Fortinet black logo

Administration Guide

ZTNA inline CASB for SaaS application access control

ZTNA inline CASB for SaaS application access control

The FortiGate ZTNA access proxy can be configured to act as an inline cloud access security broker (CASB) by providing access control to software-as-a-service (SaaS) traffic using ZTNA access control rules. A CASB sits between users and their cloud service to enforce security policies as they access cloud-based resources.

The following components are required to use the ZTNA inline CASB feature:

  • The FortiGuard Inline CASB Database (ICDB) used by the FortiGate and FortiClient EMS, which is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.
  • A FortiGate ZTNA TCP forwarding access proxy configuration that specifies SaaS application destinations using application names defined in the ICDB

  • ZTNA connection rules for SaaS traffic that are provisioned using FortiClient EMS (version 7.2.0 and later)

  • FortiClient (version 7.2.0 and later) installed on the user's machine to receive the ZTNA connection rules for SaaS traffic from FortiClient EMS

Previously, ZTNA SaaS access control was possible using the TCP forwarding access proxy configuration on FortiGate and FortiClient:

  • On the FortiGate, users would need to search all hostnames used by a SaaS application, configure these hostnames as FQDN addresses, and configure these addresses as part of the ZTNA TCP forwarding settings.
  • In FortiClient, users would need to manually add all the hostnames as destinations for ZTNA connection rules or use FortiClient EMS to push those rules to FortiClient.

ZTNA inline CASB for SaaS application access control includes the following functionalities:

  • The FortiGuard Inline CASB Database (ICDB) that includes all FQDNs related to specific SaaS applications and corresponding FortiGuard packages for FortiOS and FortiClient. The inline CASB feature is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.
  • With the CASB Security Service, users can configure the ZTNA access proxy with a new SaaS proxy access type and conveniently specify SaaS application destinations by application name or by application group name without needing to manually search for and enter FQDNs specific to each SaaS application. This can only be configured in the CLI.

  • Users can configure the SaaS application destination in config firewall proxy-address, which can be used in config firewall proxy-policy.
  • The FortiGate traffic log includes a saasname field when traffic is controlled by inline CASB for logging SaaS traffic on the FortiGate and FortiAnalyzer.

Supported SaaS applications and SaaS application groups

The inline CASB database, as of version 1.00025, supports the following SaaS applications:

ZTNA access proxy application name

SaaS application

adobe

Adobe services domains

adp

ADP

atlassian

Atlassian

aws_s3

AWS S3

azure

Azure

box

Box

citrix

Citrix

confluence

Confluence

docusign

DocuSign

dropbox

Dropbox

egnyte

Egnyte

github

GitHub

gmail

Gmail

google_cloud

Google Cloud

google_drive

Google Drive

google_office

Google Office

google-web

Google Web Search domains

jira

Jira

ms_excel

Microsoft Excel

ms_exchange

Microsoft Exchange

ms_onedrive

Microsoft OneDrive

ms_outlook

Microsoft Outlook

ms_powerpoint

Microsoft PowerPoint

ms_teams

Microsoft Teams

ms_word

Microsoft Word

salesforce

Salesforce

sap

SAP

sharepoint

SharePoint

webex

Webex

workplace

Workplace

youtube

YouTube

zendesk

Zendesk

zoom

Zoom

The inline CASB database, as of version 1.00025, supports the following SaaS application groups:

ZTNA access proxy application name

SaaS application group

Google

Google SaaS

MS

Microsoft SaaS

Example

In this example, the FortiGate is configured as a ZTNA access proxy with a VIP of 172.18.62.10 and uses the SaaS access proxy type. Dropbox and Zoom SaaS applications are allowed, and the Microsoft SaaS application group is allowed.

Note

Although this topology shows an on-net FortiClient endpoint with respect to the FortiGate, this configuration is also supported with an off-net FortiClient endpoint when the ZTNA access proxy VIP is configured for an external IP address.

The FortiClient EMS in this example uses an external IP address, and it can also be configured to use an internal IP address within the LAN of the FortiGate.

The topology in this example is used for demonstrative purposes only and is not a recommended network topology.

To verify that the ICDB is installed on the FortiGate:
# diagnose autoupdate versions
…
Inline CASB Database
---------
Version: 1.00025
Contract Expiry Date: Fri Dec 13 2030
Last Updated using scheduled update on Fri Jul  8 12:19:36 2022
Last Update Attempt: Wed Jul 13 22:42:03 2022
Result: No Updates
To configure the FortiGate:
  1. Configure the access proxy VIP for ZTNA:
    config firewall vip
        edit "ZTNA_SaaS"
            set type access-proxy
            set extip 172.18.62.10
            set extintf "internal"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  2. Configure the firewall access proxy using the SaaS proxy access type and specify the SaaS application destinations:
    config firewall access-proxy
        edit "ZTNA_SaaS"
            set vip "ZTNA_SaaS"
            set log-blocked-traffic enable
            config api-gateway
                edit 1
                    set url-map "/saas"
                    set service saas
                    set application "dropbox" "zoom" "MS" 
                next
            end
        next
    end
  3. Optionally, configure the SaaS proxy address, which can be applied in a ZTNA proxy policy:
    config firewall proxy-address
        edit "ztna_saas_dropbox"
            set type saas 
            set application "dropbox" 
        next
    end
  4. Configure the ZTNA rule (proxy policy) using the SaaS proxy address as the destination:
    config firewall proxy-policy
        edit 2
            set name "ZTNA_Rule_SaaS"
            set proxy access-proxy
            set access-proxy "ZTNA_SaaS"
            set srcintf "internal"
            set srcaddr "all"
            set dstaddr "ztna_saas_dropbox"
            set action accept
            set schedule "always"
            set logtraffic all
            set users "ztnauser"
            set ssl-ssh-profile "custom-deep-inspection"
        next
    end
  5. Optionally, if user authentication is configured the ZTNA rule (set users or set groups), configure the authentication scheme and rule (see Configuring the authentication scheme and rule in the ZTNA Deployment guide). The authentication scheme and rule in this example correspond to the local user, ztnauser.
    1. Configure the authentication scheme:
      config authentication scheme
          edit "ZTNA-Auth-scheme"
              set method basic
              set require-tfa disable
              set fsso-guest disable
              set user-database "local-user-db"
          next
      end
    2. Configure the authentication rule:
      config authentication rule
          edit "ZTNA-Auth-scheme"
              set status enable
              set protocol http
              set srcintf "internal"
              set srcaddr "all"
              set ip-based enable
              set active-auth-method "ZTNA-Auth-scheme"
              set sso-auth-method ''
              set web-portal enable
              set comments ''
          next
      end

Testing and results

Before connecting, the users must have corresponding ZTNA connection rules in FortiClient.

Once ZTNA is configured on the FortiGate, ZTNA connection rules in FortiClient are provisioned using FortiClient EMS in one of the following ways:

  • In FortiClient EMS, configure SaaS applications in Endpoint Profiles > ZTNA Destinations and push application destinations to FortiClient. Currently, SaaS application rules are only supported using XML.
  • Use the Publishing ZTNA services through the ZTNA portal feature on the FortiGate. FortiClient establishes a tunnel to the FortiGate using the ZTNA web portal and creates ZTNA connection rules based on the SaaS application destinations.

Once connected, the FortiClient retrieves the list of hosted ZTNA services, including the SaaS service, and adds corresponding ZTNA connection rules for the configured SaaS applications.

To view the traffic logs on the FortiGate:
# execute log filter category 0
# execute log filter field subtype ztna
# execute log filter field accessproxy ZTNA_SaaS
# execute log display 

1: date=2022-07-21 time=10:37:54 eventtime=1658425074787641779 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.1.113 srcname="ubuntu-vm" srcport=58362 srcintf="internal" srcintfrole="lan" dstcountry="United States" srccountry="Reserved" dstip=162.125.248.18 dstport=443 dstintf="wan1" dstintfrole="wan" sessionid=3417 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="07370508-086d-51ed-3c08-86ba8f10f75e" policyname="ZTNA_Rule_SaaS" duration=76 user="ztnauser" gatewayid=1 vip="ZTNA_SaaS" accessproxy="ZTNA_SaaS" saasname="dropbox" wanin=3964 rcvdbyte=3964 wanout=1406 lanin=3329 sentbyte=3329 lanout=6228 unauthuser="user1" unauthusersource="forticlient" appcat="unscanned"

2: date=2022-07-21 time=10:36:53 eventtime=1658425014191265858 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.1.113 srcname="ubuntu-vm" srcport=58582 srcintf="internal" srcintfrole="lan" dstcountry="United States" srccountry="Reserved" dstip=162.125.35.138 dstport=443 dstintf="wan1" dstintfrole="wan" sessionid=3591 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="07370508-086d-51ed-3c08-86ba8f10f75e" policyname="ZTNA_Rule_SaaS" duration=0 user="ztnauser" gatewayid=1 vip="ZTNA_SaaS" accessproxy="ZTNA_SaaS" saasname="dropbox" wanin=3408 rcvdbyte=3408 wanout=453 lanin=2464 sentbyte=2464 lanout=5234 unauthuser="user1" unauthusersource="forticlient" appcat="unscanned"

ZTNA inline CASB for SaaS application access control

The FortiGate ZTNA access proxy can be configured to act as an inline cloud access security broker (CASB) by providing access control to software-as-a-service (SaaS) traffic using ZTNA access control rules. A CASB sits between users and their cloud service to enforce security policies as they access cloud-based resources.

The following components are required to use the ZTNA inline CASB feature:

  • The FortiGuard Inline CASB Database (ICDB) used by the FortiGate and FortiClient EMS, which is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.
  • A FortiGate ZTNA TCP forwarding access proxy configuration that specifies SaaS application destinations using application names defined in the ICDB

  • ZTNA connection rules for SaaS traffic that are provisioned using FortiClient EMS (version 7.2.0 and later)

  • FortiClient (version 7.2.0 and later) installed on the user's machine to receive the ZTNA connection rules for SaaS traffic from FortiClient EMS

Previously, ZTNA SaaS access control was possible using the TCP forwarding access proxy configuration on FortiGate and FortiClient:

  • On the FortiGate, users would need to search all hostnames used by a SaaS application, configure these hostnames as FQDN addresses, and configure these addresses as part of the ZTNA TCP forwarding settings.
  • In FortiClient, users would need to manually add all the hostnames as destinations for ZTNA connection rules or use FortiClient EMS to push those rules to FortiClient.

ZTNA inline CASB for SaaS application access control includes the following functionalities:

  • The FortiGuard Inline CASB Database (ICDB) that includes all FQDNs related to specific SaaS applications and corresponding FortiGuard packages for FortiOS and FortiClient. The inline CASB feature is included with the FortiClient ZTNA license. No separate license is needed for inline CASB.
  • With the CASB Security Service, users can configure the ZTNA access proxy with a new SaaS proxy access type and conveniently specify SaaS application destinations by application name or by application group name without needing to manually search for and enter FQDNs specific to each SaaS application. This can only be configured in the CLI.

  • Users can configure the SaaS application destination in config firewall proxy-address, which can be used in config firewall proxy-policy.
  • The FortiGate traffic log includes a saasname field when traffic is controlled by inline CASB for logging SaaS traffic on the FortiGate and FortiAnalyzer.

Supported SaaS applications and SaaS application groups

The inline CASB database, as of version 1.00025, supports the following SaaS applications:

ZTNA access proxy application name

SaaS application

adobe

Adobe services domains

adp

ADP

atlassian

Atlassian

aws_s3

AWS S3

azure

Azure

box

Box

citrix

Citrix

confluence

Confluence

docusign

DocuSign

dropbox

Dropbox

egnyte

Egnyte

github

GitHub

gmail

Gmail

google_cloud

Google Cloud

google_drive

Google Drive

google_office

Google Office

google-web

Google Web Search domains

jira

Jira

ms_excel

Microsoft Excel

ms_exchange

Microsoft Exchange

ms_onedrive

Microsoft OneDrive

ms_outlook

Microsoft Outlook

ms_powerpoint

Microsoft PowerPoint

ms_teams

Microsoft Teams

ms_word

Microsoft Word

salesforce

Salesforce

sap

SAP

sharepoint

SharePoint

webex

Webex

workplace

Workplace

youtube

YouTube

zendesk

Zendesk

zoom

Zoom

The inline CASB database, as of version 1.00025, supports the following SaaS application groups:

ZTNA access proxy application name

SaaS application group

Google

Google SaaS

MS

Microsoft SaaS

Example

In this example, the FortiGate is configured as a ZTNA access proxy with a VIP of 172.18.62.10 and uses the SaaS access proxy type. Dropbox and Zoom SaaS applications are allowed, and the Microsoft SaaS application group is allowed.

Note

Although this topology shows an on-net FortiClient endpoint with respect to the FortiGate, this configuration is also supported with an off-net FortiClient endpoint when the ZTNA access proxy VIP is configured for an external IP address.

The FortiClient EMS in this example uses an external IP address, and it can also be configured to use an internal IP address within the LAN of the FortiGate.

The topology in this example is used for demonstrative purposes only and is not a recommended network topology.

To verify that the ICDB is installed on the FortiGate:
# diagnose autoupdate versions
…
Inline CASB Database
---------
Version: 1.00025
Contract Expiry Date: Fri Dec 13 2030
Last Updated using scheduled update on Fri Jul  8 12:19:36 2022
Last Update Attempt: Wed Jul 13 22:42:03 2022
Result: No Updates
To configure the FortiGate:
  1. Configure the access proxy VIP for ZTNA:
    config firewall vip
        edit "ZTNA_SaaS"
            set type access-proxy
            set extip 172.18.62.10
            set extintf "internal"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_SSL"
        next
    end
  2. Configure the firewall access proxy using the SaaS proxy access type and specify the SaaS application destinations:
    config firewall access-proxy
        edit "ZTNA_SaaS"
            set vip "ZTNA_SaaS"
            set log-blocked-traffic enable
            config api-gateway
                edit 1
                    set url-map "/saas"
                    set service saas
                    set application "dropbox" "zoom" "MS" 
                next
            end
        next
    end
  3. Optionally, configure the SaaS proxy address, which can be applied in a ZTNA proxy policy:
    config firewall proxy-address
        edit "ztna_saas_dropbox"
            set type saas 
            set application "dropbox" 
        next
    end
  4. Configure the ZTNA rule (proxy policy) using the SaaS proxy address as the destination:
    config firewall proxy-policy
        edit 2
            set name "ZTNA_Rule_SaaS"
            set proxy access-proxy
            set access-proxy "ZTNA_SaaS"
            set srcintf "internal"
            set srcaddr "all"
            set dstaddr "ztna_saas_dropbox"
            set action accept
            set schedule "always"
            set logtraffic all
            set users "ztnauser"
            set ssl-ssh-profile "custom-deep-inspection"
        next
    end
  5. Optionally, if user authentication is configured the ZTNA rule (set users or set groups), configure the authentication scheme and rule (see Configuring the authentication scheme and rule in the ZTNA Deployment guide). The authentication scheme and rule in this example correspond to the local user, ztnauser.
    1. Configure the authentication scheme:
      config authentication scheme
          edit "ZTNA-Auth-scheme"
              set method basic
              set require-tfa disable
              set fsso-guest disable
              set user-database "local-user-db"
          next
      end
    2. Configure the authentication rule:
      config authentication rule
          edit "ZTNA-Auth-scheme"
              set status enable
              set protocol http
              set srcintf "internal"
              set srcaddr "all"
              set ip-based enable
              set active-auth-method "ZTNA-Auth-scheme"
              set sso-auth-method ''
              set web-portal enable
              set comments ''
          next
      end

Testing and results

Before connecting, the users must have corresponding ZTNA connection rules in FortiClient.

Once ZTNA is configured on the FortiGate, ZTNA connection rules in FortiClient are provisioned using FortiClient EMS in one of the following ways:

  • In FortiClient EMS, configure SaaS applications in Endpoint Profiles > ZTNA Destinations and push application destinations to FortiClient. Currently, SaaS application rules are only supported using XML.
  • Use the Publishing ZTNA services through the ZTNA portal feature on the FortiGate. FortiClient establishes a tunnel to the FortiGate using the ZTNA web portal and creates ZTNA connection rules based on the SaaS application destinations.

Once connected, the FortiClient retrieves the list of hosted ZTNA services, including the SaaS service, and adds corresponding ZTNA connection rules for the configured SaaS applications.

To view the traffic logs on the FortiGate:
# execute log filter category 0
# execute log filter field subtype ztna
# execute log filter field accessproxy ZTNA_SaaS
# execute log display 

1: date=2022-07-21 time=10:37:54 eventtime=1658425074787641779 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.1.113 srcname="ubuntu-vm" srcport=58362 srcintf="internal" srcintfrole="lan" dstcountry="United States" srccountry="Reserved" dstip=162.125.248.18 dstport=443 dstintf="wan1" dstintfrole="wan" sessionid=3417 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="07370508-086d-51ed-3c08-86ba8f10f75e" policyname="ZTNA_Rule_SaaS" duration=76 user="ztnauser" gatewayid=1 vip="ZTNA_SaaS" accessproxy="ZTNA_SaaS" saasname="dropbox" wanin=3964 rcvdbyte=3964 wanout=1406 lanin=3329 sentbyte=3329 lanout=6228 unauthuser="user1" unauthusersource="forticlient" appcat="unscanned"

2: date=2022-07-21 time=10:36:53 eventtime=1658425014191265858 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=192.168.1.113 srcname="ubuntu-vm" srcport=58582 srcintf="internal" srcintfrole="lan" dstcountry="United States" srccountry="Reserved" dstip=162.125.35.138 dstport=443 dstintf="wan1" dstintfrole="wan" sessionid=3591 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="07370508-086d-51ed-3c08-86ba8f10f75e" policyname="ZTNA_Rule_SaaS" duration=0 user="ztnauser" gatewayid=1 vip="ZTNA_SaaS" accessproxy="ZTNA_SaaS" saasname="dropbox" wanin=3408 rcvdbyte=3408 wanout=453 lanin=2464 sentbyte=2464 lanout=5234 unauthuser="user1" unauthusersource="forticlient" appcat="unscanned"