ZTNA inline CASB for SaaS application access control
The FortiGate ZTNA application gateway can be configured to act as an inline cloud access security broker (CASB) by providing access control to software-as-a-service (SaaS) traffic using ZTNA access control rules. A CASB sits between users and their cloud service to enforce security policies as they access cloud-based resources.
The following components are required to use the ZTNA inline CASB feature:
- The FortiGuard Inline CASB Database (ICDB) used by the FortiGate and FortiClient EMS.
  - This database includes all FQDNs related to specific SaaS applications and corresponding FortiGuard packages for FortiOS and FortiClient.
- A FortiGate ZTNA TCP forwarding access proxy configuration that specifies SaaS application destinations using application names defined in the ICDB.
- ZTNA connection rules for SaaS traffic that are provisioned using FortiClient EMS (version 7.2.2 and later).
- FortiClient (version 7.2.0 and later) installed on the user's machine to receive the ZTNA connection rules for SaaS traffic from FortiClient EMS.
Syntax
Users can configure the ZTNA application gateway with a new SaaS proxy access type and conveniently specify SaaS application destinations by application name or by application group name without needing to manually search for and enter FQDNs specific to each SaaS application. This can only be configured in the CLI.
To configure a ZTNA application gateway to use SaaS from the CLI:
config firewall access-proxy
    edit <name>
        config api-gateway
            edit <ID>
                set url-map "/saas"
                set service saas
                set application <app 1> [app 2] ...
            next
        end
    next
end
To configure the SaaS application destination from the CLI:
config firewall proxy-address
    edit <name>
        set type saas
        set application <app 1> [app 2] ...
    next
end
To configure a ZTNA proxy-policy to use the SaaS destination from the CLI:
config firewall proxy-policy
    edit <ID>
        set dstaddr <proxy-address>
    next
end
When traffic is controlled by inline CASB, the FortiGate traffic log includes a saasname field that identifies the SaaS application, so SaaS traffic can be logged and searched on the FortiGate and FortiAnalyzer.
Example
In this example, the FortiGate is configured as a ZTNA application gateway with a VIP of 10.0.3.15 and uses the SaaS access proxy type. SaaS application Gmail is allowed, but the action of getting an attachment on Gmail is blocked.
To configure the FortiGate:
- Configure the access proxy VIP for ZTNA:
config firewall vip
    edit "ZTNA-SaaS-Access"
        set type access-proxy
        set extip 10.0.3.15
        set extintf "any"
        set server-type https
        set extport 443
        set ssl-certificate "ztna-wildcard"
    next
end
- Configure the firewall access proxy using the SaaS proxy access type and specify the SaaS application destinations:
config firewall access-proxy
    edit "ZTNA-SaaS-Access-Proxy"
        set vip "ZTNA-SaaS-Access"
        config api-gateway
            edit 1
                set service saas
                set url-map "/saas"
                set application "gmail"
            next
        end
    next
end
- Configure the SaaS proxy address, which can be applied in a ZTNA proxy policy to allow Gmail:
config firewall proxy-address
    edit "ztna-saas-gmail"
        set type saas
        set application "gmail"
    next
end
- Configure the SaaS proxy address, which can be applied in a ZTNA proxy policy to deny Gmail attachments:
config firewall proxy-address
    edit "ztna-saas-gmail-attach"
        set type saas
        set application "gmail-getAttach"
    next
end
- Configure a ZTNA rule using the SaaS proxy address as the destination to deny Gmail attachments:
config firewall proxy-policy
    edit 2
        set name "ZTNA-SaaS-Deny-Access"
        set proxy access-proxy
        set access-proxy "ZTNA-SaaS-Access-Proxy"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "ztna-saas-gmail-attach"
        set schedule "always"
        set logtraffic all
    next
end
- Configure a ZTNA rule using the SaaS proxy address as the destination to allow Gmail:
config firewall proxy-policy
    edit 3
        set name "ZTNA-SaaS-Access"
        set proxy access-proxy
        set access-proxy "ZTNA-SaaS-Access-Proxy"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "ztna-saas-gmail"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
- Optionally, if user authentication is configured in the ZTNA rule (set users or set groups), configure the authentication scheme and rule (see Applying user authentication in the ZTNA Deployment guide).
Before connecting, the users must have corresponding ZTNA Destinations in FortiClient. In FortiClient EMS, configure SaaS applications in Endpoint Profiles > ZTNA Destinations and push application destinations to FortiClient.
To configure the FortiClient EMS:
- On FortiClient EMS, go to Endpoint Profiles > ZTNA Destinations.
- Edit the Default profile.
- Beside Name, click Advanced.
- Click the eye icon beside ZTNA Destination Profile to enable this profile to be viewed on the FortiClient.
- Under Destinations, click Add. The Add New Gateway dialog is displayed.
- In Proxy Gateway, enter the following:
  - Gateway proxy address: 10.0.3.15:443
  - Select browser user-agent for SAML login: Use FortiClient embedded browser
  - Alias: google-apps
- Click Next.
- In Private Applications, click Next.
- In SaaS Applications, expand Google and then select gmail.
- Click Finish.
- Click Save.
The FortiClient endpoints will synchronize the destination from EMS.
Testing and results
Once connected, the FortiClient retrieves the list of hosted ZTNA services, including the SaaS service, and adds corresponding ZTNA connection rules for the configured SaaS applications.
Connect to Gmail from a browser. The traffic is allowed.
After closing the session, the corresponding traffic logs can be viewed from the FortiGate GUI or from the CLI.
# execute log filter field subtype ztna
# execute log display
365 logs found.
10 logs returned.
2.0% of logs has been searched.

1: date=2023-11-06 time=17:55:22 eventtime=1699322121300602688 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=37060 srcintf="port3" srcintfrole="wan" dstcountry="United States" srccountry="Reserved" dstip=142.251.16.138 dstport=443 dstintf="port3" dstintfrole="wan" sessionid=90509 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="HTTPS" proxyapptype="http" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="f7739b50-7854-51ee-749a-a792f95fb219" policyname="ZTNA-SaaS-Access" duration=50 gatewayid=1 vip="ZTNA-SaaS-Access" accessproxy="ZTNA-SaaS-Access-Proxy" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicemanageable="manageable" saasname="gmail" clientdevicetags="EMS1_ZTNA_Domain-Users/EMS1_ZTNA_all_registered_clients" emsconnection="online" wanin=30028 rcvdbyte=30028 wanout=2173 lanin=4206 sentbyte=4206 lanout=33385 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"
Connect to Gmail from a browser again. This time, open an email and download an attachment. The action will be blocked.
After closing the session, the corresponding traffic logs can be viewed from the FortiGate GUI or from the CLI.
# execute log filter field subtype ztna
# execute log display

32: date=2023-11-06 time=18:09:26 eventtime=1699322965907196540 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=37402 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.0.3.15 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=90864 srcuuid="95f96508-7854-51ee-dc89-95da637bf0cf" dstuuid="2dcbb08e-7a8a-51ee-d38f-77193e22942b" service="HTTPS" proxyapptype="http" proto=6 action="deny" policyid=2 policytype="proxy-policy" poluuid="8d1fee22-7a82-51ee-92cf-ca1b22eacca3" policyname="ZTNA-SaaS-Deny-Access" duration=0 vip="ZTNA-SaaS-Access" accessproxy="ZTNA-SaaS-Access-Proxy" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicemanageable="manageable" saasname="gmail" clientdevicetags="EMS1_ZTNA_Domain-Users/EMS1_ZTNA_all_registered_clients" emsconnection="online" msg="Traffic denied because proxy-policy action is deny. Matched tag: EMS1_ZTNA_all_registered_clients" wanin=0 rcvdbyte=0 wanout=0 lanin=1881 sentbyte=1881 lanout=3010 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned" crscore=30 craction=131072 crlevel="high"
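The two records above show what an analyst has to work with once inline CASB is logging: both carry saasname="gmail", and only policyid/policyname and action distinguish the blocked attachment download from ordinary allowed Gmail traffic. The following Python script is an added example, not part of the FortiOS documentation or any Fortinet tool: it parses FortiGate key=value traffic records, summarizes decisions per SaaS application and policy, and pulls out denied SaaS events for alerting. The two sample records are constructed from the logs above, trimmed to the fields the script uses; the function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: two FortiGate ZTNA traffic records trimmed from the logs
# shown on this page (real records carry many more fields).
SAMPLE_LOGS = [
    'date=2023-11-06 time=17:55:22 type="traffic" subtype="ztna" level="notice" '
    'srcip=10.0.3.2 dstip=142.251.16.138 dstport=443 service="HTTPS" action="accept" '
    'policyid=3 policytype="proxy-policy" policyname="ZTNA-SaaS-Access" '
    'accessproxy="ZTNA-SaaS-Access-Proxy" saasname="gmail" emsconnection="online" '
    'clientdevicemanageable="manageable" rcvdbyte=30028 sentbyte=4206',
    'date=2023-11-06 time=18:09:26 type="traffic" subtype="ztna" level="notice" '
    'srcip=10.0.3.2 dstip=10.0.3.15 dstport=443 service="HTTPS" action="deny" '
    'policyid=2 policytype="proxy-policy" policyname="ZTNA-SaaS-Deny-Access" '
    'accessproxy="ZTNA-SaaS-Access-Proxy" saasname="gmail" emsconnection="online" '
    'clientdevicemanageable="manageable" '
    'msg="Traffic denied because proxy-policy action is deny. '
    'Matched tag: EMS1_ZTNA_all_registered_clients" '
    'rcvdbyte=0 sentbyte=1881 crscore=30 crlevel="high"',
]

# FortiGate records are space-separated key=value pairs; a value is either a
# double-quoted string (which may contain spaces) or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value record into a dict of string values."""
    record = {}
    for match in _KV.finditer(line):
        key, quoted, bare = match.group(1), match.group(3), match.group(4)
        record[key] = quoted if quoted is not None else bare
    return record


def summarize_saas(lines):
    """Count ZTNA decisions per (saasname, action, policyname).

    Keying on policyname matters because the deny record for the attachment
    download still reports saasname="gmail", not the sub-application name.
    """
    counts = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") != "ztna" or "saasname" not in rec:
            continue  # not inline-CASB controlled traffic
        counts[(rec["saasname"], rec.get("action"), rec.get("policyname"))] += 1
    return counts


def denied_saas_events(lines):
    """Return the fields worth alerting on for every denied SaaS action."""
    events = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("subtype") == "ztna" and rec.get("action") == "deny" and "saasname" in rec:
            events.append({k: rec.get(k) for k in
                           ("date", "time", "srcip", "saasname", "policyname", "msg")})
    return events


if __name__ == "__main__":
    for key, n in sorted(summarize_saas(SAMPLE_LOGS).items()):
        print(key, n)
    for ev in denied_saas_events(SAMPLE_LOGS):
        print("DENIED:", ev)
```

Two details from the page's own records are worth keeping in mind when building detections on this output: the denied record has dstip equal to the access proxy VIP (10.0.3.15) rather than a Google address, because the proxy dropped the request before forwarding it, and the saasname value is the parent application, so the specific blocked action is only recoverable from the policy that matched.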