Authentication for background Services in ZTNA?
I wonder if there are ways to enable an authentication check for services other than HTTP, FTP or SSH.
Right now, ZTNA mostly checks the device identity with the ability to check the user through ZTNA Tags or authentication Rules.
When I use other services like UDP etc., a login into my Windows machine is enough to enable access, as most compliance-based tags stay valid for a long time.
Is there a way to force check user identity?
Like having a mandatory daily Entra Login through the EMS or something similar.
With VPN, you nearly always have to log in to prove your identity, even better when using MFA.
ZTNA feels like a "step back" on that front, or am I not seeing something clearly?
Maybe I misunderstood the goal that ZTNA has, but in my opinion it markets itself as an architecture that is a valid alternative to VPN. But while I have a login for VPN every time I want to establish a tunnel, I miss this check for ZTNA.
This makes it hard for me to see it as a valid alternative and recommend this solution to bigger clients.
Is there a way around this?
