systemgeek
Visitor III
May 9, 2025
Question

ZTNA Proxy Policy config needs for tcp-forwarding

  • May 9, 2025
  • 2 replies
  • 669 views

In all the examples I have seen on how to create a tcp-forwarding proxy policy for ZTNA I always see the following config parts:

config firewall access-proxy

config firewall proxy-policy
 
Sometimes they do include:
config firewall policy
 
In my testing I have noticed that a firewall policy config is not required. I am sure there is a good reason for having a firewall policy regardless. Can someone tell me what benefits you can get from including the firewall policy?

2 replies

AEK
SuperUser
May 11, 2025

For internal-to-internal traffic I use firewall rules only (regular rule with ZTNA tags).

For external-to-internal traffic (ZTNA server config) I use proxy rules only (type ZTNA).

And it works always fine.

AEK
vokelmo4
New Member
May 11, 2025

Do you run a terminal services gateway? I was able to get this working without too much issue over 443. The main thing I found is I had to use the hostname rather than IP for the mapped server and also needed to make sure the FortiGate was using internal DNS servers for its resolvers to resolve the hostname internally.
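As an added example (not from any poster in this thread), here is a FortiOS CLI skeleton of the access-proxy and proxy-policy blocks the question names for a tcp-forwarding ZTNA setup, with the real server defined as an FQDN address object in line with vokelmo4's hostname note; the object names, external IP, port, certificate and EMS tag are constructed placeholders.

```text
# Constructed placeholders: replace names, IP, port, certificate and EMS tag with your own.
config firewall address
    edit "rdp-server-fqdn"
        set type fqdn
        set fqdn "rdp01.corp.example"
    next
end
config firewall vip
    edit "ztna-tcp-vip"
        set type access-proxy
        set extintf "port1"
        set extip 203.0.113.10
        set extport 443
        set server-type https
        set ssl-certificate "Fortinet_Factory"
    next
end
config firewall access-proxy
    edit "ztna-tcp-proxy"
        set vip "ztna-tcp-vip"
        set client-cert enable
        set empty-cert-action block
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "rdp-server-fqdn"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end
config firewall proxy-policy
    edit 1
        set name "ztna-rdp-forward"
        set proxy access-proxy
        set access-proxy "ztna-tcp-proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS_ZTNA_rdp-allowed"
        set action accept
        set logtraffic all
    next
end
```

Because the FortiGate itself resolves the FQDN address object, its system DNS must point at resolvers that can answer for the internal hostname, and the client-certificate and EMS-tag settings are what keep the proxy from forwarding for unverified endpoints.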