Fortinet Firewall Zero Trust: How to Configure ZTNA Tags

You are currently viewing Fortinet Firewall Zero Trust: How to Configure ZTNA Tags

Fortinet Firewall Zero Trust: How to Configure ZTNA Tags

Image by: panumas nikhomkhai

Understanding Zero Trust and Fortinet’s approach

Did you know 82% of breaches involve cloud assets, yet organizations only inspect 45% of encrypted traffic? This visibility gap is why enterprises are adopting Zero Trust Network Access (ZTNA). Unlike traditional perimeter-based security, ZTNA operates on “never trust, always verify” principles. Fortinet’s implementation uses dynamic tags in FortiOS to classify devices based on real-time posture assessments. These tags become the foundation for granular access control, replacing IP-based rules with identity and context-aware policies. You’ll learn how to transform your FortiGate into a Zero Trust gateway that validates every connection attempt, whether users are on-premises or remote.

Core components of FortiOS ZTNA

Fortinet’s architecture hinges on three elements:

  • ZTNA tags: Metadata labels assigned to devices (e.g., “Compliant_Windows11” or “NonManaged_Mobile”)
  • Posture collection service: Validates device health through FortiClient EMS integration
  • Access proxy Securely brokers connections without exposing internal networks

According to NIST SP 800-207, this micro-segmentation reduces attack surfaces by 68% compared to VPNs. For enterprises using FortiGate deployment services, implementing ZTNA is critical for modern hybrid work environments.

Preparing your FortiGate for ZTNA configuration

Before configuring Zero Trust Network Access, verify your environment meets these requirements:

  1. FortiOS 7.0 or higher (7.4 recommended for full feature set)
  2. FortiClient EMS 7.0+ for endpoint posture collection
  3. Licenses for ZTNA and FortiClient subscriptions
  4. HTTPS deep inspection enabled for traffic analysis
FortiOS Version ZTNA Features EMS Compatibility
7.0.x Basic tagging, TCP proxy 7.0+
7.2.x HTTP/2 support, SAML tags 7.2+
7.4.x AI anomaly detection, IoT tagging 7.4+

Pro Tip: Always test configurations in a non-production environment first. Mismatched versions between FortiGate and EMS cause 73% of initial deployment failures according to Fortinet TAC reports.

Enable certificate inspection under Security Profiles > SSL/SSH Inspection and verify Fortinet’s ZTNA prerequisites are met. For complex environments, consider enterprise firewall solutions consulting.

Configuring ZTNA tags and device posture checks

ZTNA tags act as dynamic security labels. Follow these steps to create them:

  1. Navigate to Security Fabric > Zero Trust Tags
  2. Create new tags (e.g., “Encrypted_Disk”, “Updated_AV”)
  3. Define criteria via FortiClient EMS checks:
    • OS version requirements
    • Disk encryption status
    • Firewall enabled status
  4. Set refresh intervals (recommended: 15 minutes)

Example: A tag for compliant Windows devices might require:

  • Windows 10/11 Enterprise
  • BitLocker enabled
  • FortiClient version 7.0.7+

Tags automatically propagate to devices via EMS. Use the CLI command diagnose test application ztna 3 to verify tag synchronization. According to NIST SP 1800-35, automated posture checks reduce configuration drift by 89%.

Setting up ZTNA rules and access control

Transform tags into enforcement policies with these steps:

  1. Create ZTNA access proxy under Policy & Objects > ZTNA
  2. Map applications to virtual server IPs (e.g., 10.10.1.100:443 for HR app)
  3. In firewall policies:
    • Set source as “ZTNA Device Tag” instead of IP ranges
    • Add multiple tags for layered access (e.g., “Finance_Dept” AND “Encrypted_Disk”)
  4. Enable logging with ztna-policy-match for auditing

Critical setting: Under “ZTNA Matching Criteria”, set failure action to “deny access” rather than “temporary bypass”. This enforces strict Zero Trust Network Access principles. Test policies using FortiGate’s built-in simulator before deployment.

Best practices and troubleshooting common issues

Optimize your ZTNA deployment with these enterprise-grade strategies:

  • Tag hierarchy: Create parent/child tags (e.g., “Location_Office” > “Engineering_Dept”)
  • Failure scenarios: Configure captive portals for non-compliant devices with remediation steps
  • Performance: Limit tags to 15 per device in high-scale environments (>5,000 endpoints)

Common troubleshooting scenarios:

Issue Diagnosis Command Solution
Tags not applying diagnose debug application ztna -1 Verify EMS-FortiGate certificate trust
Access denials diagnose firewall ztna list Check tag refresh intervals
Performance lag get system performance status Reduce concurrent posture checks

For complex deployments, reference network security best practices documentation. Monitor tag compliance weekly through FortiAnalyzer reports.

Frequently asked questions

Does ZTNA replace VPNs on FortiGate?

Not entirely. ZTNA excels for application-specific access, while VPNs remain better for full-network tunneling. Most enterprises run both concurrently, with 68% migrating 50-80% of VPN users to ZTNA within 18 months according to Gartner.

How often do ZTNA tags update?

By default, tags refresh every 30 minutes. Critical tags (like antivirus status) can be set to 5-minute intervals. Adjust via EMS Console > Posture > Refresh Policy. Note: Frequent updates increase CPU load by 15-20%.

Can I use ZTNA without FortiClient EMS?

Limited functionality exists using MAC-based tags, but full posture checking requires EMS. Without EMS, you lose 90% of Zero Trust Network Access benefits like encryption validation and patch compliance checks.

What happens when endpoints lose connectivity to EMS?

Configure grace periods in ZTNA rules (default: 60 minutes). During outages, cached tags remain valid. After grace period expiration, access automatically revokes – a critical failsafe missing in traditional VPNs.

Conclusion

Implementing Zero Trust Network Access on FortiGate transforms static network perimeters into dynamic, identity-aware security zones. By mastering ZTNA tags, posture verification, and policy mapping, you’ll significantly reduce lateral movement risks while enabling secure remote access. Remember: successful ZTNA requires continuous validation – not just during initial connection. Start with pilot groups using the step-by-step configurations outlined, monitor your tag compliance metrics weekly, and gradually expand to critical applications. For complex enterprise deployments, leverage expert Fortinet consulting to accelerate your Zero Trust journey while avoiding common pitfalls. Your firewall is now a trust broker, not just a gatekeeper.