Flamby
New Member
June 30, 2025
Question

SPA Design Advice


Hi,

We have 2 FortiGates in different locations, and each of them includes an SPA license, in addition to a FortiSASE subscription.

To maintain policy consistency for remote users and also branch site users, we are planning to use the branch FortiGate as an Edge Device in FortiSASE instead of establishing a direct tunnel between the branch FortiGate and the HQ one.

I'm just wondering how common this is? It looks so complicated reading the admin guide.

PS: We have a UTP bundle with each FortiGate (HQ and branch). In my opinion, a direct tunnel between both sites is better, and FortiSASE will be used mainly for remote users only.

1 reply

fabs-net
Explorer III
September 23, 2025

Hi,

I would also say that if UTP is available at the locations, a breakout at the location is used in the direction of the internet or to the other location.
This saves the hop to the SASE cloud for the on-prem users and security is still guaranteed.
For all remote users, the sites are also available via SPA from SASE and can be accessed securely.

 

I hope I have understood the question correctly and given some input.

KR Fabian

Every packet has a journey.