
Publishing ZTNA services through the ZTNA portal 7.2.1

When ZTNA is deployed on a FortiGate in the network, endpoint clients need to know which ZTNA services the FortiGate access proxy offers. FortiClient learns the available ZTNA services from the FortiGate ZTNA portal. The services that can be learned include HTTP/HTTPS web services, TCP forwarding services, and web portals. FortiClient must connect to the FortiGate through a DoT/DoH tunnel in order to retrieve the service mapping, which is returned in JSON format.

Example

In this example, the FortiGate is configured as a ZTNA access proxy with a VIP of 10.10.10.174. It hosts several services, including:

  • HTTP service with real server mapping to 172.16.200.44

  • HTTP service with real server mapping to PC4, pc4.qa.fortinet.com

  • TCP forwarding with real server mapping to login.microsoft.com:443

  • SSL VPN web portal mapping to the local ztna_web_portal with a bookmark to PC5, pc5.qa.fortinet.com

The hosted services are published through the ZTNA portal, which FortiClient reaches at https://vip/fct-api-xxyyzz?command=service[&user=] (the user parameter is optional). The client must establish a DoT/DoH tunnel with the FortiGate ZTNA portal before the hosted services can be retrieved; the returned mapping includes the real-server addresses behind the access proxy, so it is only served inside that tunnel.

To configure the FortiGate:
  1. Configure the EMS connector:

    config endpoint-control fctems
        edit 1
            set status enable
            set name "1"
            set server "172.16.200.167"
            set serial-number <FortiClient_EMS_serial_number>
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
        next
    end
  2. Configure the SSL VPN portal for publishing the web portal mapping:

    config vpn ssl web portal
        edit "ztna_web_portal"
            set web-mode enable
            config bookmark-group
                edit "gui-bookmarks"
                    config bookmarks
                        edit "pc05"
                            set url "http://172.16.200.55"
                        next
                    end
                next
            end
        next
    end
  3. Configure the access proxy VIP for ZTNA:

    config firewall vip
        edit "test_https"
            set type access-proxy
            set extip 10.10.10.174
            set extintf "port1"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  4. Configure the FQDN firewall address for PC4:

    config firewall address
        edit "pc4"
            set type fqdn
            set fqdn "pc4.qa.fortinet.com"
        next
    end
  5. Configure the access proxy virtual hosts:

    config firewall access-proxy-virtual-host
        edit "auto-test_ztna_portal-1"
            set ssl-certificate "Fortinet_SSL"
            set host "qa.fortinet.com"
        next
        edit "auto-test_ztna_portal-0"
            set ssl-certificate "Fortinet_SSL"
            set host "test.fortinet.com"
        next
    end

    When add-vhost/domain-to-dnsdb is enabled in the firewall access proxy settings, the virtual hosts are added automatically under config system dns-database.

  6. Configure the firewall access proxy and map each service:

    config firewall access-proxy
        edit "test_ztna_portal"
            set vip "test_https"
            set add-vhost/domain-to-dnsdb enable
            config api-gateway
                edit 2
                    set virtual-host "auto-test_ztna_portal-0"
                    config realservers
                        edit 1
                            set ip 172.16.200.44
                            set port 80
                        next
                    end
                next
                edit 3
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "login.microsoft.com"
                            set mappedport 443 
                        next
                    end
                next
                edit 4
                    set service http
                    set virtual-host "auto-test_ztna_portal-1"
                    config realservers
                        edit 1
                            set addr-type fqdn
                            set address "pc4"
                            set port 80
                        next
                    end
                next
                edit 1
                    set service web-portal
                    set ssl-vpn-web-portal "ztna_web_portal"
                next
            end
        next
    end

    Because add-vhost/domain-to-dnsdb is enabled, DNS entries in the shadow-ztna view are added automatically to the config system dns-database table. FortiClient endpoints connected to the ZTNA portal can then resolve the virtual hosts to the ZTNA access proxy VIP address.

    show full-configuration system dns-database
    config system dns-database
        edit "test.fortinet.com"
            set domain "test.fortinet.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "test.fortinet.com"
                    set ip 10.10.10.174
                next
            end
            set primary-name "test.fortinet.com"
            set contact "fgt-ztna"
        next
        edit "qa.fortinet.com"
            set domain "qa.fortinet.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "qa.fortinet.com"
                    set ip 10.10.10.174
                next
            end
            set primary-name "qa.fortinet.com"
            set contact "fgt-ztna"
        next
    end
  7. Configure the ZTNA policy. This example policy matches any source and destination (srcaddr all, dstaddr all) and applies no ZTNA tag or user restriction, so it only demonstrates service publishing; restrict it before using it outside a lab:

    config firewall proxy-policy
        edit 1
            set name "test_rule"
            set proxy access-proxy
            set access-proxy "test_ztna_portal"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set ssl-ssh-profile "ssl"
        next
    end 

Testing and results

When ZTNA is configured, a FortiClient can establish a DoT/DoH tunnel to the FortiGate ZTNA portal. Once connected, it can retrieve the list of hosted services from https://10.10.10.174/fct-api-xxyyzz?command=service.

The following JSON is returned:

{
    "vips":[
        {
            "vip":"10.10.10.174:443",
            "gateways":[
                {
                    "type":"http",
                    "virtual-host":"qa.fortinet.com",
                    "path":"/",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"fqdn",
                                    "value":[
                                        {
                                            "fqdn":"pc4.qa.fortinet.com"
                                        }
                                    ]
                                },
                            "port":"80"
                        }
                    ]
                },
                {
                    "type":"bookmark-http",
                    "virtual-host":"172.16.200.55",
                    "path":"/",
                    "path-pattern":"sub-string"
                },
                {
                    "type":"https",
                    "virtual-host":"",
                    "path":"/",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"ip",
                                    "value":[
                                        {
                                            "ip":"172.16.200.44",
                                            "mask":"255.255.255.255"
                                        }
                                    ]
                                },
                            "port":"80"
                        }
                    ]
                },
                {
                    "type":"tcp-fwd",
                    "virtual-host":"",
                    "path":"/tcp",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"fqdn",
                                    "value":[
                                        {
                                            "fqdn":"login.microsoft.com"
                                        }
                                    ]
                                },
                            "mappedport":[
                                {
                                    "start":"443",
                                    "end":"443"
                                }
                            ]
                        }
                    ]
                },
                {
                    "type":"web-portal",
                    "virtual-host":"",
                    "path":"/",
                    "path-pattern":"sub-string"
                }
            ]
        }
    ]
}
Note

Support for this feature will be available in a future version of FortiClient.

Publishing ZTNA services through the ZTNA portal 7.2.1

When ZTNA is deployed on a FortiGate in the network, endpoint clients need to know which ZTNA services the FortiGate access proxy offers. FortiClient learns the available ZTNA services from the FortiGate ZTNA portal. The services that can be learned include HTTP/HTTPS web services, TCP forwarding services, and web portals. FortiClient must connect to the FortiGate through a DoT/DoH tunnel in order to retrieve the service mapping, which is returned in JSON format.

Example

In this example, the FortiGate is configured as a ZTNA access proxy with a VIP of 10.10.10.174. It hosts several services, including:

  • HTTP service with real server mapping to 172.16.200.44

  • HTTP service with real server mapping to PC4, pc4.qa.fortinet.com

  • TCP forwarding with real server mapping to login.microsoft.com:443

  • SSL VPN web portal mapping to the local ztna_web_portal with a bookmark to PC5, pc5.qa.fortinet.com

The hosted services are published through the ZTNA portal, which FortiClient reaches at https://vip/fct-api-xxyyzz?command=service[&user=] (the user parameter is optional). The client must establish a DoT/DoH tunnel with the FortiGate ZTNA portal before the hosted services can be retrieved; the returned mapping includes the real-server addresses behind the access proxy, so it is only served inside that tunnel.

To configure the FortiGate:
  1. Configure the EMS connector:

    config endpoint-control fctems
        edit 1
            set status enable
            set name "1"
            set server "172.16.200.167"
            set serial-number <FortiClient_EMS_serial_number>
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
        next
    end
  2. Configure the SSL VPN portal for publishing the web portal mapping:

    config vpn ssl web portal
        edit "ztna_web_portal"
            set web-mode enable
            config bookmark-group
                edit "gui-bookmarks"
                    config bookmarks
                        edit "pc05"
                            set url "http://172.16.200.55"
                        next
                    end
                next
            end
        next
    end
  3. Configure the access proxy VIP for ZTNA:

    config firewall vip
        edit "test_https"
            set type access-proxy
            set extip 10.10.10.174
            set extintf "port1"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  4. Configure the FQDN firewall address for PC4:

    config firewall address
        edit "pc4"
            set type fqdn
            set fqdn "pc4.qa.fortinet.com"
        next
    end
  5. Configure the access proxy virtual hosts:

    config firewall access-proxy-virtual-host
        edit "auto-test_ztna_portal-1"
            set ssl-certificate "Fortinet_SSL"
            set host "qa.fortinet.com"
        next
        edit "auto-test_ztna_portal-0"
            set ssl-certificate "Fortinet_SSL"
            set host "test.fortinet.com"
        next
    end

    When add-vhost/domain-to-dnsdb is enabled in the firewall access proxy settings, the virtual hosts are added automatically under config system dns-database.

  6. Configure the firewall access proxy and map each service:

    config firewall access-proxy
        edit "test_ztna_portal"
            set vip "test_https"
            set add-vhost/domain-to-dnsdb enable
            config api-gateway
                edit 2
                    set virtual-host "auto-test_ztna_portal-0"
                    config realservers
                        edit 1
                            set ip 172.16.200.44
                            set port 80
                        next
                    end
                next
                edit 3
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "login.microsoft.com"
                            set mappedport 443 
                        next
                    end
                next
                edit 4
                    set service http
                    set virtual-host "auto-test_ztna_portal-1"
                    config realservers
                        edit 1
                            set addr-type fqdn
                            set address "pc4"
                            set port 80
                        next
                    end
                next
                edit 1
                    set service web-portal
                    set ssl-vpn-web-portal "ztna_web_portal"
                next
            end
        next
    end

    Because add-vhost/domain-to-dnsdb is enabled, DNS entries in the shadow-ztna view are added automatically to the config system dns-database table. FortiClient endpoints connected to the ZTNA portal can then resolve the virtual hosts to the ZTNA access proxy VIP address.

    show full-configuration system dns-database
    config system dns-database
        edit "test.fortinet.com"
            set domain "test.fortinet.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "test.fortinet.com"
                    set ip 10.10.10.174
                next
            end
            set primary-name "test.fortinet.com"
            set contact "fgt-ztna"
        next
        edit "qa.fortinet.com"
            set domain "qa.fortinet.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "qa.fortinet.com"
                    set ip 10.10.10.174
                next
            end
            set primary-name "qa.fortinet.com"
            set contact "fgt-ztna"
        next
    end
  7. Configure the ZTNA policy. This example policy matches any source and destination (srcaddr all, dstaddr all) and applies no ZTNA tag or user restriction, so it only demonstrates service publishing; restrict it before using it outside a lab:

    config firewall proxy-policy
        edit 1
            set name "test_rule"
            set proxy access-proxy
            set access-proxy "test_ztna_portal"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set ssl-ssh-profile "ssl"
        next
    end 

Testing and results

When ZTNA is configured, a FortiClient can establish a DoT/DoH tunnel to the FortiGate ZTNA portal. Once connected, it can retrieve the list of hosted services from https://10.10.10.174/fct-api-xxyyzz?command=service.

The following JSON is returned:

{
    "vips":[
        {
            "vip":"10.10.10.174:443",
            "gateways":[
                {
                    "type":"http",
                    "virtual-host":"qa.fortinet.com",
                    "path":"/",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"fqdn",
                                    "value":[
                                        {
                                            "fqdn":"pc4.qa.fortinet.com"
                                        }
                                    ]
                                },
                            "port":"80"
                        }
                    ]
                },
                {
                    "type":"bookmark-http",
                    "virtual-host":"172.16.200.55",
                    "path":"/",
                    "path-pattern":"sub-string"
                },
                {
                    "type":"https",
                    "virtual-host":"",
                    "path":"/",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"ip",
                                    "value":[
                                        {
                                            "ip":"172.16.200.44",
                                            "mask":"255.255.255.255"
                                        }
                                    ]
                                },
                            "port":"80"
                        }
                    ]
                },
                {
                    "type":"tcp-fwd",
                    "virtual-host":"",
                    "path":"/tcp",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"fqdn",
                                    "value":[
                                        {
                                            "fqdn":"login.microsoft.com"
                                        }
                                    ]
                                },
                            "mappedport":[
                                {
                                    "start":"443",
                                    "end":"443"
                                }
                            ]
                        }
                    ]
                },
                {
                    "type":"web-portal",
                    "virtual-host":"",
                    "path":"/",
                    "path-pattern":"sub-string"
                }
            ]
        }
    ]
}
Note

Support for this feature will be available in a future version of FortiClient.