Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
R_F
Contributor

endpoint internet access FortiSASE (SIA and SPA)

Was able to achieve the goal. Integration of FortiSASE (SPA) to On-prem FortiGate. An endpoint device was able to access the local resources through SPA. Endpoint internet access was also hitting the SIA policy and profile.


Is it possible that endpoint internet access may be redirected to FG (SPA HUB) so that I could use the SDWAN rule to redirect the internet access of my endpoint devices? Looking at the SASE SPA Overview (https://docs.fortinet.com/document/fortisase/23.2.32/spa-with-a-fortigate-sd-wan-deployment-guide/89... it did not give much info aside from allowing remote devices to access the local resources.

 

any advise from the expert is much appreciated.

 

7 REPLIES 7
Stephen_G
Moderator
Moderator

Hello R_F, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks,

Stephen - Fortinet Community Team
Stephen_G
Moderator
Moderator

Hi again R_F,

 

It looks like this article may be relevant to what you're after. I'll keep looking for someone who can help you directly in the meantime, but let me know if this helps.

Stephen - Fortinet Community Team
R_F
Contributor

Thanks for the swift revert @Stephen_G .

Maybe I wasn't clear about the goal I wanted to achieve. Again, not sure if this is achievable with the current FSASE version.

Through a series of simulations with regard to the SIA use case. I was able to gain knowledge of how it really works. Now, I am getting into a bit complex part which is exploring the SPA. SASE and my FG (On-prem) integrated via IPSec VPN and BGP. Thanks to some video tutorials found online and sase admin guide.

Since the endpoint is being managed by the SASE cloud, is it possible that endpoint internet access would pass through SASE and then to my On-prem FG with SDWAN configured? I am exploring that endpoint restriction would be handling FG on-prem and playing around with its internet access thru FG on-prem SDWAN.

Definetly if remote endpoint is virtual (ssl/ipsec) or directly connected with on-prem FG I can achieve above goal.

 

 

 

Stephen_G
Moderator
Moderator

Hi R_F,

 

I'm really sorry, but I have so far been unable to find anyone who can help. FortiSASE is still a very recent solution with a few specialists.

 

Hopefully someone can reply to this topic with their insight. If you have any support queries, you're welcome to get in touch with our support team. I'll keep looking in the meantime.

 

Kind regards,

Stephen - Fortinet Community Team
Stephen_G
Moderator
Moderator

Hello again R_F,

 

I talked with one of our experts.

It sounds like this is what you are trying to achieve:

 

User - > FSS -> SPA HUB -> [SDWAN] Internet.

 

However, it would be more efficient to configure the following:

 

User -> FSS -> Internet

 

From what I understand, SSE already covers everything you would need the SPA HUB for. As a result, you would likely be better served by having only FSS as the connection intermediary i.e. we recommend against what you're trying to accomplish.

 

I hope that helps!

 

Kind regards,

Stephen - Fortinet Community Team
R_F
Contributor

thank you for your insights @Stephen_G 

Hatibi
Staff
Staff

Hello R_F

 

i was checking this post and wanted to provide an answer to your following question: 

"Since the endpoint is being managed by the SASE cloud, is it possible that endpoint internet access would pass through SASE and then to my On-prem FG with SDWAN configured? I am exploring that endpoint restriction would be handling FG on-prem and playing around with its internet access thru FG on-prem SDWAN"

 

You can actually do this by configurint your FortiGate as a ZTNA access proxy in FortiSASE.

Documentation: https://docs.fortinet.com/document/fortisase/latest/administration-guide/247982/ztna-access-proxies

 

In this case the ZTNA Tags will be configured in FortiSASE who will perform compliance and push TAGs to FortiGate.

However the ZTNA Server configuration and ZTNA policies will be configured in FortiGate who will intercept any endpoint traffic toward any internal Sever by acting as a ZTNA access proxy and handly it internally.

In this case you will see all private access logs in the FortiGate and no logs for this traffic in FortiSASE since it is now FortiGATE that handles the traffic internally.

 

Regards

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors