7.0.0

Design examples

Let’s use an example architecture of a company that has multiple applications hosted both internally and in a private Azure cloud.

Currently, remote users connect over VPN to gain access to the internal network and then reach the web-based applications through a web browser. Non-web-based applications are accessed by using Remote Desktop (RDP) over VPN to jump to hosts that have the client-server applications installed.

The company recently had a malware outbreak that propagated from one point on the network to many endpoints connected to the internal network, including those connected over VPN. In its investigation, the company found that the malware originated from an unmanaged, unpatched device that was connected to the network over VPN. The company has mandated the implementation of a zero-trust architecture, with the following success criteria:

  • Block unmanaged devices
  • Require multi-factor authentication
  • For remote users, limit direct access to the internal network for web applications or remote desktop services
  • Allow only identified user groups access to only the specific applications that they need
  • Dynamically deny access to devices with critical vulnerabilities both on the internal network and remote-access network
  • Dynamically allow access once the vulnerabilities are remediated
  • Reduce the reliance on dial-up VPN

To achieve the above goals, consider the following ZTNA solutions:

Security goals | ZTNA solutions
Block unmanaged devices | Use FortiClient
No direct access to internal networks for web applications or remote desktop | Use ZTNA HTTPS and TCP-forwarding access proxies
Allow only identified user groups access to only the specific applications that they need | Use ZTNA access proxies and ZTNA secure access posture checking, integrated with an existing IdP, FortiAuthenticator, or firewall users and groups
Dynamically deny access to compromised or vulnerable devices, and dynamically allow devices after remediation | Use ZTNA secure access posture checking
Require multi-factor authentication (MFA) | Use ZTNA access proxies configured with an IdP and FortiToken
Reduce the reliance on dial-up VPN | Permit only IT and security personnel to use VPN, with ZTNA secure access posture checking and MFA