ZTNA

The following lists zero trust network access (ZTNA) general attributes:

<forticlient_configuration>
    <ztna>
        <enabled>1</enabled>
        <allow_personal_rules>1</allow_personal_rules>
        <gateways_enabled>1</gateways_enabled>
        <notify_on_error>1</notify_on_error>
        <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
        <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
        <save_password>1</save_password>
        <proxy_mode>4</proxy_mode>
        <fqdn_exceptions>www.example.com</fqdn_exceptions>
        <azure_auto_login>
            <enabled>1</enabled>
            <azure_app>
                <client_id>997e.....400b5ca</client_id>
                <tenant_name>f794ab...3866d1</tenant_name>
            </azure_app>
        </azure_auto_login>
        <rules>
            <rule>
                <name>ssh</name>
                <destination>10.100.77.8:22</destination>
                <gateway>172.17.80.79:443</gateway>
                <mode>transparent</mode>
                <local_port>7788</local_port>
                <encryption>1</encryption>
                <enable_udp>1</enable_udp>
                <redirect>0</redirect>
            </rule>
        </rules>
        <web_proxy_rules>
            <web_proxy_rule>
                <gateway>example.com:80</gateway>
                <gateway_ip>192.158.1.38</gateway_ip>
            </web_proxy_rule>
        </web_proxy_rules>
    </ztna>
</forticlient_configuration>

The following lists the XML tags for ZTNA, each with its description and, where applicable, its default value:

<enabled>
    Enable ZTNA.
    You can use FortiClient to create a secure encrypted connection to protected applications without using VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection over HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and checks other endpoint information that EMS provides to the FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access as applicable.
    For TCP forwarding to non-web-based applications, you must define ZTNA connection rules using the <rules><rule> elements described below.
    Boolean value: [0 | 1]
    Default value: 1

<allow_personal_rules>
    Allow end users to configure personal ZTNA destinations.
    Boolean value: [0 | 1]
    Default value: 1

<gateways_enabled>
    Allow EMS-pushed ZTNA rules.
    When disabled, users can only configure local ZTNA rules.
    Boolean value: [0 | 1]
    Default value: 1

<notify_on_error>
    Enable or disable the browser error message for ZTNA TCP forwarding failures.
    Boolean value: [0 | 1]
    Default value: 1

<disallow_invalid_server_certificate>
    When this setting is disabled and an invalid server certificate is used, FortiClient allows the user to continue with the invalid certificate.
    When this setting is enabled and an invalid server certificate is used, FortiClient rejects the invalid certificate and stops the connection.
    Boolean value: [0 | 1]
    Default value: 0

<warn_invalid_server_certificate>
    When <disallow_invalid_server_certificate> is disabled:
      • If <warn_invalid_server_certificate> is enabled, an invalid server certificate is used, and FortiClient uses the built-in browser for SAML authentication, FortiClient displays a security warning to the user that installing the certificate may result in a security risk.
      • If <warn_invalid_server_certificate> is disabled, FortiClient does not display a security warning to the user that installing the certificate may result in a security risk.
    When <disallow_invalid_server_certificate> is enabled and an invalid server certificate is used, FortiClient does not display a popup and stops the connection.
    Boolean value: [0 | 1]

<save_password>
    Enable or disable saving of SAML identity provider cookies by the ZTNA SAML authentication browser.
    Boolean value: [0 | 1]
    Default value: 0

<proxy_mode>
    Configure which of the following ZTNA on FortiClient (macOS) uses for network traffic interception and redirection:
      • 4: use the FortiClient (macOS) proxy extension. Otherwise, ZTNA uses the macOS packet filter (pf). This is the solution that Apple officially recommends.
      • 0: use the macOS pf.
    Default value: 0

<fqdn_exceptions>
    Define exceptions for wildcard domains in ZTNA destinations.
    Separate multiple domains with a semicolon. For example, <fqdn_exceptions>www.example.com;www.test.com</fqdn_exceptions>.

<azure_auto_login> elements
    Enable ZTNA automatic login using Microsoft Entra ID by specifying the tenant name and client ID.
    When configured, users logged in to an Entra ID domain on an endpoint are automatically authenticated with the FortiGate (7.6.1 or later) using Entra ID credentials when they attempt to access ZTNA TCP-forwarding traffic. See ZTNA automatic login using Microsoft Entra ID for more details about the FortiOS configuration.

    <enabled>
        Enable or disable ZTNA automatic login using Microsoft Entra ID.
        Boolean value: [0 | 1]

    <azure_app> elements

    <client_id>
        Enter the client ID of the application used to connect with EMS, as collected from the Azure management console.

    <tenant_name>
        Enter the tenant name of the application used to connect with EMS, as collected from the Azure management console.

<rules><rule> elements

    <name>
        Enter the desired rule name.

    <destination>
        Enter the IP address or FQDN and port of the destination host in the format <IP address or FQDN>:<port>. This field does not support entering only a hostname.

    <gateway>
        Enter the FortiGate access IP address and port in the format <IP address or FQDN>:<port>.

    <mode>
        Enter transparent. This element only supports transparent mode.

    <encryption>
        Enable encryption. When encryption is enabled, traffic between FortiClient and the FortiGate is always encrypted, even if the original traffic is already encrypted. When encryption is disabled, traffic between FortiClient and the FortiGate is not encrypted.
        Boolean value: [0 | 1]

    <enable_udp>
        Enable ZTNA for UDP traffic. When enabled, FortiClient applies ZTNA to both UDP and TCP traffic.
        Boolean value: [0 | 1]

    <redirect>
        Enable to use the default external browser for ZTNA SAML authentication.
        Disable to use the FortiClient embedded browser for ZTNA SAML authentication.
        Boolean value: [0 | 1]
        Default value: 0

<web_proxy_rules><web_proxy_rule> elements
    Configure a ZTNA rule for web applications.

    <gateway>
        Enter the web application IP address and port in the format <IP address or FQDN>:<port>. You must enter a port value.

    <gateway_ip>
        If you enter an FQDN in <gateway>, FortiClient populates <gateway_ip> with the resolved IP address. This element mainly ensures that FortiClient retains the data during profile import and export.
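The following Python script is an added example, not Fortinet's code and not part of this reference. It parses the <ztna> section of a FortiClient profile as documented above and audits it for settings an administrator would want to catch before pushing the profile: certificate validation left at its default (an invalid server certificate is not rejected), personal rules allowed, saved identity provider cookies, a <destination> or <gateway> that is not in <IP address or FQDN>:<port> form, a non-transparent <mode>, and a rule with encryption off. The sample profile is constructed from the snippet at the top of this page with one deliberately malformed rule; the helper function names (flag, parse_endpoint, parse_fqdn_exceptions, invalid_cert_behavior, audit_ztna_profile) are the example's own. Where the table gives no default (<warn_invalid_server_certificate>, <encryption>), a missing element is treated as 0, which is an assumption of this example rather than documented behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile, modelled on the <ztna> snippet in this reference.
# The second rule is deliberately malformed (bare hostname, encryption off).
SAMPLE_PROFILE = """<forticlient_configuration>
  <ztna>
    <allow_personal_rules>1</allow_personal_rules>
    <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate>
    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>
    <save_password>1</save_password>
    <proxy_mode>4</proxy_mode>
    <fqdn_exceptions>www.example.com;www.test.com</fqdn_exceptions>
    <rules>
      <rule>
        <name>ssh</name>
        <destination>10.100.77.8:22</destination>
        <gateway>172.17.80.79:443</gateway>
        <mode>transparent</mode>
        <encryption>1</encryption>
      </rule>
      <rule>
        <name>bad-rule</name>
        <destination>intranet</destination>
        <gateway>172.17.80.79:443</gateway>
        <mode>transparent</mode>
        <encryption>0</encryption>
      </rule>
    </rules>
    <web_proxy_rules>
      <web_proxy_rule>
        <gateway>example.com:80</gateway>
      </web_proxy_rule>
    </web_proxy_rules>
  </ztna>
</forticlient_configuration>
"""

def flag(parent, tag, default):
    """Read a Boolean [0 | 1] child element; return the given default if absent."""
    text = parent.findtext(tag)
    if text is None or not text.strip():
        return default
    if text.strip() not in ("0", "1"):
        raise ValueError(f"<{tag}> must be 0 or 1, got {text.strip()!r}")
    return int(text)

def parse_endpoint(value):
    """Validate the '<IP address or FQDN>:<port>' format; a bare hostname is rejected."""
    host, sep, port = value.strip().rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"expected host:port, got {value.strip()!r}")
    return host, int(port)

def parse_fqdn_exceptions(text):
    """Split the semicolon-separated <fqdn_exceptions> list, ignoring empty entries."""
    return [d.strip() for d in text.split(";") if d.strip()]

def invalid_cert_behavior(disallow, warn):
    """Effective FortiClient behaviour on an invalid server certificate, derived from
    the <disallow_invalid_server_certificate> / <warn_invalid_server_certificate> rules."""
    if disallow:
        return "reject"  # connection stopped, no popup
    return "warn-and-continue" if warn else "continue-silently"

def audit_ztna_profile(xml_text):
    """Return a list of findings (strings) for weak or malformed ZTNA settings."""
    ztna = ET.fromstring(xml_text).find("ztna")
    if ztna is None:
        return ["no <ztna> section"]
    findings = []
    # Documented default for disallow is 0; treating a missing warn as 0 is an assumption.
    disallow = flag(ztna, "disallow_invalid_server_certificate", 0)
    warn = flag(ztna, "warn_invalid_server_certificate", 0)
    behaviour = invalid_cert_behavior(disallow, warn)
    if behaviour != "reject":
        findings.append(f"invalid server certificates are not rejected ({behaviour})")
    if flag(ztna, "allow_personal_rules", 1):
        findings.append("end users may add personal ZTNA destinations")
    if flag(ztna, "save_password", 0):
        findings.append("SAML IdP cookies are persisted by the built-in browser")
    for rule in ztna.iter("rule"):
        name = rule.findtext("name", "?")
        for tag in ("destination", "gateway"):
            try:
                parse_endpoint(rule.findtext(tag, ""))
            except ValueError as exc:
                findings.append(f"rule {name}: <{tag}> {exc}")
        if rule.findtext("mode", "").strip() != "transparent":
            findings.append(f"rule {name}: <mode> must be transparent")
        # No default is documented for <encryption>; a missing element is treated as 0.
        if not flag(rule, "encryption", 0):
            findings.append(f"rule {name}: FortiClient-to-FortiGate traffic not encrypted")
    for wrule in ztna.iter("web_proxy_rule"):
        try:
            parse_endpoint(wrule.findtext("gateway", ""))
        except ValueError as exc:
            findings.append(f"web proxy rule: <gateway> {exc}")
    return findings
```

Running audit_ztna_profile(SAMPLE_PROFILE) yields five findings: the certificate setting (warn-and-continue rather than reject), personal rules allowed, saved IdP cookies, the bare-hostname destination in bad-rule, and bad-rule's disabled encryption. The certificate check is the one worth treating as blocking in practice: with the documented default of 0 for <disallow_invalid_server_certificate>, a user can accept an invalid gateway certificate and continue, so a profile intended to enforce validation should set it to 1.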
