7.2.2

Allow access to servers based on group

Next, create new rules to allow each user group access to their servers.

To create Allow rules for On-net users from port1 (Clients_LAN) to port2 (DMZ):
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New. Name the first rule Allow-on-net-Sales.

    1. In the Incoming interface, select port1.

    2. In the Outgoing interface, select port2.

    3. In the Source list:

      • Select the Address all.

      • Add the User Groups LDAP-Sales.

    4. In the IP/MAC Based Access Control field, add the FortiAD.info tag.

    5. In the Destination list, add the Webserver address object.

    6. Set the Service to ALL.

    7. Set the Action to ACCEPT.

    8. Set Inspection Mode to Proxy-based.

    9. Enable NAT where necessary.

    10. Enable Security Profiles as needed.

    11. Enable Log Allowed Traffic, and choose All Sessions.

    12. Click OK to complete.

  3. Click Create New. Name the 2nd rule Allow-on-net-Finance.

    1. In the Incoming interface, select port1.

    2. In the Outgoing interface, select port2.

    3. In the Source list:

      • Select the Address all.

      • Add the User Groups LDAP-Finance.

    4. In the IP/MAC Based Access Control field, add the FortiAD.info tag.

    5. In the Destination list, add the Finance and Webserver address objects.

    6. Set the Service to ALL.

    7. Set the Action to ACCEPT.

    8. Set Inspection Mode to Proxy-based.

    9. Enable NAT where necessary.

    10. Enable Security Profiles as needed.

    11. Enable Log Allowed Traffic, and choose All Sessions.

    12. Click OK to complete.

  4. Click Create New. Name the 3rd rule Allow-on-net-Admin.

    1. In the Incoming interface, select port1.

    2. In the Outgoing interface, select port2.

    3. In the Source list:

      • Select the Address all.

      • Add the User Groups LDAP-Administrators.

    4. In the IP/MAC Based Access Control field, add the FortiAD.info tag.

    5. In the Destination list, add the EMS, FAC, FAZ, Finance and Webserver address objects.

    6. Set the Service to ALL.

    7. Set the Action to ACCEPT.

    8. Set Inspection Mode to Proxy-based.

    9. Enable NAT where necessary.

    10. Enable Security Profiles as needed.

    11. Enable Log Allowed Traffic, and choose All Sessions.

    12. Click OK to complete.

  5. Place the new policies below the Deny-vuln-on-net policy but above the to_DMZ_webservers policy.

  6. Disable the to_DMZ_webservers policy so that authentication does not fall through to this wide-open policy.
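The same result can be produced from the FortiOS CLI. The following is an added example, not taken from the Fortinet guide: it shows the Allow-on-net-Sales policy, the ordering step and the disabling of to_DMZ_webservers. Policy IDs in angle brackets are placeholders that depend on the unit, and the CLI keyword for the IP/MAC Based Access Control field (ztna-ems-tag) is an assumption to confirm against your build.

```text
# Added example (not from the Fortinet guide): CLI form of the
# Allow-on-net-Sales policy from the procedure above.
# <ids> are placeholders; confirm the ztna-ems-tag keyword with
# "show firewall policy" on a policy created in the GUI.
config firewall policy
    # edit 0 creates a policy with the next free ID
    edit 0
        set name "Allow-on-net-Sales"
        # port1 = Clients_LAN, port2 = DMZ
        set srcintf "port1"
        set dstintf "port2"
        # Source list: address "all" plus the LDAP user group
        set srcaddr "all"
        set groups "LDAP-Sales"
        # IP/MAC Based Access Control tag (assumed keyword)
        set ztna-ems-tag "FortiAD.info"
        set dstaddr "Webserver"
        set schedule "always"
        set service "ALL"
        set action accept
        set inspection-mode proxy
        # enable only where NAT is required
        set nat enable
        # Log Allowed Traffic: All Sessions
        set logtraffic all
    next
end
# Repeat for Allow-on-net-Finance (groups "LDAP-Finance";
# dstaddr "Finance" "Webserver") and Allow-on-net-Admin
# (groups "LDAP-Administrators"; dstaddr "EMS" "FAC" "FAZ"
# "Finance" "Webserver").

# Ordering: below Deny-vuln-on-net, above to_DMZ_webservers,
# then disable the wide-open policy so nothing falls through.
config firewall policy
    move <sales-id> after <deny-vuln-on-net-id>
    move <finance-id> after <sales-id>
    move <admin-id> after <finance-id>
    edit <to_DMZ_webservers-id>
        set status disable
    next
end
```

Run `show firewall policy` afterwards to confirm the policy sequence and that each Allow policy carries its group, tag and `logtraffic all`.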
