ZTNA Application Definition Flow

A visual guide to the manual order of operations for defining ZTNA applications, preparing the environment for future automation.

The Complete Workflow

Step 1: Prerequisites (Tags)

Must exist before configuring policies.

  • Posture Tags (AV, Cert, FW)
  • OS Tags (Windows, Mac)
  • Group/Bureau Tags

Step 2: EMS Configuration

Define services and grant global access.

  1. Create Gateways (Ports)
  2. Define Applications
  3. Assign to "All Apps" Profile

Step 3: FortiGate (Enforcement)

Where access control actually happens.

  1. Create Address Objects
  2. Group into Containers
  3. Build Proxy Policies

Step 2 Detailed: FortiClient EMS Setup

A. Gateways & Port Mapping

Create gateways that map the external proxy port the client connects to onto the internal port the service actually listens on.

External (Proxy)    Internal (Service)
2443                443 (HTTPS)
2022                22 (SSH)
2025                25 (SMTP, example)

Goal: eventually move to a single FQDN/URL per service to avoid duplicate entries (an application currently appears up to 4 times because each individual IP gets its own entry).

B. Applications & Profiles

  • Define the specific application.
  • Link it: Associate the application with the Gateway/Service port created in Step A.

CRITICAL RULE: Enforcement Point

Under Endpoint Profiles (ZTNA Destinations) -> DOI Default, everyone is granted access to ALL applications. EMS is not the policy enforcement point. Enforcement happens at the FortiGate proxy policy level.

Step 3 Detailed: FortiGate Proxy Policies

A. Address Objects & Containers

Create destinations on the FortiGate.

Naming Convention

Prefix by Bureau/Role (e.g., OCIO management, FAZ, FortiManager) to keep track of who needs what.

Containers (Groups)

Group related objects into logical containers. Unique one-off objects go into a general container.

IP vs. FQDN

Keep FQDN-based objects separate from IP-based objects, and build each app the way users actually reach it: "However the user is getting to it is how we want to build the apps, because that's how FortiClient will proxy them."

B. Building Proxy Policies

Append the ZTNA server configuration to the firewall policy and map the server port (e.g., 2443) to the proxy policy.

The "AND" Logic Rule

FortiGate applies AND logic to the security posture tags listed in a single policy: an endpoint must carry every one of them to match. A single policy therefore cannot require both a Windows tag AND a Mac tag, because no machine carries both.

Policy 1: Windows Users
  Tag: Win_OS + Tag: AV_On
Policy 2: Mac Users
  Tag: Mac_OS + Tag: AV_On

Result: You must build 2 proxy policy entries per application/service.
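As an added example (not part of this guide and not FortiGate or EMS code), the small Python planner below models Steps 1 to 3 as data: the tag inventory from Step 1, the gateway port mappings from Step 2, and the per-OS proxy policy expansion from Step 3. It checks two things before anything is configured: every tag a policy references was actually defined, and no policy ANDs two mutually exclusive OS tags. Tag names and gateway names are constructed placeholders; only the port numbers come from the page.

```python
from dataclasses import dataclass

# Constructed inventory standing in for the tags created in Step 1; the names are
# illustrative placeholders, not the exact tag strings EMS or FortiGate would show.
POSTURE_TAGS = {"AV_On", "Cert_Valid", "FW_On"}
OS_TAGS = {"Win_OS", "Mac_OS"}        # mutually exclusive: a host has exactly one OS
KNOWN_TAGS = POSTURE_TAGS | OS_TAGS

@dataclass(frozen=True)
class Gateway:
    name: str
    external_port: int   # port FortiClient connects to on the proxy (e.g. 2443)
    internal_port: int   # port the real service listens on (e.g. 443)

@dataclass(frozen=True)
class ProxyPolicy:
    name: str
    gateway: Gateway
    tags: frozenset      # FortiGate ANDs every tag listed here

def validate_policy(policy: ProxyPolicy) -> list:
    """Return the reasons a policy could never match, or [] if it is sound."""
    problems = []
    unknown = policy.tags - KNOWN_TAGS
    if unknown:   # prerequisite tags must exist before policies reference them
        problems.append(f"{policy.name}: tags not defined in Step 1: {sorted(unknown)}")
    os_required = policy.tags & OS_TAGS
    if len(os_required) > 1:   # AND over exclusive tags: no endpoint can satisfy it
        problems.append(f"{policy.name}: requires {sorted(os_required)} simultaneously")
    return problems

def expand_policies(app: str, gateway: Gateway, posture: set, os_tags: set) -> list:
    """Split one logical app rule into one proxy policy per OS (posture AND one OS)."""
    return [ProxyPolicy(f"{app}_{os_tag}", gateway, frozenset(posture | {os_tag}))
            for os_tag in sorted(os_tags)]

def plan(apps: dict, posture: set, os_tags: set) -> list:
    """Expand every app and fail fast if any generated policy is unsound."""
    policies = [p for app, gw in apps.items()
                for p in expand_policies(app, gw, posture, os_tags)]
    errors = [e for p in policies for e in validate_policy(p)]
    if errors:
        raise ValueError("; ".join(errors))
    return policies

if __name__ == "__main__":
    # Constructed apps using the page's port mappings (2443->443, 2022->22).
    apps = {"OCIO_HTTPS": Gateway("https-gw", 2443, 443), "OCIO_SSH": Gateway("ssh-gw", 2022, 22)}
    for p in plan(apps, {"AV_On"}, OS_TAGS):
        print(p.name, p.gateway.external_port, "->", p.gateway.internal_port, sorted(p.tags))
```

Running it prints four policies, two per application, which is exactly the "2 proxy policy entries per application/service" the AND rule forces.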