Business & Technology

Why FortiClient Delivers Better ZTNA

By Peter Newton | January 04, 2023

Recently, IT executives from a major technology company paid a visit to the Fortinet corporate offices in Sunnyvale, California. As is typical for prospective customers or partners, the visitors were given demonstrations of our products and solutions in action at our executive briefing center (EBC).

Because our visitors use a competitor’s product, they naturally compared experiences with their existing cybersecurity against ours. Happily, we all learned a few things from the exchange of information. As we laid out our architecture for our EBC visitors, one important revelation came to the forefront that we all agreed upon: FortiClient enables the seamless deployment, operation, and architecture of zero-trust network access (ZTNA).

While customers may be purchasing FortiClient for its Universal ZTNA capability, there are additional features that make FortiClient a very powerful solution—and significantly stronger than other ZTNA offerings on the market.

VPN and ZTNA in a Single Agent

One capability that deserves attention when weighing the solution's benefits is that FortiClient is both a VPN agent and a ZTNA agent. The Fortinet ZTNA architecture mirrors the VPN infrastructure. That matters because companies frequently adopt ZTNA to improve their remote-access posture, and many are moving from a VPN network to a ZTNA network.

Having both capabilities in a single agent simplifies the IT team's work in several ways. First, there is less complexity: staff only need to deploy and manage one agent. Second, a customer that starts with VPN-only remote access can move application coverage over to ZTNA one application at a time, using VPN for whatever access requirements remain. Throughout the deployment, the organization shifts to ZTNA through a controlled, careful, and straightforward transition.

A Smooth Transition from VPN to ZTNA

There are no significant changes within the architecture. Fortinet uses the same basic model for both VPN and ZTNA: an agent connecting back to an on-premises or cloud-based concentrator. As each application moves over, users access it through the ZTNA process instead of the VPN process. If something goes wrong with ZTNA for a given application, it is simple to roll that application back to the VPN path, iron out the problem, and then continue the migration.

Making a smooth transition from VPN to ZTNA with FortiClient keeps the company productive and ensures that this evolution to a better security posture and a better architecture does not keep the company from meeting its goals, nor endanger the jobs or reputations of the IT decision-makers who approved it.

Additional Capabilities: URL Filtering

The combined VPN and ZTNA agent on a shared architecture is one big FortiClient advantage, but the solution has additional capabilities. A key one is the ability to enforce URL filtering policy on the endpoint itself, even when the device is not on the corporate network. This is a basic FortiClient attribute: it gives the CISO or CIO the ability to enforce company policy on a managed device wherever that device is.

Competitor ZTNA solutions are typically cloud-centric: all traffic from the endpoint is pushed to a cloud service to be processed, sorted, and handled there. With FortiClient, the agent does some of that processing locally, which reduces the traffic that actually goes to the cloud; only traffic that needs further handling is forwarded. URL filtering at the endpoint therefore improves performance, because the cloud only has to deal with a subset of the traffic rather than having everything funneled through a SASE POP.
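To make the "decide locally, forward only the remainder" idea concrete, here is an added illustration written for this page; it is not FortiClient code and does not describe how FortiClient implements its filter. The domain lists, cached verdicts, and sample requests are constructed, and the three-way outcome (allow, block, or forward to a cloud inspection service) is an assumption about how such an agent would be structured. It also shows the host-normalization steps an endpoint filter needs so that case, trailing dots, internationalized names, and the `user@host` trick do not slip past a plain string comparison.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit
import ipaddress

# Added illustration, not FortiClient code. Models an endpoint agent that
# applies URL policy locally first and forwards only undecided requests to a
# cloud inspection service. All lists and sample requests below are constructed.

BLOCKED_DOMAINS: Set[str] = {"malware.example", "phishing-login.example"}  # hypothetical
ALLOWED_DOMAINS: Set[str] = {"intranet.corp.example", "sso.corp.example"}   # hypothetical
CACHED_VERDICTS: Dict[str, str] = {"cdn.example": "allow"}  # earlier cloud verdicts kept on device (hypothetical)


@dataclass
class Decision:
    url: str
    host: str
    action: str   # "allow" | "block" | "forward" (forward = hand off to cloud inspection)
    reason: str


def normalize_host(url: str) -> Optional[str]:
    """Canonical hostname for list matching. urlsplit().hostname already lowercases
    and drops userinfo and port, which defeats "https://trusted@evil.example/";
    the trailing dot and IDNA form are folded so lists compare like with like."""
    host = urlsplit(url).hostname
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")  # "tést.example" -> "xn--tst-bma.example"
    except UnicodeError:
        return None


def suffix_match(host: str, table) -> Optional[str]:
    """Return the entry matching host or any parent domain, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def evaluate(url: str) -> Decision:
    host = normalize_host(url)
    if host is None:
        return Decision(url, "", "block", "unparseable host")
    hit = suffix_match(host, BLOCKED_DOMAINS)
    if hit:
        return Decision(url, host, "block", f"blocked domain {hit}")
    hit = suffix_match(host, ALLOWED_DOMAINS)
    if hit:
        return Decision(url, host, "allow", f"allowed domain {hit}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # A bare IP sidesteps name-based lists, so it always goes to the cloud.
        return Decision(url, host, "forward", "IP literal bypasses name lists")
    hit = suffix_match(host, CACHED_VERDICTS)
    if hit:
        return Decision(url, host, CACHED_VERDICTS[hit], f"cached cloud verdict for {hit}")
    return Decision(url, host, "forward", "no local verdict")


def evaluate_all(urls: List[str]) -> Dict[str, int]:
    """Decide each request locally and count how many still need the cloud."""
    counts = {"allow": 0, "block": 0, "forward": 0}
    for d in map(evaluate, urls):
        counts[d.action] += 1
    return counts


# Constructed sample of endpoint requests (not real traffic)
SAMPLE_REQUESTS = [
    "https://intranet.corp.example/wiki",                          # allow, local list
    "https://MALWARE.example./payload.bin",                         # block despite case and trailing dot
    "https://intranet.corp.example@phishing-login.example/login",  # block: userinfo trick
    "https://www.phishing-login.example/reset",                    # block: subdomain of listed domain
    "https://cdn.example/lib.js",                                  # allow from cached verdict
    "https://news.example/story",                                  # forward to cloud
    "http://203.0.113.9/",                                         # forward: bare IP
]

if __name__ == "__main__":
    for d in map(evaluate, SAMPLE_REQUESTS):
        print(f"{d.action:8} {d.host:28} {d.reason}")
    print(evaluate_all(SAMPLE_REQUESTS))
```

Of the seven constructed requests, five are settled on the device and only two reach the cloud, which is the traffic-reduction effect the paragraph describes. The ordering matters: block lists are consulted before allow lists so that a subdomain of a blocked zone cannot be rescued by a broader allow entry, and IP literals are never trusted on the strength of a name list.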

Additional Capabilities: Encrypted Tunnels

Another capability within FortiClient is the encryption method. FortiClient builds TLS 1.3 tunnels, versus the TLS 1.2 tunnels that most of our competitors still use. TLS is the protocol underneath what is still commonly called an SSL VPN tunnel. The difference matters because TLS 1.3 was designed in part to shorten tunnel establishment: a full TLS 1.2 handshake needs two round trips of messages between client and server before any application data can flow, and across a high-latency link that wait is noticeable.

The primary advantage TLS 1.3 offers here is a full handshake in a single round trip (and zero round trips when a session is resumed with early data), so users get connected faster. TLS 1.3 also drops the legacy cipher suites and static RSA key exchange of TLS 1.2 and makes forward secrecy mandatory, so the faster tunnel is also the more conservative one. FortiClient customers therefore get encrypted tunnels established faster, giving users quicker access to applications than competing solutions that still use TLS 1.2 tunnels. In short, FortiClient delivers a better user experience.
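The practical check a practitioner wants after reading this is whether a given gateway actually negotiates TLS 1.3 rather than quietly falling back. The following is an added example written for this page using Python's standard `ssl` module; it is not Fortinet code and makes no claim about how FortiClient is implemented. It contrasts the stdlib's default client context (which still accepts TLS 1.2) with one pinned to TLS 1.3, records the round-trip counts the paragraph is arguing about, and includes a probe you can point at your own gateway (the hostname `vpn.example.com` is a placeholder).

```python
import socket
import ssl

# Added example, not FortiClient/Fortinet code. Shows a client context that
# still accepts TLS 1.2 beside one pinned to TLS 1.3, and a probe that reports
# what a gateway really negotiates. Host/port in the probe are assumptions.


def default_context_allows_tls12() -> bool:
    """The stdlib default context is the weak baseline: it will negotiate TLS 1.2."""
    ctx = ssl.create_default_context()
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1_2


def tls13_only_context() -> ssl.SSLContext:
    """Hardened client context: certificate verification stays on, and anything
    below TLS 1.3 is refused at handshake time instead of being negotiated down."""
    if not ssl.HAS_TLSv1_3:
        raise RuntimeError("the linked OpenSSL build lacks TLS 1.3")
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def is_tls13_only(ctx: ssl.SSLContext) -> bool:
    return ctx.minimum_version == ssl.TLSVersion.TLSv1_3 == ctx.maximum_version


def handshake_round_trips(version: str, resumed: bool = False) -> int:
    """Round trips spent inside the TLS handshake (the TCP handshake is extra).
    Full TLS 1.2 costs 2, full TLS 1.3 costs 1. A resumed TLS 1.2 session still
    costs 1; resumed TLS 1.3 can send early data at 0, but early data is
    replayable, so only idempotent requests belong in it."""
    if version == "TLSv1.3":
        return 0 if resumed else 1
    if version == "TLSv1.2":
        return 1 if resumed else 2
    raise ValueError(f"unsupported version {version!r}")


def probe_gateway(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the TLS 1.3-only context and report what was negotiated.
    A gateway that only speaks TLS 1.2 shows up as a refused handshake."""
    ctx = tls13_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:  # subclass of OSError, so it must be caught first
        return {"ok": False, "error": f"handshake failed: {exc.reason}"}
    except OSError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # hypothetical gateway
    print("default context accepts TLS 1.2:", default_context_allows_tls12())
    print("full handshake RTTs: 1.2 =", handshake_round_trips("TLSv1.2"),
          "1.3 =", handshake_round_trips("TLSv1.3"))
    print(probe_gateway(target))
```

Run it as `python probe.py vpn.yourcompany.example` to see the negotiated protocol and cipher; a `handshake failed` result from the pinned context is the signal that the far end is still on TLS 1.2. Pinning both `minimum_version` and `maximum_version` is deliberate for a probe, whereas a production client normally sets only the minimum so it keeps working when TLS 1.4 eventually appears.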


Advantages of a Client-Initiated Approach

FortiClient and its client-initiated ZTNA architecture offer other advantages, such as having the client already installed on the user's device before the individual even tries to access an application. This differs from the cloud-initiated, browser-based model some cloud ZTNA providers use, in which users first go to a website, download a browser plug-in, go through the posture assessment and any vulnerability checks, and only then proceed to user authentication.

With the client-initiated architecture, the client is already on the device, so there is nothing to download. Because FortiClient has already assessed the state of the device, half the work is done before the user even tries to access an application. That shortens time to access: the TLS 1.3 tunnel is established quickly, and the agent, having already reported the device's state, moves directly to user authentication and the remaining checks. The client-initiated model provides faster access to applications and a better user experience.

Because FortiClient features the advantages that come with being designed on a client-initiated architecture and is both a VPN and a ZTNA agent that enables a smooth transition from one service to the other, it is a very powerful solution and significantly stronger than other ZTNA offerings on the market. To learn more about FortiClient, download the data sheet.

Learn more about how Fortinet Universal ZTNA improves secure access to applications anywhere for remote users.