FortiSASE-24.1-SPA Using ZTNA Deployment Guide
FortiSASE-24.1-SPA Using ZTNA Deployment Guide
Version 24.1
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
FORTIGUARD LABS
https://www.fortiguard.com
FEEDBACK
Email: [email protected]
Change log 5
Introduction 6
Executive summary 6
Intended audience 7
About this guide 7
Solution overview 8
FortiSASE with ZTNA architecture 8
Zero trust 8
FortiClient, FortiSASE, and FortiGate architecture 9
FortiClient 9
FortiSASE 9
FortiGate 9
Design overview 10
Use cases and topology 10
Teleworking via SSL VPN 10
FortiSASE with ZTNA 10
Design concept and considerations 11
FortiSASE endpoint license and configurations 11
FortiGate to FortiSASE connection 11
FortiClient to FortiSASE connection 11
User management and onboarding 12
ZTNA: Client and server CA certificates 12
ZTNA: Posture check 13
ZTNA: Application list/connection rules 13
FortiClient: split tunneling destinations 13
Deployment overview 15
Product prerequisites 15
Deployment plan 15
Deployment procedures 16
Provisioning your FortiSASE instance 16
Configuring remote authentication and onboarding users 17
Configuring security profiles and policies 18
Configuring ZTNA tags and tagging rules 19
Connecting the FortiGate to FortiSASE 20
Configuring authentication on the FortiGate access proxy 21
Configuring ZTNA servers 22
Configuring ZTNA policies 23
Configuring ZTNA connection rules on FortiSASE 24
Configuring a split tunneling destination on FortiSASE 25
Testing and monitoring 25
This document describes Fortinet's recommended approach to configuring our secure private access (SPA) solution for
FortiSASE using zero trust network access (ZTNA). It covers configuration of the solution.
Executive summary
In today's remote workforce, a remote worker requires secure access to the following primary locations: the corporate
network, applications in the cloud, and the rest of the Internet. Secure access service edge (SASE) solutions such as
FortiSASE provide the means to secure the cloud and the Internet, but most corporations want a seamless integration
between securing the public network and their private network.
This guide examines how FortiSASE can integrate with FortiGate ZTNA to provide a seamless experience for end users
while securing your most important corporate assets behind the FortiGate application gateway. Unlike traditional SSL
and IPsec VPN, FortiSASE SPA using ZTNA offers direct connections to protected resources without requiring
establishment of a persistent tunnel. The key to ZTNA is verifying the connecting device's and user's identities and
ensuring the device's security posture before admitting it to the protected network. These security checks happen
instantly and transparently thanks to the integration between FortiSASE, FortiGate, and the FortiClient endpoint. If a
device cannot pass these security checks, it is considered untrusted and the connection is rejected.
The following illustrates the architecture of the FortiSASE, FortiGate, and FortiClient integration.
This guide explores the setup between FortiSASE and your corporate FortiGate firewall in detail to cover the SPA using
ZTNA use case. It first reviews the components in this solution to understand more about the inner workings, then dives
into design concepts and considerations. Finally, it steps through a deployment scenario to build a working FortiSASE
and ZTNA environment.
Intended audience
This guide is intended for a technical audience, including system and network architects, design engineers, network
engineers, and security engineers who want to deploy FortiSASE to secure their remote workers while integrating with
their FortiGate ZTNA solution to remotely access their network with the goal of providing SPA.
The solution in this guide is targeted at small- and medium-sized organizations and enterprises.
This guide assumes that the reader is familiar with basic concepts of applications, networking, routing, security, and
proxies, and has a basic understanding of network and data center architectures.
For comments and feedback about this document, visit the FortiSASE Endpoint with ZTNA Shortcuts Deployment on
community.fortinet.com.
The deployment guide serves the purpose of going through the design and deployment steps involved in deploying a
specific architecture. Readers should first evaluate their environments to determine whether the architecture and design
that this guide outlines is suitable for them.
Where appropriate, reviewing supplementary material in product admin guides, example guides, cookbooks, release
notes, and other documents is recommended.
You are likely familiar with the FortiSASE endpoint solution. FortiSASE provides secure Internet access to end users
who are registered and connected to FortiSASE. With further integration, FortiSASE can also share endpoint information
with a FortiGate. This allows the corporate FortiGate to implement zero trust network access (ZTNA) for remote users
who are already registered to FortiSASE, which, therefore, provides them with secure private access to private
applications behind the corporate FortiGate. The following diagram outlines the high-level communication between
FortiSASE, FortiGate, and FortiClient to deliver an integrated FortiSASE and ZTNA solution.
Zero trust
Trust is at the core of the ZTNA solution. Traditionally, organizations allow remote users to access corporate resources
through VPNs based on their user identity. Once authentication succeeds, the users are trusted to access any resources
allowed for their user group for the duration of their VPN connection.
Zero trust, on the other hand, does not solely rely on user identity but also verifies other attributes in real time. These
attributes include the endpoint's device identity and security posture. A client certificate that a trusted certificate authority
(CA) generated uniquely identifies an endpoint that the certificate is assigned to. The FortiGate uses the certificate to
verify device identity. The FortiGate determines the device's security posture using security attributes called ZTNA tags,
which the endpoint shares with FortiSASE and the FortiGate. Examples include detecting any of the following:
l Whether a device has antivirus installed
l Whether a device has critical vulnerabilities patched
l Whether FortiClient detects any malware on the device
A Zero Trust security device, the FortiGate in this case, must establish a trust context with the endpoint based on these
attributes. The FortiGate continues to evaluate this trust context when allowing the device to access protected
resources. If any of the attributes change and the device becomes untrusted, the FortiGate terminates the sessions.
To understand how real-time ZTNA functions in the FortiSASE with ZTNA solution, the following breaks down the roles
that each component plays in this architecture:
FortiClient
When a FortiSASE endpoint registers to FortiSASE, it provides device information, such as network details, operating
system, and logged-on user to FortiSASE. It also synchronizes the endpoint profile from FortiSASE and provides
information about its current security posture. When FortiClient detects changes to an attribute, such as detecting a
critical vulnerability, it reports the status to FortiSASE.
Upon initial registration, FortiClient requests and obtains a client device certificate from the FortiSASE ZTNA certificate
authority. The client device uses this certificate to identify itself to the FortiGate.
FortiSASE
FortiSASE issues and signs the client certificate with the FortiClient UID, certificate serial number, and the Endpoint
Management Service's serial number. FortiSASE synchronizes the certificate details to the FortiGate. FortiSASE shares
its own ZTNA CA certificate with the FortiGate, so that the FortiGate can use it to validate client certificates that the same
CA has signed.
FortiSASE defines endpoint tagging rules for tagging each endpoint's important security attributes. FortiSASE pushes
the rules through the endpoint profile to FortiClient. Once synchronized, FortiSASE shares these tags and each client's
status with the FortiGate. See Endpoint posture check for a list of attributes that FortiSASE can configure.
FortiGate
The FortiGate maintains a continuous connection to FortiSASE to synchronize endpoint device information and security
tags. When a device's information changes, FortiClient passes the changes to FortiSASE, which then updates to the
FortiGate. The FortiGate can use this information when processing connections from the end user to establish the trust
context with the endpoint. If an endpoint's security posture change causes it to no longer match the ZTNA policy criteria
on an existing session, the FortiGate terminates the session.
In a typical teleworking scenario, an organization may use SSL VPN tunneling mode to tunnel all traffic through the
FortiGate, including access to the Internet and cloud applications. Users may access corporate and web resources
based on their user identity for their VPN connection's duration.
The VPN solution can use security vendors other than Fortinet.
To offload security for remote workers' direct Internet connection to web and cloud resources, you can use FortiSASE.
On the other hand, to access corporate resources behind the FortiGate for the secure private access use case, remote
users connecting through Zero Trust Network Access (ZTNA) are subject to device identity check, user authentication,
and security posture check to ensure that the user and device are trusted.
In FortiSASE endpoint mode, a remote computer has the FortiClient agent installed and registered to FortiSASE. When
ZTNA integration with the corporate FortiGate is enabled, FortiSASE assigns the FortiClient endpoint a client certificate.
You do not need to install an additional application or agent on the remote computer. FortiSASE, FortiClient, and FortiOS
transparently synchronize certificates and tags in the background.
When the remote endpoint connects to corporates resources, FortiClient makes an encrypted TCP connection to the
FortiGate access proxy. The FortiGate acts as a reverse proxy to serve the requested content. The client-to-FortiGate
connection is always encrypted and secured.
This solution's design uses FortiSASE endpoint mode to leverage the use of FortiClient for endpoint registration,
SSL VPN, and Zero Trust Network Access (ZTNA). Therefore, this solution does not require Secure Web Gateway
(SWG) licenses or enabling SWG configuration. This solution only requires endpoint entitlements. Obtain enough
FortiSASE endpoint seats to support the number of remote endpoints that will use this service.
To perform ZTNA, you must register the corporate FortiGate to the same FortiCloud account as the FortiSASE instance.
This allows the FortiGate's FortiClient EMS Fabric connector to connect to FortiSASE to synchronize endpoint
information.
This solution does not support deploying ZTNA with an existing on-premise EMS or FortiClient Cloud instance. You must
first provision FortiSASE to allow the FortiGate access proxy to integrate with the FortiSASE Endpoint Management
Service.
You must register FortiClient to FortiSASE and maintain this connection to connect to corporate resources through the
FortiGate access proxy. When FortiClient disconnects, FortiSASE removes the client certificate from the endpoint, and
does not synchronize the client information. The endpoint will not pass client certificate and security posture check
against ZTNA.
You configure users on FortiSASE for endpoints to authenticate and connect to the FortiSASE gateway. Ideally, users
use the same credentials to authenticate to the FortiGate ZTNA access proxy. When designing the solution, consider
where users are defined in your organization and use the same authentication source for FortiSASE and FortiGate user
configurations. Using local users on either platform is not recommended.
FortiSASE and FortiGate support the following authentication methods:
Method Description
LDAP user Configure an LDAP connection and import users and groups from an
LDAP server.
RADIUS user Configure a RADIUS connection and import users and groups from a RADIUS
server.
Single sign on (SSO) Configure a SAML identity provider (IdP) to perform user authentication.
FortiSASE and FortiGate act as the SAML service provider (SP).
When you deploy LDAP or RADIUS users for VPN authentication on FortiSASE, you cannot
use SSO, and vice-versa.
When using SSO/SAML authentication, your remote endpoint must be able to reach the SAML IdP since the
SP redirects users to the IdP to authenticate.
When onboarding remote users, use the Onboard Users button to send the invitation code to all remote users. Remote
users must install the FortiClient application to use VPN and ZTNA. In larger environments, you should consider using
group policy management for Windows or other centralized management systems like mobile device management to
centrally manage their FortiClient endpoint deployment.
When FortiClient registers to FortiSASE, it requests a client certificate to use for device identification. The ZTNA CA
installed on the FortiSASE instance issues the certificate.
1. In the Windows Start menu, search for and select Manage user certificates.
2. In Certificate Manager, go to Personal > Certificates to view the FortiClient certificate.
The FortiGate access proxy performs posture check by verifying the presence or absence of ZTNA tags on a FortiClient
endpoint. You define these tags on FortiSASE using tagging rules that specify attributes that can be checked on the
FortiClient endpoint. You should configure these tags and tagging rules carefully, as they determine the basic device
security requirements for an endpoint to connect to ZTNA. Design your ZTNA policies with ZTNA tags in mind. You can
view synchronized tags in FortiOS in Policy & Objects > ZTNA > ZTNA Tags.
See Endpoint posture check for a list of attributes that FortiSASE can configure.
ZTNA connection rules define resources that remote users can access through the ZTNA TCP forwarding access proxy.
FortiSASE can push the rules through endpoint profile updates to each FortiClient endpoint. On the endpoint device,
when a client tries to access a network resource from these rules, FortiClient listens for connections to the destination
resource, namely, the destination address and port, and forwards the connection requests to the FortiGate access
proxy. Traffic is encrypted through SSL/TLS between the client and FortiGate, with the underlying traffic to the
destination encapsulated within it. In other words, TCP forwarding rules allow the FortiClient to intercept the requests to
the destination address and port and forward them to the access proxy.
The encryption option provides encryption between client and FortiGate access proxy for underlying connections that
are insecure, like HTTP, FTP, and Telnet. Disabling the encryption option reduces the SSL/TLS encryption overhead for
protocols like HTTPS, SSH, and RDP.
FortiGate's HTTP/HTTPS access proxy can allow direct access to a web resource without
configuring ZTNA connection rules.
FortiClient establishes a secure connection using SSL VPN to FortiSASE and forwards all traffic to FortiSASE, namely,
establishing full tunneling. However, this full tunneling setup poses a challenge with ZTNA TCP forwarding because it
means that ZTNA traffic will go to FortiSASE even when a ZTNA destination is being accessed.
Therefore, in FortiSASE, you must configure a split tunneling destination corresponding to the IP or FQDN of the
FortiGate ZTNA access proxy to ensure that traffic destined for the ZTNA destination directly uses the Internet
connection of the endpoint instead of being forwarded to FortiSASE, which is the desired behaviour for ZTNA access.
Product prerequisites
Customers should obtain enough FortiSASE endpoint seats to support the number of remote endpoints that will use this
service.
You must register the FortiGate acting as the Zero Trust Network Access (ZTNA) proxy to the same FortiCloud account
as the FortiSASE instance. The FortiGate must be running FortiOS 7.0.5 or a later version to support the latest
ZTNA features.
FortiClient endpoints must be running FortiClient 7.0.3 to support ZTNA features.
Deployment plan
This outlines the major steps to deploy this solution. Go to Deployment procedures on page 16 for detailed configuration
steps:
1. Provision your FortiSASE instance and select the regions where your users will be located. Input licenses as
needed. See Provisioning your FortiSASE instance on page 16.
2. Configure remote authentication and onboard users. See Configuring remote authentication and onboarding users
on page 17.
3. Configure VPN policies to apply desired scanning and filtering for your users. See Configuring security profiles and
policies on page 18.
4. Configure ZTNA tags and tagging rules. See Configuring ZTNA tags and tagging rules on page 19.
5. Connect the FortiGate to FortiSASE over the FortiClient Cloud Fabric connector. Authorize the FortiGate on
FortiSASE. FortiSASE automatically synchronizes the tags to the FortiGate. See Connecting the FortiGate to
FortiSASE on page 20.
6. On the FortiGate, configure remote authentication servers, authentication schemes, and rules. See Configuring
authentication on the FortiGate access proxy on page 21.
7. Configure ZTNA servers. See Configuring ZTNA servers on page 22.
8. Configure ZTNA policies and use user groups and ZTNA tags for access control. See Configuring ZTNA policies on
page 23.
9. In FortiSASE, configure ZTNA connection rules to push to clients. See Configuring ZTNA connection rules on
FortiSASE on page 24.
10. In FortiSASE, configure a split tunneling destination for the FortiGate ZTNA access proxy to push to clients. See
Configuring a split tunneling destination on FortiSASE on page 25.
11. Test and monitor the configuration using a remote device. See Testing and monitoring on page 25.
In this sample topology, a FortiSASE instance is deployed and licensed for endpoint mode. A FortiGate is configured
with Zero Trust Network Access and acts as the access proxy to protect corporate network resources. The FortiGate is
registered to the same FortiCloud account as the FortiSASE instance, and receives endpoint information and tags from
FortiSASE. The FortiGate is configured with ZTNA policies to allow remote endpoints to access corporate resources.
The remote FortiClient endpoint is registered to FortiSASE and synchronizes ZTNA connection rules from it.
The topology displays two authentication sources. When using RADIUS, FortiSASE and FortiGate should point to the
same RADIUS server for authentication. When using SAML, you should configure FortiSASE and FortiGate with single
sign on and to point to the same SAML identity provider.
You can use the following procedures to provision the aforementioned environment.
3. When provisioning, select the geographic location for your security sites and logging.
4. Once provisioned, the FortiSASE dashboard displays your entitlement in the Remote User Management widget.
The number of endpoints that the widget lists is the number of VPN users that are entitled to use this service.
Depending on the authentication source, the user configuration steps differ. The example shows configuring a
RADIUS server and user groups. For configuring other authentication sources, see Authentication Sources and Access.
4. Click OK.
5. Click OK again.
6. A slide-in appears with instructions on how to onboard an end user. Follow the steps under Managed Endpoint
Users > Invite Users to send invite emails to potential users. Click Send. You can also copy the invitation code to
share with potential users.
7. Click Close.
FortiSASE has a default security profile configured, which is applied to the Allow-All VPN policy. When all users,
sources, and destinations require the same scanning and protection, maintaining only one default security profile
suffices. However, if different users, sources, or destinations require different protection, create different profile groups
for each group of users.
The default VPN policies block any traffic destined for Botnet and C&C servers but allow the rest. Consider your user
base and design your VPN policies carefully. FortiSASE matches policies from top down, so add more restrictive policies
at the top and less restrictive policies at the bottom.
Zero Trust Network Access (ZTNA) tags and tagging rules help identify attributes on the endpoints used for posture
check on the FortiGate. This example creates two tags: HighSeverity and WinDefender. The goal is to identify whether a
Windows endpoint has a high or higher vulnerability status, and whether it has Windows Defender enabled. You will use
these tags in the ZTNA policy definition on the FortiGate.
1. Go to Configuration > Endpoints > ZTNA Tagging > ZTNA Tags. Click Create.
2. In the Name field, enter HighSeverity. Click OK.
3. Go to the ZTNA Tagging Rules tab. Click Create, and configure the rule:
a. In the Name field, enter HighSeverity.
b. Under When the following rules match, click Create.
c. For Operating System, select Windows.
d. From the Rule Type dropdown list, select Severity Level.
e. From the Severity Level dropdown list, select High or Higher.
f. Click OK.
g. Under Apply the following tag, from the Tag Name dropdown list, select HighSeverity.
h. Click OK.
1. Go to Configuration > Endpoints > ZTNA Tagging > ZTNA Tags. Click Create.
2. In the Name field, enter WinDefender. Click OK.
3. Go to the ZTNA Tagging Rules tab. Click Create, and configure the rule:
a. In the Name field, enter WinDefender.
b. Under When the following rules match, click Create.
c. For Operating System, select Windows.
d. From the Rule Type dropdown list, select Windows Security.
e. From the Severity Level dropdown list, select Windows Defender is enabled.
f. Click OK.
g. Under Apply the following tag, from the Tag Name dropdown list, select WinDefender.
h. Click OK.
The FortiGate must connect to and be authorized by FortiSASE to synchronize endpoint and tag information.
1. Verify that the FortiGate is registered to FortiCloud on the same account as FortiSASE:
a. Go to System > FortiGuard.
b. Under License Information, verify that FortiCare Support shows the status as registered. Expanding the entry
shows the FortiCloud account. Confirm that this account is the account used for FortiSASE.
c. If the FortiGate is not registered, register now using your FortiCloud account.
2. Go to Security Fabric > Fabric Connectors.
a. Click FortiClient EMS Cloud.
b. Ensure that the type is set to FortiClient EMS Cloud.
c. Enter a name for this connection.
d. Click OK. A slide-in appears to verify the server certificate. Accept the certificate.
You should configure the FortiGate with the same remote authentication server as FortiSASE. This example uses
RADIUS. To configure other authentication methods, see the FortiOS Admin Guide:
l ZTNA HTTPS access proxy with basic authentication example
l ZTNA proxy access with SAML authentication example
1. Go to System > Feature Visibility. Ensure that the Zero Trust Network Access option is enabled.
2. Configure an authentication scheme:
a. Go to Policy & Objects > Authentication Rules.
b. Click Create New, then Authentication Scheme.
c. Enter the desired name.
d. For Method, select Basic for configuring Local/RADIUS/LDAP authentication.
e. For database, select Other. Select the RADIUS server created earlier.
f. Click OK.
ZTNA servers define the resources that you want ZTNA to allow access to. These resources are usually servers and
applications that your FortiGate protects that you want to expose to your end users. ZTNA supports various TCP
applications by creating TCP forwarding servers to map to. Alternatively, you can apply HTTP/HTTPS server mapping
and use the HTTPS access proxy to directly map web requests to the web server without adding ZTNA connection rules
This example creates a ZTNA server mapping for connecting RDP to a server behind the FortiGate. For other
ZTNA example configurations, see the FortiOS Administration Guide.
ZTNA policies define who can access what resources, and the security posture requirements for the device to be
allowed access. You can select ZTNA tags that you created on FortiSASE here. You can view the tags in Policy
& Objects > ZTNA > ZTNA Tags.
This example denies access to a device that has a high or higher security vulnerability by detecting the presence of the
HighSeverity tag. The example creates a second policy to grant access to devices that are secured with Windows
Defender by detecting the presence of the WinDefender tag.
When Zero Trust Network Access (ZTNA) TCP forwarding is used to map a server or application, you must add a
corresponding ZTNA connection rule to the FortiClient endpoint to forward traffic to the FortiGate access proxy. You can
create these rules on FortiSASE and push them to all managed endpoints.
An endpoint can access private resources using zero trust network access (ZTNA) TCP forwarding when it has
established a secure connection to FortiSASE. For FortiClient to forward this traffic directly to the FortiGate ZTNA
access proxy without passing through FortiSASE, you must add a split tunneling destination corresponding to the IP or
FQDN of the FortiGate. You can create this split tunneling destination on FortiSASE and push it to all managed
endpoints.
You cannot create subnet destinations in a custom endpoint profile. Therefore, subnet
destinations defined in the Default profile also apply to all custom profiles.
3. On the Access tab, under Bypass FortiSASE, configure Split tunneling destinations by clicking Create. Configure
the following:
a. In the Type field, select FQDN or Subnet depending on whether you defined the ZTNA Access Proxy fields in
the ZTNA connection rules using an FQDN or IP address.
b. From the Match dropdown list, do one of the following:
i. Select the FQDN host for the FQDN type.
ii. Select the subnet host for the subnet type.
If you have not created the FQDN or subnet host yet, click + to create a new FQDN or subnet host
corresponding to the ZTNA access proxy.
FortiSASE does not support wildcard FQDNs when configuring an FQDN split
tunneling destination.
c. Click OK.
4. Configure additional split tunneling destinations corresponding to the ZTNA connection rules.
5. Click Apply. FortiSASE pushes the split tunnel destinations to managed endpoints via an endpoint profile update.
1. Ensure that the end user received the onboarding email sent while configuring user authentication on FortiSASE.
2. After completing user activation, the user accesses the FortiSASE portal to download the appropriate FortiClient
software.
3. Install the FortiClient software. During installation, select the Zero Trust Network Access (ZTNA) component.
4. After FortiClient launches, go to ZERO TRUST TELEMETRY and enter the invitation code. This triggers FortiClient
to register to FortiSASE.
5. In FortiSASE, verify that the endpoint displays in Configuration > Endpoints > Monitor.
To verify the endpoint profile has been updated on the endpoint device:
Use the following steps to verify that the default endpoint profile configured in FortiSASE, which includes the ZTNA
connection rules and split tunnel destination has been updated on the endpoint device.
1. In FortiClient, go to the ZTNA DESTINATION tab.
2. Ensure that the corresponding ZTNA connection rules configured in FortiSASE have been updated on the endpoint.
3. Open a Windows Command Prompt or PowerShell window with Administrator access.
4. In the Windows Command Prompt or PowerShell window, enter the following commands to confirm the split tunnel
destination configured in FortiSASE has been updated on the endpoint:
a. ping access.ztnaproxy.com, replacing access.ztnaproxy.com with your FortiGate ZTNA access
proxy FQDN or IP address.
b. route print
In this output, you should find a route entry corresponding to the IP address of the FortiGate ZTNA access
proxy determined in the previous command. For example, if the FortiGate ZTNA access proxy has an IP
address of 1.1.1.1, and the endpoint has a FortiSASE VPN IP address of 10.212.128.1 and a private IP
address to the Internet router of 192.168.1.102 then you should see the following output:
C:\Users\Administrator> route print
...
1. In FortiClient, go to the ZTNA CONNECTION RULES tab to view the list of servers and applications available
through ZTNA TCP forwarding.
2. These instructions use RDP as an example. Open your Remote Desktop Connection console.
3. Enter the destination IP address or FQDN and port listed as the rule's destination host in the Remote Desktop
Connection dialog. Click Connect.
4. FortiGate performs a device certificate check to verify the certificate validity and that the device is registered with
FortiSASE.
5. If this is the first connection to the FortiGate access proxy, FortiClient prompts for user authentication. Enter your
credentials to log in.
6. FortiGate performs security posture check by checking the endpoint's ZTNA tags and matching them against ZTNA
policies. The first matching policy from the top determines whether this user and device is allowed access.
7. If everything passes, the user's traffic is forwarded to the RDP server. The user is prompted by the RDP to log in and
continue with the connection.
To verify the ZTNA traffic logs on the FortiGate ZTNA access proxy:
The following product models and firmware were used in this guide:
FortiGate VM 7.0.5
FortiSASE
FortiGate
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.