Mapping ZTNA virtual host and TCP forwarding domains to the DNS database 7.2.1

When ZTNA is deployed on a FortiGate and a ZTNA virtual host or TCP forwarding domain is used, that host name must resolve to the virtual IP (VIP) of the access proxy that publishes it. To facilitate this, virtual hosts and TCP forwarding domains can be added to the FortiGate's local DNS database, mapped to their access proxy VIP, so that they resolve for FortiClients retrieving the list of published services from the FortiGate. A constraint also restricts each virtual host to a single access proxy entry, so one host name can never map to two VIPs.

config firewall access-proxy
    edit <name>
        set add-vhost/domain-to-dnsdb {enable | disable}
    next
end

add-vhost/domain-to-dnsdb {enable | disable}

When enabled, all virtual hosts and TCP forwarding domains in the access proxy are added under config system dns-database as entries with the shadow-ztna view, resolving to the VIP of that access proxy.

config system dns-database
    edit <name>
        set view {shadow | public | shadow-ztna}
    next
end

view {shadow | public | shadow-ztna}

Set the zone view:

  • shadow: shadow DNS zone to serve internal clients.
  • public: public DNS zone to serve public clients.
  • shadow-ztna: resolve to the ZTNA VIP. This implicit DNS zone is only visible to clients connecting to the ZTNA DoT/DoH tunnel.

Example

In this example, the FortiGate has several ZTNA access proxies configured with different VIPs attached to each one.

Different virtual hosts and TCP forwarding domains are configured on each access proxy:

  Access proxy   VIP address    Virtual host           TCP forwarding domain
  ztna           172.18.82.66   vh1: test1.test.com    -
                                vh2: test2.test.com
  ztna_2         172.18.82.67   vh3: test3.test.com    -
  ztna_3         172.18.82.68   -                      test4.test.com

Consequently, a DNS entry with the shadow-ztna view is added to the local DNS database for each of these host names, resolving to the VIP of its access proxy.

To configure the FortiGate:
  1. Configure three access proxy VIPs:

    config firewall vip
        edit "ztna"
            set type access-proxy
            set extip 172.18.82.66
            set extintf "any"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
        edit "ztna_2"
            set type access-proxy
            set extip 172.18.82.67
            set extintf "any"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
        edit "ztna_3"
            set type access-proxy
            set extip 172.18.82.68
            set extintf "any"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  2. Configure three virtual hosts to be used in the ZTNA access proxies:

    config firewall access-proxy-virtual-host
        edit "vh1"
            set ssl-certificate "*.test.com"
            set host "test1.test.com"
        next
        edit "vh2"
            set ssl-certificate "*.test.com"
            set host "test2.test.com"
        next
        edit "vh3"
            set ssl-certificate "*.test.com"
            set host "test3.test.com"
        next
    end
  3. Configure the first access proxy, and map virtual hosts vh1 and vh2 to different services:

    config firewall access-proxy
        edit "ztna"
            set vip "ztna"
            set add-vhost/domain-to-dnsdb enable
            config api-gateway
                edit 1
                    set virtual-host "vh1"
                    config realservers
                        edit 1
                            set addr-type fqdn
                            set address "fqdn4"
                        next
                        edit 2
                            set ip 172.16.200.207
                        next
                    end
                next
                edit 2
                    set service http
                    set virtual-host "vh2"
                    config realservers
                        edit 1
                            set ip 172.16.200.123
                        next
                    end
                next
            end
        next
    end
  4. Configure the second access proxy, and map one service to virtual host vh3:

    config firewall access-proxy
        edit "ztna_2"
            set vip "ztna_2"
            set add-vhost/domain-to-dnsdb enable
            config api-gateway
                edit 1
                    set virtual-host "vh3"
                    config realservers
                        edit 1
                            set ip 172.16.200.207
                        next
                    end
                next
            end
        next
    end

    Because add-vhost/domain-to-dnsdb is enabled, a virtual host that is already used by another access proxy (vh1 or vh2 on ztna) cannot also be mapped to this access proxy: each host name must resolve to exactly one VIP.

  5. Configure the third access proxy for TCP forwarding:

    config firewall access-proxy
        edit "ztna_3"
            set vip "ztna_3"
            set add-vhost/domain-to-dnsdb enable
            config api-gateway
                edit 2
                    set url-map "/tcp"
                    set service tcp-forwarding
                    config realservers
                        edit 1
                            set domain "test4.test.com"
                        next
                    end
                next
            end
        next
    end

    The virtual hosts and the TCP forwarding domain are now mapped to the VIP of their respective access proxy in the local DNS database. Each appears as a shadow-ztna entry (note the contact value fgt-ztna on the generated entries):

    show full-configuration system dns-database
    config system dns-database
        edit "test1.test.com"
            set domain "test1.test.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "test1.test.com"
                    set ip 172.18.82.66
                next
            end
            set primary-name "test1.test.com"
            set contact "fgt-ztna"
        next
        edit "test2.test.com"
            set domain "test2.test.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "test2.test.com"
                    set ip 172.18.82.66
                next
            end
            set primary-name "test2.test.com"
            set contact "fgt-ztna"
        next
        edit "test3.test.com"
            set domain "test3.test.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "test3.test.com"
                    set ip 172.18.82.67
                next
            end
            set primary-name "test3.test.com"
            set contact "fgt-ztna"
        next
        edit "test4.test.com"
            set domain "test4.test.com"
            set view shadow-ztna
            config dns-entry
                edit 1
                    set ttl 86400
                    set hostname "test4.test.com"
                    set ip 172.18.82.68
                next
            end
            set primary-name "test4.test.com"
            set contact "fgt-ztna"
        next
    end
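As an added example (not Fortinet code and not part of this page), the following Python script audits DNS database output such as the one above against the access-proxy table, covering both the view semantics described earlier and the result of the five configuration steps. It parses the text that show full-configuration system dns-database prints, then checks that each published virtual host or TCP forwarding domain resolves to the VIP of the access proxy that publishes it, that every such entry carries the shadow-ztna view (any other view would expose the ZTNA mapping to clients outside the DoT/DoH tunnel), and that no host name is claimed by two access proxies, which is the constraint the add-vhost/domain-to-dnsdb setting enforces. The ACCESS_PROXIES table, the zone_block helper and the sample output (which deliberately contains one wrong VIP and one public-view entry) are constructed for the example; the page shows no default view value, so a zone without set view is reported as a finding.

```python
"""Audit FortiGate ZTNA DNS-database entries against the access-proxy map.

Added example, not Fortinet code: parses `show full-configuration system
dns-database` text and checks that each published host name resolves to the
VIP of the access proxy publishing it, sits in the shadow-ztna view, and is
claimed by exactly one access proxy.
"""

# Constructed input: the access-proxy layout from the example table.
# name -> (VIP address, host names published on that proxy)
ACCESS_PROXIES = {
    "ztna":   ("172.18.82.66", {"test1.test.com", "test2.test.com"}),
    "ztna_2": ("172.18.82.67", {"test3.test.com"}),
    "ztna_3": ("172.18.82.68", {"test4.test.com"}),
}


def zone_block(name, view, ip, contact="fgt-ztna"):
    """One dns-database zone in the layout the CLI prints (constructed sample data)."""
    return (f'    edit "{name}"\n        set domain "{name}"\n        set view {view}\n'
            f'        config dns-entry\n            edit 1\n                set ttl 86400\n'
            f'                set hostname "{name}"\n                set ip {ip}\n            next\n'
            f'        end\n        set primary-name "{name}"\n        set contact "{contact}"\n    next\n')


# Constructed CLI output: two correct entries, one pointing at the wrong VIP,
# one leaked into the public view, and an unrelated shadow zone to leave alone.
SAMPLE_DNSDB = (
    "config system dns-database\n"
    + zone_block("test1.test.com", "shadow-ztna", "172.18.82.66")
    + zone_block("test2.test.com", "shadow-ztna", "172.18.82.66")
    + zone_block("test3.test.com", "shadow-ztna", "172.18.82.66")  # ztna_2 uses .67
    + zone_block("test4.test.com", "public", "172.18.82.68")       # wrong view
    + zone_block("intranet.example", "shadow", "10.0.0.5", "hostmaster")
    + "end\n"
)


def parse_dns_database(text):
    """Return (zone, view, hostname, ip) tuples, one per dns-entry in the CLI text."""
    records, depth = [], 0
    zone = view = hostname = ip = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line.startswith("edit "):
            depth += 1
            if depth == 2:                      # a top-level zone; view is reset
                zone, view = line.split('"')[1], None
        elif line.startswith("set view "):
            view = line.split()[2]
        elif line.startswith("set hostname "):
            hostname = line.split('"')[1]
        elif line.startswith("set ip "):
            ip = line.split()[2]
        elif line == "next":
            if depth == 4:                      # closes one dns-entry record
                records.append((zone, view, hostname, ip))
                hostname = ip = None
            depth -= 1
        elif line == "end":
            depth -= 1
    return records


def expected_mappings(access_proxies):
    """Host -> (proxy, VIP). A host published on two proxies violates the
    one-access-proxy-per-virtual-host constraint and is rejected."""
    expected = {}
    for proxy, (vip, hosts) in access_proxies.items():
        for host in hosts:
            if host in expected:
                raise ValueError(f"{host} published on both {expected[host][0]} and {proxy}")
            expected[host] = (proxy, vip)
    return expected


def audit(records, access_proxies):
    """Return a list of findings; an empty list means the DNS database is consistent."""
    expected = expected_mappings(access_proxies)
    findings, seen = [], set()
    for _zone, view, hostname, ip in records:
        if hostname in expected:
            seen.add(hostname)
            proxy, vip = expected[hostname]
            if ip != vip:
                findings.append(f"{hostname}: resolves to {ip} but {proxy} uses VIP {vip}")
            if view != "shadow-ztna":
                findings.append(f"{hostname}: view {view} exposes the ZTNA mapping outside the tunnel")
        elif view == "shadow-ztna":
            findings.append(f"{hostname}: stale shadow-ztna entry, no access proxy publishes it")
    for host, (proxy, _vip) in sorted(expected.items()):
        if host not in seen:
            findings.append(f"{host}: published on {proxy} but missing from the DNS database")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dns_database(SAMPLE_DNSDB), ACCESS_PROXIES):
        print(finding)
```

To run it against a real unit, paste the CLI output in place of SAMPLE_DNSDB (or read it from a file) and fill ACCESS_PROXIES from config firewall access-proxy; an empty findings list means every published name resolves to the right VIP and is visible only inside the ZTNA tunnel.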
