Fortinet black logo

Administration Guide

ZTNA IP MAC filtering example

ZTNA IP MAC filtering example

In this example, firewall policies in ZTNA IP/MAC filtering mode are configured that use ZTNA tags to control access between on-net devices and an internal web server. This mode does not require the use of the access proxy, and only uses ZTNA tags for access control. Traffic is passed when the FortiClient endpoint is tagged as Low risk only. Traffic is denied when the FortiClient endpoint is tagged with Malicious-File-Detected.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

Note

To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust Network Access.

To configure a Zero Trust tagging rule on the FortiClient EMS:
  1. Log in to the FortiClient EMS.

  2. Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.

  3. In the Name field, enter Malicious-File-Detected.

  4. In the Tag Endpoint As dropdown list, select Malicious-File-Detected.

    EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.

  5. Click Add Rule then configure the rule:

    1. For OS, select Windows.

    2. From the Rule Type dropdown list, select File and click the + button.

    3. Enter a file name, such as C:\virus.txt.

    4. Click Save.

  6. Click Save.

To configure a firewall policy in ZTNA IP/MAC filtering mode to block access in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Set Name to block-internal-malicious-access.

  3. Enable ZTNA and select IP/MAC filtering.

  4. Set ZTNA Tag to Malicious-File-Detected.

  5. Set Incoming Interface to default.35.

  6. Set Outgoing Interface to port3.

  7. Set Source and Destination to all.

  8. Set Service to ALL.

  9. Set Action to DENY.

  10. Enable Log Violation Traffic.

  11. Configuring the remaining settings as needed.

  12. Click OK.

To configure a firewall policy in ZTNA IP/MAC filtering mode to allow access in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Set Name to allow-internal-access.

  3. Enable ZTNA and select IP/MAC filtering.

  4. Set ZTNA Tag to Low.

  5. Set Incoming Interface to default.35.

  6. Set Outgoing Interface to port3.

  7. Set Source and Destination to all.

  8. Set Service to ALL.

  9. Set Action to ACCEPT.

  10. Enable Log Violation Traffic and set it to All Sessions.

  11. Configuring the remaining settings as needed.

  12. Click OK.

To configure a firewall policies in ZTNA IP/MAC filtering mode to block and allow access in the CLI:
config firewall policy
    edit 29
        set name "block-internal-malicious-access"
        set srcintf "default.35"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000109188_Malicious-File-Detected"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 30
        set name "allow-internal-access"
        set srcintf "default.35"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000109188_Low"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end

Testing the access to the web server from the on-net client endpoint

Access allowed:
  1. On the remote Windows PC, open FortiClient.

  2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.

  3. Open a browser and enter the address of the server.

  4. The FortiGate matches your security posture by verifying your ZTNA tag and matching the corresponding allow-internal-access firewall policy, and you are allowed access to the web server.

Access denied:
  1. On the remote Windows PC, trigger the Zero Trust Tagging Rule by creating the file in C:\virus.txt.

  2. Open a browser and enter the address of the server.

  3. FortiGate checks your security posture. Because EMS has tagged the PC with the Malicious-File-Detected tag, it matches the block-internal-malicious-access firewall policy.

  4. You are denied access to the web server.

Logs and debugs

Access allowed:
# diagnose endpoint record list
Record #1:
                IP Address = 192.168.40.8
                MAC Address = 24:b6:fd:fa:54:c1
                MAC list = 24:b6:fd:fa:54:c1;54:15:cd:3f:f8:30;9c:b7:0d:2d:5c:d1;
                VDOM = root (0)
                EMS serial number: FCTEMS0000109188
                Client cert SN: 563DA313367608678A3633E93C574F6F8BCB4A95
                Public IP address: 192.157.105.35
                Quarantined: no
                Online status: online
                Registration status: registered
                On-net status: on-net
                Gateway Interface: default.35
                FortiClient version: 7.0.0
                AVDB version: 0.0
                FortiClient app signature version: 0.0
                FortiClient vulnerability scan engine version: 2.30
                FortiClient UID: F4F3263AEBE54777A6509A8FCCDF9284
                ….
                Number of Routes: (1)
                        Gateway Route #0:
                                - IP:192.168.40.8, MAC: 24:b6:fd:fa:54:c1, Indirect: no
                                - Interface:default.35, VFID:0, SN: FGVM04TM21000144
online records: 1; offline records: 0; quarantined records: 0
# diagnose endpoint wad-comm find-by ip-vdom 192.168.40.8 root
UID: F4F3263AEBE54777A6509A8FCCDF9284
        status code:ok
        Domain:
        User: keithli
        Cert SN:563DA313367608678A3633E93C574F6F8BCB4A95
        EMS SN: FCTEMS0000109188
        Routes(1):
         - route[0]: IP=192.168.40.8, VDom=root
        Tags(2):
         - tag[0]: name=all_registered_clients
         - tag[1]: name=Low
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0000109188_all_registered_clients: ID(51)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…

FCTEMS0000109188_Low: ID(78)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…

FCTEMS0000109188_Malicious-File-Detected: ID(190)
…
# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "tags": [ "all_registered_clients", "Low" ], "user_name": "keithli", "client_cert_sn": "563DA313367608678A3633E93C574F6F8BCB4A95", "gateway_route_list": [ { "gateway_info": { "fgt_sn": "FGVM04TM21000144", "interface": "default.35", "vdom": "root" }, "route_info": [ { "ip": "192.168.40.8", "mac": "24-b6-fd-fa-54-c1", "route_type": "direct" } ] } ], "ems_sn": "FCTEMS0000109188" }
# execute log display
49 logs found.
10 logs returned.
3.5% of logs has been searched.
38: date=2021-03-28 time=23:07:38 eventtime=1616998058790134389 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.40.8 srcname="Fortinet-KeithL" srcport=51056 srcintf="default.35" srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=161585 proto=6 action="close" policyid=30 policytype="policy" poluuid="8f6ea492-9034-51eb-f197-c00d803b7489" policyname="allow-internal-access" service="HTTPS" trandisp="snat" transip=192.168.20.5 transport=51056 duration=2 sentbyte=3374 rcvdbyte=107732 sentpkt=50 rcvdpkt=80 fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli" unauthusersource="forticlient" appcat="unscanned" mastersrcmac="24:b6:fd:fa:54:c1" srcmac="24:b6:fd:fa:54:c1" srcserver=0 dstosname="Windows" dstswversion="10" masterdstmac="52:54:00:e3:4c:1a" dstmac="52:54:00:e3:4c:1a" dstserver=0
Access denied:
# diagnose endpoint wad-comm find-by ip-vdom 192.168.40.8 root
UID: F4F3263AEBE54777A6509A8FCCDF9284
        status code:ok
        Domain:
        User: keithli
        Cert SN:563DA313367608678A3633E93C574F6F8BCB4A95
        EMS SN: FCTEMS0000109188
        Routes(1):
         - route[0]: IP=192.168.40.8, VDom=root
        Tags(3):
         - tag[0]: name=Malicious-File-Detected
         - tag[1]: name=all_registered_clients
         - tag[2]: name=Low
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0000109188_all_registered_clients: ID(51)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…
FCTEMS0000109188_Low: ID(78)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…
FCTEMS0000109188_Malicious-File-Detected: ID(190)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…
# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "user_name": "keithli", "client_cert_sn": "563DA313367608678A3633E93C574F6F8BCB4A95", "gateway_route_list": [ { "gateway_info": { "fgt_sn": "FGVM04TM21000144", "interface": "default.35", "vdom": "root" }, "route_info": [ { "ip": "192.168.40.8", "mac": "24-b6-fd-fa-54-c1", "route_type": "direct" } ] } ], "ems_sn": "FCTEMS0000109188", "tags": [ "Malicious-File-Detected", "all_registered_clients", "Low" ] }
# execute log display
49 logs found.
10 logs returned.
3.5% of logs has been searched.

11: date=2021-03-28 time=23:14:41 eventtime=1616998481409744928 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.40.8 srcname="Fortinet-KeithL" srcport=51140 srcintf="default.35" srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=162808 proto=6 action="deny" policyid=29 policytype="policy" poluuid="2835666c-9034-51eb-135d-2f56e5f0f7a2" policyname="block-internal-malicious-access" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli" unauthusersource="forticlient" appcat="unscanned" crscore=30 craction=131072 crlevel="high" mastersrcmac="24:b6:fd:fa:54:c1" srcmac="24:b6:fd:fa:54:c1" srcserver=0

ZTNA IP MAC filtering example

In this example, firewall policies in ZTNA IP/MAC filtering mode are configured that use ZTNA tags to control access between on-net devices and an internal web server. This mode does not require the use of the access proxy, and only uses ZTNA tags for access control. Traffic is passed when the FortiClient endpoint is tagged as Low risk only. Traffic is denied when the FortiClient endpoint is tagged with Malicious-File-Detected.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

Note

To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust Network Access.

To configure a Zero Trust tagging rule on the FortiClient EMS:
  1. Log in to the FortiClient EMS.

  2. Go to Zero Trust Tags > Zero Trust Tagging Rules, and click Add.

  3. In the Name field, enter Malicious-File-Detected.

  4. In the Tag Endpoint As dropdown list, select Malicious-File-Detected.

    EMS uses this tag to dynamically group together endpoints that satisfy the rule, as well as any other rules that are configured to use this tag.

  5. Click Add Rule then configure the rule:

    1. For OS, select Windows.

    2. From the Rule Type dropdown list, select File and click the + button.

    3. Enter a file name, such as C:\virus.txt.

    4. Click Save.

  6. Click Save.

To configure a firewall policy in ZTNA IP/MAC filtering mode to block access in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Set Name to block-internal-malicious-access.

  3. Enable ZTNA and select IP/MAC filtering.

  4. Set ZTNA Tag to Malicious-File-Detected.

  5. Set Incoming Interface to default.35.

  6. Set Outgoing Interface to port3.

  7. Set Source and Destination to all.

  8. Set Service to ALL.

  9. Set Action to DENY.

  10. Enable Log Violation Traffic.

  11. Configuring the remaining settings as needed.

  12. Click OK.

To configure a firewall policy in ZTNA IP/MAC filtering mode to allow access in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Set Name to allow-internal-access.

  3. Enable ZTNA and select IP/MAC filtering.

  4. Set ZTNA Tag to Low.

  5. Set Incoming Interface to default.35.

  6. Set Outgoing Interface to port3.

  7. Set Source and Destination to all.

  8. Set Service to ALL.

  9. Set Action to ACCEPT.

  10. Enable Log Violation Traffic and set it to All Sessions.

  11. Configuring the remaining settings as needed.

  12. Click OK.

To configure a firewall policies in ZTNA IP/MAC filtering mode to block and allow access in the CLI:
config firewall policy
    edit 29
        set name "block-internal-malicious-access"
        set srcintf "default.35"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000109188_Malicious-File-Detected"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 30
        set name "allow-internal-access"
        set srcintf "default.35"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set ztna-status enable
        set ztna-ems-tag "FCTEMS0000109188_Low"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end

Testing the access to the web server from the on-net client endpoint

Access allowed:
  1. On the remote Windows PC, open FortiClient.

  2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.

  3. Open a browser and enter the address of the server.

  4. The FortiGate matches your security posture by verifying your ZTNA tag and matching the corresponding allow-internal-access firewall policy, and you are allowed access to the web server.

Access denied:
  1. On the remote Windows PC, trigger the Zero Trust Tagging Rule by creating the file in C:\virus.txt.

  2. Open a browser and enter the address of the server.

  3. FortiGate checks your security posture. Because EMS has tagged the PC with the Malicious-File-Detected tag, it matches the block-internal-malicious-access firewall policy.

  4. You are denied access to the web server.

Logs and debugs

Access allowed:
# diagnose endpoint record list
Record #1:
                IP Address = 192.168.40.8
                MAC Address = 24:b6:fd:fa:54:c1
                MAC list = 24:b6:fd:fa:54:c1;54:15:cd:3f:f8:30;9c:b7:0d:2d:5c:d1;
                VDOM = root (0)
                EMS serial number: FCTEMS0000109188
                Client cert SN: 563DA313367608678A3633E93C574F6F8BCB4A95
                Public IP address: 192.157.105.35
                Quarantined: no
                Online status: online
                Registration status: registered
                On-net status: on-net
                Gateway Interface: default.35
                FortiClient version: 7.0.0
                AVDB version: 0.0
                FortiClient app signature version: 0.0
                FortiClient vulnerability scan engine version: 2.30
                FortiClient UID: F4F3263AEBE54777A6509A8FCCDF9284
                ….
                Number of Routes: (1)
                        Gateway Route #0:
                                - IP:192.168.40.8, MAC: 24:b6:fd:fa:54:c1, Indirect: no
                                - Interface:default.35, VFID:0, SN: FGVM04TM21000144
online records: 1; offline records: 0; quarantined records: 0
# diagnose endpoint wad-comm find-by ip-vdom 192.168.40.8 root
UID: F4F3263AEBE54777A6509A8FCCDF9284
        status code:ok
        Domain:
        User: keithli
        Cert SN:563DA313367608678A3633E93C574F6F8BCB4A95
        EMS SN: FCTEMS0000109188
        Routes(1):
         - route[0]: IP=192.168.40.8, VDom=root
        Tags(2):
         - tag[0]: name=all_registered_clients
         - tag[1]: name=Low
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0000109188_all_registered_clients: ID(51)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…

FCTEMS0000109188_Low: ID(78)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…

FCTEMS0000109188_Malicious-File-Detected: ID(190)
…
# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "tags": [ "all_registered_clients", "Low" ], "user_name": "keithli", "client_cert_sn": "563DA313367608678A3633E93C574F6F8BCB4A95", "gateway_route_list": [ { "gateway_info": { "fgt_sn": "FGVM04TM21000144", "interface": "default.35", "vdom": "root" }, "route_info": [ { "ip": "192.168.40.8", "mac": "24-b6-fd-fa-54-c1", "route_type": "direct" } ] } ], "ems_sn": "FCTEMS0000109188" }
# execute log display
49 logs found.
10 logs returned.
3.5% of logs has been searched.
38: date=2021-03-28 time=23:07:38 eventtime=1616998058790134389 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.40.8 srcname="Fortinet-KeithL" srcport=51056 srcintf="default.35" srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=161585 proto=6 action="close" policyid=30 policytype="policy" poluuid="8f6ea492-9034-51eb-f197-c00d803b7489" policyname="allow-internal-access" service="HTTPS" trandisp="snat" transip=192.168.20.5 transport=51056 duration=2 sentbyte=3374 rcvdbyte=107732 sentpkt=50 rcvdpkt=80 fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli" unauthusersource="forticlient" appcat="unscanned" mastersrcmac="24:b6:fd:fa:54:c1" srcmac="24:b6:fd:fa:54:c1" srcserver=0 dstosname="Windows" dstswversion="10" masterdstmac="52:54:00:e3:4c:1a" dstmac="52:54:00:e3:4c:1a" dstserver=0
Access denied:
# diagnose endpoint wad-comm find-by ip-vdom 192.168.40.8 root
UID: F4F3263AEBE54777A6509A8FCCDF9284
        status code:ok
        Domain:
        User: keithli
        Cert SN:563DA313367608678A3633E93C574F6F8BCB4A95
        EMS SN: FCTEMS0000109188
        Routes(1):
         - route[0]: IP=192.168.40.8, VDom=root
        Tags(3):
         - tag[0]: name=Malicious-File-Detected
         - tag[1]: name=all_registered_clients
         - tag[2]: name=Low
# diagnose firewall dynamic list
List all dynamic addresses:
FCTEMS0000109188_all_registered_clients: ID(51)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…
FCTEMS0000109188_Low: ID(78)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…
FCTEMS0000109188_Malicious-File-Detected: ID(190)
        ADDR(172.17.194.209)
        ADDR(192.168.40.8)
…
# diagnose test application fcnacd 7
ZTNA Cache:
-uid F4F3263AEBE54777A6509A8FCCDF9284: { "user_name": "keithli", "client_cert_sn": "563DA313367608678A3633E93C574F6F8BCB4A95", "gateway_route_list": [ { "gateway_info": { "fgt_sn": "FGVM04TM21000144", "interface": "default.35", "vdom": "root" }, "route_info": [ { "ip": "192.168.40.8", "mac": "24-b6-fd-fa-54-c1", "route_type": "direct" } ] } ], "ems_sn": "FCTEMS0000109188", "tags": [ "Malicious-File-Detected", "all_registered_clients", "Low" ] }
# execute log display
49 logs found.
10 logs returned.
3.5% of logs has been searched.

11: date=2021-03-28 time=23:14:41 eventtime=1616998481409744928 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.40.8 srcname="Fortinet-KeithL" srcport=51140 srcintf="default.35" srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=162808 proto=6 action="deny" policyid=29 policytype="policy" poluuid="2835666c-9034-51eb-135d-2f56e5f0f7a2" policyname="block-internal-malicious-access" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli" unauthusersource="forticlient" appcat="unscanned" crscore=30 craction=131072 crlevel="high" mastersrcmac="24:b6:fd:fa:54:c1" srcmac="24:b6:fd:fa:54:c1" srcserver=0