
Hacker's Corner: How Fortinet Ditched VPN Headaches with ZTNA

Writer: Gregory Flatt

If anyone knows cybersecurity inside and out, it’s Fortinet. As one of the top names in enterprise network security, they’ve spent decades helping organizations secure their infrastructure from evolving threats. But even the best in the business face internal challenges—especially when it comes to remote access.


During the pandemic, Fortinet employees (like many of us) relied heavily on virtual private networks (VPNs) to work from home. And while VPNs were a lifesaver at the time, they quickly became a bottleneck. As James Gu, Fortinet’s Senior Director of Information Systems, put it: “Sometimes launching the VPN in the middle of a Microsoft Teams call—say to access an ERP application—would break the connection.”


Remote users were at a disadvantage, performance was suffering, and IT teams were swamped managing access policies across multiple firewall layers. Fortinet realized it was time for a change—and that change came in the form of Zero Trust Network Access (ZTNA).


From VPN Tunnel Vision to ZTNA Clarity


The old VPN model gave users broad access once they connected, which posed security risks and performance issues. ZTNA flips the script. It assumes nothing and no one can be trusted by default. Instead of granting blanket access, ZTNA creates secure, application-specific tunnels for authorized users on verified devices.


For Fortinet, this wasn’t just a theoretical improvement—it was a tangible upgrade. Rather than buying more VPN hardware to ease bandwidth issues, they reimagined access altogether. Now, users access each internal application through its own tunnel, initiated automatically and silently in the background. And if your device doesn’t meet company standards (e.g., antivirus enabled, disk encrypted, vulnerabilities patched), access is denied—regardless of whether your login succeeded.


A Surprisingly Smooth Rollout


Despite initial concerns about complexity, Fortinet’s IT team was pleasantly surprised by how easy ZTNA was to implement—especially since they were already using components of the Fortinet Security Fabric. Their existing tools—FortiClient, FortiGate Next-Generation Firewalls, FortiAuthenticator, and FortiToken—were ready to support ZTNA with just a few configuration changes.


They didn’t need to install anything new. FortiClient already included both VPN and ZTNA agents. IT simply enabled ZTNA, used FortiClient EMS to assign access tags, and let FortiGate firewalls handle the rest. And since the ZTNA policies were tied to users—not network locations—they didn’t have to be reconfigured every time someone moved to a different office or worked from home.


Cutting Down Policy Sprawl


Previously, creating VPN access meant building firewall rules layer by layer—sometimes taking days for each application or user group. Sean Zhang, a Senior Software Engineer, explained that the global nature of Fortinet’s infrastructure made VPN policy management a huge lift: “We were creating specific policies for each of the FortiGate firewalls in each of our regions.”


ZTNA made this process way more efficient. Instead of mapping access through multiple firewalls, Fortinet created a single policy per application that applied regardless of where the user was. That meant fewer headaches for admins, faster onboarding for users, and a big drop in potential security gaps caused by outdated or overly permissive rules.


Better Access Control (Without the Hassle)


One major bonus of Fortinet’s ZTNA setup is its tight integration with Microsoft Active Directory. That means when someone’s job role changes—say they move from engineering to marketing—their application access updates automatically. No more risky situations where people keep access to systems they no longer need.


And for employees, the transition felt seamless. No new software. No retraining. FortiClient handled everything behind the scenes. Users could still fall back on VPN if needed, but most didn’t have to. ZTNA even saved them time—logging into an app directly was faster than firing up a VPN and then logging into the app separately.


Security That Doesn’t Get in the Way


Fortinet didn’t just stop at verifying user credentials. With ZTNA, they built in continuous device posture checks—ensuring that every laptop, desktop, or phone was compliant before granting access. That means checking for antivirus, patch status, disk encryption, and more. If the device didn’t pass, access was blocked—even if the user was legit.


Plus, every connection is protected with two-factor authentication using FortiToken and FortiAuthenticator. Even apps that don’t normally require MFA are now backed by that extra layer of protection, thanks to the way ZTNA wraps around them.
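As an added illustration (not Fortinet’s code and not the logic of FortiClient EMS or FortiGate), here is a simplified Python model of the access decision the sections above describe: one policy per application that ignores network location, directory-group membership for the role check, a second factor required on every connection, and device posture turned into compliance tags that must all be present before access is granted, regardless of the login. The application, group and tag names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    # Posture facts an endpoint agent would report (constructed sample fields)
    antivirus_enabled: bool
    disk_encrypted: bool
    patches_current: bool

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # directory group membership, e.g. from AD
    mfa_verified: bool         # second factor completed for this session

# One policy per application, independent of the user's network location.
# Application, group and tag names are constructed for this example.
APP_POLICIES = {
    "erp":       {"groups": {"finance", "engineering"},
                  "tags": {"av-on", "disk-encrypted", "patched"}},
    "devops-ci": {"groups": {"engineering"},
                  "tags": {"av-on", "disk-encrypted", "patched"}},
}

def posture_tags(device: Device) -> set:
    """Turn raw posture facts into compliance tags (a simplified stand-in
    for the tags an endpoint management server would assign)."""
    checks = {"av-on": device.antivirus_enabled,
              "disk-encrypted": device.disk_encrypted,
              "patched": device.patches_current}
    return {tag for tag, ok in checks.items() if ok}

def authorize(user: User, device: Device, app: str) -> tuple:
    """Per-application access decision. Returns (allowed, reason).
    Every gate must pass; a valid login alone is never enough."""
    policy = APP_POLICIES.get(app)
    if policy is None:
        return False, "unknown application"
    if not user.mfa_verified:
        return False, "second factor not verified"
    missing = policy["tags"] - posture_tags(device)
    if missing:
        return False, "device not compliant: " + ", ".join(sorted(missing))
    if not (user.groups & policy["groups"]):
        return False, "no permitted group for this application"
    return True, "allow"

if __name__ == "__main__":
    alice = User("alice", frozenset({"engineering"}), mfa_verified=True)
    print(authorize(alice, Device(True, True, True), "erp"))
    print(authorize(alice, Device(True, False, True), "erp"))
```

Moving a user between directory groups changes the outcome on the next request with no firewall rule edits, which is the behaviour the Active Directory integration above relies on.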


A VPN-less Future?


Fortinet’s internal migration started with 15 key web-based applications—especially DevOps tools critical to protecting IP. They prioritized apps that would relieve VPN bottlenecks or benefit from granular access control. The plan is to expand this to their SaaS apps like GitHub and GitLab, bringing the same ZTNA benefits to cloud workloads.


The ultimate goal? A fully VPN-less world for Fortinet employees.


As Gu put it, “We are looking forward to a totally VPN-less world for all our users, giving them an easy and secure way to connect to all those applications.”


What Can We Learn?


Fortinet’s story is a great reminder that ZTNA isn’t just for the security elite. If done right, it can simplify access, boost security, and reduce IT workload all at once. And for companies already using modern endpoint and firewall solutions, it might be just a few steps away.


ZTNA doesn’t need to be disruptive—it can be the smoothest move your security team makes.
