4D Documents
Best practices documents for defining, designing, deploying and demoing various cross product solutions.
fmerin_FTNT
Staff
Article Id 266248

The following snippets summarize the FortiSASE Secure Private Access (SPA) using ZTNA (zero trust network access) agent-based deployment, which is also known as the FortiSASE endpoint with ZTNA shortcuts deployment. To view the complete guide, go to SPA Using ZTNA Deployment Guide.


FortiSASE Endpoint with ZTNA Shortcuts Deployment

This guide examines how FortiSASE can integrate with FortiGate ZTNA to provide a seamless experience for end users while securing your most important corporate assets behind the FortiGate application gateway. Unlike traditional SSL and IPsec VPN, FortiSASE SPA using ZTNA offers direct connections to protected resources without requiring a persistent tunnel. The key to ZTNA is verifying the identities of both the connecting device and its user, and checking the device's security posture, before admitting it to the protected network. These security checks happen instantly and transparently thanks to the integration between FortiSASE, FortiGate, and the FortiClient endpoint. If a device cannot pass these security checks, it is considered untrusted and the connection is rejected.


The following illustrates the architecture of the FortiSASE, FortiGate, and FortiClient integration.



This guide explores the setup between FortiSASE and your corporate FortiGate firewall in detail to cover the SPA using ZTNA use case. It first reviews the components in this solution to understand more about the inner workings, then dives into design concepts and considerations. Finally, it steps through a deployment scenario to build a working FortiSASE and ZTNA environment.


Deployment Plan

The following outlines the major steps to deploy this solution. Go to Deployment procedures for detailed configuration steps:


  1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as needed. See Provisioning your FortiSASE instance.
  2. Configure remote authentication and onboard users. See Configuring remote authentication and onboarding users.
  3. Configure VPN policies to apply desired scanning and filtering for your users. See Configuring security profiles and policies.
  4. Configure ZTNA tags and tagging rules. See Configuring ZTNA tags and tagging rules.
  5. Connect the FortiGate to FortiSASE over the FortiClient Cloud Fabric connector. Authorize the FortiGate on FortiSASE. FortiSASE automatically synchronizes the tags to the FortiGate. See Connecting the FortiGate to FortiSASE.
  6. On the FortiGate, configure remote authentication servers, authentication schemes, and rules. See Configuring authentication on the FortiGate access proxy.
  7. Configure ZTNA servers. See Configuring ZTNA servers.
  8. Configure ZTNA policies and use user groups and ZTNA tags for access control. See Configuring ZTNA policies.
  9. In FortiSASE, configure ZTNA connection rules to push to clients. See Configuring ZTNA connection rules on FortiSASE.
  10. Test and monitor the configuration using a remote device. See Testing and monitoring.
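As an added illustration of steps 6 through 8, which is not taken from the deployment guide or this article, the following FortiOS CLI skeleton shows the three groups of objects those steps create on the FortiGate: a remote authentication server with an authentication scheme and rule, a ZTNA server (an access-proxy VIP plus the access proxy with its real servers), and a ZTNA policy that requires both a user group and a posture tag before accepting a connection. Every name, address, interface, port, and the tag string are placeholders chosen for this example; the tag name in particular must be replaced with the name exactly as it appears on the FortiGate after FortiSASE synchronizes it in step 5.

```text
# Added example, not part of the guide. All names, addresses and the
# tag value below are placeholders.

# Step 6: remote authentication server, user group, scheme and rule
config user ldap
    edit "LDAP-Corp"
        set server "10.88.0.1"                 # placeholder directory server
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fgt,cn=Users,dc=example,dc=com"
        set password <password>
    next
end
config user group
    edit "ZTNA-Users"
        set member "LDAP-Corp"
    next
end
config authentication scheme
    edit "ZTNA-Basic"
        set method basic
        set user-database "LDAP-Corp"
    next
end
config authentication rule
    edit "ZTNA-Rule"
        set srcaddr "all"
        set ip-based disable                   # authenticate per session, not per source IP
        set active-auth-method "ZTNA-Basic"
    next
end

# Step 7: ZTNA server = access-proxy VIP + access proxy with real servers
config firewall vip
    edit "ZTNA-Server-VIP"
        set type access-proxy
        set extip 192.0.2.10                   # placeholder public address of the gateway
        set extintf "port1"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_Factory"
    next
end
config firewall access-proxy
    edit "ZTNA-Server"
        set vip "ZTNA-Server-VIP"
        set client-cert enable                 # require the FortiClient device certificate
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.88.0.3       # placeholder internal web server
                        set port 443
                    next
                end
            next
        end
    next
end

# Step 8: ZTNA policy. Both the user group and the tag must match;
# an endpoint that fails the posture check never carries the tag, so
# its connection is denied, which is the "untrusted, rejected" outcome
# the overview describes.
config firewall proxy-policy
    edit 1
        set name "ZTNA-Web-Allow"
        set proxy access-proxy
        set access-proxy "ZTNA-Server"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "ZTNA-Users"
        set ztna-ems-tag "<tag name as synchronized from FortiSASE>"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

The point of the skeleton is the division of labour: identity is decided by the authentication rule and the policy's group match, device trust by the client certificate on the access proxy, and posture by the synchronized tag on the policy. When troubleshooting step 10, a rejected connection is usually traceable to exactly one of those three checks, and `set logtraffic all` on the policy is what makes the denied session visible in the logs.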

For more information, go to SPA Using ZTNA Deployment Guide.
