Feature Introduction
AWS Cloud WAN
AWS Cloud WAN provides a central dashboard for making connections between your branch offices, data centers, and Amazon Virtual Private Clouds (Amazon VPCs)—building a global network with only a few clicks. You use network policies to automate network management and security tasks in one location. Cloud WAN generates a complete view of your on-premises and AWS networks to help you monitor network health, security, and performance.
Fortinet SD-WAN
Fortinet SDWAN (software-defined wide-area network) solution enables enterprises to transform and secure all WAN edges. Leveraging the Security-driven Networking approach that uses one operating system and one centralized management console, enterprises realize superior user experience, enhanced security posture effectiveness with converged networking and security, and achieve operational continuity and efficiency. Fortinet FortiGate delivers fast, scalable, and flexible Secure SD-WAN for cloud-first, security-sensitive, and global enterprises. Our Security-Driven Networking approach consolidates SD-WAN, next-generation firewall (NGFW), and advanced routing.
Zero Trust Network Access(ZTNA)
ZTNA is a capability within Zero Trust Access (ZTA) that controls access to applications. It extends the principles of ZTA to verify users and devices before every application session. ZTNA confirms that they meet the organization’s policy to access that application. Our unique approach, delivering Universal ZTNA as part of our FortiGate makes it uniquely flexible, covering users when they are remote or in the office.
Example Description
In the previous example, we use the integration of AWS Cloud-WAN and Fortinet SD-WAN to achieve cloud-network convergence of enterprise services, so that enterprise employees can quickly access internal applications deployed on AWS in any branch office.
For details, see:
https://fusecommunity.fortinet.com/blogs/alan/2022/10/08/aws-cloud-wan-integration-fortinet-sd-wan-1
In this example, many employees are working remotely due to COVID-19 and need anytime, anywhere access to business systems in Frankfurt, and the security department wants to meet demand while protecting business systems with a Zero Trust architecture that only allows users and compliance to use zero trust Policy devices access business system applications.
Architecture:
Configuration Instructions
1、Deploy FortiClient EMS and configuration Zero Trust rules
- Login to FortiCloud and enable FortiClient EMS Cloud in the Services menu
- Configure Zero Trust policy rules through FortiClient EMS Cloud, and according to the business requirements of this example, we add a configuration of a Zero Trust tag [Business_ZTNA_Trust]. Detailed description of the reference documentation: Zero Trust Tagging Rules
2、Configure FortiGate for Fortinet-VPC and enable ZTNA
- Configure FortiClient EMS in Fabric Connectors to connect to the FortiClient EMS Cloud
- Configure Zero Trust to protect Frankfurt's business system applications with ZTNA Server
- Configure Zero Trust access rules in ZTNA Rules to allow only users and devices with both [Employee] and [Business_ZTNA_Trust] two ZTNA Tags to access the protected Frankfurt's business system applications.
3、Install FortiClient on the user device and connect to FortiClient EMS to obtain the Zero Trust policy identity
- Install FortiClient and enter Code on the ZERO Trust Telemetry page to connect to the FortiClient EMS Cloud. Detailed description of the reference documentation: Installing FortiClient on an endpoint and registering to FortiClient Cloud
- Click the avatar to enter the user information page and confirm the identity status of the Zero Trust policy of the current user device
Verify
1、When users and devices comply with the Zero Trust rules, Frankfurt's business system applications can be accessed from anywhere.
2、When users and devices don't comply with the Zero Trust rules, they can't access Frankfurt's business system applications.
3、When users and devices don't comply with the Zero Trust rules, Frankfurt's business system applications are not accessible even in the office.
