Fortinet FortiSASE Deployment Manual

SIA site-based

SIA Site-based
Deployment Guide
FortiSASE

Summary of Contents for Fortinet FortiSASE

  • Page 1 SIA Site-based Deployment Guide FortiSASE...
  • Page 2: Table Of Contents

    Troubleshooting a FortiExtender that FortiSASE does not see Viewing and authorizing the FortiExtender in FortiSASE Configuring a policy to allow traffic from the thin-edge LAN to FortiSASE for secure Internet access Configuring security settings and security profile groups in FortiSASE...
  • Page 3: Change Log

    Change log Date Change description 2024-08-09 Initial release. SIA Site-based Deployment Guide...
  • Page 4: Deployment Overview

    VXLAN-over-IPsec tunnel between the FortiExtender and FortiSASE. This creates a Layer 2 network between FortiSASE and the network behind the remote FortiExtender. In this SIA use case, because the FortiExtender is responsible for centralizing site connectivity to the FortiSASE firewall-as-a-service, you only need to configure the endpoints in their IP address settings to forward traffic to the FortiExtender as the default gateway.
  • Page 5: Intended Audience

    Mid-level network and security architects, engineers, and administrators in companies of all sizes and verticals looking to deploy FortiSASE SIA for site-based remote users should find this guide helpful. A working knowledge of FortiOS, FortiGate, and FortiExtender configuration is helpful.
  • Page 6: Bandwidth Requirements For Branch Site

    PRODUCT PREREQUISITES You should connect the FortiExtender’s discovery interface to the Internet. FortiExtender uses this interface for communication with FortiSASE. You can configure this interface to use DHCP or static IP addressing from the GUI or CLI. For the FortiExtender 200F, specifically, note the following: Connecting the local network devices to port4 or port5 within the LAN switch interface is recommended.
  • Page 7 View notifications for a new FortiExtender. b. Authorize the FortiExtender. 5. Configure a policy to allow traffic from the thin-edge LAN to FortiSASE for secure Internet access. 6. Configure security settings and security profile groups in FortiSASE. This includes installing the FortiSASE CA certificate when deep inspection is enabled.
  • Page 8: Deployment Procedures

    Fortinet Support site, register your FortiSASE contract. 2. Once registered, go to Services > Cloud Services > FortiSASE to provision your FortiSASE instance. 3. When provisioning, select the geographic location for your security sites and logging. 4. Once provisioned, the FortiSASE dashboard displays your entitlement in the Thin-Edge widget, when you select Entitlements from the dropdown menu.
  • Page 9: Registering The Fortiextender And Fortisase Thin Edge License To The Same Forticloud Account As Fortisase

    4. In the username and password fields, enter admin, then press Enter. Connecting FortiExtender to FortiSASE using FortiZTP Prior to connecting a FortiExtender to FortiSASE, you can view the instructions in the Connect FEXTs dialog in FortiSASE. SIA Site-based Deployment Guide...
  • Page 10 In addition to the instructions in the Connect FEXTs dialog, you generally must perform these preliminary steps to ensure proper connectivity: 1. Upgrade the FortiExtender to the latest firmware version known to work with FortiSASE. See SIA for site-based remote users.
  • Page 11 FortiExtender serial number. Ensure that Entitlement lists FortiSASE ThinEdge License. To provision a FortiExtender to FortiSASE using FortiZTP: 1. In FortiSASE, click Services. Under Cloud Services, click FortiZTP. The remaining steps are performed in FortiZTP. 2. Click the Provisioning Settings button on the right.
  • Page 12: Troubleshooting A Fortiextender That Fortisase Does Not See

    To provision multiple FortiExtenders, select the checkboxes for the desired FortiExtenders, then click the PROVISION button. 6. Under TARGET LOCATION in the Provision devices dialog, select FortiSASE. Only options that you have configured in Provisioning Settings appear in this dialog.
  • Page 13: Viewing And Authorizing The Fortiextender In Fortisase

    Until then, traffic traverses your local Internet connection. Viewing and authorizing the FortiExtender in FortiSASE Once the FortiExtender is properly configured to connect to FortiSASE, you can view and authorize the FortiExtender from within the FortiSASE portal. To view notifications for a new FortiExtender: When a new FortiExtender powers on, the bell icon in the header displays a notification about the new device.
  • Page 14: Configuring A Policy To Allow Traffic From The Thin-Edge Lan To Fortisase For Secure Internet Access

    Configuring a policy to allow traffic from the thin-edge LAN to FortiSASE for secure Internet access To configure a thin-edge LAN policy: 1. Go to Configuration > Policies.
  • Page 15: Configuring Dhcp On Lan Devices To Use Fortisase As The Internet Gateway

    Configuring DHCP on LAN devices to use FortiSASE as the Internet gateway LAN devices must be configured to use DHCP. The FortiExtender controller on FortiSASE will listen for DHCP requests and then will dynamically assign an IP address, default gateway, and public DNS server to any LAN device connected through to the FortiExtender’s LAN switch interface.
  • Page 16: Testing Sia Using A Test Device

    Reply from 8.8.8.8: bytes=32 time=84ms TTL=62 Verifying thin edge traffic in FortiSASE In the FortiSASE portal, you can verify that traffic from devices behind the FortiExtender thin-edge device has reached Internet destinations through these methods: To verify thin edge traffic in FortiSASE: 1.
  • Page 17 Following is an example of the Analytics > Logs > Traffic > Internet Access Traffic page: 3. Go to Dashboard > FortiView Thin-Edge. Following is an example of the Dashboard > FortiView Thin-Edge dashboard: 4.
  • Page 18 VERIFYING THIN EDGE TRAFFIC IN FORTISASE SIA Site-based Deployment Guide...
  • Page 19: More Information

    Appendix B: Documentation references Feature documentation Product document Specific chapter if available FortiExtender as FortiSASE LAN extension Thin-Edge FortiSASE Admin Guide Configuring a policy to allow traffic from the thin-edge LAN to FortiSASE for secure Internet access 4-D resources: SASE https://docs.fortinet.com/4d-resources/SASE...
  • Page 20 Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s SVP Legal and above, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet.