FortiGate
GeorgeZhong
Staff & Editor
Article Id 425058
Description This article describes the behavior where the reference count of a Zero Trust Network Access (ZTNA) server object is 0 in the FortiGate GUI and CLI when a firewall policy is used instead of a proxy policy. This is expected behavior and works as designed.
Scope FortiOS v7.2.4+, v7.4.0+.
Solution

Before FortiOS v7.2.4 and v7.4.0, a ZTNA configuration in FortiOS required configuring:

  • A FortiClient EMS connection and FortiClient EMS tags,

  • A ZTNA server configuration,

  • ZTNA rules,

  • An authentication scheme and rules (optional).

 

In these settings, ZTNA rules were special proxy policies that controlled access to the ZTNA servers, and they could be configured from the Policy & Objects -> ZTNA -> ZTNA Rules tab.

 

From FortiOS v7.2.4 and v7.4.0 onwards, a configuration enhancement was introduced to provide a simplified ZTNA user experience. This enhancement allows ZTNA rules to be configured directly within firewall policies, without the requirement to use proxy-based ZTNA rules.

 

This feature is described in the following document:

Introduce simplified ZTNA rules within firewall policies

 

An example GUI configuration is shown below:

 

Capture1.PNG

 

ZTNA server 'ztna_test' is added as the destination in a firewall policy:

 

Capture.PNG

 

The corresponding CLI configuration can be found below:

 

Spoke2 (ztna_test) # show
config firewall access-proxy
    edit "ztna_test"
        set vip "ztna_test"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "10.24.0.0/20"
                        set mappedport 3389
                    next
                end
            next
        end
    next
end

Spoke2 (9) # show
config firewall policy
    edit 9
        set name "ztna"
        set uuid 1ccadfb2-d94c-51f0-611e-7ba0d019a7e4
        set srcintf "port1"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "ztna_test"
        set ztna-ems-tag "EMS1_ZTNA_all_registered_clients"
        set schedule "always"
        set logtraffic all
        set nat enable
    next
end

 

Note that the reference count of the ZTNA server object 'ztna_test' is 0, even though the firewall policy above clearly uses it.

 

Capture2.png

 

When checking the reference count of 'ztna_test' in the CLI using the following command, the result is empty as well:

 

diagnose sys cmdb refcnt show firewall.access-proxy.name ztna_test

 

This behavior is not observed when a proxy policy is used. For example, if the ZTNA server 'ztna_test' is referenced by the following proxy policy:

 

Capture3.PNG

 

The reference can be seen in both the GUI and CLI:

 

Capture4.PNG

 

Spoke2 # diagnose sys cmdb refcnt show firewall.access-proxy.name ztna_test
entry used in table firewall.proxy-policy:policyid '1' entry access-proxy:name 'ztna_test' (From VDOM: 'root')

 

The reference count of the ZTNA server object remains 0 when a firewall policy is used because the firewall policy does not reference the object 'ztna_test' under 'config firewall access-proxy' at all. Its 'dstaddr' references an object with the same name under 'config firewall vip', of type 'access-proxy'. This VIP object is created automatically when the ZTNA server is configured in the GUI; it is not shown in the GUI and can only be seen from the CLI. The reference from policy 9 can therefore be confirmed by querying the VIP table instead of the access-proxy table:

diagnose sys cmdb refcnt show firewall.vip.name ztna_test

For the same reason, a reference count of 0 on a ZTNA server object is not evidence that the object is unused: check the VIP of the same name before deleting a ZTNA server.

 

config firewall vip

    edit "ztna_test"
        set uuid 0bf209c2-d94c-51f0-7274-5625af1fcdc0
        set type access-proxy
        set server-type https
        set extip 10.56.242.224
        set extintf "port1"
        set extport 443
        set ssl-certificate "Fortinet_Factory"
    next

end

 

This behavior is by design in FortiOS and will not affect the functionality of ZTNA.
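The two lookups described in this article (the empty result for the access-proxy table when only a firewall policy uses the server, and the populated result when a proxy policy uses it) can be reproduced offline against exported configuration. The following Python script is an added example and is not FortiOS code or part of the original article: it parses a constructed 'show' output modelled on the configuration above, resolves references the way the article describes (proxy-policy 'access-proxy' to 'firewall access-proxy', firewall policy 'dstaddr' to 'firewall vip', and the access-proxy's own 'vip' attribute to 'firewall vip'), and exposes a 'ztna_server_in_use' check that an administrator could run before deleting a ZTNA server that shows zero references. The reference map, the parser, the function names and the second ZTNA server 'ztna_unused' are this example's own assumptions; the sample configuration is constructed, not captured from a device.

```python
"""Added example (not FortiOS code): resolve object references the way
`diagnose sys cmdb refcnt show` does, so that a ZTNA server whose access-proxy
entry reports 0 references is not mistaken for an unused object."""
import shlex

# Constructed `show` output mirroring the article: access-proxy "ztna_test", its
# auto-created VIP, firewall policy 9 using that VIP, plus one genuinely unused server.
SAMPLE_CONFIG = """
config firewall access-proxy
    edit "ztna_test"
        set vip "ztna_test"
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
            next
        end
    next
    edit "ztna_unused"
        set vip "ztna_unused"
    next
end
config firewall vip
    edit "ztna_test"
        set type access-proxy
        set extip 10.56.242.224
    next
    edit "ztna_unused"
        set type access-proxy
    next
end
config firewall policy
    edit 9
        set name "ztna"
        set dstaddr "ztna_test"
        set ztna-ems-tag "EMS1_ZTNA_all_registered_clients"
        set action accept
    next
end
"""

# Same environment with a pre-7.2.4 style ZTNA rule (proxy policy) added.
PROXY_POLICY_CONFIG = SAMPLE_CONFIG + """
config firewall proxy-policy
    edit 1
        set proxy access-proxy
        set access-proxy "ztna_test"
        set action accept
    next
end
"""

# (source table, attribute) -> tables the attribute may point to, in lookup order.
# Assumption: only the relationships the article involves are modelled.
REFERENCES = {
    ("firewall proxy-policy", "access-proxy"): ["firewall access-proxy"],
    ("firewall policy", "dstaddr"): ["firewall vip", "firewall address"],
    ("firewall access-proxy", "vip"): ["firewall vip"],
}


def parse_config(text):
    """Parse `show` output into {table: {key: {attr: [values] | subtable}}}."""
    root, stack = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        current = stack[-1] if stack else root
        if keyword == "config":            # open a (sub)table
            stack.append(current.setdefault(" ".join(args), {}))
        elif keyword == "edit":            # open an entry inside the table
            stack.append(current.setdefault(args[0], {}))
        elif keyword == "set":             # attribute with one or more values
            current[args[0]] = args[1:]
        elif keyword in ("next", "end"):   # close entry / table
            stack.pop()
    return root


def refcnt_show(cfg, table, name):
    """Mimic `diagnose sys cmdb refcnt show <table>.name <name>`; return referrers."""
    hits = []
    for (src_table, attr), targets in REFERENCES.items():
        for key, entry in cfg.get(src_table, {}).items():
            for value in entry.get(attr, []):
                # dstaddr is a union of tables: resolve to the first one holding the name
                resolved = next((t for t in targets if value in cfg.get(t, {})), None)
                if value == name and resolved == table:
                    hits.append((src_table, key, attr))
    return hits


def ztna_server_in_use(cfg, name):
    """True if a proxy policy uses the server, or a firewall policy uses its VIP."""
    if refcnt_show(cfg, "firewall access-proxy", name):
        return True
    vip = cfg.get("firewall access-proxy", {}).get(name, {}).get("vip", [None])[0]
    if cfg.get("firewall vip", {}).get(vip, {}).get("type") != ["access-proxy"]:
        return False
    return any(src == "firewall policy" for src, _, _ in refcnt_show(cfg, "firewall vip", vip))
```

With the sample configuration, 'refcnt_show(cfg, "firewall access-proxy", "ztna_test")' returns an empty list, matching the empty CLI result in the article, while the same lookup against 'firewall vip' reports policy 9 (and the access-proxy's own 'set vip'); 'ztna_server_in_use' is the check to run before deleting a server that the GUI shows with zero references. Feeding it the 'show' output of a real device requires only that the tables involved appear in the same 'config' / 'edit' / 'set' / 'next' / 'end' form as above.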