raffaeledp
Explorer III
October 11, 2024
Solved

How does ZTNA work?

  • 1 reply
  • 1547 views

Hello everybody, 

ZTNA is not clear at all to me.

I'm working remotely, and in my FortiClient I've been assigned a tag:

ZTNA_DEV

I'm not connected to any VPN.

On fortigate, there is a ZTNA Rule:

[Screenshot 2024-10-11 alle 08.59.48.png: the ZTNA rule]

192.168.1.4 is a ZTNA server that manages a Virtual Machine.

I also have a firewall policy:

[Screenshot 2024-10-11 alle 09.01.17.png: the firewall policy]

This policy says that all users whose destination is ZTNA_DEV (192.168.1.4) and who have the tag ZTNA_DEV are allowed.

But there is one thing I don't understand. 

I'm working remotely, so I'm not in the enterprise network. How can I reach that server?

The firewall policy says that the incoming interface is wan1, but how can I reach it?

I know I have the tags, but how is it possible that with these tags I can reach the internal network?

Where am I wrong?

Thank you so much!

Best answer by Hatibi

1 reply

Hatibi (Staff & Editor), October 11, 2024

ZTNA has different deployment methods.

Off-net (remote) clients can still connect; their traffic is intercepted by the FGT, which acts as an access proxy.

This deployment method is called "ZTNA access proxy":

 

  • HTTPS and TCP access proxy solution and architecture
  • Applies to both remote access and internal access
  • No persistent connection (such as VPN) is necessary

The documentation below will help you better understand the bigger picture: https://docs.fortinet.com/document/fortigate/7.0.0/ztna-architecture/19197/ztna-access-proxy
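To make the access-proxy flow from the answer concrete, here is an added illustration (my own toy model, not FortiOS code and not part of the original thread). It reuses the page's protected server 192.168.1.4 and the tag ZTNA_DEV; the public VIP address 203.0.113.10, the interface names and the policy name are constructed assumptions. The model shows why the remote client never addresses 192.168.1.4 itself: it connects to the FortiGate's wan1-side VIP, the FortiGate verifies the device certificate and EMS tags against the ZTNA rule, and only then opens its own connection to the internal server. It also covers the cases the question worries about: a client without the tag, and a client trying to reach the private address directly from the Internet.

```python
"""Toy model of a ZTNA access-proxy decision (constructed illustration).

The FortiGate (FGT) publishes a VIP on wan1. A client, remote or internal,
connects to that VIP; the FGT checks the device certificate and EMS tags
against the ZTNA rule and, if they match, proxies the session to the real
server on the LAN. No VPN tunnel is involved.
"""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."          # private range behind the FGT (from the page)


@dataclass(frozen=True)
class ZtnaRule:
    name: str                      # policy name (assumed)
    external_vip: str              # address clients actually connect to (assumed)
    real_server: str               # protected host behind the FGT (from the page)
    required_tags: frozenset       # EMS tags the device must carry (from the page)


@dataclass(frozen=True)
class ClientConnection:
    src_ip: str
    dst_ip: str                    # address the client's packets are sent to
    ingress_iface: str             # interface the FGT sees the session on
    ems_tags: frozenset            # tags FortiClient EMS assigned to this device
    device_cert_valid: bool = True # client certificate checked by the FGT


def evaluate(conn: ClientConnection, rules: list) -> tuple:
    """Return (verdict, reason). Verdicts: proxy, deny, drop, unreachable."""
    # A private LAN address is not routable from the Internet, so a remote
    # client sending packets to 192.168.1.4 never even reaches the FGT policy.
    # The only way in is the VIP that the access proxy publishes on wan1.
    if conn.dst_ip.startswith(LAN_PREFIX) and conn.ingress_iface == "wan1":
        return ("unreachable",
                "private LAN address is not routable from the Internet; "
                "the client must connect to the access-proxy VIP")

    for rule in rules:
        if rule.external_vip != conn.dst_ip:
            continue
        # The FGT terminates TLS here and first checks the device identity.
        if not conn.device_cert_valid:
            return ("deny", f"{rule.name}: device certificate not verified")
        missing = rule.required_tags - conn.ems_tags
        if missing:
            return ("deny", f"{rule.name}: missing tag(s) {sorted(missing)}")
        # Posture and identity match: the FGT opens its own connection to the
        # real server and relays the session. The client never talks to the
        # LAN address directly.
        return ("proxy", f"{rule.name}: session proxied to {rule.real_server}")
    return ("drop", "no ZTNA rule publishes this destination")


# Constructed rule mirroring the page's policy: tag ZTNA_DEV -> 192.168.1.4.
ZTNA_DEV_RULE = ZtnaRule(
    name="ZTNA_DEV",
    external_vip="203.0.113.10",   # assumed public VIP address on wan1
    real_server="192.168.1.4",
    required_tags=frozenset({"ZTNA_DEV"}),
)


def run_scenarios() -> dict:
    """Evaluate the situations discussed in the thread (constructed inputs)."""
    rules = [ZTNA_DEV_RULE]
    remote_tagged = ClientConnection("198.51.100.7", "203.0.113.10", "wan1",
                                     frozenset({"ZTNA_DEV"}))
    remote_untagged = ClientConnection("198.51.100.8", "203.0.113.10", "wan1",
                                       frozenset())
    remote_direct = ClientConnection("198.51.100.7", "192.168.1.4", "wan1",
                                     frozenset({"ZTNA_DEV"}))
    internal_tagged = ClientConnection("192.168.1.50", "203.0.113.10", "internal",
                                       frozenset({"ZTNA_DEV"}))
    return {
        "remote_tagged": evaluate(remote_tagged, rules),
        "remote_untagged": evaluate(remote_untagged, rules),
        "remote_direct_to_lan": evaluate(remote_direct, rules),
        "internal_tagged": evaluate(internal_tagged, rules),
    }


if __name__ == "__main__":
    for scenario, (verdict, reason) in run_scenarios().items():
        print(f"{scenario:22s} {verdict:12s} {reason}")
```

The `internal_tagged` scenario reflects the answer's point that the same access proxy serves on-net clients too: the decision depends on device identity and tags, not on which network the client sits in.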