Was able to achieve the goal. Integration of FortiSASE (SPA) to On-prem FortiGate. An endpoint device was able to access the local resources through SPA. Endpoint internet access was also hitting the SIA policy and profile.
Is it possible that endpoint internet access may be redirected to FG (SPA HUB) so that I could use the SDWAN rule to redirect the internet access of my endpoint devices? Looking at the SASE SPA Overview (https://docs.fortinet.com/document/fortisase/23.2.32/spa-with-a-fortigate-sd-wan-deployment-guide/89... it did not give much info aside from allowing remote devices to access the local resources.
Any advice from the experts is much appreciated.
Hello R_F,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi again R_F,
It looks like this article may be relevant to what you're after. I'll keep looking for someone who can help you directly in the meantime, but let me know if this helps.
Thanks for the swift revert @Stephen_G.
Maybe I wasn't clear about the goal I wanted to achieve. Again, not sure if this is achievable with the current FSASE version.
Through a series of simulations with regard to the SIA use case, I was able to gain knowledge of how it really works. Now I am getting into a bit more complex part, which is exploring SPA. SASE and my FG (on-prem) are integrated via IPsec VPN and BGP, thanks to some video tutorials found online and the SASE admin guide.
Since the endpoint is being managed by the SASE cloud, is it possible that endpoint internet access would pass through SASE and then to my on-prem FG with SD-WAN configured? I am exploring having endpoint restriction handled by the FG on-prem and playing around with its internet access through the FG on-prem SD-WAN.
Definitely, if the remote endpoint is virtual (SSL/IPsec) or directly connected to the on-prem FG, I can achieve the above goal.
Hi R_F,
I'm really sorry, but I have so far been unable to find anyone who can help. FortiSASE is still a very recent solution with a few specialists.
Hopefully someone can reply to this topic with their insight. If you have any support queries, you're welcome to get in touch with our support team. I'll keep looking in the meantime.
Kind regards,
Hello again R_F,
I talked with one of our experts.
It sounds like this is what you are trying to achieve:
User -> FSS -> SPA HUB -> [SDWAN] Internet.
However, it would be more efficient to configure the following:
User -> FSS -> Internet
From what I understand, SSE already covers everything you would need the SPA HUB for. As a result, you would likely be better served by having only FSS as the connection intermediary i.e. we recommend against what you're trying to accomplish.
I hope that helps!
Kind regards,
Thank you for your insights @Stephen_G
Hello R_F
I was checking this post and wanted to provide an answer to your following question:
"Since the endpoint is being managed by the SASE cloud, is it possible that endpoint internet access would pass through SASE and then to my On-prem FG with SDWAN configured? I am exploring that endpoint restriction would be handling FG on-prem and playing around with its internet access thru FG on-prem SDWAN"
You can actually do this by configuring your FortiGate as a ZTNA access proxy in FortiSASE.
Documentation: https://docs.fortinet.com/document/fortisase/latest/administration-guide/247982/ztna-access-proxies
In this case the ZTNA tags will be configured in FortiSASE, which will perform compliance checks and push the tags to the FortiGate.
However, the ZTNA server configuration and ZTNA policies will be configured on the FortiGate, which will intercept any endpoint traffic toward any internal server by acting as a ZTNA access proxy and handle it internally.
In this case you will see all private access logs on the FortiGate and no logs for this traffic in FortiSASE, since it is now the FortiGate that handles the traffic internally.
Regards