GUI support for configuring ZTNA portals and SaaS applications in ZTNA Destination profiles 7.2.1
EMS includes the following GUI enhancements in ZTNA Destinations profiles:
- New Portals section where you can add zero trust network access (ZTNA) portal details
- EMS downloads a list of supported software-as-a-service (SaaS) applications from FortiGuard. When you configure ZTNA destination rules, you can select the desired applications from this list, which provides cloud access security broker (CASB) support for them.
To configure a ZTNA portal in EMS:
- Go to Endpoint Profiles > ZTNA Destinations.
- Create a new profile or select the desired profile.
- Enable Portals.
- Click Add.
- In the Add New Portal dialog, in the Gateway field, enter the gateway FortiGate IP address and port in <IP address>:<port> format. Configure other fields as desired.
- Click Save.
After FortiClient receives the profile changes from EMS, you can confirm that the endpoint registry lists portal details and that FortiClient learns ZTNA destination rules from the FortiGate service portal.
To configure a SaaS application in a ZTNA Destination profile:
- Go to Endpoint Profiles > ZTNA Destinations.
- Under Destinations, add a gateway.
- Configure gateway details as desired, then click Next.
- Configure private applications as desired, then click Next.
- Search for and select the desired SaaS applications. Click Finish.
After FortiClient receives the profile updates from EMS, it shows the rules on the ZTNA Destination tab.
- To test this configuration, access Dropbox from the endpoint. The connection should succeed, and the FortiGate should log the session against the SaaS rule.
- To view the logs in FortiOS, do one of the following:
  - Go to Log & Report > ZTNA Traffic.
  - In the CLI, run the following commands:
    execute log filter field accessproxy ZTNA_1
    execute log display
The following shows the expected output:
327 logs found.
10 logs returned.
1: date=2023-04-10 time=12:37:40 eventtime=1681155460324139872 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=172.17.81.142 srcport=54187 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=157.240.3.35 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=164175186 service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="f09a2dca-a29a-51ed-417a-46b4c7e41670" policyname="external_rule" duration=3 gatewayid=2 vip="ZTNA_1" accessproxy="ZTNA_1" clientdeviceid="40EA01AB6CEC4C9CA42D8679049F10C7" clientdevicemanageable="manageable" saasname="dropbox" clientdevicetags="MAC_EMS3_ZTNA_ems_connected/MAC_EMS3_ZTNA_all_registered_clients/EMS3_ZTNA_all_registered_clients/EMS3_ZTNA_ems_connected" emsconnection="online" wanin=2969 rcvdbyte=2969 wanout=1410 lanin=3406 sentbyte=3406 lanout=4919 fctuid="40EA01AB6CEC4C9CA42D8679049F10C7" appcat="unscanned"
This example assumes that FortiOS was configured as follows:
config firewall vip
    edit "ztna_proxy"
        set uuid 572e53be-7040-51ed-7532-69d18034798c
        set type access-proxy
        set extip 172.17.80.207
        set extintf "port1"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end
config firewall access-proxy
    edit "Ztna_1"
        set vip "ztna_proxy"
        set auth-portal enable
        set log-blocked-traffic enable
        config api-gateway
            edit 1
                set url-map "saas"
                set service saas
                set application "dropbox" "google"
            next
        end
    next
end
config firewall proxy-policy
    edit 3
        set name "external_rule"
        set proxy access-proxy
        set access-proxy "Ztna_1"
        set srcintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "EMS3_ZTNA_ems_connected"
        set action accept
        set schedule "always"
    next
end
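The ZTNA traffic record shown in the expected output is a flat key=value line, so confirming that the SaaS rule actually fired for a managed endpoint can be scripted rather than read by eye. The following Python is an added example and is not part of the EMS or FortiOS documentation: it parses FortiOS records of that shape, checks the fields that mark a healthy SaaS-rule hit (accessproxy, saasname, action, clientdevicemanageable, emsconnection, and the ztna-ems-tag the proxy-policy above matches on), and counts hits per application and action. The first sample record is the log line from the expected output; the other two records, including their addresses and field values, are constructed for illustration.

```python
"""Parse FortiOS ZTNA traffic records and verify SaaS (CASB) rule hits.
Added example; record 1 is from the page, records 2 and 3 are constructed."""
import re
from collections import Counter
from typing import Dict, List

# FortiOS logs are space-separated key=value pairs. Values are either
# double-quoted (and may then contain spaces, e.g. dstcountry="United States")
# or bare tokens without whitespace.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(record: str) -> Dict[str, str]:
    """Return the fields of one record as a dict. A leading counter such as
    '1: ' (as printed by 'execute log display') is dropped first."""
    record = re.sub(r"^\s*\d+:\s*", "", record)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(record)}


def check_saas_access(fields: Dict[str, str], expected_proxy: str = "ZTNA_1",
                      expected_saas: str = "dropbox",
                      required_tag: str = "EMS3_ZTNA_ems_connected") -> List[str]:
    """Return findings explaining why a record is NOT a clean SaaS-rule hit from
    a managed, EMS-connected endpoint. An empty list means the record looks like
    what the documented configuration should produce."""
    findings = []
    if (fields.get("type"), fields.get("subtype")) != ("traffic", "ztna"):
        findings.append("not a ZTNA traffic record")
    if fields.get("accessproxy") != expected_proxy:
        findings.append(f"accessproxy={fields.get('accessproxy')!r}, expected {expected_proxy!r}")
    if fields.get("saasname") != expected_saas:
        findings.append(f"saasname={fields.get('saasname')!r}, expected {expected_saas!r}")
    if fields.get("action") != "accept":
        findings.append(f"action={fields.get('action')!r}")
    if fields.get("clientdevicemanageable") != "manageable":
        findings.append("endpoint is not EMS-manageable")
    if fields.get("emsconnection") != "online":
        findings.append(f"emsconnection={fields.get('emsconnection')!r}")
    # clientdevicetags is a '/'-separated list; the proxy-policy only matches
    # endpoints that carry the ztna-ems-tag it names.
    if required_tag not in fields.get("clientdevicetags", "").split("/"):
        findings.append(f"required ZTNA tag {required_tag!r} missing")
    return findings


def summarize_saas(records: List[str]) -> Dict[tuple, int]:
    """Count ZTNA records per (saasname, action) for a quick CASB hit report."""
    counts = Counter()
    for rec in records:
        f = parse_fortios_log(rec)
        if f.get("subtype") == "ztna" and "saasname" in f:
            counts[(f["saasname"], f["action"])] += 1
    return dict(counts)


# Record 1: the line from the expected output on the page.
REC_ACCEPT = (
    '1: date=2023-04-10 time=12:37:40 eventtime=1681155460324139872 tz="-0700" '
    'logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" '
    'srcip=172.17.81.142 srcport=54187 srcintf="port1" srcintfrole="undefined" '
    'dstcountry="United States" srccountry="Reserved" dstip=157.240.3.35 dstport=443 '
    'dstintf="port1" dstintfrole="undefined" sessionid=164175186 service="HTTPS" '
    'proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" '
    'poluuid="f09a2dca-a29a-51ed-417a-46b4c7e41670" policyname="external_rule" '
    'duration=3 gatewayid=2 vip="ZTNA_1" accessproxy="ZTNA_1" '
    'clientdeviceid="40EA01AB6CEC4C9CA42D8679049F10C7" clientdevicemanageable="manageable" '
    'saasname="dropbox" clientdevicetags="MAC_EMS3_ZTNA_ems_connected/'
    'MAC_EMS3_ZTNA_all_registered_clients/EMS3_ZTNA_all_registered_clients/'
    'EMS3_ZTNA_ems_connected" emsconnection="online" wanin=2969 rcvdbyte=2969 '
    'wanout=1410 lanin=3406 sentbyte=3406 lanout=4919 '
    'fctuid="40EA01AB6CEC4C9CA42D8679049F10C7" appcat="unscanned"'
)
# Record 2 (constructed): a deny for an endpoint EMS cannot manage, with no tags.
REC_DENY = (
    '2: date=2023-04-10 time=12:39:02 type="traffic" subtype="ztna" level="notice" '
    'vd="root" srcip=172.17.81.150 srcport=50122 dstip=157.240.3.35 dstport=443 '
    'service="HTTPS" action="deny" policyid=2 policytype="proxy-policy" '
    'policyname="external_rule" vip="ZTNA_1" accessproxy="ZTNA_1" '
    'clientdevicemanageable="unmanageable" saasname="dropbox" clientdevicetags="" '
    'emsconnection="offline"'
)
# Record 3 (constructed): accepted access to the other application in the rule.
REC_GOOGLE = (
    '3: date=2023-04-10 time=12:41:15 type="traffic" subtype="ztna" level="notice" '
    'vd="root" srcip=172.17.81.142 srcport=54310 dstip=142.250.72.14 dstport=443 '
    'service="HTTPS" action="accept" policyid=2 policytype="proxy-policy" '
    'policyname="external_rule" vip="ZTNA_1" accessproxy="ZTNA_1" '
    'clientdevicemanageable="manageable" saasname="google" '
    'clientdevicetags="EMS3_ZTNA_all_registered_clients/EMS3_ZTNA_ems_connected" '
    'emsconnection="online"'
)

if __name__ == "__main__":
    for rec in (REC_ACCEPT, REC_DENY, REC_GOOGLE):
        f = parse_fortios_log(rec)
        print(f["srcip"], f.get("saasname"), f["action"], check_saas_access(f) or "OK")
    print(summarize_saas([REC_ACCEPT, REC_DENY, REC_GOOGLE]))
```

Feed each line of saved "execute log display" output to parse_fortios_log and run check_saas_access on the result: an empty list is the state the procedure above is meant to produce, and a non-empty list names the field that explains a failed test, for example an endpoint that is registered but does not carry the tag the proxy-policy requires.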