7.2.5

ZTNA rule configuration

Once the ZTNA servers, the authentication scheme and the authentication rules are configured, we will create ZTNA rules to control access. To recap, a ZTNA rule controls access by matching on users (or user groups) and ZTNA tags, so that both user authentication and the endpoint's security posture are checked before a connection is proxied. And just like firewall policies, you can granularly control the source and destination addresses, and apply security profiles to scan the traffic.

In this step, we will create a rule to deny endpoints whose security is compromised, identified by the presence of the Critical_Vulnerability tag. We will then create a rule to allow users who are logged into the FortiAD.Info domain as Domain Users, identified by the presence of the Domain-Users tag. Both rules apply to the existing LDAP-Administrators group, which is also used in the SSL VPN policy. Because both rules match the same group, and ZTNA rules are evaluated top-down like other proxy policies, the deny rule must sit above the allow rule: an endpoint that carries both tags should be denied, not allowed.

To configure a ZTNA Rule for denying access:
  1. In FortiOS, go to Policy & Objects > Proxy Policy.

  2. Click Create New to create a new policy.

  3. In the Name box, type ZTNA-Deny-Access.

  4. Set Type to ZTNA.

  5. In the Incoming Interface list, select WAN (port3).

  6. In the Source list, select the following options:

    • For Address, select all.

    • For User, select LDAP-Administrators.

      Note

      When you define a user group, users must authenticate before their ZTNA tag is checked. The advantage is that the username is recorded in the violation log.

  7. In the ZTNA Tag list, select the Critical_Vulnerability tag.

  8. In the Destination list, select the address objects FAC and FAZ.

  9. In the ZTNA Server list, select ZTNA Webserver.

  10. Beside Action, select Deny.

  11. Enable Log Violation Traffic.

  12. Make sure Enable this policy is turned on.

  13. Click OK to complete.

To configure a ZTNA Rule for allowing access:
  1. On the Policy & Objects > Proxy Policy page, click Create New.

  2. In the Name box, enter ZTNA-Administrators.

  3. Set Type to ZTNA.

  4. In the Incoming Interface list, select WAN (port3).

  5. In the Source list, select the following options:

    • For Address, select all.

    • For User, select LDAP-Administrators.

  6. In the ZTNA Tag list, select the Domain-Users tag.

  7. In the Destination list, select the address objects FAC and FAZ.

  8. In the ZTNA Server list, select ZTNA Webserver.

  9. Beside Action, select Accept.

  10. Enable the Security Profiles you want applied to the allowed traffic.

  11. In the Logging Options section, enable Log Allowed Traffic, and select All Sessions.

  12. Make sure Enable this policy is turned on.

  13. Click OK to complete.
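As an added example that is not part of the original page, the two rules above can also be entered from the FortiOS CLI, where a ZTNA rule is a proxy policy of type access-proxy. The ZTNA tag object names (EMS1_ZTNA_Critical_Vulnerability and EMS1_ZTNA_Domain-Users) and the security profiles in the allow rule are assumptions: use the tag names shown on your own ZTNA Tags page and the profiles you chose in step 10. Lines starting with # are explanatory comments.

```text
config firewall proxy-policy
    # Deny rule first: an endpoint with the vulnerability tag is blocked
    # even if it also carries Domain-Users and belongs to LDAP-Administrators.
    edit 0
        set name "ZTNA-Deny-Access"
        set proxy access-proxy
        set access-proxy "ZTNA Webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "FAC" "FAZ"
        # Assumed tag object name; copy the exact name from Policy & Objects > ZTNA > ZTNA Tags.
        set ztna-ems-tag "EMS1_ZTNA_Critical_Vulnerability"
        set groups "LDAP-Administrators"
        set action deny
        set logtraffic all
    next
    # Allow rule second: healthy domain-joined endpoints of LDAP-Administrators.
    edit 0
        set name "ZTNA-Administrators"
        set proxy access-proxy
        set access-proxy "ZTNA Webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "FAC" "FAZ"
        set ztna-ems-tag "EMS1_ZTNA_Domain-Users"
        set groups "LDAP-Administrators"
        set action accept
        # Assumed profiles, standing in for whatever was enabled in step 10.
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set logtraffic all
    next
end

# Verify the order of the rules (the deny rule must be listed first).
show firewall proxy-policy

# Verify which endpoint IPs currently resolve to each EMS tag;
# an empty tag means the rule cannot match, whichever action it has.
diagnose firewall dynamic list
```

If the allow rule ends up above the deny rule, reorder it from within `config firewall proxy-policy` with `move <allow-id> after <deny-id>`, then re-run `show firewall proxy-policy` to confirm. The `diagnose firewall dynamic list` output is the quickest way to check that a test endpoint really carries the tag you expect before you interpret a denied or allowed session.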
