Panorama to ZTNA Configuration Pipeline

Data Mapping Flow: From Palo Alto Application Object to Fortinet ZTNA

1. Panorama App Object (Extracted Data): App Name, AD Access Groups, Dest IP → FQDN, Ports & Protocols
2. Fortinet EMS: Create Security Posture Tag (using imported AD Groups)
3. FortiGate (FGT 3980): Create Address Objects (FQDN), Firewall Policy (Ports/Protocols), Proxy Policy Setup, Apply Tag to Proxy

1 Panorama Discovery & Extraction

Identify the application within your existing Palo Alto Panorama setup.

  • Look under Panorama policies → Security → Pre Rules inside the cust-shared-prisenen_dg device group.
  • Extract the application data object elements:
    • AD Access Group(s)
    • Destination addresses/subnets/ranges (enrich each IP with its FQDN from DNS)
    • Ports/protocols
Transcript Insight: Apps in Panorama are often defined by IP only. Once you have the IP(s) and the restricted AD groups (e.g., the BLM QC QEM app restricted to specific Sassy groups), use nslookup or an equivalent reverse lookup to recover the FQDN.

2 Fortinet EMS Prerequisites

Prepare the Endpoint Management Server (EMS) to recognize the AD groups.

  • Ensure the AD Access Group(s) mapped from Panorama are imported.
  • Create a Security Posture Tag per Application tied to these groups.
  • The naming convention should be: App Name + All groups.
Transcript Insight: Navigate to "Endpoint Profiles" -> "Manage Domains" to import the specific AD group. Once it has synced, navigate to "Security Posture Tags" and create a new tag that ties that AD group to the application.

3 FortiGate (FGT) Objects & Firewall Policies

Define the network objects and lay the foundational firewall rules in the gateway.

  • Navigate to FGT 3980 under the EMS VDOM → Policies & Objects.
  • Create an Address Object for each FQDN and each IP, then collect them into Address Groups (keep separate entries for FQDN and IP).
  • Ensure the Firewall policy defines all required Ports/protocols manually; nothing is inferred from the Panorama rule.
Transcript Insight: Create an Address Object using the resolved FQDN. Group these logical apps into broader categories if needed, or keep them strictly 1-to-1 for restricted apps.

4 FortiGate Proxy Policy Setup

Bind the destinations and the security posture logic into a unified Proxy Policy.

  • In the Proxy policy, populate the destinations using the newly created Address Objects.
  • Add it to the DOI-Global-App-FQDNS overarching group.
  • Apply the Security Posture Tag (from EMS) to ensure restricted access.
Transcript Insight: Open the ZTNA Proxy Policy. Select the Address Object as the Destination. Apply the Security Posture Tag so that only endpoints that pass that specific tag check are allowed through.

5 EMS ZTNA Destination Finalization

Verify auto-population back to the client profiles.

  • Under Endpoint Profiles, manage the ZTNA Destinations.
  • Verify that the Destinations are auto-detected from FGT 3980.
  • Add the finalized application to the DOI Default profile.
Transcript Insight: Navigate to "Fabric Connectors" > "ZTNA Applications Catalog" in EMS. The app defined in the FortiGate proxy policy should appear here as "auto-detected". Then add it to your specific endpoint policy so that it is pushed to the FortiClient endpoints.
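The extraction and naming steps above (steps 1 to 4) as a small added script, not part of the original page or any Palo Alto/Fortinet tooling. It parses a constructed rule snippet modelled on a Panorama pre-rulebase export, enriches single host IPs with an FQDN (an assumed offline PTR table stands in for nslookup), and emits the posture tag name (App Name + All groups), separate FQDN and IP address objects, the manual port/protocol list, and the proxy policy binding; the app name, groups, IPs and FQDN are placeholders.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample, modelled on a Panorama pre-rulebase security rule export
# (placeholder app name, groups and IPs; not a rule taken from the page).
SAMPLE_RULE_XML = """<entry name="BLM-QC-QEM">
  <source-user><member>corp\\BLM-QC-Users</member><member>corp\\QEM-Admins</member></source-user>
  <destination><member>10.20.30.40</member><member>10.20.31.0/24</member></destination>
  <service><member>tcp-443</member><member>udp-1812</member></service>
</entry>"""

# Assumed PTR data so the example runs without DNS (stand-in for nslookup).
OFFLINE_PTR = {"10.20.30.40": "qem.corp.example"}

def reverse_lookup(dest, ptr_table=OFFLINE_PTR):
    """Single host IP -> FQDN; subnets and ranges keep an IP-only object."""
    if "/" in dest or "-" in dest:
        return None
    if dest in ptr_table:
        return ptr_table[dest]
    try:                                   # live PTR lookup outside the sample
        return socket.gethostbyaddr(dest)[0]
    except OSError:
        return None

def parse_service(svc):
    """'tcp-443' -> tcp/443; anything else is kept verbatim for manual entry."""
    proto, _, port = svc.partition("-")
    if proto in ("tcp", "udp") and port.isdigit():
        return {"protocol": proto, "port": int(port)}
    return {"protocol": "manual", "port": svc}

def map_rule_to_ztna(rule_xml, ptr_table=OFFLINE_PTR, group_name="DOI-Global-App-FQDNS"):
    root = ET.fromstring(rule_xml)
    app = root.get("name")
    groups = [m.text.split("\\")[-1] for m in root.findall("source-user/member")]
    tag = "_".join([app] + groups)         # naming convention: App Name + All groups
    addr_objects = []
    for dest in (m.text for m in root.findall("destination/member")):
        fqdn = reverse_lookup(dest, ptr_table)
        if fqdn:                           # FQDN and IP stay separate entries
            addr_objects.append({"name": f"{app}_FQDN_{fqdn}", "type": "fqdn", "value": fqdn})
        addr_objects.append({"name": f"{app}_IP_{dest}", "type": "ipmask", "value": dest})
    return {
        "posture_tag": tag,
        "address_objects": addr_objects,
        "firewall_services": [parse_service(m.text) for m in root.findall("service/member")],
        "proxy_policy": {"destinations": [o["name"] for o in addr_objects],
                         "address_group": group_name, "posture_tag": tag},
    }
```

Services that are not in `proto-port` form come back flagged `manual`, which matches the step 3 requirement that ports/protocols are entered by hand in the FortiGate policy.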