config security ztna-profile
Use this command to create a ZTNA profile.
The ZTNA profile is the ZTNA policy used to enforce access control on Layer 7 HTTPS and TCPS virtual servers. A ZTNA profile consists of one or more ZTNA rules; each rule specifies the source IPs and ZTNA tags that are allowed access, and the action to take when a request matches.
After you have created a ZTNA profile, you can apply the Security ZTNA profile to a Layer 7 HTTPS or TCPS virtual server to activate ZTNA for server load balancing. Ensure the corresponding Client SSL profile is enabled for client certificate verification. For details, see config load-balance virtual-server and config load-balance client-ssl-profile.
The ZTNA profile is an integral part of the Zero Trust Network Access (ZTNA) functionality. For more information, see the FortiADC Handbook on ZTNA.
Before you begin:
- You must have registered the FortiADC device through the FortiClient EMS connector. This can be done through CLI (for details, see config endpoint-control fctems and execute fctems). However, it is recommended to configure the FortiClient EMS connector from the GUI. For more information, see the FortiADC Handbook on the FortiClient EMS Connector.
- You must have Read-Write permission for System settings.
Syntax
config security ztna-profile
edit <name>
set log {enable|disable}
config rule-list
edit <id>
set source-ip <address1> <address2> … <addressn>
set ztna-tags <tags-name1> <tags-name2> … <tags-namen>
set action {pass|deny}
next
end
next
end
Parameter          Description
log                Enable/disable logging.
config rule-list   Rules that make up the profile; each rule has the following settings.
  source-ip        Specify the source IPs (one or more address objects).
  ztna-tags        Specify the ZTNA tags that a client must carry to match the rule.
  action           Select either of the following actions:
                   pass: allow access for requests that match the rule.
                   deny: deny access for requests that match the rule.
                   The default action is deny.
Example
config security ztna-profile
edit "low-pass"
set log enable
config rule-list
edit 1
set source-ip Any
set ztna-tags FCTEMS8822003242_Low
set action pass
next
end
next
end
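Once several profiles and rules accumulate, it is worth reviewing exported configuration for rules that undermine the ZTNA posture check. The following Python script is an added example, not FortiADC code: it parses the config/edit/set/next/end block structure shown in the syntax section above into profile and rule objects, then reports profiles with logging disabled and rules that `pass` any source without requiring a ZTNA tag. The sample configuration embedded below is constructed for this example (the "low-pass" profile mirrors the page's example; the "open-any" profile and the address object names "branch-net" and "vpn-pool" are made up), and the handling of an empty source-ip as "unrestricted" is an assumption of this audit, not documented behaviour.

```python
"""Parse and audit `config security ztna-profile` blocks (added example, not FortiADC code)."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ZtnaRule:
    rule_id: str
    source_ip: List[str] = field(default_factory=list)
    ztna_tags: List[str] = field(default_factory=list)
    action: str = "deny"  # the page states deny is the default action


@dataclass
class ZtnaProfile:
    name: str
    log: str = "disable"
    rules: List[ZtnaRule] = field(default_factory=list)


# Constructed sample: "low-pass" follows the page's example; "open-any" is made up
# to show what the audit flags. Address object names are placeholders.
SAMPLE_CONFIG = """
config security ztna-profile
    edit "low-pass"
        set log enable
        config rule-list
            edit 1
                set source-ip Any
                set ztna-tags FCTEMS8822003242_Low
                set action pass
            next
        end
    next
    edit "open-any"
        set log disable
        config rule-list
            edit 1
                set source-ip Any
                set action pass
            next
            edit 2
                set source-ip branch-net vpn-pool
                set ztna-tags FCTEMS8822003242_Low
                set action deny
            next
        end
    next
end
"""


def parse_ztna_profiles(text: str) -> Dict[str, ZtnaProfile]:
    """Walk the config/edit/set/next/end nesting and collect profiles and their rules."""
    profiles: Dict[str, ZtnaProfile] = {}
    stack: List[str] = []  # open `config` sections, innermost last
    profile = None
    rule = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the quoted profile name
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
        elif kw == "edit":
            if stack[-1] == "security ztna-profile":
                profile = ZtnaProfile(name=tokens[1])
                profiles[profile.name] = profile
            elif stack[-1] == "rule-list" and profile is not None:
                rule = ZtnaRule(rule_id=tokens[1])
                profile.rules.append(rule)
        elif kw == "set":
            key, values = tokens[1], tokens[2:]
            if stack[-1] == "rule-list" and rule is not None:
                if key == "source-ip":
                    rule.source_ip = values
                elif key == "ztna-tags":
                    rule.ztna_tags = values
                elif key == "action":
                    rule.action = values[0]
            elif stack[-1] == "security ztna-profile" and profile is not None:
                if key == "log":
                    profile.log = values[0]
        elif kw == "next":
            if stack[-1] == "rule-list":
                rule = None
            else:
                profile = None
        elif kw == "end":
            stack.pop()
    return profiles


def audit(profiles: Dict[str, ZtnaProfile]) -> List[str]:
    """Return findings a reviewer would want to see for each profile."""
    findings: List[str] = []
    for p in profiles.values():
        if p.log != "enable":
            findings.append(f"{p.name}: logging is not enabled")
        for r in p.rules:
            # Assumption of this audit: no source-ip at all is treated as unrestricted.
            unrestricted_src = not r.source_ip or all(s.lower() == "any" for s in r.source_ip)
            if r.action == "pass" and unrestricted_src and not r.ztna_tags:
                findings.append(f"{p.name}/rule {r.rule_id}: pass for any source without a ZTNA tag")
    return findings


def audit_sample() -> List[str]:
    """Parse and audit the constructed sample above."""
    return audit(parse_ztna_profiles(SAMPLE_CONFIG))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run it against a saved `show security ztna-profile` output instead of `SAMPLE_CONFIG` to review a real device; a rule that passes any source with no tag defeats the client-certificate and posture checks the profile is meant to enforce, so it should be the first thing the audit surfaces.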