By Manny Fernandez

June 9, 2025

Deploying FortiSASE in your environment

In today’s rapidly evolving network landscape, securing users everywhere — whether they’re in the office, at home, or on the go — has become a top priority. Fortinet’s Secure Access Service Edge (FortiSASE) provides a comprehensive cloud-delivered security platform that extends enterprise-grade security to users no matter where they are located. Let’s walk through the initial deployment steps to get your FortiSASE environment up and running.

As of the writing of this article, there are four licensing options for FortiSASE: Standard, Advanced, Professional and Comprehensive.

Regarding Professional vs. Comprehensive: with Comprehensive you use the Edge Nodes, whereas with Professional you use the Compute Nodes.  If you are looking for the performance enhancements, Comprehensive is the way to go.  Professional works well if you want a local POP in a location where Fortinet does NOT have a Fortinet POP.

Here is a link for the Fortinet POPs.

Secure Private Access (SPA) license. This is a per-FortiGate license priced by model.  In an HA environment, you will need to license both FortiGates.  What this allows you to do is “advertise” resources behind the SPA FortiGate into the FortiSASE environment.  This is ideal for front-ending datacenters or public cloud.  Another example for SPA is third-party VPNs.  Some banks, for example, have VPN connections to the Federal Reserve, usually via a Fed-provided device at the bank’s DC.  This could be made available to the FortiSASE environment.

FortiSASE Deployment Checklist

Phase 1: Pre-Deployment Preparation

  • Obtain FortiSASE subscription license (see above).
  • Validate Fortinet Support Portal account access.  This is the support site.
  • Confirm Single Sign-On (SSO) credentials for FortiSASE portal access.  NOTE: When you deploy FortiSASE, the root account you used will be the only user that can access the FortiSASE environment.  To give others access, you will need to create IAM accounts for them or associate their IAM accounts with the FortiSASE deployment. 

Phase 2: FortiSASE Portal Initial Setup

  • Log into FortiSASE portal.
  • Create tenant account.
  • Configure organization details and administrators.
  • Identify existing Identity Provider (IdP): Azure AD, Okta, etc.
  • Verify endpoint inventory (devices that will run FortiClient).
  • Validate public DNS domain ownership (for SASE user access).
  • Upload and verify domain name (optional for IdP integration).
  • Integrate Identity Provider (SAML, LDAP or RADIUS).

Phase 3: Policy Configuration

  • Create initial firewall policy rules.
  • Enable Web Filtering profiles.
  • Configure CASB policies for SaaS applications.
  • Apply DLP policies where required.
  • Activate Advanced Threat Protection (FortiGuard/Sandbox integration).
  • Apply default security profiles to user groups.
  • Test policies using pilot users/devices.

Phase 4: Security Fabric Integration (Optional)

  • Connect FortiSASE to on-premises FortiGate.
  • Share ZTNA tags and telemetry.
  • Synchronize Fabric devices and settings.

Phase 5: Monitoring and Validation

  • Verify user connections via FortiSASE dashboards.
  • Confirm security logs are generated and forwarded.
  • Integrate FortiAnalyzer for advanced logging (optional).
  • Set up alerting for critical events.

Phase 6: Go-Live

  • Expand deployment to production endpoints.
  • Conduct user awareness training (access changes, client install, MFA).
  • Monitor post-deployment logs for anomalies.
  • Schedule periodic policy reviews.

This checklist gives your IT team a clear, phased approach to ensure nothing is missed.

How to connect:

FortiClient – (Agent-Based) One option is using FortiClient on the device.  This covers Windows, macOS, Linux, Android and iOS.  This is perfect for on-the-go users (e.g. home healthcare givers).  You can configure the client as Always On so that whenever there is an internet connection, the device connects.  Today, web content filtering cannot follow the user when they are off-line.  However, you can configure Network Lockdown.  When network lockdown is configured and FortiSASE determines an endpoint to be off-net, based on the on-net detection rule sets used in the endpoint profile, a timer starts for a configurable grace period during which off-net endpoints can access their network without any restrictions.  The grace period gives users time to attempt connecting to the FortiSASE SIA VPN, or to an alternate or personal VPN tunnel, to regain on-net status.  Any VPN connection attempt made during the grace period resets the grace period for that endpoint.  During the grace period, users can retry authenticating to the VPN up to a configurable maximum number of VPN authentication attempts, beyond which the endpoint must be rebooted to reset its VPN authentication attempt limit.

Agent-less – With this method, you deploy a PAC file to user devices (via browser settings, GPO, MDM, etc.).  The client will use FortiSASE as a proxy.  In the PAC file, you can add the domains and IP addresses that you want to bypass the proxy.  The configuration pushed to the device will be customer-id.proxy.sase.fortinet.com:8080.  To authenticate the user, you can use SAML (e.g. Azure AD / Microsoft Entra ID, Okta, etc.), Captive Portal, or Client Certificate.  The full security stack applies (Web Filtering, CASB, DLP, SSL Inspection, etc.) with this method.  Identity-based policies can be enforced, and logging and monitoring via the FortiSASE portal is available.  Use cases for agent-less are BYOD devices, no control over endpoint installation, third-party contractors, temporary access, guest users, and browser-only access.
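As an added example (not from the original post), here is a minimal PAC file in the shape an agent-less FortiSASE deployment would push: the proxy address follows the pattern above with customer-id as a placeholder for the real tenant ID, the bypass domains are constructed, and the helper functions re-implement the PAC built-ins only so the file can be exercised offline in Node (browsers provide them natively). It deliberately returns the proxy alone with no "; DIRECT" fallback, so a lost proxy fails closed rather than silently sending traffic out uninspected.

```javascript
// Added example: minimal FortiSASE agent-less PAC file (customer-id is a placeholder).
var FORTISASE_PROXY = "PROXY customer-id.proxy.sase.fortinet.com:8080";
// Fail-closed default. Append "; DIRECT" only if availability is deliberately
// preferred over inspection, since that lets traffic bypass the security stack.
var DEFAULT_ROUTE = FORTISASE_PROXY;

// Constructed bypass list: internal domains that must never go via the cloud proxy.
var BYPASS_DOMAINS = [".corp.example", ".intranet.example"];

// --- PAC built-in equivalents, re-implemented here only for offline testing ---
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function isInNet(ipLiteral, net, mask) {
  // Simplified: handles dotted-quad literals only (the real built-in also resolves names).
  var toInt = function (s) {
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(s)) return null;
    var p = s.split(".");
    return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
  };
  var ip = toInt(ipLiteral), n = toInt(net), m = toInt(mask);
  if (ip === null || n === null || m === null) return false;
  return (ip & m) === (n & m);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";
  // Loopback and RFC 1918 address literals stay local.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Customer-chosen domain bypasses (suffix match, so "notcorp.example" is still proxied).
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (dnsDomainIs(host, BYPASS_DOMAINS[i])) return "DIRECT";
  }
  // Everything else goes through FortiSASE for the full security stack.
  return DEFAULT_ROUTE;
}
```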

Site-Based – FortiGate – When connected to FortiSASE, FortiGate devices automatically route branch traffic through the SASE cloud. This provides comprehensive security inspection, including firewall, web filtering, intrusion prevention, and malware protection, without the need for complex backhauls or separate VPNs. FortiGate’s native support for SD-WAN further optimizes traffic paths, ensuring reliable performance while enforcing consistent security policies across sites.

Site-Based – FortiExtender – FortiExtender offers 4G/5G cellular connectivity for locations where wired internet is limited or unavailable. By acting as a backup or primary WAN link, FortiExtender devices ensure continuous connectivity to FortiSASE. Branch traffic can securely traverse the cellular link directly into Fortinet’s cloud security services, maintaining protection even during primary link outages or in mobile/temporary site scenarios.

Site-Based – FortiAP – FortiAP extends secure wireless access to remote locations while integrating directly with FortiSASE. With FortiAP, users connecting to Wi-Fi networks at branch sites are automatically protected by the full FortiSASE security stack. This integration simplifies wireless deployment without compromising security, offering consistent policy enforcement and visibility regardless of where users connect.

I will be working on some FortiSASE specific posts.
