
New Features

Publishing ZTNA services through the ZTNA portal 7.2.1

When ZTNA is deployed on a FortiGate, endpoint clients need to know which ZTNA services the FortiGate access proxy offers. FortiClient can learn the available services from the FortiGate ZTNA portal: HTTP/HTTPS web services, TCP forwarding services, and web portals. FortiClient must first connect to the FortiGate over a DoT/DoH tunnel; it then retrieves the service mapping in JSON format.

Note

This feature is not supported in FortiOS 7.2.6 and later 7.2 releases, or in FortiOS 7.4.1 and later.

Example 1

In this example, the FortiGate is configured as a ZTNA access proxy with a VIP of 10.10.10.174. It hosts several services, including:

  • HTTP service with real server mapping to 172.16.200.44

  • HTTP service with real server mapping to PC4, pc4.qa.fortinet.com

  • TCP forwarding with real server mapping to login.microsoft.com:443

  • SSL VPN web portal mapping to the local ztna_web_portal with a bookmark to PC5, pc5.qa.fortinet.com

The hosted services are published through the ZTNA portal, which is accessible by the FortiClient through https://vip/fct-api-xxyyzz?command=service[&user=]. The client must establish a DoT/DoH tunnel with the FortiGate ZTNA portal before the hosted services can be retrieved.

To configure the FortiGate:
  1. Configure the EMS connector:

    config endpoint-control fctems
        edit 1
            set status enable
            set name "1"
            set server "172.16.200.167"
            set serial-number <FortiClient_EMS_serial_number>
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
        next
    end
  2. Configure the SSL VPN portal for publishing the web portal mapping:

    config vpn ssl web portal
        edit "ztna_web_portal"
            set web-mode enable
            config bookmark-group
                edit "gui-bookmarks"
                    config bookmarks
                        edit "pc05"
                            set url "http://172.16.200.55"
                        next
                    end
                next
            end
        next
    end
  3. Configure the access proxy VIP for ZTNA:

    config firewall vip
        edit "test_https"
            set type access-proxy
            set extip 10.10.10.174
            set extintf "port1"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  4. Configure the FQDN firewall address for PC4:

    config firewall address
        edit "pc4"
            set type fqdn
            set fqdn "pc4.qa.fortinet.com"
        next
    end
  5. Configure the access proxy virtual hosts:

    config firewall access-proxy-virtual-host
        edit "auto-test_ztna_portal-1"
            set ssl-certificate "Fortinet_SSL"
            set host "qa.fortinet.com"
        next
        edit "auto-test_ztna_portal-0"
            set ssl-certificate "Fortinet_SSL"
            set host "test.fortinet.com"
        next
    end

    When add-vhost-domain-to-dnsdb is enabled in the firewall access proxy settings, the virtual hosts are added automatically under config system dns-database.

  6. Configure the firewall access proxy and map each service:

    config firewall access-proxy
        edit "test_ztna_portal"
            set vip "test_https"
            set add-vhost-domain-to-dnsdb enable
            config api-gateway
                edit 2
                    set virtual-host "auto-test_ztna_portal-0"
                    config realservers
                        edit 1
                            set ip 172.16.200.44
                            set port 80
                        next
                    end
                next
                edit 3
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "login.microsoft.com"
                            set mappedport 443 
                        next
                    end
                next
                edit 4
                    set service http
                    set virtual-host "auto-test_ztna_portal-1"
                    config realservers
                        edit 1
                            set addr-type fqdn
                            set address "pc4"
                            set port 80
                        next
                    end
                next
                edit 1
                    set service web-portal
                    set ssl-vpn-web-portal "ztna_web_portal"
                next
            end
        next
    end

    Since add-vhost-domain-to-dnsdb is enabled, the shadow-ztna DNS entries are added under the config system dns-database table. FortiClient endpoints connecting to the ZTNA portal will be able to resolve the virtual hosts to the ZTNA access proxy VIP address.

    show full-configuration system dns-database
    config system dns-database
        edit "test.fortinet.com"
            set domain "test.fortinet.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "test.fortinet.com"
                    set ip 10.10.10.174
                next
            end
            set primary-name "test.fortinet.com"
            set contact "fgt-ztna"
        next
        edit "qa.fortinet.com"
            set domain "qa.fortinet.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "qa.fortinet.com"
                    set ip 10.10.10.174
                next
            end
            set primary-name "qa.fortinet.com"
            set contact "fgt-ztna"
        next
    end
  7. Configure the ZTNA policy:

    config firewall proxy-policy
        edit 1
            set name "test_rule"
            set proxy access-proxy
            set access-proxy "test_ztna_portal"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set ssl-ssh-profile "ssl"
        next
    end 
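
The following script is an added example, not Fortinet code. It parses the FortiOS CLI snippets from steps 3 to 6 (only the config/edit/set/next/end grammar those snippets use) and derives the shadow-ztna entries that add-vhost-domain-to-dnsdb produces, which is the mapping FortiClient endpoints rely on to resolve each virtual host to the VIP. It also reports references to objects the configuration never defines, such as an api-gateway realserver pointing at a firewall address that does not exist; the BROKEN variant is constructed here to show that check firing. The tcp-forwarding and web-portal gateways are left out of the embedded config because they reference no virtual host.

```python
"""Derive the shadow-ztna DNS entries that add-vhost-domain-to-dnsdb generates
from an access-proxy configuration, and flag dangling object references.
Added example, not Fortinet code; handles only config/edit/set/next/end."""
import shlex

# Trimmed copy of the Example 1 objects that matter for virtual hosts.
CONFIG = """
config firewall vip
    edit "test_https"
        set extip 10.10.10.174
    next
end
config firewall address
    edit "pc4"
        set type fqdn
        set fqdn "pc4.qa.fortinet.com"
    next
end
config firewall access-proxy-virtual-host
    edit "auto-test_ztna_portal-1"
        set host "qa.fortinet.com"
    next
    edit "auto-test_ztna_portal-0"
        set host "test.fortinet.com"
    next
end
config firewall access-proxy
    edit "test_ztna_portal"
        set vip "test_https"
        set add-vhost-domain-to-dnsdb enable
        config api-gateway
            edit 2
                set virtual-host "auto-test_ztna_portal-0"
            next
            edit 4
                set service http
                set virtual-host "auto-test_ztna_portal-1"
                config realservers
                    edit 1
                        set address "pc4"
                    next
                end
            next
        end
    next
end
"""

# Constructed variant: the realserver names an address object never created.
BROKEN = CONFIG.replace('set address "pc4"', 'set address "pc4_addr"')


def parse_cli(text):
    """Parse CLI text into nested dicts: table -> entry -> attributes. A 'config'
    block nested inside an entry is stored under its own name in that entry."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts:
            continue
        if parts[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(parts[1:]), {}))
        elif parts[0] == "edit":
            stack.append(stack[-1].setdefault(parts[1], {}))
        elif parts[0] == "set":
            stack[-1][parts[1]] = parts[2] if len(parts) == 3 else parts[2:]
        elif parts[0] in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unsupported CLI line: {raw!r}")
    return root


def analyze(cfg):
    """Return ({virtual host name: VIP extip}, [dangling references])."""
    vips = cfg.get("firewall vip", {})
    vhosts = cfg.get("firewall access-proxy-virtual-host", {})
    addrs = cfg.get("firewall address", {})
    dns, problems = {}, []
    for pname, proxy in cfg.get("firewall access-proxy", {}).items():
        vip = vips.get(proxy.get("vip"))
        if vip is None:
            problems.append(f"{pname}: vip {proxy.get('vip')!r} is not defined")
        for gid, gw in proxy.get("api-gateway", {}).items():
            vh = gw.get("virtual-host")
            if vh and vh not in vhosts:
                problems.append(f"{pname}/api-gateway {gid}: virtual-host {vh!r} is not defined")
            elif vh and vip and proxy.get("add-vhost-domain-to-dnsdb") == "enable":
                # This is the entry FortiOS adds to system dns-database, view shadow-ztna.
                dns[vhosts[vh]["host"]] = vip["extip"]
            for rid, rs in gw.get("realservers", {}).items():
                if rs.get("address") and rs["address"] not in addrs:
                    problems.append(f"{pname}/api-gateway {gid}/realserver {rid}: address {rs['address']!r} is not defined")
    return dns, problems


if __name__ == "__main__":
    for host, ip in analyze(parse_cli(CONFIG))[0].items():
        print(f"shadow-ztna {host} -> {ip}")
    for problem in analyze(parse_cli(BROKEN))[1]:
        print("dangling:", problem)
```

Run against the embedded config, the script reports test.fortinet.com and qa.fortinet.com both mapping to 10.10.10.174, matching the dns-database output shown in step 6; against the BROKEN copy it reports the undefined address. A realserver that names a pre-existing address object (as login.microsoft.com does in step 6) only passes if that object is included in the parsed text.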

Testing and results

Once ZTNA is configured, FortiClient establishes a tunnel to the FortiGate ZTNA portal and retrieves the list of hosted services from https://10.10.10.174/fct-api-xxyyzz?command=service.

The following JSON is returned:

{
    "vips":[
        {
            "vip":"10.10.10.174:443",
            "gateways":[
                {
                    "type":"http",
                    "virtual-host":"qa.fortinet.com",
                    "path":"/",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"fqdn",
                                    "value":[
                                        {
                                            "fqdn":"pc4.qa.fortinet.com"
                                        }
                                    ]
                                },
                            "port":"80"
                        }
                    ]
                },
                {
                    "type":"bookmark-http",
                    "virtual-host":"172.16.200.55",
                    "path":"/",
                    "path-pattern":"sub-string"
                },
                {
                    "type":"https",
                    "virtual-host":"",
                    "path":"/",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"ip",
                                    "value":[
                                        {
                                            "ip":"172.16.200.44",
                                            "mask":"255.255.255.255"
                                        }
                                    ]
                                },
                            "port":"80"
                        }
                    ]
                },
                {
                    "type":"tcp-fwd",
                    "virtual-host":"",
                    "path":"/tcp",
                    "path-pattern":"sub-string",
                    "servers":[
                        {
                            "address":
                                {
                                    "type":"fqdn",
                                    "value":[
                                        {
                                            "fqdn":"login.microsoft.com"
                                        }
                                    ]
                                },
                            "mappedport":[
                                {
                                    "start":"443",
                                    "end":"443"
                                }
                            ]
                        }
                    ]
                },
                {
                    "type":"web-portal",
                    "virtual-host":"",
                    "path":"/",
                    "path-pattern":"sub-string"
                }
            ]
        }
    ]
}
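
The script below is an added example, not FortiClient code. It shows what a client has to do with the catalogue above: flatten each gateway into a rule keyed by what the user actually connects to, then match outbound connections against those rules to decide which go to the access-proxy VIP. The catalogue is the JSON shown above, embedded so the script runs offline. Two assumptions are labelled in the code: fetch_catalogue() is an assumed request shape (a plain HTTPS GET of the portal URL with certificate verification), not a documented client API, and the rule model (tcp-fwd destinations are intercepted, web services are browsed via their virtual host, bookmarks are opened from inside the portal) is this example's interpretation of the gateway types.

```python
"""Flatten the ZTNA service catalogue into client-side rules and match
connections against them. Added example, not FortiClient code."""
import ipaddress
import json
import ssl
import urllib.parse
import urllib.request
from dataclasses import dataclass

# The catalogue returned in the text above, embedded so this runs offline.
CATALOGUE = json.loads("""
{"vips": [{"vip": "10.10.10.174:443", "gateways": [
  {"type": "http", "virtual-host": "qa.fortinet.com", "path": "/", "path-pattern": "sub-string",
   "servers": [{"address": {"type": "fqdn", "value": [{"fqdn": "pc4.qa.fortinet.com"}]}, "port": "80"}]},
  {"type": "bookmark-http", "virtual-host": "172.16.200.55", "path": "/", "path-pattern": "sub-string"},
  {"type": "https", "virtual-host": "", "path": "/", "path-pattern": "sub-string",
   "servers": [{"address": {"type": "ip", "value": [{"ip": "172.16.200.44", "mask": "255.255.255.255"}]}, "port": "80"}]},
  {"type": "tcp-fwd", "virtual-host": "", "path": "/tcp", "path-pattern": "sub-string",
   "servers": [{"address": {"type": "fqdn", "value": [{"fqdn": "login.microsoft.com"}]},
                "mappedport": [{"start": "443", "end": "443"}]}]},
  {"type": "web-portal", "virtual-host": "", "path": "/", "path-pattern": "sub-string"}]}]}
""")


@dataclass(frozen=True)
class Rule:
    kind: str         # http, https, tcp-fwd, web-portal, bookmark-http
    dest: str         # FQDN the user connects to, or an IPv4 network for "ip" addresses
    port_start: int
    port_end: int
    proxy: str        # access-proxy VIP the connection is redirected to
    proxy_port: int
    path: str         # url-map of the gateway
    target: str = ""  # bookmark-http only: the server the portal bookmark opens


def _destinations(address):
    """Expand a catalogue address object into matchable destination strings."""
    if address["type"] == "fqdn":
        return [v["fqdn"].lower() for v in address["value"]]
    if address["type"] == "ip":
        return [str(ipaddress.ip_network(f"{v['ip']}/{v['mask']}", strict=False)) for v in address["value"]]
    raise ValueError(f"unknown address type {address['type']!r}")


def derive_rules(catalogue):
    """One Rule per client-visible destination (assumed model, see lead-in)."""
    rules = []
    for entry in catalogue["vips"]:
        proxy, port = entry["vip"].rsplit(":", 1)
        pport = int(port)
        for gw in entry["gateways"]:
            kind, path = gw["type"], gw["path"]
            if kind == "tcp-fwd":
                # Connections to each real server's FQDN/IP on its mapped port range
                # are what the client intercepts and sends through the proxy.
                for srv in gw["servers"]:
                    for dest in _destinations(srv["address"]):
                        for rng in srv["mappedport"]:
                            rules.append(Rule(kind, dest, int(rng["start"]), int(rng["end"]), proxy, pport, path))
            elif kind in ("http", "https"):
                # Browsed via the virtual host (or the VIP itself) on the VIP port;
                # the real servers behind it are never a client destination.
                rules.append(Rule(kind, (gw["virtual-host"] or proxy).lower(), pport, pport, proxy, pport, path))
            elif kind == "web-portal":
                rules.append(Rule(kind, proxy, pport, pport, proxy, pport, path))
            elif kind == "bookmark-http":
                # Opened from inside the web portal, so it gets no direct destination.
                rules.append(Rule(kind, "", pport, pport, proxy, pport, path, target=gw["virtual-host"]))
            else:
                raise ValueError(f"unknown gateway type {kind!r}")
    return rules


def match(rules, host, port):
    """Return the first rule covering host:port (host is an FQDN or IP), else None."""
    host = host.lower()
    for r in rules:
        if not r.port_start <= port <= r.port_end:
            continue
        if "/" in r.dest:
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(r.dest):
                    return r
            except ValueError:
                continue
        elif r.dest == host:
            return r
    return None


def fetch_catalogue(vip, cafile=None, user=None):
    """Assumed retrieval: GET the portal URL over verified TLS. Skipping the
    verification would let a rogue portal hand the client its own rules."""
    url = f"https://{vip}/fct-api-xxyyzz?command=service"
    if user:
        url += "&user=" + urllib.parse.quote(user)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rules = derive_rules(CATALOGUE)
    for host, port in (("login.microsoft.com", 443), ("qa.fortinet.com", 443), ("172.16.200.44", 80)):
        print(f"{host}:{port} -> {match(rules, host, port)}")
```

With this catalogue, a connection to login.microsoft.com:443 matches the tcp-fwd rule and is redirected to 10.10.10.174:443 under /tcp, qa.fortinet.com:443 matches the http gateway, and 172.16.200.44:80 matches nothing: the real server behind the https gateway is reached only by browsing to the VIP, which is the point of hiding it behind the proxy.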

Example 2

In this example, the FortiGate publishes two TCP forwarding rules to its ZTNA service portal. FortiClient EMS is configured to push the FortiGate ZTNA service portal address to its managed endpoints. The FortiClient endpoint queries the FortiGate for the list of ZTNA services and loads them in memory. Users can then access the ZTNA destinations without manually defining the rules or retrieving them from EMS.

Note

The configurations used in this example require FortiClient and FortiClient EMS 7.2.0. See FortiGate ZTNA service portal support and Inline CASB solution for SaaS applications in the FortiClient New Features Guide for more information.

To configure the FortiGate:
  1. Configure the EMS connector:

    config endpoint-control fctems
        edit 1
            set status enable
            set name "1"
            set server "172.16.200.167"
            set serial-number <FortiClient_EMS_serial_number>
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
        next
    end
  2. Configure the access proxy VIP for ZTNA:

    config firewall vip
        edit "ztna_tcp_fwd"
            set type access-proxy
            set extip 11.11.11.174
            set extintf "port1"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  3. Configure the firewall addresses for PC4 and Win Server:

    config firewall address
        edit "pc4"
            set ip "172.16.200.44/32"
        next
        edit "win2016_server"
            set ip "172.16.200.188/32"
        next
    end
  4. Configure the firewall access proxy and map it to each service:

    config firewall access-proxy
        edit "ztna_tcp_fwd"
            set vip "ztna_tcp_fwd"
            set add-vhost-domain-to-dnsdb enable
            config api-gateway
                edit 1
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "pc4"
                            set mappedport 22
                        next
                        edit 2
                            set address "win2016_server"
                            set mappedport 3389
                        next
                    end
                next
            end
        next
    end
  5. Configure the ZTNA policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_test_rule"
            set proxy access-proxy
            set access-proxy "ztna_tcp_fwd" 
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
        next
    end

To configure FortiClient EMS to push the ZTNA access portal gateway to managed endpoints:
  1. Log in to the FortiClient EMS and go to Endpoint Profiles > ZTNA Destinations.

  2. Select an existing profile and click Edit, or add a new profile.

  3. Click XML to switch the view from basic to XML.

  4. Click Edit to edit the XML content, and enter the ZTNA access portal gateway settings:

    <?xml version="1.0" ?>
    <forticlient_configuration>
        <ztna>
            <enabled>1</enabled>
            <allow_personal_rules>1</allow_personal_rules>
            <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
            <rules/>
            <portals>
                <portal>
                    <addr>11.11.11.174:443</addr>
                    <query_interval_m>30</query_interval_m>
                </portal>
            </portals>
        </ztna>
        <endpoint_control>
            <ui>
                <display_ztna>1</display_ztna>
            </ui>
        </endpoint_control>
    </forticlient_configuration>

  5. Click Save. The service portal addresses will be automatically pushed to managed FortiClient endpoints.
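
Before saving a profile like the one in step 4, it is worth linting it: a malformed document is rejected by any XML parser, a portal address that is not host:port cannot be queried, and a profile that does not set disallow_invalid_server_certificate to 1 lets the endpoint trust a portal whose certificate does not validate, which is the portal that hands it the rules every later connection obeys. The script below is an added example, not EMS or FortiClient code. It checks exactly the elements used in step 4 (there is no published schema behind these checks), parses the profile above, and also runs a constructed copy carrying the stray space in a closing tag (`</ disallow_invalid_server_certificate>`) that appears in some copies of this page.

```python
"""Lint a FortiClient ZTNA XML profile before it is pushed from EMS.
Added example, not Fortinet code; the checks mirror the elements used in
step 4 above, not a published schema."""
import xml.etree.ElementTree as ET

# The profile from step 4.
PROFILE = """<?xml version="1.0" ?>
<forticlient_configuration>
    <ztna>
        <enabled>1</enabled>
        <allow_personal_rules>1</allow_personal_rules>
        <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
        <rules/>
        <portals>
            <portal>
                <addr>11.11.11.174:443</addr>
                <query_interval_m>30</query_interval_m>
            </portal>
        </portals>
    </ztna>
    <endpoint_control>
        <ui>
            <display_ztna>1</display_ztna>
        </ui>
    </endpoint_control>
</forticlient_configuration>
"""

# Constructed copy with a space inside the closing tag: not well-formed XML.
MALFORMED = PROFILE.replace("</disallow_invalid_server_certificate>",
                            "</ disallow_invalid_server_certificate>")


def lint_profile(xml_text):
    """Return a list of findings; an empty list means the profile passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:
        return [f"malformed XML: {err}"]
    findings = []
    ztna = root.find("ztna")
    if ztna is None or (ztna.findtext("enabled") or "0").strip() != "1":
        return ["ztna is not enabled, nothing else to check"]
    if (ztna.findtext("disallow_invalid_server_certificate") or "0").strip() != "1":
        findings.append("disallow_invalid_server_certificate is not 1: a portal with an "
                        "invalid certificate is not rejected, nor are the rules it serves")
    portals = ztna.findall("portals/portal")
    if not portals:
        findings.append("no <portal> defined: endpoints will not learn any services")
    for portal in portals:
        addr = (portal.findtext("addr") or "").strip()
        host, sep, port = addr.rpartition(":")
        if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"portal addr {addr!r} is not host:port")
        interval = (portal.findtext("query_interval_m") or "").strip()
        if not interval.isdigit() or int(interval) < 1:
            findings.append(f"portal {addr!r}: query_interval_m {interval!r} is not a positive number of minutes")
    return findings


if __name__ == "__main__":
    for name, text in (("step 4 profile", PROFILE), ("malformed copy", MALFORMED)):
        print(name, "->", lint_profile(text) or "ok")
```

The step 4 profile passes cleanly; the malformed copy fails at the parser, before any setting is looked at, which is also what happens when the broken text is pasted into the EMS XML editor.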

To verify that a registered FortiClient endpoint can access the protected services:
  1. On a remote PC that has FortiClient installed, ensure that it is registered to FortiClient EMS.

  2. Follow the verification steps in FortiGate ZTNA service portal support.

  3. On an SSH client, start a connection to the protected SSH server on 172.16.200.44:

    ssh root@172.16.200.44 
    root@172.16.200.44's password: 

    FortiClient matches this traffic to the TCP forwarding rule it learned from the FortiGate service portal and redirects it through the access proxy VIP, 11.11.11.174:443.

  4. On an RDP client, start a connection to the protected RDP server on 172.16.200.188.

    FortiClient matches this traffic to the TCP forwarding rule it learned from the FortiGate service portal and redirects it through the access proxy VIP, 11.11.11.174:443.
