Design examples
We can consider an example architecture for an organization that wants to extend its security perimeter to remote users for secure internet access (SIA), hosts multiple applications internally, and uses multiple SaaS applications from a variety of providers.
This organization has the following security goals, each paired with the corresponding SASE solution:
| Security goal | SASE solution |
|---|---|
| Ensure SIA for remote users with endpoints such as workstations and mobile devices | Secure SIA for agent-based remote users using FortiClient and the FortiSASE firewall-as-a-service |
| Ensure SIA for remote users for web traffic only, or for endpoints based on web browsers such as Chromebooks | SIA for agentless remote users using an explicit web proxy on web browsers and the FortiSASE secure web gateway service |
| Ensure SIA for sites using a thin-edge device | SIA for site-based remote users using FortiExtender as a LAN extension to FortiSASE |
| Ensure SIA for sites using a FortiGate device while providing secure private access (SPA) to private resources behind the FortiGate | SIA for site-based remote users using FortiGate as a LAN extension to FortiSASE |
| Ensure SIA for sites using a FortiAP edge device | SIA for site-based remote users using FortiAP managed by FortiSASE |
| Control direct access to internal networks for TCP-based applications such as web applications or remote desktop | SPA using FortiGate zero trust network access proxies, FortiClient, and FortiSASE Endpoint Management Service |
| Allow seamless access to internal networks behind existing FortiGate SD-WAN networks for TCP-based and UDP-based applications | SPA using SD-WAN |
| Allow seamless access to internal networks behind a newly deployed FortiGate next generation firewall (NGFW) for TCP-based and UDP-based applications | SPA using NGFW |
| Allow seamless access to internal networks behind existing FortiGate SD-WAN networks for TCP-based and UDP-based applications using Fabric Overlay Orchestrator | SPA using NGFW and Fabric Overlay Orchestrator |
| Monitor, analyze, and report on suspicious user activity, threats, and policy compliance for SaaS applications using API-based deep inspection | Secure SaaS access (SSA) using FortiCASB |
| Restrict tenant access to SaaS applications using FortiSASE Web Filter with Inline-CASB and SSL deep inspection; allow, monitor, or block SaaS traffic using FortiSASE Application Control with Inline-CASB and SSL deep inspection | SSA using FortiSASE Inline-CASB |
This section focuses on each individual FortiSASE use case and the corresponding designs and topologies deployed for it. You can combine these individual topologies to cover multiple FortiSASE use cases, based on your security goals and requirements.