Basic ZTNA configuration
To deploy a ZTNA access proxy, configure the following components on the FortiGate:
|
To configure ZTNA in the GUI, go to System > Feature Visibility and enable Zero Trust Network Access. |
Configure a FortiClient EMS connector
To add an on-premise FortiClient EMS server in the GUI:
-
Go to Security Fabric > Fabric Connectors.
-
Click Create New and click FortiClient EMS.
-
Enter a name for the connector and the IP address or FQDN of the EMS.
-
Click OK.
-
A window appears to verify the EMS server certificate. Click Accept.
See FortiClient EMS for more information.
To add an on-premise FortiClient EMS server in the CLI:
config endpoint-control fctems
edit <name>
set server <server IP or domain>
next
end
ZTNA tags
After the FortiGate connects to the FortiClient EMS, it automatically synchronizes ZTNA tags. ZTNA tags are generated from tagging rules configured on the FortiClient EMS. These tagging rules are based on various posture checks that can be applied on the endpoints. See Endpoint Posture Check Reference.
To view the synchronized ZTNA tags in the GUI:
-
Go to Policy & Objects > ZTNA and select the ZTNA Tags tab.
-
Hover the cursor over a tag name to view more information about the tag, such as its resolved addresses.
To create a ZTNA tag group in the GUI:
-
Go to Policy & Objects > ZTNA and select the ZTNA Tags tab.
-
Click Create New Group.
-
Enter a name for the group and select the group members.
-
Click OK.
To view the synchronized ZTNA tags in the CLI:
# diagnose firewall dynamic address # diagnose firewall dynamic list
To create a ZTNA tag group in the CLI:
config firewall addrgrp
edit <group name>
set category ztna-ems-tag
set member <members>
next
end
Configure a ZTNA server
To configure a ZTNA server, define the access proxy VIP and the real servers that clients will connect to. The access proxy VIP is the FortiGate ZTNA gateway that clients make HTTPS connections to. The service/server mappings define the virtual host matching rules and the real server mappings of the HTTPS requests.
To create a ZTNA server for HTTPS access proxy in the GUI:
-
Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.
-
Click Create New.
-
Enter a name for the server.
-
Select an external interface, enter the external IP address, and select the external port that the clients will connect to.
-
Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP.
-
Add server mapping:
-
In the Service/server mapping table, click Create New.
-
Set Service to HTTPS.
-
Set Virtual Host to Any Host or Specify.
-
Any Host: Any request that resolves to the access proxy VIP will be mapped to your real servers. For example, if both www.example1.com and www.example2.com resolve to the VIP, then both requests are mapped to your real servers.
-
Specify: Enter the name or IP address of the host that the request must match. For example, if www.example1.com is entered as the host, then only requests to www.example1.com will match.
-
-
Configure the path as needed.
The path can be matched by substring, wildcard, or regular expression. For example, if the virtual host is specified as www.example1.com, and the path substring is map1, then www.example1/map1 will be matched.
-
If multiple servers will be configured, enable Load balancing and select an algorithm.
-
Add a server:
-
In the Servers table, click Create New.
-
Enter the server IP address and port number.
-
Set the server status.
-
Click OK.
-
Add more servers as needed.
-
-
Click OK.
-
Add more server mappings as needed.
-
-
Click OK.
To create a ZTNA server and access proxy VIP in the CLI:
-
Configure an access proxy VIP:
config firewall vip edit <name> set type access-proxy set extip <external IP> set extintf <external interface> set server-type { https | ssh } set extport <external port> set ssl-certificate <certificate> next end -
If the virtual host is specified, configure the virtual host:
config firewall access-proxy-virtual-host edit <auto generated when configured from GUI> set ssl-certificate <certificate> set host <host name or IP> set host-type { sub-string | wildcard } next end -
Configure the server and path mapping:
config firewall access-proxy edit <name> set vip <vip name> set client-cert { enable | disable } set empty-cert-action { accept | block } set log-blocked-traffic {enable | disable} config api-gateway edit 1 set url-map <mapped path> set service { http | https | tcp-forwarding | samlsp } set virtual-host <name of virtual-host if specified> set url-map-type { sub-string | wildcard | regex } config realservers edit 1 set addr-type ip set ip <ip of real server> set port <port> set status { active | standby | disable } set health-check { enable | disable } next end set ldb-method static set persistence none set ssl-dh-bits 2048 set ssl-algorithm high set ssl-min-version tls-1.1 set ssl-max-version tls-1.3 next end next end
Configure a ZTNA rule
A ZTNA rule is a proxy policy used to enforce access control. ZTNA tags or tag groups can be defined to enforce zero trust role based access. Security profiles can be configured to protect this traffic.
To configure a ZTNA rule in the GUI:
-
Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
-
Click Create New.
-
Enter a name for the rule.
-
Select an Incoming Interface and Source.
-
Add the ZTNA tags or tag groups that are allowed access. If multiple tags are included, select the Match ZTNA Tags method, Any or All.
-
Select the ZTNA Server.
-
Select the Destination.
-
Con