Additional component information
| ZTNA Solution | Licensing | Existing Infrastructure |
|---|---|---|
| FortiClient ZTNA client 7.0 and above | Review the FortiClient data sheet | Available deployment techniques include an existing software deployment tool (for example, SCCM), native deployment through FortiClient EMS (Windows only), and a manual download location reachable by outliers. |
| FortiClient Endpoint Management Server (EMS) 7.0 and above | Included with the FortiClient ZTNA license | FortiClient EMS must be reachable by clients from everywhere; in this design it is deployed in a DMZ. Active Directory integration with FortiClient EMS may also be needed for client deployment and for applying different endpoint profiles to the corresponding AD groups. |
| FortiOS ZTNA Access Proxy 7.0 and above | Included with FortiOS. Minimum recommended bundle: Unified Threat Protection. Recommended bundle: Enterprise Protection. | Review the FortiGate performance requirements and ensure existing FortiGates meet them. In this simple deployment example, the FortiGate and the Security Fabric are central to all traffic and protect the traffic flow to critical resources. |
| FortiOS SAML Service Provider (SP) | Included with FortiOS | The FortiGate acts as a SAML SP and integrates with FortiAuthenticator as an IdP broker, which in turn provides integration with Active Directory and MFA services over SAML. |
| FortiAuthenticator Identity and Access Management (IAM) | Review the FortiAuthenticator data sheet | When multiple FortiGates are deployed, FortiAuthenticator is desirable to consolidate and manage connections to IdPs, including Active Directory, LDAP, RADIUS, and SAML providers. In this use case FortiAuthenticator is not strictly necessary, but it is included in the deployment as an example for larger deployments. |
| FortiToken Multi-factor Authentication (MFA) | Review the FortiToken data sheet | MFA is recommended for access to any critical resource. In addition to device and user authentication, a one-time password (OTP) factor helps protect against stolen credentials. An existing OTP product can be integrated through SAML. In this deployment, FortiToken is assigned to users in FortiAuthenticator; in smaller, single-FortiGate organizations, FortiToken can be managed directly on the FortiGate. |
| FortiAnalyzer | Review the FortiAnalyzer data sheet. VM and hardware models are available; licensed by anticipated log volume. | FortiAnalyzer is recommended for collecting and analyzing logs and generating reports for Fortinet devices. FortiAnalyzer should be reachable from everywhere, because FortiClient ZTNA sends logs directly to it. |
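The SP row above describes the FortiGate as a SAML Service Provider in front of FortiAuthenticator, with the access proxy additionally requiring an EMS posture tag. The FortiOS 7.0 CLI fragment below is an added example, not configuration from this guide or from Fortinet; it assumes a ZTNA access proxy named `ztna-web-proxy` already exists, and every hostname, entity ID, certificate name, group name and EMS tag name in it is a placeholder (the FortiAuthenticator SAML IdP URLs in particular must be copied from the FortiAuthenticator IdP settings, and the tag name from what EMS actually pushes). MFA is enforced on the FortiAuthenticator side, so it does not appear here. Verify each keyword against the CLI reference for the FortiOS build in use.

```fortios
# FortiGate as SAML SP; FortiAuthenticator is the IdP (placeholder hostnames/names)
config user saml
    edit "fac-saml"
        set cert "Fortinet_Factory"
        set entity-id "https://fgt.example.com/remote/saml/metadata/"
        set single-sign-on-url "https://fgt.example.com/remote/saml/login/"
        set single-logout-url "https://fgt.example.com/remote/saml/logout/"
        set idp-entity-id "https://fac.example.com/saml-idp/ztna/metadata/"
        set idp-single-sign-on-url "https://fac.example.com/saml-idp/ztna/login/"
        set idp-single-logout-url "https://fac.example.com/saml-idp/ztna/logout/"
        set idp-cert "REMOTE_Cert_1"
        set user-name "username"
        set group-name "group"
        set digest-method sha256
    next
end

# Map the group attribute asserted by the IdP to a local user group
config user group
    edit "ztna-saml-users"
        set member "fac-saml"
        config match
            edit 1
                set server-name "fac-saml"
                set group-name "ZTNA-Users"
            next
        end
    next
end

# Authentication scheme and rule used by the access proxy
config authentication scheme
    edit "ztna-saml-scheme"
        set method saml
        set saml-server "fac-saml"
    next
end
config authentication rule
    edit "ztna-saml-rule"
        set srcaddr "all"
        set active-auth-method "ztna-saml-scheme"
    next
end

# Proxy policy: the user must be in the SAML group AND the device must carry
# the EMS posture tag (placeholder tag name; tags are learned from EMS)
config firewall proxy-policy
    edit 1
        set name "ztna-internal-web"
        set proxy access-proxy
        set access-proxy "ztna-web-proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set action accept
        set groups "ztna-saml-users"
        set logtraffic all
    next
end
```

The point of the policy is the AND between the two conditions: a valid SAML assertion (user identity plus whatever MFA FortiAuthenticator enforced) is not sufficient on its own, and a compliant device tag is not sufficient on its own. A quick check after applying it is to log in from a device that EMS has not tagged and confirm the request is denied even though SAML authentication succeeded, which also exercises the FortiAnalyzer logging the table recommends.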