Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • XML Reference Guide

    Home FortiClient 7.4.1 XML Reference Guide
    7.4.1
    7.4.1
    7.4.0
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    ZTNA

    ZTNA

    The following lists zero trust network access (ZTNA) general attributes:

    <forticlient_configuration>

    <ztna>

    <enabled>1</enabled>

    <allow_personal_rules>1</allow_personal_rules>

    <notify_on_error>1</notify_on_error>

    <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>

    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>

    <save_password>1</save_password>

    <rules>

    <rule>

    <name>ssh</name>

    <destination>10.100.77.8:22</destination>

    <gateway>172.17.80.79:443</gateway>

    <mode>transparent</mode>

    <local_port>7788</local_port>

    <encryption>1</encryption>

    <enable_udp>1</enable_udp>

    <redirect>0</redirect>

    </rule>

    </rules>

    <web_proxy_rules>

    <web_proxy_rule>

    <gateway>example.com:80</gateway>

    <gateway_ip>192.158.1.38</gateway_ip>

    </web_proxy_rule>

    </web_proxy_rules>

    </ztna>

    </forticlient_configuration>

    The following table provides the XML tags for ZTNA, as well as the descriptions and default values where applicable.

    XML tag

    Description

    Default value

    <enabled>

    Enable ZTNA.

    You can use FortiClient to create a secure encrypted connection to protected applications without using VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection via HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and check other endpoint information that EMS provides to the FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access as applicable.

    For TCP forwarding to non-web-based applications, you must define ZTNA connection rules using the following elements.

    Boolean value: [0 | 1]

    <allow_personal_rules>

    Allow end users to configure personal ZTNA destinations.

    Boolean value: [0 | 1]

    1

    <notify_on_error>

    Enable or disable browser error message for ZTNA TCP forwarding failures.

    Boolean value: [0 | 1]

    1

    <disallow_invalid_server_certificate>

    When this setting is disabled and an invalid server certificate is used, FortiClient allows the user to continue with the invalid certificate.

    When this setting is enabled and an invalid server certificate is used, FortiClient rejects the invalid certificate and stops the connection.

    Boolean value: [0 | 1]

    0

    <warn_invalid_server_certificate>

    When <disallow_invalid_server_certificate> is disabled:

    • If <warn_invalid_server_certificate> is enabled, an invalid server certificate is used, and FortiClient uses the built-in browser for SAML authentication, FortiClient displays a security warning to the user that installing the certificate may result in a security risk.
    • If <warn_invalid_server_certificate> is disabled, FortiClient does not display a security warning to the user that installing the certificate may result in a security risk.

    When <disallow_invalid_server_certificate> is enabled and an invalid server certificate is used, FortiClient does not display a popup and stops the connection.

    Boolean value: [0 | 1]

    <save_password>

    Enable or disable ZTNA SAML authentication browser to save SAML identity provider cookies.

    Boolean value: [0 | 1]

    0

    <rules><rule> elements

    <name>

    		 Enter the desired rule name.

    <destination>

    Enter the IP address/FQDN and port of the destination host in the format <IP address or FQDN>:<port>. This field does not support entering only a hostname.

    <gateway>

    Enter the FortiGate access IP address and port in the format <IP address or FQDN>:<port>.

    <mode>

    Enter transparent. This element only supports transparent mode.

    <encryption>

    Enable encryption. When encryption is enabled, traffic between FortiClient and the FortiGate is always encrypted, even if the original traffic has already been encrypted. When encryption is disabled, traffic between FortiClient and the FortiGate is not encrypted.

    Boolean value: [0 | 1]

    <enable_udp>

    Enable ZTNA for UDP traffic. FortiClient applies ZTNA is for UDP and TCP traffic.

    Boolean value: [0 | 1]

    <redirect>

    Enable to use the default external browser for ZTNA SAML authentication.

    Disable to use the FortiClient embedded browser for ZTNA SAML authentication.

    Boolean value: [0 | 1]

    0

    <web_proxy_rules><web_proxy_rule> elements

    Configure ZTNA rule for web applications.

    <gateway>

    Enter the web application IP address and port in the format <IP address or FQDN>:<port>. You must enter a port value.

    <gateway_ip>

    If you enter an FQDN in <gateway>, FortiClient populates <gateway_ip>with the IP address. This element mainly ensures that FortiClient retains data during profile import and export.

    Previous
    Next

    ZTNA

    ZTNA

    The following lists zero trust network access (ZTNA) general attributes:

    <forticlient_configuration>

    <ztna>

    <enabled>1</enabled>

    <allow_personal_rules>1</allow_personal_rules>

    <notify_on_error>1</notify_on_error>

    <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>

    <warn_invalid_server_certificate>1</warn_invalid_server_certificate>

    <save_password>1</save_password>

    <rules>

    <rule>

    <name>ssh</name>

    <destination>10.100.77.8:22</destination>

    <gateway>172.17.80.79:443</gateway>

    <mode>transparent</mode>

    <local_port>7788</local_port>

    <encryption>1</encryption>

    <enable_udp>1</enable_udp>

    <redirect>0</redirect>

    </rule>

    </rules>

    <web_proxy_rules>

    <web_proxy_rule>

    <gateway>example.com:80</gateway>

    <gateway_ip>192.158.1.38</gateway_ip>

    </web_proxy_rule>

    </web_proxy_rules>

    </ztna>

    </forticlient_configuration>

    The following table provides the XML tags for ZTNA, as well as the descriptions and default values where applicable.

    XML tag

    Description

    Default value

    <enabled>

    Enable ZTNA.

    You can use FortiClient to create a secure encrypted connection to protected applications without using VPN. Acting as a local proxy gateway, FortiClient works with the FortiGate application proxy feature to create a secure connection via HTTPS using a certificate received from EMS that includes the FortiClient UID. The FortiGate retrieves the UID to identify the device and check other endpoint information that EMS provides to the FortiGate, which can include other identity and posture information. The FortiGate allows or denies the access as applicable.

    For TCP forwarding to non-web-based applications, you must define ZTNA connection rules using the following elements.

    Boolean value: [0 | 1]

    <allow_personal_rules>

    Allow end users to configure personal ZTNA destinations.

    Boolean value: [0 | 1]

    1

    <notify_on_error>

    Enable or disable browser error message for ZTNA TCP forwarding failures.

    Boolean value: [0 | 1]

    1

    <disallow_invalid_server_certificate>

    When this setting is disabled and an invalid server certificate is used, FortiClient allows the user to continue with the invalid certificate.

    When this setting is enabled and an invalid server certificate is used, FortiClient rejects the invalid certificate and stops the connection.

    Boolean value: [0 | 1]

    0

    <warn_invalid_server_certificate>

    When <disallow_invalid_server_certificate> is disabled:

    • If <warn_invalid_server_certificate> is enabled, an invalid server certificate is used, and FortiClient uses the built-in browser for SAML authentication, FortiClient displays a security warning to the user that installing the certificate may result in a security risk.
    • If <warn_invalid_server_certificate> is disabled, FortiClient does not display a security warning to the user that installing the certificate may result in a security risk.

    When <disallow_invalid_server_certificate> is enabled and an invalid server certificate is used, FortiClient does not display a popup and stops the connection.

    Boolean value: [0 | 1]

    <save_password>

    Enable or disable ZTNA SAML authentication browser to save SAML identity provider cookies.

    Boolean value: [0 | 1]

    0

    <rules><rule> elements

    <name>

    		 Enter the desired rule name.

    <destination>

    Enter the IP address/FQDN and port of the destination host in the format <IP address or FQDN>:<port>. This field does not support entering only a hostname.

    <gateway>

    Enter the FortiGate access IP address and port in the format <IP address or FQDN>:<port>.

    <mode>

    Enter transparent. This element only supports transparent mode.

    <encryption>

    Enable encryption. When encryption is enabled, traffic between FortiClient and the FortiGate is always encrypted, even if the original traffic has already been encrypted. When encryption is disabled, traffic between FortiClient and the FortiGate is not encrypted.

    Boolean value: [0 | 1]

    <enable_udp>

    Enable ZTNA for UDP traffic. FortiClient applies ZTNA is for UDP and TCP traffic.

    Boolean value: [0 | 1]

    <redirect>

    Enable to use the default external browser for ZTNA SAML authentication.

    Disable to use the FortiClient embedded browser for ZTNA SAML authentication.

    Boolean value: [0 | 1]

    0

    <web_proxy_rules><web_proxy_rule> elements

    Configure ZTNA rule for web applications.

    <gateway>

    Enter the web application IP address and port in the format <IP address or FQDN>:<port>. You must enter a port value.

    <gateway_ip>

    If you enter an FQDN in <gateway>, FortiClient populates <gateway_ip>with the IP address. This element mainly ensures that FortiClient retains data during profile import and export.

    Previous
    Next