
Administration Guide

Zero Trust Network Access (ZTNA)

Protect your applications with the FortiWeb Zero Trust Network Access (ZTNA) access control method that uses client device identification and Zero Trust tags to provide role-based application access. It provides administrators the flexibility to manage network access for On-net local users and Off-net remote users. Access to applications is granted only after verifying the device and user identity, and then performing context-based posture checks using Zero Trust tags.

ZTNA telemetry, tags, and policy enforcement

  1. When On-net and Off-net FortiClient endpoints register to FortiClient EMS, the device information, logged on user information, and security posture are all shared over ZTNA telemetry with the FortiClient EMS server.
  2. Clients make a certificate signing request to obtain a client certificate from the FortiClient EMS that is acting as the ZTNA Certificate Authority (CA).
  3. FortiClient EMS issues and signs the client certificate with the FortiClient UID, certificate serial number, and EMS serial number. Then it applies matching Zero Trust tagging rules to tag the clients for role-based application access. These tags and the client certificate information are synchronized with the FortiWeb in real-time.
  4. FortiWeb verifies the client's identity using the client certificate, and grants access based on the ZTNA tags applied in the ZTNA profile.
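The following Python script is an added illustration of the decision FortiWeb makes in step 4; it is not Fortinet code and it does not use real X.509 certificates. An HMAC over the certificate fields stands in for the EMS CA signature, and the EMS serial, FortiClient UIDs, certificate serials, tags and ZTNA profile rules are all constructed values. What it shows is the ordering the page describes: establish identity first (certificate signed by the trusted EMS CA, issued by the expected EMS, UID known from the synchronized endpoint list, certificate serial matching the synced record), and only then evaluate posture by comparing the endpoint's Zero Trust tags against the tags the ZTNA profile requires for the application.

```python
"""Simulated FortiWeb-side ZTNA decision: verify the client certificate against
the EMS CA synced from FortiClient EMS, then match the endpoint's Zero Trust
tags against the ZTNA profile. Added illustration, not Fortinet code; the
'signing' is an HMAC stand-in for X.509 and all data below is constructed."""

import hashlib
import hmac
import json

# Constructed stand-in for the EMS CA signing key. FortiWeb only needs the
# verification side; EMS holds the key that issues client certificates.
EMS_CA_KEY = b"constructed-ems-ca-key"
EMS_SERIAL = "FCTEMS0000000001"  # constructed EMS serial number


def ems_issue_cert(uid: str, serial: int, key: bytes = EMS_CA_KEY) -> dict:
    """Simulate EMS issuing a client certificate that carries the FortiClient
    UID, the certificate serial number and the EMS serial number."""
    subject = {"uid": uid, "serial": serial, "ems_serial": EMS_SERIAL}
    tbs = json.dumps(subject, sort_keys=True).encode()
    sig = hmac.new(key, tbs, hashlib.sha256).hexdigest()
    return {"subject": subject, "signature": sig}


def verify_cert(cert: dict, ca_key: bytes) -> bool:
    """Check that the certificate was signed by the EMS CA FortiWeb trusts."""
    tbs = json.dumps(cert["subject"], sort_keys=True).encode()
    expected = hmac.new(ca_key, tbs, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])


# Constructed snapshot of what EMS synchronizes to FortiWeb: per-endpoint
# certificate serial and the Zero Trust tags EMS applied to that endpoint.
SYNCED_ENDPOINTS = {
    "uid-alice-laptop": {"cert_serial": 1001,
                         "tags": {"Managed", "AV-Running", "Disk-Encrypted"}},
    "uid-bob-desktop": {"cert_serial": 1002, "tags": {"Managed"}},
}

# Constructed ZTNA profile: access to an application is granted only when the
# endpoint carries every tag listed for it.
ZTNA_PROFILE = {
    "hr-portal": {"Managed", "AV-Running", "Disk-Encrypted"},
    "wiki": {"Managed"},
}


def ztna_decision(cert: dict, app: str,
                  ca_key: bytes = EMS_CA_KEY,
                  endpoints: dict = SYNCED_ENDPOINTS,
                  profile: dict = ZTNA_PROFILE) -> tuple:
    """Return (allow, reason). Identity is established first (signature, UID
    known to EMS, serial matches the synced record), then posture via tags."""
    if not verify_cert(cert, ca_key):
        return False, "client certificate not signed by trusted EMS CA"
    subj = cert["subject"]
    if subj.get("ems_serial") != EMS_SERIAL:
        return False, "certificate issued by a different EMS"
    record = endpoints.get(subj.get("uid"))
    if record is None:
        return False, "FortiClient UID not registered with EMS"
    if record["cert_serial"] != subj.get("serial"):
        return False, "certificate serial does not match synced record (stale or reissued cert)"
    required = profile.get(app)
    if required is None:
        return False, "no ZTNA rule for application"
    missing = required - record["tags"]
    if missing:
        return False, f"posture check failed, missing tags: {sorted(missing)}"
    return True, "identity verified and all required tags present"


if __name__ == "__main__":
    alice = ems_issue_cert("uid-alice-laptop", 1001)
    bob = ems_issue_cert("uid-bob-desktop", 1002)
    for cert, app in [(alice, "hr-portal"), (bob, "hr-portal"), (bob, "wiki")]:
        print(cert["subject"]["uid"], app, ztna_decision(cert, app))
```

The serial comparison is the part worth noting when troubleshooting: because EMS synchronizes certificate information to FortiWeb in real time, a certificate that EMS has since reissued for the same endpoint no longer matches the synced record and is refused before any tag is considered, so a "denied" result does not necessarily mean the posture tags are wrong.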

Prerequisites

Before you begin to configure ZTNA on the FortiWeb unit, you must have the following:

  • FortiClient EMS running version 7.0.4 or later

  • FortiClient running 7.0.2 or later

  • The operation mode is Reverse Proxy.

  • The protocol is HTTPS.

  • Ports on the Windows server on which FortiClient EMS is installed:

    • 443: for FortiWeb fabric connection.

    • 8013: for FortiClient connection.

  • Ports on FortiWeb:

    • No interface allow access options are required by ZTNA.

    • Communication with FortiClient EMS is allowed automatically after the EMS Fabric Connector is added and connected.

  • A FortiWeb hardware, VM, or cloud platform that supports FortiClient EMS.

    Supported hardware models (platforms that support certificates signed by CA2):

    • FortiWeb 100E
    • FortiWeb 400E
    • FortiWeb 600E
    • FortiWeb 2000F
    • FortiWeb 3000F
    • FortiWeb 4000F

    Supported cloud platforms with BYOL (PAYG FortiWeb does not support FortiClient EMS):

    • AWS (Amazon Web Services)
    • Microsoft Azure
    • GCP (Google Cloud Platform)
    • OCI (Oracle Cloud Infrastructure)

    Supported VM environments:

    • VMware vSphere Hypervisor ESX/ESXi 4.0/4.1/5.0/5.1/5.5/6.0/6.5/6.7/7.0
    • Citrix XenServer 6.2/6.5/7.1
    • Open source Xen Project (Hypervisor) 4.9 and higher versions
    • Microsoft Hyper-V (version 6.2 or higher, running on Windows 8 or higher, or Windows Server 2012/2016/2019)
    • KVM (Linux kernel 2.6, 3.0, or 3.1)
    • OpenStack Wallaby
    • Nutanix AHV

Basic ZTNA configuration

To deploy ZTNA, follow the basic workflow below:

  1. Configure a FortiClient EMS connector to register your FortiWeb device as a Fabric Device in the FortiClient EMS. For details, see Configuring FortiClient EMS Connector for ZTNA.
  2. Verify the information synchronized to FortiWeb from FortiClient EMS. For details, see Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS.
  3. Configure a ZTNA profile to define the ZTNA rules. For details, see Configuring a ZTNA Profile.
  4. Apply the ZTNA profile to a server policy. For details, see Referencing ZTNA profile in a server policy.

For troubleshooting information, see ZTNA troubleshooting and debugging.