Fortinet black logo

Administration Guide

ZTNA session-based form authentication

ZTNA session-based form authentication

Session-based form authentication for ZTNA allows users to log in through an authentication portal with support for multi-factor authentication (MFA). This added advantage over the basic type authentication method allows FortiToken MFA to be applied directly to FortiGate users. FortiToken MFA can be applied to local users or remote users. Session-based form authentication can also be applied to explicit and transparent web proxies.

Example

In this example, the FortiGate is configured with a ZTNA HTTPS access proxy to protect access to the web server. It uses session-based form authentication with cookies and auth-portal enabled. It connects to the internal Windows Active Directory using LDAPS for user authentication, and assigns FortiToken MFA to individual users.

This example assumes that the FortiGate EMS Fabric connector is already successfully connected.

To configure the LDAP server:
  1. Go to User & Authentication > LDAP Servers and click Create New.

  2. Configure the following settings:

    Name

    LDAP-fortiad

    Server IP/Name

    10.88.0.1

    Server Port

    389

    Common Name Identifier

    sAMAccountName

    Distinguished Name

    dc=fortiad,dc=info

    Exchange server

    Disable this setting.

    Bind Type

    Regular

    Enter the Username and Password for LDAP binding and lookup.

    Secure Connection

    Enable and set the Protocol to LDAPS.

    Certificate

    Enable and select the CA certificate to validate the server certificate.

    Server identity check

    Optionally, enable to verify the domain name or IP address against the server certificate.

  3. Click Test Connectivity to verify the connection to the server.

  4. Click OK.

To configure a user with FortiToken MFA:
  1. Go to User & Authentication > User Definition and click Create New.
  2. Set User Type to Remote LDAP User and click Next.
  3. Set LDAP Server to LDAP-fortiad and click Next.
  4. For Remote Users, right-click on a user from the list under the corresponding OU and click Add Selected. In this example, the user tsmith under the Marketing OU is selected.
  5. Click Submit.
  6. Double-click the new user, tsmith, to edit the settings.
  7. Enable Two-factor Authentication. Select either FortiToken Cloud or FortiToken. In this example, FortiToken is selected with a mobile FortiToken available on this FortiGate.
  8. Enter an Email Address for the user to get a token activation notification.
  9. Click OK.
To configure a user group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. Enter the name of the group, FortiAD-MFA-group.
  3. Set Type to Firewall.
  4. Click the +in the Members field and add the user, tsmith.
  5. Click OK.
To configure the authentication scheme:
  1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Scheme.
  2. Enter the name, ZTNA-Auth-scheme.
  3. Set Method to Form-based.
  4. Set User database to Other and select the LDAP-fortiad LDAP server.
  5. Enable Two-factor authentication.
  6. Click OK.
To configure the authentication rule:
config authentication rule
    edit "ztna_form_rule"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "ZTNA-Auth-scheme"
        set web-auth-cookie enable
    next
end
Note

By disabling ip-based, the rule is session-based, so web authentication cookies must be enabled.

To configure the ZTNA basic server settings in the GUI:

Configuring the ZTNA server requires some settings that can only be configured in the CLI. The basic settings are configured in the GUI first, then the advanced CLI-only configurations are added after.

  1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.

  2. Click Create New.

  3. Enter the server name, ZTNA_S1.

  4. Configure the network settings:

    1. Set External interface to port3.

    2. Set External IP to 10.0.3.10.

    3. Set External port to 9443.

  5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP. In this example, the custom certificate, ztna-wildcard is selected.

  6. Add server mapping:

    1. In the Service/server mapping table, click Create New.

    2. Set Service to HTTPS.

    3. Set Virtual Host to Any Host.

    4. Configure the path as needed.

    5. Add a server:

      1. In the Servers table, click Create New.

      2. Set IP to 10.88.0.3.

      3. Set Port to 9443.

      4. Click OK to complete the server settings.

    6. Click OK to complete the HTTPS service mapping.

  7. Click OK.

To configure the advanced authentication settings in the CLI:

The following steps are required to create a virtual host and to enable the authentication portal.

  1. Create an access proxy virtual host that points to the ZTNA access proxy. The FQDN of the host must be able to resolve to the external address 10.0.3.10. The client will be redirected to this page for form authentication:
    config firewall access-proxy-virtual-host
        edit "auth-portal-vhost"
            set ssl-certificate "ztna-wildcard"
            set host "authportal.ztnademo.com"
        next
    end
  2. Enable auth-portal on the access proxy and point it to the virtual host:
    config firewall access-proxy
        edit "ZTNA_S1"
            set auth-portal enable
            set auth-virtual-host "auth-portal-vhost"
        next
    				end

    Note

    When auth-virtual-host is configured in the access proxy, it acts as a single sign-on (SSO) point. This means users will be authenticated once when accessing any domains or services in ZTNA_S1.

    When auth-virtual-host is not configured, users will be re-authenticated for each domain or service in ZTNA_S1.

To apply the authentication to the ZTNA rule:
  1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
  2. Click Create New.
  3. Enter the name, ZTNA_R1.
  4. Set Incoming Interface to port3.
  5. Set Source to all. This can also be set to specific IP addresses to only allow those addresses to connect to this HTTPS access proxy.
  6. Click the + in the Source and from the User tab, select the FortiAD-MFA-group user group.

  7. Click the + in the ZTNA Tag field and select the Low tag.
  8. Set ZTNA Server to ZTNA_S1.
  9. Set Destination to Webserver1, which is an address object for 10.88.0.3/32.
  10. Configure the remaining options as needed.
  11. Click OK.

Testing the connection

To test the remote access to the HTTPS access proxy with user authentication:
  1. On the remote Windows PC, open FortiClient.
  2. From the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
  3. Open a browser and enter the address or FQDN of the server and the access port. In this example, https://webserver.ztnademo.com:9443 resolves to https://10.0.3.10:9443.
  4. The browser prompts for the client certificate to use. Select the EMS signed certificate, then click OK.
  5. The client is verified by the FortiGate to authenticate your identity.
  6. Form authentication redirects you to the captive portal defined by the auth-virtual-host, authportal.ztnademo.com:9443. Enter your user credentials and FortiToken code.

  7. After the user authentication passes, the FortiGate performs a posture check on the endpoint. When the posture check passes, you are allowed access to the website.

To verify the logs:
  1. Verify the logged in users in the WAD daemon:
    # diagnose wad user list 
    ID: 2, VDOM: root, IPv4: 10.0.3.2
      user name   : tsmith
      worker      : 1
      duration    : 42
      auth_type   : Session
      auth_method : Form
      pol_id      : 1
      g_id        : 4
      user_based  : 0
      expire      : no
      LAN:
        bytes_in=5117 bytes_out=302717
      WAN:
        bytes_in=304915 bytes_out=4407
  2. Verify the endpoint information:
    # diagnose endpoint record list 
    Record #1:
                    IP Address = 10.0.3.2
                    MAC Address = 02:09:0f:00:03:03
                    MAC list = 02:09:0f:00:04:03;02:09:0f:00:03:03;
                    VDOM =  (-1)
                    EMS serial number: FCTEMS8822000000
                    Client cert SN: 5BDEE2D7B7FCA460D9CEC67BBF4D1FA33E3D281A
                    Public IP address: 67.249.72.215
                    Quarantined: no
                    Online status: online
                    Registration status: registered
                    On-net status: on-net
                    Gateway Interface: 
                    FortiClient version: 7.0.2
                    AVDB version: 1.0
                    FortiClient app signature version: 13.364
                    FortiClient vulnerability scan engine version: 2.31
                    FortiClient UID: 9A016B5A6E914B42AD4168C066EB04CA
                    Host Name: WIN10-01
                    OS Type: WIN64
                    OS Version: Microsoft Windows 10 Professional Edition, 64-bit  (build 19042) (version 2009)
                    Host Description: 
                    Domain: fortiad.info
                    Last Login User: tsmith
                    …
                    Number of Routes: (0)
    online records: 1; offline records: 0; quarantined records: 0
  3. Verify the detected tags on the endpoint:
    # diagnose test app fcnacd 7
    ZTNA Cache V2:
    Entry #1:
     - UID: 9A016B5A6E914B42AD4168C066EB04CA
     - EMS SN: FCTEMS88220010000
     - Domain: fortiad.info
     - User: tsmith
     - Owner: 
     - Certificate SN: 5BDEE2D7B7FCA460D9CEC67BBF4D1FA33E3D281A
     - online: true
     - Tags (2):
      -- Tag (#0): all_registered_clients
      -- Tag (#1): Low
    lls_idx_mask = 0x00000001,
  4. Verify the ZTNA logs.
    • In the GUI, go to Log & Report > ZTNA Traffic.
    • In the CLI:
      # execute log filter category 0
      # execute log filter field subtype ztna
      # execute log display 
      17 logs found.
      10 logs returned.
      
      1: date=2022-05-19 time=13:04:41 eventtime=1652990680922903215 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=63111 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="root" dstintfrole="undefined" sessionid=8313 service="tcp/9443" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="b513a216-d7a9-51ec-7965-6ba166e99004" policyname="ZTNA_R1" duration=66 user="tsmith" group="FortiAD-MFA-group" gatewayid=1 vip="ZTNA_S1" accessproxy="ZTNA_S1" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="MAC_FCTEMS8822000000_Low/FCTEMS8822000000_all_registered_clients/MAC_FCTEMS8822000000_all_registered_clients" wanin=303042 rcvdbyte=303042 wanout=3925 lanin=4430 sentbyte=4430 lanout=301660 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"

ZTNA session-based form authentication

Session-based form authentication for ZTNA allows users to log in through an authentication portal with support for multi-factor authentication (MFA). This added advantage over the basic type authentication method allows FortiToken MFA to be applied directly to FortiGate users. FortiToken MFA can be applied to local users or remote users. Session-based form authentication can also be applied to explicit and transparent web proxies.

Example

In this example, the FortiGate is configured with a ZTNA HTTPS access proxy to protect access to the web server. It uses session-based form authentication with cookies and auth-portal enabled. It connects to the internal Windows Active Directory using LDAPS for user authentication, and assigns FortiToken MFA to individual users.

This example assumes that the FortiGate EMS Fabric connector is already successfully connected.

To configure the LDAP server:
  1. Go to User & Authentication > LDAP Servers and click Create New.

  2. Configure the following settings:

    Name

    LDAP-fortiad

    Server IP/Name

    10.88.0.1

    Server Port

    389

    Common Name Identifier

    sAMAccountName

    Distinguished Name

    dc=fortiad,dc=info

    Exchange server

    Disable this setting.

    Bind Type

    Regular

    Enter the Username and Password for LDAP binding and lookup.

    Secure Connection

    Enable and set the Protocol to LDAPS.

    Certificate

    Enable and select the CA certificate to validate the server certificate.

    Server identity check

    Optionally, enable to verify the domain name or IP address against the server certificate.

  3. Click Test Connectivity to verify the connection to the server.

  4. Click OK.

To configure a user with FortiToken MFA:
  1. Go to User & Authentication > User Definition and click Create New.
  2. Set User Type to Remote LDAP User and click Next.
  3. Set LDAP Server to LDAP-fortiad and click Next.
  4. For Remote Users, right-click on a user from the list under the corresponding OU and click Add Selected. In this example, the user tsmith under the Marketing OU is selected.
  5. Click Submit.
  6. Double-click the new user, tsmith, to edit the settings.
  7. Enable Two-factor Authentication. Select either FortiToken Cloud or FortiToken. In this example, FortiToken is selected with a mobile FortiToken available on this FortiGate.
  8. Enter an Email Address for the user to get a token activation notification.
  9. Click OK.
To configure a user group:
  1. Go to User & Authentication > User Groups and click Create New.
  2. Enter the name of the group, FortiAD-MFA-group.
  3. Set Type to Firewall.
  4. Click the +in the Members field and add the user, tsmith.
  5. Click OK.
To configure the authentication scheme:
  1. Go to Policy & Objects > Authentication Rules and click Create New > Authentication Scheme.
  2. Enter the name, ZTNA-Auth-scheme.
  3. Set Method to Form-based.
  4. Set User database to Other and select the LDAP-fortiad LDAP server.
  5. Enable Two-factor authentication.
  6. Click OK.
To configure the authentication rule:
config authentication rule
    edit "ztna_form_rule"
        set srcaddr "all"
        set ip-based disable
        set active-auth-method "ZTNA-Auth-scheme"
        set web-auth-cookie enable
    next
end
Note

By disabling ip-based, the rule is session-based, so web authentication cookies must be enabled.

To configure the ZTNA basic server settings in the GUI:

Configuring the ZTNA server requires some settings that can only be configured in the CLI. The basic settings are configured in the GUI first, then the advanced CLI-only configurations are added after.

  1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.

  2. Click Create New.

  3. Enter the server name, ZTNA_S1.

  4. Configure the network settings:

    1. Set External interface to port3.

    2. Set External IP to 10.0.3.10.

    3. Set External port to 9443.

  5. Select the Default certificate. Clients will be presented with this certificate when they connect to the access proxy VIP. In this example, the custom certificate, ztna-wildcard is selected.

  6. Add server mapping:

    1. In the Service/server mapping table, click Create New.

    2. Set Service to HTTPS.

    3. Set Virtual Host to Any Host.

    4. Configure the path as needed.

    5. Add a server:

      1. In the Servers table, click Create New.

      2. Set IP to 10.88.0.3.

      3. Set Port to 9443.

      4. Click OK to complete the server settings.

    6. Click OK to complete the HTTPS service mapping.

  7. Click OK.

To configure the advanced authentication settings in the CLI:

The following steps are required to create a virtual host and to enable the authentication portal.

  1. Create an access proxy virtual host that points to the ZTNA access proxy. The FQDN of the host must be able to resolve to the external address 10.0.3.10. The client will be redirected to this page for form authentication:
    config firewall access-proxy-virtual-host
        edit "auth-portal-vhost"
            set ssl-certificate "ztna-wildcard"
            set host "authportal.ztnademo.com"
        next
    end
  2. Enable auth-portal on the access proxy and point it to the virtual host:
    config firewall access-proxy
        edit "ZTNA_S1"
            set auth-portal enable
            set auth-virtual-host "auth-portal-vhost"
        next
    				end

    Note

    When auth-virtual-host is configured in the access proxy, it acts as a single sign-on (SSO) point. This means users will be authenticated once when accessing any domains or services in ZTNA_S1.

    When auth-virtual-host is not configured, users will be re-authenticated for each domain or service in ZTNA_S1.

To apply the authentication to the ZTNA rule:
  1. Go to Policy & Objects > ZTNA and select the ZTNA Rules tab.
  2. Click Create New.
  3. Enter the name, ZTNA_R1.
  4. Set Incoming Interface to port3.
  5. Set Source to all. This can also be set to specific IP addresses to only allow those addresses to connect to this HTTPS access proxy.
  6. Click the + in the Source and from the User tab, select the FortiAD-MFA-group user group.

  7. Click the + in the ZTNA Tag field and select the Low tag.
  8. Set ZTNA Server to ZTNA_S1.
  9. Set Destination to Webserver1, which is an address object for 10.88.0.3/32.
  10. Configure the remaining options as needed.
  11. Click OK.

Testing the connection

To test the remote access to the HTTPS access proxy with user authentication:
  1. On the remote Windows PC, open FortiClient.
  2. From the Zero Trust Telemetry tab, make sure that you are connected to the EMS server.
  3. Open a browser and enter the address or FQDN of the server and the access port. In this example, https://webserver.ztnademo.com:9443 resolves to https://10.0.3.10:9443.
  4. The browser prompts for the client certificate to use. Select the EMS signed certificate, then click OK.
  5. The client is verified by the FortiGate to authenticate your identity.
  6. Form authentication redirects you to the captive portal defined by the auth-virtual-host, authportal.ztnademo.com:9443. Enter your user credentials and FortiToken code.

  7. After the user authentication passes, the FortiGate performs a posture check on the endpoint. When the posture check passes, you are allowed access to the website.

To verify the logs:
  1. Verify the logged in users in the WAD daemon:
    # diagnose wad user list 
    ID: 2, VDOM: root, IPv4: 10.0.3.2
      user name   : tsmith
      worker      : 1
      duration    : 42
      auth_type   : Session
      auth_method : Form
      pol_id      : 1
      g_id        : 4
      user_based  : 0
      expire      : no
      LAN:
        bytes_in=5117 bytes_out=302717
      WAN:
        bytes_in=304915 bytes_out=4407
  2. Verify the endpoint information:
    # diagnose endpoint record list 
    Record #1:
                    IP Address = 10.0.3.2
                    MAC Address = 02:09:0f:00:03:03
                    MAC list = 02:09:0f:00:04:03;02:09:0f:00:03:03;
                    VDOM =  (-1)
                    EMS serial number: FCTEMS8822000000
                    Client cert SN: 5BDEE2D7B7FCA460D9CEC67BBF4D1FA33E3D281A
                    Public IP address: 67.249.72.215
                    Quarantined: no
                    Online status: online
                    Registration status: registered
                    On-net status: on-net
                    Gateway Interface: 
                    FortiClient version: 7.0.2
                    AVDB version: 1.0
                    FortiClient app signature version: 13.364
                    FortiClient vulnerability scan engine version: 2.31
                    FortiClient UID: 9A016B5A6E914B42AD4168C066EB04CA
                    Host Name: WIN10-01
                    OS Type: WIN64
                    OS Version: Microsoft Windows 10 Professional Edition, 64-bit  (build 19042) (version 2009)
                    Host Description: 
                    Domain: fortiad.info
                    Last Login User: tsmith
                    …
                    Number of Routes: (0)
    online records: 1; offline records: 0; quarantined records: 0
  3. Verify the detected tags on the endpoint:
    # diagnose test app fcnacd 7
    ZTNA Cache V2:
    Entry #1:
     - UID: 9A016B5A6E914B42AD4168C066EB04CA
     - EMS SN: FCTEMS88220010000
     - Domain: fortiad.info
     - User: tsmith
     - Owner: 
     - Certificate SN: 5BDEE2D7B7FCA460D9CEC67BBF4D1FA33E3D281A
     - online: true
     - Tags (2):
      -- Tag (#0): all_registered_clients
      -- Tag (#1): Low
    lls_idx_mask = 0x00000001,
  4. Verify the ZTNA logs.
    • In the GUI, go to Log & Report > ZTNA Traffic.
    • In the CLI:
      # execute log filter category 0
      # execute log filter field subtype ztna
      # execute log display 
      17 logs found.
      10 logs returned.
      
      1: date=2022-05-19 time=13:04:41 eventtime=1652990680922903215 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=63111 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="root" dstintfrole="undefined" sessionid=8313 service="tcp/9443" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="b513a216-d7a9-51ec-7965-6ba166e99004" policyname="ZTNA_R1" duration=66 user="tsmith" group="FortiAD-MFA-group" gatewayid=1 vip="ZTNA_S1" accessproxy="ZTNA_S1" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="MAC_FCTEMS8822000000_Low/FCTEMS8822000000_all_registered_clients/MAC_FCTEMS8822000000_all_registered_clients" wanin=303042 rcvdbyte=303042 wanout=3925 lanin=4430 sentbyte=4430 lanout=301660 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"