Fortinet NSE7_SSE_AD-25 Exam - Topic 1 Question 7 Discussion

FortiSASE Secure Private Access (SPA) offers two distinct architectural methods for connecting remote users to private applications: SD-WAN-based SPA and ZTNA-based SPA. Each utilizes a different traffic flow to balance security and performance requirements.

SD-WAN Private Access (Hub-and-Spoke): In this model, the FortiSASE Security Points of Presence (PoPs) act as spokes in a traditional hub-and-spoke VPN topology. When a remote user attempts to access a private network, the traffic is first steered to the closest FortiSASE PoP. The PoP then routes that traffic over a persistent IPsec tunnel to the corporate FortiGate hub (or SPA hub). This ensures that all traffic, regardless of protocol (TCP/UDP), can be inspected by the SASE security stack before entering the private network.

Zero Trust Network Access (ZTNA): Unlike the SD-WAN approach, ZTNA is designed for a 'shortest path' connection. While FortiSASE manages the endpoint's posture and issues certificates, the actual application traffic (the data plane) bypasses the FortiSASE PoP. Instead, the FortiClient agent on the endpoint establishes a direct HTTPS or TCP-forwarding connection to the ZTNA Access Proxy configured on the corporate FortiGate. This significantly reduces latency and is ideal for high-performance TCP-based applications.

According to the FortiSASE 25 Secure Internet Access Architecture Guide, 'In FortiSASE, ZTNA refers to traffic that is destined directly to private resources using the FortiGate ZTNA access proxy traffic flow,' whereas for SD-WAN SPA, the PoPs 'rely on IPsec overlays... to secure and route traffic between PoPs and the networks behind an organization's SD-WAN hubs.'