In a FortiSASE environment, the Unified FortiClient agent is the critical component that fulfills the requirement for "always-on" connectivity and security for remote users.

Persistent Encrypted Tunnels: The Unified FortiClient maintains a persistent, always-on connection to the FortiSASE infrastructure.4 This is typically achieved through an auto-connect VPN tunnel (SSL or IPsec) that initiates as soon as the user logs into their device and has internet access.

Continuous Security Enforcement: By staying connected to a nearby FortiSASE Point of Presence (PoP), the endpoint ensures that all traffic is inspected. This allows the organization to enforce a consistent security posture—including Web Filtering, Antivirus, and Application Control—regardless of whether the user is at home, in a coffee shop, or traveling.

Zero-Trust Integration: Beyond simple connectivity, the unified agent supports Universal ZTNA. It continuously verifies the identity of the user and the security posture of the device before granting access to specific applications, thereby satisfying modern zero-trust security mandates.

Comparison of Other Components:

SD-WAN on-ramp (B): Used primarily to integrate existing branch office SD-WAN networks with the SASE cloud for private application access.

Secure Web Gateway (C): While a feature of the SASE PoP, the agentless SWG deployment (using PAC files) does not provide the same level of "always-on" persistent tunnel protection as the FortiClient agent.

Thin-branch SASE extension (D): Focused on securing small branch locations (using FortiAP or FortiExtender) where individual client agents may not be deployed on every device.