- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: endpoint internet access FortiSASE (SIA and SP...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
endpoint internet access FortiSASE (SIA and SPA)
Was able to achieve the goal. Integration of FortiSASE (SPA) to On-prem FortiGate. An endpoint device was able to access the local resources through SPA. Endpoint internet access was also hitting the SIA policy and profile.
Is it possible that endpoint internet access may be redirected to FG (SPA HUB) so that I could use the SDWAN rule to redirect the internet access of my endpoint devices? Looking at the SASE SPA Overview (https://docs.fortinet.com/document/fortisase/23.2.32/spa-with-a-fortigate-sd-wan-deployment-guide/89... it did not give much info aside from allowing remote devices to access the local resources.
any advise from the expert is much appreciated.
Labels:
- Labels:
-
FortiClient
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello R_F,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Stephen - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again R_F,
It looks like this article may be relevant to what you're after. I'll keep looking for someone who can help you directly in the meantime, but let me know if this helps.
Stephen - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the swift revert @Stephen_G .
Maybe I wasn't clear about the goal I wanted to achieve. Again, not sure if this is achievable with the current FSASE version.
Through a series of simulations with regard to the SIA use case. I was able to gain knowledge of how it really works. Now, I am getting into a bit complex part which is exploring the SPA. SASE and my FG (On-prem) integrated via IPSec VPN and BGP. Thanks to some video tutorials found online and sase admin guide.
Since the endpoint is being managed by the SASE cloud, is it possible that endpoint internet access would pass through SASE and then to my On-prem FG with SDWAN configured? I am exploring that endpoint restriction would be handling FG on-prem and playing around with its internet access thru FG on-prem SDWAN.
Definetly if remote endpoint is virtual (ssl/ipsec) or directly connected with on-prem FG I can achieve above goal.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi R_F,
I'm really sorry, but I have so far been unable to find anyone who can help. FortiSASE is still a very recent solution with a few specialists.
Hopefully someone can reply to this topic with their insight. If you have any support queries, you're welcome to get in touch with our support team. I'll keep looking in the meantime.
Kind regards,
Stephen - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello again R_F,
I talked with one of our experts.
It sounds like this is what you are trying to achieve:
User - > FSS -> SPA HUB -> [SDWAN] Internet.
However, it would be more efficient to configure the following:
User -> FSS -> Internet
From what I understand, SSE already covers everything you would need the SPA HUB for. As a result, you would likely be better served by having only FSS as the connection intermediary i.e. we recommend against what you're trying to accomplish.
I hope that helps!
Kind regards,
Stephen - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you for your insights @Stephen_G
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello R_F
i was checking this post and wanted to provide an answer to your following question:
"Since the endpoint is being managed by the SASE cloud, is it possible that endpoint internet access would pass through SASE and then to my On-prem FG with SDWAN configured? I am exploring that endpoint restriction would be handling FG on-prem and playing around with its internet access thru FG on-prem SDWAN"
You can actually do this by configurint your FortiGate as a ZTNA access proxy in FortiSASE.
Documentation: https://docs.fortinet.com/document/fortisase/latest/administration-guide/247982/ztna-access-proxies
In this case the ZTNA Tags will be configured in FortiSASE who will perform compliance and push TAGs to FortiGate.
However the ZTNA Server configuration and ZTNA policies will be configured in FortiGate who will intercept any endpoint traffic toward any internal Sever by acting as a ZTNA access proxy and handly it internally.
In this case you will see all private access logs in the FortiGate and no logs for this traffic in FortiSASE since it is now FortiGATE that handles the traffic internally.
Regards
sx11
Related Posts
- FortiClient 7.2 - will not connect... 907 Views
- FortiClient certificate warning on Linux 689 Views
- For the first time I'm trying... 480 Views
- ZTNA Virtual Host not working 468 Views
- Why does my new tunnel interface... 3501 Views
Labels
-
FortiGate
6,615 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
340 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
103 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
74 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
SD-WAN
27 -
Firewall policy
26 -
FortiConnect
24 -
High Availability
22 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.