Hi Alex, Really appreciate for your explanation, could you please confirm where 208.59.51.196 this was configured? was it NATTED Public IP of the FGT wan?

Good video, but it would be helpful if you described why you were making those additional changes on the CLI. Fortinet is goofy and not always straight forward, so you have to explain why you're doing things, otherwise you're just another demo video.

Tkx Alex!! This video saved me today!

FortiClient is the worst VPN Client I have ever used. It constantly crashes. Just try telling them that though and they'll block you.

Is it possible to use SSO with ZTNA destinations? I mean not to type again the user/pass when establishing the RDP connection.

Quite useful, appreciate the content

Bro love your videos. Could you provide me training session ?

Had conversation with Fortinet. They said that 2.4Ghz is recommended for backhaul as it travels better the 5Ghz. Specially through objects and structure. They found that majority of APs in a Mesh configuration are in different rooms/areas and rare that they are in same open space. As users are connecting in same space to 1 of the APs then don't have to worry about going through walls as an example has worked out better. After change we notice better performance for sure on non cabled APs using mesh. Again it would depend on situation... A house with drywall instead of concreate filled block walls in office spaces probably better to go opposite or something like large venue halls, gyms definitely want to go backplane on 5Ghz.

If we add ztna tag in sase for spa using sdwan, and then user moved to on-premise (on-net), how ztna will work in this scenario?

Hey Alex have you set SASE up with ZTNA? I am trying to get it setup.

I did the same, but my status is offline. Directly the router is working good. Can you help me? Thanks in advance

can you a fortiswitch behind the leaf AP and authorize it?

Great job Alex! 🎉

Nice.. but at 33:33, you said bridge mode does not use capwap? Isn't the fortiap itself managed by capwap to begin with? This is the security fabric connection checkbox that must be enabled on the fortigate interface that the ap connects to in order to be authorized. Formerly known as capwap in older fgt os.

How do I setup a remote FortiAP

Hey, how do I setup a remote fortiAP

Have a nice day! Mr Alex. Could you help to share the topology in this video ? ( Fortinet and Meraki MX ). Thank you so much.

Nice brother, i really used this case in my lab, and it works perfect. :)

Could you please do a video on FortiLAN FortiSwitch? Like how to configure, apply VLAN interface IP with gateway, etc.

on the deployment network, what is the deploy monitor IP?

Can i use the same tunel for fortisase and the spokes?

What are the pre-requiesties for this configuration?

One of this was “simplified.” Clearly needed more rehearsing and constantly talked over each other. Also, way way way too long. Simple = better.

Good job Alex! This is a very good introduction to ZTNA and EMS.

What settings do you have for long distance mesh?

Thank you

Cool, learned something new, thank you

how do you make them statics? cant see this in any the settings so dumb vs cisco meraki

I've set up 2 FortiAPs via FortiCloud. However, after a few days, clients connected to the second AP are unable to access the internet. Both APs are connected to the same network. Can you please provide any suggestions to resolve this issue?

Great video! Thank you very much.

Did you pre-configure the 'ZTNA Destinations' in FortiClient before configuring the 'ZTNA Destination' in FC-EMS? That's a step you don't show, and my destinations from EMS aren't synchronized to FortiClient. Thanks, E

Thank you for a great video!

Thanks for the video Alex...I have few doubts, the connection from the forticlient to fortigate to access ZTNA server is through the SSL VPN only right, you told that the packet will be wrapped in Https and send to fortigate, getting confused 😕....One more doubt is that the ZTNA rules will be applied after decrypting the SSL packet right, in this case the normal firewall policy will not be applied after decryption????

very interesting video! Nicely done

If a computer does not have Forticlient, how can I prevent it from connecting to my network?

Does it work for other use cases beside RDP for example certain system based user account is used for powershell or other protocol access to corp server?

Lets say, currently, there is one big trust envoirnment that has all items user needs and users use forticlient to connect back using ipsec vpn. and channel all traffic back in including internet, which then gets inspected via security profiles using only one primary fortigate corporate firewall. Isnt this doing the exact same thing?

Thanks for the video Alex but just to point out that on prem EMS is an app on a windows server and not a VM image.

Is the FortiClient Cloud/EMS a subscription based service?

Thanks for your sharing. I have a question, Is the ZTNA function helpful for on-net users?

Nicely done! I am a network engineer at an enterprise company, and we have Meraki at all the plant locations but have FortiGate in the cloud. I personally dislike Meraki for multiple reasons. Hoping to move to Fortinet in the future. Meraki is great for an SMB, but not enterprise.

Hi. You mentioned Proxy IP is your wan interface IP which is setup on VIP. then what IP you are using on ZTNA server? please explain a bit.

Hi. Do I need to put my on-prem EMS server on DMZ and allow port? Because when I am going off fabric the forticlient shows disconnected.

Thanks for the video, it did help, but I had to contact Fortigate because the tunnel would not come up. It turned out that the Fortigate was advertising the FQDN and not the public IP. We had to enter the command "set localid-type address" and then both ends came up.

is there a way to setup ZTNA just on a fortigate without EMS and such?

Great demo. you rock

great !!!!!

How do ZTNA rules interact with regular firewall policy?

Is there any configuration needed in the firewall policy? I followed the steps, but I am unable to RDP to my server using the local IP address.

I was wondering - we have a Meraki Mesh ( Auto hub ) of 6 units in various states. Got the Fortigate to establish a tunnel from one of the Merakis in the mesh, but how would you go about creating the rest of the tunnels on the fortigate side, any tricks because we have tried duplicating what is working for the first, and no dice every time.