Panorama to ZTNA Configuration Pipeline

Data Mapping Flow: From Palo Alto Application Object to Fortinet ZTNA

1. Panorama App Object (Extracted Data) App Name AD Access Groups Dest IP → FQDN Ports & Protocols 2. Fortinet EMS Create Security Posture Tag (using imported AD Groups) 3. FortiGate (FGT 3980) Create Address Objects (FQDN) Firewall Policy (Ports/Protocols) Proxy Policy Setup Apply Tag to Proxy

1 Panorama Discovery & Extraction

Identify the application within your existing Palo Alto Panorama setup.

  • Look under Panorama policies Security/Pre Rules inside the cust-shared-prisenen_dg device group.
  • Extract the application data object elements:
    • AD Access Group(s)
    • Destination addresses/subnets/Range (Enrich IP with FQDN from DNS)
    • Ports/protocols
Note: Often, apps in Panorama are defined by IP. Once you find the IP and the restricted AD groups, use an nslookup or equivalent to reverse-engineer the FQDN.

2 Fortinet EMS Prerequisites

Prepare the Endpoint Management Server (EMS) to recognize the AD groups.

  • Ensure the AD Access Group(s) mapped from Panorama are imported.
  • Create a Security Posture Tag per Application tied to these groups.
  • The naming convention should be: App Name + All groups.
Note: Navigate to "Endpoint Profiles" -> "Manage Domains" to import the specific AD group. Once synced, navigate to "Security Posture Tags" to create a new tag tying that AD group to the application.

3 FortiGate (FGT) Objects & Firewall Policies

Define the network objects and lay the foundational firewall rules in the gateway.

  • Navigate to FGT 3980 under the EMS VDOM → Policies & Objects.
  • Create names for each FQDN+IP as Address groups. (Keep separate entries for FQDN and IP).
  • Ensure the Firewall policy defines all required Ports/protocols manually.
Note: Create an Address Object using the resolved FQDN. Group these logical apps into broader categories if needed, or keep them strictly 1-to-1 for restricted apps.

4 FortiGate Proxy Policy Setup

Bind the destinations and the security posture logic into a unified Proxy Policy.

  • In the Proxy policy, populate the destinations using the newly created Address Objects.
  • Add it to the DOI-Global-App-FQDNS overarching group.
  • Apply the Security Posture Tag (from EMS) to ensure restricted access.
Note: Open the ZTNA Proxy Policy. Select the Destination as the Address Object. Apply the Security Posture Tag so that only users hitting that specific tag check are allowed through.

5 EMS ZTNA Destination Finalization

Verify auto-population back to the client profiles.

  • Under Endpoints Profiles, manage the ZTNA Destinations.
  • Verify that Destinations are auto-detected from FGT 3980.
  • Add the finalized application to the DOI Default profile.
Note: Navigate to "Fabric Connectors" > "ZTNA Applications Catalog" in EMS. The app defined in the FortiGate proxy should appear here as "auto-detected". Then add it to your specific endpoint policy so it pushes to the FortiClient endpoints.