Fortinet

    Fortinet ZTNA: Zero Trust access on FortiGate, the right way

    TechLeague Editorial · 8 min read

    Fortinet's ZTNA isn't a separate product: it's a feature of FortiGate plus FortiClient EMS. That makes it cheap to roll out and cheaper to operate.

    Components

    • FortiClient with EMS-managed posture.
    • FortiGate as ZTNA proxy with TLS termination.
    • ZTNA tags drive policy.

    Per-app access

    • Each app gets its own DNS name and TLS cert.
    • Users authenticate per session, not per network.

    Posture

    • Antivirus status, OS patch level and disk encryption are checked continuously.
    • Quarantine on drift.

    Migration

    • Start with web apps; SSH/RDP via ZTNA TCP forwarding.
    • Decommission VPN per app, not big bang.

    Pitfalls

    • Cert lifecycle automation is mandatory.
    • Plan EMS HA early.

    Train ZTNA architecture in a TechLeague tournament.