7.2.2

Prepare FortiClient and FortiClient EMS for ZTNA

The SSL VPN configuration from the previous section is a good starting point for the ZTNA configuration and migration, but some additional configuration is required:

  1. Push ZTNA endpoint profile from EMS to FortiClient Endpoints

  2. Configure Zero Trust Tags to the FortiGate

  3. Configure a Fabric connector on the FortiGate to connect to FortiClient EMS

  4. Synchronize Zero Trust Tags to the FortiGate

Push ZTNA endpoint profile from EMS to FortiClient Endpoints

ZTNA requires EMS to act as the ZTNA Certificate Authority and issue a client certificate to each device, so the FortiClient endpoints must have the ZTNA module installed. This is not required for SSL VPN-only remote access.

To push the ZTNA endpoint profile from FortiClient EMS:
  1. Under Endpoint Profiles > ZTNA Destinations, edit the Default profile.

  2. At the very top, toggle the ZTNA Destinations Profile from Disable to Enable.

  3. For ZTNA hosted Web Access, this is the only configuration needed. Click Save to save the changes.

  4. Under Endpoint Policy & Components > Manage Policies, edit the Default policy.

  5. Ensure that the Default profile is assigned to ZTNA.

  6. Click Save to complete.

From a registered FortiClient endpoint, verify that the client has received the update. The ZTNA Destination should now be installed.

Back on FortiClient EMS, view the managed endpoint under Endpoints > All Endpoints. The user device should appear as connected and Managed by EMS, and the ZTNA status should have changed from Disabled to a valid ZTNA serial number.

Configure Zero Trust Tags to the FortiGate

Zero Trust tagging rules perform endpoint posture checks on the FortiClient endpoints. The resulting tags are synchronized to the FortiGate, which uses them in its policy decision on whether a device may access the protected resources.

This example uses two tagging rules for the security posture check.

To configure a Zero Trust Tagging Rule to detect the presence of critical vulnerabilities:
  1. Go to Zero Trust Tags > Zero Trust Tagging Rules.

  2. On the top right, click +Add.

  3. Enter name “Critical Vulnerabilities”.

  4. For Tag Endpoint As, type in Critical_Vulnerabilities and then hit Enter to create the Tag.

  5. Click Add Rule.

    1. Select Windows OS.

    2. Select Rule Type “Vulnerable Devices”.

    3. Set Severity Level to “Critical”.

    4. Click Save.

  6. Click Save to save this Zero Trust Tagging Rule.

To configure a Zero Trust Tagging Rule that detects endpoints logged in to the Active Directory domain FortiAD.Info:
  1. Remain in Zero Trust Tagging Rules page.

  2. On the top right, click +Add.

  3. Enter name “FortiAD.Info”.

  4. For Tag Endpoint As, type in FortiAD.Info then hit Enter to create the Tag.

  5. Click Add Rule.

    1. Select Windows OS.

    2. Select Rule Type “Logged In Domain”.

    3. Set Domain FortiAD.Info.

    4. Click Save.

  6. Click Save to save this Zero Trust Tagging Rule.

To configure the ZTNA tag to display on the FortiClient:
  1. Remain in EMS and navigate to Endpoint Profiles > System Settings.

  2. Edit the Default profile.

  3. Be sure Advanced settings is selected (top right of window).

  4. Under UI, enable Show Zero Trust Tag on FortiClient GUI.

  5. Click Save.

Verification:
  1. On the FortiClient, click on the User avatar. This will show currently detected Zero Trust Tags.

  2. Back on FortiClient EMS, navigate to Zero Trust Tags > Zero Trust Tag Monitor.

  3. Refresh to display Endpoints that have been tagged by the Tagging rule.

Configure a Fabric connector on the FortiGate to connect to FortiClient EMS

In this example, the FortiClient EMS is on-premises, so the FortiGate can be configured as follows.

To add an on-premises FortiClient EMS server in the GUI:
  1. Go to Security Fabric > Fabric Connectors.

  2. Click Create New and click FortiClient EMS.

  3. Enter a name for the connector and the IP address or FQDN of the EMS.

  4. Click OK.

  5. A window appears to verify the EMS server certificate. Compare the certificate details shown against the certificate installed on the EMS server before clicking Accept; accepting without checking trusts whatever host answered at that address.

    See FortiClient EMS for more information.

To add an on-premises FortiClient EMS server in the CLI:
config endpoint-control fctems
    edit <name>
        set server <server IP or domain>
    next
end

To configure the FortiGate to connect to FortiClient EMS Cloud, see the following topic.

Synchronize Zero Trust Tags to the FortiGate

  1. On the FortiGate, go to System > Feature Visibility and enable Zero Trust Network Access.

  2. Go to Policy & Objects > ZTNA, then open the ZTNA Tags tab.

    ZTNA tags that were created in EMS should be displayed on the page.
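
The FortiGate-side steps from the two sections above (adding the EMS connector and confirming that the Zero Trust tags arrived) can also be done and checked entirely from the FortiGate CLI. The following is an added example, not configuration from the original page; the connector name EMS1 and the EMS address ems.fortiad.info are assumed values.

```fortios
# Added example (not from the original page): bring up the EMS connector,
# verify its certificate, then confirm the Zero Trust tags have synchronized.
# Assumed values: connector name "EMS1", EMS reachable at ems.fortiad.info.

config endpoint-control fctems
    edit "EMS1"
        set server "ems.fortiad.info"
        set https-port 443
        # Pull the data the ZTNA policy decision depends on.
        set pull-tags enable
        set pull-vulnerabilities enable
        set pull-sysinfo enable
    next
end

# Equivalent of the GUI certificate prompt: the FortiGate fetches the EMS
# server certificate and asks whether to trust it. Compare the displayed
# certificate with the one installed on EMS before answering yes.
execute fctems verify EMS1

# Confirm the FortiGate can reach EMS and the connector is authorized.
diagnose endpoint fctems test-connectivity EMS1

# Tags synchronized from EMS appear as dynamic address objects named
# EMS<connector-id>_ZTNA_<tag>, listing the IPs of endpoints that currently
# carry the tag (the list is empty until a tagged FortiClient reports in).
diagnose firewall dynamic list
```

If the connectivity test reports the connector as not yet authorized, the FortiGate still has to be approved on the EMS side (in recent EMS versions, under Administration > Fabric Devices); the tags are not pulled until that authorization completes.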