ZTNA agentless web-based application access 7.6.1
A ZTNA web portal is now available to provide end-user access to applications without FortiClient or client certificate checks. The ZTNA portal handles authentication and authorization of traffic destined for the protected resources. It is implemented entirely in WAD.
When end-users connect to the ZTNA web portal, they are directed to a login page:
Once logged in, end-users can access bookmarks defined by the administrator:
CLI syntax
Configure an access-proxy type of VIP. Disable client-cert so that it is not checked when an agentless client connects.
config firewall vip
    edit <name>
        set type access-proxy
        set server-type https
        set extip <ip address>
        set extintf <interface>
        set client-cert disable
        set extport <port>
        set ssl-certificate <certificate>
    next
end
Configure an access-proxy virtual host. End-users will connect to this destination to access the ZTNA web portal. Disable client-cert for this virtual host.
config firewall access-proxy-virtual-host
    edit "ztna-web-portal-fqdn"
        set ssl-certificate <certificate>
        set host <web portal host name or ip>
        set client-cert disable
    next
end
Configure an authentication scheme. Then configure an authentication rule with the new protocol ztna-portal.
config authentication rule
    edit <rule>
        set protocol ztna-portal
        set active-auth-method <auth scheme>
    next
end
New syntax for configuring the ZTNA web portal:
config ztna web-portal
    edit <name>
        set vip <vip name>
        set host <virtual host name>
        set auth-portal {enable | disable}
        set vip6 <virtual IPv6 name>
        set auth-rule <rule>
    next
end

set vip <vip name>
    The access-proxy VIP associated with this portal.
set host <virtual host name>
    The access-proxy virtual host object and FQDN defined for accessing this portal. This setting must be configured.
set auth-portal {enable | disable}
    Enable/disable the authentication portal.
set vip6 <virtual IPv6 name>
    The access-proxy VIP6 associated with the ZTNA server and applications that this portal is allowing.
set auth-rule <rule>
    The authentication rule, configured with protocol ztna-portal, that authenticates end-users of this portal.
New syntax for creating the web portal bookmarks:
config ztna web-portal-bookmark
    edit <name>
        set users <users>
        set groups <groups>
        config bookmarks
            edit <name>
                set apptype {ftp | rdp | sftp | smb | ssh | telnet | vnc | web}
                set url <string>
                set host <name or IP>
                set description <description>
                set port <remote port>
                set sso {enable | disable}
            next
        end
    next
end

set users <users>
    The user(s) allowed to access the web-portal.
set groups <groups>
    The group(s) allowed to access the web-portal.
set apptype {ftp | rdp | sftp | smb | ssh | telnet | vnc | web}
    Supported types of bookmarks: ftp, rdp, sftp, smb, ssh, telnet, vnc, web.
set url <url>
    For different types of applications, the URL used to define the destination.
set host <name or ip>
    For different types of applications, the host name or IP used to define the destination.
set port <remote port>
    Where applicable, define the port for the service.
set sso {enable | disable}
    Enable/disable the SSO user login and credentials to connect to the application, where applicable.
Not all options are listed. Some options are available only for certain types of applications.
Within the proxy-policy (full ZTNA policy), a new proxy type is added called ztna-proxy. Configure your proxy-policy to map to your web-portal.
config firewall proxy-policy
    edit <id>
        set proxy ztna-proxy
        set active-auth-method <authentication rule>
        set ztna-proxy <web-portal>
        …
    next
end
Example
This example demonstrates connecting to a ZTNA web portal to gain access to protected resources. Authentication is performed with LDAP.
To configure from the CLI:
- Configure a firewall VIP with external IP 10.0.3.20:
    config firewall vip
        edit "ZTNA-web-proxy"
            set type access-proxy
            set server-type https
            set extip 10.0.3.20
            set extintf "port3"
            set client-cert disable
            set extport 443
            set ssl-certificate "ztna-wildcard"
        next
    end
- Configure an access-proxy virtual host. The configuration here overrides the settings in the VIP. Ensure that client-cert is disabled:
    config firewall access-proxy-virtual-host
        edit "ztna-web-portal-fqdn"
            set ssl-certificate "ztna-wildcard"
            set host "web-portal.ztnademo.com"
            set client-cert disable
        next
    end
- Configure the authentication scheme and rule:
    config authentication scheme
        edit "ztna-web-portal-ldap"
            set method basic
            set user-database "LDAP-fortiad"
        next
    end
    config authentication rule
        edit "ztna-web-portal-rule"
            set protocol ztna-portal
            set ip-based disable
            set active-auth-method "ztna-web-portal-ldap"
            set web-auth-cookie enable
        next
    end
- Configure the ZTNA web-portal. Map the portal to the VIP, virtual host, and authentication rule that were previously created:
    config ztna web-portal
        edit "ztna-web-portal-ldap"
            set vip "ZTNA-web-proxy"
            set host "ztna-web-portal-fqdn"
            set auth-rule "ztna-web-portal-rule"
        next
    end
- Create web-portal bookmarks that will point to your internal resources. The groups setting defines the user group allowed access to the portal:
    config ztna web-portal-bookmark
        edit "bookmark"
            set groups "LDAP-Remote-Allowed-Group"
            config bookmarks
                edit "Webserver"
                    set url "https://10.88.0.3:9043"
                next
                edit "Server-S1-Web"
                    set sso enable
                    set url "https://s1.ztnademo.com"
                next
                edit "Server-S1-SSh"
                    set apptype ssh
                    set host "10.88.0.7"
                next
                edit "FortiGate-Internal-SSH"
                    set apptype ssh
                    set host "10.88.0.254"
                next
            end
        next
    end
- Create a full ZTNA policy (proxy-policy) to allow access to the new VIP:
    config firewall proxy-policy
        edit 2
            set name "ZTNA-web-portal"
            set proxy ztna-proxy
            set ztna-proxy "ztna-web-portal-ldap"
            set srcintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
        next
    end
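The CLI syntax section and the example above spread one portal across six objects that have to agree with each other (VIP, virtual host, authentication rule, web-portal, bookmarks, proxy-policy), and the two client-cert settings are easy to miss when the configuration is reviewed from a text backup. The Python script below is an added example, not Fortinet's code or part of FortiOS: it parses the config/edit/set/next/end CLI blocks into nested dictionaries and then checks the relationships the steps above establish. The sample configuration is the page's own example trimmed to the settings that are checked; the parser, the check logic and the assumption that a bookmark with no apptype is a web bookmark reached by url (as the "Webserver" bookmark above) are mine.

```python
import shlex

SAMPLE_CONFIG = """
config firewall vip
    edit "ZTNA-web-proxy"
        set type access-proxy
        set client-cert disable
    next
end
config firewall access-proxy-virtual-host
    edit "ztna-web-portal-fqdn"
        set client-cert disable
    next
end
config authentication rule
    edit "ztna-web-portal-rule"
        set protocol ztna-portal
    next
end
config ztna web-portal
    edit "ztna-web-portal-ldap"
        set vip "ZTNA-web-proxy"
        set host "ztna-web-portal-fqdn"
        set auth-rule "ztna-web-portal-rule"
    next
end
config ztna web-portal-bookmark
    edit "bookmark"
        set groups "LDAP-Remote-Allowed-Group"
        config bookmarks
            edit "Webserver"
                set url "https://10.88.0.3:9043"
            next
            edit "Server-S1-SSh"
                set apptype ssh
                set host "10.88.0.7"
            next
        end
    next
end
config firewall proxy-policy
    edit 2
        set proxy ztna-proxy
        set ztna-proxy "ztna-web-portal-ldap"
    next
end
"""  # constructed sample: the page's example, trimmed to the settings checked below


def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: [values]}}}."""
    stack = [{}]  # stack[0] is the root; deeper frames are the open tables and entries
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        cmd, *args = tokens
        if cmd == "config":  # open a table such as "firewall vip" (may nest inside an entry)
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":  # open an entry inside the current table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":  # keep the value tokens of one setting
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):  # close the current entry or table
            stack.pop()
    return stack[0]


def first(entry, key):
    return entry[key][0] if entry.get(key) else None  # first value of 'set <key> ...'


def audit_ztna_portal(cfg):
    """Return the problems found; an empty list means every check passed."""
    problems = []
    for name, portal in cfg.get("ztna web-portal", {}).items():
        vip = cfg.get("firewall vip", {}).get(first(portal, "vip"))
        if vip is None or first(vip, "type") != "access-proxy":
            problems.append(f"{name}: vip must exist and be of type access-proxy")
        elif first(vip, "client-cert") != "disable":
            problems.append(f"{name}: vip must set client-cert disable (agentless)")
        vhost = cfg.get("firewall access-proxy-virtual-host", {}).get(first(portal, "host"))
        if vhost is None:
            problems.append(f"{name}: host must name an access-proxy virtual host")
        elif first(vhost, "client-cert") != "disable":
            problems.append(f"{name}: virtual host overrides the VIP; set client-cert disable")
        rule = cfg.get("authentication rule", {}).get(first(portal, "auth-rule"))
        if rule is None or first(rule, "protocol") != "ztna-portal":
            problems.append(f"{name}: auth-rule must exist with protocol ztna-portal")
        if not any(first(p, "proxy") == "ztna-proxy" and first(p, "ztna-proxy") == name
                   for p in cfg.get("firewall proxy-policy", {}).values()):
            problems.append(f"{name}: no proxy-policy with proxy ztna-proxy maps to it")
    for bname, bm in cfg.get("ztna web-portal-bookmark", {}).items():
        for ename, b in bm.get("bookmarks", {}).items():
            # Assumption: no apptype means a web bookmark, which needs a url;
            # the other apptypes listed on the page are reached by host.
            needs = "url" if first(b, "apptype") in (None, "web") else "host"
            if needs not in b:
                problems.append(f"{bname}/{ename}: '{needs}' is required for this apptype")
    return problems


if __name__ == "__main__":
    print(audit_ztna_portal(parse_fortios_config(SAMPLE_CONFIG)) or "no problems found")
```

To check a real backup, pass the relevant sections of the exported configuration to parse_fortios_config in place of SAMPLE_CONFIG; the parser accepts nested config blocks, so the bookmarks table inside a web-portal-bookmark entry is handled the same way as a top-level table. Each finding names the portal or bookmark it concerns, so flipping either client-cert setting to enable, pointing auth-rule at a rule whose protocol is not ztna-portal, or removing the ztna-proxy policy produces a distinct, attributable message.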