Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Akmostafa
New Contributor III

clarifications about ZTNA policies modes (simple vs full)

Hello Team,

Referring to:

Introduce simplified ZTNA rules within firewall policies | FortiGate / FortiOS 7.4.0 | Fortinet Docu...

 

I found some points that I need to digest regarding the two modes (simple,full) of ZTNA policies:

 

1- In what cases exactly do I need to choose full mode over simple mode?

2- In the above doc, quoted:

 

"A simple ZTNA policy cannot control access based on the destination interface or the real server's destination address."

 

I understood the "destination interface" part, but how does the full policy control access based on the real destination address?

 

3- Regarding authentication, quoted:

 

"Authentication for ZTNA policies

Authentication remains largely the same between both ZTNA policy configuration modes. You can specify user groups under Source to define the groups to which the access control applies. However, the underlying authentication schemes and rules must still be in place to direct the traffic to the ZTNA application gateway."

 

So the authentication scheme must be in place as mentioned above. However, in the next paragraph, quoting:

 

"Authentication for regular firewall policies is traditionally handled by authd, which does not require an authentication scheme and rules to be configured in order to function"

 

So, in simple mode, is an authentication scheme and rule required or not?

 

4- For SAML authentication, what is the difference between adding SAML groups into the source of a simple policy vs enabling the SAML option in the policy and selecting the idp?
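To make the "full vs simple" distinction in the question concrete, here is an added CLI sketch of the two policy shapes. It is not from this thread or from the Fortinet documentation, and every object name (ZTNA-vip, ZTNA-server, srv-rdp, ztna-users, EMS1_ZTNA_Compliant, ztna-saml) is a placeholder I chose; the stanza layout reflects the FortiOS 7.4 CLI as I know it, so verify field names against your own firmware before relying on them. The point it illustrates: full mode is a proxy-policy bound to an access proxy whose api-gateway maps to real servers, so the policy can match on the real server's address (and on a destination interface), while simple mode is an ordinary firewall policy with ztna-status enabled, which only sees the ZTNA server VIP as its destination.

```text
# --- Shared object: the ZTNA server (access proxy) with its real-server mapping ---
# (placeholder names; the realserver entry is what ties a published service
#  to the "real destination address" the documentation refers to)
config firewall access-proxy
    edit "ZTNA-server"
        set vip "ZTNA-vip"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set ip 10.0.10.25          # constructed example address
                        set port 3389
                    next
                end
            next
        end
    next
end

# --- Full mode: a proxy policy attached to the access proxy ---
# dstaddr can name the real server object and dstintf can be restricted,
# because the proxy policy is evaluated on the proxied connection.
config firewall proxy-policy
    edit 1
        set name "ZTNA-full-rdp"
        set proxy access-proxy
        set access-proxy "ZTNA-server"
        set srcintf "any"
        set dstintf "port2"                        # destination interface control
        set srcaddr "all"
        set dstaddr "srv-rdp"                      # real server's address control
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set groups "ztna-users"                    # user group under Source
        set action accept
        set logtraffic all
    next
end

# --- Simple mode: a regular firewall policy with ZTNA enabled ---
# The destination is the ZTNA server VIP itself; there is no field for the
# real server behind it, which is the limitation quoted from the doc.
config firewall policy
    edit 10
        set name "ZTNA-simple-rdp"
        set srcintf "any"
        set srcaddr "all"
        set dstaddr "ZTNA-vip"
        set ztna-status enable
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set groups "ztna-users"
        set action accept
        set logtraffic all
    next
end

# --- The "underlying authentication scheme and rule" the doc says must exist ---
# Placeholder SAML scheme; the rule steers traffic into the access proxy's
# authentication path so that group membership in the policy can be evaluated.
config authentication scheme
    edit "ztna-saml"
        set method saml
        set saml-server "idp-placeholder"
    next
end
config authentication rule
    edit "ztna-auth-rule"
        set srcintf "any"
        set srcaddr "all"
        set active-auth-method "ztna-saml"
    next
end
```

When comparing the two, a practical check is to look at what the policy can match on: if your access decision needs the destination interface or the backend server's own address (for example, several realservers behind one ZTNA server with different user groups allowed to each), only the proxy-policy form can express it; if a single rule per published service is enough, the simple form has fewer moving parts.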

 

1 REPLY 1
AEK
SuperUser

Hi Mostapha

Personally for remote access I use only full mode (proxy policy), since simple mode doesn't seem to work properly for me.

AEK