Publishing ZTNA services through the ZTNA portal 7.2.1
When ZTNA is deployed on a FortiGate in the network, it is important for endpoint clients to know what ZTNA services are available from the FortiGate access proxy. FortiClients are able to learn the available ZTNA services from the FortiGate ZTNA portal. The services that can be learned include HTTP/HTTPS web services, TCP forwarding services, and web portals. The FortiClient must connect to the FortiGate using a DoT/DoH tunnel so it can retrieve the service mapping in JSON format.
Note: This feature is not supported in FortiOS versions 7.2.6 or 7.4.1, and later.
Example 1
In this example, the FortiGate is configured as a ZTNA access proxy with a VIP of 10.10.10.174. It hosts several services, including:
- HTTP service with real server mapping to 172.16.200.44
- HTTP service with real server mapping to PC4, pc4.qa.fortinet.com
- TCP forwarding with real server mapping to login.microsoft.com:443
- SSL VPN web portal mapping to the local ztna_web_portal with a bookmark to PC5, pc5.qa.fortinet.com
The hosted services are published through the ZTNA portal, which is accessible by the FortiClient through https://vip/fct-api-xxyyzz?command=service[&user=]. The client must establish a DoT/DoH tunnel with the FortiGate ZTNA portal before the hosted services can be retrieved.
To configure the FortiGate:
- Configure the EMS connector:
    config endpoint-control fctems
        edit 1
            set status enable
            set name "1"
            set server "172.16.200.167"
            set serial-number <FortiClient_EMS_serial_number>
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
        next
    end
- Configure the SSL VPN portal for publishing the web portal mapping:
    config vpn ssl web portal
        edit "ztna_web_portal"
            set web-mode enable
            config bookmark-group
                edit "gui-bookmarks"
                    config bookmarks
                        edit "pc05"
                            set url "http://172.16.200.55"
                        next
                    end
                next
            end
        next
    end
- Configure the access proxy VIP for ZTNA:
    config firewall vip
        edit "test_https"
            set type access-proxy
            set extip 10.10.10.174
            set extintf "port1"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
- Configure the FQDN firewall address for PC4:
    config firewall address
        edit "pc4"
            set type fqdn
            set fqdn "pc4.qa.fortinet.com"
        next
    end
- Configure the access proxy virtual hosts:
    config firewall access-proxy-virtual-host
        edit "auto-test_ztna_portal-1"
            set ssl-certificate "Fortinet_SSL"
            set host "qa.fortinet.com"
        next
        edit "auto-test_ztna_portal-0"
            set ssl-certificate "Fortinet_SSL"
            set host "test.fortinet.com"
        next
    end
  When add-vhost-domain-to-dnsdb is enabled in the firewall access proxy settings, the virtual hosts are added automatically under config system dns-database.
- Configure the firewall access proxy and map each service:
    config firewall access-proxy
        edit "test_ztna_portal"
            set vip "test_https"
            set add-vhost-domain-to-dnsdb enable
            config api-gateway
                edit 2
                    set virtual-host "auto-test_ztna_portal-0"
                    config realservers
                        edit 1
                            set ip 172.16.200.44
                            set port 80
                        next
                    end
                next
                edit 3
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "login.microsoft.com"
                            set mappedport 443
                        next
                    end
                next
                edit 4
                    set service http
                    set virtual-host "auto-test_ztna_portal-1"
                    config realservers
                        edit 1
                            set addr-type fqdn
                            set address "pc4"
                            set port 80
                        next
                    end
                next
                edit 1
                    set service web-portal
                    set ssl-vpn-web-portal "ztna_web_portal"
                next
            end
        next
    end
  Since add-vhost-domain-to-dnsdb is enabled, the shadow-ztna DNS entries are added under the config system dns-database table. FortiClient endpoints connecting to the ZTNA portal will be able to resolve the virtual hosts to the ZTNA access proxy VIP address.
    show full-configuration system dns-database
    config system dns-database
        edit "test.fortinet.com"
            set domain "test.fortinet.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "test.fortinet.com"
                    set ip 10.10.10.174
                next
            end
            set primary-name "test.fortinet.com"
            set contact "fgt-ztna"
        next
        edit "qa.fortinet.com"
            set domain "qa.fortinet.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "qa.fortinet.com"
                    set ip 10.10.10.174
                next
            end
            set primary-name "qa.fortinet.com"
            set contact "fgt-ztna"
        next
    end
- Configure the ZTNA policy:
    config firewall proxy-policy
        edit 1
            set name "test_rule"
            set proxy access-proxy
            set access-proxy "test_ztna_portal"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set ssl-ssh-profile "ssl"
        next
    end
Testing and results
When ZTNA is configured, a FortiClient can establish a tunnel to the FortiGate using the ZTNA web portal. Once connected, it can retrieve the list of hosted services using https://10.10.10.174/fct-api-xxyyzz?command=service.
The following JSON is returned:
    {
        "vips": [
            {
                "vip": "10.10.10.174:443",
                "gateways": [
                    {
                        "type": "http",
                        "virtual-host": "qa.fortinet.com",
                        "path": "/",
                        "path-pattern": "sub-string",
                        "servers": [
                            {
                                "address": {
                                    "type": "fqdn",
                                    "value": [ { "fqdn": "pc4.qa.fortinet.com" } ]
                                },
                                "port": "80"
                            }
                        ]
                    },
                    {
                        "type": "bookmark-http",
                        "virtual-host": "172.16.200.55",
                        "path": "/",
                        "path-pattern": "sub-string"
                    },
                    {
                        "type": "https",
                        "virtual-host": "",
                        "path": "/",
                        "path-pattern": "sub-string",
                        "servers": [
                            {
                                "address": {
                                    "type": "ip",
                                    "value": [ { "ip": "172.16.200.44", "mask": "255.255.255.255" } ]
                                },
                                "port": "80"
                            }
                        ]
                    },
                    {
                        "type": "tcp-fwd",
                        "virtual-host": "",
                        "path": "/tcp",
                        "path-pattern": "sub-string",
                        "servers": [
                            {
                                "address": {
                                    "type": "fqdn",
                                    "value": [ { "fqdn": "login.microsoft.com" } ]
                                },
                                "mappedport": [ { "start": "443", "end": "443" } ]
                            }
                        ]
                    },
                    {
                        "type": "web-portal",
                        "virtual-host": "",
                        "path": "/",
                        "path-pattern": "sub-string"
                    }
                ]
            }
        ]
    }
Example 2
In this example, the FortiGate publishes two TCP forwarding rules to its ZTNA service portal. FortiClient EMS is configured to push the FortiGate ZTNA service portal address to its managed endpoints. The FortiClient endpoint queries the FortiGate for the list of ZTNA services and loads them in memory. Users can then access the ZTNA destinations without manually defining the rules or retrieving them from EMS.
Note: The configurations used in this example require FortiClient and FortiClient EMS 7.2.0. See FortiGate ZTNA service portal support and Inline CASB solution for SaaS applications in the FortiClient New Features Guide for more information.
To configure the FortiGate:
- Configure the EMS connector:
    config endpoint-control fctems
        edit 1
            set status enable
            set name "1"
            set server "172.16.200.167"
            set serial-number <FortiClient_EMS_serial_number>
            set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api
        next
    end
- Configure the access proxy VIP for ZTNA:
    config firewall vip
        edit "ztna_tcp_fwd"
            set type access-proxy
            set extip 11.11.11.174
            set extintf "port1"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
- Configure the firewall addresses for PC4 and Win Server:
    config firewall address
        edit "pc4"
            set subnet 172.16.200.44/32
        next
        edit "win2016_server"
            set subnet 172.16.200.188/32
        next
    end
- Configure the firewall access proxy and map it to each service (the real servers reference the two address objects defined in the previous step):
    config firewall access-proxy
        edit "ztna_tcp_fwd"
            set vip "ztna_tcp_fwd"
            set add-vhost-domain-to-dnsdb enable
            config api-gateway
                edit 1
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set address "pc4"
                            set mappedport 22
                        next
                        edit 2
                            set address "win2016_server"
                            set mappedport 3389
                        next
                    end
                next
            end
        next
    end
- Configure the ZTNA policy:
    config firewall proxy-policy
        edit 1
            set name "ztna_test_rule"
            set proxy access-proxy
            set access-proxy "ztna_tcp_fwd"
            set srcintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
        next
    end
To configure FortiClient EMS to push the ZTNA access portal gateway to managed endpoints:
- Log in to the FortiClient EMS and go to Endpoint Profiles > ZTNA Destinations.
- Select an existing profile and click Edit, or add a new profile.
- Click XML to switch the view from basic to XML.
- Click Edit to edit the XML content, and enter the ZTNA access portal gateway settings:
    <?xml version="1.0" ?>
    <forticlient_configuration>
        <ztna>
            <enabled>1</enabled>
            <allow_personal_rules>1</allow_personal_rules>
            <disallow_invalid_server_certificate>1</disallow_invalid_server_certificate>
            <rules/>
            <portals>
                <portal>
                    <addr>11.11.11.174:443</addr>
                    <query_interval_m>30</query_interval_m>
                </portal>
            </portals>
        </ztna>
        <endpoint_control>
            <ui>
                <display_ztna>1</display_ztna>
            </ui>
        </endpoint_control>
    </forticlient_configuration>
- Click Save. The service portal addresses will be automatically pushed to managed FortiClient endpoints.
To verify that a registered FortiClient endpoint can access the protected services:
- On a remote PC that has FortiClient installed, ensure that it is registered to FortiClient EMS.
- Follow the verification steps in FortiGate ZTNA service portal support.
- On an SSH client, start a connection to the protected SSH server on 172.16.200.44:
    ssh root@172.16.200.44
    root@172.16.200.44's password:
  FortiClient will match this traffic to the ZTNA rule learned from the FortiGate service portal and redirect the traffic to it.
- On an RDP client, start a connection to the protected RDP server on 172.16.200.188.
  FortiClient will match this traffic to the ZTNA rule learned from the FortiGate service portal and redirect the traffic to it.
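The following Python is an added example, not FortiOS or FortiClient code: it parses a service-portal response in the JSON layout shown in Example 1 (vips > gateways > servers, with mappedport ranges for tcp-fwd) and then performs the kind of destination match the verification steps above describe, deciding whether a TCP connection to a given host and port is covered by a published tcp-fwd rule and which access proxy VIP it would be redirected to. The sample response is constructed after the Example 2 portal (pc4 SSH and win2016_server RDP on 11.11.11.174:443) plus one virtual-host HTTP gateway from Example 1; the function names are my own.

```python
import ipaddress
import json

# Constructed sample in the layout of the Example 1 response, populated like the Example 2 portal
# (pc4 SSH and win2016_server RDP as tcp-fwd on 11.11.11.174:443) plus one virtual-host HTTP gateway.
SAMPLE_RESPONSE = json.dumps({"vips": [{"vip": "11.11.11.174:443", "gateways": [
    {"type": "tcp-fwd", "virtual-host": "", "path": "/tcp", "path-pattern": "sub-string",
     "servers": [
         {"address": {"type": "ip", "value": [{"ip": "172.16.200.44", "mask": "255.255.255.255"}]},
          "mappedport": [{"start": "22", "end": "22"}]},
         {"address": {"type": "ip", "value": [{"ip": "172.16.200.188", "mask": "255.255.255.255"}]},
          "mappedport": [{"start": "3389", "end": "3389"}]}]},
    {"type": "http", "virtual-host": "qa.fortinet.com", "path": "/", "path-pattern": "sub-string",
     "servers": [{"address": {"type": "fqdn", "value": [{"fqdn": "pc4.qa.fortinet.com"}]},
                  "port": "80"}]}]}]})


def parse_rules(response_text):
    """Flatten vips -> gateways -> servers into one rule per published destination."""
    rules = []
    for vip in json.loads(response_text)["vips"]:
        for gw in vip["gateways"]:
            if not gw.get("servers"):  # web-portal and bookmark-http carry no real servers
                rules.append({"vip": vip["vip"], "type": gw["type"], "dest": gw["virtual-host"], "ports": None})
                continue
            for srv in gw["servers"]:
                # tcp-fwd publishes mappedport ranges; http/https publish one real-server port
                if "mappedport" in srv:
                    ports = [(int(r["start"]), int(r["end"])) for r in srv["mappedport"]]
                else:
                    ports = [(int(srv["port"]), int(srv["port"]))]
                for dest in srv["address"]["value"]:
                    target = dest.get("fqdn") or ipaddress.ip_network(f"{dest['ip']}/{dest['mask']}")
                    rules.append({"vip": vip["vip"], "type": gw["type"], "dest": target, "ports": ports})
    return rules


def match_destination(rules, host, port):
    """Return the VIP a connection to host:port is redirected to, or None if no tcp-fwd rule covers it."""
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None  # host is an FQDN, so only FQDN-based rules can match it
    for rule in rules:
        if rule["type"] != "tcp-fwd":  # only TCP forwarding rules redirect arbitrary TCP traffic
            continue
        dest = rule["dest"]
        hit = (host.lower() == dest.lower() if isinstance(dest, str)
               else host_ip is not None and host_ip in dest)
        if hit and any(lo <= port <= hi for lo, hi in rule["ports"]):
            return rule["vip"]
    return None
```

Running match_destination against the SSH and RDP destinations from the verification steps returns the portal VIP, while a port that is not published (for example 3389 on pc4) returns None.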