7.2.2

Configuring and verifying rules for on-net access

So far, the configurations have focused on remote off-net access. It is assumed that, with the prior teleworking setup, on-net access is configured with a wide-open policy as a very basic case. In most scenarios there will be more segmentation, but one variable remains the same: access is granted based on the source network, and sometimes the user login, but the security posture of the device is not checked.

Existing teleworking configuration allowing traffic from port1 (Clients_LAN) to port2 (DMZ):

config firewall policy
    edit 12
        set name "to_DMZ_webservers"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "FAZ" "Finance" "Webserver" "EMS" "FAC"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
    next
end

In the following section, we explore configuring the on-net access policy with ZTNA tags to enhance the security of on-net devices.

It is assumed that on-net endpoints behind port1 are registered to the FortiClient EMS server over port 8013. Therefore, this port should be allowed without any restrictions.
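As an added check, not part of the Fortinet documentation: a small Python audit that parses "config firewall policy" output and flags accept policies that, like policy 12 above, trust the source network alone (any source, any service, no device posture condition). The sample configuration is constructed; policy 13 and its EMS-8013 service are hypothetical, and treating a ztna-ems-tag setting as the posture check is an assumption about the attribute configured in the next section.

```python
import shlex

# Constructed sample: the page's policy 12 verbatim plus a hypothetical
# policy 13 that only permits the EMS registration port (service assumed).
SAMPLE_CONFIG = """\
config firewall policy
    edit 12
        set name "to_DMZ_webservers"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "FAZ" "Finance" "Webserver" "EMS" "FAC"
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
    next
    edit 13
        set name "to_EMS_registration"
        set action accept
        set srcaddr "all"
        set dstaddr "EMS"
        set service "EMS-8013"
    next
end
"""

def parse_policies(text):
    """Parse 'config firewall policy' output into {policy_id: {setting: [values]}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip('"')
            policies[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            policies[current][key] = shlex.split(rest)  # quoted or bare values
    return policies

def audit_policies(policies):
    """IDs of accept policies that trust the source network alone:
    any source, any service, and no ztna-ems-tag (assumed posture attribute)."""
    return [pid for pid, a in policies.items()
            if a.get("action") == ["accept"] and a.get("srcaddr") == ["all"]
            and a.get("service") == ["ALL"] and "ztna-ems-tag" not in a]

if __name__ == "__main__":
    print(audit_policies(parse_policies(SAMPLE_CONFIG)))  # ['12']
```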
