Zero Trust Network Access

The following lists Zero Trust Network Access (ZTNA) general attributes:

<forticlient_configuration>
  <ztna>
    <enabled>1</enabled>
    <rules>
      <rule>
        <name>ssh</name>
        <destination>10.100.77.8:22</destination>
        <gateway>172.17.80.79:443</gateway>
        <mode>transparent</mode>
        <local_port>7788</local_port>
        <encryption>1</encryption>
      </rule>
    </rules>
  </ztna>
</forticlient_configuration>

The following table provides the XML tags for ZTNA, as well as the descriptions and default values where applicable.

XML tag | Description | Default value

<enabled>
  Enable ZTNA.
  FortiClient can create a secure, encrypted connection to protected applications without a VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to set up an HTTPS connection to the FortiGate, presenting a client certificate issued by EMS that carries the FortiClient UID. The FortiGate reads the UID from that certificate to identify the device and looks up the endpoint information that EMS shares with it, which can include further identity and posture information. Based on that information, the FortiGate allows or denies the access.
  For TCP forwarding to non-web-based applications, you must define ZTNA connection rules using the <rules><rule> elements below.
  Default value: Boolean value: [0 | 1]

<rules><rule> elements

<name>
  Enter the desired rule name.

<destination>
  Enter the IP address or FQDN and port of the destination host in the format <IP address or FQDN>:<port>, for example 10.100.77.8:22.

<gateway>
  Enter the FortiGate access IP address or FQDN and port in the format <IP address or FQDN>:<port>, for example 172.17.80.79:443.

<mode>
  Enter transparent. This element supports only transparent mode.

<encryption>
  Enable encryption. When encryption is enabled, traffic between FortiClient and the FortiGate is always encrypted inside the connection to the FortiGate, even if the application traffic is already encrypted (for example, the SSH session in the rule above). When encryption is disabled, the FortiClient-to-FortiGate leg is not encrypted, so only the application's own encryption, if any, protects the traffic on that leg.
  Default value: Boolean value: [0 | 1]
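The tag reference above describes each rule field. The following is an added example, not Fortinet's code, that lints a FortiClient ZTNA profile against those descriptions: it parses the <ztna> section, checks that every <destination> and <gateway> is a well-formed <IP address or FQDN>:<port>, that <mode> is transparent, and flags any rule whose <encryption> is 0 (a cleartext FortiClient-to-FortiGate leg). The function names and the sample profile are this example's own; its second rule is constructed to be deliberately weak so the checks have something to report.

```python
"""Lint a FortiClient ZTNA XML profile for malformed or weak rule settings.

Added example, not Fortinet code. It uses only the tags documented on this page
(<enabled>, <rules>/<rule>, <name>, <destination>, <gateway>, <mode>, <encryption>);
the function names and the sample XML below are this example's own.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Hostname label grammar (RFC 1123), used to validate FQDNs in <destination>/<gateway>.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_endpoint(value):
    """Split '<IP address or FQDN>:<port>' into (host, port); raise ValueError if malformed."""
    host, sep, port_text = (value or "").strip().rpartition(":")
    if not sep or not host:
        raise ValueError("expected <host>:<port>")
    port = int(port_text)  # ValueError on a non-numeric port
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: accept only a syntactically valid FQDN.
        if not all(_LABEL.match(label) for label in host.split(".")):
            raise ValueError("host is neither an IP address nor a valid FQDN")
    return host, port


def lint_ztna_config(xml_text):
    """Return a list of (rule_name, finding) tuples; an empty list means the profile passed."""
    findings = []
    root = ET.fromstring(xml_text)
    ztna = root.find("ztna")
    if ztna is None:
        return [("-", "no <ztna> element")]
    if (ztna.findtext("enabled") or "0").strip() != "1":
        findings.append(("-", "<enabled> is not 1; ZTNA rules will not take effect"))
    seen = set()
    for rule in ztna.iter("rule"):
        name = (rule.findtext("name") or "").strip() or "<unnamed>"
        if name in seen:
            findings.append((name, "duplicate rule name"))
        seen.add(name)
        for tag in ("destination", "gateway"):
            try:
                parse_endpoint(rule.findtext(tag))
            except ValueError as exc:
                findings.append((name, f"<{tag}> malformed: {exc}"))
        if (rule.findtext("mode") or "").strip() != "transparent":
            findings.append((name, "<mode> must be 'transparent'"))
        if (rule.findtext("encryption") or "0").strip() != "1":
            findings.append((name, "<encryption> is 0: FortiClient-to-FortiGate leg is cleartext"))
    return findings


# Constructed sample profile: the first rule mirrors the page's example; the second is
# deliberately weak (cleartext leg, out-of-range port, unsupported mode).
SAMPLE_PROFILE = """<forticlient_configuration>
  <ztna>
    <enabled>1</enabled>
    <rules>
      <rule>
        <name>ssh</name>
        <destination>10.100.77.8:22</destination>
        <gateway>172.17.80.79:443</gateway>
        <mode>transparent</mode>
        <local_port>7788</local_port>
        <encryption>1</encryption>
      </rule>
      <rule>
        <name>rdp-legacy</name>
        <destination>rdp.corp.example:99999</destination>
        <gateway>172.17.80.79:443</gateway>
        <mode>proxy</mode>
        <encryption>0</encryption>
      </rule>
    </rules>
  </ztna>
</forticlient_configuration>
"""

if __name__ == "__main__":
    for rule_name, finding in lint_ztna_config(SAMPLE_PROFILE):
        print(f"{rule_name}: {finding}")
```

Run it against an exported profile before pushing it from EMS; the `ssh` rule produces no findings, while the weak rule is reported three times (bad destination port, unsupported mode, encryption off). The encryption check is the one to treat as a policy gate: a rule with <encryption>0</encryption> relies entirely on the application protocol for confidentiality between the endpoint and the FortiGate.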
