Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FNT_Learner
New Contributor III

Created on ‎12-19-2023 02:06 AM Edited on ‎02-26-2024 05:14 AM By Community Manager

fortinet ZTNA licensing

Hello everyone!

Please help me if anyone has experience or worked with implementing Fortinet ZTNA. I want to implement ZTNA in my network. but I don't know which subscription is necessary for that. Do I need valid subscription on my FortiGate? which subscription should I purchase for Endpoints or Forti Client EMS? 

Any of Fortinet Support Can help me? I need a Comprehensive guide, please.

Thanks. 

Labels:
1287
0 Kudos
1 Solution
ozkanaltas
Contributor III
In response to FNT_Learner

Created on ‎12-19-2023 06:02 AM

My advice is; to first install FortiClient EMS with a trial license on your lab or prod environment. Try some scenarios related to your request. After that purchase a prod license.

 

In the installation stage, you can follow this document. Especially, be careful installing Windows server. Language, time, and currency format settings it should be "English (United States)". Based on my past experience, do not install anything on this server. When different programs are installed, EMS may sometimes cause errors during installation.

 

https://docs.fortinet.com/document/forticlient/7.2.3/ems-administration-guide/358374/system-requirem...

 

If my answer provided a solution for you. Please do not forget to mark it as a solution so that others can benefit from it.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1223
8 REPLIES 8
ozkanaltas
Contributor III

Created on ‎12-19-2023 02:31 AM Edited on ‎12-19-2023 02:34 AM

Hello @FNT_Learner ,

 

You don't need an additional Fortigate license for ZTNA. But You should buy a FortiClientEMS VPN/ZTNA license for endpoints. If you want to use additional features on FortiClient. You can review this table and you can select the license best for you. 

 

If you want to try ZTNA. You can install FortiClientEMS with your support account. FortiClientEMS provides always a free trial for 3 clients. 

 

image.png

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1278
FNT_Learner
New Contributor III
In response to ozkanaltas

Created on ‎12-19-2023 02:43 AM

Hi ozkanaltas thank you for your quick response. so the only license that is needed is FortiClientEMS VPN/ZTNA license and this just should be applied on EMS, not clients. is it correct? and what about the clients, do they need any license for enabling ZTNA functionality on them? As I know we need a license for endpoints and another license for EMS to manage them. is it right?

1271
0 Kudos
ozkanaltas
Contributor III
In response to FNT_Learner

Created on ‎12-19-2023 02:56 AM Edited on ‎12-19-2023 02:59 AM

Hi @FNT_Learner ,

 

Actually, you should buy a FortiClientEMS license up to your client count. If you look at the FortiClientEMS data sheet. You can see the client package up to your client count. Your client will get their licenses from FortiClientEMS.

 

FortiClientEMS is the only management console for FortiClient. Also, EMS shares your client's ZTNA tag and Client certificate with Fortigate. In this way, trust is established between Fortigate and the Client.

 

Also, you have two options for the FortiClientEMS deployment method. Cloud and Self-Hosted. If you select a Cloud-based license, this license type is user-based. You can install 3 machines (computer, cell phone, tablet) with the same username. But if you choose self-hosted, this license device-based. You should buy up to your device count.

 

These licenses are stackable. For example, if you need 100 client licenses. You can buy 25 packs x 4.

 

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/forticlient.pdf

 

image.png

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1267
FNT_Learner
New Contributor III
In response to ozkanaltas

Created on ‎12-19-2023 05:46 AM

Thank you. I plan to deploy EMS server on-prem. is there any additional tips that you want tell me?

1228
0 Kudos
ozkanaltas
Contributor III
In response to FNT_Learner

Created on ‎12-19-2023 06:02 AM

My advice is; to first install FortiClient EMS with a trial license on your lab or prod environment. Try some scenarios related to your request. After that purchase a prod license.

 

In the installation stage, you can follow this document. Especially, be careful installing Windows server. Language, time, and currency format settings it should be "English (United States)". Based on my past experience, do not install anything on this server. When different programs are installed, EMS may sometimes cause errors during installation.

 

https://docs.fortinet.com/document/forticlient/7.2.3/ems-administration-guide/358374/system-requirem...

 

If my answer provided a solution for you. Please do not forget to mark it as a solution so that others can benefit from it.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
1224
FNT_Learner
New Contributor III
In response to ozkanaltas

Created on ‎12-19-2023 09:50 PM

Thank you ozkanaltas.

1188
FNT_Learner
New Contributor III
In response to ozkanaltas

Created on ‎01-01-2024 03:22 AM

Hello ozkanaltas,

would you please tell me about licensing for EPP/APT? if I want to have subscription for this product, what licenses should I purchase? and which device is responsible for distributing updates to client? FortiGate or EMS? if FortiGate is responsible for that, does it need license too?

902
0 Kudos
ozkanaltas
Contributor III
In response to FNT_Learner

Created on ‎01-01-2024 05:16 AM

Hello @FNT_Learner ,

 

EMS is responsible for the updates. 

 

If you want to use the ztna feature, you can buy only the ztna license. If you want additional features, for example, antivirus, USB device control, ransomware protection.  You should buy EPP/APT license. You can see the difference between these licenses in the screenshot. 

 

image.png

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
882
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.