ZTNA inline CASB for SaaS application access control
The FortiGate ZTNA access proxy can be configured to act as an inline cloud access security broker (CASB) by providing access control to software-as-a-service (SaaS) traffic using ZTNA access control rules. A CASB sits between users and their cloud service to enforce security policies as they access cloud-based resources.
The following components are required to use the ZTNA inline CASB feature:
- The FortiGuard Inline CASB Database (ICDB) used by the FortiGate and FortiClient EMS, which is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.
- A FortiGate ZTNA TCP forwarding access proxy configuration that specifies SaaS application destinations using application names defined in the ICDB
- ZTNA connection rules for SaaS traffic that are provisioned using FortiClient EMS (version 7.2.0 and later)
- FortiClient (version 7.2.0 and later) installed on the user's machine to receive the ZTNA connection rules for SaaS traffic from FortiClient EMS
Previously, ZTNA SaaS access control was possible using the TCP forwarding access proxy configuration on FortiGate and FortiClient:
- On the FortiGate, users would need to search all hostnames used by a SaaS application, configure these hostnames as FQDN addresses, and configure these addresses as part of the ZTNA TCP forwarding settings.
- In FortiClient, users would need to manually add all the hostnames as destinations for ZTNA connection rules or use FortiClient EMS to push those rules to FortiClient.
ZTNA inline CASB for SaaS application access control includes the following functionalities:
- The FortiGuard Inline CASB Database (ICDB) that includes all FQDNs related to specific SaaS applications and corresponding FortiGuard packages for FortiOS and FortiClient. The inline CASB feature is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.
- With the CASB Security Service, users can configure the ZTNA access proxy with a new SaaS proxy access type and conveniently specify SaaS application destinations by application name or by application group name without needing to manually search for and enter FQDNs specific to each SaaS application. This can only be configured in the CLI.
- Users can configure the SaaS application destination in `config firewall proxy-address`, which can be used in `config firewall proxy-policy`.
- The FortiGate traffic log includes a `saasname` field when traffic is controlled by inline CASB for logging SaaS traffic on the FortiGate and FortiAnalyzer.
Supported SaaS applications and SaaS application groups
The inline CASB database, as of version 1.00025, supports the following SaaS applications:
| ZTNA access proxy application name | SaaS application |
|---|---|
| adobe | Adobe services domains |
| adp | ADP |
| atlassian | Atlassian |
| aws_s3 | AWS S3 |
| azure | Azure |
| box | Box |
| citrix | Citrix |
| confluence | Confluence |
| docusign | DocuSign |
| dropbox | Dropbox |
| egnyte | Egnyte |
| github | GitHub |
| gmail | Gmail |
| google_cloud | Google Cloud |
| google_drive | Google Drive |
| google_office | Google Office |
| google-web | Google Web Search domains |
| jira | Jira |
| ms_excel | Microsoft Excel |
| ms_exchange | Microsoft Exchange |
| ms_onedrive | Microsoft OneDrive |
| ms_outlook | Microsoft Outlook |
| ms_powerpoint | Microsoft PowerPoint |
| ms_teams | Microsoft Teams |
| ms_word | Microsoft Word |
| salesforce | Salesforce |
| sap | SAP |
| sharepoint | SharePoint |
| webex | Webex |
| workplace | Workplace |
| youtube | YouTube |
| zendesk | Zendesk |
| zoom | Zoom |
The inline CASB database, as of version 1.00025, supports the following SaaS application groups:
| ZTNA access proxy application name | SaaS application group |
|---|---|
|  | Google SaaS |
| MS | Microsoft SaaS |
Example
In this example, the FortiGate is configured as a ZTNA access proxy with a VIP of 172.18.62.10 and uses the SaaS access proxy type. Dropbox and Zoom SaaS applications are allowed, and the Microsoft SaaS application group is allowed.
Although this topology shows an on-net FortiClient endpoint with respect to the FortiGate, this configuration is also supported with an off-net FortiClient endpoint when the ZTNA access proxy VIP is configured for an external IP address. The FortiClient EMS in this example uses an external IP address, but it can also be configured to use an internal IP address within the LAN of the FortiGate. The topology in this example is used for demonstration purposes only and is not a recommended network topology.
To verify that the ICDB is installed on the FortiGate:
```
# diagnose autoupdate versions
…
Inline CASB Database
---------
Version: 1.00025
Contract Expiry Date: Fri Dec 13 2030
Last Updated using scheduled update on Fri Jul 8 12:19:36 2022
Last Update Attempt: Wed Jul 13 22:42:03 2022
Result: No Updates
```
To configure the FortiGate:
- Configure the access proxy VIP for ZTNA:
```
config firewall vip
    edit "ZTNA_SaaS"
        set type access-proxy
        set extip 172.18.62.10
        set extintf "internal"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_SSL"
    next
end
```
- Configure the firewall access proxy using the SaaS proxy access type and specify the SaaS application destinations:
```
config firewall access-proxy
    edit "ZTNA_SaaS"
        set vip "ZTNA_SaaS"
        set log-blocked-traffic enable
        config api-gateway
            edit 1
                set url-map "/saas"
                set service saas
                set application "dropbox" "zoom" "MS"
            next
        end
    next
end
```
- Optionally, configure the SaaS proxy address, which can be applied in a ZTNA proxy policy:
```
config firewall proxy-address
    edit "ztna_saas_dropbox"
        set type saas
        set application "dropbox"
    next
end
```
- Configure the ZTNA rule (proxy policy) using the SaaS proxy address as the destination:
```
config firewall proxy-policy
    edit 2
        set name "ZTNA_Rule_SaaS"
        set proxy access-proxy
        set access-proxy "ZTNA_SaaS"
        set srcintf "internal"
        set srcaddr "all"
        set dstaddr "ztna_saas_dropbox"
        set action accept
        set schedule "always"
        set logtraffic all
        set users "ztnauser"
        set ssl-ssh-profile "custom-deep-inspection"
    next
end
```
- Optionally, if user authentication is configured in the ZTNA rule (`set users` or `set groups`), configure the authentication scheme and rule (see Configuring the authentication scheme and rule in the ZTNA Deployment guide). The authentication scheme and rule in this example correspond to the local user, ztnauser.
    - Configure the authentication scheme:
```
config authentication scheme
    edit "ZTNA-Auth-scheme"
        set method basic
        set require-tfa disable
        set fsso-guest disable
        set user-database "local-user-db"
    next
end
```
    - Configure the authentication rule:
```
config authentication rule
    edit "ZTNA-Auth-scheme"
        set status enable
        set protocol http
        set srcintf "internal"
        set srcaddr "all"
        set ip-based enable
        set active-auth-method "ZTNA-Auth-scheme"
        set sso-auth-method ''
        set web-portal enable
        set comments ''
    next
end
```
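The configuration steps above reference each other by name: the proxy policy points at an access proxy and at a proxy address, both name SaaS applications that must exist in the ICDB, and a policy with `set users` or `set groups` needs an authentication rule. As an added check (example code written for this page, not Fortinet's own tooling), the following Python parses the config/edit/set/next/end grammar shown above and lints those references. The embedded configuration is a trimmed copy of the page's example; the name sets come from the ICDB 1.00025 tables above, and the function names are assumptions.

```python
"""Lint the ZTNA SaaS (inline CASB) references in a FortiOS CLI excerpt.
Added example, not Fortinet code. It assumes only the config/edit/set/next/end grammar
shown on the page; the name sets come from the page's ICDB 1.00025 tables."""
import shlex

# SaaS application names from the ICDB 1.00025 table on the page.
ICDB_APPS = {"adobe", "adp", "atlassian", "aws_s3", "azure", "box", "citrix", "confluence",
             "docusign", "dropbox", "egnyte", "github", "gmail", "google_cloud", "google_drive",
             "google_office", "google-web", "jira", "ms_excel", "ms_exchange", "ms_onedrive",
             "ms_outlook", "ms_powerpoint", "ms_teams", "ms_word", "salesforce", "sap",
             "sharepoint", "webex", "workplace", "youtube", "zendesk", "zoom"}
ICDB_GROUPS = {"MS"}  # the page's group table leaves the Google group's proxy name blank

def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts; each 'set' value is a token list."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":      # "config firewall vip" becomes the key "firewall vip"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":      # a table entry keyed by its name or numeric id
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return stack[0]

def check_saas_config(cfg):
    """Return human-readable problems; an empty list means the SaaS references line up."""
    problems = []
    proxies = cfg.get("firewall access-proxy", {})
    for ap_name, ap in proxies.items():
        for gw_id, gw in ap.get("api-gateway", {}).items():
            if gw.get("service") != ["saas"]:
                continue
            for app in gw.get("application", []):
                if app not in ICDB_APPS and app not in ICDB_GROUPS:
                    problems.append(f"access-proxy {ap_name} api-gateway {gw_id}: unknown SaaS name {app!r}")
    saas_addrs = set()
    for name, addr in cfg.get("firewall proxy-address", {}).items():
        if addr.get("type") == ["saas"]:
            saas_addrs.add(name)
            for app in addr.get("application", []):
                if app not in ICDB_APPS:
                    problems.append(f"proxy-address {name}: unknown SaaS application {app!r}")
    has_auth_rule = bool(cfg.get("authentication rule"))
    for pid, pol in cfg.get("firewall proxy-policy", {}).items():
        if pol.get("proxy") != ["access-proxy"]:
            continue
        if pol.get("access-proxy", [None])[0] not in proxies:
            problems.append(f"proxy-policy {pid}: access-proxy {pol.get('access-proxy')} is not defined")
        for dst in pol.get("dstaddr", []):
            if dst not in saas_addrs:
                problems.append(f"proxy-policy {pid}: dstaddr {dst!r} is not a saas proxy-address")
        if (pol.get("users") or pol.get("groups")) and not has_auth_rule:
            problems.append(f"proxy-policy {pid}: users/groups set but no authentication rule exists")
    return problems

# Trimmed copy of the page's own CLI example, limited to the blocks the checks read.
SAMPLE_CONFIG = """
config firewall access-proxy
    edit "ZTNA_SaaS"
        config api-gateway
            edit 1
                set service saas
                set application "dropbox" "zoom" "MS"
            next
        end
    next
end
config firewall proxy-address
    edit "ztna_saas_dropbox"
        set type saas
        set application "dropbox"
    next
end
config firewall proxy-policy
    edit 2
        set proxy access-proxy
        set access-proxy "ZTNA_SaaS"
        set dstaddr "ztna_saas_dropbox"
        set users "ztnauser"
    next
end
config authentication rule
    edit "ZTNA-Auth-scheme"
        set active-auth-method "ZTNA-Auth-scheme"
    next
end
"""

if __name__ == "__main__":
    print(check_saas_config(parse_fortios(SAMPLE_CONFIG)) or "no problems found")
```

Run it against a `show full-configuration` export before pushing changes: a misspelled application name in `set application` is silently accepted as a string by the CLI but will never match an ICDB entry, and a policy that restricts `users` without an authentication rule never gets a user identity to match.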
Testing and results
Before connecting, the users must have corresponding ZTNA connection rules in FortiClient.
Once ZTNA is configured on the FortiGate, ZTNA connection rules in FortiClient are provisioned using FortiClient EMS in one of the following ways:
- In FortiClient EMS, configure SaaS applications in Endpoint Profiles > ZTNA Destinations and push application destinations to FortiClient. Currently, SaaS application rules are only supported using XML.
- Use the Publishing ZTNA services through the ZTNA portal feature on the FortiGate. FortiClient establishes a tunnel to the FortiGate using the ZTNA web portal and creates ZTNA connection rules based on the SaaS application destinations.
Once connected, the FortiClient retrieves the list of hosted ZTNA services, including the SaaS service, and adds corresponding ZTNA connection rules for the configured SaaS applications.
To view the traffic logs on the FortiGate:
```
# execute log filter category 0
# execute log filter field subtype ztna
# execute log filter field accessproxy ZTNA_SaaS
# execute log display
1: date=2022-07-21 time=10:37:54 eventtime=1658425074787641779 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.1.113 srcname="ubuntu-vm" srcport=58362 srcintf="internal" srcintfrole="lan" dstcountry="United States" srccountry="Reserved" dstip=162.125.248.18 dstport=443 dstintf="wan1" dstintfrole="wan" sessionid=3417 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="07370508-086d-51ed-3c08-86ba8f10f75e" policyname="ZTNA_Rule_SaaS" duration=76 user="ztnauser" gatewayid=1 vip="ZTNA_SaaS" accessproxy="ZTNA_SaaS" saasname="dropbox" wanin=3964 rcvdbyte=3964 wanout=1406 lanin=3329 sentbyte=3329 lanout=6228 unauthuser="user1" unauthusersource="forticlient" appcat="unscanned"
2: date=2022-07-21 time=10:36:53 eventtime=1658425014191265858 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.1.113 srcname="ubuntu-vm" srcport=58582 srcintf="internal" srcintfrole="lan" dstcountry="United States" srccountry="Reserved" dstip=162.125.35.138 dstport=443 dstintf="wan1" dstintfrole="wan" sessionid=3591 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="07370508-086d-51ed-3c08-86ba8f10f75e" policyname="ZTNA_Rule_SaaS" duration=0 user="ztnauser" gatewayid=1 vip="ZTNA_SaaS" accessproxy="ZTNA_SaaS" saasname="dropbox" wanin=3408 rcvdbyte=3408 wanout=453 lanin=2464 sentbyte=2464 lanout=5234 unauthuser="user1" unauthusersource="forticlient" appcat="unscanned"
```
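The `saasname` field is what makes inline CASB decisions reviewable after the fact, on the FortiGate or once the logs are forwarded to FortiAnalyzer or a SIEM. As an added example (not part of the page), the following Python parses FortiGate key=value traffic log lines and summarises ZTNA sessions per user, SaaS application and action, and lists any session that was not accepted. The first two sample records are trimmed copies of the log lines above; the third is constructed, with `action="deny"` and `saasname="zoom"`, to show how a blocked application would surface in the same report.

```python
"""Summarise FortiGate ZTNA traffic logs by user and SaaS application (inline CASB).
Added example, not Fortinet code. The first two sample records are trimmed copies of the
page's log output; the third (action="deny", saasname="zoom") is constructed."""
import re
from collections import defaultdict

# key=value pairs: quoted values may contain spaces, bare values run to the next space.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = [
    'date=2022-07-21 time=10:37:54 logid="0005000024" type="traffic" subtype="ztna" level="notice" '
    'srcip=192.168.1.113 srcname="ubuntu-vm" dstip=162.125.248.18 dstport=443 service="HTTPS" '
    'action="accept" policyname="ZTNA_Rule_SaaS" user="ztnauser" accessproxy="ZTNA_SaaS" '
    'saasname="dropbox" rcvdbyte=3964 sentbyte=3329',
    'date=2022-07-21 time=10:36:53 logid="0005000024" type="traffic" subtype="ztna" level="notice" '
    'srcip=192.168.1.113 srcname="ubuntu-vm" dstip=162.125.35.138 dstport=443 service="HTTPS" '
    'action="accept" policyname="ZTNA_Rule_SaaS" user="ztnauser" accessproxy="ZTNA_SaaS" '
    'saasname="dropbox" rcvdbyte=3408 sentbyte=2464',
    # Constructed record: a session to a SaaS application the ZTNA rule does not allow.
    'date=2022-07-21 time=10:40:02 logid="0005000024" type="traffic" subtype="ztna" level="notice" '
    'srcip=192.168.1.113 srcname="ubuntu-vm" dstip=203.0.113.7 dstport=443 service="HTTPS" '
    'action="deny" policyname="ZTNA_Rule_SaaS" user="ztnauser" accessproxy="ZTNA_SaaS" '
    'saasname="zoom" rcvdbyte=0 sentbyte=512',
]

def parse_fortigate_log(line):
    """Split one FortiGate log line into a dict; quoted values lose their quotes."""
    record = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        record[key] = value
    return record

def summarize_saas(lines):
    """Count sessions and bytes per (user, saasname, action); records without saasname are skipped."""
    stats = defaultdict(lambda: {"sessions": 0, "sentbyte": 0, "rcvdbyte": 0})
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") != "ztna" or "saasname" not in rec:
            continue
        entry = stats[(rec.get("user", "-"), rec["saasname"], rec.get("action", "-"))]
        entry["sessions"] += 1
        entry["sentbyte"] += int(rec.get("sentbyte", 0))
        entry["rcvdbyte"] += int(rec.get("rcvdbyte", 0))
    return dict(stats)

def denied_saas_sessions(lines):
    """Return (user, srcip, saasname, dstip) for every ZTNA SaaS session that was not accepted."""
    out = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") == "ztna" and "saasname" in rec and rec.get("action") != "accept":
            out.append((rec.get("user"), rec.get("srcip"), rec["saasname"], rec.get("dstip")))
    return out

if __name__ == "__main__":
    for (user, app, action), s in sorted(summarize_saas(SAMPLE_LOGS).items()):
        print(f"{user:10} {app:10} {action:7} sessions={s['sessions']} "
              f"out={s['sentbyte']} in={s['rcvdbyte']}")
    for row in denied_saas_sessions(SAMPLE_LOGS):
        print("not accepted:", row)
```

Feeding it the output of `execute log display` (or a syslog export) gives a quick per-application view of who reached which SaaS service through the access proxy; records that pass through the proxy without a `saasname` are deliberately excluded so that the report only covers traffic the ICDB actually classified.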