7.2.2

Testing and verification

Once the above configurations are completed, it is time to test On-net access on a workstation. Two test cases will be performed.

  1. Verify access is denied when Critical Vulnerabilities are present on the PC.

  2. Verify access is allowed when Critical Vulnerabilities are resolved, and user is logged into the FortiAD domain.

To verify access is denied:
  1. On a workstation that is on-net, login to the FortiAD domain. In our example, we will use user Tom Smith (tsmith) from the Sales group logging into his PC 10.0.1.2.

  2. Open the FortiClient > Zero Trust Telemetry page.

  3. Enter the EMS address or the invitation code. Connect to EMS.

  4. Once EMS is connected, click the avatar to identify the current Zero Trust Tags assigned to this PC. This PC currently has Critical Vulnerabilities detected.

  5. Open a browser, and enter the URL https://zwebserver.ztnademo.com.

  6. The browser will redirect you to firewall policy authentication. Authenticate with the tsmith user. Note that firewall authentication can be triggered with HTTP/80, HTTPS/443 and SSH/22 access. If using ports other than these, you may need to trigger authentication with the above ports first.

  7. If user authentication passes, the ZTNA tags will be assessed. Since this workstation has Critical Vulnerabilities, access to the Web server is denied. There are no replacement messages for firewall policy authentication failures.

  8. On the FortiGate, view the corresponding logs under Log & Report > Forward Traffic, or from the CLI:

    # execute log filter category traffic
    # execute log filter field subtype policy
    # execute log display
    3802 logs found.
    10 logs returned.
    2.0% of logs has been searched.
    15: date=2022-09-13 time=16:53:42 eventtime=1663113222809282854 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.2 srcport=51842 srcintf="port1" srcintfrole="undefined" dstip=10.88.0.3 dstport=443 dstintf="port2" dstintfrole="dmz" srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" dstuuid="592dfb72-0775-51ec-aa79-94bd9894388c" srccountry="Reserved" dstcountry="Reserved" sessionid=764033 proto=6 action="deny" policyid=13 policytype="policy" poluuid="d62c92aa-33b1-51ed-a603-bc6e64fb9e67" policyname="Deny-vuln-on-net" user="tsmith" authserver="LDAP-fortiad" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
  9. For other users and devices with Critical Vulnerabilities, try accessing internal server resources as well.

To verify access is allowed:
  1. Open the FortiClient > Vulnerability Scan page.

  2. Click on Critical to see the Application that has been identified with a critical vulnerability.

  3. Apply the necessary fix to remove the vulnerability. Then perform a vulnerability scan.

  4. Now that the workstation no longer has a critical vulnerability, try accessing the web server again.

  5. Open a browser, and enter the URL https://zwebserver.ztnademo.com.

  6. If the prior user authentication is still valid, you will have access to the web server right away. If not, enter your user credentials. You should then be able to access the web server.

  7. From the FortiGate, view the corresponding logs under Log & Report > ZTNA Traffic, or from the CLI:

    # execute log filter category traffic
    # execute log filter field subtype policy
    # execute log display
    3913 logs found.
    10 logs returned.
    2.0% of logs has been searched.
    11: date=2022-09-13 time=17:06:54 eventtime=1663114014269608499 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.2 srcport=51878 srcintf="port1" srcintfrole="undefined" dstip=10.88.0.3 dstport=443 dstintf="port2" dstintfrole="dmz" srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" dstuuid="592dfb72-0775-51ec-aa79-94bd9894388c" srccountry="Reserved" dstcountry="Reserved" sessionid=764718 proto=6 action="close" policyid=14 policytype="policy" poluuid="4f530284-33b4-51ed-d838-73d540cb3b21" policyname="Allow-on-net-Sales" user="tsmith" group="LDAP-Sales" authserver="LDAP-fortiad" service="HTTPS" trandisp="noop" duration=1 sentbyte=1523 rcvdbyte=1410 sentpkt=7 rcvdpkt=8 appcat="unscanned
  8. Verify access for other On-net users as well.
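When both test cases are repeated for several users and workstations, it helps to check the FortiGate traffic logs mechanically rather than by eye. The following is an added example, not code from the Fortinet documentation: it parses the key=value traffic log format shown in steps 8 and 7 above and confirms that a given source IP and authenticated user was first denied by the vulnerability policy and later permitted by the Sales policy. The sample records are constructed, abridged copies of the two log entries above; the function names are the author's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records, abridged from the two log entries shown above.
# Values are either bare (srcip=10.0.1.2) or double-quoted (action="deny").
DENY_LOG = ('15: date=2022-09-13 time=16:53:42 type="traffic" subtype="forward" '
            'srcip=10.0.1.2 srcport=51842 dstip=10.88.0.3 dstport=443 action="deny" '
            'policyid=13 policyname="Deny-vuln-on-net" user="tsmith" '
            'authserver="LDAP-fortiad" service="HTTPS" sentbyte=0 crlevel="high"')
ALLOW_LOG = ('11: date=2022-09-13 time=17:06:54 type="traffic" subtype="forward" '
             'srcip=10.0.1.2 srcport=51878 dstip=10.88.0.3 dstport=443 action="close" '
             'policyid=14 policyname="Allow-on-net-Sales" user="tsmith" '
             'group="LDAP-Sales" service="HTTPS" sentbyte=1523 rcvdbyte=1410')

# key=value where value is "quoted" (may be empty) or a run of non-blank chars.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, quotes stripped.
    A leading 'N: ' index printed by 'execute log display' is dropped."""
    body = re.sub(r"^\d+:\s+", "", line.strip())
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(body)}


def verify_on_net_test(records: List[str], srcip: str, user: str,
                       dstip: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (denied_by, allowed_by): the policy names that denied and later
    permitted HTTPS from srcip/user to dstip, or None where no such log exists.
    Only records carrying the authenticated user are counted, so a session
    dropped before firewall authentication is not mistaken for the tag deny."""
    denied_by = allowed_by = None
    for rec in map(parse_fortigate_log, records):
        if (rec.get("srcip"), rec.get("dstip"), rec.get("dstport"),
                rec.get("user")) != (srcip, dstip, "443", user):
            continue
        if rec.get("action") == "deny":
            denied_by = rec.get("policyname")
        # "close" is what the page shows for the permitted session; "accept" and
        # "timeout" are assumed here as the other actions of a permitted session.
        elif rec.get("action") in ("accept", "close", "timeout"):
            allowed_by = rec.get("policyname")
    return denied_by, allowed_by


if __name__ == "__main__":
    print(verify_on_net_test([DENY_LOG, ALLOW_LOG], "10.0.1.2", "tsmith", "10.88.0.3"))
```

Feed it the lines from `execute log display` for each tested workstation; a result of `(None, <policy>)` means the deny case was never exercised for that user, and `(<policy>, None)` means remediation did not lead to a permitted session.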
