FortiGate
jfelix09 (Staff)
Article Id 425644
Description This article describes how to configure a Zero Trust Network Access (ZTNA) agentless web portal with multi-factor authentication (MFA). In this example, a FortiGate firewall is configured to authenticate users from the local user database using FortiToken as the MFA method.
Scope FortiGate 7.6.1+.
Solution

This guide provides a step-by-step procedure to configure a ZTNA agentless web portal secured with FortiToken-based MFA. The ZTNA agentless web portal enables users to securely access protected internal resources using only a standard web browser, without installing a ZTNA agent on the client device.

ztna-agentless-diagram.png

Step 1: Create a local user named 'localtoken', enable FortiToken as the second authentication factor, and add the user to a firewall user group named 'local-fgt-users'. Only this group is later granted bookmarks, so every member must have a FortiToken assigned.

config user local
    edit "localtoken"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOBXXXXXXX"
        set email-to "user.email@contoso.com"
        set passwd <PASSWORD>
    next
end

config user group
    edit "local-fgt-users"
        set member "localtoken"
    next
end

Step 2: Create a VIP of type access-proxy that terminates incoming ZTNA agentless web portal connections on TCP/2587 of the external interface.

config firewall vip
    edit "ZTNA-agentless"
        set type access-proxy
        set server-type https
        set extip 10.5.147.78
        set extintf "port1"
        set client-cert disable
        set extport 2587
        set ssl-certificate "Fortinet_Factory"
    next
end

Step 3: Define a virtual host that represents the FQDN ('ztna.fortilab.local') used to access the ZTNA web portal.

config firewall access-proxy-virtual-host
    edit "ztna-web-portal-fqdn"
        set ssl-certificate "Fortinet_Factory"
        set host "ztna.fortilab.local"
        set client-cert disable
    next
end

Note: Replace the default 'Fortinet_Factory' certificate, on both the VIP (Step 2) and this virtual host, with a certificate issued by a CA the clients trust and whose subject or SAN matches 'ztna.fortilab.local'. With the factory certificate every login starts with a browser warning, which also trains users to click through the same warning they would see during an interception.

Step 4: An authentication scheme with the method 'form' is mandatory for FortiToken MFA, since only the form login can prompt for the token. Also enable 'require-tfa' so that the firewall authentication login includes the token prompt. Configure an authentication scheme and rule as in the example below:

config authentication scheme
    edit "ztna-web-portal-form"
        set method form
        set require-tfa enable
        set user-database "local-user-db"
    next
end

config authentication rule
    edit "ztna-web-portal-rule"
        set protocol ztna-portal
        set ip-based disable
        set active-auth-method "ztna-web-portal-form"
        set web-auth-cookie enable
    next
end

Step 5: Configure the ZTNA web portal from the VIP, virtual host, and authentication rule created above. 'auth-portal' must be enabled; without it the authentication portal is not triggered.

config ztna web-portal
    edit "ztna-web-portal"
        set vip "ZTNA-agentless"
        set host "ztna-web-portal-fqdn"
        set auth-portal enable
        set auth-virtual-host "ztna-web-portal-fqdn"
        set auth-rule "ztna-web-portal-rule"
    next
end

Step 6: Define the bookmarks for the internal resources users may open from the portal, such as web servers, SSH, or RDP. Bookmarks are shown only to members of the groups listed under 'groups', so reference the group that contains the users with FortiToken assigned ('local-fgt-users' from Step 1):

config ztna web-portal-bookmark
    edit "bookmarks"
        set groups "local-fgt-users"
        config bookmarks
            edit "ssh"
                set apptype ssh
                set host "10.15.19.81"
            next
        end
    next
end

Step 7: Configure a proxy policy that allows access to the ZTNA web portal. The example matches any source interface and any source address; in production, restrict 'srcintf' to the interface the VIP is bound to ('port1' in Step 2) and narrow 'srcaddr' where the client population allows it:

config firewall proxy-policy
    edit 0
        set name "ZTNA-web-portal"
        set proxy ztna-proxy
        set ztna-proxy "ztna-web-portal"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
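With Steps 1 to 7 in place, the most common way this setup silently loses its MFA is a broken cross-reference or a scheme that no longer has 'method form' and 'require-tfa enable'. The script below is an added example (not Fortinet code and not part of this article): it parses FortiOS CLI blocks of the shape used above and cross-checks the settings the portal depends on. The embedded SAMPLE is a constructed, pared-down copy of the configuration in Steps 1 to 6 (serial, password, addresses and the proxy policy omitted); the finding codes, and the rule that flags any bookmark group member who is not a local FortiToken user, are this script's own conventions, not FortiOS output. To audit a live unit, replace SAMPLE with the output of 'show' for the same tables.

```python
"""Cross-check the ZTNA agentless portal wiring in FortiOS CLI text (added example,
not Fortinet code): parse config/edit/set/next/end blocks, then verify references and MFA settings."""
import shlex

# Constructed sample: Steps 1-6 of the article pared down to the settings the checks read.
SAMPLE = """
config user local
    edit "localtoken"
        set two-factor fortitoken
    next
end
config user group
    edit "local-fgt-users"
        set member "localtoken"
    next
end
config firewall access-proxy-virtual-host
    edit "ztna-web-portal-fqdn"
        set ssl-certificate "Fortinet_Factory"
    next
end
config authentication scheme
    edit "ztna-web-portal-form"
        set method form
        set require-tfa enable
    next
end
config authentication rule
    edit "ztna-web-portal-rule"
        set active-auth-method "ztna-web-portal-form"
    next
end
config ztna web-portal
    edit "ztna-web-portal"
        set host "ztna-web-portal-fqdn"
        set auth-portal enable
        set auth-virtual-host "ztna-web-portal-fqdn"
        set auth-rule "ztna-web-portal-rule"
    next
end
config ztna web-portal-bookmark
    edit "bookmarks"
        set groups "local-fgt-users"
        config bookmarks
            edit "ssh"
                set apptype ssh
            next
        end
    next
end
"""

def parse_fortios(text):
    """Return {table: {entry: {setting: [values], "_config": {subtable: ...}}}}."""
    root, stack = {}, []  # frames: ("config", table dict) or ("edit", entry dict)
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "config":  # a config inside an edit hangs off that entry
            parent = stack[-1][1].setdefault("_config", {}) if stack else root
            stack.append(("config", parent.setdefault(" ".join(tok[1:]), {})))
        elif tok[0] == "edit":
            stack.append(("edit", stack[-1][1].setdefault(tok[1], {})))
        elif tok[0] == "set":  # multi-value settings (member, groups) keep every token
            stack[-1][1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def first(entry, key):
    """First value of a setting, or None if the entry or the setting is absent."""
    return ((entry or {}).get(key) or [None])[0]

def audit(cfg):
    """Return [(code, message)]. Empty means every reference resolves, the login
    form asks for a token, and every bookmark user is a local FortiToken user."""
    out, vhosts = [], cfg.get("firewall access-proxy-virtual-host", {})
    rules, schemes = cfg.get("authentication rule", {}), cfg.get("authentication scheme", {})
    for name, portal in cfg.get("ztna web-portal", {}).items():
        if first(portal, "auth-portal") != "enable":
            out.append(("AUTH_PORTAL_OFF", f"{name}: auth-portal disabled, login is never triggered"))
        for vh in dict.fromkeys(first(portal, k) for k in ("host", "auth-virtual-host")):
            if vh not in vhosts:
                out.append(("MISSING_REF", f"{name}: virtual host {vh!r} is not defined"))
            elif first(vhosts[vh], "ssl-certificate") == "Fortinet_Factory":
                out.append(("CERT_FACTORY", f"{name}: {vh} still uses the Fortinet_Factory certificate"))
        scheme = schemes.get(first(rules.get(first(portal, "auth-rule")), "active-auth-method"))
        if scheme is None:
            out.append(("MISSING_REF", f"{name}: auth-rule or its active-auth-method is not defined"))
        elif first(scheme, "method") != "form" or first(scheme, "require-tfa") != "enable":
            out.append(("NO_TFA", f"{name}: scheme needs 'method form' and 'require-tfa enable'"))
    users, groups = cfg.get("user local", {}), cfg.get("user group", {})
    for bname, bm in cfg.get("ztna web-portal-bookmark", {}).items():
        members = [m for g in bm.get("groups", []) for m in groups.get(g, {}).get("member", [])]
        for member in members:  # remote (LDAP/RADIUS) users are flagged too: verify their MFA elsewhere
            if first(users.get(member), "two-factor") != "fortitoken":
                out.append(("USER_NO_TOKEN", f"{bname}: {member} is not a local user with FortiToken"))
    return out

if __name__ == "__main__":
    print(audit(parse_fortios(SAMPLE)) or "no findings")
```

Run as-is, the only finding on the sample is CERT_FACTORY, which matches the Note under Step 3; flipping 'require-tfa' to disable, changing the scheme method, disabling 'auth-portal', or adding a non-local member to 'local-fgt-users' each produces the corresponding finding.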

 

Testing and validation:

The client must resolve 'ztna.fortilab.local' to the VIP's external IP (10.5.147.78 in Step 2), via DNS or a hosts entry, and be able to reach TCP/2587 on that address.

  1. From a remote client, open a web browser and navigate to 'https://ztna.fortilab.local:2587'.
  2. The ZTNA web portal login page is displayed.
  3. Click Login.
  4. Enter the local username, password, and FortiToken OTP code.
  5. Upon successful authentication, the ZTNA web portal is displayed with the configured bookmarks.

ztna-portal-login.png

Related articles:

FortiOS 7.6.5 > ZTNA agentless web-based application access 

Technical Tip: How to configure ZTNA Session Based Authentication with MFA token