I was able to achieve the goal: integration of FortiSASE (SPA) with the on-prem FortiGate. An endpoint device was able to access the local resources through SPA. Endpoint internet access was also hitting the SIA policy and profile.
Maybe I wasn't clear about the goal I wanted to achieve. Again, I'm not sure if this is achievable with the current FSASE version.
Through a series of simulations of the SIA use case, I was able to gain knowledge of how it really works. Now I am getting into a slightly more complex part, which is exploring SPA. SASE and my FG (on-prem) are integrated via IPsec VPN and BGP, thanks to some video tutorials found online and the SASE admin guide.
Since the endpoint is being managed by the SASE cloud, is it possible that endpoint internet access would pass through SASE and then to my on-prem FG with SD-WAN configured? I am exploring having endpoint restriction handled by the on-prem FG and playing around with its internet access through the on-prem FG's SD-WAN.
Definitely, if the remote endpoint is virtual (SSL/IPsec) or directly connected to the on-prem FG, I can achieve the above goal.
It sounds like this is what you are trying to achieve:
User -> FSS -> SPA HUB -> [SD-WAN] -> Internet
However, it would be more efficient to configure the following:
User -> FSS -> Internet
From what I understand, SSE already covers everything you would need the SPA HUB for. As a result, you would likely be better served by having only FSS as the connection intermediary i.e. we recommend against what you're trying to accomplish.
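As an added illustration (not configuration from either post above, and not the script the FortiSASE portal generates), here is what the on-prem FortiGate side of the SPA integration described in this thread typically looks like in FortiOS CLI: a route-based IPsec tunnel to the FortiSASE hub, a BGP session over that tunnel to exchange prefixes, and a firewall policy that admits SPA traffic only to the LAN. The point of the last part is the reply's recommendation: with no policy from the tunnel interface toward the WAN, endpoint internet traffic cannot hairpin through the on-prem FortiGate and keeps egressing via FSS/SIA. All addresses (203.0.113.10, 10.255.0.0/30, 192.168.10.0/24), AS numbers (65001/65002), interface names (wan1, internal) and the PSK are assumed placeholders; the real peer IP, tunnel addressing and BGP parameters come from the FortiSASE portal.

```fortios
# Added example, not from the original thread or the FortiSASE admin guide.
# Assumed placeholders: 203.0.113.10 (FortiSASE hub peer), 10.255.0.0/30
# (tunnel /30), AS 65001 (on-prem) / AS 65002 (FortiSASE), wan1 / internal,
# 192.168.10.0/24 (LAN) and the PSK. Take the real values from the portal.

config vpn ipsec phase1-interface
    edit "SASE-SPA"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret "replace-with-portal-psk"
    next
end

config vpn ipsec phase2-interface
    edit "SASE-SPA"
        set phase1name "SASE-SPA"
        set proposal aes256gcm
        set dhgrp 14
        set auto-negotiate enable
    next
end

# Tunnel interface addressing used for the BGP session
config system interface
    edit "SASE-SPA"
        set ip 10.255.0.2 255.255.255.255
        set remote-ip 10.255.0.1 255.255.255.252
    next
end

# Advertise the LAN prefix to FortiSASE; the SPA client pool is learned back
config router bgp
    set as 65001
    set router-id 10.255.0.2
    config neighbor
        edit "10.255.0.1"
            set remote-as 65002
            set soft-reconfiguration enable
        next
    end
    config network
        edit 1
            set prefix 192.168.10.0 255.255.255.0
        next
    end
end

config firewall address
    edit "LAN-subnet"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Only SPA-to-LAN is permitted. There is deliberately no policy with
# srcintf SASE-SPA and dstintf wan1, so endpoint internet traffic is not
# hairpinned through this FortiGate and egresses via FSS/SIA instead.
config firewall policy
    edit 10
        set name "SPA-to-LAN"
        set srcintf "SASE-SPA"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "LAN-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying it, `diagnose vpn tunnel list` should show the SASE-SPA tunnel up and `get router info bgp summary` should show the 10.255.0.1 neighbor in Established state with a non-zero prefix count; if an SPA client can then reach 192.168.10.0/24 while its web traffic still hits the SIA policy, the split the reply describes is in place.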