Full versus simple ZTNA policies
There are two ways to configure ZTNA rules in the GUI: by using a full ZTNA policy or a simple ZTNA policy.
Full ZTNA policy
In a full ZTNA policy, the CLI configuration remains the same as previous versions. Administrators can configure ZTNA policies from the Policy & Objects > Proxy Policy page, and by setting the Type to ZTNA.
Simple ZTNA policy
In a simple ZTNA policy, a regular firewall policy is used for policy management. When creating a new firewall policy, administrators can configure a ZTNA policy by setting the Type to ZTNA.
A simple ZTNA policy cannot control access based on the destination interface or the real server’s destination address. See the Examples section for detailed configurations.
Authentication for ZTNA policies
Authentication remains largely the same between both ZTNA policy configuration modes. You can specify user groups under Source to define the groups to which the access control applies. However, the underlying authentication schemes and rules must still be in place to direct the traffic to the ZTNA application gateway.
Authentication for regular firewall policies
Authentication for regular firewall policies is traditionally handled by authd, which does not require an authentication scheme and rules to be configured in order to function. This enhancement allows authentication for regular firewall policies to be handled by WAD so that the authentication scheme and rules are used to determine the type of authentication and the traffic that requires authentication. This option is disabled by default, but can be enabled as follows:
config firewall auth-portal
    set proxy-auth {enable | disable}
end
Redirecting a simple ZTNA policy to a full ZTNA policy
An option is added so that after matching a simple ZTNA policy, the traffic can be redirected for a full ZTNA policy match. This setting can only be configured from the CLI, and it is disabled by default.
config firewall policy
    edit <id>
        set ztna-policy-redirect {enable | disable}
    next
end
For example, a client has both tag A and tag B. In the simple ZTNA policy, the client matches a policy that requires tag A for a posture check. If the ztna-policy-redirect option is enabled on that policy, then a full ZTNA policy match is also required.
If a full ZTNA policy allows either tag A or tag B or all traffic in general, then the traffic is allowed. Otherwise, if a full ZTNA policy explicitly denies one of the tags, the traffic will be denied.
If no full ZTNA policy is matched, then the traffic is implicitly denied.
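The decision order described above (simple policy posture check, optional redirect, full policy accept/deny, implicit deny) modelled as an added example that is not FortiOS code; the policy classes, the top-down first-match evaluation of full ZTNA policies, and the evaluate function are assumptions made for illustration:

```python
from dataclasses import dataclass

@dataclass
class SimplePolicy:
    name: str
    required_tags: frozenset        # security posture tags the client must carry
    redirect: bool = False          # corresponds to "set ztna-policy-redirect enable"

@dataclass
class FullPolicy:
    name: str
    action: str                     # "accept" or "deny"
    tags: frozenset = frozenset()   # empty set means the policy matches all traffic

def match_full(client_tags, full_policies):
    """First full ZTNA policy whose tag condition matches the client (assumed
    top-down, first-match evaluation), or None when nothing matches."""
    for p in full_policies:
        if not p.tags or p.tags & client_tags:
            return p
    return None

def evaluate(client_tags, simple, full_policies):
    """Return (verdict, reason) for a client that hits the given simple policy."""
    client_tags = frozenset(client_tags)
    # The simple policy's posture check: every required tag must be present.
    if not simple.required_tags <= client_tags:
        return "deny", f"{simple.name}: posture check failed"
    # Without the redirect option the simple policy decision is final.
    if not simple.redirect:
        return "accept", f"{simple.name}: simple policy match"
    # With the redirect option a full ZTNA policy must also match.
    full = match_full(client_tags, full_policies)
    if full is None:
        return "deny", "no full ZTNA policy matched (implicit deny)"
    return full.action, f"{full.name}: full policy {full.action}"
```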
Examples
The following examples demonstrate how to configure a ZTNA policy using the full and simple ZTNA policy modes.
It is assumed that the following settings are already configured:
- EMS connection and EMS tags (Malicious-File-Detected and FortiAD.Info)
- ZTNA server configuration (ZTNA-webserver)
- Authentication scheme and rule
Configuring a full ZTNA policy
To configure a full ZTNA policy in the GUI:
- Go to Policy & Objects > Proxy Policy and click Create New.
- Configure the following settings:
    Name: ZTNA-webserver
    Type: ZTNA
    Incoming Interface: port3
    Source: all
    Destination: Webserver1 (10.88.0.3/32)
    ZTNA Server: ZTNA-webserver
    Schedule: always
    Action: ACCEPT
- Click OK.
To configure a full ZTNA policy in the CLI:
config firewall proxy-policy
    edit 1
        set name "ZTNA-webserver"
        set proxy access-proxy
        set access-proxy "ZTNA-webserver"
        set srcintf "port3"
        set srcaddr "all"
        set dstaddr "Webserver1"
        set action accept
        set schedule "always"
    next
end
When traffic is allowed, the ZTNA logs show traffic passing through policy 1 on a policy called ZTNA-webserver, which is a proxy policy.
To verify the traffic logs:
# execute log filter category traffic
# execute log filter field subtype ztna
# execute log display
9 logs found.
9 logs returned.
1: date=2023-03-06 time=20:16:11 eventtime=1678162572109525759 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=28597 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=20140 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="1c0a04b8-bc85-51ed-48ba-7d43279fb899" policyname="ZTNA-webserver" duration=3604 gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" wanin=303150 rcvdbyte=303150 wanout=3755 lanin=2813 sentbyte=2813 lanout=304697 appcat="unscanned"
Configuring a simple ZTNA policy
To configure a simple ZTNA policy in the GUI:
- Go to Policy & Objects > Firewall Policy and click Create New.
- Configure the following settings:
    Name: ZTNA-webserver-fp
    Schedule: always
    Action: ACCEPT
    Type: ZTNA
    Incoming Interface: port3
    Source: all
    ZTNA server: ZTNA-webserver
- Click OK.
To configure a simple ZTNA policy in the CLI:
config firewall policy
    edit 9
        set name "ZTNA-webserver-fp"
        set srcintf "port3"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "ZTNA-webserver"
        set schedule "always"
        set service "ALL"
    next
end
When traffic is allowed, the ZTNA logs show traffic passing through policy 9 on a policy called ZTNA-webserver-fp, which is a firewall policy.
To verify the traffic logs:
# execute log filter category traffic
# execute log filter field subtype ztna
# execute log display
14 logs found.
10 logs returned.
1: date=2023-03-06 time=23:01:55 eventtime=1678172515724776640 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=31687 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=28076 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=9 policytype="proxy-policy" poluuid="1f1d5036-bcaa-51ed-1d28-687edafe9439" policyname="ZTNA-webserver-fp" duration=75 gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdevicemanageable="manageable" wanin=3445 rcvdbyte=3445 wanout=1189 lanin=2358 sentbyte=2358 lanout=4759 appcat="unscanned"
Configuring a simple ZTNA policy with security posture tags and authentication
In this example, a simple ZTNA policy uses the FortiAD.Info tag for a posture check and authentication against a pre-configured Active Directory server where the user tsmith resides. The authentication scheme and rule have already been configured as follows:
config authentication scheme
    edit "ZTNA-Auth-scheme"
        set method basic
        set user-database "LDAP-fortiad"
    next
end

config authentication rule
    edit "ZTNA-Auth-rule"
        set srcintf "port3"
        set srcaddr "all"
        set active-auth-method "ZTNA-Auth-scheme"
    next
end
To append security posture tag and authentication settings to the simple ZTNA policy:
- Go to Policy & Objects > Firewall Policy and edit the ZTNA-webserver-fp policy.
- For the Source field, click the + and add the user group named LDAP-Remote-Allowed-Group.
- For the Security Posture Tag field, click the + and add the FortiAD.Info tag.
- Click OK.
To verify the configuration:
- Connect to the web server from a client.
- After selecting the client certificate, the browser will prompt for a username and password. Enter the username (tsmith) and their password. Upon a successful authentication, the user can access the web server.
- On the FortiGate, verify that the logs for the allowed traffic show the user tsmith and the tag EMS1_ZTNA_FortiAD.Info:
# execute log filter field subtype ztna
# execute log display
18 logs found.
10 logs returned.
1: date=2023-03-06 time=23:25:23 eventtime=1678173923745891128 tz="-0800" logid="0005000024" type="traffic" subtype="ztna" level="notice" vd="root" srcip=10.0.3.2 srcport=32017 srcintf="port3" srcintfrole="wan" dstcountry="Reserved" srccountry="Reserved" dstip=10.88.0.3 dstport=9443 dstintf="port2" dstintfrole="dmz" sessionid=29615 srcuuid="b458a65a-f759-51ea-d7df-ef2e750026d1" service="tcp/9443" proxyapptype="http" proto=6 action="accept" policyid=9 policytype="proxy-policy" poluuid="1f1d5036-bcaa-51ed-1d28-687edafe9439" policyname="ZTNA-webserver-fp" duration=106 user="tsmith" group="LDAP-Remote-Allowed-Group" authserver="LDAP-fortiad" gatewayid=1 vip="ZTNA-webserver" accessproxy="ZTNA-webserver" clientdeviceid="9A016B5A6E914B42AD4168C066EB04CA" clientdevicemanageable="manageable" clientdevicetags="MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/MAC_EMS1_ZTNA_FortiAD.Info/EMS1_ZTNA_FortiAD.Info" emsconnection="online" wanin=301793 rcvdbyte=301793 wanout=3331 lanin=2877 sentbyte=2877 lanout=333000 fctuid="9A016B5A6E914B42AD4168C066EB04CA" appcat="unscanned"
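The verification step above can be automated against exported logs. The following is an added example, not FortiOS or FortiGate code: it parses the key=value traffic-log format shown on this page and checks that an accepted ZTNA session hit the expected policy, user, and posture tag. The sample line is constructed (shortened from the page's log), and parse_log and check_ztna_access are names assumed for illustration.

```python
import re

# Constructed sample in the FortiOS traffic-log format shown above (fields trimmed).
SAMPLE_LOG = (
    'date=2023-03-06 time=23:25:23 type="traffic" subtype="ztna" action="accept" '
    'policyid=9 policytype="proxy-policy" policyname="ZTNA-webserver-fp" '
    'user="tsmith" group="LDAP-Remote-Allowed-Group" authserver="LDAP-fortiad" '
    'clientdevicetags="MAC_EMS1_ZTNA_all_registered_clients/EMS1_ZTNA_all_registered_clients/'
    'MAC_EMS1_ZTNA_FortiAD.Info/EMS1_ZTNA_FortiAD.Info" emsconnection="online"'
)

# key=value pairs; quoted values may contain spaces, unquoted ones end at whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Parse one FortiOS log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def check_ztna_access(line, policy_name, expected_user, required_tag):
    """Return a list of findings; an empty list means the session took the
    expected access path (ZTNA accept, given policy, user and posture tag)."""
    rec = parse_log(line)
    findings = []
    if rec.get("subtype") != "ztna" or rec.get("action") != "accept":
        findings.append("not an accepted ZTNA session")
    if rec.get("policyname") != policy_name:
        findings.append(f"unexpected policy {rec.get('policyname')!r}")
    if rec.get("user") != expected_user:
        findings.append(f"unexpected user {rec.get('user')!r}")
    # clientdevicetags is a "/"-separated list of EMS tags applied to the device.
    tags = rec.get("clientdevicetags", "").split("/")
    if required_tag not in tags:
        findings.append(f"posture tag {required_tag} missing")
    if rec.get("emsconnection") != "online":
        findings.append("EMS connection not online")
    return findings
```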