ZTNA provides role-based application access for both on-fabric and off-fabric users.
ZTNA can operate in the following modes:
ZTNA access proxy
IP/MAC-based access control
With ZTNA, identifying and trusting devices is essential.
Digital certificates are used to verify device identity.
Trust is established between a device and FortiGate using three components: FortiClient, FortiClient EMS and FortiGate.
FortiClient collects endpoint information and retrieves a digital certificate from FortiClient EMS.
FortiClient EMS issues the digital certificate to the client and synchronizes the certificate and endpoint information with FortiGate.
FortiGate maintains a continuous connection to FortiClient EMS (not to the endpoint itself; the endpoint only connects to FortiGate when it requests access). Whenever system information changes on the client, FortiClient EMS pushes the update to FortiGate. The FortiGate WAD daemon uses the collected information (the device certificate and its tags) when handling ZTNA traffic.
FortiClient provides network security for endpoints, with visibility and control over end devices on the network.
FortiClient enables you to manage local, remote and mobile devices through FortiClient EMS.
FortiClient ZTNA requires FortiClient EMS, which is licensed.
FortiClient provides secure remote access.
FortiClient EMS provides centralized security management for multiple computers.
FortiClient EMS provides comprehensive visibility over the network.
FortiClient EMS uses its default root Certificate Authority (CA) certificate to issue client certificates; see System Settings > EMS Settings.
The EMS CA certificate is not the same as the SSL certificate used for web filtering.
The client certificate issued by EMS is automatically installed by FortiClient into the Windows certificate store (Certificates > Personal > Certificates).
To connect FortiClient EMS to FortiGate:
On FortiGate, go to Security Fabric > Fabric Connectors and add a FortiClient EMS connector.
On FortiClient EMS, go to Administration > Fabric Devices and authorize the FortiGate.
Zero-trust tagging enables you to create tags for Windows, macOS, Linux, iOS and Android endpoints.
Create, edit and delete tag rules.
To create a tagging rule, go to Zero-Trust Tags > Zero-Trust Tagging Rules.
To see which endpoints carry which tags, go to Zero-Trust Tags > Zero-Trust Tagging Monitor.
Tagging rules with FortiClient and FortiClient EMS:
FortiClient EMS sends the zero-trust tagging rules to the clients.
FortiClient checks the endpoint against the rules, then sends the results to FortiClient EMS, which applies the tags and synchronizes them with FortiGate.
ZTNA access proxy: FortiGate operates as a reverse proxy so that remote users can access internal servers without the internal addresses being revealed to anyone on the internet.
This feature enables FortiGate to verify the user, the device and its trust (ZTNA tags) before granting access to resources.
The following components are required for ZTNA:
FortiGate configured as an HTTPS access proxy
FortiClient endpoint
FortiClient EMS
ZTNA must first be enabled via System > Feature Visibility > Zero Trust Network Access.
To configure the ZTNA server, go to Policy & Objects > ZTNA > ZTNA Servers > Create New.
Set a name for the server.
Under Network, set the external (public) IP address and port number that clients connect to.
Under Servers, set the internal IP address and port number of the real server.
Next, create the ZTNA rule: go to Policy & Objects > ZTNA > ZTNA Rules > Create New, select the ZTNA server, the source, and the ZTNA tags an endpoint must carry to be allowed.
(Optional) Configure basic authentication against LDAP, RADIUS or the local user database.
ZTNA TCP forwarding access proxy:
This feature forwards TCP traffic through the access proxy to the destination.
The remote user on the internet makes an HTTPS connection to FortiGate, then FortiGate forwards the traffic over TCP to the internal resource.
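The ZTNA server and rule procedure above, plus TCP forwarding, expressed as the FortiOS CLI configuration that the GUI steps produce. This is an added example, not configuration from the page or from Fortinet documentation; it uses FortiOS 7.0 syntax, and all names and addresses are placeholders: port1 is the internet-facing interface, 203.0.113.10 the public IP, 10.0.1.20 an internal HTTPS server, 10.0.1.30 an internal RDP host, "EMS1" an already-authorized EMS connector, "Compliant" a zero-trust tag defined on that EMS, "ZTNA-users" an existing user group and "ldap-server" an existing LDAP server object. Lines starting with # are comments.

```text
# Added example (not from the page). FortiOS 7.0 CLI; names and addresses are placeholders.

# Address object for the TCP-forwarding target (realservers of a
# tcp-forwarding gateway are referenced by address object, not by IP).
config firewall address
    edit "rdp-server"
        set subnet 10.0.1.30 255.255.255.255
    next
end

# External side: the VIP clients connect to (the GUI's "Network" section).
config firewall vip
    edit "ZTNA-vip"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_Factory"
    next
end

# Access proxy: gateway 1 publishes the internal HTTPS server (the GUI's
# "Servers" section), gateway 2 TCP-forwards to the RDP host.
# client-cert enable makes FortiGate demand the EMS-issued device certificate.
config firewall access-proxy
    edit "ZTNA-proxy"
        set vip "ZTNA-vip"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.0.1.20
                        set port 443
                    next
                end
            next
            edit 2
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "rdp-server"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end

# Optional basic authentication (the GUI creates the equivalent objects
# when you enable authentication on the ZTNA rule).
config authentication scheme
    edit "ZTNA-basic"
        set method basic
        set user-database "ldap-server"
    next
end
config authentication rule
    edit "ZTNA-auth"
        set srcintf "port1"
        set srcaddr "all"
        set active-auth-method "ZTNA-basic"
    next
end

# ZTNA rule: accept only endpoints carrying the EMS tag and users in the group.
# The dynamic address name follows the "<EMS name>_ZTNA_<tag>" pattern.
config firewall proxy-policy
    edit 1
        set name "ZTNA-rule"
        set proxy access-proxy
        set access-proxy "ZTNA-proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set groups "ZTNA-users"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Two things to check after applying this: with client-cert enabled, a browser or FortiClient that cannot present the EMS-issued certificate is rejected before the rule is evaluated, so a missing certificate in the endpoint's store shows up as a TLS failure rather than a policy deny; and the ztna-ems-tag object only exists once the EMS connector has synchronized, so confirm the tag appears in diagnose firewall dynamic list before relying on the rule. The exact dynamic address naming and a few keywords vary between FortiOS versions, so check them against the version you are running.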
ZTNA IP/MAC-based access control:
Improves security when endpoints are connected to the physical corporate network.
Provides access control for on-net users through regular firewall policies.
Does not require the ZTNA access proxy.
Uses ZTNA tags (synchronized from EMS) as a match condition in the policy.
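The IP/MAC-based mode above as an added FortiOS CLI example (not configuration from the page or from Fortinet documentation; FortiOS 7.0 syntax). It assumes port2 is the internal LAN, port3 the server segment, 10.0.1.0/24 the server subnet, "EMS1" an already-authorized EMS connector and "Compliant" a zero-trust tag defined on that EMS; no VIP or access proxy is involved. Lines starting with # are comments.

```text
# Added example (not from the page). FortiOS 7.0 CLI; names and addresses are placeholders.

config firewall address
    edit "internal-servers"
        set subnet 10.0.1.0 255.255.255.0
    next
end

# A regular firewall policy with ZTNA tag matching. ztna-status enable
# turns on IP/MAC filtering: the packet's source IP/MAC must belong to an
# endpoint that EMS has tagged "Compliant"; otherwise this policy does not
# match and the traffic falls through to the implicit deny.
config firewall policy
    edit 20
        set name "ZTNA-IPMAC-servers"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "internal-servers"
        set action accept
        set schedule "always"
        set service "HTTPS" "RDP"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set logtraffic all
    next
end
```

The practical difference from the access-proxy mode is that nothing terminates TLS or checks a client certificate here; the decision rests entirely on the IP and MAC addresses EMS reported for tagged endpoints. Use diagnose firewall dynamic list to see the addresses currently populated under the tag, and diagnose endpoint record list to see the endpoint records themselves; if an endpoint's tag changes on EMS but its IP/MAC has not yet been updated on FortiGate, the policy keeps matching the stale entry until the next synchronization.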
Session-based tunnel.
Supports: Browser to FortiGate, FortiClient to FortiGate.
Browser access: log in using the HTTPS hostname or IP address and port number. FortiClient access: uses TCP forwarding rules.
Browser-based access does not require any additional installation.