7.2.2

Testing and verification

Once the above configurations are completed, it is time to test ZTNA remote access on a workstation. Two test cases will be performed.

  1. Verify access is denied when Critical Vulnerabilities are present on the PC.

  2. Verify access is allowed when Critical Vulnerabilities are resolved, and user is logged into the FortiAD domain.

To verify access is denied:
  1. On an administrator’s workstation, log in to the FortiAD domain.

  2. Open the FortiClient > Zero Trust Telemetry page.

  3. Enter the EMS address or the invitation code. Connect to EMS.

  4. Once EMS is connected, click the avatar to identify the current Zero Trust Tags assigned to this PC.

  5. Open a browser, and enter the URL https://zfaz.ztnademo.com.

  6. The browser will first prompt for the client certificate you want to use for this connection. Select the client certificate and press OK.

  7. Next, the browser will prompt you for your user credentials. Enter your LDAP/Active Directory credentials to continue.

  8. If user authentication passes, the ZTNA rule will then assess the ZTNA tags. Since this workstation has Critical Vulnerabilities, access to the FortiAnalyzer is denied.

  9. On the FortiGate, view the corresponding logs under Log & Report > ZTNA Traffic, or from the CLI:

    # execute log filter category traffic
    # execute log filter field subtype ztna
    # execute log display
    68 logs found.
    10 logs returned.
    2.0% of logs has been searched.
    1: date=2022-08-25 time=17:36:29 eventtime=1661474189533247783 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=58729 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.0.3.10 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=232642 srcuuid="32b4d66c-9426-51ec-be9c-9b0879d5b527" dstuuid="8cbf3c68-f75d-51ea-4533-3cd1379a79dc" service="HTTPS" proto=6 action="deny" policyid=2 policytype="proxy-policy" poluuid="9b5aa784-9514-51ec-22d8-290ec0314a08" policyname="ZTNA Deny Access" duration=211 user="Administrator" group="LDAP-Administrators" authserver="LDAP-fortiad" vip="ZTNA Webserver" accessproxy="ZTNA Webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="on-line/MAC_EMS1_ZTNA_Critical_Vulnerabilities/EMS1_ZTNA_FortiAD.info/MAC_EMS1_ZTNA_all_registered_clients" msg="Denied: proxy-policy action is deny. Matched tag: EMS1_ZTNA_Critical_Vulnerabilities" wanin=0 rcvdbyte=0 wanout=0 lanin=2839 sentbyte=2839 lanout=10114 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned" crscore=30 craction=131072 crlevel="high"
To verify access is allowed:
  1. Open the FortiClient > Vulnerability Scan page.

  2. Click on Critical to see the Application that has been identified with a critical vulnerability.

  3. Apply the necessary fix to remove the vulnerability. Then perform a vulnerability scan.

  4. Now that the workstation does not have a critical vulnerability, open your browser again and retry access to the FortiAnalyzer.

  5. Open a browser, and enter the URL https://zfaz.ztnademo.com.

  6. If the prior device certificate and user authentication are still valid, you will have access to your FortiAnalyzer right away. If not, select your device certificate and enter your user credentials. You should then be able to access your FortiAnalyzer.

  7. From the FortiGate, view the corresponding logs under Log & Report > ZTNA Traffic, or from the CLI:

    # execute log filter category traffic
    # execute log filter field subtype ztna
    # execute log display
    73 logs found.
    10 logs returned.
    2.0% of logs has been searched.
    1: date=2022-08-25 time=17:55:17 eventtime=1661475317602317498 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=58807 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=443 dstintf="port2" dstintfrole="dmz" sessionid=234555 srcuuid="32b4d66c-9426-51ec-be9c-9b0879d5b527" dstuuid="8cbf3c68-f75d-51ea-4533-3cd1379a79dc" service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="1b4276e8-942f-51ec-b92e-ce92797e4550" policyname="ZTNA-Administrators" duration=10 user="Administrator" group="LDAP-Administrators" authserver="LDAP-fortiad" gatewayid=1 vip="ZTNA Webserver" accessproxy="ZTNA Webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="on-line/EMS1_ZTNA_FortiAD.info/MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/MAC_EMS1_ZTNA_FortiAD.info" wanin=127358 rcvdbyte=127358 wanout=3141 lanin=3561 sentbyte=3561 lanout=124521 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"
  8. Verify access to zems.ztnademo.com and zfac.ztnademo.com as well.
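The two ZTNA traffic records shown above are the evidence that posture-based enforcement works: the denied session carries the Critical Vulnerabilities tag in clientdevicetags and matches the "ZTNA Deny Access" policy, while the accepted session no longer carries that tag. When verifying a deployment at scale, it is useful to parse these key=value records programmatically and flag any session that was accepted while the critical tag was still present, which would indicate a mis-ordered or mis-scoped proxy policy. The following is an added example written for this page, not Fortinet code; it embeds the two log lines from the CLI output above plus one constructed record, and it assumes (as observed in the denied record) that EMS emits both the plain tag name and a MAC_-prefixed variant, treating either as the same tag.

```python
import re

# The two records below are copied from this page's "execute log display" output.
DENIED_LOG = '1: date=2022-08-25 time=17:36:29 eventtime=1661474189533247783 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=58729 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.0.3.10 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=232642 srcuuid="32b4d66c-9426-51ec-be9c-9b0879d5b527" dstuuid="8cbf3c68-f75d-51ea-4533-3cd1379a79dc" service="HTTPS" proto=6 action="deny" policyid=2 policytype="proxy-policy" poluuid="9b5aa784-9514-51ec-22d8-290ec0314a08" policyname="ZTNA Deny Access" duration=211 user="Administrator" group="LDAP-Administrators" authserver="LDAP-fortiad" vip="ZTNA Webserver" accessproxy="ZTNA Webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="on-line/MAC_EMS1_ZTNA_Critical_Vulnerabilities/EMS1_ZTNA_FortiAD.info/MAC_EMS1_ZTNA_all_registered_clients" msg="Denied: proxy-policy action is deny. Matched tag: EMS1_ZTNA_Critical_Vulnerabilities" wanin=0 rcvdbyte=0 wanout=0 lanin=2839 sentbyte=2839 lanout=10114 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned" crscore=30 craction=131072 crlevel="high"'
ALLOWED_LOG = '1: date=2022-08-25 time=17:55:17 eventtime=1661475317602317498 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=58807 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=443 dstintf="port2" dstintfrole="dmz" sessionid=234555 srcuuid="32b4d66c-9426-51ec-be9c-9b0879d5b527" dstuuid="8cbf3c68-f75d-51ea-4533-3cd1379a79dc" service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="1b4276e8-942f-51ec-b92e-ce92797e4550" policyname="ZTNA-Administrators" duration=10 user="Administrator" group="LDAP-Administrators" authserver="LDAP-fortiad" gatewayid=1 vip="ZTNA Webserver" accessproxy="ZTNA Webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicetags="on-line/EMS1_ZTNA_FortiAD.info/MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/MAC_EMS1_ZTNA_FortiAD.info" wanin=127358 rcvdbyte=127358 wanout=3141 lanin=3561 sentbyte=3561 lanout=124521 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"'

# Constructed record (not from the page): an accept while the critical tag is still
# present. This is the condition a verification script should surface.
MISCONFIGURED_LOG = 'date=2022-08-25 time=18:00:00 type="traffic" subtype="ztna" action="accept" policyid=1 policyname="ZTNA-Administrators" sessionid=999999 user="Administrator" clientdevicetags="on-line/EMS1_ZTNA_Critical_Vulnerabilities/MAC_EMS1_ZTNA_all_registered_clients"'

# Tag named in the deny message above; the clientdevicetags field lists it with a MAC_ prefix.
CRITICAL_TAG = "EMS1_ZTNA_Critical_Vulnerabilities"

# key=value pairs; a quoted value may contain spaces (e.g. msg="Denied: ..."), an unquoted one cannot.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value record into a dict of string values.
    A leading record number such as '1: ' printed by 'execute log display' is dropped."""
    line = re.sub(r"^\s*\d+:\s*", "", line)
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def device_tags(fields: dict) -> list:
    """Split the slash-separated clientdevicetags field into individual tag names."""
    return [t for t in fields.get("clientdevicetags", "").split("/") if t]


def has_critical_tag(fields: dict) -> bool:
    """True if the device carried the critical-vulnerability tag in either spelling.
    Assumption: the MAC_-prefixed variant seen in the denied record is the same EMS tag."""
    return any(t in (CRITICAL_TAG, "MAC_" + CRITICAL_TAG) for t in device_tags(fields))


def evaluate(fields: dict) -> str:
    """Classify a ZTNA traffic record against the intended posture policy."""
    action = fields.get("action")
    critical = has_critical_tag(fields)
    if action == "deny" and critical:
        return "expected-deny"
    if action == "accept" and not critical:
        return "expected-accept"
    if action == "accept" and critical:
        return "alert-accept-with-critical-tag"
    # Denied without the critical tag: failed auth, other tag, or a policy gap; inspect msg.
    return "review"


def summarize(lines: list) -> list:
    """Produce one verdict row per record, skipping lines that are not ZTNA traffic."""
    rows = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") != "ztna":
            continue
        rows.append({
            "sessionid": f.get("sessionid", "?"),
            "user": f.get("user", "?"),
            "policyname": f.get("policyname", "?"),
            "action": f.get("action", "?"),
            "verdict": evaluate(f),
        })
    return rows


if __name__ == "__main__":
    for row in summarize([DENIED_LOG, ALLOWED_LOG, MISCONFIGURED_LOG]):
        print(f"session {row['sessionid']:>7} user={row['user']} policy={row['policyname']!r} "
              f"action={row['action']} -> {row['verdict']}")
```

Run against a saved `execute log display` capture, any row marked alert-accept-with-critical-tag means a tagged device reached the access proxy, so the deny policy should be checked for its position relative to the allow policy and for the tag it matches on; rows marked review are denials for a reason other than the critical tag and are worth reading the msg field for.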
