When configuring ZTNA access proxy with the TCP Forwarding type, a ZTNA destination rule is required. In some cases, these destination rules must be delivered only to certain users connected through FortiSASE.

FortiSASE allows the application of destination rules based on specific profiles. This enables targeting destination rules to particular user groups, with each profile determining the appropriate destination rule and corresponding application gateway to utilize.

1. Create the profile that will be assigned to a specific user group. 
   
   
   
   
2. Then, go to Agent-Based ZTNA, create and authorize the FortiGate Gateway to sync the tags between On Prem FortiGate and FortiSASE.
3. To create the ZTNA Destination rules, follow the steps below:

1. Go to Configuration -> Agent-Based ZTNA TAB.

As shown in the screenshot below, configure the real IP address of the Server/Application and select the application gateway needed.

2. Then go to the profiles TAB. In this example, the profile name is DomainJoinedUsers.
   Go to ZTNA TAB as shown below:

3. Select the ZTNA Application which was created in step a and assign it to the profile.
                                                         

After the above configuration. FortiSASE should push the destination rules to FortiClient that belongs to this profile 'DomainJoinedUsers' only. While users who belong to other profiles will not contain this destination Rule.