BIRO
New Member
August 14, 2025
Question

Connect FortiSASE to branch Fortigates

Hello All,

I’m working on a case and would like your input on the best approach to resolve it.

The current setup is as follows:

  • FortiSASE is configured as a spoke to a FortiGate “Hub” via SPA hub-and-spoke.

  • Two branch FortiGates are connected to the Hub through IPsec VPN tunnels.

My goal is to allow FortiClient users connected to the FortiSASE to access resources located behind both branch FortiGates.

Do you have any recommendations or best practices on how to implement this?

FortiSASE Network Diagram.png

1 reply

ozkanaltas
Valued Contributor III
August 14, 2025

Hello @BIRO,

I don't have experience related to topology. But if I think logically, you can use the existing IPsec tunnels for service access. Normally, a direct tunnel from the branch to SASE would work better than this scenario, but if I know correctly, you should buy a SPA license for these branch FortiGates. Because of that, your scenario looks like the best implementation scenario now.

BIRO
Author
New Member
August 17, 2025

Thanks for your reply.

I am aware of the purchase of a new SPA license for the branch, but I am looking for a workaround to access the private network behind the branches' firewalls.