Implicitly generate a firewall policy for a ZTNA rule 7.0.2

The firewall policy to forward traffic to the access proxy VIP is implicitly generated based on the ZTNA rule configuration, and does not need to be manually created.

To configure a ZTNA access proxy in the GUI, create the ZTNA server and then use the server in a ZTNA rule. Rules must include a source interface to indicate where the traffic is sourced from.

When upgrading to FortiOS 7.0.2, the ZTNA rule source interface will be set to any and all full ZTNA firewall policies will automatically be removed.

To perform IP/MAC filtering with ZTNA tags in a firewall policy, assign tags in the IP/MAC Based Access Control field. The toggle to select Full ZTNA or IP/MAC filtering is removed.

These examples assume that the FortiGate EMS fabric connector is already successfully connected.

Example 1 - Configuring a ZTNA HTTPS access proxy

In this example, a ZTNA access proxy is configured for HTTP access to the Web server from a remote endpoint.

To configure the ZTNA server in the GUI:
  1. Go to Policy & Objects > ZTNA, select the ZTNA Servers tab, and click Create New.

  2. Set Name to WIN2K16-P1.

  3. Configure the Network settings:

    1. Set External interface to port1.

    2. Set External IP to 192.168.2.86.

    3. Set External port to 8443.

  4. Select a Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP.

  5. Add a server mapping:

    1. In the Service/server mapping table click Create New.

    2. Set Service to HTTPS.

    3. Set Virtual Host to Any Host.

    4. Add a server:

      1. In the Servers table click Create New.

      2. Set IP to 192.168.20.6.

      3. Set Port to 443.

      4. Set Status as Active.

      5. Click OK.

    5. Click OK.

  6. Click OK.

To configure a ZTNA rule in the GUI:
  1. Go to Policy & Objects > ZTNA, select the ZTNA Rules tab, and click Create New.

  2. Set Name to proxy-WIN2K16-P1.

  3. Set Incoming Interface to port1.

  4. Set Source to all.

  5. In ZTNA Tag add Low.

  6. In ZTNA Server add WIN2K16-P1.

  7. Set Destination to all.

  8. Set Action to ACCEPT.

  9. Configure the remaining options as needed.

  10. Click OK.

To configure HTTPS access in the CLI:
  1. Configure the access proxy VIP:

    config firewall vip
        edit "WIN2K16-P1"
            set type access-proxy
            set extip 192.168.2.86
            set extintf "port1"
            set server-type https
            set extport 8443
            set ssl-certificate "Fortinet_SSL"
        next
    end
    
  2. Configure the server and path mapping:

    config firewall access-proxy
        edit "WIN2K16-P1"
            set vip "WIN2K16-P1"
            set client-cert enable
            config api-gateway
                edit 1
                    config realservers
                        edit 1
                            set ip 192.168.20.6
                        next
                    end
                next
            end
        next
    end
    
  3. Configure the ZTNA rule:

    config firewall proxy-policy
        edit 1
            set name "proxy-WIN2K16-P1"
            set proxy access-proxy
            set access-proxy "WIN2K16-P1"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "FCTEMS0000109188_Low"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
    
To test the remote access to the HTTPS access proxy:
  1. On the remote endpoint, open FortiClient.

  2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.

  3. Open a browser and go to the address of the server, in this case https://winserver.fgdocs.com:8443, which resolves to 192.168.2.86:8443.

  4. The browser prompts for the client certificate to use. Select the EMS signed certificate then click OK.

    The client is verified by the FortiGate to authenticate your identity.

    The FortiGate matches your security posture by verifying your ZTNA tag and matching the corresponding ZTNA rule, and you are allowed access to the web server.

  5. Check the access in the Traffic log on the FortiGate:

    # execute log filter category 0
    # execute log display
    …
    1: date=2021-10-17 time=23:45:42 eventtime=1634539543024700086 tz="-0700" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.10.10.20 srcport=65474 srcintf="port1" srcintfrole="wan" dstip=192.168.2.86 dstport=8443 dstintf="root" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=278276 proto=6 action="close" policyid=1 policytype="proxy-policy" poluuid="1aafa942-2fdc-51ec-b89f-47fb64264865" policyname="proxy-WIN2K16-P1" service="tcp/8443" trandisp="noop" app="tcp/8443" duration=18 sentbyte=5606 rcvdbyte=108762 sentpkt=47 rcvdpkt=80 appcat="unscanned" mastersrcmac="08:5b:0e:ea:7f:d4" srcmac="08:5b:0e:ea:7f:d4" srcserver=0

Example 2 - Configuring a policy to perform posture checks using ZTNA tags

In this example, IP/MAC based access control is configured to allow traffic from an internal subnet when the endpoint is tagged as Low risk.

To configure a firewall policy to use IP/MAC based access control in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Set Name to allow-internal-access.

  3. Set Incoming Interface to default.35.

  4. Set Outgoing Interface to port3.

  5. Set Source to all.

  6. In IP/MAC Based Access Control add the ZTNA tag Low.

  7. Set Destination to all.

  8. Set Service to ALL.

  9. Set Action to ACCEPT.

  10. Enable Log Allowed Traffic and set it to All Sessions.

  11. Configure the remaining options as needed.

  12. Click OK.

To configure a firewall policy to use IP/MAC based access control in the CLI:
config firewall policy
    edit 30
        set name "allow-internal-access"
        set srcintf "default.35"
        set dstintf "port3"
        set action accept
        set ztna-status enable
        set srcaddr "all"
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS0000109188_Low"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set nat enable
    next
end

To test the access to the web server from the on-net client endpoint:
  1. On the on-net endpoint, open FortiClient.

  2. On the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.

  3. Open a browser and go to the address of the server.

    The FortiGate matches your security posture by verifying your ZTNA tag and matching the corresponding firewall policy (allow-internal-access), and you are allowed access to the web server.

  4. Check the access in the Traffic log on the FortiGate:

    # execute log filter category 0
    # execute log filter field dstip 192.168.20.6
    # execute log display
    …
    1: date=2021-10-18 time=09:17:19 eventtime=1634573839454698399 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.40.6 srcname="Fortinet-KeithL" srcport=62756 srcintf="default.35" srcintfrole="undefined" dstip=192.168.20.6 dstport=443 dstintf="port3" dstintfrole="undefined" srcuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" dstuuid="5445be2e-5d7b-51ea-e2c3-ae6b7855c52f" srccountry="Reserved" dstcountry="Reserved" sessionid=330678 proto=6 action="close" policyid=30 policytype="policy" poluuid="8f6ea492-9034-51eb-f197-c00d803b7489" policyname="allow-internal-access" service="HTTPS" trandisp="snat" transip=192.168.20.5 transport=62756 duration=6 sentbyte=3468 rcvdbyte=107732 sentpkt=50 rcvdpkt=80 fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli" unauthusersource="forticlient" appcat="unscanned" mastersrcmac="24:b6:fd:fa:54:c1" srcmac="24:b6:fd:fa:54:c1" srcserver=0 dstosname="Windows" dstswversion="10" masterdstmac="52:54:00:e3:4c:1a" dstmac="52:54:00:e3:4c:1a" dstserver=0
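Both examples finish by reading the traffic log to confirm that the session was matched by the intended ZTNA rule or firewall policy. The script below is an added example (not Fortinet code and not part of this document) that parses FortiOS key=value traffic records like the ones shown above, reproduces the effect of `execute log filter field`, and audits every session to a protected server so that any session that reached it through a policy other than the expected one is flagged. The sample records are constructed, abbreviated copies of the two log lines in the examples plus a third invented record that hits a hypothetical policy named `legacy-allow`; treating `policytype="proxy-policy"` as an access-proxy (ZTNA rule) session follows the CLI configuration above, while reading `fctuid` together with `unauthusersource="forticlient"` as evidence that the endpoint was identified through FortiClient is my own interpretation of the log fields, not a documented guarantee.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample records: abbreviated copies of the two traffic log lines
# shown in the examples, plus a third invented record whose session reached the
# web server through a different (hypothetical) policy named "legacy-allow".
SAMPLE_LOGS = [
    'date=2021-10-17 time=23:45:42 logid="0001000014" type="traffic" subtype="local" '
    'srcip=10.10.10.20 srcport=65474 srcintf="port1" dstip=192.168.2.86 dstport=8443 '
    'proto=6 action="close" policyid=1 policytype="proxy-policy" '
    'policyname="proxy-WIN2K16-P1" service="tcp/8443" sentbyte=5606 rcvdbyte=108762',
    'date=2021-10-18 time=09:17:19 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=192.168.40.6 srcname="Fortinet-KeithL" srcport=62756 srcintf="default.35" '
    'dstip=192.168.20.6 dstport=443 dstintf="port3" proto=6 action="close" policyid=30 '
    'policytype="policy" policyname="allow-internal-access" service="HTTPS" trandisp="snat" '
    'fctuid="F4F3263AEBE54777A6509A8FCCDF9284" unauthuser="keithli" unauthusersource="forticlient"',
    'date=2021-10-18 time=09:20:01 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=192.168.40.9 srcport=51000 srcintf="default.35" dstip=192.168.20.6 dstport=443 '
    'dstintf="port3" proto=6 action="close" policyid=7 policytype="policy" policyname="legacy-allow"',
]

# key=value pairs; values are either a double-quoted string or a run of non-space characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# "1: " style prefix that 'execute log display' prints before each record.
_PREFIX = re.compile(r"^\s*\d+:\s*")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one FortiOS traffic log line into a dict, stripping the display prefix and quotes."""
    rec: Dict[str, str] = {}
    for key, val in _KV.findall(_PREFIX.sub("", line)):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def filter_records(records: Iterable[Dict[str, str]], **wanted: str) -> List[Dict[str, str]]:
    """Keep records whose fields all equal the wanted values (like 'execute log filter field')."""
    return [r for r in records if all(r.get(k) == v for k, v in wanted.items())]


def classify(rec: Dict[str, str]) -> str:
    """Name the kind of ZTNA enforcement a traffic record reflects.

    'access-proxy'           : terminated on the access proxy VIP (firewall proxy-policy)
    'forticlient-identified' : firewall policy session where the endpoint was identified
                               via FortiClient (assumption: fctuid + unauthusersource)
    'unidentified'           : anything else
    """
    if rec.get("policytype") == "proxy-policy":
        return "access-proxy"
    if rec.get("unauthusersource") == "forticlient" and rec.get("fctuid"):
        return "forticlient-identified"
    return "unidentified"


def audit_server_access(lines: Iterable[str], server_ip: str, allowed_policies: Set[str]) -> List[Dict[str, object]]:
    """List every traffic session to server_ip and flag those not matched by an allowed policy."""
    findings: List[Dict[str, object]] = []
    for rec in (parse_record(line) for line in lines):
        if rec.get("type") != "traffic" or rec.get("dstip") != server_ip:
            continue
        findings.append({
            "src": rec.get("srcip"),
            "policy": rec.get("policyname"),
            "kind": classify(rec),
            "expected": rec.get("policyname") in allowed_policies,
        })
    return findings


if __name__ == "__main__":
    # Same question as the 'execute log filter field dstip 192.168.20.6' step above,
    # plus a check that only the posture-checked policy reached the web server.
    for finding in audit_server_access(SAMPLE_LOGS, "192.168.20.6", {"allow-internal-access"}):
        flag = "" if finding["expected"] else "  <-- not the expected policy"
        print(f'{finding["src"]} -> {finding["policy"]} ({finding["kind"]}){flag}')
```

Running the block prints the two sessions to 192.168.20.6 and marks the constructed `legacy-allow` session, which reached the server without a FortiClient identity, as unexpected; pointing `audit_server_access` at the VIP address 192.168.2.86 instead reports the access proxy session from Example 1.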