What action must a FortiSASE customer take to restrict organization SaaS access to only FortiSASE-connected users? (Choose one answer)
A.
Implement a CNAPP solution to allowlist the users under the FortiSASE egress IP
B.
Implement ZTNA for their private apps and allow list them under SaaS portals or grant them conditional access.
C.
Connect FortiSASE to an SPA hub for private access to an allowlisted connecting IP.
D.
Retrieve the PoPs of the users' public IP addresses from the FortiSASE region IP list and whitelist the IP under SaaS portals, or grant them conditional access.
The correct answer is D. To ensure that organizational SaaS applications (such as Microsoft 365, Salesforce, or the AWS Console) are reachable only by users who are currently connected to, and inspected by, FortiSASE, administrators combine Source IP Anchoring on the FortiSASE side with IP-based access control (allow listing or conditional access) on the SaaS side.
Consistent Egress IPs: Each FortiSASE tenant egresses through a set of public IP addresses at every security Point of Presence (PoP). Regardless of where a remote user is physically located, once they connect to a PoP, all of their traffic to the internet and to SaaS applications appears to originate from that PoP's egress IP, not from the user's own ISP address.
Whitelisting and Conditional Access: Administrators retrieve the list of these egress IPs from the FortiSASE portal (the region IP list, typically found under the Support or system information pages). These ranges are then configured as trusted or named locations in the SaaS provider's security settings (for example, a Named Location in Microsoft Entra ID Conditional Access) and referenced by a policy that blocks sign-ins from any other location.
Enforcement Mechanism: Once the SaaS portal only permits logins from the FortiSASE egress ranges, a user who tries to reach the application without being connected through FortiSASE (agent tunnel or explicit proxy) is denied, because the source IP the SaaS provider sees is their local ISP address rather than a trusted SASE IP. This effectively mandates the SASE security stack for all corporate SaaS interactions. Two practical caveats: the IP check is enforced at authentication, so it should be paired with identity controls (MFA, device compliance) rather than used as the only gate, and the blocking policy should exclude a break-glass account and be piloted in report-only mode first, since a wrong range locks every user out at once.
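The three steps above, carried through for Microsoft Entra ID as an added example (this is not code from the page or from Fortinet): the script builds the Microsoft Graph request bodies for an IP named location holding the FortiSASE egress ranges and for a Conditional Access policy that blocks every sign-in not coming from that location, then simulates the resulting allow/block decision against sample sign-in source addresses. The egress ranges, the break-glass user ID and the sign-in samples are constructed placeholders (TEST-NET and documentation prefixes), and the named-location ID passed into the policy is assumed to come from the response to the first POST.

```python
"""Build the Entra ID Conditional Access objects that restrict sign-ins to
FortiSASE egress IPs, and simulate the resulting decision against sample
sign-in source addresses.  Added example, not from the page or Fortinet.
All IP ranges and object IDs below are constructed placeholders."""
import ipaddress
import json

# Constructed stand-ins for the egress ranges copied from the FortiSASE
# portal's region IP list (TEST-NET / documentation prefixes, not real PoPs).
FORTISASE_EGRESS = ["198.51.100.0/28", "203.0.113.16/28", "2001:db8:5a5e::/48"]

# Constructed placeholder object ID for a break-glass account that stays
# excluded so a wrong range cannot lock every administrator out.
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-00000000beef"


def named_location_payload(cidrs, display_name="FortiSASE egress"):
    """Body for POST /identity/conditionalAccess/namedLocations.
    Each range needs the matching IPv4/IPv6 @odata.type or Graph rejects it."""
    ip_ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ip_ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                          "cidrAddress": str(net)})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": True,
        "ipRanges": ip_ranges,
    }


def block_outside_sase_policy(named_location_id, exclude_user_ids,
                              display_name="Block SaaS unless via FortiSASE"):
    """Body for POST /identity/conditionalAccess/policies.
    Pattern: include all locations, exclude the SASE named location, block.
    Starts in report-only so sign-in logs show the impact before enforcement."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(exclude_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def from_fortisase(source_ip, cidrs=FORTISASE_EGRESS):
    """True when the sign-in source address lies inside a FortiSASE egress range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate_sign_ins(records, cidrs=FORTISASE_EGRESS, excluded_users=()):
    """Decide allow/block per sign-in the way the policy above would.
    records: iterable of (user, source_ip).  Excluded users (break-glass)
    are never blocked by this policy.  Returns {user: "allow" | "block"}."""
    result = {}
    for user, ip in records:
        if user in excluded_users or from_fortisase(ip, cidrs):
            result[user] = "allow"
        else:
            result[user] = "block"
    return result


if __name__ == "__main__":
    loc = named_location_payload(FORTISASE_EGRESS)
    pol = block_outside_sase_policy("<id-from-namedLocations-POST-response>",
                                    [BREAK_GLASS_USER_ID])
    print(json.dumps(loc, indent=2))
    print(json.dumps(pol, indent=2))
    # Constructed sign-in samples: one via a PoP, one straight from a home ISP.
    sample = [("alice@example.com", "198.51.100.7"),
              ("bob@example.com", "192.0.2.45")]
    print(evaluate_sign_ins(sample))
```

Send the two payloads with an authenticated Graph client holding Policy.ReadWrite.ConditionalAccess; the named-location `id` returned by the first call is what goes into `excludeLocations`. Flip `state` to `enabled` only after the report-only sign-in logs show nothing but off-SASE traffic being caught.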
Analysis of Incorrect Options:
Option A: CNAPP (Cloud-Native Application Protection Platform) is used for securing cloud-native applications and infrastructure, not for managing egress IP whitelisting for external SaaS providers.
Option B: While ZTNA is a secure access method, it is primarily used for Private Applications hosted by the organization, not for third-party public SaaS portals which rely on standard IP or identity-based conditional access.
Option C: SPA hubs are designed for Secure Private Access (connecting to a corporate data center), not for managing access to public SaaS applications.