Fortinet
October 13, 2023

Building Single-Vendor SASE with FortiSASE and Fortinet SD-WAN

Jon Kraft
Founder & Security Architect - FCX #3408

If you work in the IT industry, you have likely heard of SASE. SASE is probably the most talked-about topic in the network security space right now. Recently, Gartner introduced "Single-Vendor SASE" as an evaluation category for its Peer Insights and Magic Quadrant reports. Ever since Gartner defined this new category, vendors have been quickly developing and solidifying their Single-Vendor SASE offerings. This blog post will explore Fortinet's Single-Vendor SASE offering.

While this article is not meant to introduce SASE as a technology, I do want to offer a quick refresher on the components and characteristics that make up a SASE solution. SASE combines converged networking and security in a cloud-centric architecture. This allows organizations to securely interconnect their users, offices, and applications no matter where they are located. The typical components we find in SASE solutions include next-generation firewall (NGFW), secure web gateway (SWG), software-defined WAN (SD-WAN), zero-trust network access (ZTNA), and cloud access security broker (CASB), to name a few. You may have already figured this out, but in a Single-Vendor SASE solution, all of the aforementioned components are provided by the same vendor.

SASE architectures will vary based on organizational requirements, but the following diagram gives you a general idea of what one may look like. We will use this diagram to build out a Fortinet Single-Vendor SASE solution throughout the rest of this article.

Fortinet Single-Vendor SASE: Components

Let’s take a look at the Fortinet components that can be used to build the SASE Architecture in the diagram above.

FortiSASE

FortiSASE provides the cloud-delivered network and security component of Fortinet's SASE offering. You can think of FortiSASE as a FortiGate running in the cloud, although it includes additional capabilities such as endpoint management. FortiSASE is sold on a user-based subscription model.

FortiGate

FortiGate provides the SD-WAN component of Fortinet’s SASE offering. FortiGate can also provide NGFW services for physical locations that have direct access to the public internet. In Fortinet’s SASE architecture, you will typically find FortiGate at the data center edge, in public clouds, and at larger branch offices that require high-performance connectivity to private applications.

FortiGate Secure Private Access (SPA) License

The FortiGate SPA license is required on every FortiGate that will act as an SD-WAN hub. The SPA license permits the FortiGate SD-WAN hub to form IPsec tunnels and exchange routing information with FortiSASE POPs.

FortiClient

FortiClient is the agent that gets installed on endpoints in a Fortinet SASE solution. Remote users use FortiClient to connect to FortiSASE via SSL VPN tunnels. FortiClient is also central to the ZTNA component of FortiSASE, as it is responsible for checking endpoint posture and collecting user identity. FortiClient entitlement is included in the FortiSASE user-based subscription licensing.

Fortinet Thin-Branch Appliance

Fortinet Thin-Branch appliances are lightweight devices that provide connectivity to FortiSASE for a group of users. Thin-Branch is geared towards smaller branch locations, retail stores, or even power users working from home.

FortiManager & FortiAnalyzer (Optional)

I'm not going to spend much time on FortiManager or FortiAnalyzer in this blog post. Both are optional in Fortinet's SASE offering, but I would personally recommend them. FortiManager makes managing Fortinet SD-WAN much easier through central management and templating. FortiAnalyzer aggregates logs from FortiSASE and FortiGate, which simplifies troubleshooting in large deployments.

Fortinet Single-Vendor SASE – Putting it all together

It Starts with SD-WAN

The first thing that needs to happen when deploying our Fortinet SASE solution is to build out SD-WAN. The SD-WAN fabric allows the physical locations, public cloud instances, and FortiSASE POPs to communicate with each other. The diagram below consists of two hubs (Headquarters and Public Cloud) and two spokes (Branch 1 and FortiSASE). Fortinet SD-WAN fabrics can, however, scale up to thousands of sites.

It may seem odd that I am calling FortiSASE an SD-WAN spoke, but that is exactly how it fits into a Fortinet SD-WAN environment. FortiSASE connects to both SD-WAN hubs using SPA tunnels. When remote users or Thin-Branch sites connect to FortiSASE, they can reach networks at the hub sites across the SPA tunnels. If those same users or sites need to communicate with networks at spoke locations, dynamic tunnels are formed between FortiSASE and the spoke, as depicted by the dotted line in the diagram below.

Adding in Remote Users and Thin-Branch Sites

Now that our SD-WAN fabric is deployed, we can continue building our Fortinet SASE environment by connecting our Thin-Branch sites and remote users.

In our diagram below, Branch 2 is connecting as a Thin-Branch site. Remember that Thin-Branch is geared towards small branches or retail locations with minimal network requirements. For all intents and purposes, a Thin-Branch site is a LAN extension of FortiSASE. All traffic from the Thin-Branch site is delivered to the nearest FortiSASE POP across an IPsec tunnel. From there, FortiSASE is responsible for policy enforcement, traffic inspection, and routing to the destination. Thin-Branch devices are lightweight and do not provide any localized security; all enforcement happens in the POP.

At the time of this writing, the following Fortinet appliances can be converted to a Thin-Branch device: FortiExtender, FortiAP, and FortiGate.

There are two methods that can be used to connect remote users to FortiSASE: Endpoint Mode and SWG Mode. We will start with Endpoint Mode, as it is the preferred method.

Endpoint Mode requires endpoints to have the FortiClient agent installed. Once installed and registered to FortiSASE, FortiClient establishes an always-on SSL VPN tunnel to the nearest FortiSASE POP. Just like Thin-Branch sites, all traffic from the remote user's device is tunneled to FortiSASE. FortiSASE then inspects the traffic and forwards it to the destination if permitted by security policy. In addition to establishing connectivity to FortiSASE, FortiClient is responsible for collecting user identity and performing device posture checks. This contextual information is shared with FortiSASE and used as an additional input to policy enforcement. This process, known as ZTNA tagging, is critical to the ZTNA component of Fortinet's SASE solution.

While Endpoint Mode is the preferred method for connecting remote users to FortiSASE, there may be situations where SWG Mode is required. SWG Mode is agentless and uses an explicit proxy configuration in the host OS or browser to direct HTTP/HTTPS traffic to the nearest FortiSASE POP. SWG Mode is desirable where agents cannot be deployed to remote user endpoints but web traffic inspection is still required. That said, there are some downsides to SWG Mode. First, SWG Mode can only process and inspect web traffic: any application traffic that does not use HTTP/HTTPS is never sent to FortiSASE and leaves the endpoint uninspected. Second, you lose many of the ZTNA capabilities, because FortiClient is not installed on the endpoint and there is no posture check or ZTNA tagging. This means that a device that does not meet corporate requirements could potentially still access sanctioned applications.
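To make the SWG Mode limitations concrete, here is an added example of the kind of explicit-proxy configuration a browser or OS would be handed, written as a PAC (proxy auto-config) file. It is not code from the original post or from Fortinet; the proxy hostname and port, the internal domain, and the helper functions are assumptions for illustration only. Two things are visible in the code that the prose can only describe: the browser calls FindProxyForURL only for the web requests it makes, so SSH, RDP or any other non-HTTP traffic never consults the file and never reaches the SWG; and the file deliberately returns no "; DIRECT" fallback for external sites, because a fallback would fail open and let the browser bypass inspection whenever the POP is unreachable.

```javascript
// Added example: PAC file for an SWG-mode (explicit proxy) deployment.
// The browser/OS evaluates FindProxyForURL() only for HTTP(S) requests it
// makes itself. Non-web protocols (SSH, RDP, SMB, ...) never call it and are
// therefore never forwarded to the SWG, which is the SWG-mode limitation.
//
// Placeholder (assumed, not a real FortiSASE endpoint): replace with the
// explicit-proxy address of your own tenant.
var SWG_PROXY = "PROXY swg.example-tenant.invalid:443";

// Real PAC engines provide helpers such as dnsDomainIs() and isInNet(); small
// local versions are defined here so the file also runs under plain Node.js.
function endsWithDomain(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.slice(-(domain.length + 1)) === "." + domain;
}

function isPlainHostname(host) {
  return host.indexOf(".") === -1;
}

function isLoopback(host) {
  return host === "localhost" || host === "127.0.0.1" || host === "::1";
}

// RFC 1918 IPv4 literals (10/8, 172.16/12, 192.168/16) are treated as local.
function isPrivateIPv4(host) {
  var m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  // Loopback and single-label names (printers, dev servers) stay local.
  if (isLoopback(host) || isPlainHostname(host) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Internal zone reachable without the SWG (assumed domain name).
  if (endsWithDomain(host, "corp.example")) {
    return "DIRECT";
  }
  // Everything else the browser sends goes to the SWG. No "; DIRECT" is
  // appended on purpose: a fallback would fail open if the POP is unreachable.
  return SWG_PROXY;
}
```

Note that the bypass list is where policy leaks in: every domain or prefix sent DIRECT is web traffic FortiSASE will never see, so keep it to what genuinely cannot traverse the proxy.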

Connecting to SaaS Apps and the Public Internet

The last pieces to add to our Fortinet SASE solution are SaaS application and public internet access.

In most situations, locations protected by FortiGate firewalls will reach SaaS apps and the public internet through their own direct internet access (DIA) links. FortiGate firewalls can operate as SD-WAN appliances and internet-edge NGFWs simultaneously, so there is no reason to backhaul internet-bound traffic through FortiSASE for those locations.

Remote users and Thin-Branch sites, however, send their internet-bound traffic through FortiSASE for inspection and policy enforcement (all traffic for Thin-Branch sites and Endpoint Mode users, web traffic only for SWG Mode users). FortiSASE can provide the same level of enforcement as the on-premises FortiGate firewalls. Security policies in FortiSASE should be configured to match the on-premises FortiGate policies so that users get consistent enforcement and a consistent experience wherever they connect from.

With that, we have a real-world example of a Fortinet Single-Vendor SASE solution. While this example architecture introduces the key concepts of Fortinet's SASE offering, every organization has different requirements, which could result in a very different-looking topology. If you would like to discuss how Fortinet SASE could fit into your organization, please contact Trustlink Technologies at info@trustlink.tech.