Administration Guide

ZTNA

Zero Trust Network Access (ZTNA) is an access control method that uses client device identification, authentication, and Zero Trust tags to provide role-based application access. It gives administrators the flexibility to manage network access for on-net local users and off-net remote users. Access to an application is granted only after the device is verified, the user's identity is authenticated, the user is authorized, and context-based posture checks are performed using Zero Trust tags.

Traditionally, a user and a device have different sets of rules for on-net access and for off-net VPN access to company resources. With a distributed workforce and access that spans company networks, data centers, and the cloud, managing these rules becomes complex. User experience also suffers when multiple VPNs are needed to reach different resources.

Full ZTNA and IP/MAC filtering

ZTNA has two modes, Full ZTNA and IP/MAC filtering:

  • Full ZTNA allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by removing the need for a VPN tunnel.
  • IP/MAC filtering uses ZTNA tags as an additional factor for device identification and security posture checking, so that role-based zero trust access can be enforced on traffic that does not pass through the access proxy.

ZTNA telemetry, tags, and policy enforcement

When on-net and off-net FortiClient endpoints register to FortiClient EMS, device information, logged-on user information, and security posture are all shared with the EMS server over ZTNA telemetry. Each client also submits a certificate signing request to obtain a client certificate from EMS, which acts as the ZTNA Certificate Authority (CA).

Based on the client information, EMS applies matching Zero Trust tagging rules to tag the clients. These tags, together with the client certificate information, are synchronized with the FortiProxy unit in real time. This allows the FortiProxy unit to verify the client's identity using the client certificate, and to grant access based on the ZTNA tags referenced by the ZTNA rule.

EMS ZTNA and endpoint tags are displayed in the Device Inventory widget, FortiClient widget, and the Asset Identity Center page. In the backend, EMS ZTNA tags, endpoint tags, and EMS serial numbers are in the user device query API and response.

Note

The ZTNA tag name can be used as a search criterion in the Asset view of the Asset Identity Center page.

Access proxy

The FortiProxy access proxy can proxy HTTP and TCP traffic over secure HTTPS connections with the client. This enables seamless access from the client to the protected servers, without needing to form IPsec or SSL VPN tunnels.

HTTPS access proxy

The FortiProxy HTTPS access proxy works as a reverse proxy for the protected web server. When a client connects to a webpage hosted by the protected server, the server name resolves to the FortiProxy unit's access proxy VIP. The FortiProxy unit proxies the connection and authenticates the client in steps. It first requests the client certificate from the browser and verifies it against the ZTNA endpoint record synchronized from EMS. If an authentication scheme, such as SAML authentication, is configured, the client is then redirected to a captive portal for sign-on. If these checks pass, traffic is allowed according to the ZTNA rules, and the FortiProxy unit returns the webpage to the client.

TCP forwarding access proxy (TFAP)

TCP forwarding access proxy works as a special type of HTTPS reverse proxy. Instead of proxying traffic to a web server, TCP traffic is tunneled between the client and the access proxy over HTTPS and then forwarded to the protected resource. The FortiClient endpoint configures the ZTNA connection by pointing at the proxy gateway and specifying the destination host it wants to reach. An HTTPS connection is made to the FortiProxy unit's access proxy VIP, where the client certificate is verified and access is granted according to the ZTNA rules. The FortiProxy unit forwards the TCP traffic to the protected resource, and an end-to-end connection is established.

Basic requirements for ZTNA configuration

The following are the basic requirements for configuring full ZTNA on the FortiProxy unit:

  • FortiClient EMS fabric connector and ZTNA tags
  • FortiClient EMS running version 7.0.0 or later
  • FortiClient running version 7.0.0 or later
  • ZTNA server
  • ZTNA rule
  • Firewall policy

For configuration details, see Basic ZTNA configuration.
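The fragment below is an added illustration written for this page; it is not the configuration from the Basic ZTNA configuration page or from Fortinet. It ties together the HTTPS access proxy and TCP forwarding access proxy sections above with the requirements list: one access proxy VIP serves both an HTTPS reverse proxy gateway and a TFAP gateway, and a ZTNA rule admits only endpoints that carry an EMS tag. The keywords follow the FortiOS 7.0 ZTNA CLI model, which FortiProxy shares for these objects, but they should be confirmed against the FortiProxy CLI reference for your version, and every interface, address, certificate, object and tag name is a placeholder.

```fortios
# Added example (not from the page): Full ZTNA on FortiProxy with one access proxy
# VIP serving both an HTTPS reverse proxy (HTTPS access proxy) and a TCP forwarding
# gateway (TFAP). All names, addresses and tag names are assumed placeholders.

# 1. EMS fabric connector: EMS is the ZTNA CA and the source of Zero Trust tags.
#    Pulling tags is what makes the EMS_ZTNA_* dynamic address objects appear.
config endpoint-control fctems
    edit "ems1"
        set server "ems.example.com"
        set pull-tags enable
    next
end

# 2. Access proxy VIP: the address the protected application names resolve to.
config firewall vip
    edit "ztna-vip"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "ztna-server-cert"
    next
end

# Address object for the TCP forwarding target (assumed RDP host).
config firewall address
    edit "rdp-server"
        set subnet 10.88.0.30 255.255.255.255
    next
end

# 3. Access proxy: require the EMS-issued client certificate and fail closed when
#    none is presented. Gateway 1 is the HTTPS reverse proxy, gateway 2 is TFAP.
config firewall access-proxy
    edit "ztna-proxy"
        set vip "ztna-vip"
        set client-cert enable
        set empty-cert-action block
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.88.0.20
                        set port 443
                    next
                end
            next
            edit 2
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "rdp-server"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end

# 4. ZTNA rule: only endpoints carrying the assumed "Compliant" EMS tag are admitted.
#    The tag is referenced through the dynamic address EMS synchronizes (name assumed).
config firewall proxy-policy
    edit 1
        set name "ztna-compliant-only"
        set proxy access-proxy
        set access-proxy "ztna-proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set action accept
        set logtraffic all
    next
end

# 5. Firewall policy that lets client traffic reach the VIP and the servers behind it.
config firewall policy
    edit 1
        set name "ztna-to-servers"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "ztna-vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two checks are worth running once this is in place. A browser with no FortiClient certificate opening https://203.0.113.10/ should be rejected at the certificate prompt rather than reaching 10.88.0.20, which confirms that the proxy fails closed; a tagged endpoint should reach the page, and a FortiClient ZTNA connection to the gateway with 10.88.0.30:3389 as the destination should produce a working RDP session. With logtraffic set to all on the ZTNA rule, the proxy logs show which tag and certificate each decision was based on, which is the quickest way to tell a missing tag from a missing certificate.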
