FORTINET FortiSASE Secure Private Access User Guide
- August 23, 2024
- FORTINET
FORTINET FortiSASE Secure Private Access
Product Information
Specifications:
- Product Name: FortiSASE
- Functionality: Extend corporate perimeter to secure data to/from all endpoints, enable secure access to Internet, private applications, and SaaS applications
Product Usage Instructions
Remote User Subscriptions:
Cloud-based firewall and secure web proxy that provides security (FortiGuard Labs) for remote users regardless of location when accessing the Internet.
- Secure Internet Access (SIA)
- SSL Inspection
- Inline Anti-virus (AV) and Sandbox
- Intrusion Prevention
- Web and DNS Filtering
- Botnet C&C Filtering
Branch Locations:
Easily connect branch locations directly to the FortiSASE network.
- Secure Internet Access (SIA)
- SSL Inspection
- Inline Anti-virus (AV) and Sandbox
- Web and DNS Filtering
- Botnet C&C Filtering
- Secure SaaS Access (SSA)
- Inline CASB
- Inline DLP
SD-WAN On-Ramp:
Add subscriptions for branch locations to an existing FortiSASE User Subscription.
- Connect FortiGate SD-WAN and 3rd party SD-WAN locations to FortiSASE using IPsec
ORDERING GUIDE
FortiSASE and Zero Trust
Extend the corporate perimeter to secure data to/from all endpoints, and
enable secure access to the Internet, private applications, and SaaS
applications.
With the rise of hybrid work, combined with application migration to cloud and
SaaS, organizations must now secure employees who access the network and
applications from anywhere. This shift has significantly expanded the attack
surface, thereby increasing the complexity of network, application, and data
security.
Companies with existing Fortinet deployments can seamlessly expand their
network to include SASE locations that join natively with their SD-WAN, NGFW,
or DCFW segments. This enables SASE adoption without impact to NOC/SOC teams
and eliminates the need to architect and maintain complex routing
configurations. Zero Trust is included with all FortiSASE deployments.
HOW IT WORKS
Once deployed, all user or thin-branch traffic is automatically inspected by
FortiSASE (with optional zero trust enforcement) before it is allowed access to
the Internet, private networks, or corporate SaaS applications.
Deployed SASE points of presence (POPs) seamlessly connect to existing
FortiGate NGFW, SD-WAN, or DCFW deployments. And, with FortiOS everywhere,
existing NOC/SOC processes can easily manage new SASE locations.
REMOTE USER SUBSCRIPTIONS
Cloud-based firewall and secure web proxy that provides security (FortiGuard Labs) for remote users regardless of location when accessing the Internet.
REMOTE USERS| STANDARD| ADVANCED| COMPREHENSIVE
---|---|---|---
Secure Internet Access (SIA)| | |
SSL Inspection| | |
Inline Anti-virus (AV) and Sandbox| | |
Intrusion Prevention| | |
Web and DNS Filtering| | |
Botnet C&C Filtering| | |
Secure SaaS Access (SSA)| | |
Inline CASB| | |
Inline DLP| | |
Cloud API CASB & DLP| License Included| License Included| License Included
Secure Private Access (SPA)| | |
FortiGate Private Access| | |
Zero Trust Network Access (ZTNA)| | |
Agentless ZTNA| | Coming Soon| Coming Soon
License Includes| | |
Devices per User| Up to 3 ➁| Up to 3 ➁| Up to 3 ➁
Dedicated Public IPs| Add-on| |
Endpoint Security ➂| | |
Vulnerability Management| | |
Endpoint Protection Platform| | |
OS Support| Windows, macOS, Linux, iOS, Android| Windows, macOS, Linux, iOS, Android| Windows, macOS, Linux, iOS, Android
NOC / SOC Integration| | |
SASE Cloud Management| | |
REST API| | |
SASE Cloud Logging, Reporting & Log Forwarding| | |
Digital Experience Monitoring| | |
SOC-as-a-Service Integration| | |
FortiGuard Forensics (Response) Service| | |
Data Center| | |
Locations| Fortinet Cloud Locations| Fortinet Cloud Locations| Fortinet & Public Cloud Locations
Customer Support Services| | |
24×7 Premium Support| | |
Assisted On-boarding| | |
- ➀ FortiGate SD-WAN Hub requires SPA License
- ➁ Each user can use up to three devices, which can be any combination of agent-based and/or proxy-based.
- ➂ Applicable to agent-based only
ORDERING INFORMATION
Remote Users
USER BANDS| STANDARD| ADVANCED| COMPREHENSIVE
---|---|---|---
50 – 499| FC2-10-EMS05-547-02-DD| FC2-10-EMS05-676-02-DD| FC2-10-EMS05-759-02-DD ➀
500 – 1,999| FC3-10-EMS05-547-02-DD| FC3-10-EMS05-676-02-DD| FC3-10-EMS05-759-02-DD
2,000 – 9,999| FC4-10-EMS05-547-02-DD| FC4-10-EMS05-676-02-DD| FC4-10-EMS05-759-02-DD
10,000+| FC5-10-EMS05-547-02-DD| FC5-10-EMS05-676-02-DD| FC5-10-EMS05-759-02-DD
- ➀ Comprehensive subscriptions of less than 200 users have limited POP availability. Refer to the FAQ.
BRANCH LOCATIONS
Easily connect branch locations directly to the FortiSASE network
| THIN EDGE: STANDARD/ADVANCED| THIN EDGE: COMPREHENSIVE| SD-WAN ON-RAMP: ADVANCED| SD-WAN ON-RAMP: COMPREHENSIVE
---|---|---|---|---
Secure Internet Access (SIA)| | | |
SSL Inspection| | | |
Inline Anti-virus (AV) and Sandbox| | | |
Intrusion Prevention| | | |
Web and DNS Filtering| | | |
Botnet C&C Filtering| | | |
Secure SaaS Access (SSA)| | | |
Inline CASB| | | |
Inline DLP| | | |
Cloud API CASB & DLP| Add-on| Add-on| Add-on| Add-on
Secure Private Access (SPA)| | | |
FortiGate SD-WAN Integration| | | |
NOC / SOC Integration| | | |
SASE Cloud Management| | | |
Thin Edge Device Management| | | |
REST API| | | |
SASE Cloud Logging, Reporting & Log Forwarding| | | |
Data Center| | | |
Locations| Fortinet Cloud Locations| Public Cloud Locations| Fortinet Cloud Locations| Fortinet & Public Cloud Locations
Customer Support Services| | | |
24×7 Premium Support| | | |
Assisted On-boarding| | | |
- FortiGate SD-WAN Hub requires SPA License
ORDERING INFORMATION
Add subscriptions for branch locations to an existing FortiSASE User Subscription
SD-WAN On-Ramp
Connect FortiGate SD-WAN and 3rd party SD-WAN locations to FortiSASE using
IPsec
HARDWARE | ADVANCED | COMPREHENSIVE |
---|---|---|
SD-WAN On-Ramp Location (1 Gbps node) | FC1-10-EMS05-769-02-DD | FC1-10-EMS05-770-02-DD |
FortiExtender Thin Edge
HARDWARE | STANDARD/ADVANCED | COMPREHENSIVE |
---|---|---|
FEX-200F | FC-10-X200F-595-02-DD | FC-10-X200F-758-02-DD ➀ |
FortiAP Thin Edge
HARDWARE | STANDARD/ADVANCED | COMPREHENSIVE |
---|---|---|
FAP-231F | FC-10-F231F-595-02-DD | FC-10-F231F-758-02-DD ➀ |
FAP-431F | FC-10-F431F-595-02-DD | FC-10-F431F-758-02-DD ➀ |
ACCOUNT ADD-ONS
Network Add-ons
Add bandwidth, public IP addresses and additional locations to your deployment.
OPTION | QUANTITY | SKU |
---|---|---|
Bandwidth Add-on | 25 Mbps | FC1-10-FSASE-471-01-DD |
Dedicated Public IP Address | 4 x Public IP Addresses | FC1-10-EMS05-658-02-DD |
FortiGate SPA| License required per FortiGate| FC-10-XXXXX-662-02-DD
Fortinet Location Add-on| 1-16 Locations| FC1-10-EMS05-752-02-DD
Public Cloud Location Add-on| 1-16 Locations| FC1-10-EMS05-766-02-DD
FORTINET TRAINING AND CERTIFICATION
FCSS – FortiSASE Administrator Training and Certification
Learn how to use FortiSASE features, including policy types and security profiles. Explore FortiSASE deployment, user authentication, use cases, and monitoring. Also learn how to protect your web traffic and SaaS applications using content inspection, such as antivirus, web filtering, application control, and logging.
Course Description
For more information about prerequisites, agenda topics and learning
objectives, please refer to the course description at
https://training.fortinet.com/local/staticpage/view.php?page=library_fortisase-administrator
FORTISASE SUPPORT SERVICES
Fortinet offers comprehensive Support options tailored to streamline onboarding and provide technical assistance for your FortiSASE deployment. Our Support services are designed to seamlessly adapt to the evolving needs of your organization’s SASE requirements whether you have standard deployments, advanced capabilities, or configurations with increasing complexity and customizations. Rest assured that you can confidently leverage our technical expertise and best practices knowledge throughout your FortiSASE journey.
FEATURES
SUPPORT | SUMMARY | HOW TO ORDER |
---|---|---|
Self-Service with Technical Support| Self-led learning using straightforward best practices. 24x7x365 Technical assistance with FortiSASE questions and issues.| Publicly available resources. Technical support included with all FortiSASE Subscriptions.
Assisted Onboarding| Dedicated support queue for direct access to specialists who can advise on enterprise integrations| Included with FortiSASE Advanced and Comprehensive Subscriptions
Advanced Deployment Service ➀| Consultant-led Professional Services based on predefined best-practice modules, combined with a Service Delivery Manager. 3 months.| Service Proposal
Custom ➀| Complex enterprise deployments requiring fully customized onboarding and advanced dedicated 24x7x365 technical support.| Custom Scope
FREQUENTLY ASKED QUESTIONS
Q: What are the different user subscription bands available for Remote
Users?
A: The user bands available are 50-499, 500-1,999, 2,000-9,999, and
10,000+.
Q: What is required for FortiGate SD-WAN Hub usage?
A: FortiGate SD-WAN Hub requires a SPA License. Each user can use up to
three devices with a combination of agent-based and/or proxy-based access.
Q: Are there limitations on Comprehensive subscriptions for less than 200
users?
A: Yes, comprehensive subscriptions of less than 200 users have limited
POP availability. Refer to the FAQ section for more details.
How do I get started with FortiSASE?
All new customers should purchase a User-based license to get started. All
other SKUs are registered on top of the initial deployment.
How many locations are included with the User Subscription?
FortiSASE Standard and Advanced user subscriptions include up to 4 locations,
selected during activation.
FortiSASE Comprehensive subscriptions of less than 200 users include access to
1-2 locations. Refer to https://links.fortinet.com/fortisase/dcs-per-license
for details.
How many locations can be supported with the Location Add-on license?
Up to 16 additional locations can be purchased for a maximum of 20 total
locations.
What locations are supported in Standard, Advanced and Comprehensive?
Refer to: https://links.fortinet.com/fortisase/global-data-centers.
Can I mix Standard, Advanced and Comprehensive together in the same
account?
No – all components in the account must use the same type. Comprehensive
subscriptions can now use both Fortinet and Public Cloud locations. Multiple
accounts can be used for different types.
What FortiGate platforms does the SPA Service connection support?
All platforms are supported, but for SD-WAN deployments the FortiGate-100F and
above is strongly recommended. Desktop platforms may be used for single NGFW
connections.
Is the SPA license required for every FortiGate in an SD-WAN deployment?
No, the SPA license is only required for the Hub locations.
If the Hub or single NGFW location is an HA Cluster, is a license needed
for each member?
Yes.
I already purchased the FortiClient ZTNA/VPN or EPP/APT options. Can I
upgrade them to SASE?
Yes. Refer to the following documentation:
https://links.fortinet.com/fortisase/faqs.
I have an existing customer with a registered FortiSASE device-based
license who wants to purchase the FortiTrust Standard, Advanced or
Comprehensive. What should I do?
The device-based and user-based licenses cannot be combined or directly
converted. Please contact customer support to review conversion options.
How is bandwidth pooled and enforced?
Account level bandwidth is calculated by adding up the entitlement for all
purchased contracts. Bandwidth is enforced at the 95th percentile, allowing
for burst traffic. For example, a subscription for 1000 users would be
entitled for 1.5 Gbps globally.
How many dedicated IPs can I add to a single location?
Each FortiSASE location can support up to 7 dedicated IPs for source IP
anchoring rules.
How many connections can an SD-WAN On-Ramp Location support?
Each SD-WAN On-Ramp Location includes 1 Gbps of shared bandwidth for up to 10
supported devices. Bandwidth is dedicated to the Location and not shared with
Remote Users or Edge Devices. Multiple On-Ramp Locations can be provisioned in
the same FortiSASE Region. Each location has a Standalone bandwidth limit.
What SD-WAN devices can connect to an SD-WAN On-Ramp Location?
For a full list of supported device types refer to:
https://links.fortinet.com/fortisase/sd-wan-on-ramp
How many Locations can be supported with the SD-WAN On-Ramp License?
Up to 8 SD-WAN On-Ramp Locations can be purchased for a single account. A
minimum of 2 locations are required for redundancy.
Visit www.fortinet.com for more details
Copyright © 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s SVP Legal and above, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet.
For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable