Discovering ZTNA: Missing Load Balancing Features and Missing ZTNA with Default Policies
Hi,
After playing around with ZTNA, some things are not clear to me, and maybe someone has the same struggles and/or "gaps" in the head.
a) To achieve certificate-based authentication and remove the VPN gateway, you have to work with full ZTNA servers, which the FortiGate then acts as a proxy for. What I am missing: you can do a kind of load balancing with the real servers behind an HTTPS ZTNA server, but there is no option to do a health check like you can on a "normal" virtual server. Also, it would be interesting to know whether real SSL offloading works and deep inspection is done correctly, so that IDP/IDS and all traffic are inspected properly and no significant security risk arises here. Same with encrypted traffic, like SSH over a TCP tunnel.
b) The main (maybe stupid) issue I ran into is the following:
- Let's imagine you have a service like a git repository server on your site, behind a FortiGate. You can protect it using ZTNA, but you may also need access through the API and have to limit access not only by ZTNA tags, but also with the help of normal, old-school firewall policies, which limit access by IP addresses, for example.
Maybe you could now install the FortiClient on the server that wants to access this service, but that is not the way I prefer. So I want to mix both ZTNA policies and normal firewall policies.
- Assume you have www.example.com routed to IP 1.2.3.4 and port 443. You can only define this host and port combination once, either as a Zero Trust server OR as a virtual server.
Does anyone have a brilliant idea how to keep host *and* port and mix both, meaning filter access by ZTNA *AND* by the normal policies (for example, filter by IP networks)?
Any ideas and help would be charming
Thanks
Ronny
