FortiSASE
ihaidar
Staff
Article Id 288338
Description

This article describes the differences between FortiSASE policies and provides guidance on how to configure each one.

Scope

FortiSASE.

Solution

Overview:

 

FortiSASE has three types of policies, each serving a specific purpose tailored for different use cases.

 

  1. Internet Access Policy: Configure this policy when dealing with a Secure Internet Access (SIA) use case, specifically when FortiClient is installed on the endpoint. This approach is known as SIA Agent Based.
  2. Secure Web Gateway (SWG) Policy: Configure this policy in an SIA Agentless use case, particularly when a PAC File is installed on the endpoint. This approach is known as SIA Agentless.
  3. Private Access Policy: Configure this policy in the Secure Private Access (SPA) use case, specifically when connecting to internal resources behind the Hub FortiGate.

Note that all three policy types may need to be configured when all of the above use cases are deployed in the environment. Traffic matches the relevant policy based on the destination of the traffic and the type of the endpoint.

Creating an Internet Access Policy (SIA Policy):

 

Go to Configuration -> Policies -> Internet Access -> Create.

KB article screenshot.png

 

In the policy below, only users who are connected to SSL-VPN, have the Windows-Compliant tag, and are part of the 'IT_Group' user group are allowed to access the internet.

 

SIA Policy.PNG

 

Creating an SWG Policy:

 

  1. Enable SWG Configuration

    Before configuring the SWG policy, make sure that SWG Configuration is enabled.
    FortiSASE does not show the SWG Policy option under the Configuration tab when SWG is disabled.

SWG Enable.png

 

Go to Configuration -> SWG Policies -> Create and configure the options most appropriate for the current setup.

                            SWG Policy.png

 

Creating an SPA Policy:

 

Before configuring the SPA policy, make sure that Secure Private Access is configured and the IPsec tunnel is up, as shown in the screenshot below. FortiSASE does not show the Private Access policy option when Secure Private Access is not configured.

                      Secure Private Access config.png

 

Go to Configuration -> Policies -> Private Access -> Create.

                 SPA create.png

 

Configure the options based on requirements.

                SPA policy.PNG