FortiSASE
sjoshi
Staff
Article Id 290791
Description

 

This article describes how to use the Secure Internet Access (SIA) Mechanism.

 

Scope

 

FortiSASE.

 

Solution

 

This article assumes that the end user VPN configuration has been completed and that the user is able to connect the VPN to FortiSASE.

 

Once the end user is able to connect the VPN, policies must be configured on a per-user basis to grant the appropriate access.

 

It is important that all traffic passing through FortiSASE is linked to a corresponding policy. These policies dictate the path of the traffic, determine how FortiSASE handles it, and establish whether the traffic is permitted to traverse the system.

When a session is started through the VPN tunnel, FortiSASE checks the connection using VPN policies. It goes through each policy from top to bottom, comparing the session details to the policy settings. If it finds a match and the action is 'Accept,' FortiSASE applies security measures. If the action is 'Deny,' FortiSASE stops the traffic.

 

  • Go to Configuration -> Policies.

By default, the 'allow all' policy will be seen.

Fine-tune it as desired by user group: create a separate policy for each user group and allow access as required.

In this example, a new policy was created to allow users matching the VPN_User group.

 


 

Note the Force Certificate Inspection option. If it is enabled, the policy ignores the SSL inspection configured in the selected profile group and uses certificate inspection instead.

Even if deep inspection is defined in the profile, traffic matching this particular policy will use certificate inspection when Force Certificate Inspection is enabled.
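
The following is an added example, not FortiSASE code or part of the original article: a simplified Python model of the top-to-bottom, first-match evaluation and the Force Certificate Inspection override described above, plus a check for policies that can never match because a broader policy sits above them. The field names, the `any` wildcard, the Guest group, the policy names and the deny-on-no-match behavior are assumptions made for the model.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard in this model only (hypothetical, not a FortiSASE keyword)

@dataclass(frozen=True)
class Policy:  # field names are assumptions made for this sketch
    name: str
    user_group: str                      # group name or ANY
    destination: str                     # destination label or ANY
    action: str                          # "accept" or "deny"
    ssl_inspection: str = "certificate"  # mode set in the profile group
    force_cert_inspection: bool = False

def covers(rule_value, value):
    return rule_value == ANY or rule_value == value

def evaluate(policies, user_group, destination):
    """First match wins: return (policy name, action, effective SSL inspection)."""
    for p in policies:
        if covers(p.user_group, user_group) and covers(p.destination, destination):
            if p.action == "deny":
                return p.name, "deny", None
            # Force Certificate Inspection overrides the profile group's mode.
            mode = "certificate" if p.force_cert_inspection else p.ssl_inspection
            return p.name, "accept", mode
    return None, "deny", None  # assumption: unmatched sessions are not allowed

def shadowed(policies):
    """Return (later, earlier) pairs where the earlier policy always matches first."""
    pairs = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (covers(earlier.user_group, later.user_group)
                    and covers(earlier.destination, later.destination)):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# Constructed sample policies, listed top to bottom.
VPN_POLICY = Policy("VPN_User-Access", "VPN_User", ANY, "accept", "deep", True)
GUEST_DENY = Policy("Guest-Deny", "Guest", ANY, "deny")
ALLOW_ALL = Policy("Allow-All", ANY, ANY, "accept")
ORDERED = [VPN_POLICY, GUEST_DENY, ALLOW_ALL]
MISORDERED = [ALLOW_ALL, VPN_POLICY, GUEST_DENY]

if __name__ == "__main__":
    for label, table in (("ordered", ORDERED), ("misordered", MISORDERED)):
        for group in ("VPN_User", "Guest"):
            print(label, group, evaluate(table, group, "example.com"))
        print(label, "shadowed:", shadowed(table))
```

In the misordered table the 'allow all' policy at the top matches every session, so the group-specific accept and deny policies below it never take effect.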

 

The UTM profile can be defined through features such as web filter, application control, file filter, DNS filter, DLP, IPS, AV, etc.

 

  • How to configure a UTM Profile.

Go to Configuration -> Security.

 


 

The profile group name is shown at the top right. This is the name that can be selected in the policy.

 

  • Monitor the logs for SIA traffic in the portal under Analytics -> Logs -> Traffic -> Internet Access Traffic.

 


 

 

  • Similarly, UTM logs will be available under Analytics -> Logs -> Security.

 


 

  • The Dashboard can also be used to monitor user traffic.

 
