miciti (Visitor III), January 14, 2025
Solved

Getting started with ZTNA: firewall policy only for managed FortiClient devices


Hello everyone,

Since we moved to FortiClient EMS at the end of last year, I want to start diving into ZTNA now:

I have a VLAN that is not connected to my Windows domain servers (Domain Controller, File Server, ...). This VLAN is for third-party machines and computers (robotics, PLCs, IoT devices, ...).

Now there is a use case where some of our PLC programmers want to work in this specific VLAN for ease of access to the robotics, but they also need to access e.g. the Windows File Server.

What is the easiest way to set it up? Basically, I was thinking about creating a policy that only allows FortiClient EMS-managed devices.

I do see the ZTNA tags created by EMS in the FortiGate. Should I go for the "IP/MAC Based Access Control" option in a "standard" FortiGate policy, where I can select the ZTNA tags? Or do I need a full ZTNA policy?

(screenshot of the firewall policy ZTNA settings)

The ZTNA policy documentation often seems to point to a kind of web server scenario, which is not really needed here. So do I need a ZTNA server with an access proxy setup?

Best answer by ebilcari

ebilcari (Staff), January 14, 2025

Basically, since the segments are from the internal network (on-fabric), this is the easiest way. You may need to create other ZTNA tags (not using all of them) and allow access only for hosts that are compliant and don't have any security concerns reported by EMS.

Emirjon
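For anyone finding this thread later, this is what the "standard policy with a ZTNA tag" approach looks like in the FortiOS CLI. It is an added illustration, not configuration from either post: the interface names (vlan-ot, port1), the address object FileServer, the EMS serial FCTEMS0000000000 and the tag name Compliant are placeholders, and the policy syntax assumes a FortiOS build where the firewall policy has the ZTNA tag fields (the GUI option shown in the question).

```fortios
# Added example, not from the original thread. Assumptions: the OT/third-party
# VLAN is on interface "vlan-ot", the Windows segment is behind "port1", an
# address object "FileServer" already exists, and EMS (placeholder serial
# FCTEMS0000000000) pushes a tag named "Compliant" that its tagging rules only
# assign to managed endpoints that pass your compliance checks (AV running,
# disk encrypted, no critical vulnerabilities, and so on).

# 1. The EMS Fabric connector syncs each ZTNA tag to the FortiGate as a
#    dynamic address object. It should already be there; this is what it
#    looks like. The FortiGate learns the IP/MAC pairs for it from EMS.
config firewall address
    edit "FCTEMS0000000000_Compliant"
        set type dynamic
        set sub-type ems-tag
    next
end

# 2. Ordinary firewall policy with IP/MAC based access control. Only
#    endpoints currently carrying the tag match; everything else in the
#    VLAN (robots, PLCs, unmanaged laptops) falls through to the policies
#    below it, or to the implicit deny.
config firewall policy
    edit 0
        set name "OT-VLAN-to-FileServer-ZTNA"
        set srcintf "vlan-ot"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "FileServer"
        set action accept
        set schedule "always"
        set service "SMB" "DNS"
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000000000_Compliant"
        set logtraffic all
    next
end

# 3. Checks: confirm the tag actually resolves to the programmer's laptop
#    (IP and MAC) before relying on the policy.
# diagnose firewall dynamic list
# diagnose endpoint record list
```

Two things worth checking in practice. First, put this policy above any broader vlan-ot to port1 policy, since FortiOS evaluates policies top-down and a wider match placed earlier would let untagged hosts through. Second, if you list several tags in one policy, multiple entries match as OR by default (on builds that have it, set ztna-tags-match-logic and changes this); the simpler and safer pattern, in line with the answer above, is to let EMS combine "managed" and "compliant" into a single tag and reference only that tag here.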
miciti (Author, Visitor III), January 14, 2025

@ebilcari Thank you very much! I did a test with one policy and it seems to work quite well so far :)