Basic Private SASE-7.2.5-Deployment Guide

This document provides an overview and guidelines for deploying a basic Private SASE solution using Fortinet products. It discusses key concepts like using FortiClient EMS for centralized endpoint management, enabling full tunnel VPN on FortiClient for traffic inspection by FortiGate, and employing deep packet inspection and ZTNA tags for access control. The intended audience includes network and security professionals looking to understand and implement Private SASE. Common use cases covered are secure internet access, private access, and secure SaaS access.

Basic Private SASE

Deployment Guide

Version 7.2.5
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO LIBRARY


https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM


https://www.fortinet.com/training-certification

FORTINET TRAINING INSTITUTE


https://training.fortinet.com

FORTIGUARD LABS
https://www.fortiguard.com

END USER LICENSE AGREEMENT


https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

October 27, 2023


Basic Private SASE 7.2.5 Deployment Guide
01-725-944997-20231027
TABLE OF CONTENTS

Change Log 4
Deployment overview 5
Intended audience 6
Design concept and considerations 6
FortiClient EMS 6
FortiClient onboarding 6
Full tunnel VPN 6
VPN auto-connect 7
SSL deep packet inspection 7
Authentication methods 7
Posture checks using ZTNA Tags 7
Product prerequisites 8
Deployment plan 8
Deployment procedures 9
Configuring FortiClient EMS 9
FortiClient EMS system settings 9
FortiClient onboarding 11
Endpoint Profile configuration 12
Zero Trust Tags 15
On-Fabric detection rules 16
Deploying endpoint policy 17
Configuring FortiGate 19
Configuring address objects 19
Configuring authentication sources 19
Configuring user groups 20
Configuring FortiClient EMS connector 20
Configuring full tunnel VPN 21
Testing Private SASE deployment 23
Network Topology 23
Network Description 23
Viewing FortiClient user details 24
Connecting to the full tunnel VPN and accessing services 26
Running vulnerability scan 29
More information 32
Appendix A: Products used in this guide 32
Appendix B: Documentation references 32
Feature documentation 32

Basic Private SASE 7.2.5 Deployment Guide 3


Fortinet Inc.
Change Log

Date Change Description

2023-10-27 Initial release.


Deployment overview

Private SASE, short for Private Secure Access Service Edge, is a tailored method of implementing the SASE framework. It involves customizing and fine-tuning the relevant configurations of several Fortinet products, such as FortiGate, FortiClient EMS, FortiAuthenticator and FortiClient, in a coordinated manner to provide a solution akin to FortiSASE. FortiSASE, by contrast, is a cloud-based Software as a Service (SaaS) networking solution that seamlessly integrates networking and security services within a unified platform hosted in the Fortinet Cloud.
This basic deployment guide illustrates the process of setting up a FortiGate next-generation firewall as a Point of Presence. Remote users use the agent-based FortiClient application for user onboarding. After onboarding, FortiClient's auto-connect feature automatically establishes a full tunnel VPN (Virtual Private Network) connection, thereby securing the remote users' traffic. A VPN allows users to establish a secure, encrypted connection to a private network or internal resources over the public Internet. A full tunnel VPN is a VPN configuration in which all of the network traffic from a user's device is routed through the VPN connection to a remote VPN server, which in our case is the FortiGate. The FortiGate then forwards the traffic to its destination on the Internet or within the private network. The FortiGate is also configured to thoroughly inspect the remote users' traffic by using deep packet inspection. The FortiClient EMS server is used to centrally manage the FortiClient application as an Endpoint Protection Platform (EPP) using endpoint profiles, endpoint posture assessments, and access control using ZTNA tags, which the FortiGate uses to allow or deny access to network resources. Below are the typical scenarios where Private SASE finds practical application.

The common use cases of Private SASE are:


1. Secure Internet Access (SIA): This use case provides secure Internet access through the FortiClient application, with all endpoint traffic undergoing rigorous deep packet inspection at the Point of Presence.
2. Secure Private Access (SPA): This use case enables secure access to company-hosted applications within a private network protected by the FortiGate Next-Generation Firewall (NGFW). It can also extend to safeguard other private networks reachable via VPN (such as ADVPN or hub-and-spoke VPN) through the FortiGate Point of Presence.
3. Secure SaaS Access (SSA): This use case provides additional control mechanisms while endpoints access SaaS applications on the Internet.


The basic use cases above can be extended to use multiple FortiGates acting as multiple Points of Presence, so that endpoints connect to the nearest one by using products that provide DNS-based load balancing, thereby reducing traffic latency. Deployment of multiple Points of Presence is out of scope for this deployment guide.

Intended audience

Mid-level network and security architects, engineers, and administrators in companies of all sizes and verticals looking to
understand and deploy a basic Private SASE solution using Fortinet products should find this guide helpful. A working
knowledge of Fortinet products like FortiGate, FortiClient EMS Server, FortiClient and FortiAuthenticator is helpful.

Design concept and considerations

The following are some design concepts and considerations that are prerequisites for deploying the Private SASE solution.

FortiClient EMS

The FortiClient EMS is used to ease and scale the configuration, management, and upgrading of FortiClient endpoints. In the Private SASE deployment, the FortiClient EMS is used to configure endpoint profiles, install CA certificates for SSL deep inspection, configure ZTNA tagging rules, and evaluate endpoint security posture. If you choose to position the FortiClient EMS server behind a NAT device, you must ensure that the essential communication ports are reachable so that FortiClient endpoints and the FortiClient EMS can communicate. See Required services and ports for up-to-date information on the ports that must be opened.

FortiClient onboarding

FortiClient onboarding involves installing FortiClient on remote endpoints and configuring it to connect to FortiClient EMS for centralized management. The FortiClient application can be installed by different methods, such as Microsoft System Center Configuration Manager (SCCM), group policy object (GPO), mobile device management (MDM), or by sending the FortiClient installer link to end users. Once FortiClient is installed, users connecting to FortiClient EMS can be authenticated using local, LDAP, or SAML authentication. The FortiClient onboarding on page 11 topic discusses this in detail.

Full tunnel VPN

In a full tunnel VPN, all network traffic from the user endpoint is routed through the VPN connection to the remote network or the Internet, so that all traffic initiated by remote users can be examined. It is essential that this traffic traverses the FortiGate for inspection once the endpoint establishes a connection with the Point of Presence, i.e. the FortiGate. Therefore, a full tunnel VPN is required for the Private SASE deployment. Ensure you have ample bandwidth from your FortiGate's Internet service provider to accommodate the bandwidth requirements of all your remote users. Two types of full VPN tunnels are widely used, namely IPsec and SSL VPN. This deployment guide discusses full tunnel SSL VPN in detail.


VPN auto-connect

The VPN auto-connect feature in FortiClient is designed for seamless VPN connectivity. When this feature is enabled,
FortiClient running in the background automatically initiates a VPN connection to the configured VPN server. It enables
the remote users to connect to the VPN automatically without their manual intervention thus securing their traffic as soon
as their device boots up. Once the endpoint connects to VPN, all of the user’s traffic starts to flow through the FortiGate
for inspection. For more information, see VPN autoconnect.

SSL deep packet inspection

Once the remote endpoints connect to the VPN and begin to send encrypted traffic through the VPN tunnel, the encrypted user traffic must first be decrypted in order to inspect it for malicious content. This requires deep packet inspection by the FortiGate, which must act as a man-in-the-middle to perform such inspection. Deep packet inspection is a CPU-intensive task, so ensure you choose a FortiGate model that has enough CPU cores to handle the volume of endpoint user traffic.

Authentication methods

Different authentication methods are available during FortiClient onboarding, i.e. when FortiClient connects to the FortiClient EMS, and when a FortiClient user initiates a connection to establish a full tunnel VPN. For authentication of the FortiClient user when it connects to FortiClient EMS, the user authentication is configured on FortiClient EMS, whereas for the full tunnel VPN the user authentication is configured on the FortiGate. The common authentication mechanisms used in both situations are:
1. Different authentication methods on the FortiGate to authenticate to the full tunnel VPN are:
a. Local authentication
b. LDAP authentication
c. RADIUS authentication
d. PKI authentication
e. SAML authentication
For more information, see SSL VPN Authentication.
2. Different authentication methods on FortiClient EMS for FortiClient user verification are:
a. None
b. Local authentication
c. LDAP authentication
d. SAML authentication
For more information, see User Management.

Posture checks using ZTNA Tags

Posture checks using Zero Trust Tags are used to continuously evaluate the security posture of an endpoint. You can
create Zero Trust tagging rules for endpoints based on their operating system versions, logged in domains, running
processes, and other criteria on the FortiClient EMS. ZTNA tags are shared with FortiGate continuously using FortiClient
EMS Security Fabric connector. FortiGate can then utilize these ZTNA tags for role based access control to allow or
deny access to the user traffic.


Optionally, to improve VPN security, ZTNA tags can also be used to allow or deny remote users' connections to the VPN tunnel depending on the ZTNA tag assigned to the endpoint. See VPN connection based on ZTNA tag.

Product prerequisites

The Private SASE solution uses FortiGate, FortiClient EMS, FortiClient, FortiAuthenticator and other Fortinet products to deliver the solution. The main roles of these products in a Private SASE deployment are as follows:
1. FortiGate: Used as a SASE Point of Presence.
2. FortiClient EMS: Used as a central endpoint management server to deploy endpoint profiles, install CA certificates for SSL deep inspection, configure ZTNA tagging rules, evaluate endpoint security posture, and perform other EPP functions.
3. FortiClient: Agent-based endpoint solution that connects to the geographically nearest FortiGate or Point of Presence.
4. FortiAuthenticator (Optional): Used as a central authentication server.

These products must be licensed with the respective service contracts for the features that are used in the deployment. For more information about licensing of the individual products above, see Ordering Guides.

Deployment plan

The deployment guide assumes that FortiGate, FortiClient EMS, and FortiAuthenticator are configured with the essential
network connectivity settings so that they can be managed by an Administrator using the Graphical User Interface.
The steps below outline the general steps involved to deploy the basic Private SASE solution.
1. Configuring FortiClient EMS on page 9
a. FortiClient EMS system settings on page 9
b. FortiClient onboarding on page 11
c. Endpoint Profile configuration on page 12
d. Zero Trust Tags on page 15
e. On-Fabric detection rules on page 16
f. Deploying endpoint policy on page 17
2. Configuring FortiGate on page 19
a. Configuring address objects on page 19
b. Configuring authentication sources on page 19
c. Configuring user groups on page 20
d. Configuring FortiClient EMS connector on page 20
e. Configuring full tunnel VPN on page 21
3. Testing Private SASE deployment on page 23
a. Viewing FortiClient user details on page 24
b. Connecting to the full tunnel VPN and accessing services on page 26
c. Running vulnerability scan on page 29


Deployment procedures

The deployment process outlines every step of the deployment plan comprehensively, catering to a diverse audience
with different requirements and implementation feasibility. The guide discusses the different available configurations that
one can use to deploy the SASE framework as per their need and network design. In the Testing Private SASE
deployment on page 23 topic, practical implementation of an example is discussed.

Configuring FortiClient EMS

FortiClient EMS system settings

FortiClient EMS installs with a default IP address and port. Below are the essential FortiClient EMS system settings that
are configured to manage FortiClient application on the endpoints for Private SASE deployment.

To configure FortiClient EMS System Settings:

1. Go to System Settings > EMS Settings.


2. Configure the following options under Shared Settings. EMS uses these settings for FortiClient EMS managing
Windows, macOS, and Linux endpoints, and FortiClient EMS managing Chromebook endpoints.

Hostname
Displays the hostname of FortiClient EMS.

Listen on IP
Displays the IP addresses for the FortiClient EMS. FortiClient connects to FortiClient EMS on the specified IP address. You can generate a QR code for the specified IP address. See Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints.

Use FQDN
Specify a fully qualified domain name (FQDN) for the FortiClient EMS. FortiClient's connection to EMS is critical to managing endpoint security. Managing this is relatively easy for internal devices. For external devices, or devices that may leave the internal network, you must consider how to maintain this connection. FortiClient can connect to EMS using an IP address or FQDN. An FQDN is preferable for the following reasons:
• Easy to migrate EMS to a different IP address
• Easy to migrate to a different EMS instance
• Flexible to dynamically resolve the FQDN
The third reason is particularly valuable for environments where devices may be internal or external from day to day. When using an FQDN, you can configure your internal DNS servers to resolve the FQDN to the EMS internal IP address and register your external IP address with public DNS servers. You must then configure the device with your external IP address to forward communication received on port 8013 to your EMS internal IP address. This allows your external clients to leverage a virtual IP address on the FortiGate so that they can reach EMS, while allowing internal clients to use the same FQDN to reach EMS directly.
Alternatively, you can use a private IP address for the connection. This configuration requires external clients to establish a VPN connection to reach the EMS (VPN policies permitting). This configuration can be problematic if all endpoints need an urgent update but some are disconnected from VPN at that time.

FQDN
Enter the FortiClient EMS FQDN. FortiClient can connect using the IP address specified in the Listen on IP Addresses option or the specified FQDN.

Remote HTTPS access
Specify settings for remote administration access to FortiClient EMS. Turn remote HTTPS access to FortiClient EMS on and off. When enabled, enter a hostname in the Custom hostname field to let administrators use a browser and HTTPS to log into FortiClient EMS. When disabled, administrators can only log into FortiClient EMS on the server.

HTTPS port
Available when Remote HTTPS Access is enabled. Displays the predefined HTTPS port. You cannot change the port.

Management IP and Port
Available when Remote HTTPS Access is turned on. If the EMS has an IP address that is usually not publicly reachable but that the FortiGate can reach, specify this IP address. In most cases, this is an internal IP address. The FortiOS administrator can use this IP address to connect the FortiGate to the EMS using a Fabric connector.

Redirect HTTP request to HTTPS
Available when Remote HTTPS Access is turned on. If this option is enabled and you attempt to remotely access FortiClient EMS at http://<server_name>, the request is automatically redirected to https://<server_name>.

Webserver certificate
Displays the SSL certificate currently used for the Apache service and the Notify (websockets) daemon. If desired, you can select another certificate from the dropdown list. See Server Certificates.

Use Webserver certificate for Endpoint Control
Enable to use the certificate uploaded in the Webserver certificate field for endpoint control.

Endpoint Control certificate
Displays the SSL certificate currently used on port 8013 for the Endpoint Control daemon. If desired, you can select another certificate from the dropdown list. See Server Certificates.
When this option is enabled and FortiClient tries to connect to EMS using the endpoint control protocol, EMS sends the SSL certificate so that FortiClient can use the certificate to verify the connection.
If the SSL certificate is from a publicly signed certificate authority, only endpoints with the following FortiClient versions can connect to EMS:
• 6.4.7 and later
• 7.0.2 and later

3. Configure the following options under EMS Settings. FortiClient EMS uses these settings when managing
Windows, macOS, and Linux endpoints.

Listen on port
Displays the default port of FortiClient EMS. You can change the port by typing a new port number. FortiClient connects using the specified port number.

Enforce User Verification
Enforce user verification for endpoints. Users must log in to verified user accounts to register to EMS. See Invitations.

4. For more granular options for your deployment, See Configuring EMS settings.

FortiClient onboarding

FortiClient onboarding is the process of installing the FortiClient application on the endpoints and configuring the authentication mechanism that FortiClient endpoints use to connect to FortiClient EMS. Following is an overview of the different ways to initially install the FortiClient application on endpoints and then configure authentication for FortiClient to connect to FortiClient EMS.

Installing FortiClient application

You can use one of the following methods for installing FortiClient application:

Microsoft System Center Configuration Manager (SCCM) or group policy object (GPO)
1. Create a custom deployment package (MSI file) on EMS. See Adding a FortiClient deployment package.
2. Deploy the FortiClient deployment package to the desired endpoints using one of the following:
• SCCM: Deploy applications with Configuration Manager.
• GPO: Use Group Policy to remotely install software.

Mobile device management (MDM)
Use an MDM application to initially deploy FortiClient to the desired endpoints. FortiClient supports the following MDM applications. See the guide for each MDM application:
• Intune
• Workspace ONE (macOS only)

Sending installer link to end users
Create a custom deployment package on EMS. See Adding a FortiClient deployment package.
Create an invitation on EMS, configuring the invitation to be sent to all desired end users. See Invitations.
The end user receives an email or SMS notification that includes the configured invitation code and installer. They install FortiClient on their devices using the included installer and enter the invitation code to connect their FortiClient to EMS.


Authenticating FortiClient Endpoints to connect to FortiClient EMS

You can use one of the following authentication methods for authenticating the FortiClient endpoints to connect to the
FortiClient EMS:

None
The end user does not need to provide any credentials to connect to EMS.

Local
The end user must provide credentials that match a local user configured in User Management > Local Users to connect to EMS. You must create a local user to configure this option. See Local users.

LDAP
The end user must provide their domain credentials to connect to EMS. You must configure an LDAP domain to configure this option. See Adding endpoints using an AD domain server.

SAML
The end user must provide their credentials for a SAML identity provider, such as Azure Active Directory (AD), to connect to EMS. You must configure SAML settings to configure this option. See SAML Configuration.

For more information regarding the different authentication mechanisms, see User Management.

Connecting FortiClient Endpoints to FortiClient EMS using Telemetry

After FortiClient application installation completes on an endpoint, you can connect FortiClient to FortiClient EMS
automatically or manually depending on the type of the installation methods used. See Connecting FortiClient Telemetry
after installation to connect FortiClient to FortiClient EMS.

Endpoint Profile configuration

Once the FortiClient endpoints are onboarded, meaning that FortiClient application is installed and is connected to EMS
Server, FortiClient EMS can now be used to manage these FortiClient endpoints by pushing configurations necessary
for Private SASE deployment.

Deploying configurations from FortiClient EMS to FortiClient endpoints

FortiClient EMS pushes endpoint configurations to FortiClient by configuring an endpoint profile and assigning it to an endpoint policy.
1. First, either edit an existing endpoint profile or create a new endpoint profile. See Creating a new profile.
2. Edit an existing endpoint policy or create a new endpoint policy that is configured with the desired profile. Configure the endpoint policy to apply to the desired domains and workgroups. See Adding an endpoint policy.
3. After you apply the endpoint policy to endpoint groups, EMS pushes profile changes to endpoints with the next Telemetry communication.
4. Monitor the update using the Endpoints pane. See Viewing the Endpoints pane.


For the Private SASE deployment, we will be configuring Remote Access and System Settings Endpoint profiles as
these profiles enable us to achieve the design goals of Private SASE. For this deployment, we assume these two profiles
are not yet configured in your environment. If they are already configured, please make the following additional required
changes.

To configure the remote access endpoint profile:

1. On the FortiClient EMS, go to Endpoint Profiles > Remote Access > Add.
2. Enter the desired Name for this profile.
3. Click on the Advanced tab to see more granular configuration.
4. In the Remote Access Profile tab, enable the eye icon to show this feature to the end user in FortiClient. This setting is enabled by default.
5. Scroll down to the VPN Tunnels section at the bottom and click Add Tunnel.
6. Create an SSL VPN tunnel using manual configuration or XML. For details on configuring a VPN tunnel using XML, see VPN. The following are the important options that need to be configured for this VPN tunnel:

Basic Settings

Name
Enter a VPN name. Use only standard alphanumeric characters. Do not use symbols or accented characters.

Type
Select SSL VPN or IPsec VPN.

Remote Gateway
Enter the remote gateway IP address/hostname of the FortiGate or Point of Presence to which the FortiClient endpoint will connect. You can configure multiple remote gateways by clicking the + button. If one gateway is not available, the tunnel connects to the next configured gateway.

Port
Enter the access port. The default port is 443.

Advanced Settings

Save Username
Enable this setting to save your username.

Enable SAML Login
Enable this setting to enable SAML SSO login for this VPN tunnel. See SAML SSO.

Use External Browser as User-agent for SAML Login (Optional)
Use if you wish to display the SAML authentication prompt in an external browser instead of in the FortiClient GUI. See Using a browser as an external user-agent for SAML authentication in an SSL VPN connection.

Show "Remember Password" Option
Enable this option to have the VPN tunnel remember the password. You will also need to enable this option on the FortiGate, as discussed later.

Show "Always Up" Option
Enable this option to have the VPN tunnel always up. You will also need to enable this option on the FortiGate, as discussed later.

Show "Auto Connect" Option
Enable this option to automatically connect to the VPN tunnel. You will also need to enable this option on the FortiGate, as discussed later.

7. Click on Save.
8. Scroll up to the General settings, enable the following important settings:


General

Current Connection
Select the VPN tunnel created in the previous step.

Auto Connect
Select a VPN tunnel for endpoints to automatically connect to when the end user logs into the endpoint. The end user must have established the VPN connection manually at least once from the FortiClient GUI.

Disable Connect/Disconnect
Disable the Connect/Disconnect button when using Auto Connect with VPN. By default, this setting is set to Disabled.

For more optional configuration parameters, see SSL VPN.

To configure the system settings profile:

1. On the FortiClient EMS go to Endpoint Profiles > System Settings > Add.
2. Enter the desired Name for this profile.
3. Click on the Advanced tab to see more granular settings for configuration.
4. Enable the following settings:

UI
Specify how the FortiClient user interface appears when installed on endpoints.

Show Host Tag on FortiClient GUI
Enable this to see the applied host tags on the FortiClient endpoint's GUI. See Zero Trust Tags.

Endpoint Control

Disable Disconnect
Enable this setting to forbid users from disconnecting FortiClient from FortiClient EMS.

Other

Install CA Certificate on Client
Turn on to select and install a CA certificate on the FortiClient endpoint. The default root CA certificates from your FortiGate will show up automatically once the FortiGate is authorized on the EMS. To connect the FortiGate to the EMS, see Configuring FortiClient EMS connector on page 20.
You can also add custom root CA certificates by going to Endpoint Policy & Components > CA Certificates.
Note: Do not select the Untrusted CA certificate to be installed on the endpoints.

For more optional configuration parameters, see System Settings. To install a custom CA certificate used for deep
inspection on the endpoints, see CA Certificates.
For configuring other optional endpoint profiles as per your security requirements, see Endpoint Profiles. Once the
endpoint profiles are configured they can be used in endpoint policy to be deployed on the endpoints.


Zero Trust Tags

Zero trust network access (ZTNA) is an access control method that uses client device identification, authentication, and
Zero Trust tags to provide role-based network access. It gives administrators the flexibility to manage network access for
On-net users and Off-net users. However, for the Private SASE deployment, we use context based posture checks using
Zero Trust Tags.
You can create Zero Trust tagging rules for endpoints based on their operating system versions, logged in domains,
running processes, and other criteria. EMS uses the rules to dynamically group endpoints. FortiOS can use the dynamic
endpoint groups to build dynamic policy rules.

To add a Zero Trust tagging rule set:

1. Go to Zero Trust Tags > Zero Trust Tagging Rules.


2. Click Add.
3. In the Name field, enter the rule name as desired.
4. In the Tag Endpoint As dropdown list, select an existing tag or enter a new tag. EMS uses this tag to dynamically
group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.
5. Toggle Enabled on or off to enable or disable the rule.
6. (Optional) In the Comments field, enter any desired comments.
7. Click Add Rule.
8. Configure the rules:
a. For OS, select the desired OS. This affects what rule types are available.
b. From the Rule Type dropdown list, select the rule type and configure the related options. Ensure that you click
the + button after entering each criterion. See Zero Trust tagging rule types for descriptions of the rule types.
c. Click Save.
d. Configure additional rules as desired.
9. By default, an endpoint must satisfy all configured rules to be eligible for the rule set. You may want to apply the tag to endpoints that satisfy some, but not all, of the configured rules. In this case, you can modify the rule set logic. For example, consider that you want to apply the same tag to endpoints that fulfill one of the following criteria:
• Running Windows 10
• Running Windows 7 and antivirus (AV) software is installed and running
With the default rule set logic, an endpoint would be eligible for the rule set if it is running Windows 7 or 10 and has AV software installed and running. To modify the rule set logic, do the following:
a. Click Edit Logic.
b. Clicking Edit Logic assigns numerical values to each configured rule. In the Rule Logic field, enter the desired logic for the rule set using the numerical values. You can use "and" and "or" to define the rule logic. You cannot use "not" when defining the rule logic. You can also use parentheses to group rules. For this example, you would enter (1 and 3) or 2, to indicate that endpoints that satisfy both the AV and Windows 7 rules (rules 1 and 3) or only the Windows 10 rule (rule 2) satisfy the rule set. To restore the default logic, you can click Default Logic.

10. Click Save.

For more information on editing, deleting a tag, and so on, see Zero Trust Tags.
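The rule-set logic from step 9, worked through as an added example that is not code from this guide or from Fortinet: a small evaluator for the Rule Logic expression (and, or, parentheses, no not), run against constructed sample endpoints. Rule numbers 1 (AV running), 2 (Windows 10) and 3 (Windows 7) follow the numbering used in the text; the endpoint attribute names and the sample endpoints are assumptions made for the demonstration.

```python
"""Evaluate EMS Zero Trust tagging rule-set logic.

Added example; not code from the guide or from Fortinet. The rule numbers,
the endpoint attribute names and the sample endpoints are assumptions for
the demonstration. Semantics follow the text: the default logic ANDs every
rule, custom logic may use and/or and parentheses, and `not` is rejected.
"""
import re
from typing import Callable, Dict

Endpoint = Dict[str, object]

# Constructed rule set, numbered the way Edit Logic numbers them in the
# example: 1 = AV running, 2 = Windows 10, 3 = Windows 7.
RULES: Dict[int, Callable[[Endpoint], bool]] = {
    1: lambda ep: bool(ep["av_running"]),
    2: lambda ep: ep["os"] == "Windows 10",
    3: lambda ep: ep["os"] == "Windows 7",
}

_TOKEN = re.compile(r"\s*(\d+|and|or|\(|\))\s*")


def default_logic(rules: Dict[int, Callable]) -> str:
    """The logic EMS applies before Edit Logic is used: every rule ANDed."""
    return " and ".join(str(n) for n in sorted(rules))


def tokenize(logic: str) -> list:
    pos, tokens = 0, []
    while pos < len(logic):
        m = _TOKEN.match(logic, pos)
        if not m:  # anything else, including `not`, is not valid rule logic
            raise ValueError(f"unsupported token near {logic[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def evaluate(logic: str, rules: Dict[int, Callable], ep: Endpoint) -> bool:
    """Recursive descent: expr = term ('or' term)*, term = factor ('and' factor)*."""
    tokens = tokenize(logic)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule logic")
        tok = tokens[pos]
        pos += 1
        return tok

    def factor() -> bool:
        tok = take()
        if tok == "(":
            val = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok.isdigit():
            n = int(tok)
            if n not in rules:
                raise ValueError(f"rule {n} does not exist in this rule set")
            return rules[n](ep)
        raise ValueError(f"unexpected {tok!r}")

    def term() -> bool:
        val = factor()
        while peek() == "and":
            take()
            rhs = factor()  # evaluate every operand; no short-circuit needed
            val = val and rhs
        return val

    def expr() -> bool:
        val = term()
        while peek() == "or":
            take()
            rhs = term()
            val = val or rhs
        return val

    result = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r} after complete expression")
    return result


# Constructed sample endpoints.
WIN10 = {"os": "Windows 10", "av_running": False}
WIN7_AV = {"os": "Windows 7", "av_running": True}
WIN7_NO_AV = {"os": "Windows 7", "av_running": False}

if __name__ == "__main__":
    samples = (("WIN10", WIN10), ("WIN7_AV", WIN7_AV), ("WIN7_NO_AV", WIN7_NO_AV))
    for logic in (default_logic(RULES), "(1 and 3) or 2"):
        tagged = [name for name, ep in samples if evaluate(logic, RULES, ep)]
        print(f"{logic!r:20} tags: {tagged}")
```

With the default logic "1 and 2 and 3" no sample endpoint is tagged; with "(1 and 3) or 2" the Windows 10 endpoint and the Windows 7 endpoint with AV running are tagged, and the Windows 7 endpoint without AV is not. An expression containing not, or a rule number that does not exist in the set, is rejected with a ValueError.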

On-Fabric detection rules

You can configure On-Fabric detection rules for endpoints. EMS uses the rules to determine whether an endpoint is
On-Fabric or Off-Fabric and, depending on that status, may apply a different profile to the endpoint, as configured in the
endpoint policy.
For a Private SASE deployment, endpoints connected to the full tunnel VPN must be categorized as On-Fabric, and
devices that are not connected to the full tunnel VPN must be categorized as Off-Fabric. To determine whether a device is
On-Fabric, use one or more of the detection rules described below.

To add an on-fabric detection rule set:

1. Go to Endpoint Policy & Components > On-fabric Detection Rules.


2. Click Add.
3. In the Name field, enter the desired name.
4. Enable or disable the rule set by toggling Enabled on or off.
5. Click Add Rule.
6. In the Add New Rule dialog, from the Detection Type dropdown list, select and configure the desired detection type so
that the rule distinguishes On-Fabric endpoints (connected to the full tunnel VPN) from Off-Fabric endpoints (not
connected to the full tunnel VPN). If you configure rules of multiple detection types in a rule set, the endpoint must
satisfy all of them to satisfy the rule set. The following detection types are used for the Private SASE deployment.

Detection type  Description

DNS Server  Configure at least one IP address for the desired DNS server. EMS considers the endpoint as satisfying the rule if it is connected to a DNS server that matches the specified configuration. You can configure multiple IP addresses using the + button.

Local IP/Subnet  In the IP Range field, enter a range of IP addresses. In the Default Gateway MAC Address field, optionally enter the default gateway MAC address. EMS considers the endpoint as satisfying the rule if its Ethernet or wireless IP address is within the specified range and, if a MAC address is configured, its default gateway MAC address matches the one specified. You can configure multiple addresses using the + button.
This is the only detection type that applies to endpoints running FortiClient 6.4.0 and earlier versions. Other detection types do not apply to these endpoints.
For the Private SASE use case, configure the local IP address/subnet as the SASE subnet reserved for endpoints connecting to the full tunnel VPN.

VPN Tunnel  In the Name field, enter an SSL or IPsec VPN tunnel name. EMS considers the endpoint as satisfying the rule if it is connected to a VPN tunnel with a matching name. You can configure multiple tunnels using the + button.

7. Click Add Rule.


8. Click Save.

For more information on On-Fabric detection rule set options, see On-Fabric Detection Rules.
Ideally, Off-Fabric devices (devices not connected to the full tunnel VPN) should be granted only limited access to the
Internet, so that remote users must connect to the full tunnel VPN to get full access to Internet services. This can be
achieved with FortiClient EPP by creating a more restrictive Web Filter endpoint profile and applying it as the Off-Fabric
profile in the endpoint policy. Once the endpoint connects to the full tunnel VPN and is categorized as On-Fabric, the
user's traffic is inspected and subjected to the security policies and posture checks on the FortiGate.

Deploying endpoint policy

To deploy the endpoint profiles to the managed FortiClient endpoints and to apply the On-Fabric detection rules created
earlier, configure an endpoint policy.

To add an endpoint policy:

1. Go to Endpoint Policy & Components > Manage Policies.


2. Click Add.
3. Complete the following fields:

Endpoint Policy Name  Enter the desired name for the endpoint policy.

Profile (Off-Fabric)  Configure the endpoint profiles to apply to the endpoint when it is Off-Fabric according to the On-Fabric detection rules configured in this policy. For example, you may want to apply more restrictive profiles to the endpoint when it is determined to be Off-Fabric. From the dropdown lists, select the desired endpoint profiles.
If including an Off-Fabric profile in a policy, also including On-Fabric detection rules in the policy is recommended. Otherwise, EMS may not apply the On-Fabric and Off-Fabric profiles as intended.
When you enable this toggle, the Profile field displays two sets of endpoint profile dropdown lists. You configure the profiles for an Off-Fabric endpoint using the dropdown lists on the right.

Profile  From the dropdown lists, configure the endpoint profiles to apply to endpoints that EMS has applied the policy to. FortiClient EMS displays enabled endpoint profiles with a green circle and disabled endpoint profiles with a gray circle.

On-Fabric Detection Rules  Select the On-Fabric detection rules to include in the policy. You can select multiple rule sets. You must have already created the rule sets to include them in an endpoint policy. See On-Fabric Detection Rules.

Enable the Policy  Toggle to enable or disable the endpoint policy. You can also enable or disable the policy later from Endpoint Policy & Components > Manage Policies.

4. Click Save. You can view the newly created policy in Endpoint Policy & Components > Manage Policies.


FortiClient EMS pushes these settings to the FortiClient endpoint with the next Telemetry communication.
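The On-Fabric detection rules and the endpoint policy that consumes them, modelled as an added example that is not code from this guide or from Fortinet. It implements the three detection types described above (DNS Server, Local IP/Subnet with optional gateway MAC, VPN Tunnel), ANDs the rules inside a rule set, treats the endpoint as On-Fabric when any enabled rule set in its policy matches, and then selects the On-Fabric or Off-Fabric profiles. The SASE subnet, tunnel name, DNS server, gateway MAC, profile names and sample endpoints are assumptions made for the demonstration; EMS exposes no such API.

```python
"""Model of EMS On-Fabric detection and on/off-fabric profile selection.

Added example; not code from the guide or from Fortinet. Semantics follow
the text: every rule in a rule set must match, an endpoint is On-Fabric
when any enabled rule set in its endpoint policy matches, and the policy
then applies the on-fabric or off-fabric profiles. The SASE subnet, tunnel
name, DNS server, gateway MAC and profile names are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Endpoint:
    ip: str                                  # Ethernet/wireless/VPN adapter address
    gateway_mac: Optional[str] = None
    dns_servers: Tuple[str, ...] = ()
    vpn_tunnels: Tuple[str, ...] = ()        # names of currently connected tunnels


Rule = Callable[[Endpoint], bool]


def dns_server_rule(*servers: str) -> Rule:
    """DNS Server: satisfied if the endpoint uses one of the listed servers."""
    wanted = {ip_address(s) for s in servers}
    return lambda ep: any(ip_address(d) in wanted for d in ep.dns_servers)


def local_subnet_rule(cidr: str, gateway_mac: Optional[str] = None) -> Rule:
    """Local IP/Subnet: address in range, plus gateway MAC if one is configured."""
    net = ip_network(cidr)

    def check(ep: Endpoint) -> bool:
        if ip_address(ep.ip) not in net:
            return False
        if gateway_mac is None:
            return True
        return (ep.gateway_mac or "").lower() == gateway_mac.lower()

    return check


def vpn_tunnel_rule(*names: str) -> Rule:
    """VPN Tunnel: satisfied if a tunnel with a matching name is connected."""
    return lambda ep: any(t in names for t in ep.vpn_tunnels)


@dataclass
class RuleSet:
    name: str
    rules: List[Rule]
    enabled: bool = True

    def matches(self, ep: Endpoint) -> bool:
        # All rules in a set must be satisfied (different detection types AND).
        return self.enabled and all(rule(ep) for rule in self.rules)


@dataclass
class EndpointPolicy:
    name: str
    profiles: Dict[str, str]               # on-fabric profiles by feature
    off_fabric_profiles: Dict[str, str]    # applied when no rule set matches
    detection_rule_sets: List[RuleSet] = field(default_factory=list)

    def is_on_fabric(self, ep: Endpoint) -> bool:
        return any(rs.matches(ep) for rs in self.detection_rule_sets)

    def profiles_for(self, ep: Endpoint) -> Dict[str, str]:
        return self.profiles if self.is_on_fabric(ep) else self.off_fabric_profiles


# Constructed values: the SASE subnet handed out by the full tunnel portal.
SASE_SUBNET = "10.212.134.0/24"
SASE_TUNNEL = "SASE tunnel"

# Both rules live in one rule set, so an address in the SASE range alone
# (for example, a host on an overlapping LAN) is not enough to be On-Fabric.
SASE_RULE_SET = RuleSet(
    name="Connected to SASE full tunnel",
    rules=[local_subnet_rule(SASE_SUBNET), vpn_tunnel_rule(SASE_TUNNEL)],
)

POLICY = EndpointPolicy(
    name="Private SASE remote users",
    profiles={"web_filter": "WebFilter-Standard", "vpn": "SASE-RemoteAccess"},
    off_fabric_profiles={"web_filter": "WebFilter-Restrictive", "vpn": "SASE-RemoteAccess"},
    detection_rule_sets=[SASE_RULE_SET],
)

ON_VPN = Endpoint(ip="10.212.134.10", vpn_tunnels=(SASE_TUNNEL,))
AT_HOME = Endpoint(ip="192.168.1.20", dns_servers=("192.168.1.1",))
SUBNET_ONLY = Endpoint(ip="10.212.134.10")   # right address, no tunnel

if __name__ == "__main__":
    for label, ep in (("on_vpn", ON_VPN), ("at_home", AT_HOME), ("subnet_only", SUBNET_ONLY)):
        state = "On-Fabric" if POLICY.is_on_fabric(ep) else "Off-Fabric"
        print(f"{label:12} {state:10} web filter = {POLICY.profiles_for(ep)['web_filter']}")
```

The endpoint connected to the tunnel with a SASE address is On-Fabric and gets the standard web filter; the home endpoint and the endpoint that merely carries a SASE-range address without a connected tunnel are Off-Fabric and get the restrictive one. A disabled rule set never matches, which is why the endpoint policy should reference only the rule sets you intend to enforce.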

Configuring FortiGate

Configuring address objects

Address objects define the sources and destinations of network traffic and are used to control access, for example in
firewall policies and the SSL VPN configuration.

To configure address objects:

1. On the FortiGate, go to Policy & Objects > Addresses > Create New > Address.
2. Enter the Name.
3. Enter the Type as Subnet and specify the IP/Netmask.
4. Click OK.

Repeat the same steps to configure address objects for your LAN, the full tunnel SSL VPN subnet (SASE subnet), the
DMZ, and so on, as required by your network. The SASE subnet is the IP address range dedicated to FortiClient users
when they connect to the full tunnel VPN.

Configuring authentication sources

Different authentication methods are available to authenticate the FortiClient endpoint users when they initiate a
connection to full tunnel VPN. The Private SASE’s full tunnel VPN terminates on the FortiGate, thus authentication
sources need to be defined on the FortiGate. FortiGate can be configured with the following authentication sources:

Authentication source  Description

Local Authentication  Authentication is performed using a local user account (username/password) stored on the FortiGate. See Local User in Users to configure local authentication.

LDAP Authentication  Authentication is performed against an LDAP server. See LDAP servers to connect the FortiGate to an LDAP server.

RADIUS Authentication  Authentication is performed against a RADIUS server. See RADIUS servers to connect the FortiGate to a RADIUS server.

PKI  Authentication is performed using PKI, that is, user certificates. See PKI for more information.

SAML Authentication  Authentication is performed using SAML. See SAML for more information.

FortiGate also supports two-factor authentication along with the primary authentication methods discussed above. With
two-factor authentication enabled, users must provide an additional authentication code or token along with their
username and password. To set up two-factor authentication, see Applying multi-factor authentication.
In the example discussed under Testing Private SASE deployment on page 23, SAML authentication is used, where the
FortiGate is the Service Provider (SP) and FortiAuthenticator is the Identity Provider (IdP). See FortiGate SSL VPN with
FortiAuthenticator as SAML IdP.

Configuring user groups

Once an authentication method is selected and configured, create user groups that reference that authentication source
(LDAP, RADIUS, SAML, and so on). See User groups to configure user groups. The user groups are then used in the VPN
configuration and firewall policies to authenticate the FortiClient endpoint when a remote user initiates a full tunnel VPN
connection to the FortiGate.

To add the remote authentication server inside a user group:

1. Go to User & Authentication > User Groups.


2. Click Create New.
3. Set Name as per your choice.
4. Under Remote Groups, click Add.
5. In the pane, set Remote Server to the authentication server that you wish to authenticate against.
6. Click OK.

For more information on configuring user groups, see User groups.

Configuring FortiClient EMS connector

The FortiGate can connect to the FortiClient EMS using Security Fabric connector. Up to seven EMS servers can be
added to the Security Fabric, including a FortiClient EMS Cloud server. Once the FortiGate is authorized and connected
to the FortiClient EMS, ZTNA Tags configured on the EMS Server are shared with FortiGate. The FortiGate also shares
its CA certificates used for SSL Deep inspection with the EMS server.

To add an on-premise FortiClient EMS to the Security Fabric in the GUI:

1. On the FortiGate, go to System > Feature Visibility.


2. Enable Endpoint Control.


3. Go to Security Fabric > Fabric Connectors and double-click the FortiClient EMS card.
4. Enable an EMS, and set Type to FortiClient EMS.
5. Enter a name and IP address or FQDN.
When connecting to a multitenancy-enabled EMS, Fabric connectors must use an FQDN to connect to EMS, where
the FQDN hostname matches a site name in EMS (including "Default"). The following are examples of FQDNs to
provide when configuring the connector to connect to the default site and to a site named SiteA, respectively:
default.ems.yourcompany.com, sitea.ems.yourcompany.com. See Multitenancy.
6. Optionally, enable EMS threat feed. See Malware threat feed from EMS for more information about using this
setting in an AV profile.
7. Click OK. A window appears to verify the EMS server certificate:
8. Click Accept.
9. Click Accept. The Connection status is now Connected.
10. If the device is not authorized, log in to the FortiClient EMS to authorize the FortiGate under Administration > Fabric
Devices.
For more information on EMS Fabric connector, see Configuring FortiClient EMS.

Configuring full tunnel VPN

The full tunnel VPN can be an IPsec tunnel or an SSL VPN tunnel. For this deployment, we assume that the basic
networking of the FortiGate (IP addressing and routing) is already configured, and we create the full tunnel VPN using SSL VPN.

To configure SSL VPN using the GUI:

1. Enable SSL VPN feature visibility:


a. Go to System > Feature Visibility.
b. In the Core Features section, enable VPN.
c. Click Apply.
2. Configure SSL VPN portal:
a. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal.
b. Click Create New.
c. Set the Name to SASE tunnel.
d. Disable Split Tunneling, so that all endpoint traffic, including Internet traffic, is sent through the tunnel.
e. In Source IP Pools, select the address object (the SASE subnet) from which endpoint users are assigned an IP
address.
f. Enable Allow client to save password, Allow client to connect automatically, and Allow client to keep
connections alive.
g. Disable Web Mode.
h. Disable FortiClient Download.
i. Click OK.
j. Verify that a default portal named no-access exists with tunnel mode and web mode both disabled. If not, create
a new portal named no-access and disable Tunnel Mode, Web Mode, and FortiClient Download.
3. Configure SSL VPN settings:


a. Go to VPN > SSL-VPN Settings.


b. For Listen on Interface(s), select your Internet-facing interface (typically the wan interface). The FQDN configured
in the Remote Access endpoint profile should resolve to the IP address of this interface.
c. Set Listen on Port to the port of your choice (typically 443 or 10443). It must match the port configured in the
Remote Access endpoint profile.
d. Choose a certificate for Server Certificate. The default is Fortinet_Factory. You can instead choose a certificate of
your choice signed by a public CA. For importing server certificates to the FortiGate, see Import a certificate.
e. In Authentication/Portal Mapping, for All Other Users/Groups, set the Portal to the no-access portal created in the
previous step, so that users outside the mapped groups get neither tunnel nor web access.
f. Click Create New to add an Authentication/Portal Mapping.
g. Select the user group created earlier for authenticating the FortiClient endpoints and set the portal to SASE
tunnel.
h. Click OK.
i. Click Apply to save changes.
4. Configure SSL/SSH Inspection Profile:
a. Go to Security Profiles > SSL/SSH Inspection > Create New.
b. Set Name to the name of your choice.
c. Set Inspection method as Full SSL Inspection and the CA certificate as Fortinet_CA_SSL. Please note that this
CA certificate is the same certificate that is imported by FortiClient EMS to the FortiClient endpoints by enabling
Install CA Certificate on Client in the System Setting Endpoint Profile.
d. Select OK to save changes.
e. For additional settings available under the profile, see Deep Inspection.
5. Configure SSL VPN firewall policies to allow remote user to access the required networks:
a. Go to Policy & Objects > Firewall Policy.
b. Click Create New.
c. Set Name to SASE Secure Private Access.
d. Set Incoming Interface to SSL-VPN tunnel interface (ssl.root).
e. Set Outgoing Interface to the interface you want to allow access to.
f. Set Source to the SASE subnet address object and, for the user, select the user group configured for
authentication.
g. For IP/MAC Based Access Control, select the ZTNA tag that endpoints must carry to be granted access to the
resources allowed by this firewall policy.
h. Set Destination to the desired address object.
i. Set Schedule to always.
j. Set Service to ALL.
k. Set Action to Accept.
l. Enable the desired Security Profiles. See Security Profiles for more details.
m. In the SSL Inspection, select the Deep Inspection SSL/SSH Inspection profile created earlier.
n. Click OK.
o. Click Create New.
p. Set Name to SASE Secure Internet Access.
q. Configure the same settings as the previous policy, except set Outgoing Interface to the interface that has
internet access.


r. Click OK.
s. Similarly, create a new policy for the SASE Secure SaaS Application use case.

These firewall policies ensure that only authenticated FortiClient endpoints carrying the specified ZTNA tag are allowed
access to the network resources, providing role-based network access control for SIA, SPA and SSA. The user traffic
also undergoes deep packet inspection and scanning by the configured security profiles. Because the FortiGate
evaluates firewall policies top-down and applies the first match, place any explicit deny policy (for example, one that
denies endpoints tagged Critical-Vulnerability, as in the test scenario later in this guide) above the accept policies.
Additionally, see the SSL VPN Best Practices to enhance SSL VPN security.
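The three SSL VPN firewall policies and their ZTNA tag conditions, modelled as an added example that is not code from this guide or from Fortinet. It reproduces FortiGate's top-down, first-match policy lookup with an implicit deny, and shows why an explicit deny for endpoints tagged Critical-Vulnerability must sit above the accept policies. The interface names, the SASE subnet, the user group name and the "any of the listed tags" matching assumed for IP/MAC Based Access Control are assumptions for the demonstration; the Critical Assets address reuses the 10.100.77.200 web server from the test scenario later in this guide.

```python
"""Model of FortiGate policy lookup for the SASE firewall policies.

Added example; not code from the guide or from Fortinet. FortiGate matches
firewall policies top-down and applies the first match; an unmatched
session hits the implicit deny. Interface names, address ranges, the user
group, policy names and the "any of" tag matching are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Session:
    srcintf: str
    dstintf: str
    src_ip: str
    dst_ip: str
    user_groups: FrozenSet[str] = frozenset()  # groups the VPN user authenticated into
    ztna_tags: FrozenSet[str] = frozenset()    # tags EMS currently shares for the endpoint


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str                     # "any" matches every outgoing interface
    srcaddr: str                     # CIDR of the address object
    dstaddr: str
    action: str                      # "accept" or "deny"
    groups: FrozenSet[str] = frozenset()     # empty: no user requirement
    ztna_tags: FrozenSet[str] = frozenset()  # empty: no tag requirement

    def matches(self, s: Session) -> bool:
        if self.srcintf != s.srcintf or self.dstintf not in ("any", s.dstintf):
            return False
        if ip_address(s.src_ip) not in ip_network(self.srcaddr):
            return False
        if ip_address(s.dst_ip) not in ip_network(self.dstaddr):
            return False
        # User and tag requirements: the session must carry at least one of
        # the listed groups/tags (assumed "any of" semantics for this model).
        if self.groups and not (self.groups & s.user_groups):
            return False
        if self.ztna_tags and not (self.ztna_tags & s.ztna_tags):
            return False
        return True


def lookup(policies: List[Policy], s: Session) -> Tuple[str, str]:
    """First matching policy wins; nothing matched means implicit deny."""
    for p in policies:
        if p.matches(s):
            return p.action, p.name
    return "deny", "implicit-deny"


SASE_SUBNET = "10.212.134.0/24"        # constructed full tunnel IP pool
CRITICAL_ASSETS = "10.100.77.200/32"   # DMZ web server from the test scenario
VPN_USERS = frozenset({"SASE-Users"})  # constructed user group name

DENY_VULNERABLE = Policy("Block Critical-Vulnerability endpoints", "ssl.root", "any",
                         SASE_SUBNET, "0.0.0.0/0", "deny",
                         ztna_tags=frozenset({"Critical-Vulnerability"}))
PRIVATE_ACCESS = Policy("SASE Secure Private Access", "ssl.root", "dmz",
                        SASE_SUBNET, CRITICAL_ASSETS, "accept",
                        groups=VPN_USERS, ztna_tags=frozenset({"IT"}))
INTERNET_ACCESS = Policy("SASE Secure Internet Access", "ssl.root", "wan1",
                         SASE_SUBNET, "0.0.0.0/0", "accept",
                         groups=VPN_USERS, ztna_tags=frozenset({"IT"}))

# Deny rule first, so a vulnerable endpoint never reaches the accept rules.
POLICIES = [DENY_VULNERABLE, PRIVATE_ACCESS, INTERNET_ACCESS]
# Same rules with the deny rule last: the ordering mistake this model exposes.
MISORDERED = [PRIVATE_ACCESS, INTERNET_ACCESS, DENY_VULNERABLE]

# Constructed sessions.
IT_TO_DMZ = Session("ssl.root", "dmz", "10.212.134.10", "10.100.77.200",
                    VPN_USERS, frozenset({"IT"}))
IT_TO_INTERNET = Session("ssl.root", "wan1", "10.212.134.10", "203.0.113.10",
                         VPN_USERS, frozenset({"IT"}))
VULN_TO_DMZ = Session("ssl.root", "dmz", "10.212.134.10", "10.100.77.200",
                      VPN_USERS, frozenset({"IT", "Critical-Vulnerability"}))
UNTAGGED_TO_DMZ = Session("ssl.root", "dmz", "10.212.134.11", "10.100.77.200",
                          VPN_USERS, frozenset())

if __name__ == "__main__":
    for label, s in (("IT -> DMZ", IT_TO_DMZ), ("IT -> Internet", IT_TO_INTERNET),
                     ("vulnerable -> DMZ", VULN_TO_DMZ), ("untagged -> DMZ", UNTAGGED_TO_DMZ)):
        print(f"{label:18} ordered: {lookup(POLICIES, s)}  misordered: {lookup(MISORDERED, s)}")
```

With the deny policy on top, the IT-tagged endpoint reaches the DMZ web server and the Internet, the endpoint that has gained the Critical-Vulnerability tag is denied everywhere, and an endpoint with no tag falls through to the implicit deny. With the deny policy moved to the bottom, the vulnerable endpoint still carries the IT tag and is accepted by the private access policy before the deny is ever consulted.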

Testing Private SASE deployment

The Private SASE deployment is tested using a sample scenario based on the following network topology and
description.

Network Topology

Network Description

In the example, Enterprise Core is the FortiGate firewall acting as the Point of Presence. FortiAuthenticator (FAC) is the
centralized authentication server and FortiClient EMS is the FortiClient endpoint management server. Both FAC and
FortiClient EMS connect to the FortiGate's ISFW interface. Critical Assets is a web server connected to the DMZ
interface. The Off-net Client is a domain-joined endpoint on the Internet with FortiClient onboarded, meaning that
FortiClient is installed and connected to FortiClient EMS through the FortiGate using a virtual IP (port forward).
Remote user authentication is performed on the FortiGate using SAML with FAC as the IdP. The FortiClient application on
the endpoint is configured with a restrictive Web Filter endpoint profile when it is Off-Fabric, meaning not connected to
the full tunnel VPN, and the Auto-connect VPN feature is enabled in the Remote Access endpoint profile. The endpoint
user's traffic undergoes deep packet inspection on the FortiGate after the endpoint connects to the full tunnel SSL VPN.
The CA certificate that the FortiGate uses for deep packet inspection is installed on the endpoint using the System
Settings endpoint profile.
Two ZTNA tagging rules are configured on FortiClient EMS to tag the endpoint as listed below:

ZTNA Tag  ZTNA Tagging Rule

IT  The remote user is a member of the IT Active Directory group.

Critical-Vulnerability  The remote user's endpoint has applications with critical vulnerabilities installed.

ZTNA Tag ZTNA Tagging Rule

IT If remote user is part of IT Active Directory group.

Critical-Vulnerability If remote user has Critical vulnerable applications installed.

The endpoint will be granted complete network access if it is tagged with IT tag, and it will be denied access to resources
if it is tagged with Critical-Vulnerability tag.

Viewing FortiClient user details

After FortiClient onboarding is completed (FortiClient is installed and connected to FortiClient EMS), click the user
avatar in the upper left corner of FortiClient to verify the user details. The following information is shown:

Full name  Displays the endpoint user's name if added by the endpoint user.

Phone  Displays the endpoint user's phone number if added by the endpoint user. See Retrieving user details from cloud applications and Adding your phone number and email address manually.

Email  Displays the endpoint user's email address if added by the endpoint user. See Retrieving user details from cloud applications and Adding your phone number and email address manually.

Get personal info from  Displays the source of the endpoint user's personal information and the last time the information was updated. The options are user-specified, from the OS, and from cloud applications: LinkedIn, Google, and Salesforce. Depending on the EMS configuration, not all options may be available.
You can click User Input to select an image or take a webcam photo to use as the user avatar.
You can provide information to FortiClient from an account for a cloud application, such as a LinkedIn, Google, or Salesforce account. After the endpoint user logs into the account, FortiClient attempts to retrieve the following information when available: name, avatar, phone number, and email address. See Retrieving user details from cloud applications.
By default, FortiClient displays user details from the endpoint OS and sends this information to EMS. If you provide details using one of the methods above, FortiClient displays those details and sends that information to EMS instead.

Status  Displays whether the endpoint is online or offline, and On- or Off-Fabric. See On-/off-fabric status with EMS.

Hostname  Displays the hostname of the endpoint where FortiClient is installed.

Domain  Displays the name of the domain to which the endpoint is connected, if applicable.

Zero Trust Tags  Displays the tags that have been applied to the endpoint according to the Zero Trust tagging rules configured in EMS.

In the user avatar screenshot, notice that the Status section of the user information shows the user as Off-Fabric. This
is because, as per the On-Fabric detection rules in the example, a FortiClient endpoint that is not connected to the full
tunnel VPN is set to Off-Fabric.

The FortiClient endpoint's status can also be confirmed from FortiClient EMS by viewing the Endpoints pane. See
Viewing the Endpoints pane.
Ideally, a more restrictive endpoint profile is applied while the user is Off-Fabric (not connected to the full tunnel VPN).
This forces remote users to connect to the full tunnel VPN so that the On-Fabric detection rules categorize them as
On-Fabric.
In our example, while the user is Off-Fabric, all access to HTTP/HTTPS websites on the Internet is blocked by the
Off-Fabric Web Filter endpoint profile when the endpoint user tries to access the Internet, as shown below.


Connecting to the full tunnel VPN and accessing services

To connect to the full tunnel VPN:

1. Because Internet access is restricted by the endpoint profile while the user is Off-Fabric, the remote user now
connects to the full tunnel VPN to start accessing network services.
2. Because the auto-connect VPN feature is enabled, FortiClient attempts to connect to the VPN server and prompts for
a username and password. You can also open the FortiClient application manually and, on the Remote Access tab,
select the VPN connection from the dropdown list, or right-click the FortiTray icon in the system tray and select a
VPN configuration to connect.


3. Enter your username and password and click Connect. If SAML SSO is configured for authentication, click SAML
Login and enter the username and password there. When connected, FortiClient displays the connection status,
duration, and other relevant information, as shown below. You can also verify the connection on the FortiGate using
the SSL VPN monitor dashboard; see SSL-VPN monitor.

4. Verify the user information once the user is connected to the full tunnel SSL VPN. The status should change to
On-Fabric as per the On-Fabric detection rules, and the endpoint should be tagged with the Zero Trust tags as per
the Zero Trust tagging rules created earlier.
In the given example, the endpoint should be tagged IT because the user Mark Gilbert is a member of the IT AD group.


5. You can browse to your corporate LAN and DMZ and access the Internet, depending on the FortiGate firewall policies
configured. Endpoint users are granted access to resources based on the ZTNA tags associated with their individual
endpoints.
In our example, after the endpoint connects to the full tunnel VPN and receives the IT ZTNA tag, it is allowed to
access the Critical Assets HTTP web server at http://10.100.77.200, connected behind the DMZ interface of the
FortiGate.

The endpoint is now also able to access the Internet.

6. Because of the full tunnel VPN, the user's Internet traffic flows through the FortiGate, where it undergoes deep
packet inspection. This can be confirmed by checking the issuer of the server certificate of the website that the user
connects to: the issuer is the FortiGate's CA (Fortinet_CA_SSL in this deployment), which signed the certificate on
the fly. See Deep inspection.

Running vulnerability scan

To run a vulnerability scan:

1. Open the FortiClient console and go to Vulnerability Scan.

2. Click Scan Now. The scan runs for a few minutes.

Once the vulnerability scan is finished, the FortiClient endpoint shows the detected vulnerabilities.


3. After the endpoint has detected the vulnerability, click the user avatar to check whether it is tagged with the
Critical-Vulnerability tag as per the ZTNA tagging rules.

4. After being tagged with Critical-Vulnerability, the endpoint can no longer access any resources, because the firewall
policies are configured to explicitly deny any traffic coming from an endpoint with a Critical-Vulnerability ZTNA tag,
as seen in the FortiGate's Forward Traffic logs under Log & Report.

More information

Appendix A: Products used in this guide

The following product models and firmware were used in this guide.

Product Model Firmware

FortiClient EMS v7.2.0

FortiClient v7.2.0

FortiOS v7.2.5

FortiAuthenticator v6.4.6

Appendix B: Documentation references

Feature documentation

Product document  Specific chapter

FortiGate Admin Guide
l User & Authentication
l SSL & SSH Inspection > Deep inspection
l VPN > SSL VPN
l Fortinet Security Fabric > Security Fabric connectors > Configuring FortiClient EMS

FortiClient EMS Admin Guide
l System Settings > Configuring EMS settings
l User Management
l Endpoint Policy & Components > Manage Policies > Adding an endpoint Policy

FortiClient Admin Guide
l Zero Trust Telemetry > FortiClient Telemetry > Connecting FortiClient Telemetry after installation

FortiAuthenticator Admin Guide
l Authentication > SAML IdP


Copyright© 2023 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
