Zero Trust Access – Fortinet vs Palo Alto

Now that Zero Trust Access is such a buzzword in the IT security field, it’s good to know just what it is. Learn more about the basics here. Now, we are going to compare Fortinet’s approach to ZTNA with Palo Alto’s.

Fortinet and Palo Alto Networks are both major IT security innovators and leaders in the market for them. Now the network security industry is moving into Zero Trust Access and Fortinet and Palo Alto Networks are both vying for leadership in this new area of security.

What is Zero Trust Access?

It is important to note that ZTA (or ZTNA) is a concept or capability rather than a specific product. Several IT, networking and security suppliers implement ZTA in different ways. Over time, they will implement ZTA to replace aging VPN infrastructure and as part of an overall Secure Access Service Edge architecture.

ZTA is a product or service that creates an identity/context-based, logical access boundary around applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. This broker verifies the identity, context and policy adherence of the specified participants before allowing access to them. They also prohibit lateral movement in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.

Simply put, ZTA solutions default to deny. They provide only the access the user has been explicitly granted. It is important to understand the security gaps and benefits ZTA can provide as more remote users join the network. This is unlike VPNs, which grant complete access by default.

In short, ZTA requires strong, regular authentication and authorization of devices and users.


Fortinet has a large line of products and services, but they started with hardware firewalls, called FortiGate. The company’s advantage comes from its design for the FortiGate firewall. It has a custom-designed architecture that speeds up data processing. The entire FortiGate family slots together into what it calls the Fortinet Security Fabric.

Now, Fortinet has moved into edge services, which center on a cloud-based firewall. This took them one step closer to ZTA. The edge services offered include a Firewall-as-a-Service, a secure web gateway, A SASE system, network access control, a secure SD-WAN, DDoS protection, a cloud access security broker, cloud workload security, cloud security posture management, email security, a SIEM, and load balancing.

These services can be implemented on the cloud or a FortiGate appliance. They all combine well because they involve processing data as it passes across the boundary of a network. Fortinet’s ZTA system is created through a combination of services.

Fortinet’s ZTA solution is an add-on for the FortiGate firewall. The group of services that make up Fortinet ZTA includes FortiSASE Secure access system, which provides a secure web gateway. It also includes FortiClient Endpoint agent. This provides secure connections and controlled access to the Fabric. Then there’s FortiAuthenticator, which is an identity and access management service that creates a single sign-on environment. FortiNAC Network access control protects communications with IoT devices and can also be used to secure BYOD access.

These services slot together via FortiClient, which locks the remote devices of WFH employees into the FortiSASE system. Essentially, this is a VPN.

Palo Alto

Palo Alto uses the cloud for its main delivery model. However, it also offers its firewall software as a virtual or a physical appliance. The firewall is still Palo Alto’s main product. But they have branched out to offer edge services that can be offered in combination with the firewall.

They offer a SASE, an SD-WAN system, and a Firewall-as-a-Service package. Thy also offer a secure web gateway, cloud workload protection, cloud security posture management, and a cloud access security broker. They have so many modules available that several different package combinations will assemble a ZTA strategy.

Palo Alto groups its ZTA systems under the umbrella, Zero Trust Enterprise. Each of these products is available individually. The Palo Alto list of services is quite long and there is a degree of overlap between its products. This means that there are several paths to assembling a Zero Trust system with Palo Alto products.

Palo Alto recommends different combinations of products depending on what type of system you want to protect. The paths available are Zero Trust for Users, Zero Trust for Applications, and Zero Trust for Infrastructure. For the sake of simplicity and ease-of-comparison, you could condense things down to two services. These are: Prisma Access SASE system that connects sites, integrates remote devices, and can also be used to protect IoT and BYOD devices

And Enterprise IAM, which is not delivered by Palo Alto but is your existing access rights manager. It will likely be either Active Directory or Open LDAP.

Prisma Access combines an SD-WAN for inter-site and site-to-cloud connection protection, a cloud-based firewall to protect traffic outside the WAN, a secure web gateway to manage the inclusion of remote computers of WFH employees, and a next-gen CASB to provide authentication services into SaaS systems.


Neither company specifically offers a ZTA product. You will assemble it from their respective offerings.

With Fortinet, you would order a FortiGate and add on FortiSASE, Fortinet ZTNA, FortiNAC, and FortiAuthenticator. FortiClient is a free download that you get access to with the FortiSASE. The FortiGate will be delivered with all of the ordered products pre-loaded.

Palo Alto can coordinate with your existing access rights management system to manage access control. It also enhances that for SaaS access through the CASB element in Prisma Access. Palo Alto presents a range of solutions, but just getting the Prisma Access system will provide you with a ZTA service. You can buy the Prisma Access system pre-loaded onto a PA-series firewall or just subscribe to the cloud-hosted version.

Both Fortinet and Palo Alto have impeccable reputations in the IT Network Security field. Palo Alto is known for being pricey, but their Prisma Access offers a very simple, basically one-stop ZTA solution.

The one big drawback for Prisma Access is its lack of an integrated access rights manager. But, unless you are provisioning your system from scratch, you probably already have an identity and access manager, such as Active Directory.

These are can’t miss options, and Corporate Armor would be happy to answer your questions and make either one a simple, secure process for your organization. Just reach out to us here, or call 877-449-0458.

What Zero Trust Network Access does

Controls whether network traffic is allowed to flow based on policy
Treats policy as dynamic in real time
Defaults to blocking all traffic
Allows a traffic flow only when a policy explicitly allows it
Verifies the identities of all parties to a network flow before allowing it
Verifies, as best it can, that endpoints are still secure