The recommended way to provide temporary internet access to the contractor is to use Zero Trust Network Access (ZTNA) and tag the client as an unmanaged endpoint . ZTNA ensures that only authorized users and devices can access specific resources, while treating all endpoints as untrusted by default. By tagging the contractor's device as an unmanaged endpoint, you can apply strict access controls and ensure that the contractor has limited access to only the necessary resources (e.g., the web-based POS system) without exposing the internal network to unnecessary risks.
Here's why the other options are less suitable:
A . Use FortiClient on the endpoint to manage internet access: While FortiClient provides endpoint security and management, it requires installation and configuration on the contractor's device. This may not be feasible for temporary contractors or unmanaged devices.
B . Use a proxy auto-configuration (PAC) file and provide secure web gateway (SWG) service as an explicit web proxy: While this approach can control web traffic, it does not provide the granular access control and security posture validation offered by ZTNA. Additionally, managing PAC files can be cumbersome and less secure compared to ZTNA.
D . Configure a VPN policy on FortiSASE to provide access to the internet: Using a VPN policy would grant broader access to the network, which is not ideal for a temporary contractor. It increases the risk of unauthorized access to internal resources and does not align with the principle of least privilege.
Reference:
Fortinet FCSS FortiSASE Documentation - Zero Trust Network Access (ZTNA) Use Cases FortiSASE Administration Guide - Managing Unmanaged Endpoints