FortiGate ZTNA · FortiSASE · Per-App Access · Zero Trust

Replace Legacy VPN with Zero Trust Network Access

Migrate from SSL/IPSec VPN to FortiGate ZTNA or FortiSASE. Per-application tunnels, identity and posture verification, no lateral movement risk. Deployed by NSE7-certified Fortinet engineers.


Why Legacy VPN Is a Security Liability

SSL VPN and IPSec VPN were designed for a different era — when 10% of your workforce was remote and 90% of applications ran on-premises. They authenticate once at the tunnel level and then grant broad network access.

Once inside the VPN tunnel, a compromised user or device can move laterally across your entire network. There is no per-application access control, no continuous posture verification, and no way to limit blast radius.

VPN concentrators are also performance bottlenecks. When your entire remote workforce tunnels traffic through a single appliance, latency spikes and bandwidth constraints degrade user experience and productivity.

  • Implicit Trust — Full Network Access After Auth
  • Lateral Movement — No Micro-Segmentation
  • Performance Bottleneck at VPN Concentrator
  • Split-Tunnel Exposes Corp Network

ZTNA Architecture — How It Works

Identity Verification

Every access request verifies user identity through SAML/OIDC integration with your IdP (Entra ID, Okta, FortiAuthenticator). MFA is enforced per session, not just at tunnel setup.

Device Posture Check

FortiClient EMS continuously validates device posture — OS patches, AV/EDR status, disk encryption, firewall, domain join, and custom checks. Non-compliant devices are blocked or given limited access.

Per-Application Tunnels

ZTNA creates encrypted micro-tunnels to specific applications only. No network-level access. No lateral movement. Users can only reach the applications they are authorised for — nothing else.

FortiGate ZTNA vs FortiSASE ZTNA

FortiGate ZTNA (On-Prem Proxy)

Your FortiGate acts as the ZTNA access proxy. Applications behind the FortiGate are published as ZTNA destinations.

  • No additional infrastructure — uses existing FortiGate
  • Ideal for on-premises applications
  • ZTNA rules in FortiGate firewall policy
  • Supports both agent and agentless modes
  • Integrated with FortiOS security fabric
  • Low latency for on-prem application access

Best for: Organisations with significant on-prem infrastructure and existing FortiGate deployment.

FortiSASE ZTNA (Cloud-Delivered)

The ZTNA gateway runs in Fortinet's global cloud PoPs. Users connect to the nearest PoP for optimal performance.

  • Cloud-delivered — no on-prem gateway needed
  • Global PoPs for low-latency access worldwide
  • Integrated SWG, CASB, and FWaaS
  • Ideal for distributed/remote workforces
  • Thin edge or FortiExtender for branch offices
  • Unified management via FortiSASE portal

Best for: Cloud-first organisations with distributed workforce and cloud-hosted applications.

FortiClient EMS — The ZTNA Agent

Posture Assessment

Continuous checks — OS version, AV status, disk encryption, firewall, domain join, certificate validity, and custom rules.

Encrypted Tunnels

Per-application HTTPS tunnels. Traffic is encrypted end-to-end. No network-level tunnel — only application-specific connections.

Multi-Platform

Supports Windows, macOS, Linux, iOS, and Android. Centrally managed via FortiClient EMS console. Deployable via Intune, SCCM, or GPO.

Fabric Integration

Shares telemetry with FortiGate, FortiAnalyzer, and FortiSIEM. Posture tags drive dynamic firewall policies across the Security Fabric.

Phased Migration — Coexist, Expand, Complete

1. Coexist (Weeks 1-3)

  • Deploy FortiClient EMS alongside existing VPN client
  • Configure ZTNA access proxy on FortiGate or FortiSASE
  • Onboard 5-10 pilot applications to ZTNA
  • Pilot group of 20-50 users tests ZTNA access
  • VPN remains active for all other applications
  • Monitor and tune posture check rules

2. Expand (Weeks 4-8)

  • Migrate all critical applications to ZTNA
  • Expand user base to all departments
  • Configure ZTNA tags and posture profiles
  • Set up agentless ZTNA for web applications
  • Integrate with IdP for SSO + MFA
  • Document application access policies

3. Complete (Weeks 9-12)

  • Migrate remaining legacy applications
  • Disable VPN for all users
  • Decommission VPN concentrator or reallocate
  • Enable advanced posture checks (EDR telemetry)
  • Continuous compliance monitoring dashboards
  • Handover to operations team with runbooks

VPN vs ZTNA — Head to Head

Why ZTNA is the clear successor to legacy VPN

Capability        Legacy VPN                            ZTNA
Access model      Network-level                         Per-application
Trust model       Implicit (once authenticated)         Continuous verification
Device posture    Login-time only (if any)              Continuous real-time
Lateral movement  Possible (full network)               Impossible (app-only)
Performance       Concentrator bottleneck               Direct-to-app tunnels
User experience   Full tunnel / split tunnel trade-off  Seamless per-app access

Application Tagging & Posture Profiles

ZTNA Tags

FortiClient EMS assigns posture tags to devices based on compliance rules. FortiGate ZTNA policies reference these tags.

  • Compliant — all posture checks pass
  • Warning — minor issues (e.g., pending patches)
  • Non-Compliant — critical posture failures
  • Unmanaged — no FortiClient agent (agentless mode only)

Posture Check Rules

Customisable posture rules determine device compliance before and during application access.

  • OS version and patch level (minimum version required)
  • Antivirus/EDR running and up-to-date
  • Disk encryption enabled (BitLocker/FileVault)
  • Host firewall enabled
  • Valid device certificate from corporate CA
  • Custom software presence checks
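The tag assignment and per-application policy logic described in the ZTNA Tags and Posture Check Rules sections above, modelled as an added Python example (not FortiClient EMS or FortiOS code): the four tag names are the page's, while the OS version threshold, signature-age limit, application names and IdP groups are constructed assumptions. It also re-evaluates a session snapshot by snapshot to show how a mid-session posture failure revokes access.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Posture:
    """One posture snapshot as reported by the endpoint agent (constructed model)."""
    agent_present: bool
    os_version: str
    av_running: bool
    av_sig_age_days: int
    disk_encrypted: bool
    firewall_on: bool
    cert_valid: bool
    pending_patches: int

MIN_OS_VERSION = (10, 0, 19041)  # minimum accepted OS build (constructed value)
MAX_SIG_AGE_DAYS = 7             # AV signatures older than this downgrade to Warning

def assign_tag(p: Posture) -> str:
    """Map a snapshot to one of the page's four tags: Unmanaged, Non-Compliant, Warning, Compliant."""
    if not p.agent_present:
        return "Unmanaged"            # no agent: only agentless policies can admit it
    os_ok = tuple(int(x) for x in p.os_version.split(".")) >= MIN_OS_VERSION
    if not (os_ok and p.av_running and p.disk_encrypted and p.firewall_on and p.cert_valid):
        return "Non-Compliant"        # any critical check failing is a hard block
    if p.pending_patches > 0 or p.av_sig_age_days > MAX_SIG_AGE_DAYS:
        return "Warning"              # minor issues: limited access only
    return "Compliant"

# Per-application policy: tags allowed to reach the app plus the IdP group required (constructed).
APP_POLICY = {
    "hr-portal":     ({"Compliant"}, "hr-staff"),
    "wiki":          ({"Compliant", "Warning"}, "employees"),
    "vendor-portal": ({"Compliant", "Warning", "Unmanaged"}, "contractors"),  # agentless browser mode
}

def decide(app: str, user_groups: set, p: Posture) -> tuple:
    """Evaluate one request: IdP group AND posture tag must both pass. Returns (allowed, tag)."""
    tag = assign_tag(p)
    allowed_tags, required_group = APP_POLICY[app]
    return (required_group in user_groups and tag in allowed_tags), tag

def session_timeline(app: str, user_groups: set, snapshots: list) -> list:
    """Re-run decide() on every snapshot; a failing check mid-session revokes access at once."""
    return [decide(app, user_groups, s) for s in snapshots]

# Constructed sample: a compliant laptop whose host firewall is switched off mid-session, then restored.
LAPTOP = Posture(True, "10.0.19045", True, 1, True, True, True, 0)
SAMPLE_SESSION = session_timeline("hr-portal", {"employees", "hr-staff"},
                                  [LAPTOP, replace(LAPTOP, firewall_on=False), LAPTOP])
```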

Why Choose Ogma for ZTNA Migration

NSE7-Certified Fortinet Engineers

Our engineers hold NSE7 certifications and deploy FortiGate ZTNA and FortiSASE for enterprises across India. They bring deep expertise in the ZTNA access proxy, FortiClient EMS, and Security Fabric integration.

Authorised Fortinet Partner

As an authorised Fortinet reseller, we provide FortiGate hardware, FortiClient EMS licenses, and FortiSASE subscriptions at competitive pricing with full warranty and support.

Phased Migration — No Downtime

Our coexist-expand-complete approach means VPN and ZTNA run in parallel. Users never lose access. Applications are migrated one at a time with validation at every step.

Security Validation (VA + BAS)

After ZTNA deployment, we validate the configuration with vulnerability assessment and breach & attack simulation. We prove that lateral movement is blocked and that the ZTNA policies enforce least-privilege access.

Frequently Asked Questions

What is ZTNA?

ZTNA is a security model that provides per-application access based on user identity and device posture — not network-level connectivity. Unlike a VPN, which grants access to an entire network segment, ZTNA creates secure tunnels to specific applications only. Each access request is verified individually: who is the user, what device are they on, does it meet security requirements, and are they authorised to access this specific application.

Why is legacy VPN a security liability?

Legacy VPN operates on implicit trust — once authenticated, users get broad network access. This enables lateral movement if credentials are compromised. Split-tunnel configurations expose the corporate network through the user's home network. Full-tunnel VPN creates performance bottlenecks by routing all traffic through the VPN concentrator. VPN also lacks per-session posture checks — a device that was compliant during VPN setup may become non-compliant during the session.

Can ZTNA coexist with our existing VPN?

Yes, and this is our recommended approach. We deploy ZTNA alongside your existing VPN infrastructure. New applications and high-security apps move to ZTNA first while legacy apps continue on VPN. Users gradually transition as applications are onboarded to ZTNA. This eliminates the risk of a big-bang cutover and lets you validate ZTNA for each application before decommissioning VPN.

What is the difference between FortiGate ZTNA and FortiSASE ZTNA?

FortiGate ZTNA is an on-premises proxy mode — the FortiGate acts as the ZTNA gateway for applications behind it. It is best for organisations with significant on-prem infrastructure. FortiSASE ZTNA is cloud-delivered — the ZTNA gateway runs in Fortinet's cloud PoPs. It is best for organisations with distributed workforces and cloud-hosted applications. Both use FortiClient EMS as the endpoint agent.

Do we need an agent on every endpoint?

Yes, for agent-based ZTNA the FortiClient agent, managed by FortiClient EMS, is required on endpoints. The agent performs device posture checks (OS version, antivirus status, disk encryption, certificate validity) and establishes encrypted tunnels to specific applications. FortiClient supports Windows, macOS, Linux, iOS, and Android. The agent is lightweight and integrates with your existing endpoint management (Intune, SCCM).

What posture checks does FortiClient EMS perform?

FortiClient EMS performs continuous posture assessment, including OS version and patch level, running antivirus and EDR status, disk encryption enabled, firewall enabled, valid device certificate, domain join status, and custom checks (specific software installed, registry keys). If a device falls out of compliance mid-session, access can be revoked or restricted in real time.

Can web applications use ZTNA without an agent?

Web applications can use ZTNA in agentless mode through a ZTNA access proxy. Users authenticate via a browser, and the FortiGate or FortiSASE proxy validates identity and basic posture before granting access. No agent is required. This is ideal for contractor access, BYOD devices, and SaaS applications that need an additional layer of access control.

How long does a ZTNA migration take?

A typical migration takes 8-12 weeks for organisations with 20-50 applications. Phase 1 (pilot with 5-10 apps) takes 2-3 weeks. Phase 2 (expand to all critical apps) takes 4-6 weeks. Phase 3 (legacy app migration and VPN decommission) takes 2-3 weeks. The timeline depends on application complexity, number of users, and the extent of posture check customisation required.

Ready to Replace Legacy VPN with Zero Trust?

Get a free ZTNA readiness assessment. We audit your current VPN, inventory your applications, and deliver a phased migration plan — no obligation.
