This article describes that ZTNA configurations no longer require a firewall policy to forward traffic to the access proxy VIP.
This is implicitly generated based on the ZTNA rule configuration.
- Firewall policies no longer have the ZTNA toggle for switching between Full ZTNA and IP/MAC filtering.
- If an access-proxy type proxy-policy does not have a srcintf, then after upgrading it will be set to any.
Before 7.0.2, firewall policy is required to matche and redirect client requests to the access proxy VIP
To configure a firewall policy for full ZTNA in the CLI:
For 7.0.2, firewall policy to forward traffic to the access proxy VIP is implicitly generated based on the ZTNA rule configuration, and does not need to be manually created.
For version before 7.0.2 and upgrading to FortiOS 7.0.2, the ZTNA rule source interface will be set to any and all full ZTNA firewall policies will automatically be removed.