Created on 06-24-2024 12:59 AM, edited on 06-24-2024 04:45 AM, by Stephen_G
| Description | This article introduces the ZTNA virtual host feature. |
| Scope | FortiGate. |
| Solution | |
In the ZTNA configuration, a Virtual Host is introduced in the Server Mapping to match the host part of the ZTNA request, that is, the ZTNA proxy gateway address the endpoint host is trying to access.
For example:
On the FortiGate, 10.56.240.210 with port 443 is configured as the external IP and port of the ZTNA proxy gateway, and 10.24.1.15 is configured as the real server IP in the server mapping.
Assume the endpoint host is connected to EMS and has the correct tag assigned. When it accesses the server behind the FortiGate via ZTNA, it sends the ZTNA request to the ZTNA proxy gateway, which then initiates the HTTP or TCP traffic to the real server, depending on the service type.
The endpoint host can reach the ZTNA proxy gateway either via the IP address 10.56.240.210 or via an FQDN that resolves to this IP.
The Virtual Host in the ZTNA Server Mapping is matched against that IP or FQDN. There are two options: 'Any Host', or a specified host.
In this example, since the ZTNA proxy gateway address the endpoint user is trying to connect to is 10.56.240.210, the host must be the IP address 10.56.240.210 if a Virtual Host is specified. Otherwise, 'Any Host' can be chosen.
If the proxy gateway address the end user is trying to access does not match the Virtual Host specified here, the following error appears in the ZTNA traffic log. The message shows what the ZTNA request looks like; its host part must match the Virtual Host specified here.
If the endpoint user has multiple FQDN addresses that all resolve to the proxy VIP 10.56.240.210, a particular FQDN can be specified in the Virtual Host to match the proxy gateway FQDN the user is trying to access and map it to the real server. It is not necessary to configure the Virtual Host when only one FQDN resolves to the external IP, or when the user accesses the IP address directly.
The common use case for the ZTNA Virtual Host is when there is only one public IP on the FortiGate but multiple real servers need to be mapped. In this case, the user needs multiple FQDN addresses that resolve to the external IP of the ZTNA server, with each FQDN mapped to a different real server.
This use case is based on Technical Tip: Accessing multiple web servers hosted via single ZTNA Server - Access Proxy (HTTP/HTT....
Related documents: