7.0.0


Design components

Consider the requirements of a ZTNA solution, and align them with the existing network and security infrastructure. Contemplate any changes that may be necessary to prepare for the zero-trust implementation. Each ZTNA solution component below is followed by the corresponding considerations for the existing infrastructure:

FortiClient 7.0

For deployment, you can use existing software tools (such as SCCM), native deployment through FortiClient EMS (Windows only), or an accessible manual download location for outliers.

FortiClient Endpoint Management Server (EMS) 7.0

Ensure endpoints with FortiClient can access FortiClient EMS from everywhere. Consider a location in the DMZ with a VIP. Active Directory (AD) integration with FortiClient EMS may also be necessary for FortiClient deployment and ease of applying different endpoint profiles to corresponding groups in AD.

FortiOS ZTNA access proxy 7.0

Review FortiGate performance requirements, and ensure existing FortiGates meet those requirements. Place the FortiGate(s) so that they have physical or virtual access to the resources they protect from the edge.

FortiOS identity service provider (SP)

FortiGate will act as an SP. Which identity providers (IdPs) already exist? Do appropriate groups exist in the IdP that align with the identity-based and role-based security goals?

FortiAuthenticator Identity and Access Management (IAM)

If multiple FortiGates are deployed, FortiAuthenticator may be desirable to consolidate and manage connections to IdPs, including Active Directory, LDAP, RADIUS, and SAML providers.

FortiToken / Multi-factor Authentication (MFA)

The ZTNA solution provides for certificate-based authentication in addition to user-based credentials that are usually integrated with an IdP. In many cases, another factor of authentication that utilizes one-time passwords (OTP) is recommended. An existing OTP product can be integrated through SAML, or you can apply FortiToken to users on FortiAuthenticator. In smaller, single FortiGate organizations, FortiToken can be managed directly on the FortiGate.

FortiAnalyzer

FortiAnalyzer is recommended for gathering logs and generating reports and analytics for Fortinet devices. FortiAnalyzer should be available from everywhere. FortiClient ZTNA sends logs directly to FortiAnalyzer.
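Once ZTNA logs are centralized, the useful question is what to look for in them. The following is an added example, not FortiAnalyzer or FortiOS code: it parses the key=value line style that FortiGate devices emit (quoted values may contain spaces), then counts accepted and denied ZTNA connections per user and flags users whose denials exceed a threshold. The sample lines and their field names (`subtype`, `user`, `action`, `msg`) are constructed for illustration and are not a verbatim FortiOS log schema; adjust the field names to the real log fields in your deployment.

```python
import re
from collections import Counter

# One key=value pair; values are either "quoted strings" or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (not real device output).
LOG_LINES = [
    'date=2024-01-15 time=08:01:02 devname="fgt-edge-1" type="traffic" subtype="ztna" '
    'user="alice" srcip=198.51.100.10 dstip=10.0.0.5 dstport=443 action="accept" msg="ZTNA access allowed"',
    'date=2024-01-15 time=08:01:05 devname="fgt-edge-1" type="traffic" subtype="ztna" '
    'user="bob" srcip=198.51.100.22 dstip=10.0.0.5 dstport=443 action="deny" msg="client certificate invalid"',
    'date=2024-01-15 time=08:01:09 devname="fgt-edge-1" type="traffic" subtype="ztna" '
    'user="bob" srcip=198.51.100.22 dstip=10.0.0.5 dstport=443 action="deny" msg="client certificate invalid"',
    'date=2024-01-15 time=08:01:14 devname="fgt-edge-1" type="traffic" subtype="ztna" '
    'user="bob" srcip=198.51.100.22 dstip=10.0.0.7 dstport=443 action="deny" msg="endpoint tag mismatch"',
    'date=2024-01-15 time=08:02:30 devname="fgt-edge-1" type="traffic" subtype="ztna" '
    'user="alice" srcip=198.51.100.10 dstip=10.0.0.7 dstport=443 action="accept" msg="ZTNA access allowed"',
    'date=2024-01-15 time=08:03:00 devname="fgt-edge-1" type="traffic" subtype="ztna" '
    'user="carol" srcip=203.0.113.4 dstip=10.0.0.5 dstport=443 action="deny" msg="client certificate invalid"',
    # A non-ZTNA event that must be ignored by the ZTNA summary.
    'date=2024-01-15 time=08:03:10 devname="fgt-edge-1" type="event" subtype="system" '
    'user="admin" action="login" msg="Administrator admin logged in successfully"',
]


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {key: quoted if quoted is not None and quoted != "" or bare is None else bare
            for key, quoted, bare in KV_RE.findall(line)}


def summarize_ztna(lines) -> dict:
    """Count accepted/denied ZTNA connections overall and denials per user."""
    actions = Counter()
    deny_by_user = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("subtype") != "ztna":
            continue
        actions[rec.get("action", "unknown")] += 1
        if rec.get("action") == "deny":
            deny_by_user[rec.get("user", "unknown")] += 1
    return {"accept": actions["accept"], "deny": actions["deny"],
            "deny_by_user": dict(deny_by_user)}


def flag_users(lines, threshold: int = 3) -> list:
    """Users with at least `threshold` ZTNA denials: candidates for follow-up
    (mis-enrolled certificate, stale endpoint posture, or credential misuse)."""
    summary = summarize_ztna(lines)
    return sorted(u for u, n in summary["deny_by_user"].items() if n >= threshold)


if __name__ == "__main__":
    print(summarize_ztna(LOG_LINES))
    print("flagged:", flag_users(LOG_LINES))
```

Repeated denials with the same `msg` from one user usually point to an enrollment or posture problem rather than an attack; the same count spread across many users from one source is the pattern worth paging on.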
