
ZTNA

The following lists the general zero trust network access (ZTNA) attributes:

<forticlient_configuration>
  <ztna>
    <enabled>1</enabled>
    <allow_personal_rules>1</allow_personal_rules>
    <rules>
      <rule>
        <name>ssh</name>
        <destination>10.100.77.8:22</destination>
        <gateway>172.17.80.79:443</gateway>
        <mode>transparent</mode>
        <local_port>7788</local_port>
        <encryption>1</encryption>
      </rule>
    </rules>
    <portals>
      <portal>
        <addr>192.168.3.101:4443</addr>
        <query_interval_m>3</query_interval_m>
      </portal>
      <portal>
        <addr>172.17.80.3:8443</addr>
        <query_interval_m>3</query_interval_m>
      </portal>
    </portals>
  </ztna>
</forticlient_configuration>

The following describes each ZTNA XML tag, with its description and, where applicable, its default value.

<enabled>

    Enable ZTNA.

    You can use FortiClient to create a secure encrypted connection to protected applications without using VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection via HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and checks other endpoint information that EMS provides to the FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access as applicable.

    For TCP forwarding to non-web-based applications, you must define ZTNA connection rules using the <rules><rule> elements below.

    Default value: Boolean value: [0 | 1]

<allow_personal_rules>

    Allow end users to configure personal ZTNA destinations. Set this to 0 if only EMS-provisioned destinations should be reachable through FortiClient.

    Default value: Boolean value: [0 | 1]

<rules><rule> elements

<name>

    Enter the desired rule name.

<destination>

    Enter the IP address/FQDN and port of the destination host in the format <IP address or FQDN>:<port>.

<gateway>

    Enter the FortiGate access IP address and port in the format <IP address or FQDN>:<port>.

<mode>

    Enter transparent. This element only supports transparent mode.

<encryption>

    Enable encryption. When encryption is enabled, traffic between FortiClient and the FortiGate is always encrypted, even if the original traffic has already been encrypted. When encryption is disabled, traffic between FortiClient and the FortiGate is not encrypted, so the application data crosses the network in the clear unless the application protocol itself is encrypted end to end (for example, the SSH rule in the sample above). Disable it only for such already-encrypted destinations.

    Default value: Boolean value: [0 | 1]

<portals> elements

    In FortiOS 7.2.1, the ZTNA service portal was added to allow the FortiGate to publish ZTNA services directly to FortiClients. This allows FortiClient to retrieve the list of ZTNA services directly through the service portal without them being pushed from FortiClient EMS.

    You can use the following elements to provision a ZTNA service portal gateway list to FortiClient, which consists of the address of the FortiGate access portal(s). Once FortiClient connects to the service portal gateway, it can retrieve the ZTNA service list containing the applications published by the FortiGate.

<portal><addr>

    Configure the address of the FortiGate ZTNA access portal in <IP address>:<port> format.

<portal><query_interval_m>

    Configure the number of minutes for the interval at which FortiClient queries the ZTNA service portal.
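The following lint script is an added example, not Fortinet code: it parses a <forticlient_configuration> fragment with the standard library and checks the elements documented above (<enabled>, <allow_personal_rules>, each <rules><rule>, and each <portals><portal>) for the formats this page requires, and flags a rule that disables encryption toward a destination port whose protocol is not itself encrypted. The sample XML from this page and a constructed weak variant are embedded inline; the set of ports treated as already encrypted is an assumption of the example, not a Fortinet setting.

```python
"""Lint a FortiClient ZTNA <forticlient_configuration> XML fragment.

Added example (not Fortinet code). Checks the elements documented on this
page: <enabled>, <allow_personal_rules>, <rules><rule> (<name>,
<destination>, <gateway>, <mode>, <encryption>) and <portals><portal>
(<addr>, <query_interval_m>). Unknown elements such as <local_port> are
left alone.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption for this example: destination ports whose application protocol
# is encrypted end to end, so <encryption>0</encryption> only avoids double
# encryption instead of exposing cleartext between FortiClient and FortiGate.
ALREADY_ENCRYPTED_PORTS = {22, 443, 636, 993, 995}

# <IP address or FQDN>:<port>; IPv4 or hostname only (IPv6 has its own colons).
_HOSTPORT = re.compile(r"^(?P<host>[^:\s]+):(?P<port>\d{1,5})$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
                       r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def parse_hostport(value):
    """Return (host, port) for 'host:port', or None if the value is malformed."""
    m = _HOSTPORT.match((value or "").strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not _HOSTNAME.match(host):
            return None
    return host, port


def _bool(elem, tag, findings, where):
    """Read a 0/1 element; record a finding and return None if it is not one."""
    text = (elem.findtext(tag) or "").strip()
    if text not in ("0", "1"):
        findings.append(f"{where}: <{tag}> must be 0 or 1")
        return None
    return text == "1"


def lint_ztna(xml_text):
    """Return a list of findings; an empty list means the fragment passes."""
    findings = []
    root = ET.fromstring(xml_text)
    ztna = root.find("ztna")
    if root.tag != "forticlient_configuration" or ztna is None:
        return ["root must be <forticlient_configuration> containing <ztna>"]

    _bool(ztna, "enabled", findings, "ztna")
    if _bool(ztna, "allow_personal_rules", findings, "ztna"):
        findings.append("ztna: allow_personal_rules=1 lets end users add their own ZTNA destinations")

    names = set()
    for i, rule in enumerate(ztna.findall("rules/rule")):
        name = (rule.findtext("name") or "").strip()
        where = f"rule[{i}] {name or '<unnamed>'}"
        if not name:
            findings.append(f"{where}: missing <name>")
        elif name in names:
            findings.append(f"{where}: duplicate rule name")
        names.add(name)
        dest = parse_hostport(rule.findtext("destination"))
        if dest is None:
            findings.append(f"{where}: <destination> must be <IP address or FQDN>:<port>")
        if parse_hostport(rule.findtext("gateway")) is None:
            findings.append(f"{where}: <gateway> must be <IP address or FQDN>:<port>")
        if (rule.findtext("mode") or "").strip() != "transparent":
            findings.append(f"{where}: <mode> only supports transparent")
        enc = _bool(rule, "encryption", findings, where)
        if enc is False and dest is not None and dest[1] not in ALREADY_ENCRYPTED_PORTS:
            findings.append(f"{where}: encryption=0 sends port {dest[1]} traffic to the FortiGate in cleartext")

    for i, portal in enumerate(ztna.findall("portals/portal")):
        where = f"portal[{i}]"
        addr = parse_hostport(portal.findtext("addr"))
        if addr is None:
            findings.append(f"{where}: <addr> must be <IP address>:<port>")
        else:
            try:
                ipaddress.ip_address(addr[0])
            except ValueError:
                findings.append(f"{where}: <addr> host must be an IP address")
        interval = (portal.findtext("query_interval_m") or "").strip()
        if not interval.isdigit() or int(interval) < 1:
            findings.append(f"{where}: <query_interval_m> must be a positive number of minutes")
    return findings


# Sample from this page (passes apart from the personal-rules notice).
PAGE_SAMPLE = """<forticlient_configuration><ztna>
<enabled>1</enabled><allow_personal_rules>1</allow_personal_rules>
<rules><rule><name>ssh</name><destination>10.100.77.8:22</destination>
<gateway>172.17.80.79:443</gateway><mode>transparent</mode>
<local_port>7788</local_port><encryption>1</encryption></rule></rules>
<portals><portal><addr>192.168.3.101:4443</addr><query_interval_m>3</query_interval_m></portal>
<portal><addr>172.17.80.3:8443</addr><query_interval_m>3</query_interval_m></portal></portals>
</ztna></forticlient_configuration>"""

# Constructed weak variant: cleartext HTTP with encryption off, unsupported
# mode, duplicate name, destination without a port, FQDN portal, zero interval.
WEAK_SAMPLE = """<forticlient_configuration><ztna>
<enabled>1</enabled><allow_personal_rules>0</allow_personal_rules>
<rules><rule><name>intranet-http</name><destination>intranet.example.internal:80</destination>
<gateway>172.17.80.79:443</gateway><mode>forwarding</mode><encryption>0</encryption></rule>
<rule><name>intranet-http</name><destination>10.100.77.9</destination>
<gateway>172.17.80.79:443</gateway><mode>transparent</mode><encryption>1</encryption></rule></rules>
<portals><portal><addr>portal.example.internal:4443</addr><query_interval_m>0</query_interval_m></portal></portals>
</ztna></forticlient_configuration>"""

if __name__ == "__main__":
    for label, doc in (("page sample", PAGE_SAMPLE), ("weak sample", WEAK_SAMPLE)):
        print(f"== {label}")
        for f in lint_ztna(doc) or ["OK"]:
            print("  " + f)
```

Run it against an EMS-exported fragment to catch rules that quietly turn off encryption for a cleartext protocol, or a <mode> value other than transparent, before the profile is pushed to endpoints.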
