N/A - This is a configuration question, not an error report.
What is the error message?
N/A - No error message, seeking configuration guidance.
What is the issue you’re encountering?
I would like to implement Cloudflare ZTNA and Warp to protect our web application (example.com) while maintaining our existing Fortinet firewall in the traffic flow. I’ve been advised by a consultant that using Cloudflare Access without Tunnels may not work, but I want to confirm if there’s a way to achieve both authentication and traffic protection without bypassing our firewall.
What steps have you taken to resolve the issue?
I’ve researched Cloudflare Zero Trust implementation options, consulted with our IT team, and spoken with a consultant who expressed concerns about implementing ZTNA without Tunnels.
What are the steps to reproduce the issue?
N/A - This is a configuration question about implementing Cloudflare ZTNA while maintaining specific security requirements, not a reproducible issue.
May I ask if the web application is running locally, behind Fortinet, meaning you’d have to use cloudflared tunnel in such case to have it accessible over a public hostname e.g. example.com?
In the Firewall policy, you can specify the Policy object and add Cloudflare IPs to access your local server or local IP address, or port/interface over a specific port, if so.
Therefrom, you expose it only to Cloudflare and no one else on the public Internet. Meaning, you can then proxy it with no need to use a Cloudflared tunnel.
You can also generate a Cloudflare Origin CA Certificate and install it on the local machine for your web application as well, with the Full (Strict) SSL setup.
Followed by the above, you could create a Custom WAF Rule to block access to everyone except e.g. your own public Fortinet (ISP) IP address or some other kind, if you’re using mTLS (Client Certificates) and even more.
So, at least two ways to securely expose it to the public Internet.
Safest, via cloudflared tunnel if it’s running locally.
What kind of app is it, or rather is it running only locally and you want to achieve what kind of a security here, or rather keep while running behind Fortinet?
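The firewall policy described in the reply above (only Cloudflare's edge ranges may reach the origin) is worth verifying from the origin side, since a single forgotten rule means Access and the WAF can be bypassed by connecting straight to the server. The following is an added example, not code from the thread or from Cloudflare: an offline audit over constructed connection log lines that flags any source not inside an allowlist of edge ranges. The range list here is an abbreviated, constructed sample; in practice it should be loaded from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and refreshed regularly.

```python
import ipaddress
from typing import Iterable, List

# ASSUMPTION: constructed, abbreviated sample of edge ranges. Load the live
# lists from cloudflare.com/ips-v4 and /ips-v6 in production; they change.
SAMPLE_CLOUDFLARE_RANGES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "2606:4700::/32",
]


def build_allowlist(cidrs: Iterable[str]) -> list:
    """Parse CIDR strings into network objects once, for fast membership tests."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_cloudflare_edge(src_ip: str, allowlist: list) -> bool:
    """True if src_ip (v4 or v6) falls inside any allowed edge range."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed address: never treat as allowed
    return any(addr in net for net in allowlist)


def find_bypass_connections(log_lines: Iterable[str], allowlist: list) -> List[str]:
    """Return source IPs that reached the origin without passing through Cloudflare.

    Expects one connection per line as 'src_ip dst_port' (constructed format).
    Anything not from an edge range means the firewall allowlist has a hole.
    """
    offenders = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        if not is_cloudflare_edge(parts[0], allowlist):
            offenders.append(parts[0])
    return offenders


# Constructed sample: two hits via Cloudflare's edge, one direct hit to the origin.
SAMPLE_LOG = [
    "173.245.48.10 443",
    "2606:4700:4700::1111 443",
    "203.0.113.7 443",
]

if __name__ == "__main__":
    print(find_bypass_connections(SAMPLE_LOG, build_allowlist(SAMPLE_CLOUDFLARE_RANGES)))
```

Any address reported by `find_bypass_connections` is evidence the origin is reachable directly and the Fortinet policy (or the Origin CA / mTLS layer on the server) needs tightening.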