Zero Trust Network Access (ZTNA)

Protect your virtual server resources with the FortiADC Zero Trust Network Access (ZTNA) access control method that uses client device identification and Zero Trust tags to provide role-based application access. It provides administrators the flexibility to manage network access for On-net local users and Off-net remote users. Access to applications is granted only after verifying the device and user identity, and then performing context-based posture checks using Zero Trust tags.

ZTNA telemetry, tags, and policy enforcement

When On-net and Off-net FortiClient endpoints register to FortiClient EMS, device information, logged-on user information, and security posture are all shared with the EMS server over ZTNA telemetry. Each client also submits a certificate signing request to obtain a client certificate from EMS, which acts as the ZTNA Certificate Authority (CA).

Based on the client information, EMS applies matching Zero Trust tagging rules to tag the clients. These tags and the FortiClient endpoint information (device information, logged-on user information, and security posture) are synchronized to the FortiADC in real time. This allows the FortiADC to verify the client's identity using the client certificate, and to grant access based on the ZTNA tags referenced in the ZTNA security rule. Because the tags are re-synchronized as EMS re-evaluates an endpoint, the access decision reflects the endpoint's current posture, not only the state at the time the certificate was issued.

For more information, see How device identity and trust context is established with FortiClient EMS.
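The two checks described above, a client certificate that chains to the EMS ZTNA CA and a tag match against the ZTNA rule, as an added example that is not FortiADC's or EMS's own code. It uses openssl to stand in for the EMS CA (certificate issuance from a CSR) and for the FortiADC verification step, and a constructed endpoint/tag table to stand in for the records synchronized from EMS. The subject names, tag names, and the use of the certificate subject CN as the lookup key are assumptions made for the example; the page does not state how FortiADC maps a certificate to an endpoint record.

```shell
#!/bin/sh
# Added example: models EMS-as-CA issuance and the FortiADC-side checks with
# openssl. Names, tags and the CN-based lookup are assumptions for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- EMS acting as the ZTNA CA (self-signed, constructed for the example) ---
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/ems-ca.key" -out "$WORK/ems-ca.crt" -days 30 \
  -subj "/CN=EMS ZTNA CA" >/dev/null 2>&1

# --- FortiClient endpoint: generates a key and a CSR, EMS signs it ---
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" \
  -subj "/CN=laptop-01" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ems-ca.crt" \
  -CAkey "$WORK/ems-ca.key" -CAcreateserial -out "$WORK/client.crt" \
  -days 7 >/dev/null 2>&1

# --- A self-signed certificate with the same CN from an unrelated issuer ---
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" -days 7 \
  -subj "/CN=laptop-01" >/dev/null 2>&1

# Constructed stand-in for the endpoint/tag table synchronized from EMS:
# one line per endpoint, "<cert CN> <comma-separated Zero Trust tags>".
ENDPOINTS='laptop-01 Managed,AV-Running,Disk-Encrypted
laptop-02 Managed'

# verify_client_cert CERT: 0 only if CERT chains to the EMS CA (identity check).
verify_client_cert() {
  openssl verify -CAfile "$WORK/ems-ca.crt" "$1" >/dev/null 2>&1
}

# cert_cn CERT: subject CN, used here as the key into the endpoint table.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//; s/^CN=//'
}

# tags_of CN: tags EMS synchronized for that endpoint (empty if unknown).
tags_of() {
  printf '%s\n' "$ENDPOINTS" | awk -v cn="$1" '$1 == cn { print $2 }'
}

# has_all_tags CN TAG...: 0 if the endpoint carries every tag the rule requires.
# An endpoint absent from the table has no tags and therefore never matches.
has_all_tags() {
  cn="$1"; shift
  tags=",$(tags_of "$cn"),"
  for t in "$@"; do
    case "$tags" in *",$t,"*) ;; *) return 1 ;; esac
  done
  return 0
}

# ztna_decide CERT TAG...: "allow" only when the certificate is EMS-issued AND
# the synchronized tags satisfy the rule; otherwise a specific deny reason.
ztna_decide() {
  cert="$1"; shift
  if ! verify_client_cert "$cert"; then
    echo deny-untrusted-cert; return 0
  fi
  cn="$(cert_cn "$cert")"
  if has_all_tags "$cn" "$@"; then
    echo allow
  else
    echo deny-tag-mismatch
  fi
}

# Usage: a managed, healthy endpoint passes; the rogue cert is refused before
# tags are even consulted; a stricter rule denies on posture alone.
ztna_decide "$WORK/client.crt" Managed AV-Running
ztna_decide "$WORK/rogue.crt" Managed
ztna_decide "$WORK/client.crt" Managed Admin-Workstation
```

The ordering matters: the certificate check runs first, so an attacker who learns a valid endpoint name but cannot obtain an EMS-issued certificate is rejected without the tag table being consulted, and a valid certificate on an endpoint whose posture has degraded (a tag removed by EMS) is rejected by the second check.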

ZTNA in FortiADC server load balancing

FortiADC ZTNA is a security feature that allows users to securely access Layer 7 HTTPS and TCPS virtual server resources under server load balancing. Once a ZTNA security rule has been configured, it can be referenced by Layer 7 HTTPS and TCPS virtual servers to implement role-based zero trust access, using the client certificate for identification and the ZTNA tags for the security posture check.

The chart below illustrates the FortiADC ZTNA logic flow.

Prerequisites

Before you begin to configure ZTNA on the FortiADC unit, you must have the following:

  • FortiClient EMS running version 7.0.3 or later

  • FortiClient running 7.0.1 or later

  • A FortiADC hardware, VM, or cloud platform that supports FortiClient EMS.

    Supported hardware models:

    • FAD-120F

    • FAD-220F

    • FAD-300F

    • FAD-400F

    • FAD-1200F

    • FAD-2200F

    • FAD-4200F

    • FAD-5000F

    Supported cloud platforms with BYOL (PAYG FortiADC does not support FortiClient EMS):

    • AWS (Amazon Web Services)

    • Microsoft Azure

    • GCP (Google Cloud Platform)

    • OCI (Oracle Cloud Infrastructure)

    • Alibaba Cloud

    Supported VM environments:

    • VMware — ESXi 3.5, 4.x, 5.0, 5.1, 5.5, 6.0, 6.5, 6.7, 7.0

    • Microsoft Hyper-V — Windows Server 2012 R2, 2016 and 2019

    • KVM — Linux kernel 3.19.0, qemu-img v2.0.0 or v2.2

    • Citrix Xen — XenServer 6.5.0

    • Xen Project Hypervisor — 4.4.2, 4.5

    Note: The most recent certificate embedded license is required. If your license was issued prior to April 2021, please obtain a new certificate embedded license for your VM through Fortinet Customer Service & Support.

  • Read-Write access permission for FortiADC Systems settings

Basic ZTNA configuration

To deploy FortiADC ZTNA, follow the basic workflow below:

  1. Configure a FortiClient EMS connector to register your FortiADC device as a Fabric Device in the FortiClient EMS. For details, see Configuring FortiClient EMS Connector for ZTNA.
  2. Verify the information synchronized to FortiADC from FortiClient EMS. For details, see Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS.
  3. Configure a ZTNA profile to define the ZTNA rules. For details, see Configuring a ZTNA Profile.
  4. Apply the Security ZTNA profile to a Layer 7 HTTPS or TCPS virtual server to activate ZTNA for server load balancing. Ensure the corresponding Client SSL profile has client certificate verification enabled; without it, the virtual server never requests the client certificate that the ZTNA rule relies on for identification. For details, see Configuring virtual servers and Configuring client SSL profiles.
  5. Optionally, enable security logging for ZTNA.
