FortiSASE and Zero Trust
Introduction
FortiSASE and Zero Trust extend the corporate perimeter to secure data to/from all endpoints, and enable secure access to the Internet, private applications, and SaaS applications. With the rise of hybrid work and application migration to cloud and SaaS, organizations must now secure employees accessing networks and applications from anywhere. This shift has expanded the attack surface, increasing the complexity of network, application, and data security. Companies with existing Fortinet deployments can seamlessly expand their network to include SASE locations that join natively with their SD-WAN, NGFW, or DCFW segments. This enables SASE adoption without impact to NOC/SOC teams and eliminates the need to architect and maintain complex routing configurations. Zero Trust is included with all FortiSASE deployments.
How it Works
Once deployed, all user or thin-branch traffic is automatically inspected by FortiSASE (with optional zero trust enforcement) before access is allowed to the Internet, private networks, or corporate SaaS applications. Deployed SASE points of presence (POPs) seamlessly connect to existing FortiGate NGFW, SD-WAN, or DCFW deployments. With FortiOS everywhere, existing NOC/SOC processes can easily manage new SASE locations.
The Zero Trust Security Posture diagram illustrates the integration of SASE components. It shows a central security posture connecting ZTNA Gateway, Remote Users, Thin Edge, Branch/Campus, Data Center, and NGFW to various security services like Secure Internet Access, Secure SaaS Access, Secure Private Access, CASB, DLP, SWG, and FWaaS. Supporting elements include AI-powered security, User Experience, Unified Management, and NOC/SOC integration, facilitating secure access across diverse environments.
Remote User Subscriptions
Cloud-based firewall and secure web proxy providing security (FortiGuard Labs) for remote users regardless of location when accessing the Internet.
Feature | STANDARD | ADVANCED | COMPREHENSIVE |
Secure Internet Access (SIA) | ✔️ | ✔️ | ✔️ |
SSL Inspection | ✔️ | ✔️ | ✔️ |
Inline Anti-virus (AV) and Sandbox | ✔️ | ✔️ | ✔️ |
Intrusion Prevention | ✔️ | ✔️ | ✔️ |
Web and DNS Filtering | ✔️ | ✔️ | ✔️ |
Botnet C&C Filtering | ✔️ | ✔️ | ✔️ |
Secure SaaS Access (SSA) | ✔️ | ✔️ | ✔️ |
Inline CASB | ✔️ | ✔️ | ✔️ |
Inline DLP | License Included | License Included | License Included |
Cloud API CASB & DLP | Add-on | Add-on | Add-on |
Secure Private Access (SPA) | ✔️ | ✔️ | ✔️ |
FortiGate Private Access | ✔️ | ✔️ | ✔️ |
Zero Trust Network Access (ZTNA) | ✔️ | ✔️ | ✔️ |
Agentless ZTNA | Coming Soon | Coming Soon | Coming Soon |
Devices per User | Up to 3 | Up to 3 | Up to 3 |
Dedicated Public IPs | Add-on | Add-on | Add-on |
Endpoint Security | ✔️ | ✔️ | ✔️ |
Vulnerability Management | ✔️ | ✔️ | ✔️ |
Endpoint Protection Platform | ✔️ | ✔️ | ✔️ |
OS Support | Windows, MacOS, Linux, iOS, Android | Windows, MacOS, Linux, iOS, Android | Windows, MacOS, Linux, iOS, Android |
NOC / SOC Integration | ✔️ | ✔️ | ✔️ |
SASE Cloud Management | ✔️ | ✔️ | ✔️ |
REST API | ✔️ | ✔️ | ✔️ |
SASE Cloud Logging, Reporting & Log Forwarding | ✔️ | ✔️ | ✔️ |
Digital Experience Monitoring | ✔️ | ✔️ | ✔️ |
SOC-as-a-Service Integration | ✔️ | ✔️ | ✔️ |
FortiGuard Forensics (Response) Service | ✔️ | ✔️ | ✔️ |
Data Center Locations | Fortinet Cloud Locations | Fortinet Cloud Locations | Fortinet & Public Cloud Locations |
Customer Support Services | | | |
24x7 Premium Support | ✔️ | ✔️ | ✔️ |
Assisted On-boarding | ✔️ | ✔️ | ✔️ |
Note: FortiGate SD-WAN Hub requires SPA License. Each user can use up to three devices, which can be a combination of agent-based and/or proxy-based. Applicability to agent-based only.
Ordering Information
Remote Users
USER BANDS | STANDARD | ADVANCED | COMPREHENSIVE |
50 - 499 | FC2-10-EMS05-547-02-DD | FC2-10-EMS05-676-02-DD | FC2-10-EMS05-759-02-DD |
500 - 1,999 | FC3-10-EMS05-547-02-DD | FC3-10-EMS05-676-02-DD | FC3-10-EMS05-759-02-DD |
2,000 - 9,999 | FC4-10-EMS05-547-02-DD | FC4-10-EMS05-676-02-DD | FC4-10-EMS05-759-02-DD |
10,000+ | FC5-10-EMS05-547-02-DD | FC5-10-EMS05-676-02-DD | FC5-10-EMS05-759-02-DD |
Comprehensive subscriptions of fewer than 200 users have limited POP availability. Refer to the FAQ.
Branch Locations
Easily connect branch locations directly to the FortiSASE network.
Feature | THIN EDGE STANDARD/ADVANCED | THIN EDGE COMPREHENSIVE | SD-WAN ON-RAMP ADVANCED | SD-WAN ON-RAMP COMPREHENSIVE |
Secure Internet Access (SIA) | ✔️ | ✔️ | ✔️ | ✔️ |
SSL Inspection | ✔️ | ✔️ | ✔️ | ✔️ |
Inline Anti-virus (AV) and Sandbox | ✔️ | ✔️ | ✔️ | ✔️ |
Intrusion Prevention | ✔️ | ✔️ | ✔️ | ✔️ |
Web and DNS Filtering | ✔️ | ✔️ | ✔️ | ✔️ |
Botnet C&C Filtering | ✔️ | ✔️ | ✔️ | ✔️ |
Secure SaaS Access (SSA) | ✔️ | ✔️ | ✔️ | ✔️ |
Inline CASB | ✔️ | ✔️ | ✔️ | ✔️ |
Inline DLP | Add-on | Add-on | Add-on | Add-on |
Cloud API CASB & DLP | ✔️ | ✔️ | ✔️ | ✔️ |
Secure Private Access (SPA) | ✔️ | ✔️ | ✔️ | ✔️ |
FortiGate SD-WAN Integration | ✔️ | ✔️ | ✔️ | ✔️ |
NOC / SOC Integration | ✔️ | ✔️ | ✔️ | ✔️ |
SASE Cloud Management | ✔️ | ✔️ | ✔️ | ✔️ |
Thin Edge Device Management | ✔️ | ✔️ | | |
REST API | ✔️ | ✔️ | ✔️ | ✔️ |
SASE Cloud Logging, Reporting & Log Forwarding | ✔️ | ✔️ | ✔️ | ✔️ |
Data Center Locations | Fortinet Cloud Locations | Public Cloud Locations | Fortinet Cloud Locations | Fortinet & Public Cloud Locations |
Customer Support Services | | | | |
24x7 Premium Support | ✔️ | ✔️ | ✔️ | ✔️ |
Assisted On-boarding | ✔️ | ✔️ | ✔️ | ✔️ |
Note: FortiGate SD-WAN Hub requires SPA License.
Ordering Information
SD-WAN On-Ramp
Connect FortiGate SD-WAN and 3rd party SD-WAN locations to FortiSASE using IPsec.
HARDWARE | ADVANCED | COMPREHENSIVE |
SD-WAN On-Ramp Location (1 Gbps node) | FC1-10-EMS05-769-02-DD | FC1-10-EMS05-770-02-DD |
FortiExtender Thin Edge
HARDWARE | STANDARD/ADVANCED | COMPREHENSIVE |
FEX-200F | FC-10-X200F-595-02-DD | FC-10-X200F-758-02-DD |
FortiAP Thin Edge
HARDWARE | STANDARD/ADVANCED | COMPREHENSIVE |
FAP-231F | FC-10-F231F-595-02-DD | FC-10-F231F-758-02-DD |
FAP-431F | FC-10-F431F-595-02-DD | FC-10-F431F-758-02-DD |
Coming soon (roadmap) |
Account Add-ons
Network Add-ons
Add bandwidth, public IP addresses, and additional locations to your deployment.
OPTION | QUANTITY | SKU |
Bandwidth Add-on | 25 Mbps | FC1-10-FSASE-471-01-DD |
Dedicated Public IP Address | 4 x Public IP Addresses | FC1-10-EMS05-658-02-DD |
FortiGate SPA | License required per FortiGate | FC-10-XXXXX-662-02-DD |
Fortinet Location Add-on | 1-16 Locations | FC1-10-EMS05-752-02-DD |
Public Cloud Location Add-on | 1-16 Locations | FC1-10-EMS05-766-02-DD |
Fortinet Training and Certification
FCSS - FortiSASE Administrator Training and Certification
Learn how to use FortiSASE features, including policy types and security profiles. Explore FortiSASE deployment, user authentication, use cases, and monitoring. Also learn how to protect your web traffic and SaaS applications using content inspection, such as antivirus, web filtering, application control, and logging.
Ordering Information
SKU | DESCRIPTION |
FT-SASE | Instructor-led Training - 2 days |
NSE-EX-FTE2 | Certification Exam |
Course Description
For more information about prerequisites, agenda topics, and learning objectives, please refer to the course description at https://training.fortinet.com/local/staticpage/view.php?page=library_fortisase-administrator
FortiSASE Support Services
Fortinet offers comprehensive Support options tailored to streamline onboarding and provide technical assistance for your FortiSASE deployment. Support services are designed to seamlessly adapt to the evolving needs of your organization's SASE requirements, whether you have standard deployments, advanced capabilities, or configurations with increasing complexity and customizations. You can confidently leverage Fortinet's technical expertise and best practices knowledge throughout your FortiSASE journey.
Features
Self-Service with Technical Support: Self-led learning using straightforward best practices. 24x7x365 Technical assistance with FortiSASE questions and issues. Publicly available resources. Technical support included with all FortiSASE Subscriptions.
Assisted Onboarding: Dedicated support queue for direct access to specialists who can advise on enterprise integrations. Included with FortiSASE Advanced and Comprehensive Subscriptions.
Advanced Deployment Service: Consultant-led Professional Services based on predefined best-practice modules, combined with a Service Delivery Manager. 3 months. Service Proposal.
Custom: Fully customized onboarding engagements with Professional Services and enhanced service level agreements with Advanced Support. Custom Scope. Please contact Fortinet for details.
SUPPORT | SUMMARY | HOW TO ORDER |
Self-Service with Technical Support | Self-led learning using straightforward best practices. 24x7x365 Technical assistance with FortiSASE questions and issues. | Publicly available resources. Technical support included with all FortiSASE Subscriptions. |
Assisted Onboarding | Dedicated support queue for direct access to specialists who can advise on enterprise integrations. | Included with FortiSASE Advanced and Comprehensive Subscriptions. |
Advanced Deployment Service | Consultant-led Professional Services based on predefined best-practice modules, combined with a Service Delivery Manager. 3 months. | Service Proposal |
Custom | Complex enterprise deployments requiring fully customized onboarding and advanced dedicated 24x7x365 technical support. | Custom Scope |
Frequently Asked Questions
How do I get started with FortiSASE?
All new customers should purchase a User-based license to get started. All other SKUs are registered on top of the initial deployment.
How many locations are included with the User Subscription?
FortiSASE Standard and Advanced user subscriptions include up to 4 locations, selected during activation. FortiSASE Comprehensive subscriptions of fewer than 200 users include access to 1-2 locations. Refer to https://links.fortinet.com/fortisase/dcs-per-license for details.
How many locations can be supported with the Location Add-on license?
Up to 16 additional locations can be purchased for a maximum of 20 total locations.
What locations are supported in Standard, Advanced and Comprehensive?
Refer to: https://links.fortinet.com/fortisase/global-data-centers.
Can I mix Standard, Advanced and Comprehensive together in the same account?
No - all components in the account must use the same type. Comprehensive subscriptions can now use both Fortinet and Public Cloud locations. Multiple accounts can be used for different types.
What FortiGate platforms does the SPA Service connection support?
All platforms are supported, but for SD-WAN deployments the FortiGate-100F and above is strongly recommended. Desktop platforms may be used for single NGFW connections.
Is the SPA license required for every FortiGate in an SD-WAN deployment?
No, the SPA license is only required for the Hub locations.
If the Hub or single NGFW location is an HA Cluster, is a license needed for each member?
Yes.
I already purchased the FortiClient ZTNA/VPN or EPP/APT options. Can I upgrade them to SASE?
Yes. Refer to the following documentation: https://links.fortinet.com/fortisase/faqs.
I have an existing customer with a registered FortiSASE device-based license who wants to purchase the FortiTrust Standard, Advanced or Comprehensive. What should I do?
The device-based and user-based licenses cannot be combined or directly converted. Please contact customer support to review conversion options.
How is bandwidth pooled and enforced?
Account-level bandwidth is calculated by adding up the entitlement for all purchased contracts. Bandwidth is enforced at the 95th percentile, allowing for burst traffic. For example, a subscription for 1000 users would be entitled to 1.5 Gbps globally.
How many dedicated IPs can I add to a single location?
Each FortiSASE location can support up to 7 dedicated IPs for source IP anchoring rules.
How many connections can an SD-WAN On-Ramp Location support?
Each SD-WAN On-Ramp Location includes 1 Gbps of shared bandwidth for up to 10 supported devices. Bandwidth is dedicated to the Location and not shared with Remote Users or Edge Devices. Multiple On-Ramp Locations can be provisioned in the same FortiSASE Region. Each location has a standalone bandwidth limit.
What SD-WAN devices can connect to an SD-WAN On-Ramp Location?
For a full list of supported device types refer to: https://links.fortinet.com/fortisase/sd-wan-on-ramp
How many Locations can be supported with the SD-WAN On-Ramp License?
Up to 8 SD-WAN On-Ramp Locations can be purchased for a single account. A minimum of 2 locations is required for redundancy.
Visit www.fortinet.com for more details.