Using the IP pool or client IP address in a ZTNA connection to backend servers

By default, the connection from the ZTNA access proxy to the backend servers uses the IP address of the outgoing interface as the source. This enhancement enables customers to use an IP pool as the source IP address, or use the client's original IP address as the source IP address. This allows ZTNA to support more sessions without source port conflicts.

These examples show the basic configurations for using an IP pool or transparent mode in a ZTNA proxy policy.

This topology uses an HTTP access proxy to forward traffic to the web server at 172.18.62.27. The IP pool range is 172.16.200.100-105, so this effectively allows for six times more connections using the six source addresses in the pool. If transparent mode is used, the FortiGate uses the client's address (10.1.100.118) as the source IP when connecting to the servers.

Basic ZTNA configuration

To configure the FortiGate:
  1. Configure the access proxy VIP:
    config firewall vip
        edit "ZTNA_S1"
            set type access-proxy
            set extip 172.18.62.16
            set extintf "any"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  2. Configure the virtual host:
    config firewall access-proxy-virtual-host
        edit "auto-ZTNA_S1-0"
            set ssl-certificate "Fortinet_SSL"
            set host "v1.qa.fortinet.com"
        next
    end
  3. Configure the server and path mapping:
    config firewall access-proxy
        edit "ZTNA_S1"
            set vip "ZTNA_S1"
            set client-cert enable
            set auth-portal enable
            set log-blocked-traffic enable
            config api-gateway
                edit 1
                    set virtual-host "auto-ZTNA_S1-0"
                    config realservers
                        edit 1
                            set ip 172.18.62.27
                        next
                    end
                next
            end
        next
    end

Example 1: IP pool

To configure the FortiGate:
  1. Configure the IP pool:
    config firewall ippool
        edit "ztna_pool1"
            set startip 172.16.200.100
            set endip 172.16.200.105
        next
    end
  2. Configure the proxy policy:
    config firewall proxy-policy
        edit 1
            set name "ZTNA_R1"
            set proxy access-proxy
            set access-proxy "ZTNA_S1"
            set srcintf "port14"
            set srcaddr "all"
            set dstaddr "all"
            set ztna-ems-tag "FCTEMS8821000000_ems140_av_tag"
            set action accept
            set schedule "always"
            set logtraffic all
            set poolname "ztna_pool1"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set av-profile "test-av"
            set webfilter-profile "test_wf"
            set file-filter-profile "g-default"
            set ips-sensor "test_ips"
            set application-list "test_app"
        next
    end

Once the ZTNA client generates traffic, run the WAD debug commands on the FortiGate. The outgoing IP address should be from the IP pool.

To test the configuration:
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
...
[V]2022-03-22 17:53:45.026384 [p:356][s:339191][r:50334048] wad_http_session_disconn_srv      :1456  hcs=0x7f993d7877e8 http_svr=(nil)
[I]2022-03-22 17:53:45.026387 [p:356][s:339191][r:50334048] wad_http_connect_original_server  :6253  http ses=0x7f993d7877e8 req=0x7f993d610780 ses_ctx=0x7f993d759218 connect svr orig 10.1.100.118:61694->172.18.62.16:443 out 10.1.100.118:61694->172.18.62.16:443
[I]2022-03-22 17:53:45.026390 [p:356][s:339191][r:50334048] wad_http_upd_ses_ctx_by_req       :838   wad http session 0x7f993d7877e8  forward (nil) fwd_srv_ip=0.0.0.0
[I]2022-03-22 17:53:45.026455 [p:356][s:339191][r:50334048] wad_ippool_get_ip                 :842   clt:10.1.100.118 got ip:172.16.200.102 from ip pool, logic/phy intf(27/27)
[V]2022-03-22 17:53:45.026459 [p:356][s:339191][r:50334048] wad_http_connect_original_server  :6268  [0x7f993d610780] Connect to server: 172.18.62.27:443/172.18.62.27:443
[I]2022-03-22 17:53:45.026461 [p:356][s:339191][r:50334048] wad_tcp_port_alloc                :1434  alloc tcp_port=0x7f993ac55188
[V]2022-03-22 17:53:45.026470 [p:356][s:339191][r:50334048] wad_tcp_port_bind                 :527   tcp_port=0x7f993ac55188 src ip:172.16.200.102 is bind, create sess:1
[V]2022-03-22 17:53:45.026472 [p:356][s:339191][r:50334048] wad_tcp_port_connect_with_fd      :2179  oif =27, src_addr_unkown=0
[I]2022-03-22 17:53:45.026495 [p:356][s:339191][r:50334048] wad_tcp_port_connect_with_fd      :2221  TCP port=0x7f993ac55188 sock=63 vrf=0 connecting 172.16.200.102:12764->172.18.62.27:443
[V]2022-03-22 17:53:45.026506 [p:356][s:339191][r:50334048] wad_http_port_connect             :1815  connect to SSL terminator.
[V]2022-03-22 17:53:45.026509 [p:356][s:339191][r:50334048] wad_tcp_port_out_read_block       :975   tcp_port 0x7f993ac55048 fd=62 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 state=2.
[V]2022-03-22 17:53:45.026511 [p:356][s:339191][r:50334048] wad_tcp_port_transport_read_block :930   tcp_port 0x7f993ac55048 fd=62 on=1 n_out_block=0~>1 in(/out)_shutdown=0/0 closed=0 events=0x1.
[V]2022-03-22 17:53:45.026513 [p:356][s:339191][r:50334048] wad_tcp_port_transport_read_block :944   sock 62 read_block enforced, turn off readability.

Example 2: transparent mode

To configure transparent mode in a proxy policy:
config firewall proxy-policy
    edit 1
        set name "ZTNA_R1"
        set proxy access-proxy
        set access-proxy "ZTNA_S1"
        set srcintf "port14"
        set srcaddr "all"
        set transparent enable
        set dstaddr "all"
        set ztna-ems-tag "FCTEMS8821000000_ems140_av_tag"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "custom-deep-inspection"
        set av-profile "test-av"
        set webfilter-profile "test_wf"
        set file-filter-profile "g-default"
        set ips-sensor "test_ips"
        set application-list "test_app"
    next
end

Once the ZTNA client generates traffic, run the WAD debug commands on the FortiGate. The client's address (10.1.100.118) should be used as the source IP address when connecting to the servers.

To test the configuration:
# diagnose wad debug enable category all
# diagnose wad debug enable level verbose
# diagnose debug enable
...
[V]2022-03-22 18:11:34.968351 [p:356][s:343987][r:50334156] wad_http_connect_server           :6363  http session 0x7f993d7877e8 req=0x7f993d611a60
[V]2022-03-22 18:11:34.968354 [p:356][s:343987][r:50334156] wad_http_srv_still_good           :6135  srv((nil)) nontp(0) dst_type(3)
req: dst:172.18.62.27:443, proto:10)
hcs: dst:N/A:0, proto:1)
[V]2022-03-22 18:11:34.968357 [p:356][s:343987][r:50334156] wad_http_session_disconn_srv      :1456  hcs=0x7f993d7877e8 http_svr=(nil)
[I]2022-03-22 18:11:34.968360 [p:356][s:343987][r:50334156] wad_http_connect_original_server  :6253  http ses=0x7f993d7877e8 req=0x7f993d611a60 ses_ctx=0x7f993d758ec8 connect svr orig 10.1.100.118:62113->172.18.62.16:443 out 10.1.100.118:62113->172.18.62.16:443
[I]2022-03-22 18:11:34.968363 [p:356][s:343987][r:50334156] wad_http_upd_ses_ctx_by_req       :838   wad http session 0x7f993d7877e8  forward (nil) fwd_srv_ip=0.0.0.0
[V]2022-03-22 18:11:34.968367 [p:356][s:343987][r:50334156] wad_http_connect_original_server  :6268  [0x7f993d611a60] Connect to server: 172.18.62.27:443/172.18.62.27:443
[I]2022-03-22 18:11:34.968369 [p:356][s:343987][r:50334156] wad_tcp_port_alloc                :1434  alloc tcp_port=0x7f993ac55908
[V]2022-03-22 18:11:34.968379 [p:356][s:343987][r:50334156] wad_tcp_port_bind                 :527   tcp_port=0x7f993ac55908 src ip:10.1.100.118 is bind, create sess:1
[V]2022-03-22 18:11:34.968381 [p:356][s:343987][r:50334156] wad_tcp_port_connect_with_fd      :2179  oif =27, src_addr_unkown=0
[I]2022-03-22 18:11:34.968403 [p:356][s:343987][r:50334156] wad_tcp_port_connect_with_fd      :2221  TCP port=0x7f993ac55908 sock=64 vrf=0 connecting 10.1.100.118:2182->172.18.62.27:443
[V]2022-03-22 18:11:34.968412 [p:356][s:343987][r:50334156] wad_http_port_connect             :1815  connect to SSL terminator.
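As an added check that is not part of the Fortinet documentation: this Python script parses the `connecting SRC:PORT->DST:PORT` lines of the WAD debug output shown for both examples above and confirms that every connection to the backend uses a source address inside the configured IP pool (Example 1) or the client's own address (Example 2). The log lines are constructed from the outputs above, and the debug line format is assumed to be stable.

```python
import ipaddress
import re

# Constructed sample lines, shortened from the two WAD debug outputs on this page.
POOL_LOG = """\
[I]2022-03-22 17:53:45.026455 [p:356][s:339191][r:50334048] wad_ippool_get_ip :842   clt:10.1.100.118 got ip:172.16.200.102 from ip pool, logic/phy intf(27/27)
[I]2022-03-22 17:53:45.026495 [p:356][s:339191][r:50334048] wad_tcp_port_connect_with_fd :2221  TCP port=0x7f993ac55188 sock=63 vrf=0 connecting 172.16.200.102:12764->172.18.62.27:443
"""
TRANSPARENT_LOG = """\
[I]2022-03-22 18:11:34.968403 [p:356][s:343987][r:50334156] wad_tcp_port_connect_with_fd :2221  TCP port=0x7f993ac55908 sock=64 vrf=0 connecting 10.1.100.118:2182->172.18.62.27:443
"""

# Matches the upstream connect line; "connect svr orig ..." lines do not match.
CONNECT_RE = re.compile(r"connecting (\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_connects(log):
    """Return (src_ip, src_port, dst_ip, dst_port) for each upstream connect line."""
    return [(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            for m in CONNECT_RE.finditer(log)]


def pool_addresses(startip, endip):
    """Expand an ippool startip/endip range into the set of usable source addresses."""
    lo, hi = ipaddress.IPv4Address(startip), ipaddress.IPv4Address(endip)
    return {ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)}


def verify(log, mode, pool=None, client_ip=None, backend="172.18.62.27"):
    """Return a list of problems; an empty list means every backend connection
    used the expected source: an address from `pool` (mode "ippool") or
    `client_ip` itself (mode "transparent")."""
    problems = []
    connects = [c for c in parse_connects(log) if c[2] == backend]
    if not connects:
        problems.append("no connection to backend seen")
    for src_ip, src_port, _, _ in connects:
        if mode == "ippool" and ipaddress.IPv4Address(src_ip) not in pool:
            problems.append(f"{src_ip}:{src_port} not in pool")
        elif mode == "transparent" and src_ip != client_ip:
            problems.append(f"{src_ip}:{src_port} is not client {client_ip}")
    return problems


if __name__ == "__main__":
    pool = pool_addresses("172.16.200.100", "172.16.200.105")
    print("ippool:", verify(POOL_LOG, "ippool", pool=pool) or "ok")
    print("transparent:", verify(TRANSPARENT_LOG, "transparent", client_ip="10.1.100.118") or "ok")
```

Feed the full output of `diagnose debug` (saved to a file) into `verify()` to confirm a policy change took effect; a non-empty list means the access proxy is still using the outgoing interface address or a different pool.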
