How to Set Up a Fortinet Firewall for Zero Trust Server Security
I’m currently nursing my third coffee of the morning (which I probably should switch to water, but you know) and I keep thinking about how companies STILL screw up server security. It’s 2024 and people are still treating perimeter firewalls like it’s the 90s — put up a wall and hope for the best. That doesn’t work anymore. Enter Zero Trust, and Fortinet firewalls are one of my top three solutions for deploying it.
I’ve spent the past three months helping three different banks overhaul their Zero Trust architecture, and I can tell you the difference between before and after is like night and day. So, let’s break it down. Pay attention if you care about server security, firewall access control, or securing IT infrastructure.
What is Zero Trust?
Here’s the thing: “trust but verify” is dead. The new paradigm for cybersecurity is “trust nothing, verify everything.” A request originates from within your network? Doesn’t matter. Verify it. An employee who has been with you for 20 years? Doesn’t matter. Verify them.
Traditional security models more or less operate on the presumption that once you’re inside the network, there’s nothing to worry about. Zero Trust security turns that premise on its head and says every user and every device needs to demonstrate that it has a right to be on the network every time it tries to access something.
A quick take on what Zero Trust means:
- No implicit trust — just because a device is on the network doesn’t mean it’s safe.
- Always assume breach — attackers are inside most networks already.
- Least privilege access – users, devices, applications get only what they need, and nothing more.
And if you’re only maintaining open access policies because it’s much easier that way — well, good luck. Because it’s going to blow up in your face.
How to Implement Zero Trust with Fortinet
So, how do you actually start? Fortinet makes the best firewalls and security solutions I have seen, hands down, and they are ideal for a Zero Trust framework when configured correctly.
This is how I do it when creating Zero Trust firewall policies:
Step 1: Segment Everything
In the late 90s, when I dealt with networking over PSTN, segmentation was the least of our concerns. We just wanted things to work. Nowadays? If you don’t segment your estate properly, you’re effectively giving attackers free rein over your infrastructure.
- Logically isolate your network into multiple segments. For example:
  - Critical servers (databases, authentication)
  - Endpoints used for data entry (laptops, desktops)
  - IoT devices (if you really must have them, at least isolate them)
  - A zone for guests and external partners
Step 2: Implement Fortinet’s Implicit Deny Model
I always default to deny-all at every level and explicitly allow only the traffic I need. Nobody wants to add rules by hand — but it’s important. That’s where FortiGate comes in:
- Inspect all traffic with the FortiGate NGFW, yes, even internal traffic.
- Enable deep packet inspection (DPI) to catch abnormal traffic.
- Use Fortinet’s user identity policies: grant access based on WHO is asking, not just on an IP.
If your firewall rules are still written solely on source/destination IPs, you need to reconsider your security strategy—quickly.
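As an added example (not code from this post or from Fortinet), here is a small Python audit that parses the plain text a FortiGate prints for `show firewall policy` and flags the mistakes Steps 1 and 2 warn about: any/any accepts, accept rules keyed on IP alone with no user or group, accepts that do not log, and a missing final logged deny-all. The policy export embedded in it is constructed for the example; real exports carry more fields (interfaces, UUIDs, schedules), which the parser simply keeps as extra keys.

```python
import re
# Constructed sample in `show firewall policy` format; policy 2 is the flat "one VLAN" rule.
SAMPLE_EXPORT = """\
config firewall policy
    edit 1
        set srcaddr "net-web"
        set dstaddr "host-db01"
        set action accept
        set service "MYSQL"
        set groups "grp-app-web"
        set logtraffic all
    next
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""

def parse_policies(text):
    """One dict per `edit N` block; keys FortiOS left at default are absent."""
    policies, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"edit (\d+)$", line):
            cur = {"id": int(m.group(1))}
            policies.append(cur)
        elif cur is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            cur[m.group(1)] = m.group(2).replace('"', "")
    return policies

def audit(policies):
    """Return (policy id, finding) pairs; id 0 refers to the ruleset as a whole."""
    findings = []
    for p in policies:
        if p.get("action", "deny") != "accept":  # `show` omits defaults; default is deny
            continue
        if p.get("srcaddr") == "all" and p.get("dstaddr") == "all":
            findings.append((p["id"], "any/any accept"))
        if not (p.get("groups") or p.get("users")):
            findings.append((p["id"], "IP-only rule, no user identity"))
        if p.get("logtraffic") != "all":
            findings.append((p["id"], "accept without full logging"))
    last = policies[-1] if policies else {}
    # The built-in implicit deny does not log by default, so insist on an explicit one.
    if not (last.get("action") == "deny" and last.get("srcaddr") == "all"
            and last.get("dstaddr") == "all" and last.get("logtraffic") == "all"):
        findings.append((0, "no final logged deny-all"))
    return findings
```

Run it against your own export by pasting the CLI output into `SAMPLE_EXPORT`; an empty result means every accept rule is segmented, identity-bound and logged, with a logged deny-all closing the ruleset.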
Step 3: Force MFA on All Users
I don’t care how strong your passwords are — without MFA you’re only one phishing email away from a pwn3d network. I find at least one privileged account with no MFA in every security audit I perform. Always.
Fortinet allows you to enforce MFA via:
- FortiAuthenticator (central user identity & SSO)
- FortiToken for one-time password (OTP) authentication
- Integrations with Duo, Google Authenticator, or physical keys
Bottom line? No MFA, no access. No excuses.
Segmentation in Practice: A Bank Story
I am going to tell you a short story. One of the banks we worked with had every department on one VLAN. One misconfigured device could reach anything — customer data, payment processing, HR files. Insane.
We then segmented everything with FortiGate firewalls and implemented strict policies:
- Server micro-segmentation
  - We built application-specific perimeters (the databases don’t sit on the same network as the web app).
  - Internal systems can only talk to services the firewall permits—and that’s enforced at the firewall level.
- Role-based access
  - Developers get limited subnet access — no live queries against the database — no exceptions.
  - Finance can reach financial data only through explicit, identity-based policies.
- Zero-Trust VPN: the future of safe remote access
  - FortiClient Zero Trust blocks access from compromised endpoints.
  - No bolt-on remote access; leverage posture checks (clean OS, clean AV, no VC, etc.).
Segmentation isn’t new. It’s something people talk about all the time. But doing it, you know, well? That’s where most companies drop the ball. Don’t be one of them.
Zero Trust Deployment (PJ Networks)
Last month, my team at PJ Networks Onboarding deployed Fortinet-based Zero Trust security for three of the top banks. Before our work, their state was a complete shambles—overly permissive firewall configurations, no user identity verification, and in one instance, a single service account with full admin access to every system.
Here’s how we changed that:
- Locked down all user accounts and removed legacy permissions.
- Identity-based firewall rules that verify the user every time, even when the machine is trusted.
- Limited lateral movement, so attackers can’t spread once they get in.
- Integrated FortiSIEM for real-time threat detection—because logs are worthless if you’re not actually analyzing them.
Now? They have their networks locked down tight. The best part? Employees hardly noticed (other than some grumbling about MFA, which, you know, they’ll get used to).
Conclusion
Let me boil all of this down: Zero Trust security is not negotiable anymore. Still relying on old-school firewall access control alone to protect you? You’re rolling out the welcome mat for attackers.
Set up correctly, though, Fortinet firewalls make Zero Trust achievable. Implement strong segmentation, use identity-based policies, and trust no workload in your network. It’s the only way forward.
And if your IT team tells you, “Oh, we don’t need to worry about internal traffic,” ask them this: When was the last time you looked for internal threats? How do you know for sure that your network has not already been compromised?
Because—believe me—it likely is.