Wildcard support for ZTNA FQDN rules
This feature requires FortiOS 7.2.2 or a later version.
This example uses external browser-based SAML authentication for the zero trust network access (ZTNA) policy. This configuration requires the following:
- A Security Fabric connector is established between FortiOS and EMS.
- FortiOS ZTNA settings are configured.
- FortiClient is registered to EMS
In the example topology, the EMS IP address is 172.17.60.8. The FortiGate acts as an access proxy, with virtual IP address 172.17.60.19 and port 8445. You can use one of the following methods to configure a ZTNA rule that supports wildcard FQDNs:
- Configuring a ZTNA rule in EMS
- Configuring FortiClient to pull SaaS application information from FortiOS
To configure a ZTNA rule for an FQDN in wildcard format using method 1:
- In EMS, go to Endpoint Profiles > ZTNA Destinations.
- Click Add Destination. Configure the following:
- In the Destination Host field, enter *.dropbox.com:443.
- In the Proxy Gateway field, enter the FortiGate IP address and port. In this example, the value is 172.17.60.19:8445.
- Configure other fields as desired.
- Click Save.
- Click XML.
- Confirm that the
<ztna><portals>element is empty.
- On an endpoint with the profile applied, attempt to access Dropbox in a browser. The browser displays a SAML authentication prompt. Provide the appropriate credentials to proceed to access Dropbox.
- To troubleshoot this configuration, you can view the ZTNA debug log file (fortitcs_1.log) to confirm that all traffic requests to *.dropbox.com, such as to aem.dropbox.com or consent.dropbox.com, go through the ZTNA tunnel. You can also use the log to verify that FortiClient handles the request to *.dropbox.com.
Consider that it may be difficult to configure all URLs embedded in a website, such as *.dropbox.com.
To configure a ZTNA rule for an FQDN in wildcard format using method 2:
For this method, you do not need to configure a ZTNA rule as in the previous method. This method assumes that SSH and RDP TCP forwarding are configured on the FortiGate and continue to work. FortiClient pulls SSH and RDP rules from the FortiGate based on the EMS portal settings mapped to the FortiGate virtual access proxy server.
FortiClient actively queries FortiGate for ZTNA setting changes every 30 seconds, and pulls changes as needed.
Configure the following in the FortiOS CLI:
config firewall access-proxy
set vip "ZTNA-tcp-server"
set auth-portal enable
set url-map "/saas"
set service saas
set application "dropbox"
On the endpoint, clear the browser cache and FortiClient SAML cookies, then attempt to access Dropbox. The browser displays a SAML authentication prompt. Provide the appropriate credentials to proceed to access Dropbox.
To troubleshoot this configuration, you can view the ZTNA debug log file (fortitcs_1_111.log). FortiClient prints all related FQDNs for a defined application, in this case dropbox.com, and all related URLs contained in the website based on the ICDB signature to the ZTNA debug log. The ICDB signature file is in the FortiClient installation directory vir_sig\icdb in JSON format. FortiClient reads the related parts from the ICDB signature file-based SaaS/application settings in FortiOS and updates them if there are updates on the FortiOS side.
In this configuration, FortiClient depends on ICDB signatures being updated properly. In the case, FortiClient automatically and dynamically updates and refreshes the FQDNs if there are any changes in the SaaS applications as defined in FortiOS. FortiClient also pulls SSH/RDP/SMBA settings and specific FQDNs including rules using wildcard formats from FortiOS, if available.