FortiSASE SASE Solution Review

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

FortSASE builds on Fortinet’s strong portfolio of security and networking tools to deliver a powerful option for secure access service edge (SASE) needs. Customers with existing Fortinet Gateways and other security products will benefit from the existing investment in appliances, configurations, and training.

For more details, explore the following sections of this review:

To compare FortiSASE against their competition, see our complete list of top secure access service edge (SASE) solutions.

Who is Fortinet?

Founded in 2000, Fortinet began producing physical firewall appliances and soon expanded into other security categories. More than two decades later, the company is a cybersecurity market leader with more than $5 billion in annual revenue.


Fortinet’s FortiSASE solution, recognized as a Challenger in Gartner’s 2023 Magic Quadrant for Single-Vendor SASE, delivers the key SASE capabilities of:

  1. Centralized control through an integrated FortiManager console that provides a single interface to manage security policies and software defined wide area network (SD-WAN) deployments
  2. Monitored network status pulled from built-in SD-WAN capabilities and integrated FortiAnalyzer capabilities that provide reports, analytics and control over network operations performance and security 
  3. Monitored user activity and data loss prevention (DLP) analysis through the incorporated access controls and secure web gateway (SWG) capabilities using FortiGate technologies
  4. Inspected and decrypted traffic that blocks malware and malicious URLs through artificial intelligence (AI) enhanced security and filtering through built-in SWG, intrusion prevention system (IPS), and Firewall-as-a-Service (FWaaS) capabilities
  5. Controlled access to data and resources based upon user, device, and permissions through incorporated zero trust network access (ZTNA), SD-WAN, cloud access security broker (CASB), and domain name service (DNS) security capabilities
  6. Secured cloud-based assets such as applications, websites, and Software-as-a-Service (SaaS) resources through SWG and FWaaS capabilities or FortiSASE secure private access appliances.

Fortinet provides an ordering guide for the FortiSASE product to help clients understand the types of licenses required for basic and add-on options. In summary, the client will need to consider:

  • FortiSASE User Subscriptions
  • FortiSASE Thin Branch (AKA: Thin Agent) Appliances and Subscriptions
  • FortiSASE Secure Private Access Appliances and Subscriptions

Each user account and appliance subscription will provide a maximum bandwidth associated with the subscription. However, the bandwidth is pooled for the entire organization.

FortiSASE User Subscriptions

The basic user subscription for the FortiSASE product provides secure internet access through SSL inspection, inline antivirus, inline sandbox, intrusion prevention systems (IPS), botnet command and control protection, inline CASB, inline DLP, website filtering, and DNS address filtering.

Users may have up to 3 devices and consume up to 1.5 Mbps of bandwidth. Optional 25 Mpbs and dedicated public IP address can be purchased as well.

Installing the local device agent will add access to a cloud sandbox, vulnerability management, and endpoint protection. The agent currently supports Windows, macOS, Linux, iOS, and Android.

FortiSASE Thin Branch Secure Internet Access

When neither agent-based or agentless solutions are appropriate, customers can install a Thin Branch appliance. Fortinet offers three solutions: FortiExtender (WAN extender), FortiAP (wireless access point), or FortiGate (secure LAN edge connector).

All three solutions provide the same functionality as the endpoint user agent for Secure Internet Access (SIA): SSL inspection, inline antivirus, inline sandbox, intrusion prevention systems (IPS), botnet command and control protection, inline CASB, inline DLP, website filtering, and DNS address filtering. Thin Branch solutions include 2 Mbps of bandwidth, ZTNA Agents for private applications, and secure private access agents. All devices are managed and logged by the SASE Cloud and come with 24/7 support.

FortiSASE Secure Private Access

Fortinet uses physical or virtual FortiGate appliances to create Secure Private Access (SPA) and also deliver the SD-WAN capabilities for FortiSASE. SPA provides ZTNA and SD-WAN private access to on-premises and cloud applications from all supported FortiSASE connectors (agent-based, agentless, thin branch).

Pricing & Delivery

Fortinet publishes the types of user licenses required to implement FortiSASE and offers flexible licensing options billed annually in 1, 3, and 5-year subscriptions. Customers can contact Fortinet or their partners for specific quotes, and published Fortinet partner pricing can enable some estimates of the approximate costs:

  • FortiSASE User Subscription
    • Billing by user for agent or agentless connections for multiple devices in tiers
    • 50-499 users, under $100 / user
    • 500-1.999 users, under, under $90 / user
    • 2.000-9.999 users, under $65 / user 
    • 10,000+ users, under $45 / user 
    • $1,000 Optional 25 Mbps bandwidth add-on 
    • $5,000 Optional add-on for up to 4 dedicated IP addresses
  • Thin Branch (AKA: Thin Edge)
    • Billed by appliance connecting branch offices
    • Appliances start at $400
    • Require $150 annual FortiSASE connector subscription
  • FortiSASE Secure Private Access (SPA)
    • Billed by physical or virtual SPA appliance
    • $700 -$2,500 for appliance purchase
    • Required $450 annual FortiSASE connector subscription

Standard product support is included with subscriptions and provides 24/7 FortiCare Support. Optional premium support subscriptions are also available for all appliances to provide rapid appliance replacement, onsite support, secure remote management, and advanced support engineers. Additionally, existing FortiClient (ZTNA/VPN, EPP/APT) subscribers can upgrade to FortiSASE for additional fees.


  • Full SASE Features: centralized control, monitored user activity, inspected and decrypted traffic, controlled access, secured cloud-based assets, and monitored network status and operations control
  • Endpoint agent available for Windows, macOS, Linux, iOS, and Android devices
  • Agentless connections available through web browsers
  • AI-enhanced security analysis and response
  • Secure Edge options for either local FortiGate appliance traffic inspection or cloud-hosted FortiGate capabilities built into FortiSASE
  • Robust security and network options supported on Fortinet’s well-established firewall, gateway, ZTNA, CASB, and SD-WAN technology


  • SASE Challenger was recognized by Gartner in the 2023 Single Vendor SASE Magic Quadrant
  • Established, proven, and trusted technology for firewalls and gateways incorporated into the FortiSASE product
  • Well defined options for FortiSASE connections and associated billing
  • Service organization control (SOC 2) certified for FortiSASE cloud-hosted services
  • Sandboxing available to investigate suspicious files
  • Accelerated hardware using application specific integrated circuit (ASIC) designs for SD-WAN hardware for higher throughputs


  • No private backbone for high-speed SD-WAN connections; customers use public backbone resources or contract with backbone providers
  • No UDP support for agentless connections because access proxy technology used only supports HTTP, HTTPS, or other TCP traffic
  • Manual PoP selection may lead to non-optimized connections
  • Manual update and patch management appears to be required for each locally installed appliance
  • Recent integration of various Fortinet components can lead to potential issues with the unified FortiSASE controller
  • More limited PoP than competitors, with no access in South America, or Africa
  • Not yet FIPS-validated, although several integrated components (FortiOS, FortiManager, etc.) all possess FIPS-140-2 certification
  • More complex options from Fortinet’s well-established component technology can create longer and a more complex setup and possible unintended gaps or conflicts in security policies

Alternatives to FortiSASE

Buyers attracted to FortiSASE will likely seek reliable brands with established track records and the rich features to support the transition of complex existing network and security configurations. Buyers seeking similar capabilities will likely also be interested in:

  • Cisco+ Secure Connect: offers similar capabilities and uses existing Cisco SD-WAN infrastructure and security tools to deliver SASE
  • Palo Alto Prisma SASE: offers top-notch security performance, multi-tenancy options, and similar customization options
  • Versa Universal SASE offers a fully-onsite SASE solution in which a customer can install the SASE controller within their own environment and also offers a private backbone for SD-WAN traffic acceleration for organizations that prefer to buy a hosted solution

How We Evaluated FortiSASE 

FortiSASE is rated and ranked against seven other SASE competition in our top SASE providers article. That article explains the overall ranking and here we provide details specific to FortiSASE:

  • Overall Rating: 3.42 / 5 (#6)
  • Licensing Information: 2.55  out of  5 possible criteria
  • Monitoring and Managing: 5.6 out of 7 possible criteria
  • Asset Control: 4 out of 4 possible criteria (tie for #1)
  • Implementation and Administration: 2.65 out of  5 possible criteria
  • Customer Support: 2.32 out of  4 possible criteria

FortiSASE is the only vendor with ASIC-accelerated hardware to accelerate their SASE solution and the Fortinet solution also appears to have a full range of networking and security options. Larger organizations will not be intimidated by the more complicated licensing, installation, and configuration of FortiSASE because their large teams of experts will be looking to replicate current specialized configurations.

Bottom Line: Best for Fortinet Upgrades

Return on investment (ROI) will always be heavily influenced by the investment portion. Any existing investment in Fortinet appliances, configuration, and training will heavily influence the perceived value of FortiSASE.

Fortinet gateway and SD-WAN appliances offer many options for customization that take time and experience to implement correctly. Even if these hardware appliances require upgrade or replacement, trained employees will be able to make adjustments more quickly than if they also had to learn new technologies.

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.

Chad Kime Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis