Fortinet black logo

ZTNA Architecture

Home FortiGate / FortiOS 7.0.0 ZTNA Architecture
7.0.0
7.0.0

Design topology

Design topology

In the example topology, minor changes to the existing physical infrastructure were necessary. FortiGates replaced existing firewalls at headquarters (HQ) and a regional office. A FortiGate VM was added to Azure to provide NGFW protection for the cloud datacenter, and to mirror existing IPsec VPN services.

The internal application servers stayed in place with the same IP scheme in the server VLAN. For remote clients to reach the application servers, no dial-up VPN is required.

A DMZ was created to host Fortinet services that must always be accessible from the internet.

An internal client VLAN was created for client access, and it requires all endpoints to pass through the FortiGate. The NGFW feature and ZTNA secure access protects the server VLAN. For internal network users, ZTNA secure access is used. For remote users, no access is provided directly to the internal network; ZTNA access proxy is used. To gain access to the server VLAN the following is required:

ZTNA component

Functional description

FortiClient

Installs device certificates from the FortiClient EMS CA service

Performs ZTNA checks required by the following ZTNA rules:

  • Active Directory domain login
  • Active Directory domain group
  • Vulnerability status
  • MFA challenge and response
  • TCP forward-access proxy certificate exchange

Provides dial-up VPN services during the ZTNA migration period

FortiClient EMS Server
  • Connects FortiClient endpoints to the FortiGate(s) through the fabric connector
  • Acts as a certificate authority (CA) and delivers certificates to FortiClient endpoints for device authentication
  • Centrally manages ZTNA tagging and delivers posture check requirements to FortiClient
  • Passes endpoint certificates and ZTNA tagging information to the FortiGates for use in ZTNA rules and firewall policies

FortiGate ZTNA access proxy
  • Provides an HTTPS access-proxy for web applications as well as TCP forwarding access-proxy for the RDP requirement
  • In this design, no access is granted unless an endpoint passes the checks executed by FortiClient as outlined above

FortiGate ZTNA secure access

For internal users, it was decided not to use a full access-proxy, but ZTNA posture and identity checks are required to gain access to the server VLAN

FortiAuthenticator and FortiToken

Because more than one FortiGate is in the topology, it was decided to implement FortiAuthenticator to:

  • Centrally configure and manage connections to IdPs, which is currently Active Directory
  • Centrally manage FortiToken for OTP as part of the MFA requirement
  • Act as a SAML IdP and provide a captive portal for authentication and token challenge

FortiAnalyzer

Logging, reporting, and analytics for all the Fortinet devices. In the future, SOC features will be enabled to help the company manage security events and incidents as well as automate response and remediation
Previous
Next

Design topology

In the example topology, minor changes to the existing physical infrastructure were necessary. FortiGates replaced existing firewalls at headquarters (HQ) and a regional office. A FortiGate VM was added to Azure to provide NGFW protection for the cloud datacenter, and to mirror existing IPsec VPN services.

The internal application servers stayed in place with the same IP scheme in the server VLAN. For remote clients to reach the application servers, no dial-up VPN is required.

A DMZ was created to host Fortinet services that must always be accessible from the internet.

An internal client VLAN was created for client access, and it requires all endpoints to pass through the FortiGate. The NGFW feature and ZTNA secure access protects the server VLAN. For internal network users, ZTNA secure access is used. For remote users, no access is provided directly to the internal network; ZTNA access proxy is used. To gain access to the server VLAN the following is required:

ZTNA component

Functional description

FortiClient

Installs device certificates from the FortiClient EMS CA service

Performs ZTNA checks required by the following ZTNA rules:

  • Active Directory domain login
  • Active Directory domain group
  • Vulnerability status
  • MFA challenge and response
  • TCP forward-access proxy certificate exchange

Provides dial-up VPN services during the ZTNA migration period

FortiClient EMS Server
  • Connects FortiClient endpoints to the FortiGate(s) through the fabric connector
  • Acts as a certificate authority (CA) and delivers certificates to FortiClient endpoints for device authentication
  • Centrally manages ZTNA tagging and delivers posture check requirements to FortiClient
  • Passes endpoint certificates and ZTNA tagging information to the FortiGates for use in ZTNA rules and firewall policies

FortiGate ZTNA access proxy
  • Provides an HTTPS access-proxy for web applications as well as TCP forwarding access-proxy for the RDP requirement
  • In this design, no access is granted unless an endpoint passes the checks executed by FortiClient as outlined above

FortiGate ZTNA secure access

For internal users, it was decided not to use a full access-proxy, but ZTNA posture and identity checks are required to gain access to the server VLAN

FortiAuthenticator and FortiToken

Because more than one FortiGate is in the topology, it was decided to implement FortiAuthenticator to:

  • Centrally configure and manage connections to IdPs, which is currently Active Directory
  • Centrally manage FortiToken for OTP as part of the MFA requirement
  • Act as a SAML IdP and provide a captive portal for authentication and token challenge

FortiAnalyzer

Logging, reporting, and analytics for all the Fortinet devices. In the future, SOC features will be enabled to help the company manage security events and incidents as well as automate response and remediation
Previous
Next