
Administration Guide

ZTNA SaaS application access control with Inline CASB

The FortiGate ZTNA application gateway can be configured to act as an inline cloud access security broker (CASB) by providing access control to software-as-a-service (SaaS) traffic using ZTNA access control rules and an inline CASB profile. A CASB sits between users and their cloud service to enforce security policies as they access cloud-based resources.

The following components are required to use the ZTNA inline CASB feature:

  • The FortiGuard Inline CASB Database (ICDB) used by the FortiGate and FortiClient EMS.

    This database includes all FQDNs related to specific SaaS applications and corresponding FortiGuard packages for FortiOS and FortiClient.

  • A FortiGate ZTNA TCP forwarding access proxy configuration that specifies SaaS application destinations using application names defined in the ICDB.

  • ZTNA connection rules for SaaS traffic that are provisioned using FortiClient EMS (version 7.2.2 and later).

  • FortiClient (version 7.2.0 and later) installed on the user's machine to receive the ZTNA connection rules for SaaS traffic from FortiClient EMS.

Syntax

Users can configure the ZTNA application gateway using the SaaS proxy access type and conveniently specify SaaS application destinations by application name or by application group name without needing to manually search for and enter FQDNs specific to each SaaS application. This can be configured in the GUI or in the CLI.

To configure a ZTNA server mapping to use SaaS in the GUI, follow the procedure in the Example section below: create a Traffic Forwarding Server, a Destination of type SaaS, an Inline-CASB profile, and a ZTNA policy that references them.

To configure a ZTNA application gateway to use SaaS in the CLI:
config firewall access-proxy
    edit <name>
        config api-gateway
            edit <ID>
                set url-map "/saas"
                set service saas
                set application <app 1> [app 2] ...
            next
        end
    next
end

Example

In this example, the FortiGate is configured as a ZTNA application gateway with a VIP of 10.0.3.15 and uses the SaaS access proxy type. SaaS application Gmail is allowed, but the action of uploading an attachment on Gmail is blocked.

To configure the ZTNA server object in the GUI:
  1. Go to Policy & Objects > ZTNA > Traffic Forwarding > Traffic Forwarding Server.

  2. Click Create new.

  3. Set Name to ZTNA-SaaS-Access.

  4. Set Host to 10.0.3.15.

  5. Set ZTNA port to Create new and configure the following:

    Option                Value
    Interface             port3
    IP Address            10.0.3.15
    Port                  443
    Default Certificate   This example uses a wildcard certificate with a Common Name (CN) of *.ztnademo.com. The endpoints that will access the ZTNA port must trust this certificate.
    Name                  SaaS:443

    Verify that the IP address and port do not conflict with management access to the interface. Otherwise, change the IP address to another address on that subnet.

  6. Click OK.

  7. Go to Policy & Objects > ZTNA > Traffic Forwarding > Destination.

  8. Click Create new and configure the following:

    Option              Value
    Name                SaaS
    Type                SaaS
    SaaS Application    gmail
    Protocol            ALL

  9. Click OK.

To configure the Inline CASB profile in the GUI:
  1. Go to System > Feature Visibility.

  2. Under Security Features, enable Inline-CASB.

  3. Go to Security Profiles > Inline-CASB and click Create new.

  4. Name the new profile Gmail-CASB.

  5. In the SaaS Applications table, click Create new.

  6. In Select application, select Gmail.

  7. Click Next.

  8. In Privilege control, right-click the entry for the file upload activity (the activity this example blocks) and select Block.

  9. Click OK.

  10. Click OK.

To configure the ZTNA policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create new and configure the following:

    Option                  Value
    Name                    ZTNA-SaaS-Access
    Type                    ZTNA
    Incoming Interface      WAN (port3)
    Source                  All
    User/group              <include, if needed>
    Security posture tag    <include, if needed>
    ZTNA port               SaaS:443
    ZTNA destination        SaaS
    Inline-CASB             Gmail-CASB
    SSL inspection          custom-deep-inspection
    Log allowed traffic     All sessions

  3. Click OK.

  4. Click OK to confirm the use of full SSL Inspection. Ensure that your clients trust the CA that is used in the SSL Inspection profile.

Optionally, if the ZTNA policy requires user authentication (set users or set groups), also configure the authentication scheme and authentication rule (see Applying user authentication in the ZTNA Deployment guide).

Before connecting, the users must have corresponding ZTNA Destinations in FortiClient. In FortiClient EMS, configure SaaS applications in Endpoint Profiles > ZTNA Destinations and push application destinations to FortiClient.

To configure the FortiClient EMS:

This step assumes that the FortiGate to FortiClient EMS connector has already been configured. See Fabric devices in the EMS Administration Guide and Configuring FortiClient EMS.

  1. On FortiClient EMS, go to Endpoint Profiles > ZTNA Destinations.

  2. Edit the Default profile.

  3. Next to Name, click Advanced.

  4. Click the eye icon beside ZTNA Destination Profile to enable this profile to be viewed on the FortiClient.

  5. Under Rules, click Add. The ZTNA applications dialog is displayed.

  6. Select the gmail application as defined on the FortiGate.

  7. Click Finish.

  8. Click Save. The FortiClient endpoints will synchronize the destination from EMS.

Testing and results

Once connected, the FortiClient retrieves the list of hosted ZTNA services, including the SaaS service, and adds corresponding ZTNA connection rules for the configured SaaS applications.

Connect to Gmail from a browser. The traffic is allowed.

After closing the session, the corresponding traffic logs can be viewed from the FortiGate GUI or from the CLI.

# execute log filter field subtype ztna
# exec log display
1: date=2026-03-31 time=09:06:21 eventtime=1774973182173477239 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=55150 srcintf="port3" srcintfrole="wan" dstcountry="United States" srccountry="Reserved" dstip=142.251.186.95 dstport=443 dstintf="port3" dstintfrole="wan" sessionid=1956 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="HTTPS" proxyapptype="ztna-proxy" proto=6 action="accept" policyid=17 policytype="policy" poluuid="59192848-2d11-51f1-b37c-286a7f89f5af" policyname="ZTNA-SaaS-Access" appcat="unscanned" duration=1 vip="SaaS:443" vipincomingip=10.0.3.15 accessproxy="ZTNA-SaaS-Access" clientdevicemanageable="manageable" clientcert="yes" wanin=0 rcvdbyte=0 wanout=1509 lanin=3852 sentbyte=3852 lanout=3129

Connect to Gmail from a browser again. This time, compose an email and attach a file. This action will be blocked.

After closing the session, the corresponding UTM > CASB logs can be viewed from the FortiGate GUI or from the CLI.

# exec log filter reset
# exec log filter category utm-casb
# exec log display
1: date=2026-03-31 time=09:08:42 eventtime=1774973321505383780 tz="-0700" logid="2500010000" type="utm" subtype="casb" eventtype="casb" level="warning" vd="root" policyid=17 poluuid="59192848-2d11-51f1-b37c-286a7f89f5af" policytype="policy" sessionid=2007 srcip=10.0.3.2 dstip=142.251.116.19 srcport=55181 dstport=443 srcintf="port3" srcintfrole="wan" srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" dstintf="port3" dstintfrole="wan" proto=6 url="https://mail.google.com/_/upload?authuser=0&dcp=asu-n" action="block" profile="Gmail-CASB" saasapp="google-gmail" useractivity="google-gmail-upload-local-file" subaction="monitor" tenantmatch="missed" activitycategory="activity-control" msg="CASB access was blocked because it contained banned activity."
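The two records above are easier to act on when parsed than when read by eye. The following Python is an added example, not part of the FortiOS documentation or of any Fortinet product: it parses FortiGate key=value log lines (handling quoted values that contain spaces or '=' characters, such as dstcountry, msg and the url field), then joins each CASB block event to the ZTNA traffic record that shares its poluuid so that the finding carries the policy and access proxy names. It also flags accepted ZTNA sessions whose record does not show a verified client certificate from a manageable device; the meaning assigned to the clientcert and clientdevicemanageable values is an assumption stated in the code. The sample input is the two log lines shown above, copied verbatim; no other field names or values are assumed.

```python
"""Parse FortiGate ZTNA traffic and UTM/CASB log records and correlate them.

Added example, not FortiOS or FortiClient code. The two sample records are the
log lines from the Testing and results section, copied verbatim.
"""
import re
from typing import Dict, List

# One key=value field. The value is either a double-quoted string, which may
# contain spaces, '=', '&' and '?' (see dstcountry, msg and url), or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Record index that `execute log display` prints in front of each line ("1: ").
_INDEX_RE = re.compile(r'^\s*\d+:\s*')

SAMPLE_TRAFFIC_LOG = (
    '1: date=2026-03-31 time=09:06:21 eventtime=1774973182173477239 tz="-0700" logid="0005000024" '
    'type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=55150 '
    'srcintf="port3" srcintfrole="wan" dstcountry="United States" srccountry="Reserved" '
    'dstip=142.251.186.95 dstport=443 dstintf="port3" dstintfrole="wan" sessionid=1956 '
    'srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="HTTPS" proxyapptype="ztna-proxy" '
    'proto=6 action="accept" policyid=17 policytype="policy" '
    'poluuid="59192848-2d11-51f1-b37c-286a7f89f5af" policyname="ZTNA-SaaS-Access" '
    'appcat="unscanned" duration=1 vip="SaaS:443" vipincomingip=10.0.3.15 '
    'accessproxy="ZTNA-SaaS-Access" clientdevicemanageable="manageable" clientcert="yes" '
    'wanin=0 rcvdbyte=0 wanout=1509 lanin=3852 sentbyte=3852 lanout=3129\n'
)

SAMPLE_CASB_LOG = (
    '1: date=2026-03-31 time=09:08:42 eventtime=1774973321505383780 tz="-0700" logid="2500010000" '
    'type="utm" subtype="casb" eventtype="casb" level="warning" vd="root" policyid=17 '
    'poluuid="59192848-2d11-51f1-b37c-286a7f89f5af" policytype="policy" sessionid=2007 '
    'srcip=10.0.3.2 dstip=142.251.116.19 srcport=55181 dstport=443 srcintf="port3" '
    'srcintfrole="wan" srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" dstintf="port3" '
    'dstintfrole="wan" proto=6 url="https://mail.google.com/_/upload?authuser=0&dcp=asu-n" '
    'action="block" profile="Gmail-CASB" saasapp="google-gmail" '
    'useractivity="google-gmail-upload-local-file" subaction="monitor" tenantmatch="missed" '
    'activitycategory="activity-control" '
    'msg="CASB access was blocked because it contained banned activity."\n'
)


def parse_record(line: str) -> Dict[str, str]:
    """Parse one log line into a dict, stripping the index and the value quotes."""
    body = _INDEX_RE.sub('', line.strip())
    record: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the multi-line output of `execute log display`."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def casb_block_findings(traffic: List[Dict[str, str]],
                        casb: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Join each blocked CASB activity to the ZTNA traffic record sharing its
    poluuid, so the finding names the policy and access proxy involved."""
    ztna_by_policy = {r['poluuid']: r for r in traffic
                      if r.get('subtype') == 'ztna' and 'poluuid' in r}
    findings = []
    for r in casb:
        if r.get('subtype') != 'casb' or r.get('action') != 'block':
            continue
        ztna = ztna_by_policy.get(r.get('poluuid', ''), {})
        findings.append({
            'time': f"{r.get('date', '')} {r.get('time', '')}",
            'srcip': r.get('srcip', ''),
            'policy': ztna.get('policyname', r.get('policyid', '')),
            'access_proxy': ztna.get('accessproxy', ''),
            'profile': r.get('profile', ''),
            'saasapp': r.get('saasapp', ''),
            'activity': r.get('useractivity', ''),
            'url': r.get('url', ''),
            'tenantmatch': r.get('tenantmatch', ''),
        })
    return findings


def unverified_ztna_sessions(traffic: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag accepted ZTNA sessions that lack a verified client certificate from a
    manageable (EMS-registered) device. Assumption: any clientcert value other
    than "yes" means the device certificate was not presented or not verified."""
    return [r for r in traffic
            if r.get('subtype') == 'ztna' and r.get('action') == 'accept'
            and (r.get('clientcert') != 'yes'
                 or r.get('clientdevicemanageable') != 'manageable')]


if __name__ == '__main__':
    traffic = parse_log(SAMPLE_TRAFFIC_LOG)
    casb = parse_log(SAMPLE_CASB_LOG)
    for f in casb_block_findings(traffic, casb):
        print(f"{f['time']} {f['srcip']} blocked {f['activity']} on {f['saasapp']} "
              f"via policy {f['policy']} (profile {f['profile']}, tenantmatch={f['tenantmatch']})")
    print(f"{len(unverified_ztna_sessions(traffic))} accepted ZTNA session(s) "
          "without a verified client certificate")
```

Run it against saved output of the two `execute log display` commands, or feed it syslog-forwarded records: the parser only depends on the key=value layout, not on the record index. The join on poluuid rather than policyid is deliberate, since policy IDs are reused after a policy is deleted and recreated while the UUID is not.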
