Overall is it just simpler to use individual certs with forticlient to ZTNA resources/groups? Or use something like FSSO or say an external IDP/SAML?
If I read correctly, we could use our external SAML to give further MFA to an internal resource. However, it seems somewhat redundant to me if, for instance, the user is already MFA’d on the VPN to begin with.
We’ve found sort of an essential use case for ZTNA vs. configuring and setting up traditional methods or policies, and I’m wondering if this should be the case to configure it and get it off the ground, or, if the effort is going to be the same in the long run, whether it is worth it.
The idea of dropping users or devices into a tag and then into a policy appeals to me over remembering to add X, Y and Z to another interface, or, say, you only want one VLAN to have said rule but it’s in a zone, and thus you’d have to zone the rule and then add src and dst.
But I don’t know a lot about Forti ZTNA and the level of effort vs. the older methods.
> Overall is it just simpler to use individual certs with forticlient to ZTNA resources/groups? Or use something like FSSO or say an external IDP/SAML?
Depends on your use case. What are you trying to accomplish? One of the main benefits of ZTNA with certificates is that it allows you to incorporate “device posture” to understand the state of the endpoint prior to granting access to the specific resource. If you do not require that, then there’s no need for ZTNA if you just want to grant access based on identity.
> If I read correctly, we could use our external SAML to give further MFA to an internal resource. However, it seems somewhat redundant to me if, for instance, the user is already MFA’d on the VPN to begin with.
ZTNA is to limit the amount of access a user has specifically down to the application or resource on a per session basis. With VPN, after the initial authentication/authorization, the user is free to access whatever is granted to them by policy.
> We’ve found sort of an essential use case for ZTNA vs. configuring and setting up traditional methods or policies, and I’m wondering if this should be the case to configure it and get it off the ground, or, if the effort is going to be the same in the long run, whether it is worth it.
What is the essential use case you are referring to? Ultimately, you have to decide whether or not the additional functionality added with ZTNA warrants the effort of deploying it in your environment.
> The idea of dropping users or devices into a tag and then into a policy appeals to me over remembering to add X, Y and Z to another interface, or, say, you only want one VLAN to have said rule but it’s in a zone, and thus you’d have to zone the rule and then add src and dst.
Yes, it’s a great benefit to leverage FortiClient Zero Trust tags to gain more information about the endpoint prior to connecting to the application. There’s still a bit of overhead creating the ZTNA objects for each level of access.
> But I don’t know a lot about Forti ZTNA and the level of effort vs. the older methods.
Fortinet ZTNA is well documented. A lot of the details around this are defined in the following links:
Basically, I was seeing ZTNA as a more flexible (and, in the end state, fewer man-hours) auth and access tool vs. the traditional SSL VPN and network security approach, with the caveat that it also makes it easier to put SaaS stuff behind it.
The current use case we have is: a select few (remote) users need to get access to another internal resource that the current VPN pool shouldn’t have (given it’s DHCP).
That resource then also needs other resources, which are segregated away from the bulk of other things.
So this leaves a lot of reconfiguration to do and test for a very, very small group of people, probably temporary. Then rinse and repeat for the other redundant VPNs.
Not a hard task, minus tracing the lines and double checking the security config… But a nuisance.
ZTNA was also in our projects to explore later anyway, given our drive for more SaaS and our plan for a larger cloud footprint in the upcoming years.
Piggybacking on this, can one ZTNA server with its own public IP have multiple resources with different FQDNs on the same service port? Or is it mapped 1-to-1?
Yes, one ZTNA server with its own IP address can map to different resources with different FQDNs on the exact same service port. See figure 4 in the linked blog article below:
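As an added illustration of the two points raised in this thread (putting endpoints into a posture tag that a policy consumes, and fronting several FQDNs on one ZTNA server IP and port), here is a FortiOS CLI sketch of the objects involved. This is not from the thread, the linked blog or Fortinet's documentation; the object names, IP addresses, certificate names, user group and EMS tag name are assumed placeholders, and the exact option set depends on the FortiOS release, so compare it against the CLI reference for your version.

```fortios
# Added example (not from the thread): one ZTNA access-proxy VIP on a single
# public IP and port fronting two internal apps by FQDN, gated by an EMS tag.
# Every name, address, certificate and tag below is an assumed placeholder.

# 1. The single external listener: one IP, one port (203.0.113.10:443)
config firewall vip
    edit "ZTNA-Server"
        set type access-proxy
        set extip 203.0.113.10
        set extintf "wan1"
        set server-type https
        set extport 443
        set ssl-certificate "ztna-listener-cert"
    next
end

# 2. One virtual host per FQDN; the client's TLS SNI selects the virtual host,
#    so both apps share the same IP and port without conflict
config firewall access-proxy-virtual-host
    edit "app1-vhost"
        set host "app1.example.com"
        set ssl-certificate "app1-cert"
    next
    edit "app2-vhost"
        set host "app2.example.com"
        set ssl-certificate "app2-cert"
    next
end

# 3. The access proxy maps each virtual host to its own internal real server
config firewall access-proxy
    edit "ZTNA-Proxy"
        set vip "ZTNA-Server"
        config api-gateway
            edit 1
                set virtual-host "app1-vhost"
                set service https
                config realservers
                    edit 1
                        set ip 10.10.1.10
                        set port 443
                    next
                end
            next
            edit 2
                set virtual-host "app2-vhost"
                set service https
                config realservers
                    edit 1
                        set ip 10.10.2.20
                        set port 443
                    next
                end
            next
        end
    next
end

# 4. Access is granted per session by endpoint posture tag (from FortiClient
#    EMS) plus user group, rather than by source interface or VLAN; anything
#    not matched by an accept policy is denied by the proxy
config firewall proxy-policy
    edit 1
        set name "ZTNA-Compliant-To-Apps"
        set proxy access-proxy
        set access-proxy "ZTNA-Proxy"
        set srcintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_Compliant"
        set groups "ztna-users"
        set action accept
        set logtraffic all
    next
end
```

The tag referenced in step 4 is whatever the EMS connector synchronises to the FortiGate; `EMS1_ZTNA_Compliant` is just an assumed name. Adding a third application is a matter of one more virtual host and one more api-gateway entry, while the proxy policy stays the same, which is the reduced per-resource effort the original poster was asking about; the per-access-level objects the reply mentions come in when different apps need different tags or groups, since each distinct combination needs its own proxy policy.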