In the FortiSASE architecture, Network Lockdown is a security feature designed to prevent off-net (off-fabric) endpoints from accessing the internet or local network without the protection of the SASE security stack.

Triggering Lockdown: When an endpoint is determined to be "off-net"—meaning it does not satisfy the on-net rule sets defined in its endpoint profile—a timer starts for a configurable grace period.

Function of the Grace Period: During this period, the endpoint maintains full access to the LAN and the internet.4 The specific purpose of this grace period is to provide the user with a window of time to attempt a connection to the FortiSASE VPN tunnel or an alternate corporate tunnel.5 This ensures that users can authenticate and regain a secure "on-net" status before any connectivity restrictions are enforced.

Enforcement: If the grace period expires and the endpoint has failed to establish a VPN connection, FortiClient enforces a strict lockdown.7 In this state, the device cannot reach the LAN or the internet, except for specifically defined "Exempt Destinations" (such as captive portal login pages or the FortiSASE portal itself).

Resetting the Timer: Any attempt to connect to the tunnel during the grace period resets the timer, providing additional opportunities for the user to remediate their connection status.8

According to the FortiSASE 25 Administrator Study Guide, the grace period is an essential user-experience setting that balances strict "zero-trust" security with the practical need for users to access the network briefly to establish their secure tunnel.