Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.5 Administration Guide
    7.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    ZTNA TCP forwarding access proxy with FQDN example

    ZTNA TCP forwarding access proxy with FQDN example

    When defining ZTNA connection rules on FortiClient for TCP forwarding, it is sometimes desirable to configure the destination host address as an FQDN address instead of an IP address. Since the real servers are often servers in the corporate network, this layer of obfuscation prevents internal IPs from easily leaking to the public, and also makes the destination more easily recognizable by the end users.

    One obstacle to overcome is getting remote hosts to resolve an internal FQDN that is typically only resolvable by an internal DNS in the corporate network. This can be solved with the following:

    1. When an FQDN address is added in FortiClient’s ZTNA Destination, FortiClient will intercept connections destined for the FQDN address and replace the destination with a special IP address (such as 10.235.0.1).

    2. FortiClient listens to any traffic destined for the FQDN and its port and forwards the traffic using the TCP forwarding URL with FQDN to the ZTNA application gateway.

    3. The ZTNA application gateway will resolve the FQDN, matching the traffic to the ZTNA real server configuration with the same domain and address.

    4. If a valid ZTNA real server entry is found, traffic is forwarded to the real server.

    Example

    In this example, a FortiAnalyzer in the internal network is added to the FortiGate access proxy for TCP forwarding. A ZTNA Destination is configured on the FortiClient, with the destination host field pointing to the FQDN addresses of the internal servers. The FQDN address is also resolvable by the FortiGate and the same FQDN is used in the real server mapping.

    This example assumes that the FortiGate EMS Fabric connector is already successfully connected.

    This features requires a minimum FortiClient and FortiClient EMS version of 7.0.3.

    To configure the TCP forwarding access proxy:

    1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.

    2. Click Create New.

    3. Set Name to ZTNA-webserver.

    4. Configure the network settings:

      1. Set External interface to WAN (port3).

      2. Set External IP to 10.0.3.10.

      3. Set External port to 9043.

    5. Select the Default certificate. Clients will be presented with this certificate when they connect to the application gateway VIP.

    6. Add server mapping:

      1. In the Service/server mapping table, click Create New.

      2. For Service, select TCP Forwarding.

      3. Under Server:

        1. For Address, create a new FQDN address called FAZ-FQDN for the FortiAnalyzer at fortianalyzer.ztnademo.com, then click OK.

        2. Apply the new address object as the address for the new server.

        3. Set Ports to 22.

        4. Click OK.

    7. Click OK to complete.

    To configure the ZTNA rule:

    1. Go to Policy & Objects > Proxy Policy.

    2. Click Create New.

    3. Set Name to ZTNA-Admin-Access.

    4. Set Incoming Interface to WAN (port3).

    5. Set Source to all.

    6. Set Destination to the same FAZ-FQDN address created before.

    7. Select the ZTNA server ZTNA-webserver.

    8. Configure the remaining options as needed.

    9. Click OK.

    Testing the connection to the TCP forwarding access proxy

    Before connecting, users must have a ZTNA Destination in FortiClient.

    Note

    ZTNA TCP forwarding rules can be provisioned from the EMS server. See FQDN-based ZTNA TCP forwarding services for more details.
    To create the ZTNA rules in FortiClient and connect:

    1. From the ZTNA Destination tab, click Add Destination.

    2. Create a rule for the FortiAnalyzer:

      1. Set Destination Name to SSH.

      2. Set Destination Host to fortianalyzer.ztnademo.com:22.

      3. Set Proxy Gateway to 10.0.3.10.

      4. Click Create.

    3. Upon creating the ZTNA rules, FortiClient now resolves fortianalyzer.ztnademo.com to a special address, overriding any DNS resolution for this host. From the Windows command prompt:

      > ping fortianalyzer.ztnademo.com
Pinging fortianalyzer.ztnademo.com [10.235.0.1] with 32 bytes of data:

      Note that the ping will not be successful.

    4. FortiClient will listen to the traffic to this FQDN and forward them to the TCP forwarding access proxy.

    5. Have the remote user connect to fortianalyzer.ztnademo.com from Powershell. The connection will be successful.

    From the FortiGate, go to Log & Report > ZTNA Traffic to view the logs. Alternatively, use the CLI to display the most recent ZTNA logs:

    # execute log filter category 0
# execute log filter field subtype ztna
# execute log display

1: date=2024-09-16 time=12:02:24 eventtime=1726513343785273146 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=17805 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="port2" dstintfrole="dmz" sessionid=56690 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="SSH" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="63e2dc6c-6f47-51ef-1470-bc6c947cfab9" policyname="ZTNA-Admin-Access" duration=909 user="tsmith" group="ZTNA-SAML-Admin" gatewayid=3 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" clientcert="yes" wanin=2797 rcvdbyte=2797 wanout=2121 lanin=4154 sentbyte=4154 lanout=5953 appcat="unscanned"
    Previous
    Next

    ZTNA TCP forwarding access proxy with FQDN example

    ZTNA TCP forwarding access proxy with FQDN example

    When defining ZTNA connection rules on FortiClient for TCP forwarding, it is sometimes desirable to configure the destination host address as an FQDN address instead of an IP address. Since the real servers are often servers in the corporate network, this layer of obfuscation prevents internal IPs from easily leaking to the public, and also makes the destination more easily recognizable by the end users.

    One obstacle to overcome is getting remote hosts to resolve an internal FQDN that is typically only resolvable by an internal DNS in the corporate network. This can be solved with the following:

    1. When an FQDN address is added in FortiClient’s ZTNA Destination, FortiClient will intercept connections destined for the FQDN address and replace the destination with a special IP address (such as 10.235.0.1).

    2. FortiClient listens to any traffic destined for the FQDN and its port and forwards the traffic using the TCP forwarding URL with FQDN to the ZTNA application gateway.

    3. The ZTNA application gateway will resolve the FQDN, matching the traffic to the ZTNA real server configuration with the same domain and address.

    4. If a valid ZTNA real server entry is found, traffic is forwarded to the real server.

    Example

    In this example, a FortiAnalyzer in the internal network is added to the FortiGate access proxy for TCP forwarding. A ZTNA Destination is configured on the FortiClient, with the destination host field pointing to the FQDN addresses of the internal servers. The FQDN address is also resolvable by the FortiGate and the same FQDN is used in the real server mapping.

    This example assumes that the FortiGate EMS Fabric connector is already successfully connected.

    This features requires a minimum FortiClient and FortiClient EMS version of 7.0.3.

    To configure the TCP forwarding access proxy:

    1. Go to Policy & Objects > ZTNA and select the ZTNA Servers tab.

    2. Click Create New.

    3. Set Name to ZTNA-webserver.

    4. Configure the network settings:

      1. Set External interface to WAN (port3).

      2. Set External IP to 10.0.3.10.

      3. Set External port to 9043.

    5. Select the Default certificate. Clients will be presented with this certificate when they connect to the application gateway VIP.

    6. Add server mapping:

      1. In the Service/server mapping table, click Create New.

      2. For Service, select TCP Forwarding.

      3. Under Server:

        1. For Address, create a new FQDN address called FAZ-FQDN for the FortiAnalyzer at fortianalyzer.ztnademo.com, then click OK.

        2. Apply the new address object as the address for the new server.

        3. Set Ports to 22.

        4. Click OK.

    7. Click OK to complete.

    To configure the ZTNA rule:

    1. Go to Policy & Objects > Proxy Policy.

    2. Click Create New.

    3. Set Name to ZTNA-Admin-Access.

    4. Set Incoming Interface to WAN (port3).

    5. Set Source to all.

    6. Set Destination to the same FAZ-FQDN address created before.

    7. Select the ZTNA server ZTNA-webserver.

    8. Configure the remaining options as needed.

    9. Click OK.

    Testing the connection to the TCP forwarding access proxy

    Before connecting, users must have a ZTNA Destination in FortiClient.

    Note

    ZTNA TCP forwarding rules can be provisioned from the EMS server. See FQDN-based ZTNA TCP forwarding services for more details.
    To create the ZTNA rules in FortiClient and connect:

    1. From the ZTNA Destination tab, click Add Destination.

    2. Create a rule for the FortiAnalyzer:

      1. Set Destination Name to SSH.

      2. Set Destination Host to fortianalyzer.ztnademo.com:22.

      3. Set Proxy Gateway to 10.0.3.10.

      4. Click Create.

    3. Upon creating the ZTNA rules, FortiClient now resolves fortianalyzer.ztnademo.com to a special address, overriding any DNS resolution for this host. From the Windows command prompt:

      > ping fortianalyzer.ztnademo.com
Pinging fortianalyzer.ztnademo.com [10.235.0.1] with 32 bytes of data:

      Note that the ping will not be successful.

    4. FortiClient will listen to the traffic to this FQDN and forward them to the TCP forwarding access proxy.

    5. Have the remote user connect to fortianalyzer.ztnademo.com from Powershell. The connection will be successful.

    From the FortiGate, go to Log & Report > ZTNA Traffic to view the logs. Alternatively, use the CLI to display the most recent ZTNA logs:

    # execute log filter category 0
# execute log filter field subtype ztna
# execute log display

1: date=2024-09-16 time=12:02:24 eventtime=1726513343785273146 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=17805 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="port2" dstintfrole="dmz" sessionid=56690 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="SSH" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="63e2dc6c-6f47-51ef-1470-bc6c947cfab9" policyname="ZTNA-Admin-Access" duration=909 user="tsmith" group="ZTNA-SAML-Admin" gatewayid=3 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" clientcert="yes" wanin=2797 rcvdbyte=2797 wanout=2121 lanin=4154 sentbyte=4154 lanout=5953 appcat="unscanned"
    Previous
    Next