7.2.5

Testing and verification

Once the above configurations are completed, test on-net access from a workstation. Two test cases are performed, one for each policy: the deny policy for tagged, vulnerable endpoints and the allow policy for clean, authenticated users.

  1. Verify that access is denied while Critical Vulnerabilities are present on the PC.

  2. Verify that access is allowed once the Critical Vulnerabilities are resolved and the user is logged in to the FortiAD domain.

To verify access is denied:
  1. On a workstation that is on-net, log in to the FortiAD domain. In this example, user Max Johnson (mjohnson) from the Sales group logs in to his PC at 10.0.1.2.

  2. Open the FortiClient > Zero Trust Telemetry page.

  3. Enter the EMS address or the invitation code. Connect to EMS.

  4. Once EMS is connected, click the avatar to see the Zero Trust Tags currently assigned to this PC. For the first test case the PC must carry the Critical Vulnerabilities tag; if it does not, the deny policy cannot match and the test is meaningless.

  5. Open a browser, and enter the URL https://webserver.ztnademo.com:9043.

  6. The browser is redirected to firewall policy authentication. Authenticate as mjohnson. Note that firewall authentication is triggered by HTTP/80, HTTPS/443 and SSH/22 access. When the target uses another port, as port 9043 does here, you may need to trigger authentication by first browsing to one of those ports.

  7. If user authentication passes, the ZTNA tags are assessed. Because this workstation carries the Critical Vulnerabilities tag, the deny policy matches and access to the web server is refused. No replacement message is shown for a firewall policy authentication failure: the browser simply fails to connect, so confirm the verdict from the FortiGate logs in the next step.

  8. On the FortiGate, view the corresponding logs under Log & Report > Forward Traffic, or from the CLI:

    # execute log filter category traffic
    # execute log filter field subtype forward
    # execute log display
    2276 logs found.
    10 logs returned.
    7.7% of logs has been searched.
    1: date=2023-09-08 time=00:28:00 eventtime=1694158081119618932 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.2 srcport=2482 srcintf="port1" srcintfrole="undefined" dstip=10.88.0.3 dstport=9043 dstintf="port2" dstintfrole="dmz" srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" dstuuid="592dfb72-0775-51ec-aa79-94bd9894388c" srccountry="Reserved" dstcountry="Reserved" sessionid=99139 proto=6 action="deny" policyid=12 policytype="policy" poluuid="644b6606-4e14-51ee-3ca4-bc5fed465194" policyname="Deny-vuln-on-net" user="mjohnson" authserver="LDAP-fortiad" service="HTTPS" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
  9. Repeat the test for other users and devices that carry the Critical Vulnerabilities tag, against other internal server resources as well. Every attempt should produce a deny log like the one above, with the same policyname and the authenticated user filled in.

To verify access is allowed:
  1. Open the FortiClient > Vulnerability Scan page.

  2. Click on Critical to see the Application that has been identified with a critical vulnerability.

  3. Apply the necessary fix to remove the vulnerability, then rerun the vulnerability scan. Check the avatar on the Zero Trust Telemetry page again and confirm that the Critical Vulnerabilities tag is no longer assigned before continuing.

  4. Now that the workstation no longer has a critical vulnerability, open a browser and enter the URL https://webserver.ztnademo.com:9043 again.

  5. If the earlier firewall authentication is still valid, the web server loads right away; otherwise, enter the mjohnson credentials when prompted. Access should now succeed.

  6. On the FortiGate, view the corresponding log under Log & Report > Forward Traffic, or from the CLI with the same filter used for the deny case. The on-net rule is a regular firewall policy, so its log has subtype="forward" like the deny log above; it is not a ZTNA proxy log:

    # execute log filter category traffic
    # execute log filter field subtype forward
    # execute log display
    2357 logs found.
    10 logs returned.
    10: date=2023-09-08 time=00:34:21 eventtime=1694158461283011281 tz="-0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.2 srcport=3031 srcintf="port1" srcintfrole="undefined" dstip=10.88.0.3 dstport=9043 dstintf="port2" dstintfrole="dmz" srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" dstuuid="592dfb72-0775-51ec-aa79-94bd9894388c" srccountry="Reserved" dstcountry="Reserved" sessionid=99449 proto=6 action="accept" policyid=13 policytype="policy" poluuid="9ea730fa-4e14-51ee-c255-046c7236dbbe" policyname="Allow-on-net-Sales" user="mjohnson" group="LDAP-Sales" authserver="LDAP-fortiad" service="tcp/9043" trandisp="snat" transip=10.88.0.254 transport=63448 duration=125 sentbyte=3209 rcvdbyte=312184 sentpkt=39 rcvdpkt=229 appcat="unscanned" sentdelta=3209 rcvddelta=312184
  7. Verify access for other on-net users as well. For each one, confirm that the accept log names the expected user, group and policy (here user="mjohnson", group="LDAP-Sales" and policyname="Allow-on-net-Sales"), not just that the page loaded.
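Reading the two verdicts off the log lines by eye does not scale once more users and servers are tested. The script below is an added example, not code from the Fortinet page or part of FortiOS: it parses the key=value lines that `execute log display` prints and checks that each test case hit the policy the page expects. The sample lines are abbreviated copies of the two logs shown above (fields dropped for length, values unchanged); the expected values are the page's own; the web server address 10.88.0.3:9043 is taken from the logs. Nothing here talks to a FortiGate, so it runs offline on pasted CLI output.

```python
"""Check the two on-net ZTNA test cases against FortiGate traffic logs.

Added example; not from the Fortinet page and not part of FortiOS. It parses
the key=value lines printed by `execute log display` and verifies that each
test case matched the policy the page expects.
"""
import re
from typing import Dict, List

# key=value pairs; values are either "double quoted" (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Abbreviated from the page's own `execute log display` output (values unchanged).
SAMPLE_LOGS = {
    "deny": ('1: date=2023-09-08 time=00:28:00 logid="0000000013" type="traffic" '
             'subtype="forward" srcip=10.0.1.2 dstip=10.88.0.3 dstport=9043 '
             'action="deny" policyid=12 policytype="policy" '
             'policyname="Deny-vuln-on-net" user="mjohnson" authserver="LDAP-fortiad" '
             'service="HTTPS" duration=0 sentbyte=0 rcvdbyte=0'),
    "allow": ('10: date=2023-09-08 time=00:34:21 logid="0000000020" type="traffic" '
              'subtype="forward" srcip=10.0.1.2 dstip=10.88.0.3 dstport=9043 '
              'action="accept" policyid=13 policytype="policy" '
              'policyname="Allow-on-net-Sales" user="mjohnson" group="LDAP-Sales" '
              'authserver="LDAP-fortiad" service="tcp/9043" duration=125 '
              'sentbyte=3209 rcvdbyte=312184'),
}

# What each test case on the page should produce on the FortiGate.
EXPECTED = {
    "deny":  {"action": "deny",   "policyname": "Deny-vuln-on-net",  "user": "mjohnson"},
    "allow": {"action": "accept", "policyname": "Allow-on-net-Sales", "user": "mjohnson",
              "group": "LDAP-Sales"},
}


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS log line into a dict, dropping the 'N: ' display prefix."""
    line = re.sub(r"^\s*\d+:\s*", "", line)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def check_case(case: str, line: str,
               dstip: str = "10.88.0.3", dstport: str = "9043") -> List[str]:
    """Return mismatches between a log line and the expected result for `case`.

    An empty list means the test case passed. The destination defaults are the
    page's web server; pass others to test a different internal server.
    """
    log = parse_fortios_log(line)
    problems = []
    if (log.get("type"), log.get("subtype")) != ("traffic", "forward"):
        problems.append("not a forward traffic log")
    if (log.get("dstip"), log.get("dstport")) != (dstip, dstport):
        problems.append(f"destination {log.get('dstip')}:{log.get('dstport')} "
                        "is not the server under test")
    for key, want in EXPECTED[case].items():
        if log.get(key) != want:
            problems.append(f"{key}={log.get(key)!r}, expected {want!r}")
    # A denied session must not have carried payload; bytes on a deny mean
    # something else let the traffic through before the verdict was logged.
    if case == "deny" and log.get("sentbyte") != "0":
        problems.append(f"denied session reports sentbyte={log.get('sentbyte')}")
    return problems


def run_tests(logs: Dict[str, str] = SAMPLE_LOGS) -> Dict[str, List[str]]:
    """Run both test cases; maps case name to its list of mismatches."""
    return {case: check_case(case, line) for case, line in logs.items()}


if __name__ == "__main__":
    for case, problems in run_tests().items():
        print(f"{case}: {'PASS' if not problems else 'FAIL: ' + '; '.join(problems)}")
```

To use it on a real run, paste each `execute log display` line into the dictionary under the case it belongs to; a mismatch on `policyname` is the one to look at first, since a deny coming from a different policy than Deny-vuln-on-net means the tag-based rule never matched and the block came from somewhere else.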
