
Administration Guide

Full versus simple ZTNA policies

Full versus simple ZTNA policies

There are two ways to configure ZTNA rules in the GUI: with a full ZTNA policy or with a simple ZTNA policy.

Full ZTNA policy

In a full ZTNA policy, the CLI configuration remains the same as previous versions. In the GUI, the Policy & Objects > ZTNA > ZTNA Rules tab has been removed. Administrators can configure ZTNA policies from the Policy & Objects > Proxy Policy page, and by setting the Type to ZTNA.

Simple ZTNA policy

In a simple ZTNA policy, a regular firewall policy is used for policy management. When creating a new firewall policy, administrators can configure a ZTNA policy by setting the Type to ZTNA.

Note

A simple ZTNA policy cannot control access based on the destination interface or the real server’s destination address. See the Examples section for detailed configurations.

Authentication for ZTNA policies

Authentication remains largely the same between both ZTNA policy configuration modes. You can specify user groups under Source to define the groups to which the access control applies. However, the underlying authentication scheme and rules must still be in place to direct the traffic to the ZTNA application gateway.

Authentication for regular firewall policies

Authentication for regular firewall policies is traditionally handled by authd, which does not require an authentication scheme and rules to be configured in order to function. This enhancement allows authentication for regular firewall policies to be handled by WAD so that the authentication scheme and rules are used to determine the type of authentication and the traffic that requires authentication. This option is disabled by default, but can be enabled as follows:

config firewall auth-portal
    set proxy-auth {enable | disable}
end

Redirecting a simple ZTNA policy to a full ZTNA policy

An option is added so that after matching a simple ZTNA policy, the traffic can be redirected for a full ZTNA policy match. This setting can only be configured from the CLI, and it is disabled by default.

config firewall policy
    edit <id>
        set ztna-policy-redirect {enable | disable}
    next
end

For example, a client has both tag A and tag B. In the simple ZTNA policy, the client matches a policy that requires tag A for a posture check. If the ztna-policy-redirect option is enabled on that policy, the traffic must additionally match a full ZTNA policy.

If a full ZTNA policy allows either tag A or tag B or all traffic in general, then the traffic is allowed. Otherwise, if a full ZTNA policy explicitly denies one of the tags, the traffic will be denied.

If no full ZTNA policy is matched, then the traffic is implicitly denied.
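As an added illustration (not FortiOS code), the following Python models the redirect decision described above for a client carrying tags A and B. The policy and tag names are made up, and evaluating the full ZTNA policies in order with first match winning is an assumption about ordering that the text does not state.

```python
from dataclasses import dataclass

# Simplified model of the ztna-policy-redirect behaviour: an added example,
# not FortiOS code. First-match ordering of full policies is an assumption.


@dataclass(frozen=True)
class FullZtnaPolicy:
    name: str
    action: str                       # "accept" or "deny"
    tags: frozenset = frozenset()     # empty set means "all traffic"

    def matches(self, client_tags: frozenset) -> bool:
        return not self.tags or bool(self.tags & client_tags)


@dataclass(frozen=True)
class SimpleZtnaPolicy:
    name: str
    required_tags: frozenset          # posture check on the firewall policy
    redirect: bool = False            # set ztna-policy-redirect enable


def evaluate(simple: SimpleZtnaPolicy, full_policies, client_tags) -> tuple:
    """Return (verdict, reason) for a client carrying client_tags."""
    client_tags = frozenset(client_tags)
    # Step 1: the simple ZTNA policy's own posture check must pass.
    if not simple.required_tags <= client_tags:
        return "deny", f"{simple.name}: posture check failed"
    if not simple.redirect:
        return "accept", f"{simple.name}: matched, no redirect configured"
    # Step 2: redirected traffic needs a full ZTNA policy match.
    # A policy allowing one of the client's tags or all traffic accepts;
    # a policy explicitly denying one of the tags denies.
    for policy in full_policies:
        if policy.matches(client_tags):
            return policy.action, f"{policy.name}: explicit {policy.action}"
    # Step 3: nothing matched, so the traffic is implicitly denied.
    return "deny", "no full ZTNA policy matched (implicit deny)"


if __name__ == "__main__":
    client = {"A", "B"}
    simple = SimpleZtnaPolicy("ZTNA-webserver-fp", frozenset({"A"}), redirect=True)
    print(evaluate(simple, [FullZtnaPolicy("allow-any", "accept")], client))
    print(evaluate(simple, [FullZtnaPolicy("deny-B", "deny", frozenset({"B"}))], client))
    print(evaluate(simple, [], client))
```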

Examples

The following examples demonstrate how to configure a ZTNA policy using the full and simple ZTNA policy modes.

It is assumed that the following settings are already configured:

  • EMS connection and EMS tags (Malicious-File-Detected and FortiAD.Info)

  • ZTNA server configuration (ZTNA-webserver)

  • Authentication scheme and rule

Configuring a full ZTNA policy

To configure a full ZTNA policy in the GUI:
  1. Go to Policy & Objects > Proxy Policy and click Create New.

  2. Configure the following settings:

     Name:                ZTNA-webserver
     Type:                ZTNA
     Incoming Interface:  port3
     Source:              all
     Destination:         Webserver1 (10.88.0.3/32)
     ZTNA Server:         ZTNA-webserver
     Schedule:            always
     Action:              ACCEPT

  3. Click OK.

To configure a full ZTNA policy in the CLI:
config firewall proxy-policy
    edit 1
        set name "ZTNA-webserver"
        set proxy access-proxy
        set access-proxy "ZTNA-webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "Webserver1"
        set action accept
        set schedule "always"
    next
end

When traffic is allowed, the ZTNA logs show traffic passing through policy 1 on a policy called ZTNA-webserver, which is a proxy policy.

To verify the traffic logs:
# execute log filter category traffic
# execute log filter field subtype ztna
# execute log display
9 logs found.
9 logs returned.
1: date=2023-03-06 time=20:16:11 eventtime=1678162572109525759 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=28597 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=20140 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="1c0a04b8-bc85-51ed-48ba-7d43279fb899" policyname="ZTNA-webserver" duration=3604 gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" wanin=303150 rcvdbyte=303150 wanout=3755 lanin=2813 sentbyte=2813 lanout=304697 appcat="unscanned"

Configuring a simple ZTNA policy

To configure a simple ZTNA policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and click Create New.

  2. Configure the following settings:

     Name:                ZTNA-webserver-fp
     Type:                ZTNA
     Incoming Interface:  port3
     Source:              all
     ZTNA Server:         ZTNA-webserver
     Schedule:            always
     Action:              ACCEPT

  3. Click OK.

To configure a simple ZTNA policy in the CLI:
config firewall policy
    edit 9
        set name "ZTNA-webserver-fp"
        set srcintf "port3"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "ZTNA-webserver"
        set schedule "always"
        set service "ALL"
    next
end

When traffic is allowed, the ZTNA logs show traffic passing through policy 9 on a policy called ZTNA-webserver-fp, which is a firewall policy.

To verify the traffic logs:
# execute log filter category traffic
# execute log filter field subtype ztna
# execute log display
14 logs found.
10 logs returned.
1: date=2023-03-06 time=23:01:55 eventtime=1678172515724776640 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=31687 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=28076 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=9 policytype="proxy-policy" poluuid="1f1d5036-bcaa-51ed-1d28-687edafe9439" policyname="ZTNA-webserver-fp" duration=75 gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" wanin=3445 rcvdbyte=3445 wanout=1189 lanin=2358 sentbyte=2358 lanout=4759 appcat="unscanned"

Configuring a ZTNA simple policy with security posture tags and authentication

In this example, a simple ZTNA policy uses the FortiAD.Info tag for a posture check and authentication against a pre-configured Active Directory server where the user tsmith resides. The authentication scheme and rule have already been configured as follows:

config authentication scheme
    edit "ZTNA-Auth-scheme"
        set method basic
        set user-database "LDAP-fortiad"
    next
end
config authentication rule
    edit "ZTNA-Auth-rule"
        set srcintf "port3"
        set srcaddr "all"
        set active-auth-method "ZTNA-Auth-scheme"
    next
end

To append security posture tag and authentication settings to the simple ZTNA policy:
  1. Go to Policy & Objects > Firewall Policy and edit the ZTNA-webserver-fp policy.

  2. For the Source field, click the + and add the user group named LDAP-Remote-Allowed-Group.

  3. For the Security Posture Tag field, click the + and add the FortiAD.Info tag.

  4. Click OK.

To verify the configuration:
  1. Connect to the web server from a client.

  2. After selecting the client certificate, the browser will prompt for a username and password. Enter the username (tsmith) and their password.

    Upon a successful authentication, the user can access the web server.

  3. On the FortiGate, verify that the logs for the allowed traffic show the user tsmith and the tag EMS1_ZTNA_FortiAD.Info:

    # execute log filter field subtype ztna
    # execute log display
    18 logs found.
    10 logs returned.
    1: date=2023-03-06 time=23:25:23 eventtime=1678173923745891128 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=32017 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=29615 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=9 policytype="proxy-policy" poluuid="1f1d5036-bcaa-51ed-1d28-687edafe9439" policyname="ZTNA-webserver-fp" duration=106 user="tsmith" group="LDAP-Remote-Allowed-Group" authserver="LDAP-fortiad" gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/MAC_EMS1_ZTNA_FortiAD.Info/EMS1_ZTNA_FortiAD.Info" emsconnection="online" wanin=301793 rcvdbyte=301793 wanout=3331 lanin=2877 sentbyte=2877 lanout=333000 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"
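The verification step above relies on reading the user and clientdevicetags fields out of the ZTNA traffic log. The following Python, an added example rather than a Fortinet tool, parses FortiGate key=value log lines and checks that an accepted ztna record carries the expected user and EMS tag; the two sample lines are constructed and abridged from the output format shown on this page.

```python
import re

# Matches key=value pairs; values are either double-quoted or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    rec = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def ztna_summary(rec: dict) -> dict:
    """Reduce a ztna traffic record to the fields the verification steps look at."""
    tags = rec.get("clientdevicetags", "")
    return {
        "subtype": rec.get("subtype"),
        "action": rec.get("action"),
        "policyid": int(rec["policyid"]) if "policyid" in rec else None,
        "policytype": rec.get("policytype"),
        "policyname": rec.get("policyname"),
        "user": rec.get("user"),
        "group": rec.get("group"),
        "tags": tuple(t for t in tags.split("/") if t),   # tags are '/'-separated
    }


def has_expected_access(rec: dict, user: str, tag: str) -> bool:
    """True for an accepted ztna record carrying the expected user and EMS tag."""
    s = ztna_summary(rec)
    return (s["subtype"] == "ztna" and s["action"] == "accept"
            and s["user"] == user and tag in s["tags"])


def matching_policy_ids(lines, user: str, tag: str) -> list:
    """Policy IDs of records that satisfy has_expected_access, in log order."""
    recs = [parse_fortigate_log(line) for line in lines]
    return [ztna_summary(r)["policyid"] for r in recs if has_expected_access(r, user, tag)]


# Constructed sample lines, abridged from the page's log output format.
SAMPLE_NOAUTH = ('date=2023-03-06 time=23:01:55 tz="-0800" type="traffic" subtype="ztna" level="notice" srcip=10.0.3.2 dstip=10.88.0.3 dstport=9443 action="accept" policyid=9 policytype="proxy-policy" policyname="ZTNA-webserver-fp" accessproxy="ZTNA-webserver"')
SAMPLE_AUTH = ('date=2023-03-06 time=23:25:23 tz="-0800" type="traffic" subtype="ztna" level="notice" srcip=10.0.3.2 dstip=10.88.0.3 dstport=9443 action="accept" policyid=9 policytype="proxy-policy" policyname="ZTNA-webserver-fp" user="tsmith" group="LDAP-Remote-Allowed-Group" authserver="LDAP-fortiad" accessproxy="ZTNA-webserver" clientdevicetags="MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/MAC_EMS1_ZTNA_FortiAD.Info/EMS1_ZTNA_FortiAD.Info" emsconnection="online"')

if __name__ == "__main__":
    for line in (SAMPLE_NOAUTH, SAMPLE_AUTH):
        print(ztna_summary(parse_fortigate_log(line)))
    print(matching_policy_ids([SAMPLE_NOAUTH, SAMPLE_AUTH], "tsmith", "EMS1_ZTNA_FortiAD.Info"))
```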
