7.2.2

Additional component information

The components of the ZTNA solution are listed below with their licensing and the existing-infrastructure considerations for this deployment (columns: ZTNA Solution, Licensing, Existing Infrastructure).

ZTNA Solution: FortiClient ZTNA client 7.0 and above
Licensing: Review the FortiClient data sheet.
Existing Infrastructure: Available deployment techniques include an existing software deployment tool (for example, SCCM), native deployment through FortiClient EMS (Windows only), and a manual download location accessible to outliers.

ZTNA Solution: FortiClient Endpoint Management Server (EMS) 7.0 and above
Licensing: Included with the FortiClient ZTNA license.
Existing Infrastructure: FortiClient EMS must be accessible to clients from everywhere. In this design, FortiClient EMS is deployed in a DMZ. Active Directory integration with FortiClient EMS may also be necessary for client deployment and for applying different endpoint profiles to the corresponding AD groups.

ZTNA Solution: FortiOS ZTNA Access Proxy 7.0 and above
Licensing: Included with FortiOS. The minimum recommended bundle is Unified Threat Protection; the recommended bundle is Enterprise Protection.
Existing Infrastructure: Review the FortiGate performance requirements and ensure that existing FortiGates meet them. In this simple deployment example, the FortiGate and the Security Fabric are central to all traffic and protect traffic flows to critical resources.

ZTNA Solution: FortiOS Identity Service Provider (SP)
Licensing: Included with FortiOS.
Existing Infrastructure: The FortiGate acts as a SAML SP and integrates with FortiAuthenticator as an IdP broker, which provides integration with Active Directory and MFA services over SAML.

ZTNA Solution: FortiAuthenticator Identity and Access Management (IAM)
Licensing: Review the FortiAuthenticator data sheet.
Existing Infrastructure: When multiple FortiGates are deployed, FortiAuthenticator is desirable for consolidating and managing connections to IdPs, including Active Directory, LDAP, RADIUS, and SAML providers. In this use case, FortiAuthenticator is not strictly necessary, but it is included in the deployment as an example for larger deployments.

ZTNA Solution: FortiToken Multi-factor Authentication (MFA)
Licensing: Review the FortiToken data sheet.
Existing Infrastructure: MFA is recommended for connecting to any critical resource. In addition to device and user authentication, a further factor that uses one-time passwords (OTP) is desirable to help protect against stolen credentials. An existing OTP product can be integrated through SAML. In this deployment, FortiToken is applied to users in FortiAuthenticator. In smaller, single-FortiGate organizations, FortiToken can be managed directly on the FortiGate.

ZTNA Solution: FortiAnalyzer
Licensing: Review the FortiAnalyzer data sheet. VM and hardware models are available; license by anticipated log volume.
Existing Infrastructure: FortiAnalyzer is recommended for gathering and analyzing logs and for generating reports for Fortinet devices. FortiAnalyzer should be available from everywhere. FortiClient ZTNA sends logs directly to FortiAnalyzer.
