Fortinet NSE7_SSE_AD-25 Exam - Topic 1 Question 6 Discussion

FortiSASE Secure Private Access (SPA) is designed to provide remote users with seamless and secure access to private applications hosted behind an organization's FortiGate Next-Generation Firewall (NGFW) or SD-WAN hubs.2

Hub-and-Spoke Architecture: In this deployment model, the organization's FortiGate (either a standalone NGFW or an SD-WAN hub) acts as the hub, while the global FortiSASE Security Points of Presence (PoPs) act as spokes.3

IPsec and BGP Integration: The connectivity between the FortiSASE PoPs and the corporate hub is established via IPsec VPN tunnels. To manage routing and ensure that remote users can reach the correct internal subnets, Border Gateway Protocol (BGP) is used for dynamic route exchange.4 This allows the hub to advertise internal prefixes to FortiSASE, enabling the PoPs to route user traffic effectively without requiring complex static route management.

Simplified Configuration: To reduce administrative overhead and prevent manual configuration errors on the FortiOS side, Fortinet introduced the SPA easy configuration key (also known as an invitation code or simplified SPA setup). An administrator generates this key in the FortiSASE portal and enters it on the FortiGate hub. This triggers the Fabric Overlay Orchestrator to automatically provision the necessary IPsec tunnels, BGP peerings, and firewall policies required for SPA connectivity.

According to the FortiSASE 25 Architecture Guide, this method is preferred over legacy VPNs because it supports both TCP and UDP traffic, integrates natively with existing SD-WAN deployments, and automatically finds the shortest path to applications using ADVPN (Auto-Discovery VPN) shortcuts where applicable.