If you've spent any time configuring user authentication on... Full Story
By Manny Fernandez
June 9, 2025
Deploying FortiSASE in your environment
In today’s rapidly evolving network landscape, securing users everywhere — whether they’re in the office, at home, or on the go — has become a top priority. Fortinet’s Secure Access Service Edge (FortiSASE) provides a comprehensive cloud-delivered security platform that extends enterprise-grade security to users no matter where they are located. Let’s walk through the initial deployment steps to get your FortiSASE environment up and running.
As of the writing of this article, there are four licensing options for FortiSASE; Standard, Advanced, Professional and Comprehensive.

Regarding Professional vs Comprehensive, with the Comprehensive you utilize the Edge Nodes whereas the Professional we are using the Compute Nodes. Obviously if you are looking for the performance enhancements, Comprehensive is the way to go. Professional works well if you want a local POP where Fortinet does NOT have a Fortinet POP.

Here is a link for the Fortinet POPs.
Secure Private Access (SPA) License. This is a per FortiGate license priced by model. In an HA environment, you will need to license both FortiGates. What this allows you to do is to “advertise” resources behind the SPA FortiGate into the FortiSASE environment. This is ideal for datacenters or public cloud front-ending. Another example for SPA is third-party VPNs. Some banks, as an example, have VPN connections to The Federal Reserve. Usually this is via a Fed provided device at the bank’s DC. This could be made available to the FortiSASE environment.
FortiSASE Deployment Checklist
Phase 1: Pre-Deployment Preparation
- Obtain FortiSASE subscription license. (See above)
- Validate Fortinet Support Portal account access. This is the support site.
- Confirm Single Sign-On (SSO) credentials for FortiSASE portal access. NOTE: When you deploy FortiSASE, the root account you used will be the only user that can access the FortiSASE environment. To give others access, you will need to create IAM accounts for them or associate their IAM accounts with the FortiSASE deployment.
Phase 2: FortiSASE Portal Initial Setup
- Log into FortiSASE portal.
- Create tenant account.
- Configure organization details and administrators.
- Identify existing Identity Provider (IdP): Azure AD, Okta, etc.
- Verify endpoint inventory (devices that will run FortiClient).
- Validate public DNS domain ownership (for SASE user access).
- Upload and verify domain name (optional for IdP integration).
- Integrate Identity Provider (SAML, LDAP or RADIUS)
Phase 3: Policy Configuration
- Create initial firewall policy rules.
- Enable Web Filtering profiles.
- Configure CASB policies for SaaS applications.
- Apply DLP policies where required.
- Activate Advanced Threat Protection (FortiGuard/Sandbox integration).
- Apply default security profiles to user groups.
- Test policies using pilot users/devices.
Phase 4: Security Fabric Integration (Optional)
- Connect FortiSASE to on-premises FortiGate.
- Share ZTNA tags and telemetry.
- Synchronize Fabric devices and settings.
Phase 5: Monitoring and Validation
- Verify user connections via FortiSASE dashboards.
- Confirm security logs are generated and forwarded.
- Integrate FortiAnalyzer for advanced logging (optional).
- Set up alerting for critical events.
Phase 6: Go-Live
- Expand deployment to production endpoints.
- Conduct user awareness training (access changes, client install, MFA).
- Monitor post-deployment logs for anomalies.
- Schedule periodic policy reviews.
This checklist gives your IT team a clear, phased approach to ensure nothing is missed
How to connect:
FortiClient – (Agent-Based) One option is using FortiClient on the device. This will be Windows, macOS, Linux, Android or IOS. This is perfect for on-the-go users (e.g. home healthcare givers). You can configure the clients to Always on so that anytime there is an internet connection, the device will connect. Today, you cannot have web content follow the user when they are off-line. However you can configure Network Lockdown. When network lockdown is configured, and FortiSASE determines an endpoint to be off-net based on on-net detection rule sets used in endpoint profile, a timer starts for configurable grace period during which off-net endpoints can access their network without any restrictions. The grace period provides some time for users to attempt connecting to FortiSASE SIA VPN or an alternate or personal VPN tunnel to regain its on-net status. Any VPN connection attempts made during grace period resets grace period for respective endpoint. During grace period, users can retry authenticating to VPN, up to a configurable maximum VPN authentication limit, beyond which, endpoints must be rebooted to refresh its VPN authentication attempts limits.
Agent-less – With this method, you will deploy a PAC file on user devices (via browser settings, GPO, MDM, etc.). The client will use FortiSASE as a proxy. In the PAC file, you can add domains and IP address you want to bypass the proxy. The configuration pushed to the device will be customer-id.proxy.sase.fortinet.com:8080 To authenticate the user, you can use SAML (e.g. Azure AD/ Microsoft EntraID, Okta, etc), Captive Portal, or Client Certificate. The full security stack applies (Web Filtering, CASB, DLP, SSL Inspection, etc.) with this method. Identity-based policies can be enforced and Logging and monitoring via FortiSASE portal is available. Use case for agent-less are BYOD devices, No control over endpoint installation, Third-party contractors, Temporary access, Guest users, Browser-only access.
Site-Based FortiGate When connected to FortiSASE, FortiGate devices automatically route branch traffic through the SASE cloud. This provides comprehensive security inspection — including firewall, web filtering, intrusion prevention, and malware protection — without the need for complex backhauls or separate VPNs. FortiGate’s native support for SD-WAN further optimizes traffic paths, ensuring reliable performance while enforcing consistent security policies across sites.
Site-Based – FortiExtender – FortiExtender offers 4G/5G cellular connectivity for locations where wired internet is limited or unavailable. By acting as a backup or primary WAN link, FortiExtender devices ensure continuous connectivity to FortiSASE. Branch traffic can securely traverse the cellular link directly into Fortinet’s cloud security services, maintaining protection even during primary link outages or in mobile/temporary site scenarios
Site-Based AP – FortiAP extends secure wireless access to remote locations while integrating directly with FortiSASE. With FortiAP, users connecting to Wi-Fi networks at branch sites are automatically protected by the full FortiSASE security stack. This integration simplifies wireless deployment without compromising security, offering consistent policy enforcement and visibility regardless of where users connect.
I will be working on some FortiSASE specific posts.
Recent posts
-
-
DNS is one of those technologies that quietly underpins... Full Story
-
BGP issues on FortiGate firewalls usually trace back to... Full Story
-
Every time your laptop talks to your router, a... Full Story
-
If you've spent any time configuring NAT on a... Full Story
-
If you have spent any time configuring firewall policies... Full Story
-
High availability on FortiGate is one of those features... Full Story
-
If you've configured SD-WAN on a FortiGate, you've almost... Full Story
-
FortiLink is the management protocol that turns a FortiSwitch... Full Story
-
FortiSwitches are pretty rock solid from Mean Time Between... Full Story
-
This is a quicky tip. Have you ever gone... Full Story
-
DNS is one of those quiet pieces of internet... Full Story
-
This article is an updated version of the previous... Full Story
-
You will add ns2 as a secondary (slave) BIND9... Full Story
-
In the process of deploying my lab, I needed... Full Story
-
RFC 8805, used to be known as Self-Correcting IP... Full Story
-
Years back, I wrote an article about certificate pinning. ... Full Story
-
FortiGates have the ability to send alerts to Microsoft... Full Story
-
In this post, I am going to walk through... Full Story
-
Troubleshooting VoIP on a FortiGate can feel like trying... Full Story
-
Prior to FortiOS 7.0, there were three commands to... Full Story
-
In this post, I am going to go over... Full Story
-
What we are going to do: We are going... Full Story
-
Choosing between FGCP (FortiGate Clustering Protocol) and FGSP (FortiGate... Full Story
-
Creating a VLAN on macOS (The "Pro" Move) A... Full Story
-
This blog post explores the logic behind how macOS... Full Story
-
Pretty Fly for a Wi-Fi Tell My Wi-Fi Love... Full Story
-
Part of my daily gig is creating BoMs (Bill-of-Materials)... Full Story
-
ICMP introduces several security risks, but careful filtering, rate... Full Story
-
The command diag debug application dhcps -1 enables full... Full Story
-
In the world of FortiOS, execute tac report is... Full Story
-
LLDP; What is it The Link Layer Discovery Protocol... Full Story
-
What it actually does When you run diagnose fdsm... Full Story
-
Monkey Bites are bite-sized, high-impact security insights designed for... Full Story
-
I have run macOS in macOS with Parallels but... Full Story
-
Don't be confused with my other FortiNAC posts where... Full Story
-
This is the third session in a multi-part article... Full Story
-
Today I was configuring key-based authentication on a FortiGate... Full Story
-
Netcat, often called the "Swiss Army knife" of networking,... Full Story
-
At its core, IEEE 802.1X is a network layer... Full Story
-
In case you did not see the previous FortiNAC... Full Story
-
This is our 5th session where we are going... Full Story
-
Now that we have Wireshark installed and somewhat configured,... Full Story
-
The Philosophy of Packet Analysis Troubleshooting isn't about looking... Full Story
-
Have you ever wanted to do some testing on... Full Story
-
Ask ten engineers to define "a network" and you... Full Story
-
1. Executive Summary Objective: This guide turns a FortiAuthenticator... Full Story