FortiGate
jcovarrubias
Staff
Article Id 370974
Description This article describes how Fortinet implements ZTNA (Zero Trust Network Access) simply and effectively, and outlines a basic ZTNA deployment.
Scope FortiGate, FortiClient EMS, FortiClient, FortiProxy.
Solution

A general high-level view of ZTNA and its components:

ZTNA is a security model that defines how resources on a network are accessed, at any time and from any place, using the principles of segmentation, least-privilege access, continuous monitoring, and verification of both the user and the device.

 

The implementation of ZTNA in Fortinet requires 3 elements:

  •    A next-generation firewall (FortiGate with proxy functions enabled) or FortiProxy.
  •    FortiClient (the licensed version; the free VPN-only client does not support ZTNA).
  •    FortiClient EMS server.

 

Optional elements:

  •   Identity provider.

 

How does Fortinet implement ZTNA:

Using proxy or address translation (NAT) principles. When the firewall receives a connection request, the FortiGate intercepts it and either terminates the connection and opens a new one to the server (proxy) or translates the connection (NAT), which is the functionality a regular proxy would execute. ZTNA takes this and adds authentication and authorization to the right privilege level in 2 simple steps:

  • EMS associates tags with the endpoints it manages, based on their posture; these tags are then pushed to Security Fabric devices such as the FortiGate to use as policy-matching criteria.

  • When the user accesses a protected resource, FortiClient makes the connection. The FortiGate receives it and verifies the endpoint's assigned tags (and, if configured, the user's identity) against the ZTNA policy to determine whether the connection is approved. If approved, it completes the connection to the protected resource.

 

A configuration using the principles of NAT is called a Simple ZTNA configuration, while a configuration using proxy principles (access proxy) is a full ZTNA configuration.

 

Component roles:

 

FortiClient:

Acts as the ZTNA agent on endpoints, providing secure access to applications without a traditional VPN. When a user attempts to access a protected resource, FortiClient creates a secure ZTNA tunnel specific to that application. It reports the endpoint's posture to EMS for initial and continuous assessment, so that the endpoint must meet security requirements before and during access. It communicates with EMS to receive its ZTNA configuration and tags, and with the FortiGate, presenting the client certificate issued through EMS, for access verification.

 

FortiClient EMS:

EMS is a core component of ZTNA that manages endpoint tags and the rules that assign them. It assigns ZTNA tags based on device posture, user identity, and security compliance. These tags are dynamically updated and synchronized with the FortiGate, which enforces access policies with them. EMS also deploys ZTNA configurations to FortiClient, including protected resource definitions and connection settings, and issues the client certificates that FortiClient presents to the FortiGate.

 

 

IDP/Identity Providers:

Provide identity verification for ZTNA access decisions. When integrated with Fortinet's ZTNA solution, IDPs validate user credentials before access to protected resources is granted, so that the decision is based on both who the user is and which tags the device carries. Fortinet supports integration with multiple products such as FortiAuthenticator, Cisco ISE, Microsoft Azure, and Okta over protocols such as SSO/SAML, RADIUS, and TACACS+.

 

FortiGate:

Acts as the ZTNA controller and policy enforcement point in the Zero Trust architecture. When receiving connection requests from FortiClient, the FortiGate verifies both the user identity and the device tags received from EMS before granting access to protected resources. It supports two ZTNA deployment modes:

  • Proxy-based (Full ZTNA): the FortiGate intercepts and terminates the connection, then opens its own connection to the server, providing complete application inspection and control. It is ideal for web-based applications and detailed traffic analysis, and supports enhanced configuration with SD-WAN.

  • Simple ZTNA (NAT-based): the FortiGate uses address translation to provide access to applications such as RDP and SSH. It is more lightweight but has limited inspection capabilities, because the application traffic is not terminated on the FortiGate.
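The following FortiOS CLI configuration is an added example that illustrates the two-step flow described above (EMS tags pushed to the FortiGate, then matched in policy) and both deployment modes. It is not taken from this article or from the "Basic ZTNA configuration" document it links to. The EMS address, interface names, IP addresses, object names ("ztna-web-vip", "ztna-web-proxy", "rdp-server", "ztna-users") and the tag name "Compliant" are assumptions chosen for illustration; the tag must exist in EMS, and "rdp-server" and "ztna-users" must already be defined on the FortiGate.

```fortios
# Added example, not the article's own configuration. Every name and address
# below is an assumption. Full (proxy-based) ZTNA is shown first, then the
# NAT/policy-based "Simple ZTNA" variant for RDP.

# 1. EMS fabric connector. Once the connector is authorized on EMS, the
#    FortiGate learns endpoint tags from EMS and exposes each one as a
#    dynamic address object named EMS<n>_ZTNA_<tagname>.
config endpoint-control fctems
    edit "ems"
        set server "10.0.0.10"
        set capabilities fabric-auth silent-approval websocket ztna-server
    next
end

# 2. Full ZTNA (proxy-based). The FortiGate terminates the client's TLS
#    session on an access-proxy VIP, requires the client certificate issued
#    through EMS, then opens its own connection to the real server.
config firewall vip
    edit "ztna-web-vip"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_SSL"
    next
end

config firewall access-proxy
    edit "ztna-web-proxy"
        set vip "ztna-web-vip"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set ip 10.0.1.20
                        set port 443
                    next
                end
            next
        end
    next
end

# ZTNA rule: only endpoints that EMS has tagged "Compliant", used by members
# of the "ztna-users" group, may reach the protected web server. An endpoint
# whose tag is removed by EMS stops matching this policy.
config firewall proxy-policy
    edit 1
        set name "ZTNA-web-compliant-only"
        set proxy access-proxy
        set access-proxy "ztna-web-proxy"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set groups "ztna-users"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

# 3. Simple ZTNA (NAT/policy-based). No proxy termination: a regular firewall
#    policy with ZTNA enabled matches the source endpoint's EMS tag before
#    forwarding RDP to the server. Lighter, but the RDP stream itself is not
#    inspected at the application layer.
config firewall policy
    edit 10
        set name "ZTNA-simple-rdp"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "rdp-server"
        set service "RDP"
        set action accept
        set schedule "always"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set logtraffic all
    next
end
```

Two checks are worth running after applying this: `diagnose endpoint record list` shows the endpoint records and tags the FortiGate has received from EMS, and `diagnose firewall dynamic list` shows which endpoint IPs currently resolve under the EMS1_ZTNA_Compliant address object. If an endpoint is missing from the second output, the policy will deny it regardless of the user's credentials, which is the intended failure mode: an unverified device gets no access even with a valid login.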

 

The FortiGate continuously verifies ZTNA sessions, monitoring tag updates from EMS and the user's authentication status. It can immediately revoke access if the device posture or the user's credentials become non-compliant. Through Security Fabric integration, ZTNA telemetry is shared with other Fortinet security components for comprehensive security visibility and control.

 

A configuration sample can be seen in the following document:

Basic ZTNA configuration