Design examples

Consider an example architecture for an organization that wants to extend its security perimeter to remote users for secure internet access (SIA), hosts multiple applications internally, and uses multiple SaaS applications from a variety of providers.

This organization has the following security goals and the corresponding SASE solution for each goal:

| Security goal | SASE solution |
|---|---|
| Ensure SIA for remote users on endpoints such as workstations and mobile devices | SIA for agent-based remote users using FortiClient and the FortiSASE firewall-as-a-service |
| Ensure SIA for remote users for web traffic only, or for browser-based endpoints such as Chromebooks | SIA for agentless remote users using an explicit web proxy configured in the web browser and the FortiSASE secure web gateway service |
| Ensure SIA for sites using a thin-edge device | SIA for site-based remote users using FortiExtender as a LAN extension to FortiSASE |
| Ensure SIA for sites using a FortiGate device while providing secure private access (SPA) to private resources behind the FortiGate | SIA for site-based remote users using FortiGate as a LAN extension to FortiSASE |
| Ensure SIA for sites using a FortiAP edge device | SIA for site-based remote users using FortiAP managed by FortiSASE |
| Control direct access to internal networks for TCP-based applications such as web applications or remote desktop | SPA using FortiGate zero trust network access (ZTNA) proxies, FortiClient, and the FortiSASE Endpoint Management Service |
| Allow seamless access to internal networks behind existing FortiGate SD-WAN networks for TCP-based and UDP-based applications | SPA using SD-WAN |
| Allow seamless access to internal networks behind a newly deployed FortiGate next generation firewall (NGFW) for TCP-based and UDP-based applications | SPA using NGFW |
| Allow seamless access to internal networks behind existing FortiGate SD-WAN networks for TCP-based and UDP-based applications using Fabric Overlay Orchestrator | SPA using NGFW and Fabric Overlay Orchestrator |
| Monitor, analyze, and report on suspicious user activity, threats, and policy compliance for SaaS applications using API-based deep inspection | Secure SaaS access (SSA) using FortiCASB |
| Restrict tenant access to SaaS applications using FortiSASE Web Filter with Inline-CASB and SSL deep inspection; allow, monitor, or block SaaS traffic using FortiSASE Application Control with Inline-CASB and SSL deep inspection | SSA using FortiSASE Inline-CASB |

This section covers each individual FortiSASE use case and the design and topology deployed for it. You can combine these individual topologies to address several FortiSASE use cases at once, based on your security goals and requirements.
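The agentless SIA design in the table above relies on the browser's explicit proxy setting, which in practice is usually distributed as a proxy auto-configuration (PAC) file. The following PAC file is an added example and is not part of the Fortinet page or product documentation; the secure web gateway hostname and port (swg.example.invalid:10443) and the internal DNS suffixes under corp.example are assumptions chosen for illustration. The security-relevant choice it demonstrates is the default: public web traffic is sent only to the SWG, with no DIRECT fallback, so a browser that cannot reach the proxy is blocked rather than silently bypassing inspection, while loopback, plain (unqualified) hostnames, internal suffixes, and RFC 1918 IP literals are excluded so that internal names and private destinations are not hairpinned through the cloud proxy.

```javascript
// Added example: PAC file for the "SIA for agentless remote users using
// explicit web proxy" design. Hostname, port and suffixes below are assumed,
// not values from the page. Only plain JavaScript is used (no PAC built-ins
// such as isInNet), so the file evaluates identically in browsers and in Node.

// Assumed FortiSASE secure web gateway endpoint. No ";DIRECT" fallback on
// purpose: if the SWG is unreachable, public browsing fails closed.
var SWG = "PROXY swg.example.invalid:10443";

// Assumed internal DNS suffixes that must never be sent to the cloud proxy.
var INTERNAL_SUFFIXES = [".corp.example", ".corp.example.local"];

// True when host is a dotted-quad IPv4 literal inside RFC 1918 space
// (10/8, 172.16/12, 192.168/16).
function isRfc1918(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Unqualified single-label names (e.g. "intranet") resolve only on the local
// network, so they are not meaningful to a cloud proxy.
function isPlainHost(host) {
  return host.indexOf(".") === -1;
}

// Suffix match without String.prototype.endsWith, for older PAC engines.
function hasInternalSuffix(host) {
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    if (host.length > s.length && host.substr(host.length - s.length) === s) {
      return true;
    }
  }
  return false;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host === "localhost" || host === "127.0.0.1" || host === "::1") {
    return "DIRECT";
  }
  if (isPlainHost(host) || hasInternalSuffix(host) || isRfc1918(host)) {
    return "DIRECT";
  }
  // Everything else is public web traffic and must traverse the SWG.
  return SWG;
}
```

Because a PAC file decides where every browser request goes, it should be served from a location the endpoint trusts (an HTTPS URL under enterprise control, or pushed by device management) rather than discovered via WPAD, and the DIRECT exceptions should be kept as narrow as the internal namespace actually requires.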
