Deployment overview

The FortiSASE default shared IP address environment presents some problems for customers and their remote users:

  • Since the same public IP address is used for all outgoing traffic, identification and isolation of each specific customer’s remote user traffic is not possible.

  • Since the public IP address used for outgoing traffic belongs to an IP address block in the same geographical location as the security point of presence (PoP) or region that users are connected to, their content is limited to that specific location when accessing services relying on geolocation.

See FortiSASE default shared IP address environment summary.

Using dedicated public IP addresses for each customer’s remote user traffic and public IP addresses that are mapped to a specified country can solve these problems.

The network diagram illustrates some benefits of using FortiSASE dedicated public IP addresses as this section further describes:

  • Traffic identification and isolation for IP reputation control

  • Geolocation rules

  • Source IP anchoring

Note

Implementing dedicated public IP addresses currently affects the operation of the FortiSASE instance. FortiSASE Operations recommends raising the request to implement dedicated public IP use cases well in advance, before onboarding any remote users or implementing features such as FortiAP, FortiExtender, or FortiGate edge device support, to avoid service disruption.

Note

The number of security PoPs that are accessible by remote users depends on the FortiSASE license tier and number of users. See Number of security data centers accessible per license.

Currently, you must manually configure the dedicated public IP use cases for FortiSASE on the backend.

Use case

Details

Dedicated IP addresses

One IP address is assigned to each configured PoP or region with a maximum of four PoPs. The default geolocation of a PoP is used. For this initial IP assignment per PoP, the instance is required to have one of these licenses applied:

  • FortiSASE-Dedicated-IP license as an add-on to a FortiSASE Standard license
  • FortiSASE Advanced license
  • FortiSASE Comprehensive license

Geolocation rules

Building upon the dedicated IP addresses use case, the geolocation (city, country) of a PoP is explicitly requested to differ from the default geolocation by defining geolocation rules in the backend.

Source IP anchoring

For each license for four public IP addresses purchased beyond the initial four public IP addresses, the request should specify which PoPs each of the additional IP addresses should be associated with and what geolocation (city, country) should be assigned to each. A source IP anchor consists of a mapping between a dedicated public IP address, a geolocation, and the specific users who will use that dedicated IP address for source network address translation (NAT). Customers are limited to specifying seven source IP anchors per PoP.

Note

For source IP anchoring, you must purchase another Dedicated Public IP add-on license with four additional dedicated IP addresses beyond the initial number of dedicated IP addresses per PoP. The additional four dedicated IP addresses can be allocated as desired for source IP anchoring rules such as all in a single PoP, one per PoP, or any combination in between.

Note

For source IP anchoring, FortiSASE only supports country-level association of remote users. An alternative for determining the source of remote users that is more granular than their country is to use authentication (user groups). You should distinguish this from the geolocation advertised for a public IP using RFC 8805, which supports city-level association.
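The following Python script is an added example, not Fortinet code or tooling. It models the request a customer assembles from the use cases above (initial one-IP-per-PoP assignment, add-on licenses of four addresses, source IP anchors mapping an IP, a country and user groups) and checks it against the limits stated on this page: at most four PoPs for the initial assignment, four addresses per additional add-on license, seven anchors per PoP, and country-level association only. It also parses an RFC 8805 geofeed, the format in which the geolocation of a public IP is advertised, and flags any anchor whose requested country differs from what the feed advertises for its address. The PoP names, addresses, user groups and geofeed lines are constructed for illustration and do not describe any real FortiSASE instance.

```python
"""Pre-flight check for a FortiSASE dedicated public IP / source IP anchoring request.

Added example, not Fortinet code. Limits come from the deployment overview;
all sample data below is constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

MAX_INITIAL_POPS = 4          # one dedicated IP per PoP, at most four PoPs
IPS_PER_ADDON_LICENSE = 4     # each further Dedicated Public IP add-on license adds four IPs
MAX_ANCHORS_PER_POP = 7       # source IP anchors a customer may specify per PoP


@dataclass
class Anchor:
    """One source IP anchor: dedicated IP, requested country, users NATed behind it."""
    pop: str
    public_ip: str
    country: str              # ISO 3166-1 alpha-2; anchoring is country-level only
    user_groups: list


@dataclass
class Plan:
    initial_pops: list        # PoPs receiving the initial one-IP-per-PoP assignment
    addon_licenses: int       # Dedicated Public IP add-on licenses bought for anchoring
    anchors: list


def validate_plan(plan):
    """Return human-readable problems; an empty list means the request is consistent."""
    errors = []
    if len(plan.initial_pops) > MAX_INITIAL_POPS:
        errors.append(f"initial dedicated IPs cover {len(plan.initial_pops)} PoPs, "
                      f"limit is {MAX_INITIAL_POPS}")
    available = plan.addon_licenses * IPS_PER_ADDON_LICENSE
    anchor_ips = {a.public_ip for a in plan.anchors}
    if len(anchor_ips) > available:
        errors.append(f"{len(anchor_ips)} anchor IPs requested but only {available} are licensed")
    for pop, n in Counter(a.pop for a in plan.anchors).items():
        if n > MAX_ANCHORS_PER_POP:
            errors.append(f"PoP {pop} has {n} anchors, limit is {MAX_ANCHORS_PER_POP}")
    for a in plan.anchors:
        try:
            ipaddress.ip_address(a.public_ip)
        except ValueError:
            errors.append(f"anchor IP {a.public_ip!r} is not a valid address")
        if not (len(a.country) == 2 and a.country.isalpha() and a.country.isupper()):
            errors.append(f"anchor {a.public_ip}: country {a.country!r} is not an alpha-2 code")
    return errors


def parse_geofeed(text):
    """Parse RFC 8805 lines (ip_prefix,country,region,city,postal_code; '#' starts a comment)."""
    feed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        fields += [""] * (5 - len(fields))    # trailing fields may be empty or omitted
        prefix, country, region, city, _postal = fields[:5]
        feed[ipaddress.ip_network(prefix, strict=False)] = (country, region, city)
    return feed


def advertised_country(ip, feed):
    """Country advertised for ip by the most specific matching geofeed prefix, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [net for net in feed if addr in net]
    if not matches:
        return None
    return feed[max(matches, key=lambda n: n.prefixlen)][0]


def geolocation_mismatches(plan, feed):
    """Anchors whose requested country differs from what the geofeed advertises for their IP."""
    return [(a.public_ip, a.country, advertised_country(a.public_ip, feed))
            for a in plan.anchors
            if advertised_country(a.public_ip, feed) != a.country]


# Constructed geofeed using documentation address blocks; not a Fortinet publication.
GEOFEED = """\
# constructed geofeed for this example
203.0.113.0/26,DE,DE-HE,Frankfurt,
203.0.113.64/26,FR,FR-IDF,Paris,
198.51.100.0/24,US,US-CA,San Jose,
"""


def example_plan():
    """Constructed request: three PoPs, one add-on license (four IPs), four anchors."""
    return Plan(
        initial_pops=["Frankfurt", "Paris", "San Jose"],
        addon_licenses=1,
        anchors=[
            Anchor("Frankfurt", "203.0.113.10", "DE", ["eu-finance"]),
            Anchor("Paris", "203.0.113.70", "FR", ["fr-sales"]),
            Anchor("San Jose", "198.51.100.20", "US", ["us-engineering"]),
            # requested as FR, but the address sits in the Frankfurt block: flagged below
            Anchor("Frankfurt", "203.0.113.11", "FR", ["fr-remote"]),
        ],
    )


if __name__ == "__main__":
    plan = example_plan()
    for problem in validate_plan(plan):
        print("plan error:", problem)
    for ip, wanted, advertised in geolocation_mismatches(plan, parse_geofeed(GEOFEED)):
        print(f"{ip}: requested {wanted}, geofeed advertises {advertised}")
```

Running the script on the constructed plan reports no licensing or limit errors but flags 203.0.113.11, whose requested country (FR) does not match the DE advertised for its prefix; that is the kind of discrepancy to resolve with the ETAC team before users are anchored behind the address.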

Once you have acquired the dedicated public IP license as an add-on to the FortiSASE Standard license and would like to implement the public IP assignments, you must open a Fortinet Support ticket with the FortiClient/EMS evolved technical assistance center (ETAC) team to make this request for your FortiSASE instance. The ETAC team will then engage FortiSASE Operations internally to complete the request.

Note

Dedicated IP addresses are automatically assigned to new FortiSASE instances with Advanced and Comprehensive license types. You do not need to open a Fortinet Support ticket to implement the public IP assignments for these license types. However, you will still require a support ticket to implement geolocation rules and source IP anchoring use cases even for these license types.

This deployment guide describes the FortiSASE dedicated public IP addresses features and use cases and information required to submit a request for manual configuration on the FortiSASE backend.

Intended audience

Mid-level network and security architects, engineers, and administrators in companies of all sizes and verticals looking to deploy FortiSASE dedicated public IP use cases should find this guide helpful.

About this guide

This deployment guide describes the features and use cases available to customer administrators with the FortiSASE dedicated public IP add-on license, the FortiSASE Advanced license, or the FortiSASE Comprehensive license applied to their FortiSASE instance. The purpose is to ensure customer administrators have a proper understanding of dedicated public IP features and use cases so they can submit a request for manual configuration on the FortiSASE backend.