Fortinet white logo
Fortinet white logo

Administration Guide

ZTNA TCP forwarding access proxy with FQDN example

ZTNA TCP forwarding access proxy with FQDN example

When defining ZTNA connection rules on FortiClient for TCP forwarding, it is sometimes desirable to configure the destination host address as an FQDN address instead of an IP address. Since the real servers are often servers in the corporate network, this layer of obfuscation prevents internal IPs from easily leaking to the public, and also makes the destination more easily recognizable by the end users.

One obstacle to overcome is getting remote hosts to resolve an internal FQDN that is typically only resolvable by an internal DNS in the corporate network. This can be solved with the following:

  1. When an FQDN address is added in FortiClient’s ZTNA Destination, FortiClient will intercept connections destined for the FQDN address and replace the destination with a special IP address (such as 10.235.0.1).

  2. FortiClient listens to any traffic destined for the FQDN and its port and forwards the traffic using the TCP forwarding URL with FQDN to the ZTNA application gateway.

  3. The ZTNA application gateway will resolve the FQDN, matching the traffic to the ZTNA real server configuration with the same domain and address.

  4. If a valid ZTNA real server entry is found, traffic is forwarded to the real server.

Example

In this example, a FortiAnalyzer in the internal network is added to the FortiGate access proxy for TCP forwarding. A ZTNA Destination is configured on the FortiClient, with the destination host field pointing to the FQDN addresses of the internal servers. The FQDN address is also resolvable by the FortiGate and the same FQDN is used in the real server mapping.

This example assumes that the FortiGate EMS Fabric connector is already successfully connected.

This features requires a minimum FortiClient and FortiClient EMS version of 7.0.3.

To configure the TCP forwarding access proxy:
  1. Go to Policy & Objects > ZTNA and select the ZTNA Server tab.

  2. Click Create new.

  3. Set Name to ZTNA-webserver.

  4. Configure the network settings:

    1. Set Interface to WAN (port3).

    2. Set IP address to 10.0.3.10.

    3. Set Port to 9043.

  5. Select the Default certificate. Clients will be presented with this certificate when they connect to the application gateway VIP.

  6. Add server mapping:

    1. In the Service/server mapping table, click Create new.

    2. For Service, select TCP Forwarding.

    3. Under Server:

      1. For Address, create a new FQDN address called FAZ-FQDN for the FortiAnalyzer at fortianalyzer.ztnademo.com, then click OK.

      2. Apply the new address object as the address for the new server.

      3. Set Ports to 22.

      4. Click OK.

  7. Click OK to complete.

To configure the ZTNA rule:
  1. Go to Policy & Objects > Proxy Policy.

  2. Click Create new.

  3. Set Name to ZTNA-Admin-Access.

  4. Set Incoming Interface to WAN (port3).

  5. Set Source to all.

  6. Set Destination to the same FAZ-FQDN address created before.

  7. Select the ZTNA server ZTNA-webserver.

  8. Configure the remaining options as needed.

  9. Click OK.

Testing the connection to the TCP forwarding access proxy

Before connecting, users must have a ZTNA Destination in FortiClient.

Note

ZTNA TCP forwarding rules can be provisioned from the EMS server. See FQDN-based ZTNA TCP forwarding services for more details.

To create the ZTNA rules in FortiClient and connect:
  1. From the ZTNA Destination tab, click Add Destination.

  2. Create a rule for the FortiAnalyzer:

    1. Set Destination Name to SSH.

    2. Set Destination Host to fortianalyzer.ztnademo.com:22.

    3. Set Proxy Gateway to 10.0.3.10.

    4. Click Create.

  3. Upon creating the ZTNA rules, FortiClient now resolves fortianalyzer.ztnademo.com to a special address, overriding any DNS resolution for this host. From the Windows command prompt:

    > ping fortianalyzer.ztnademo.com
    Pinging fortianalyzer.ztnademo.com [10.235.0.1] with 32 bytes of data:

    Note that the ping will not be successful.

  4. FortiClient will listen to the traffic to this FQDN and forward them to the TCP forwarding access proxy.

  5. Have the remote user connect to fortianalyzer.ztnademo.com from Powershell. The connection will be successful.

From the FortiGate, go to Log & Report > ZTNA Traffic to view the logs. Alternatively, use the CLI to display the most recent ZTNA logs:

# execute log filter category 0
# execute log filter field subtype ztna
# execute log display

1: date=2024-09-16 time=12:02:24 eventtime=1726513343785273146 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=17805 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="port2" dstintfrole="dmz" sessionid=56690 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="SSH" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="63e2dc6c-6f47-51ef-1470-bc6c947cfab9" policyname="ZTNA-Admin-Access" duration=909 user="tsmith" group="ZTNA-SAML-Admin" gatewayid=3 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" clientcert="yes" wanin=2797 rcvdbyte=2797 wanout=2121 lanin=4154 sentbyte=4154 lanout=5953 appcat="unscanned"

ZTNA TCP forwarding access proxy with FQDN example

ZTNA TCP forwarding access proxy with FQDN example

When defining ZTNA connection rules on FortiClient for TCP forwarding, it is sometimes desirable to configure the destination host address as an FQDN address instead of an IP address. Since the real servers are often servers in the corporate network, this layer of obfuscation prevents internal IPs from easily leaking to the public, and also makes the destination more easily recognizable by the end users.

One obstacle to overcome is getting remote hosts to resolve an internal FQDN that is typically only resolvable by an internal DNS in the corporate network. This can be solved with the following:

  1. When an FQDN address is added in FortiClient’s ZTNA Destination, FortiClient will intercept connections destined for the FQDN address and replace the destination with a special IP address (such as 10.235.0.1).

  2. FortiClient listens to any traffic destined for the FQDN and its port and forwards the traffic using the TCP forwarding URL with FQDN to the ZTNA application gateway.

  3. The ZTNA application gateway will resolve the FQDN, matching the traffic to the ZTNA real server configuration with the same domain and address.

  4. If a valid ZTNA real server entry is found, traffic is forwarded to the real server.

Example

In this example, a FortiAnalyzer in the internal network is added to the FortiGate access proxy for TCP forwarding. A ZTNA Destination is configured on the FortiClient, with the destination host field pointing to the FQDN addresses of the internal servers. The FQDN address is also resolvable by the FortiGate and the same FQDN is used in the real server mapping.

This example assumes that the FortiGate EMS Fabric connector is already successfully connected.

This features requires a minimum FortiClient and FortiClient EMS version of 7.0.3.

To configure the TCP forwarding access proxy:
  1. Go to Policy & Objects > ZTNA and select the ZTNA Server tab.

  2. Click Create new.

  3. Set Name to ZTNA-webserver.

  4. Configure the network settings:

    1. Set Interface to WAN (port3).

    2. Set IP address to 10.0.3.10.

    3. Set Port to 9043.

  5. Select the Default certificate. Clients will be presented with this certificate when they connect to the application gateway VIP.

  6. Add server mapping:

    1. In the Service/server mapping table, click Create new.

    2. For Service, select TCP Forwarding.

    3. Under Server:

      1. For Address, create a new FQDN address called FAZ-FQDN for the FortiAnalyzer at fortianalyzer.ztnademo.com, then click OK.

      2. Apply the new address object as the address for the new server.

      3. Set Ports to 22.

      4. Click OK.

  7. Click OK to complete.

To configure the ZTNA rule:
  1. Go to Policy & Objects > Proxy Policy.

  2. Click Create new.

  3. Set Name to ZTNA-Admin-Access.

  4. Set Incoming Interface to WAN (port3).

  5. Set Source to all.

  6. Set Destination to the same FAZ-FQDN address created before.

  7. Select the ZTNA server ZTNA-webserver.

  8. Configure the remaining options as needed.

  9. Click OK.

Testing the connection to the TCP forwarding access proxy

Before connecting, users must have a ZTNA Destination in FortiClient.

Note

ZTNA TCP forwarding rules can be provisioned from the EMS server. See FQDN-based ZTNA TCP forwarding services for more details.

To create the ZTNA rules in FortiClient and connect:
  1. From the ZTNA Destination tab, click Add Destination.

  2. Create a rule for the FortiAnalyzer:

    1. Set Destination Name to SSH.

    2. Set Destination Host to fortianalyzer.ztnademo.com:22.

    3. Set Proxy Gateway to 10.0.3.10.

    4. Click Create.

  3. Upon creating the ZTNA rules, FortiClient now resolves fortianalyzer.ztnademo.com to a special address, overriding any DNS resolution for this host. From the Windows command prompt:

    > ping fortianalyzer.ztnademo.com
    Pinging fortianalyzer.ztnademo.com [10.235.0.1] with 32 bytes of data:

    Note that the ping will not be successful.

  4. FortiClient will listen to the traffic to this FQDN and forward them to the TCP forwarding access proxy.

  5. Have the remote user connect to fortianalyzer.ztnademo.com from Powershell. The connection will be successful.

From the FortiGate, go to Log & Report > ZTNA Traffic to view the logs. Alternatively, use the CLI to display the most recent ZTNA logs:

# execute log filter category 0
# execute log filter field subtype ztna
# execute log display

1: date=2024-09-16 time=12:02:24 eventtime=1726513343785273146 tz="-0700" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=17805 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.2 dstport=22 dstintf="port2" dstintfrole="dmz" sessionid=56690 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="SSH" proxyapptype="http" proto=6 action="accept" policyid=2 policytype="proxy-policy" poluuid="63e2dc6c-6f47-51ef-1470-bc6c947cfab9" policyname="ZTNA-Admin-Access" duration=909 user="tsmith" group="ZTNA-SAML-Admin" gatewayid=3 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" clientcert="yes" wanin=2797 rcvdbyte=2797 wanout=2121 lanin=4154 sentbyte=4154 lanout=5953 appcat="unscanned"