FortiGate ZTNA service portal support
In FortiOS 7.2.1, the ZTNA service portal was added to allow the FortiGate to publish ZTNA services directly to FortiClients. This allows the FortiClient to retrieve the list of ZTNA services directly through the service portal without them being pushed from the FortiClient EMS.
The following demonstrates how EMS can provision a ZTNA service portal gateway list to FortiClient, consisting of the address(es) of the FortiGate access portal(s). Once FortiClient connects to a service portal gateway, it retrieves the ZTNA service list, which contains the applications being published by that FortiGate.
To configure the ZTNA service portal in FortiOS:
config firewall vip
    edit "ztna_proxy"
        set type access-proxy
        set extip 192.168.3.101
        set extintf "port2"
        set server-type https
        set extport 4443
        set ssl-certificate "Fortinet_SSL"
    next
end
config firewall access-proxy
    edit "Ztna_SaaS"
        set vip "ztna_proxy"
        set log-blocked-traffic enable
        config api-gateway
            edit 1
                set url-map "/tcp"
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "smb_rdp_servers_range"
                        set mappedport 445 3389-3390
                    next
                    edit 2
                        set address "ssh server"
                        set mappedport 22
                    next
                end
            next
            edit 2
                set url-map "saas"
                set service saas
                set application "dropbox" "zoom" "Google"
            next
        end
    next
end
config firewall proxy-policy
    edit 2
        set uuid b680d4a6-4fdc-51ed-8fd7-c6f19c3b39c5
        set name "deny"
        set proxy access-proxy
        set access-proxy "Ztna_SaaS"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_subnet1"
        set schedule "always"
        set logtraffic disable
    next
    edit 1
        set uuid 7aa5d142-45b0-51ed-1c02-b2c78813cd31
        set name "ZTNA_Rule_SaaS"
        set proxy access-proxy
        set access-proxy "Ztna_SaaS"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS1_ZTNA_subnet2"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
The FortiGate ZTNA access portal is reachable on 192.168.3.101:4443. It publishes TCP forwarding services to SMB, RDP and SSH servers, plus SaaS applications in the cloud. The proxy policies are evaluated in the order listed: policy 2 ("deny") matches endpoints carrying the ZTNA tag EMS1_ZTNA_subnet1 and has no action set, so it falls back to the default deny; policy 1 ("ZTNA_Rule_SaaS") allows endpoints carrying EMS1_ZTNA_subnet2 to reach the published services and applications. Blocked traffic is logged by the access proxy (log-blocked-traffic enable) even though policy 2 itself has logtraffic disabled.
To configure EMS to push the ZTNA access portal gateway to managed endpoints:
- In EMS, go to Endpoint Profiles > ZTNA Destinations.
- Select an existing profile and click Edit or add a new profile.
- Switch the view from Basic to XML. Click Edit to edit the XML content.
- Configure the ZTNA access portal gateway settings as follows. This example adds a second portal for demonstration purposes.
<?xml version="1.0" ?>
<forticlient_configuration>
    <ztna>
        <enabled>1</enabled>
        <allow_personal_rules>1</allow_personal_rules>
        <rules/>
        <portals>
            <portal>
                <addr>192.168.3.101:4443</addr>
                <query_interval_m>3</query_interval_m>
            </portal>
            <portal>
                <addr>172.17.80.3:8443</addr>
                <query_interval_m>3</query_interval_m>
            </portal>
        </portals>
    </ztna>
    <endpoint_control>
        <ui>
            <display_ztna>0</display_ztna>
        </ui>
    </endpoint_control>
</forticlient_configuration>
- Save the profile. EMS automatically pushes the service portal addresses to managed FortiClient endpoints.
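The EMS profile above is edited by hand in XML, and a portal address that does not match the extip:extport of a FortiGate access-proxy vip will never return a service list. The following Python is an added example for this page (not Fortinet code, and not how EMS generates the profile): it builds the forticlient_configuration XML from a list of portal addresses, parses it back, and cross-checks each portal against the vips it is supposed to reach. The FORTIGATE_VIPS table is constructed for the example; the second entry is a hypothetical FortiGate that stands in for the demonstration portal 172.17.80.3:8443. Portal addresses are assumed to be IPv4-or-hostname:port, as on this page.

```python
"""Build and sanity-check the EMS ZTNA profile XML that points FortiClient at FortiGate service portals.

Added example; it assumes only the XML layout shown on this page:
<ztna><portals><portal><addr>host:port</addr><query_interval_m>N</query_interval_m></portal>...
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample: access-proxy vips keyed by name -> (extip, extport).
# "ztna_proxy" is the vip configured on this page; "ztna_proxy_dr" is hypothetical.
FORTIGATE_VIPS = {
    "ztna_proxy": ("192.168.3.101", 4443),
    "ztna_proxy_dr": ("172.17.80.3", 8443),
}


def validate_portal_addr(addr: str) -> tuple[str, int]:
    """Split 'host:port' and reject anything FortiClient could not dial (assumed host:port form)."""
    host, sep, port_s = addr.rpartition(":")
    if not sep or not host or not port_s.isdigit():
        raise ValueError(f"portal address must be host:port, got {addr!r}")
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {addr!r}")
    return host, port


def build_ztna_profile(portals: list[str], query_interval_m: int = 3,
                       display_ztna: bool = False, allow_personal_rules: bool = True) -> str:
    """Return the forticlient_configuration XML for the given portal addresses (duplicates rejected)."""
    seen: set[str] = set()
    root = ET.Element("forticlient_configuration")
    ztna = ET.SubElement(root, "ztna")
    ET.SubElement(ztna, "enabled").text = "1"
    ET.SubElement(ztna, "allow_personal_rules").text = "1" if allow_personal_rules else "0"
    ET.SubElement(ztna, "rules")  # empty <rules/>: services are learned from the portal, not pushed
    portals_el = ET.SubElement(ztna, "portals")
    for addr in portals:
        validate_portal_addr(addr)
        if addr in seen:
            raise ValueError(f"duplicate portal {addr!r}")
        seen.add(addr)
        portal = ET.SubElement(portals_el, "portal")
        ET.SubElement(portal, "addr").text = addr
        ET.SubElement(portal, "query_interval_m").text = str(int(query_interval_m))
    ui = ET.SubElement(ET.SubElement(root, "endpoint_control"), "ui")
    ET.SubElement(ui, "display_ztna").text = "1" if display_ztna else "0"
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+; output is equivalent either way
        ET.indent(root)
    return '<?xml version="1.0" ?>\n' + ET.tostring(root, encoding="unicode")


def parse_portals(xml_text: str) -> list[tuple[str, int]]:
    """Return [(addr, query_interval_m), ...] from a profile XML, validating each address."""
    root = ET.fromstring(xml_text)
    out = []
    for p in root.iterfind("./ztna/portals/portal"):
        addr = p.findtext("addr") or ""
        validate_portal_addr(addr)
        out.append((addr, int(p.findtext("query_interval_m", default="0"))))
    return out


def check_profile_against_vips(xml_text: str, vips: dict[str, tuple[str, int]]) -> dict[str, list[str]]:
    """Cross-check the portal addresses in the EMS profile against FortiGate extip:extport pairs."""
    known = {f"{ip}:{port}" for ip, port in vips.values()}
    in_profile = {addr for addr, _ in parse_portals(xml_text)}
    return {
        "unknown_portals": sorted(in_profile - known),   # EMS points at something no vip publishes
        "unpublished_vips": sorted(known - in_profile),  # vip exists but no endpoint will query it
    }


if __name__ == "__main__":
    profile = build_ztna_profile(["192.168.3.101:4443", "172.17.80.3:8443"])
    print(profile)
    print(check_profile_against_vips(profile, FORTIGATE_VIPS))
```

Run the check against the real `config firewall vip` output before saving the profile: an entry in `unknown_portals` means FortiClient will poll an address that serves nothing, and an entry in `unpublished_vips` means a FortiGate is publishing services that no managed endpoint has been told about.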
To verify FortiClient received the service portal and retrieved a list of ZTNA services:
- On the PC, open FortiClient. On the ZTNA Destination tab, confirm that no destination has been added for the service portal or for its ZTNA services and applications.
- Open the computer's registry and go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\FA_ZTNA. The ZTNA access portal addresses are added as portal1 and portal2. When multiple portals are configured, FortiClient selects the portal with the lower latency to learn the ZTNA services.
- Using FortiClient's FortiTcs logs, verify that FortiClient retrieved the list of ZTNA services from the FortiGate service portal. This set of ZTNA rules is stored in memory and refreshed each time FortiClient queries the service portal:
{
    "vips": [
        {
            "gateways": [
                {
                    "path": "/tcp",
                    "path-pattern": "sub-string",
                    "servers": [
                        {
                            "address": {
                                "type": "ip-range",
                                "value": [
                                    { "end": "172.16.1.10", "start": "172.16.1.1" }
                                ]
                            },
                            "mappedport": [
                                { "end": "445", "start": "445" },
                                { "end": "3390", "start": "3389" }
                            ]
                        },
                        {
                            "address": {
                                "type": "ip",
                                "value": [
                                    { "ip": "172.16.1.3", "mask": "255.255.255.255" }
                                ]
                            },
                            "mappedport": [
                                { "end": "22", "start": "22" }
                            ]
                        }
                    ],
                    "type": "tcp-fwd",
                    "virtual-host": ""
                },
                {
                    "applications": [
                        { "app": "dropbox" },
                        { "app": "zoom" },
                        { "grp": "Google" }
                    ],
                    "path": "saas",
                    "path-pattern": "sub-string",
                    "type": "saas",
                    "virtual-host": ""
                }
            ],
            "vip": "192.168.3.101:4443"
        }
    ]
}
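Because the service list is learned from the FortiGate rather than pushed by EMS, the log above is the only endpoint-side record of what a portal exposes. The following Python is an added example (not Fortinet code and not FortiClient's own parser): it reads the service list in the layout shown above, flattens the tcp-fwd and saas gateways into an auditable inventory with expanded address and port ranges, and flags published ports on a watch list. The sample document is the one from the log, wrapped in a top-level object; SENSITIVE_PORTS is a hypothetical watch list chosen for the example.

```python
"""Inventory the ZTNA service list FortiClient learns from a FortiGate service portal.

Added example; it assumes only the JSON layout shown above (vips -> gateways -> servers/applications).
"""
from __future__ import annotations

import ipaddress
import json

# Constructed sample: the service list from the FortiTcs log, wrapped in a top-level object.
SAMPLE_SERVICE_LIST = json.loads("""
{
  "vips": [
    {
      "gateways": [
        {
          "path": "/tcp", "path-pattern": "sub-string", "type": "tcp-fwd", "virtual-host": "",
          "servers": [
            {"address": {"type": "ip-range", "value": [{"end": "172.16.1.10", "start": "172.16.1.1"}]},
             "mappedport": [{"end": "445", "start": "445"}, {"end": "3390", "start": "3389"}]},
            {"address": {"type": "ip", "value": [{"ip": "172.16.1.3", "mask": "255.255.255.255"}]},
             "mappedport": [{"end": "22", "start": "22"}]}
          ]
        },
        {
          "applications": [{"app": "dropbox"}, {"app": "zoom"}, {"grp": "Google"}],
          "path": "saas", "path-pattern": "sub-string", "type": "saas", "virtual-host": ""
        }
      ],
      "vip": "192.168.3.101:4443"
    }
  ]
}
""")

# Hypothetical watch list of ports worth a second look when published through an access proxy.
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp"}


def expand_address(address: dict) -> list[tuple[str, int]]:
    """Return (target, host_count) pairs for an 'ip' or 'ip-range' address entry."""
    kind = address["type"]
    out = []
    for v in address["value"]:
        if kind == "ip-range":
            start, end = ipaddress.ip_address(v["start"]), ipaddress.ip_address(v["end"])
            if end < start:
                raise ValueError(f"inverted range {v}")
            out.append((f"{start}-{end}", int(end) - int(start) + 1))
        elif kind == "ip":
            net = ipaddress.ip_network(f"{v['ip']}/{v['mask']}", strict=False)
            out.append((str(net), net.num_addresses))
        else:
            raise ValueError(f"unsupported address type {kind!r}")
    return out


def expand_ports(mappedport: list[dict]) -> list[int]:
    """Expand [{start, end}, ...] (strings in the log) into a sorted list of individual ports."""
    ports: list[int] = []
    for p in mappedport:
        start, end = int(p["start"]), int(p["end"])
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"bad port range {p}")
        ports.extend(range(start, end + 1))
    return sorted(set(ports))


def inventory(service_list: dict) -> list[dict]:
    """Flatten the service list into one row per (gateway, target)."""
    rows = []
    for vip in service_list["vips"]:
        for gw in vip["gateways"]:
            base = {"vip": vip["vip"], "path": gw["path"], "type": gw["type"]}
            if gw["type"] == "tcp-fwd":
                for srv in gw["servers"]:
                    ports = expand_ports(srv["mappedport"])
                    for target, hosts in expand_address(srv["address"]):
                        rows.append({**base, "target": target, "hosts": hosts, "ports": ports})
            elif gw["type"] == "saas":
                for app in gw["applications"]:
                    name, kind = (app["app"], "app") if "app" in app else (app["grp"], "group")
                    rows.append({**base, "target": name, "kind": kind, "hosts": 0, "ports": []})
            else:  # unknown gateway type: keep the row so nothing silently disappears from the audit
                rows.append({**base, "target": "?", "hosts": 0, "ports": []})
    return rows


def sensitive_exposures(rows: list[dict]) -> list[tuple[str, int, str]]:
    """(target, port, service) for every published port that is on the watch list."""
    return [(r["target"], port, SENSITIVE_PORTS[port])
            for r in rows for port in r["ports"] if port in SENSITIVE_PORTS]


def exposure_surface(rows: list[dict]) -> int:
    """Number of reachable host:port pairs the portal publishes via TCP forwarding."""
    return sum(r["hosts"] * len(r["ports"]) for r in rows)


if __name__ == "__main__":
    rows = inventory(SAMPLE_SERVICE_LIST)
    for r in rows:
        print(f'{r["vip"]} {r["path"]:<6} {r["type"]:<8} {r["target"]:<24} {r["ports"]}')
    print("watch-list hits:", sensitive_exposures(rows))
    print("host:port pairs:", exposure_surface(rows))
```

Comparing the inventory against the intended `config firewall access-proxy` is a quick way to catch an address object that grew (the 10-host range behind smb_rdp_servers_range publishes 30 host:port pairs here) or a port range that was widened without anyone noticing on the endpoint side.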
Users can now access the ZTNA destination services and applications.