Fortinet Document Library

Version:

7.0.1
7.0.0
6.4.7

Version:

6.4.6
6.4.5
6.4.4

Version:

6.4.3
6.4.2
6.4.1

Version:

6.4.0

Table of Contents

Administration Guide

7.0.1
7.0.1
7.0.0
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
Download PDF
Copy Link

ZTNA TCP forwarding access proxy example

In this example, a TCP forwarding access proxy (TFAP) is configured to demonstrate an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context, before granting access to the protected source.

By default, encryption is disabled on FortiClient ZTNA rules, as this reduces overhead for end to end protocols that are already secure. For insecure end to end protocols, enable encryption.

RDP access is configured to one server, and SSH access to the other.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure the access proxy VIP:
config firewall vip
    edit "ZTNA-tcp-server"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port3"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end
To configure the server addresses:
config firewall address
    edit "FAZ"
        set subnet 10.88.0.2 255.255.255.255
    next
    edit "winserver"
        set subnet 10.88.0.1 255.255.255.255
    next
end
To configure access proxy server mappings:
config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FAZ"
                        set mappedport 22 
                    next
                    edit 2
                        set address "winserver"
                        set mappedport 3389 
                    next
                end
            next
        end
    next
end

The mapped port (mappedport) restricts the mapping to the specified port or port range. If mappedport is not specified, then any port will be matched.

To configure a ZTNA rule (proxy policy):
config firewall proxy-policy
    edit 0
        set name "ZTNA_remote"
        set proxy access-proxy
        set access-proxy "ZTNA-tcp-server"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
end
To configure a firewall policy for full ZTNA:
config firewall policy
       edit 1
        set name "Full_ZTNA_policy"
        set srcintf "port3"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "ZTNA-tcp-server"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
    next
end

Test the connection to the access proxy

Before connecting, users must have a ZTNA connection rule in FortiClient.

Note

ZTNA TCP forwarding rules can be provisioned from the EMS server. See Provisioning ZTNA TCP forwarding rules via EMS for details.
To create a ZTNA rule in FortiClient:

  1. On the ZTNA Connection Rules tab, click Add Rule.

  2. Set Rule Name to SSH-FAZ.

  3. Set Destination Host to 10.88.0.2:22. This is the real IP address and port of the server.

  4. Set Proxy Gateway to 10.0.3.11:8443. This is the access proxy address and port that are configured on the FortiGate.

  5. Enable Encryption. This option determines whether or not the Client to FortiGate access proxy connection is encrypted in HTTPS.

  6. Click Create.

  7. Create a second rule with the following settings:

    • Rule Name: RDP_winserver

    • Destination Host: 10.88.0.1:3389

    • Proxy Gateway: 10.0.3.11:8443

    • Encryption: Enabled

After creating the ZTNA connection rules, you can SSH and RDP directly to the server IP address and port.

Logs

RDP:
1: date=2021-03-24 time=23:42:35 eventtime=1616654555724552835 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.3.2 srcport=50284 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=3389 dstintf="root" dstintfrole="undefined" sessionid=109099 service="RDP" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="fe0e1ae8-bdf9-51eb-b86f-c5e2adb934b3" duration=13 wanin=1751 rcvdbyte=1751 wanout=1240 lanin=3034 sentbyte=3034 lanout=3929 appcat="unscanned"
SSH:
1: date=2021-03-24 time=23:44:13 eventtime=1616654653388681007 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.3.2 srcport=50282 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="root" dstintfrole="undefined" sessionid=109027 service="SSH" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="fe0e1ae8-bdf9-51eb-b86f-c5e2adb934b3" duration=134 wanin=5457 rcvdbyte=5457 wanout=2444 lanin=4478 sentbyte=4478 lanout=7943 appcat="unscanned"

ZTNA TCP forwarding access proxy example

In this example, a TCP forwarding access proxy (TFAP) is configured to demonstrate an HTTPS reverse proxy that forwards TCP traffic to the designated resource. The access proxy tunnels TCP traffic between the client and the FortiGate over HTTPS, and forwards the TCP traffic to the protected resource. It verifies user identity, device identity, and trust context, before granting access to the protected source.

By default, encryption is disabled on FortiClient ZTNA rules, as this reduces overhead for end to end protocols that are already secure. For insecure end to end protocols, enable encryption.

RDP access is configured to one server, and SSH access to the other.

This example assumes that the FortiGate EMS fabric connector is already successfully connected.

To configure the access proxy VIP:
config firewall vip
    edit "ZTNA-tcp-server"
        set type access-proxy
        set extip 10.0.3.11
        set extintf "port3"
        set server-type https
        set extport 8443
        set ssl-certificate "Fortinet_SSL"
    next
end
To configure the server addresses:
config firewall address
    edit "FAZ"
        set subnet 10.88.0.2 255.255.255.255
    next
    edit "winserver"
        set subnet 10.88.0.1 255.255.255.255
    next
end
To configure access proxy server mappings:
config firewall access-proxy
    edit "ZTNA-tcp-server"
        set vip "ZTNA-tcp-server"
        set client-cert enable
        config api-gateway
            edit 1
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "FAZ"
                        set mappedport 22 
                    next
                    edit 2
                        set address "winserver"
                        set mappedport 3389 
                    next
                end
            next
        end
    next
end

The mapped port (mappedport) restricts the mapping to the specified port or port range. If mappedport is not specified, then any port will be matched.

To configure a ZTNA rule (proxy policy):
config firewall proxy-policy
    edit 0
        set name "ZTNA_remote"
        set proxy access-proxy
        set access-proxy "ZTNA-tcp-server"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
    next
end
To configure a firewall policy for full ZTNA:
config firewall policy
       edit 1
        set name "Full_ZTNA_policy"
        set srcintf "port3"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "ZTNA-tcp-server"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
    next
end

Test the connection to the access proxy

Before connecting, users must have a ZTNA connection rule in FortiClient.

Note

ZTNA TCP forwarding rules can be provisioned from the EMS server. See Provisioning ZTNA TCP forwarding rules via EMS for details.
To create a ZTNA rule in FortiClient:

  1. On the ZTNA Connection Rules tab, click Add Rule.

  2. Set Rule Name to SSH-FAZ.

  3. Set Destination Host to 10.88.0.2:22. This is the real IP address and port of the server.

  4. Set Proxy Gateway to 10.0.3.11:8443. This is the access proxy address and port that are configured on the FortiGate.

  5. Enable Encryption. This option determines whether or not the Client to FortiGate access proxy connection is encrypted in HTTPS.

  6. Click Create.

  7. Create a second rule with the following settings:

    • Rule Name: RDP_winserver

    • Destination Host: 10.88.0.1:3389

    • Proxy Gateway: 10.0.3.11:8443

    • Encryption: Enabled

After creating the ZTNA connection rules, you can SSH and RDP directly to the server IP address and port.

Logs

RDP:
1: date=2021-03-24 time=23:42:35 eventtime=1616654555724552835 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.3.2 srcport=50284 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.1 dstport=3389 dstintf="root" dstintfrole="undefined" sessionid=109099 service="RDP" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="fe0e1ae8-bdf9-51eb-b86f-c5e2adb934b3" duration=13 wanin=1751 rcvdbyte=1751 wanout=1240 lanin=3034 sentbyte=3034 lanout=3929 appcat="unscanned"
SSH:
1: date=2021-03-24 time=23:44:13 eventtime=1616654653388681007 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.3.2 srcport=50282 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="root" dstintfrole="undefined" sessionid=109027 service="SSH" wanoptapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="fe0e1ae8-bdf9-51eb-b86f-c5e2adb934b3" duration=134 wanin=5457 rcvdbyte=5457 wanout=2444 lanin=4478 sentbyte=4478 lanout=7943 appcat="unscanned"