE denies a FortiClient endpoint tagged as SASE-Non-Compliant access to a private server:
  1. In FortiClient, go to the REMOTE ACCESS tab.
  2. From the VPN Name dropdown list, select Secure Internet Access.
  3. Enter the user credentials based on the VPN user authentication defined on FortiSASE. Click Connect.
  4. In Windows Defender, set Real-time protection to Off as Stay protected with Windows Security describes. This turns off AV and ensures that FortiSASE dynamically tags the endpoint as non-compliant.
  5. From the FortiClient avatar page, ensure that the endpoint is non-compliant and has the SASE-Non-Compliant Zero Trust tag applied.
  6. In Windows Command Prompt, enter ping 10.100.99.101 to test an ICMP ping to the specified private server with IP address 10.100.99.101 behind the FortiGate hub.
  7. Observe the following output indicating the ICMP ping has timed out since FortiSASE denies access to the specific server:
    C:\> ping 10.100.99.101
    
    Pinging 10.100.99.101 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 10.100.99.101:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
  8. In FortiSASE, in Configuration > Policies, observe that the Allow-SASE-Compliant dynamic private access policy hit count has not changed and that the Deny-SASE-Non-Compliant dynamic private access policy hit count has increased.