Fortinet white logo
Fortinet white logo

EMS Administration Guide

Wildcard support for ZTNA FQDN rules

Wildcard support for ZTNA FQDN rules

This feature requires FortiOS 7.2.2 or a later version.

This example uses external browser-based SAML authentication for the zero trust network access (ZTNA) policy. This configuration requires the following:

  • A Fortinet Security Fabric connector is established between FortiOS and EMS.
  • FortiOS ZTNA settings are configured.
  • FortiClient is registered to EMS

In the example topology, the EMS IP address is 172.17.60.8. The FortiGate acts as an access proxy, with virtual IP address 172.17.60.19 and port 8445. You can use one of the following methods to configure a ZTNA rule that supports wildcard FQDNs:

  • Configuring a ZTNA rule in EMS
  • Configuring FortiClient to pull SaaS application information from FortiOS
To configure a ZTNA rule for an FQDN in wildcard format using method 1:
  1. In EMS, go to Fabric & Connectors > ZTNA Applications Catalog.
  2. Click Add. Configure the following:
    1. Select Wildcard FQDN.
    2. Enter *.dropbox.com.
    3. Select Port, then enter 443.
    4. Beside the Select Gateways dropdown list, click Add Gateway.
    5. In the Address and Port fields, enter the FortiGate IP address and port. In this example, the value is 172.17.60.19:8445.
    6. Configure other fields as desired.
    7. Click Finish.
  3. Go to Endpoint Profiles > ZTNA Destinations.

  4. Select an existing profile or create a new one.

  5. Under Rules, click Add.

  6. Click Create.

  7. Select the destination that you configured. Click Finish.

  8. On an endpoint with the profile applied, attempt to access Dropbox in a browser. The browser displays a SAML authentication prompt. Provide the appropriate credentials to proceed to access Dropbox.

  9. To troubleshoot this configuration, you can view the ZTNA debug log file (fortitcs_1.log) to confirm that all traffic requests to *.dropbox.com, such as to aem.dropbox.com or consent.dropbox.com, go through the ZTNA tunnel. You can also use the log to verify that FortiClient handles the request to *.dropbox.com.

Consider that it may be difficult to configure all URLs embedded in a website, such as *.dropbox.com.

To configure a ZTNA rule for an FQDN in wildcard format using method 2:

For this method, you do not need to configure a ZTNA rule as in the previous method. This method assumes that SSH and RDP TCP forwarding are configured on the FortiGate and continue to work. FortiClient pulls SSH and RDP rules from the FortiGate based on the EMS portal settings mapped to the FortiGate virtual access proxy server.

FortiClient actively queries FortiGate for ZTNA setting changes every 30 seconds and pulls changes as needed.

Configure the following in the FortiOS CLI:

config firewall access-proxy

edit "ZTNA-tcp-server"

set vip "ZTNA-tcp-server"

set auth-portal enable

config api-gateway

edit 5

set url-map "/saas"

set service saas

set application "dropbox"

next

end

next

end

On the endpoint, clear the browser cache and FortiClient SAML cookies, then attempt to access Dropbox. The browser displays a SAML authentication prompt. Provide the appropriate credentials to proceed to access Dropbox.

To troubleshoot this configuration, you can view the ZTNA debug log file (fortitcs_1_111.log). FortiClient prints all related FQDNs for a defined application, in this case dropbox.com, and all related URLs contained in the website based on the ICDB signature to the ZTNA debug log. The ICDB signature file is in the FortiClient installation directory vir_sig\icdb in JSON format. FortiClient reads the related parts from the ICDB signature file-based SaaS/application settings in FortiOS and updates them if there are updates on the FortiOS side.

In this configuration, FortiClient depends on ICDB signatures being updated properly. In the case, FortiClient automatically and dynamically updates and refreshes the FQDNs if there are any changes in the SaaS applications as defined in FortiOS. FortiClient also pulls SSH/RDP/SMBA settings and specific FQDNs including rules using wildcard formats from FortiOS, if available.

Wildcard support for ZTNA FQDN rules

Wildcard support for ZTNA FQDN rules

This feature requires FortiOS 7.2.2 or a later version.

This example uses external browser-based SAML authentication for the zero trust network access (ZTNA) policy. This configuration requires the following:

  • A Fortinet Security Fabric connector is established between FortiOS and EMS.
  • FortiOS ZTNA settings are configured.
  • FortiClient is registered to EMS

In the example topology, the EMS IP address is 172.17.60.8. The FortiGate acts as an access proxy, with virtual IP address 172.17.60.19 and port 8445. You can use one of the following methods to configure a ZTNA rule that supports wildcard FQDNs:

  • Configuring a ZTNA rule in EMS
  • Configuring FortiClient to pull SaaS application information from FortiOS
To configure a ZTNA rule for an FQDN in wildcard format using method 1:
  1. In EMS, go to Fabric & Connectors > ZTNA Applications Catalog.
  2. Click Add. Configure the following:
    1. Select Wildcard FQDN.
    2. Enter *.dropbox.com.
    3. Select Port, then enter 443.
    4. Beside the Select Gateways dropdown list, click Add Gateway.
    5. In the Address and Port fields, enter the FortiGate IP address and port. In this example, the value is 172.17.60.19:8445.
    6. Configure other fields as desired.
    7. Click Finish.
  3. Go to Endpoint Profiles > ZTNA Destinations.

  4. Select an existing profile or create a new one.

  5. Under Rules, click Add.

  6. Click Create.

  7. Select the destination that you configured. Click Finish.

  8. On an endpoint with the profile applied, attempt to access Dropbox in a browser. The browser displays a SAML authentication prompt. Provide the appropriate credentials to proceed to access Dropbox.

  9. To troubleshoot this configuration, you can view the ZTNA debug log file (fortitcs_1.log) to confirm that all traffic requests to *.dropbox.com, such as to aem.dropbox.com or consent.dropbox.com, go through the ZTNA tunnel. You can also use the log to verify that FortiClient handles the request to *.dropbox.com.

Consider that it may be difficult to configure all URLs embedded in a website, such as *.dropbox.com.

To configure a ZTNA rule for an FQDN in wildcard format using method 2:

For this method, you do not need to configure a ZTNA rule as in the previous method. This method assumes that SSH and RDP TCP forwarding are configured on the FortiGate and continue to work. FortiClient pulls SSH and RDP rules from the FortiGate based on the EMS portal settings mapped to the FortiGate virtual access proxy server.

FortiClient actively queries FortiGate for ZTNA setting changes every 30 seconds and pulls changes as needed.

Configure the following in the FortiOS CLI:

config firewall access-proxy

edit "ZTNA-tcp-server"

set vip "ZTNA-tcp-server"

set auth-portal enable

config api-gateway

edit 5

set url-map "/saas"

set service saas

set application "dropbox"

next

end

next

end

On the endpoint, clear the browser cache and FortiClient SAML cookies, then attempt to access Dropbox. The browser displays a SAML authentication prompt. Provide the appropriate credentials to proceed to access Dropbox.

To troubleshoot this configuration, you can view the ZTNA debug log file (fortitcs_1_111.log). FortiClient prints all related FQDNs for a defined application, in this case dropbox.com, and all related URLs contained in the website based on the ICDB signature to the ZTNA debug log. The ICDB signature file is in the FortiClient installation directory vir_sig\icdb in JSON format. FortiClient reads the related parts from the ICDB signature file-based SaaS/application settings in FortiOS and updates them if there are updates on the FortiOS side.

In this configuration, FortiClient depends on ICDB signatures being updated properly. In the case, FortiClient automatically and dynamically updates and refreshes the FQDNs if there are any changes in the SaaS applications as defined in FortiOS. FortiClient also pulls SSH/RDP/SMBA settings and specific FQDNs including rules using wildcard formats from FortiOS, if available.