
FortiClient ZTNA vs. NetBird

Looking for an alternative to FortiClient? This article compares FortiClient ZTNA with NetBird, highlighting their features, security, performance, and more.

Virtual Private Networks (VPNs) are crucial for small and medium-sized businesses (SMBs) to secure remote access and protect sensitive data. Zero trust VPNs take security a step further by verifying every user and device before granting access, regardless of location. This approach minimizes the risk of unauthorized access, making it an ideal solution for SMBs with limited IT resources.

FortiClient ZTNA is a solid choice for many organizations. This piece compares it with NetBird, a modern zero-trust peer-to-peer VPN platform. We'll explore their architectures, usability, Kubernetes support, and the features that matter for day-to-day administration, such as access control, peer management, and network route definition.

By the end of this article, you'll clearly understand both solutions, allowing you to determine if NetBird is a viable alternative to FortiClient ZTNA for your organization's specific needs. This comparison aims to provide an objective analysis, highlighting each platform's strengths and potential limitations to support your decision-making process.

TL;DR: FortiClient ZTNA and NetBird Killer Features

Open Source
FortiClient ZTNA: No, it’s a proprietary solution developed by Fortinet.
NetBird: Yes, both the client agent and the coordination server are open source.

Network Architecture
FortiClient ZTNA: Centrally managed mesh architecture (hybrid mesh), combining Fortinet’s ecosystem components: FortiClient EMS, FortiGate, and FortiClient ZTNA, among others. The VPN tunnel uses the Secure Socket Layer (SSL) VPN and IP Security (IPSec) protocols.
NetBird: Decentralized peer-to-peer (p2p) mesh architecture. Direct VPN tunnels via userspace or kernel WireGuard.

Kubernetes Support
FortiClient ZTNA: No, it's primarily focused on endpoint security and access for individual devices and users. However, FortiOS now supports private cloud K8S through a K8S SDN connector.
NetBird: Yes, using NetBird’s agent as a sidecar, a proxy, or a network router.

UI/UX and Usability
FortiClient ZTNA: Installing FortiClient ZTNA on an endpoint is easy. However, setting up the server-side components (FortiClient EMS, FortiGate, etc.) is more complex and requires networking expertise and careful planning for ZTNA policies.
NetBird: Both the endpoint agents and the coordination server (whether self-hosted or SaaS) are easy to set up and use.

Encryption
FortiClient ZTNA: All traffic, including RDP and SSH, is encrypted using an SSL VPN tunnel.
NetBird: All traffic, including RDP and SSH, is end-to-end encrypted using the WireGuard protocol.

Access Control
FortiClient ZTNA: Access control is managed through FortiGate and FortiClient EMS. FortiGate acts as the ZTNA gateway and policy enforcement point, while FortiClient EMS helps manage endpoint policies. Administrators can manage users and groups and their access permissions through integration with existing identity providers. Groups are used in ZTNA policies to assign permissions.
NetBird: Access control is done through NetBird’s admin console, which lets you create groups and policies that are easy to understand and manage. Similar to FortiClient, administrators can also use identity providers for user and group provisioning. Provisioned groups are used in access policies, with changes in the IdP automatically reflected in NetBird.

Network Routes (subnet routing)
FortiClient ZTNA: FortiGates authenticate users and devices and route traffic between secure networks and external resources, providing safe access to applications and services. The standard FortiClient ZTNA setup has no direct peer-to-peer connection between users or devices. Administrators use FortiClient EMS for endpoint management and configuration, while FortiGate ZTNA gateways are used to establish and enforce user/group access controls, routes, posture checks, and other security policies.
NetBird: NetBird uses distribution groups to automate configuration settings for peer groups, which handle routing and exit nodes automatically. This simplifies network management and configuration, improving productivity. Furthermore, since NetBird uses a p2p mesh architecture, peers connect directly to each other, improving latency, throughput, and scalability. NetBird supports high availability mode out of the box, ensuring consistent and reliable network performance. NetBird also supports DNS routing.

DNS Management
FortiClient ZTNA: FortiGate can act as a DNS server or forward DNS queries to internal DNS servers. FortiClient ZTNA supports split tunneling, allowing you to route only specific traffic through the ZTNA tunnel. You can also configure FortiGate so that devices are accessed by name instead of IP address, and set up private DNS servers.
NetBird: Allows you to access devices using their names instead of IP addresses and set up private DNS servers, using distribution groups to apply DNS settings for easier management. Additionally, NetBird supports match and search domains. NetBird also allows routing traffic for specific domains through network peers (machines).

Peer Management
FortiClient ZTNA: Peer management is a collaborative effort between FortiClient EMS and FortiGate. EMS focuses on endpoint configuration and management, while FortiGate handles network-level policies and enforcement.
NetBird: Offers automated peer configuration with groups. Besides basic information, NetBird also displays the geographical location of the connected machines, and it supports automated peer deployment with infrastructure-as-code software like Ansible, CloudFormation, or Terraform using pre-authentication setup keys.

User Authentication
FortiClient ZTNA: Supports both Single Sign-On (SSO) and Multi-Factor Authentication (MFA). FortiGate acts as the primary authentication and policy enforcement point; however, FortiAuthenticator can be used for advanced authentication scenarios.
NetBird: Out of the box, NetBird supports popular SSO providers and MFA in the free plan, and advanced identity providers from the Team plan onwards; user and group provisioning is available in the Team plan as well.

Activity Logging & Streaming
FortiClient ZTNA: Logs client-side activities and configurations, including VPN connection attempts, policy enforcement, and local security events. Logs can also be sent to FortiGate or FortiAnalyzer; the latter is optional but recommended for centralized log collection and analysis.
NetBird: Offers detailed network configuration and activity logging and can be integrated with multiple log streaming destinations, such as Datadog, AWS S3, and Firehose.

Enterprise-Level Support
FortiClient ZTNA: Yes; it varies depending on the FortiGate appliance or VM license.
NetBird: Yes, on the Enterprise plan.

EDR Integration and Posture Checks
FortiClient ZTNA: The FortiClient ZTNA agent performs local posture checks, FortiClient EMS manages the local agent's configuration and policies, FortiGate enforces access policies based on posture check results, and (optionally) FortiEDR and FortiXDR provide advanced endpoint/network detection and response capabilities.
NetBird: Supports CrowdStrike Falcon integration and different device security posture checks, such as an OS version check or a running processes check. The configuration is done using distribution groups and can be applied to different groups of machines or users. The CrowdStrike integration uses the ZTA score to allow only machines that meet a specified threshold to join the network.

Pricing Model Differences
FortiClient ZTNA: Requires a per-user or per-device license, usually managed through FortiClient EMS, for which you also require a license. You also need FortiGate appliance(s) or FortiGate VM license(s).
NetBird: Uses a SaaS model with unlimited users, with support for advanced identity providers and groups in the Team plan ($5 per user per month). Highly available routes and exit nodes are available for all plans, including the free tier. Advanced security features like posture checks and EDR integrations are available in the Business plan ($12 per user per month).

Self-Hosted Option

Both FortiClient ZTNA and its server-side components can be self-hosted. Likewise, you can self-host the NetBird coordination server on your own infrastructure.

The difference here is that the Fortinet ecosystem uses proprietary software and hardware, while NetBird is a fully open-source solution.

Network Architecture

FortiClient ZTNA uses a centrally managed hybrid mesh architecture, leveraging key components of the Fortinet ecosystem. FortiClient EMS serves as the central management platform, configuring and monitoring endpoints. FortiGate acts as the policy enforcement point and gateway, while FortiClient ZTNA software runs on endpoints.

Fortinet uses SSL VPN and IPSec protocols for VPN tunnels, providing secure encryption and flexibility. SSL VPN is a good option for web-based applications, while IPSec offers robust security for site-to-site connections. This hybrid approach allows FortiClient ZTNA to adapt to various network scenarios and security requirements.

However, while centralized management enables consistent policy application across all endpoints, the central gateway becomes a single point of failure unless the deployment is designed with redundancy.

NetBird, on the other hand, uses a decentralized peer-to-peer mesh architecture: the coordination server handles peer discovery and configuration, but day-to-day data traffic flows directly between nodes rather than through a central server. This design reduces latency and removes the bottlenecks associated with routing all traffic through a central point. Moreover, it enhances scalability and resilience, as there is no single point of failure in the data path. For encrypted communications, NetBird uses WireGuard for VPN tunnels, which can run in either userspace or kernel mode.

UI/UX and Usability

FortiClient ZTNA offers a streamlined endpoint deployment process through FortiClient EMS. Users can easily install and configure the client software on their devices, with options for silent installation and automatic updates. The intuitive client interface allows users to connect to the ZTNA network with minimal effort.

However, the server-side setup requires a steeper learning curve. Configuring FortiClient EMS and FortiGate requires networking expertise and familiarity with Fortinet's ecosystem. Administrators need to carefully plan and implement ZTNA policies, which can be complex depending on the topology and organization security requirements. The management interface, while comprehensive, may be overwhelming for those new to Fortinet products.

For its part, NetBird prioritizes simplicity in both its endpoint agent and server setup. The endpoint software installation is straightforward, with clear instructions for various operating systems. Users can typically connect to the network with just a few clicks, making it accessible even for non-technical staff. The client software ships with options for silent installation, a simple GUI that runs in the system tray, and a CLI.

Whether self-hosted or used as a SaaS solution, the coordination server features a clean, modern interface that's easy to navigate. Setting up the server requires minimal configuration, with many processes automated. NetBird's management dashboard provides a clear overview of the network and connected devices. Overall, it strikes a balance between functionality and ease of use.

A key aspect of NetBird's simplicity is its extensive use of groups. NetBird’s group-based approach streamlines various aspects of network management, from access control to configuration distribution. Moreover, it simplifies everything from applying security policies to managing DNS settings, making complex network configurations more manageable.

In short, both solutions aim to simplify the ZTNA experience, but they cater to different levels of technical expertise and organizational complexity.

Remote Network Access

FortiClient ZTNA secures remote network access by encrypting all traffic within an SSL VPN tunnel, including RDP and SSH. This approach provides a high level of security, leveraging the well-established SSL protocol. The SSL VPN offers strong encryption and is widely compatible with various network configurations and firewalls.

Likewise, NetBird encrypts all remote network access traffic but uses the WireGuard protocol, which typically offers faster connection times and lower overhead compared to traditional VPN protocols like SSL. NetBird streamlines remote access management through its integrated SSH functionality. The client agent incorporates a built-in SSH server, which works in tandem with the central coordination server to automate SSH key distribution. This approach significantly simplifies the process of managing SSH access to remote servers, making it easier to grant or revoke permissions as needed.

To enhance user convenience, NetBird also includes an embedded SSH client. This feature allows users to establish connections to remote servers using a straightforward command-line syntax. By executing netbird ssh <server>, users can quickly initiate SSH sessions to their desired destinations.

Overall, both solutions provide robust encryption for remote network access, with FortiClient ZTNA relying on the widely adopted SSL protocol and NetBird leveraging the newer, performance-oriented WireGuard protocol. The choice between them may depend on specific performance requirements and existing infrastructure compatibility.

Access Control

Access control in FortiClient ZTNA is managed through a combination of FortiGate and FortiClient EMS. FortiGate serves as the ZTNA gateway and primary policy enforcement point, allowing for granular control over network access. It can enforce policies based on user identity, device posture, application, and other contextual factors. FortiClient EMS complements this by managing endpoint policies, ensuring devices meet security requirements before gaining access. The system integrates with existing identity providers, supporting protocols like SAML and LDAP. This integration allows administrators to leverage existing user and group structures for access control. ZTNA policies can be created based on these groups, streamlining management for large organizations.

NetBird approaches access control through its admin console, focusing on simplicity and ease of management. The console allows administrators to create and manage groups and policies intuitively. That is, you can assign users to groups, and permissions are typically managed at the group level. The policy creation process in NetBird is designed to be straightforward, with a clear interface for defining who can access what resources. Administrators can create rules based on user identities, groups, and network segments. The system also supports integration with identity providers.

NetBird features user and group provisioning from popular identity providers like Google Workspace, Azure, and Okta. The provisioned groups can be used when creating access policies, simplifying the process of managing user access. Moreover, NetBird simplifies onboarding and offboarding of users by reflecting changes in the identity provider in near real-time. This ensures that access permissions are always up-to-date, enhancing security and reducing the risk of unauthorized access.

Network Routes (subnet routing)

FortiClient ZTNA's network routing is centralized through FortiGate devices, which act as authentication points and traffic routers between secure networks and external resources. This setup does not typically allow direct peer-to-peer connections between users or devices; instead, it routes all traffic through the FortiGate ZTNA gateways.

Administrators configure routing policies and access controls through FortiClient EMS and FortiGate. This allows for control over traffic flows, enabling the creation of complex routing scenarios based on user identity, device posture, and application requirements. The centralized approach facilitates security policy enforcement and traffic inspection. That is, FortiGate can be configured to handle subnet routing, allowing secure access to specific network segments based on user permissions. However, remember that reliance on central gateways may introduce additional latency.

As mentioned, NetBird employs a peer-to-peer mesh architecture for network routing, allowing direct connections between nodes where possible. This approach reduces latency and improves throughput for direct peer communications. The system uses distribution groups to automate configuration settings for peer groups, simplifying network management. Subnet routing in NetBird is handled automatically through these distribution groups, which can define routing rules and exit nodes. Additionally, NetBird supports DNS routing where appropriate, further enhancing its flexibility in network management. This automation reduces network configuration complexity, potentially improving IT teams' productivity. Moreover, the peer-to-peer nature of the network allows for greater scalability, as new nodes can be added without necessarily increasing the load on central servers.

Kubernetes Support

FortiClient ZTNA does not offer native Kubernetes support. The solution focuses on endpoint security and access control for individual devices and users rather than container orchestration environments. That said, FortiOS, the operating system on which FortiGate runs, offers a K8S SDN connector that allows updating dynamic addresses for Kubernetes.

On the other hand, NetBird provides Kubernetes support through multiple deployment options including sidecar, proxy, and network router. These deployment methods allow NetBird to integrate with Kubernetes environments, providing secure networking capabilities for containerized applications. This flexibility enables organizations to extend their zero trust networking approach to their Kubernetes infrastructure.
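The sidecar option described above, as an added illustration that is not part of the original article or the NetBird project: a Kubernetes Deployment that runs the NetBird agent next to an application container and enrolls it with a pre-authentication setup key stored in a Secret. The image name netbirdio/netbird, the NB_SETUP_KEY and NB_MANAGEMENT_URL environment variables, and the need for the NET_ADMIN capability are assumptions based on how the agent is run in containers; the application image, management URL, and setup key value are placeholders.

```yaml
# Added example (not from the article): NetBird agent as a Kubernetes sidecar.
# Assumptions: image netbirdio/netbird, env vars NB_SETUP_KEY / NB_MANAGEMENT_URL,
# and NET_ADMIN being sufficient for the agent to create its WireGuard interface.
apiVersion: v1
kind: Secret
metadata:
  name: netbird-setup-key
type: Opaque
stringData:
  # Placeholder: generate a reusable setup key in the NetBird admin console and
  # inject it from your secrets manager; never commit a real key to Git.
  setup-key: "REPLACE-WITH-NETBIRD-SETUP-KEY"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: internal-api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: internal-api
  template:
    metadata:
      labels:
        app: internal-api
    spec:
      containers:
        # The workload itself is unchanged; it only listens inside the pod.
        - name: api
          image: ghcr.io/example/internal-api:1.0   # placeholder application image
          ports:
            - containerPort: 8080
        # The sidecar shares the pod's network namespace, so the WireGuard
        # interface it creates makes port 8080 reachable from mesh peers that
        # a NetBird access policy allows, and from nothing else.
        - name: netbird
          image: netbirdio/netbird:latest
          env:
            - name: NB_SETUP_KEY
              valueFrom:
                secretKeyRef:
                  name: netbird-setup-key
                  key: setup-key
            # Only needed for a self-hosted coordination server; omit for SaaS.
            - name: NB_MANAGEMENT_URL
              value: "https://netbird.example.internal"   # placeholder
          securityContext:
            # Least privilege: grant NET_ADMIN for the tunnel interface rather
            # than running the sidecar as a privileged container.
            capabilities:
              drop: ["ALL"]
              add: ["NET_ADMIN"]
          resources:
            limits:
              memory: "128Mi"
              cpu: "100m"
```

Each new pod registers as a fresh peer with the setup key, so the key must be reusable and stale peers from replaced pods should be cleaned up from the admin console.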

DNS Management

FortiClient ZTNA provides several DNS management options through FortiGate. The system can be configured to act as a DNS server or forward queries to internal DNS servers, allowing organizations to maintain control over their DNS infrastructure. This capability is particularly useful for accessing internal resources using easier-to-remember domain names rather than IP addresses. Additionally, administrators can set up private DNS servers and manage them centrally, ensuring consistent name resolution across the organization.

NetBird also allows access to devices using their names instead of IP addresses. This feature enhances usability and reduces the need for users to remember IP addresses for network resources. It also supports setting up private DNS servers, which can be managed through distribution groups. These groups allow administrators to easily apply DNS settings across multiple nodes, streamlining the management process.

Furthermore, NetBird supports match and search domains, adding flexibility to DNS resolution. This feature allows administrators to define specific domain-matching rules and search paths, enhancing name resolution capabilities across the network. The combination of name-based access, private DNS servers, and support for match and search domains provides a robust and user-friendly DNS management solution within the NetBird ecosystem.

Peer Management

Peer management in FortiClient ZTNA is a coordinated effort between FortiClient EMS and FortiGate. As explained, FortiClient EMS handles endpoint configuration and provides capabilities for remote configuration, software distribution, and endpoint compliance checks.

FortiGate complements this by managing network-level policies and enforcement. It controls access policies, traffic routing, and security enforcement for peers connecting to the network. This two-pronged approach combines endpoint-specific controls with network-level policies. Administrators can define and enforce different policies for different peer groups, ensuring appropriate access levels and security measures for each category of user or device.

NetBird offers automated peer configuration through groups, streamlining the process of adding and managing peers in the network. Groups in NetBird allow administrators to define sets of peers that share common network configurations and access permissions. This group-based approach simplifies management tasks, especially in larger networks, by allowing bulk configuration changes and policy applications. That is, when new peers are added to a routing group, they automatically inherit the group's configurations and policies, facilitating rapid scaling and reducing the potential for configuration errors. Besides basic information, NetBird also displays the geographical location of the connected machines. NetBird supports automated deployment with infrastructure-as-code software like Ansible, Cloudformation, or Terraform through pre-authentication setup keys.

User Authentication

FortiClient ZTNA supports both Single Sign-On (SSO) and Multi-Factor Authentication (MFA). FortiGate serves as the primary authentication and policy enforcement point, handling user verification and access control. The system integrates with various identity providers, supporting protocols like SAML, LDAP, and OAuth. This allows organizations to use existing user directories and authentication systems. SSO capabilities streamline the user experience by reducing the number of separate logins required.

NetBird includes user authentication features in its free plan, offering out-of-the-box support for popular SSO providers and MFA. This allows organizations to implement secure authentication methods without additional costs. The system supports integration with well-known identity providers, enabling SSO functionality. This simplifies user access while maintaining security standards. MFA support further enhances security by requiring additional verification factors.

For organizations requiring more advanced authentication capabilities, NetBird's Team plan offers support for a wider range of identity providers. Moreover, the Team plan offers user and group provisioning features, allowing for more granular control over user access and permissions.

Notably, from the Team plan onwards, NetBird supports streamlined onboarding and offboarding processes through identity provider synchronization. This feature automatically reflects changes made in the connected identity provider, such as adding or removing users and groups, within NetBird's access management system. This synchronization ensures that access rights are always up-to-date, enhancing security and simplifying user lifecycle management for IT administrators.

Activity Logging & Streaming

FortiClient ZTNA provides client-side logging, covering various activities and configurations, including VPN connection attempts, policy enforcement, and local security events. This detailed logging allows for thorough monitoring and troubleshooting of endpoint activities. The system can be configured to send logs to FortiGate, which serves as a central collection point for network-wide logs. However, for more advanced log management and analysis, FortiAnalyzer can be integrated into the setup for centralized log collection, long-term storage, and advanced analytics.

NetBird provides detailed network configuration and activity logging. The system captures information about peer connections, policy changes, and network events, offering visibility into the network's operational state. One of NetBird's strengths is its integration capabilities with multiple log streaming destinations. It supports popular services like Datadog, AWS S3, and Amazon Kinesis Data Firehose. This flexibility allows organizations to integrate NetBird's logs into their existing log management and analysis workflows.

EDR Integration and Posture Checks

FortiClient ZTNA offers a multi-layered approach to Endpoint Detection and Response (EDR) integration and posture checks. The FortiClient ZTNA agent performs local posture checks on endpoints, assessing factors such as operating system version, patch status, antivirus definitions, and installed applications. FortiClient EMS manages the configuration and policies for local agents, allowing centralized control over posture check parameters and frequency. This centralized management enables consistent policy application across the organization. For its part, FortiGate enforces access policies based on the results of these posture checks. It can deny or restrict access for endpoints that don’t meet the defined security criteria, ensuring that only compliant devices can access network resources.

For advanced EDR capabilities, FortiEDR and FortiXDR can be integrated into the system. These optional components provide enhanced endpoint and network detection and response capabilities, offering features like real-time threat detection, automated response actions, and advanced analytics.

NetBird's Business plan and above offer advanced security features, including device approvals, device controls with Mobile Device Management (MDM), and EDR integrations. One notable integration is with CrowdStrike Falcon, allowing organizations to leverage advanced endpoint protection and EDR capabilities within their NetBird environment.

The Business plan also introduces posture checks, enhancing security by verifying device compliance before granting network access. These checks can include factors such as device health, software versions, and security configurations.

Configuration of these security features, including CrowdStrike Falcon integration and posture checks, is managed using distribution groups. This approach aligns with NetBird's overall design philosophy of simplifying network management tasks. By using distribution groups, administrators can apply settings to multiple nodes or user groups simultaneously, streamlining the process of implementing and updating security policies across the network.

Pricing Model Differences

FortiClient ZTNA uses a traditional licensing model. It requires a per-user or per-device license for FortiClient ZTNA, a license for FortiClient EMS (which in turn manages the client licenses), and FortiGate appliance(s) or FortiGate VM license(s).

This structure allows for customization based on deployment size and needs. However, it may lead to more complex cost calculations, especially for large-scale implementations. Organizations must factor in all component costs when budgeting.

NetBird employs a SaaS pricing model that offers simplicity and predictability in pricing. The inclusion of advanced features across all tiers, even the free plan, provides value at each level. This structure may appeal to organizations preferring operational expenses over capital investments.

FortiClient ZTNA vs. NetBird: Which VPN Solution is Best for Your Business?

FortiClient ZTNA offers an integrated security approach within the Fortinet ecosystem. It combines endpoint protection, centralized management, and network security appliances to create a robust zero-trust environment. This multi-layered architecture provides strong security controls but may require more complex setup and management.

NetBird, on the other hand, employs a peer-to-peer architecture with a cloud-based or self-hosted admin console. This design allows for more straightforward deployment and management, especially in cloud-native and Kubernetes environments. Its SaaS model and integrations with third-party services offer flexibility and ease of use.

The choice between FortiClient ZTNA and NetBird depends on each organization's specific needs. Businesses that are deeply invested in the Fortinet ecosystem may prefer FortiClient ZTNA. Organizations prioritizing simplicity, cloud-native integration, and minimal risk of vendor lock-in might find NetBird more suitable. Ultimately, the best solution will align with your company's infrastructure, security requirements, and operational preferences.
